From 8e76020d2d3c91fb7f5fcaca7ec7c911f0ac4a26 Mon Sep 17 00:00:00 2001 From: Cal Corum Date: Fri, 20 Feb 2026 08:56:32 -0600 Subject: [PATCH] store: CT 302 Gitea push: embedded-credential URL rejected, use http.extraHeader instead --- ...redential-url-rejected-use-httpe-c5a9df.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 graph/fixes/ct-302-gitea-push-embedded-credential-url-rejected-use-httpe-c5a9df.md diff --git a/graph/fixes/ct-302-gitea-push-embedded-credential-url-rejected-use-httpe-c5a9df.md b/graph/fixes/ct-302-gitea-push-embedded-credential-url-rejected-use-httpe-c5a9df.md new file mode 100644 index 00000000000..30575b4c35f --- /dev/null +++ b/graph/fixes/ct-302-gitea-push-embedded-credential-url-rejected-use-httpe-c5a9df.md 
@@ -0,0 +1,40 @@ +--- +id: c5a9dff8-5ebe-4e5e-8494-c46333728db8 +type: fix +title: "CT 302 Gitea push: embedded-credential URL rejected, use http.extraHeader instead" +tags: [gitea, claude-runner, git, authentication, fix] +importance: 0.6 +confidence: 0.8 +created: "2026-02-20T14:56:32.846201+00:00" +updated: "2026-02-20T14:56:32.846201+00:00" +--- + +## Problem + +Pushing from CT 302 (claude-runner, 10.10.0.148) to Gitea failed with 403 Forbidden, even though the token was valid. The remote URL had the token embedded in the URL: + +``` +https://cal:@git.manticorum.com/cal/claude-runner-monitoring.git +``` + +Gitea rejected this format. + +## Fix + +1. Set remote to plain HTTPS (no credentials in URL): + ``` + git remote set-url origin https://git.manticorum.com/cal/claude-runner-monitoring.git + ``` + +2. Configure persistent auth header in git config: + ``` + git config http.https://git.manticorum.com/.extraHeader 'Authorization: token ' + ``` + +Token is stored in `~/.claude/secrets/claude_runner_monitoring_gitea_token` on the workstation. + +## Notes + +- SSH git remote also doesn't work from CT 302 — no SSH key registered with Gitea for root@claude-runner +- The `http.extraHeader` approach applies to all repos under `git.manticorum.com` from CT 302 +- Credential helper approach failed due to shell escaping issues over SSH
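Review bot: Step 2 of the Fix section runs `git config http.https://git.manticorum.com/.extraHeader ...` with no scope flag, so the value is written to the current repository's `.git/config` only, while the Notes bullet says the approach "applies to all repos under `git.manticorum.com` from CT 302". Either add `--global` to the command in step 2 or reword the bullet to say the header is per-repository, so the recorded fix matches what was actually configured. The token is also elided without a marker in both the Problem URL (`https://cal:@git.manticorum.com/...`) and the header value (`'Authorization: token '`). An explicit placeholder such as `<TOKEN>` would make it clear that a value belongs there and that the empty field is a redaction, not the cause of the 403. Since `http.extraHeader` keeps the token in plaintext in the git config file on CT 302, the Fix section should say which config file holds it, next to the existing sentence about `~/.claude/secrets/claude_runner_monitoring_gitea_token` on the workstation, so the token can be found and rotated later.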