diff --git a/graph/solutions/gitea-actions-composite-action-auth-fix-default-actions-urls-499462.md b/graph/solutions/gitea-actions-composite-action-auth-fix-default-actions-urls-499462.md
new file mode 100644
index 00000000000..64b5771a778
--- /dev/null
+++ b/graph/solutions/gitea-actions-composite-action-auth-fix-default-actions-urls-499462.md
@@ -0,0 +1,19 @@
+---
+id: 499462d9-3804-4651-9f46-ffabc2e4713f
+type: solution
+title: "Gitea Actions composite action auth fix - DEFAULT_ACTIONS_URL=self + REQUIRE_SIGNIN_VIEW=false"
+tags: [gitea, ci-cd, actions, act-runner, docker, authentication]
+importance: 0.9
+confidence: 0.8
+created: "2026-02-18T19:57:12.550575+00:00"
+updated: "2026-02-18T19:57:12.550575+00:00"
+---
+
+Problem: act_runner fails to clone composite actions from cal/gitea-actions with 'authentication required: Unauthorized'. Root cause: Runner registered at http://10.10.0.225:3000 (internal) but Gitea sends clone URLs using ROOT_URL (https://git.manticorum.com). go-git compares url.Host - hosts don't match so no auth token is passed. Combined with REQUIRE_SIGNIN_VIEW=true, unauthenticated clone fails.
+
+Solution (3 parts):
+1. Set DEFAULT_ACTIONS_URL=self in /etc/gitea/app.ini [actions] section - allows short-form action references (cal/gitea-actions/calver@main) instead of full URLs
+2. Set REQUIRE_SIGNIN_VIEW=false - allows unauthenticated clone of PUBLIC repos only. Private repos remain fully protected. The gitea-actions repo is public and contains no sensitive code (audited).
+3. Update all workflow files: local actions use short form (cal/gitea-actions/calver@main), GitHub actions use full URLs (https://github.com/actions/checkout@v4)
+
+Additional cleanup: Removed runner .netrc mount (doesn't work with go-git anyway). Added SSH alias 'gitea' to ~/.ssh/config (user: root, not cal - LXC runs as root). The 10.10.0.* wildcard in ssh config sets User=cal which was wrong for this LXC.