---
id: 499462d9-3804-4651-9f46-ffabc2e4713f
type: solution
title: "Gitea Actions composite action auth fix - DEFAULT_ACTIONS_URL=self + REQUIRE_SIGNIN_VIEW=false"
tags: [gitea, ci-cd, actions, act-runner, docker, authentication]
importance: 0.9
confidence: 0.8
created: "2026-02-18T19:57:12.550575+00:00"
updated: "2026-02-18T19:57:25.899334+00:00"
relations:
  - target: f4683542-eb76-4397-9e84-673c86a05904
    type: BUILDS_ON
    direction: outgoing
    strength: 0.8
    context: "This auth fix extends the original runner setup - runner must use internal URL for registration, but action clones still go through ROOT_URL causing host mismatch"
---

Problem: act_runner fails to clone composite actions from cal/gitea-actions with 'authentication required: Unauthorized'. Root cause: Runner registered at http://10.10.0.225:3000 (internal) but Gitea sends clone URLs using ROOT_URL (https://git.manticorum.com). go-git compares url.Host - hosts don't match so no auth token is passed. Combined with REQUIRE_SIGNIN_VIEW=true, unauthenticated clone fails.

Solution (3 parts):
1. Set DEFAULT_ACTIONS_URL=self in /etc/gitea/app.ini [actions] section - allows short-form action references (cal/gitea-actions/calver@main) instead of full URLs
2. Set REQUIRE_SIGNIN_VIEW=false - allows unauthenticated clone of PUBLIC repos only. Private repos remain fully protected. The gitea-actions repo is public and contains no sensitive code (audited).
3. Update all workflow files: local actions use short form (cal/gitea-actions/calver@main), GitHub actions use full URLs (https://github.com/actions/checkout@v4)

Additional cleanup: Removed runner .netrc mount (doesn't work with go-git anyway). Added SSH alias 'gitea' to ~/.ssh/config (user: root, not cal - LXC runs as root). The 10.10.0.* wildcard in ssh config sets User=cal which was wrong for this LXC.