---
id: 53328fc9-796a-47b7-81ae-fc57c9b3a202
type: solution
title: "Gitea Actions runner can't clone self-hosted composite actions - auth + cache fix"
tags: [gitea, ci-cd, actions, runner, authentication, composite-actions, troubleshooting, docker, homelab, lxc-225]
importance: 0.9
confidence: 0.8
created: "2026-02-18T17:59:33.367259+00:00"
updated: "2026-02-18T18:00:00.224832+00:00"
relations:
  - target: 48ad98e0-6903-40d9-b398-37d02efdc5e7
    type: REQUIRES
    direction: outgoing
    strength: 0.8
    context: "Solution requires this runner configuration to work"
  - target: f4683542-eb76-4397-9e84-673c86a05904
    type: BUILDS_ON
    direction: outgoing
    strength: 0.8
    context: "Extends original runner troubleshooting with auth for composite actions"
---

Problem: Gitea Actions runner fails to clone composite actions from cal/gitea-actions with 'authentication required: Unauthorized'.

Three root causes found and fixed:

1. **Repo was private**: `tea repos create` defaults to private. Fixed by making public via API PATCH to `/api/v1/repos/cal/gitea-actions` with {private: false}.
2. **REQUIRE_SIGNIN_VIEW = true**: Even with public repos, Gitea's app.ini had `REQUIRE_SIGNIN_VIEW=true` in `/etc/gitea/app.ini` on LXC 225, which blocks unauthenticated git clone for ALL repos including public ones. Rather than disabling this (user preference), solved by adding .netrc authentication to the runner.
3. **Runner clone cache**: Failed clone attempts are cached at `/root/.cache/act/` in the runner container. Must manually clear: `docker exec gitea-runner rm -rf /root/.cache/act/`

Solution: Created `/etc/gitea/runner-netrc` on LXC 225 with machine entries for both git.manticorum.com and 10.10.0.225 using the Gitea API token.

Recreated the runner container with:

- `-v /etc/gitea/runner-netrc:/root/.netrc:ro` (authentication for cloning)
- `-v /etc/gitea/runner-config.yaml:/config.yaml:ro` (container options)
- `daemon --config /config.yaml`

The runner config.yaml also sets container.options: `--add-host=git.manticorum.com:host-gateway` for job containers that need to reach the Gitea instance.

Key insight: The runner clones action repos in its OWN container (cached at `/root/.cache/act/`), not in the job containers. So .netrc on the runner container is what matters for action repo authentication. The container.options `--add-host` is for job container steps that need Gitea access.

Runner details: gitea/act_runner:latest on LXC 225 (10.10.0.225), connects to Gitea at http://10.10.0.225:3000 internally.
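
A pre-flight check for the netrc file before mounting it into the runner, as an added example that is not part of the original note: it confirms that both machine names the runner may clone from have a complete entry and that the token file is not accessible to group or other. The owner-only permission requirement and the `check_netrc` function name are assumptions, and the sample file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original note.
# check_netrc FILE HOST...  ->  0 if FILE is private to its owner and every
# HOST has a "machine HOST" entry with both a login and a password.
check_netrc() {
    file=$1; shift
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # Characters 5-10 of the mode string are the group and other bits.
    if [ "$(ls -ldL "$file" | cut -c5-10)" != "------" ]; then
        echo "$file is accessible to group/other; it holds an API token" >&2
        return 1
    fi
    for host in "$@"; do
        awk -v h="$host" '
            { for (i = 1; i <= NF; i++) tok[++n] = $i }   # netrc is token based
            END {
                for (i = 1; i <= n; i++) {
                    if (tok[i] == "machine")       cur = tok[++i]
                    else if (tok[i] == "default")  cur = ""
                    else if (tok[i] == "login")    { if (cur == h) l = 1; i++ }
                    else if (tok[i] == "password") { if (cur == h) p = 1; i++ }
                }
                exit !(l && p)
            }' "$file" || { echo "no complete entry for $host" >&2; return 1; }
    done
    return 0
}

# Constructed sample file; the login and token are placeholders.
demo=$(mktemp)
cat > "$demo" <<'EOF'
machine git.manticorum.com login EXAMPLE_USER password EXAMPLE_TOKEN
machine 10.10.0.225 login EXAMPLE_USER password EXAMPLE_TOKEN
EOF
chmod 600 "$demo"
check_netrc "$demo" git.manticorum.com 10.10.0.225 && echo "netrc OK"
rm -f "$demo"
```

On the host this would be run as `check_netrc /etc/gitea/runner-netrc git.manticorum.com 10.10.0.225`; after fixing the file, the cached failed clones under `/root/.cache/act/` still have to be cleared as described above.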