claude-memory/graph/solutions/gitea-actions-composite-action-auth-fix-default-actions-urls-499462.md

id	type	title	tags	importance	confidence	created	updated	relations
499462d9-3804-4651-9f46-ffabc2e4713f	solution	Gitea Actions composite action auth fix - DEFAULT_ACTIONS_URL=self + REQUIRE_SIGNIN_VIEW=false	gitea ci-cd actions act-runner docker authentication	0.9	0.8	2026-02-18T19:57:12.550575+00:00	2026-02-18T19:57:25.899334+00:00	target type direction strength context f4683542-eb76-4397-9e84-673c86a05904 BUILDS_ON outgoing 0.8 This auth fix extends the original runner setup - runner must use internal URL for registration, but action clones still go through ROOT_URL causing host mismatch

Problem: act_runner fails to clone composite actions from cal/gitea-actions with 'authentication required: Unauthorized'. Root cause: Runner registered at http://10.10.0.225:3000 (internal) but Gitea sends clone URLs using ROOT_URL (https://git.manticorum.com). go-git compares url.Host - hosts don't match so no auth token is passed. Combined with REQUIRE_SIGNIN_VIEW=true, unauthenticated clone fails.

Solution (3 parts):

1. Set DEFAULT_ACTIONS_URL=self in /etc/gitea/app.ini [actions] section - allows short-form action references (cal/gitea-actions/calver@main) instead of full URLs
2. Set REQUIRE_SIGNIN_VIEW=false - allows unauthenticated clone of PUBLIC repos only. Private repos remain fully protected. The gitea-actions repo is public and contains no sensitive code (audited).
3. Update all workflow files: local actions use short form (cal/gitea-actions/calver@main), GitHub actions use full URLs (https://github.com/actions/checkout@v4)

Additional cleanup: Removed runner .netrc mount (doesn't work with go-git anyway). Added SSH alias 'gitea' to ~/.ssh/config (user: root, not cal - LXC runs as root). The 10.10.0.* wildcard in ssh config sets User=cal which was wrong for this LXC.