26 lines
1.8 KiB
Markdown
26 lines
1.8 KiB
Markdown
---
|
|
id: 499462d9-3804-4651-9f46-ffabc2e4713f
|
|
type: solution
|
|
title: "Gitea Actions composite action auth fix - DEFAULT_ACTIONS_URL=self + REQUIRE_SIGNIN_VIEW=false"
|
|
tags: [gitea, ci-cd, actions, act-runner, docker, authentication]
|
|
importance: 0.9
|
|
confidence: 0.8
|
|
created: "2026-02-18T19:57:12.550575+00:00"
|
|
updated: "2026-02-18T19:57:25.899334+00:00"
|
|
relations:
|
|
- target: f4683542-eb76-4397-9e84-673c86a05904
|
|
type: BUILDS_ON
|
|
direction: outgoing
|
|
strength: 0.8
|
|
context: "This auth fix extends the original runner setup - runner must use internal URL for registration, but action clones still go through ROOT_URL causing host mismatch"
|
|
---
|
|
|
|
Problem: act_runner fails to clone composite actions from cal/gitea-actions with 'authentication required: Unauthorized'. Root cause: Runner registered at http://10.10.0.225:3000 (internal) but Gitea sends clone URLs using ROOT_URL (https://git.manticorum.com). go-git compares url.Host - hosts don't match so no auth token is passed. Combined with REQUIRE_SIGNIN_VIEW=true, unauthenticated clone fails.
|
|
|
|
Solution (3 parts):
|
|
1. Set DEFAULT_ACTIONS_URL=self in /etc/gitea/app.ini [actions] section - allows short-form action references (cal/gitea-actions/calver@main) instead of full URLs
|
|
2. Set REQUIRE_SIGNIN_VIEW=false - allows unauthenticated clone of PUBLIC repos only. Private repos remain fully protected. The gitea-actions repo is public and contains no sensitive code (audited).
|
|
3. Update all workflow files: local actions use short form (cal/gitea-actions/calver@main), GitHub actions use full URLs (https://github.com/actions/checkout@v4)
|
|
|
|
Additional cleanup: Removed runner .netrc mount (doesn't work with go-git anyway). Added SSH alias 'gitea' to ~/.ssh/config (user: root, not cal - LXC runs as root). The 10.10.0.* wildcard in ssh config sets User=cal which was wrong for this LXC.
|