From a1894dfa484419df6767b5cf8cfd857ba243f9fe Mon Sep 17 00:00:00 2001
From: Aleksandr Meshchriakov
Date: Tue, 5 May 2026 00:01:49 +0200
Subject: [PATCH] ci: harden customer deploy auth
---
 .gitea/workflows/deploy-customer-main.yml | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/.gitea/workflows/deploy-customer-main.yml b/.gitea/workflows/deploy-customer-main.yml
index 5560e2e..d9c9a7d 100644
--- a/.gitea/workflows/deploy-customer-main.yml
+++ b/.gitea/workflows/deploy-customer-main.yml
@@ -50,14 +50,16 @@ jobs:
 REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
 REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
 REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+ GITEA_TOKEN: ${{ gitea.token }}
 CUSTOMER_DEPLOY_SSH_KEY: ${{ secrets.CUSTOMER_DEPLOY_SSH_KEY }}
 CUSTOMER_DEPLOY_SSH_KEY_B64: ${{ secrets.CUSTOMER_DEPLOY_SSH_KEY_B64 }}
 DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
 run: |
 set -euo pipefail
- registry_user="${REGISTRY_USER:-${REGISTRY_USERNAME:-}}"
- registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-}}"
+ registry_user="${REGISTRY_USER:-${REGISTRY_USERNAME:-${GITHUB_ACTOR:-}}}"
+ registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-${GITEA_TOKEN:-}}}"
+ home_dir="${HOME:-/root}"
 if [ -z "${registry_user}" ]; then
 echo "Missing registry user secret: set REGISTRY_USER or REGISTRY_USERNAME" >&2
@@ -70,7 +72,7 @@ jobs:
 if [ -z "${CUSTOMER_DEPLOY_SSH_KEY:-}" ] \
 && [ -z "${CUSTOMER_DEPLOY_SSH_KEY_B64:-}" ] \
 && [ -z "${DEPLOY_SSH_KEY:-}" ] \
- && [ ! -f "${HOME}/.ssh/ci-key" ] \
+ && [ ! -f "${home_dir}/.ssh/ci-key" ] \
 && [ ! -f "/root/.ssh/ci-key" ]; then
 echo "Missing customer SSH key: set CUSTOMER_DEPLOY_SSH_KEY_B64, CUSTOMER_DEPLOY_SSH_KEY, DEPLOY_SSH_KEY, or install ~/.ssh/ci-key on the runner" >&2
 exit 1
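Review bot: The new `GITEA_TOKEN` fallback in `registry_password` hands the repo-scoped Actions token to whatever host `CUSTOMER_REGISTRY_HOST` names whenever neither `REGISTRY_TOKEN` nor `REGISTRY_PASSWORD` is set, and that host (used to build `registry_path` in the later push step) is presumably a customer-controlled registry rather than this Gitea instance, so the fallback should be gated on the registry being the Gitea server before the token is ever used as a password. `registry_user` and `registry_password` are also resolved independently, so a repo that sets only `REGISTRY_USER` would log in with a human username and the CI token. With `GITHUB_ACTOR` almost always populated by the runner, the `-z "${registry_user}"` guard and its message `set REGISTRY_USER or REGISTRY_USERNAME` no longer describe when it fires; reword it to mention the token fallback or drop the username branch. Resolving the pair together, roughly as below, keeps the token on its own server (the `GITHUB_SERVER_URL` comparison assumes the runner sets it alongside `GITHUB_ACTOR`; confirm, and that the registry host carries no path or port); the step's body continues past the hunk.
```shell
set -euo pipefail
# Resolve user and password as a pair so a human username is never sent with the CI token, or vice versa.
registry_user="${REGISTRY_USER:-${REGISTRY_USERNAME:-}}"
registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-}}"
if [ -z "${registry_user}" ] || [ -z "${registry_password}" ]; then
  # Only fall back to the Actions token when the registry is this Gitea instance.
  if [ -n "${GITEA_TOKEN:-}" ] && [ "${CUSTOMER_REGISTRY_HOST:-}" = "${GITHUB_SERVER_URL#*://}" ]; then
    registry_user="${GITHUB_ACTOR:-}"
    registry_password="${GITEA_TOKEN}"
  fi
fi
home_dir="${HOME:-/root}"
# … unchanged: empty-credential and SSH-key presence checks …
```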
@@ -89,11 +91,12 @@ jobs:
 REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
 REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
 REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+ GITEA_TOKEN: ${{ gitea.token }}
 run: |
 set -euo pipefail
- registry_user="${REGISTRY_USER:-${REGISTRY_USERNAME:-}}"
- registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-}}"
+ registry_user="${REGISTRY_USER:-${REGISTRY_USERNAME:-${GITHUB_ACTOR:-}}}"
+ registry_password="${REGISTRY_TOKEN:-${REGISTRY_PASSWORD:-${GITEA_TOKEN:-}}}"
 sha_short="$(printf '%s' "${GITHUB_SHA}" | cut -c1-12)"
 registry_path="${CUSTOMER_REGISTRY_HOST}/${CUSTOMER_REGISTRY_NAMESPACE}"
 web_ref="${registry_path}/${CUSTOMER_WEB_IMAGE}"
@@ -134,16 +137,17 @@ jobs:
 run: |
 set -euo pipefail
- mkdir -p "${HOME}/.ssh"
- key_path="${HOME}/.ssh/customer_deploy_key"
+ home_dir="${HOME:-/root}"
+ mkdir -p "${home_dir}/.ssh"
+ key_path="${home_dir}/.ssh/customer_deploy_key"
 if [ -n "${CUSTOMER_DEPLOY_SSH_KEY_B64:-}" ]; then
 printf '%s' "${CUSTOMER_DEPLOY_SSH_KEY_B64}" | base64 -d > "${key_path}"
 elif [ -n "${DEPLOY_SSH_KEY:-}" ]; then
 printf '%s' "${DEPLOY_SSH_KEY}" | base64 -d > "${key_path}"
 elif [ -n "${CUSTOMER_DEPLOY_SSH_KEY:-}" ]; then
 printf '%s\n' "${CUSTOMER_DEPLOY_SSH_KEY}" > "${key_path}"
- elif [ -f "${HOME}/.ssh/ci-key" ]; then
- cp "${HOME}/.ssh/ci-key" "${key_path}"
+ elif [ -f "${home_dir}/.ssh/ci-key" ]; then
+ cp "${home_dir}/.ssh/ci-key" "${key_path}"
 else
 cp "/root/.ssh/ci-key" "${key_path}"
 fi
-- 2.39.5
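Review bot: The credential fallback chain on the two `+ registry_user=` / `+ registry_password=` lines is now duplicated verbatim between this step and the earlier validation step, so any gating added to one (for instance restricting the `GITEA_TOKEN` fallback to the Gitea-hosted registry) will silently drift from the other; move the resolution into a checked-in helper sourced by both steps, or resolve once and reuse. As written here too, `registry_user` and `registry_password` fall back independently, so `REGISTRY_USER` set without `REGISTRY_TOKEN`/`REGISTRY_PASSWORD` logs in with a human username and the CI token, which a paired resolution would avoid. The step continues past the hunk, so where these credentials are consumed (and whether `GITEA_TOKEN` needs to be exposed to every command in the step) is not visible here.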
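Review bot: The private key is written to `${key_path}` (via `base64 -d >`, `printf >` or `cp`) under the runner's default umask, so unless a `chmod` follows the `fi` outside the hunk the file is typically created 0644 and `${home_dir}/.ssh` 0755, which ssh rejects as an unprotected private key and which leaves key material readable by every account on a shared self-hosted runner. Add `umask 077` immediately after `set -euo pipefail` so `mkdir -p` and every write below create owner-only entries; it is harmless if a later `chmod 600` already exists. The `ci-key` fallbacks also mean a long-lived key is copied into the workspace home on every run, so on self-hosted runners consider removing `${key_path}` in an always-run cleanup step. The step continues past `fi`.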