From be39662d104bd0ae9f8ccfee30af831a1d9a69e1 Mon Sep 17 00:00:00 2001
From: MaddoScientisto <maddo.science@gmail.com>
Date: Sun, 19 Apr 2026 12:23:35 +0200
Subject: [PATCH] Refactor Forgejo LFS authentication to use secrets for
 username and token

---
 .forgejo/workflows/publish-faceai-container.yml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/.forgejo/workflows/publish-faceai-container.yml b/.forgejo/workflows/publish-faceai-container.yml
index 6bf289ff..160d3d19 100644
--- a/.forgejo/workflows/publish-faceai-container.yml
+++ b/.forgejo/workflows/publish-faceai-container.yml
@@ -26,14 +26,14 @@ jobs:
       DOCKER_HOST: ${{ vars.DOCKER_HOST != '' && vars.DOCKER_HOST || 'tcp://172.17.0.1:2375' }}
       REPO_SERVER_URL: ${{ forgejo.server_url }}
       REPO_NAME: ${{ forgejo.repository }}
-      REPO_ACTOR: ${{ forgejo.actor }}
-      REPO_TOKEN: ${{ forgejo.token }}
+      REPO_AUTH_USER: ${{ secrets.FORGEJO_LFS_USERNAME != '' && secrets.FORGEJO_LFS_USERNAME || 'x-access-token' }}
+      REPO_TOKEN: ${{ secrets.FORGEJO_LFS_TOKEN != '' && secrets.FORGEJO_LFS_TOKEN || forgejo.token }}
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          token: ${{ forgejo.token }}
+          token: ${{ secrets.FORGEJO_LFS_TOKEN != '' && secrets.FORGEJO_LFS_TOKEN || forgejo.token }}
           persist-credentials: true
 
       - name: Validate workflow variables
@@ -90,13 +90,16 @@ jobs:
             echo "forgejo.repository is required for Forgejo LFS auth"
             exit 1
           fi
-          if [ -z "${REPO_ACTOR}" ] || [ -z "${REPO_TOKEN}" ]; then
-            echo "forgejo.actor and forgejo.token are required for Forgejo LFS auth"
+          if [ -z "${REPO_AUTH_USER}" ] || [ -z "${REPO_TOKEN}" ]; then
+            echo "Forgejo LFS auth requires a username and token"
             exit 1
           fi
 
-          AUTH_B64="$(printf '%s' "${REPO_ACTOR}:${REPO_TOKEN}" | base64 | tr -d '\n')"
+          git lfs install --local
+
+          AUTH_B64="$(printf '%s' "${REPO_AUTH_USER}:${REPO_TOKEN}" | base64 | tr -d '\n')"
           git config --local "http.${REPO_SERVER_URL}/.extraheader" "AUTHORIZATION: basic ${AUTH_B64}"
+          git config --local "http.${REPO_SERVER_URL}/${REPO_NAME}.git/info/lfs/.extraheader" "AUTHORIZATION: basic ${AUTH_B64}"
           git config --local lfs.url "${REPO_SERVER_URL}/${REPO_NAME}.git/info/lfs"
 
       - name: Validate Git LFS checkout for matcher binary