Document Gitea package publishing pitfalls

2026-05-04 10:59:09 +02:00
parent 4de3fb693c
commit 2cd9045a38
6 changed files with 61 additions and 11 deletions
--- a/files/AGENTS.md
+++ b/files/AGENTS.md
@@ -25,6 +25,7 @@ PROJECT_NAME: PROJECT_DESCRIPTION
 - Add or preserve `.gitea/workflows/dependency-check.yml`, `.gitea/workflows/release-dry-run.yml`, and `.gitea/workflows/template-compliance.yml` when the repository is active, releasable, or intended as a Codex-maintained project.
 - Repository cleanup automation must be non-destructive. Do not delete branches, packages, releases, or tracked files without explicit user approval.
 - Dependency, compliance, and release dry-run automation must report findings only. Do not auto-update dependencies, auto-open PRs, create tags, publish packages, or create releases without explicit user approval.
+- Gitea Actions artifacts are not Gitea Package Registry packages. If the user expects a package/download entry, add an explicit registry publish step and verify the package URL after the workflow succeeds.

 ## Commands

@@ -66,6 +67,7 @@ ARTIFACT_NAME
 - Keep external network calls documented.
 - Prefer local processing for user data.
 - Keep CI publishing secrets in repository or organization secrets, not in tracked files. `REGISTRY_TOKEN` is the default package publishing secret name for the Gitea workflow template.
+- Use URL-safe package filenames when publishing to a registry. Do not put raw artifact names with spaces or punctuation directly into upload URLs.
 - Ensure `.gitignore` covers local config, build outputs, logs, temporary files, and secret material for the detected stack.

 ## Finish Checklist
--- a/files/build-gitea.yml
+++ b/files/build-gitea.yml
@@ -53,26 +53,53 @@ jobs:
        run: |
          app_version="PROJECT_VERSION"
          package_version="${app_version}-${GITHUB_SHA::7}"
+          package_name="PACKAGE_NAME"
+          package_dir="package-registry"
          latest_url="https://git.wilkensxl.de/api/packages/REPOSITORY_OWNER/generic/PACKAGE_NAME/latest"

-          for artifact in ARTIFACT_OUTPUT_DIRECTORY/*; do
-            [ -f "$artifact" ] || continue
-            file_name="$(basename "$artifact")"
+          mapfile -d '' artifacts < <(find ARTIFACT_OUTPUT_DIRECTORY -maxdepth 1 -type f -print0)
+          if [ "${#artifacts[@]}" -eq 0 ]; then
+            echo "No package artifacts found in ARTIFACT_OUTPUT_DIRECTORY"
+            exit 1
+          fi
+
+          rm -rf "${package_dir}"
+          mkdir -p "${package_dir}/versioned" "${package_dir}/latest"
+
+          for artifact in "${artifacts[@]}"; do
+            extension=""
+            base_name="$(basename "$artifact")"
+            stem="$base_name"
+            if [[ "$base_name" == *.* ]]; then
+              extension=".${base_name##*.}"
+              stem="${base_name%.*}"
+            fi
+            safe_stem="$(echo "$stem" | tr -cs 'A-Za-z0-9._-' '-' | sed 's/^-//; s/-$//')"
+            safe_name="${safe_stem}-${package_version}${extension}"
+            cp "$artifact" "${package_dir}/versioned/${safe_name}"

            curl --fail-with-body \
              --user "REPOSITORY_OWNER:${REGISTRY_TOKEN}" \
-              --upload-file "$artifact" \
-              "https://git.wilkensxl.de/api/packages/REPOSITORY_OWNER/generic/PACKAGE_NAME/${package_version}/${file_name}"
+              --upload-file "${package_dir}/versioned/${safe_name}" \
+              "https://git.wilkensxl.de/api/packages/REPOSITORY_OWNER/generic/PACKAGE_NAME/${package_version}/${safe_name}"
          done

          curl --silent --show-error --user "REPOSITORY_OWNER:${REGISTRY_TOKEN}" --request DELETE "${latest_url}" || true

-          for artifact in ARTIFACT_OUTPUT_DIRECTORY/*; do
-            [ -f "$artifact" ] || continue
-            file_name="$(basename "$artifact")"
+          for artifact in "${artifacts[@]}"; do
+            extension=""
+            base_name="$(basename "$artifact")"
+            stem="$base_name"
+            if [[ "$base_name" == *.* ]]; then
+              extension=".${base_name##*.}"
+              stem="${base_name%.*}"
+            fi
+            safe_stem="$(echo "$stem" | tr -cs 'A-Za-z0-9._-' '-' | sed 's/^-//; s/-$//')"
+            safe_name="${safe_stem}-latest${extension}"
+            cp "$artifact" "${package_dir}/latest/${safe_name}"

            curl --fail-with-body \
              --user "REPOSITORY_OWNER:${REGISTRY_TOKEN}" \
-              --upload-file "$artifact" \
-              "${latest_url}/${file_name}"
+              --upload-file "${package_dir}/latest/${safe_name}" \
+              "${latest_url}/${safe_name}"
          done