From 8d5bdaa518727fa9db32429666e5625416595bb8 Mon Sep 17 00:00:00 2001
From: Konstantin Fickel <mail@konstantinfickel.de>
Date: Fri, 3 Apr 2026 14:00:54 +0200
Subject: [PATCH] fix(ci): add authentication for tag push in release workflow

- Use RELEASE_TOKEN for git push authentication when creating tags
- Add early check to fail with clear error if RELEASE_TOKEN is not configured
---
 .forgejo/workflows/release.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/.forgejo/workflows/release.yml b/.forgejo/workflows/release.yml
index 8daf837..20a7c96 100644
--- a/.forgejo/workflows/release.yml
+++ b/.forgejo/workflows/release.yml
@@ -12,6 +12,15 @@ jobs:
     runs-on: nix
 
     steps:
+      - name: Check RELEASE_TOKEN is configured
+        env:
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        run: |
+          if [ -z "$RELEASE_TOKEN" ]; then
+            echo "::error::RELEASE_TOKEN secret is not configured. Please add it in repository settings."
+            exit 1
+          fi
+
       - name: Check out Repository
         uses: https://git.konstantinfickel.de/actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
@@ -19,6 +28,8 @@ jobs:
 
       - name: Extract version and handle tagging
         id: version
+        env:
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
         run: |
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
             # Manual trigger: read version from Cargo.toml
@@ -31,8 +42,9 @@ jobs:
               exit 1
             fi
 
-            # Create and push the tag
+            # Create and push the tag using RELEASE_TOKEN for authentication
             git tag "$TAG"
+            git remote set-url origin "https://oauth2:${RELEASE_TOKEN}@git.konstantinfickel.de/kfickel/streamd.git"
             git push origin "$TAG"
 
             echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT