From 53e19e0ba216cdb96c596c30d703c2191bd1e053 Mon Sep 17 00:00:00 2001 From: Arlind Date: Wed, 1 Oct 2025 15:44:09 +0200 Subject: [PATCH] Test github token for api requests --- .gitea/workflows/deploy-ci.yaml | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/.gitea/workflows/deploy-ci.yaml b/.gitea/workflows/deploy-ci.yaml index a109a56..8820b7a 100644 --- a/.gitea/workflows/deploy-ci.yaml +++ b/.gitea/workflows/deploy-ci.yaml @@ -10,6 +10,9 @@ env: ARTIFACT_PATH: "/data" REPO_LIST_FILE: "/data/valid_repos.txt" +permissions: + contents: write + jobs: fetch-template: name: Fetch CI Template and .gitattributes @@ -22,14 +25,14 @@ jobs: steps: - name: Mask Sensitive Token - run: echo "::add-mask::${{ secrets.TOKEN }}" + run: echo "::add-mask::${{ secrets.GITHUB_TOKEN }}" - id: load-template name: Load Template from osc/skins-template run: | set -eo pipefail echo "📥 Fetching template from osc/skins-template@$TEMPLATE_PATH" - resp=$(curl -sSL -H "Authorization: token ${{ secrets.TOKEN }}" \ + resp=$(curl -sSL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ "$GITEA_API/repos/osc/skins-template/contents/$TEMPLATE_PATH?ref=main") template_b64=$(echo "$resp" | jq -r .content) echo "✅ Template fetched and encoded" @@ -40,7 +43,7 @@ jobs: run: | set -eo pipefail echo "📥 Fetching .gitattributes from osc/skins-template" - resp=$(curl -sSL -H "Authorization: token ${{ secrets.TOKEN }}" \ + resp=$(curl -sSL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ "$GITEA_API/repos/osc/skins-template/contents/.gitattributes?ref=main") gitattributes_b64=$(echo "$resp" | jq -r .content) echo "✅ .gitattributes fetched and encoded" 
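Review bot: The added top-level `permissions: contents: write` applies to every job in the workflow, including `fetch-template`, whose visible steps only read from `osc/skins-template`; it belongs on the one job that issues the `PUT` to `/contents/`, with `contents: read` for the read-only jobs. Gitea's Actions documentation has listed workflow `permissions` as ignored, so confirm on the deployed version that this block has any effect before relying on it. Even where it is honoured, it presumably scopes the automatic token for the repository running the workflow, which would not cover the other `$owner/$repo` targets this workflow writes to.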
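Review bot: The token is spliced into the script text with `${{ secrets.GITHUB_TOKEN }}` in `load-template` and in every other changed curl call of this patch, so the rendered script on the runner contains the secret verbatim. Map it once through `env:` (`API_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and write `-H "Authorization: token $API_TOKEN"`, which also turns the next token swap into a one-line change. The header still ends up in curl's argv either way; reading it from a file with `-H @"$hdr_file"` keeps it out of the process list if the runner is shared. The `Mask Sensitive Token` step echoes the secret and relies on the runner intercepting `::add-mask::`; registered secrets are normally masked already, so that step is probably unnecessary.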
@@ -66,10 +69,10 @@ jobs: page=1 total_valid=0 user_index=1 - users_total=$(curl -sSL -H "Authorization: token ${{ secrets.TOKEN }}" "$GITEA_API/admin/users" | jq 'length') + users_total=$(curl -sSL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "$GITEA_API/admin/users" | jq 'length') while :; do - users_json=$(curl -sSL -H "Authorization: token ${{ secrets.TOKEN }}" "$GITEA_API/admin/users?limit=50&page=$page") + users_json=$(curl -sSL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "$GITEA_API/admin/users?limit=50&page=$page") users_count=$(echo "$users_json" | jq 'length') [ "$users_count" -eq 0 ] && break @@ -77,13 +80,13 @@ jobs: user=$(echo "$users_json" | jq -r ".[$i].login") echo "[$user_index/$users_total] 👤 Checking user: $user" - repos_json=$(curl -sSL -H "Authorization: token ${{ secrets.TOKEN }}" "$GITEA_API/users/$user/repos") + repos_json=$(curl -sSL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "$GITEA_API/users/$user/repos") repo_count=$(echo "$repos_json" | jq 'length') for j in $(seq 0 $((repo_count - 1))); do owner=$(echo "$repos_json" | jq -r ".[$j].owner.login") repo=$(echo "$repos_json" | jq -r ".[$j].name") - contents=$(curl -sSL -H "Authorization: token ${{ secrets.TOKEN }}" "$GITEA_API/repos/$owner/$repo/contents?ref=main") + contents=$(curl -sSL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "$GITEA_API/repos/$owner/$repo/contents?ref=main") if echo "$contents" | jq -e '.[] | select(.type == "file" and .name == "hardlink-songs-folder.bat")' > /dev/null; then echo "$owner/$repo" >> "$repo_file" 
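Review bot: Both `$GITEA_API/admin/users` calls in this hunk hit an admin endpoint with what is presumably a repository-scoped automatic token, and nothing checks whether the response is a user array or a JSON error object. Because curl runs without `--fail`, `jq 'length'` counts the keys of an error object, so `users_count` never reaches 0 and the `while :` loop cannot exit through the `-eq 0` test; whether `set -e` is active in this step is outside the hunk. Add `--fail` to these calls and guard the type before counting, e.g. `echo "$users_json" | jq -e 'type == "array"' >/dev/null || { echo "user listing failed" >&2; exit 1; }`. The `repos_json` and `contents` calls in the next hunk need the same treatment, since an error body there makes the `jq -e` file test fail and the repository is silently left out of `$repo_file`.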
@@ -141,7 +144,7 @@ jobs: api="$GITEA_API/repos/$owner/$repo" echo "🔧 Syncing CI and .gitattributes to: $owner/$repo" - default_branch=$(curl -sSL -H "Authorization: token ${{ secrets.TOKEN }}" "$api" | jq -r '.default_branch') + default_branch=$(curl -sSL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "$api" | jq -r '.default_branch') for file in "$TEMPLATE_PATH" ".gitattributes"; do if [[ "$file" == "$TEMPLATE_PATH" ]]; then @@ -153,7 +156,7 @@ jobs: fi url="$api/contents/$file" - sha=$(curl -sSL -H "Authorization: token ${{ secrets.TOKEN }}" "$url" | jq -r '.sha // empty' || true) + sha=$(curl -sSL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "$url" | jq -r '.sha // empty' || true) if [[ -z "$sha" ]]; then action="Add" @@ -165,7 +168,7 @@ jobs: '{message: $message, content: $content, sha: $sha, branch: $branch}') fi - if curl -sSL --fail -X PUT -H "Authorization: token ${{ secrets.TOKEN }}" -H "Content-Type: application/json" \ + if curl -sSL --fail -X PUT -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -H "Content-Type: application/json" \ -d "$payload" "$url" >/dev/null; then echo "✅ $action successful for $file in $owner/$repo" else
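Review bot: The `sha` lookup cannot tell a missing file from a rejected request: without `--fail` and with `|| true`, a 401/403 or 5xx body has no `.sha`, so `sha` is empty and the script takes the `Add` branch as if the file did not exist. With a different token being swapped in, that turns an authorization problem into a misleading failed write further down. Branch on the HTTP status instead and treat only 404 as absent, as sketched below; `continue` assumes the enclosing `for file` loop shown in the previous hunk, and whether the step should abort instead is the author's call. The `default_branch` lookup in that hunk has the same gap, since an error body yields the string `null` as the branch name.

```yaml
            # … unchanged: url="$api/contents/$file" …
            resp=$(curl -sSL -w '\n%{http_code}' -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "$url" || true)
            status="${resp##*$'\n'}"
            case "$status" in
              200) sha=$(echo "${resp%$'\n'*}" | jq -r '.sha // empty') ;;
              404) sha="" ;;
              *)
                echo "❌ Lookup of $file in $owner/$repo returned HTTP ${status:-none}" >&2
                continue
                ;;
            esac
            # … unchanged: Add/Update payload selection on -z "$sha" …
```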