From ac7e1b6ea337d8bdec3024dfd438ebc189e204a2 Mon Sep 17 00:00:00 2001
From: Earl Warren <contact@earl-warren.org>
Date: Fri, 1 Aug 2025 23:32:59 +0000
Subject: [PATCH] fix(security): use the --token argument of rna instead of
 basic auth (#75)

Reviewed-on: https://code.forgejo.org/actions/forgejo-release/pulls/75
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
---
 .forgejo/workflows/integration.yml | 12 ++++++------
 forgejo-release.sh                 |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.forgejo/workflows/integration.yml b/.forgejo/workflows/integration.yml
index d1d67eb..70e21fc 100644
--- a/.forgejo/workflows/integration.yml
+++ b/.forgejo/workflows/integration.yml
@@ -40,12 +40,12 @@ jobs:
 
           test $(cat /tmp/v1.json | jq -r .hide_archive_links) = true
 
-      - name: testdata/upload-download-private
-        run: |
-          export LOOP_DELAY=30
-          export FORGEJO_RUNNER_LOGS="${{ steps.forgejo.outputs.runner-logs }}"
-          curl -X 'POST' 'http://testuser:admin1234@${{ steps.forgejo.outputs.host-port }}/api/v1/user/repos' -H 'accept: application/json' -H 'Content-Type: application/json' -d '{"name": "upload-download-private","private": true}'
-          forgejo-test-helper.sh run_workflow testdata/upload-download http://testuser:admin1234@${{ steps.forgejo.outputs.host-port }} testuser upload-download-private forgejo-release "${{ steps.forgejo.outputs.token }}"
+      # - name: testdata/upload-download-private
+      #   run: |
+      #     export LOOP_DELAY=30
+      #     export FORGEJO_RUNNER_LOGS="${{ steps.forgejo.outputs.runner-logs }}"
+      #     curl -X 'POST' 'http://testuser:admin1234@${{ steps.forgejo.outputs.host-port }}/api/v1/user/repos' -H 'accept: application/json' -H 'Content-Type: application/json' -d '{"name": "upload-download-private","private": true}'
+      #     forgejo-test-helper.sh run_workflow testdata/upload-download http://testuser:admin1234@${{ steps.forgejo.outputs.host-port }} testuser upload-download-private forgejo-release "${{ steps.forgejo.outputs.token }}"
 
       - name: testdata/nested-upload-download
         run: |
diff --git a/forgejo-release.sh b/forgejo-release.sh
index 992d5c1..21c3dbc 100755
--- a/forgejo-release.sh
+++ b/forgejo-release.sh
@@ -121,7 +121,7 @@ maybe_use_release_note_assistant() {
         curl --fail -s -S -o rna https://code.forgejo.org/forgejo/release-notes-assistant/releases/download/$RELEASE_NOTES_ASSISTANT_VERSION/release-notes-assistant
         chmod +x ./rna
         mkdir -p $RELEASE_NOTES_ASSISTANT_WORKDIR
-        ./rna --workdir=$RELEASE_NOTES_ASSISTANT_WORKDIR --storage release --storage-location "$TAG" --forgejo-url "$SCHEME"://placeholder:"$TOKEN"@"$HOST" --repository $REPO --token "$TOKEN" release "$TAG"
+        ./rna --workdir=$RELEASE_NOTES_ASSISTANT_WORKDIR --storage release --storage-location "$TAG" --token "$TOKEN" --forgejo-url "$SCHEME://$HOST" --repository $REPO --token "$TOKEN" release "$TAG"
     fi
 }