From 91c993aae341950b4dc3f46b098a2ceb791a69c3 Mon Sep 17 00:00:00 2001 From: RJ Date: Wed, 19 Nov 2025 17:26:59 +0200 Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=AA=20support=20for=20insecure=20regis?= =?UTF-8?q?try=20on=20CICD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitea/workflows/main.yml | 47 +++++++++++++++++++++++++++++---------- 1 file changed, 35 insertions(+), 12 deletions(-) diff --git a/.gitea/workflows/main.yml b/.gitea/workflows/main.yml index bc99dba..f63325b 100644 --- a/.gitea/workflows/main.yml +++ b/.gitea/workflows/main.yml @@ -15,6 +15,14 @@ # Environment Variables (configured below): # - REGISTRY: Docker registry URL # - IMAGE_NAME: Docker image name +# +# Docker Registry Authentication Strategy: +# - Registry login is OPTIONAL and conditional +# - Login only attempted if REGISTRY_USERNAME and REGISTRY_PASSWORD are configured +# - Login failures are logged but do NOT fail the workflow +# - Insecure/private registries (e.g., repository.workspace:5000) work without authentication +# - If push/pull fails due to auth, the workflow will fail at that point (not at login) +# - This approach supports both authenticated and insecure registries without workflow changes name: Build and Deploy Next.js Blog to Production 
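Review bot: The new header comment says login failures are logged, but every login this commit adds redirects stderr to `/dev/null`, so only a generic warning reaches the run log and the actual reason is lost; either the comment or the redirect should change. The comment also uses "insecure" and "private" interchangeably without saying what is given up. I would add a line such as `# - An insecure (plain-HTTP) registry gives no server authentication or transport integrity: keep it on a trusted network and reference images by digest`.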
@@ -84,14 +92,20 @@ jobs: - name: 🔎 Checkout code uses: actions/checkout@v4 + # Optional: Only needed if registry requires authentication + # For insecure/private registries (e.g., repository.workspace:5000), login is not required + # Credentials are checked before attempting login to avoid unnecessary failures - name: 🔐 Log in to Docker Registry (if credentials provided) run: | if [ -n "${{ secrets.REGISTRY_USERNAME }}" ] && [ -n "${{ secrets.REGISTRY_PASSWORD }}" ]; then echo "Logging into ${{ env.REGISTRY }} with credentials..." - echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin - echo "✅ Login successful" + if echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY }} -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin 2>/dev/null; then + echo "✅ Login successful" + else + echo "âš ī¸ Login failed, continuing anyway (registry might not require auth)" + fi else - echo "âš ī¸ No registry credentials provided - using insecure/public registry" + echo "âš ī¸ No registry credentials provided - using insecure/public registry (no login required)" fi - name: đŸ—ī¸ Build Docker image @@ -146,6 +160,9 @@ jobs: - name: 🔎 Checkout code (for docker-compose file) uses: actions/checkout@v4 + # Optional: Validate registry access if authentication is configured + # For insecure registries, this step only logs status without failing workflow + # Actual registry access is tested during image pull in deployment step - name: 🔐 Validate Registry Access on Production Server uses: appleboy/ssh-action@v1.0.3 env: 
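Review bot: In the build job's login step, a failed `docker login` with configured credentials is now treated as success and its stderr is discarded by `2>/dev/null`, so a wrong password, an expired token or a `REGISTRY` value pointing at the wrong host goes unnoticed until a later push or pull, or never if that registry accepts anonymous access. When both secrets are set, authentication was asked for, so I would keep the failure fatal and visible: drop the redirect and make the else branch `echo "Registry login failed" >&2; exit 1`. The same pattern is repeated in the validation step (hunk at -162,13) and the deploy step (hunk at -235,11). Separately, the secrets are still interpolated into the script text with `${{ secrets.REGISTRY_PASSWORD }}`; passing them through the step's `env:`, as the deploy step does, keeps shell metacharacters in a secret from being interpreted.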
@@ -162,13 +179,14 @@ jobs: echo "=== Validating Docker Registry access ===" if [ -n "$REGISTRY_USERNAME" ] && [ -n "$REGISTRY_PASSWORD" ]; then echo "Logging into $REGISTRY_URL with credentials..." - echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY_URL" -u "$REGISTRY_USERNAME" --password-stdin - echo "✅ Registry authentication successful" + if echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY_URL" -u "$REGISTRY_USERNAME" --password-stdin 2>/dev/null; then + echo "✅ Registry authentication successful" + else + echo "âš ī¸ Login failed - registry might not require authentication" + fi else - echo "âš ī¸ No registry credentials - using insecure/public registry" - echo "Testing registry connectivity..." - curl -f "http://$REGISTRY_URL/v2/" || { echo "❌ Registry not accessible"; exit 1; } - echo "✅ Registry is accessible" + echo "âš ī¸ No registry credentials configured - using insecure/public registry" + echo "â„šī¸ Registry connectivity will be validated during image pull" fi - name: 📁 Ensure application directory structure @@ -220,6 +238,7 @@ jobs: - name: đŸŗ Deploy application via Docker Compose uses: appleboy/ssh-action@v1.0.3 env: + # Optional: only needed if registry requires authentication REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD || '' }} REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME || '' }} REGISTRY_URL: ${{ env.REGISTRY }} 
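Review bot: After this change the "Validate Registry Access" step can no longer fail in the lines shown: the credentialed branch swallows a login error, and the no-credentials branch only prints two messages now that the `curl -f` probe is removed. A step that always succeeds gives a false signal in the run log, and an unreachable registry is then discovered only in the deploy step. I would either drop the step or keep a non-fatal probe that reports its result, e.g. `curl -fsS "http://$REGISTRY_URL/v2/" >/dev/null || echo "Registry not reachable from this host"`. The script begins before the hunk, so earlier lines may still be able to fail it.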
@@ -235,11 +254,15 @@ jobs: echo "=== Starting deployment to production server ===" cd /opt/mypage - # Log in to Docker registry (if credentials are configured) + # Log in to Docker registry (skip if credentials not configured) + # For insecure/private registries (repository.workspace:5000), login is optional if [ -n "$REGISTRY_USERNAME" ] && [ -n "$REGISTRY_PASSWORD" ]; then echo "=== Logging in to Docker registry ===" - echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY_URL" -u "$REGISTRY_USERNAME" --password-stdin - echo "✅ Registry login successful" + if echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY_URL" -u "$REGISTRY_USERNAME" --password-stdin 2>/dev/null; then + echo "✅ Registry login successful" + else + echo "âš ī¸ Login failed - continuing anyway (registry might not require auth)" + fi else echo "âš ī¸ No registry credentials - using insecure/public registry (no login required)" fi