fix:fix workflow

.gitea/workflows/release-offline.yml

@@ -3,14 +3,21 @@ name: offline-release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   package-and-deploy:
     runs-on: build-host
     steps:
       - name: Prepare local worktree
         env:
-          MAIBOT_REPO_URL: http://127.0.0.1:3000/${{ gitea.repository }}.git
           MAIBOT_REPO_SHA: ${{ gitea.sha }}
+          MAIBOT_REPO_REF: ${{ gitea.ref }}
+          MAIBOT_REPOSITORY: ${{ gitea.repository }}
+          MAIBOT_SERVER_URL: ${{ gitea.server_url }}
+          MAIBOT_REPO_URL: ${{ vars.MAIBOT_REPO_URL }}
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
         shell: bash
         run: |
           set -euo pipefail
@@ -20,14 +27,29 @@ jobs:
 
           rm -rf "$worktree"
           mkdir -p "$worktree_root"
+          printf 'MAIBOT_WORKTREE=%s\n' "$worktree" >> "$GITHUB_ENV"
 
-          git clone --no-checkout "$MAIBOT_REPO_URL" "$worktree"
-          git -C "$worktree" checkout --force "$MAIBOT_REPO_SHA"
+          repo_url="${MAIBOT_REPO_URL:-${MAIBOT_SERVER_URL%/}/${MAIBOT_REPOSITORY}.git}"
+          auth_header="Authorization: token ${GITEA_TOKEN}"
+
+          echo "Resolving repository source: $repo_url"
+          git -c http.lowSpeedLimit=1 \
+              -c http.lowSpeedTime=30 \
+              -c http.extraHeader="$auth_header" \
+              ls-remote "$repo_url" "$MAIBOT_REPO_REF"
+
+          git init "$worktree"
+          git -C "$worktree" remote add origin "$repo_url"
+          git -C "$worktree" \
+              -c http.lowSpeedLimit=1 \
+              -c http.lowSpeedTime=30 \
+              -c http.extraHeader="$auth_header" \
+              fetch --depth=1 origin "$MAIBOT_REPO_SHA"
+          git -C "$worktree" checkout --force FETCH_HEAD
           git -C "$worktree" clean -dffx
 
           app_tag="$(git -C "$worktree" rev-parse --short=12 HEAD)"
           printf 'APP_TAG=%s\n' "$app_tag" >> "$GITHUB_ENV"
-          printf 'MAIBOT_WORKTREE=%s\n' "$worktree" >> "$GITHUB_ENV"
 
       - name: Stage release directory
         shell: bash

deploy/server-maibot/README_DEPLOY_STEPS.txt

@@ -22,18 +22,26 @@ Gitea workflow:
 
 Current pipeline mode:
 - single-host release on the repo-level `build-host` runner
-- clones from local Gitea HTTP on `127.0.0.1:3000`
+- fetches the source commit from the workflow repository itself
+- defaults to `${gitea.server_url}/${gitea.repository}.git`
+- can override the clone URL with the repository variable `MAIBOT_REPO_URL`
+- authenticates Git over HTTP(S) with the built-in `GITEA_TOKEN`
+- performs a shallow fetch of the triggering commit instead of a full clone
 - stages source into `/srv/maibot/releases/<commit>`
 - builds `maibot-offline:<commit>` from the staged release using local base image `maibot-offline:latest`
 - tags the same image back to `maibot-offline:latest`
 - deploys from `/root/maibot-offline` with `docker compose up -d`
 
 Optional environment overrides for the workflow runtime:
+- `MAIBOT_REPO_URL`
 - `MAIBOT_RELEASE_ROOT`
 - `MAIBOT_RUNTIME_ROOT`
 - `MAIBOT_BASE_IMAGE`
 
-No repository secrets are required for the default same-host pipeline.
+Runner connectivity note:
+- if the runner cannot access `${gitea.server_url}` directly, set `MAIBOT_REPO_URL` to a runner-reachable HTTPS clone URL
+- for private repositories, the workflow uses the built-in `GITEA_TOKEN`, so no extra personal access token secret is needed
+- the repository or owner Actions settings must allow the job token to read repository contents
 
 Bootstrap note:
 - `deploy/server-maibot/Dockerfile.offline` is only for the first bootstrap or for refreshing the runtime base image.