From 109cfbd515e5ea00786309d28b0f01fd5185514f Mon Sep 17 00:00:00 2001
From: m3tm3re
Date: Sun, 18 Jan 2026 07:17:32 +0100
Subject: [PATCH] wf test
---
.gitea/workflows/nix-update.yml | 39 ++++++++++++++-------------------
1 file changed, 16 insertions(+), 23 deletions(-)
diff --git a/.gitea/workflows/nix-update.yml b/.gitea/workflows/nix-update.yml
index ffb7b94..30e8cb4 100644
--- a/.gitea/workflows/nix-update.yml
+++ b/.gitea/workflows/nix-update.yml
@@ -16,42 +16,39 @@ env:
GIT_COMMITTER_NAME: "nix-update bot"
GIT_COMMITTER_EMAIL: "bot@m3ta.dev"
GIT_TERMINAL_PROMPT: "0"
- GIT_ASKPASS: "/bin/echo"
jobs:
nix-update:
runs-on: nixos
steps:
+ - name: Configure Authentication (.netrc)
+ run: |
+ # Configure .netrc for seamless authentication
+ # This bypasses git credential helpers and works reliably in CI environments
+ cat < $HOME/.netrc
+ machine code.m3ta.dev
+ login m3tam3re
+ password ${{ secrets.NIX_UPDATE_TOKEN }}
+ NETRC
+ chmod 600 $HOME/.netrc
+
- name: Checkout repository
run: |
- # Clean up any previous runs
if [ -d "/tmp/nixpkgs" ]; then
rm -rf /tmp/nixpkgs
fi
- # 1. Configure Credentials Globally using a Credential Helper Script
- # This is the most robust way to handle auth without leaking tokens in `ps` output
- # and ensuring it works for all git commands (clone, push, submodules)
-
- # Create a dummy askpass script that returns the password (token)
- echo 'echo "${{ secrets.NIX_UPDATE_TOKEN }}"' > /tmp/git-askpass-helper.sh
- chmod +x /tmp/git-askpass-helper.sh
- export GIT_ASKPASS="/tmp/git-askpass-helper.sh"
-
- # Clone using the username 'm3tam3re' explicitly.
- # Gitea PATs usually require the username to match the token owner for write operations.
+ # Clone using the HTTPS URL (auth handled by .netrc)
git clone --no-single-branch \
- "https://m3tam3re@code.m3ta.dev/m3tam3re/nixpkgs.git" \
+ "https://code.m3ta.dev/m3tam3re/nixpkgs.git" \
/tmp/nixpkgs
cd /tmp/nixpkgs
- # Configure local git user
git config user.name "${{ env.GIT_AUTHOR_NAME }}"
git config user.email "${{ env.GIT_AUTHOR_EMAIL }}"
git config init.defaultBranch master
- # Verify checkout
git status
git log --oneline -5
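Review bot: In the new "Configure Authentication (.netrc)" step the token is written by `cat` before `chmod 600` runs, so under the runner's default umask the file holding the secret is briefly readable by other local users on the self-hosted `nixos` runner, and `$HOME` is unquoted; set the umask first and quote the path, e.g. `umask 077` followed by `cat > "$HOME/.netrc" <<'NETRC'` (the `cat < $HOME/.netrc` line as shown reads from the file rather than writing it, which may be a rendering artefact of the patch but should be checked). Quoting the heredoc delimiter also stops the shell from expanding any `$` or backtick that the substituted token might contain. The `.netrc` is only removed in the later PR-creation step, so a failure in any step in between leaves the token on disk on this persistent runner; a final step guarded with `if: always()` that runs `rm -f "$HOME/.netrc"` would close that gap. The step comment could also state that `.netrc` credentials for `code.m3ta.dev` are honoured by other tools on the runner (curl, fetchers), not just git, so the scope of the file is explicit.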
@@ -66,7 +63,6 @@ jobs:
exit 1
fi
- # Check if flake.nix exists
if [ -f "flake.nix" ]; then
echo "has_flake=true" >> $GITHUB_OUTPUT
else
@@ -171,10 +167,8 @@ jobs:
BRANCH="${{ steps.update.outputs.branch_name }}"
PACKAGES="${{ steps.update.outputs.updated_packages }}"
- # Re-export the helper for this step just in case
- export GIT_ASKPASS="/tmp/git-askpass-helper.sh"
-
echo "Pushing branch ${BRANCH}..."
+ # Authentication is handled by .netrc
git push origin "${BRANCH}"
echo "Creating pull request..."
@@ -184,7 +178,6 @@ jobs:
exit 1
fi
- # Reset tea login
tea login delete m3ta >/dev/null 2>&1 || true
tea login add --name m3ta --url https://code.m3ta.dev --token "${{ secrets.NIX_UPDATE_TOKEN }}"
@@ -197,9 +190,9 @@ jobs:
--body "$(printf "Automated package updates using nix-update.\n\nUpdated packages:\n%s\n\nCommits:\n%s" "$PACKAGES" "$COMMITS")" \
--assignees m3tam3re \
--labels automated-update || echo "PR creation failed"
-
+
# Cleanup
- rm -f /tmp/git-askpass-helper.sh
+ rm -f $HOME/.netrc
- name: Summary
if: always()