feat: use file-based release token instead of secret

.gitea/workflows/Release.yml

@@ -8,13 +8,10 @@ on:
         required: false
         default: false
         type: boolean
-    secrets:
-      UNBOUND_RELEASE_TOKEN:
-        description: 'Token with API access to create PRs and releases'
-        required: true
 
 env:
   GITEA_URL: https://git.unbound.se
+  RELEASE_TOKEN_FILE: /runner-secrets/release-token
 
 jobs:
   preconditions:
@@ -24,14 +21,17 @@ jobs:
       image: amd64/alpine:3.22.2@sha256:b687e78c6e2785808446f45b52f1540a1e58adc07bdcffea354933b18c613d90
     steps:
       - name: Validate token
-        if: ${{ secrets.UNBOUND_RELEASE_TOKEN == '' }}
         run: |
-          echo "To use Unbound Release, a UNBOUND_RELEASE_TOKEN secret needs to be defined."
+          if [ ! -r "${RELEASE_TOKEN_FILE}" ]; then
-          echo "It needs API access to write repository files, create PRs and releases."
+            echo "Release token file not found at ${RELEASE_TOKEN_FILE}"
-          echo " "
+            echo "This workflow requires the runner to have RELEASE_TOKEN configured."
-          echo "Create a token in Gitea: Settings -> Applications -> Generate New Token"
+            exit 1
-          echo "Required scopes: repository (read/write), issue (read/write)"
+          fi
-          exit 1
+          if [ ! -s "${RELEASE_TOKEN_FILE}" ]; then
+            echo "Release token file is empty"
+            exit 1
+          fi
+          echo "Release token found"
 
   changelog:
     name: Generate Changelog
@@ -99,10 +99,10 @@ jobs:
 
       - name: Create or update release PR
         env:
-          TOKEN: ${{ secrets.UNBOUND_RELEASE_TOKEN }}
           REPOSITORY: ${{ github.repository }}
           DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
         run: |
+          TOKEN=$(cat "${RELEASE_TOKEN_FILE}")
           VERSION=$(cat VERSION)
           OWNER=$(echo "${REPOSITORY}" | cut -d'/' -f1)
           REPO=$(echo "${REPOSITORY}" | cut -d'/' -f2)
@@ -312,10 +312,10 @@ jobs:
 
       - name: Create release
         env:
-          TOKEN: ${{ secrets.UNBOUND_RELEASE_TOKEN }}
           REPOSITORY: ${{ github.repository }}
           DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
         run: |
+          TOKEN=$(cat "${RELEASE_TOKEN_FILE}")
           if [ ! -r .version ]; then
             echo "Version file not found"
             exit 0
@@ -375,10 +375,10 @@ jobs:
 
       - name: Create tag
         env:
-          TOKEN: ${{ secrets.UNBOUND_RELEASE_TOKEN }}
           REPOSITORY: ${{ github.repository }}
           DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
         run: |
+          TOKEN=$(cat "${RELEASE_TOKEN_FILE}")
           if [ ! -r .version ]; then
             echo "Version file not found"
             exit 0

README.md

@@ -20,21 +20,19 @@ on:
 jobs:
   release:
     uses: unboundsoftware/shared-workflows/.gitea/workflows/Release.yml@main
-    secrets:
-      UNBOUND_RELEASE_TOKEN: ${{ secrets.GIT_API_TOKEN }}
 ```
 
 **Inputs:**
 
 - `tag_only` (boolean, default: `false`): Set to `true` to only create tags without full releases
 
-**Secrets:**
+**Requirements:**
 
-- `UNBOUND_RELEASE_TOKEN` (required): Token with API access to create PRs and releases. Required scopes: `repository` (read/write), `issue` (read/write)
+This workflow reads the release token from `/runner-secrets/release-token`, which is automatically available on Unbound's Gitea runners. No repository secrets need to be configured.
 
 **How it works:**
 
 1. On each push to the default branch, generates a changelog using git-cliff
 2. Creates or updates a `next-release` branch with the updated CHANGELOG.md and .version file
 3. Opens or updates a PR titled "chore(release): prepare for vX.Y.Z"
-4. When the .version file exists (after merging the release PR), creates a GitHub release with the changelog
+4. When the .version file exists (after merging the release PR), creates a Gitea release with the changelog