From 96e4a1eaa22fcf7ba14549476e1b7524b660b10c Mon Sep 17 00:00:00 2001
From: GitButler
Date: Thu, 8 Jan 2026 19:30:48 +0100
Subject: [PATCH 1/3] GitButler Workspace Commit This is placeholder commit and will be replaced by a merge of your virtual branches. Due to GitButler managing multiple virtual branches, you cannot switch back and forth between git branches and virtual branches easily. If you switch to another branch, GitButler will need to be reinitialized. If you commit on this branch, GitButler will throw it away. For more information about what we're doing here, check out our docs: https://docs.gitbutler.com/features/branch-management/integration-branch
-- 2.52.0
From 0ab0aa8bbade2d7a49eb446e4e44a1c8f60976f9 Mon Sep 17 00:00:00 2001
From: Joakim Olsson
Date: Thu, 8 Jan 2026 20:57:06 +0100
Subject: [PATCH 2/3] feat: use file-based release token instead of secret
---
.gitea/workflows/Release.yml | 28 ++++++++++++++--------------
README.md | 8 +++-----
2 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/.gitea/workflows/Release.yml b/.gitea/workflows/Release.yml
index 2d7a7fc..03614fa 100644
--- a/.gitea/workflows/Release.yml
+++ b/.gitea/workflows/Release.yml
@@ -8,13 +8,10 @@ on: required: false default: false type: boolean - secrets: - UNBOUND_RELEASE_TOKEN: - description: 'Token with API access to create PRs and releases' - required: true env: GITEA_URL: https://git.unbound.se + RELEASE_TOKEN_FILE: /runner-secrets/release-token jobs: preconditions:
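Review bot: The new `RELEASE_TOKEN_FILE` entry in the workflow-level `env:` block carries no comment saying who provisions `/runner-secrets/release-token` or which jobs are meant to see it. With the `secrets:` input removed, access to the token is no longer granted per caller; it presumably follows whatever the runner mounts into job containers, so any workflow scheduled on such a runner could read the file, which should be confirmed against the runner configuration (not visible here). I would add above the entry: `# Release token is mounted by the runner, not passed by the caller; mount it only on runners restricted to trusted repositories and branches.` Dropping the declared secret also looks like an interface change for existing callers that still pass `UNBOUND_RELEASE_TOKEN`, so it may deserve a mention in the commit message.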
@@ -24,14 +21,17 @@ jobs: image: amd64/alpine:3.22.2@sha256:b687e78c6e2785808446f45b52f1540a1e58adc07bdcffea354933b18c613d90 steps: - name: Validate token - if: ${{ secrets.UNBOUND_RELEASE_TOKEN == '' }} run: | - echo "To use Unbound Release, a UNBOUND_RELEASE_TOKEN secret needs to be defined." - echo "It needs API access to write repository files, create PRs and releases." - echo " " - echo "Create a token in Gitea: Settings -> Applications -> Generate New Token" - echo "Required scopes: repository (read/write), issue (read/write)" - exit 1 + if [ ! -r "${RELEASE_TOKEN_FILE}" ]; then + echo "Release token file not found at ${RELEASE_TOKEN_FILE}" + echo "This workflow requires the runner to have RELEASE_TOKEN configured." + exit 1 + fi + if [ ! -s "${RELEASE_TOKEN_FILE}" ]; then + echo "Release token file is empty" + exit 1 + fi + echo "Release token found" changelog: name: Generate Changelog
@@ -99,10 +99,10 @@ jobs: - name: Create or update release PR env: - TOKEN: ${{ secrets.UNBOUND_RELEASE_TOKEN }} REPOSITORY: ${{ github.repository }} DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} run: | + TOKEN=$(cat "${RELEASE_TOKEN_FILE}") VERSION=$(cat VERSION) OWNER=$(echo "${REPOSITORY}" | cut -d'/' -f1) REPO=$(echo "${REPOSITORY}" | cut -d'/' -f2)
@@ -312,10 +312,10 @@ jobs: - name: Create release env: - TOKEN: ${{ secrets.UNBOUND_RELEASE_TOKEN }} REPOSITORY: ${{ github.repository }} DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} run: | + TOKEN=$(cat "${RELEASE_TOKEN_FILE}") if [ ! -r .version ]; then echo "Version file not found" exit 0
@@ -375,10 +375,10 @@ jobs: - name: Create tag env: - TOKEN: ${{ secrets.UNBOUND_RELEASE_TOKEN }} REPOSITORY: ${{ github.repository }} DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} run: | + TOKEN=$(cat "${RELEASE_TOKEN_FILE}") if [ ! -r .version ]; then echo "Version file not found" exit 0
diff --git a/README.md b/README.md
index efbe18f..42bce87 100644
--- a/README.md
+++ b/README.md
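Review bot: The rewritten `Validate token` step drops the operator guidance the old message carried: the removed `echo` lines named the scopes the token needs (`repository` and `issue`, read/write), and nothing in the new failure path says what to provision. Keeping that line helps whoever sets up the runner issue a narrowly scoped token rather than a broad one; I would add `echo "Required scopes: repository (read/write), issue (read/write)"` before the first `exit 1`. The step also only proves the file is readable and non-empty, so an expired or wrong token would still surface later in the API calls, which are outside this hunk.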
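Review bot: `TOKEN=$(cat "${RELEASE_TOKEN_FILE}")` turns the token into an ordinary shell variable, and the same line is added in the `Create release` and `Create tag` steps further down. A value injected through `secrets.*` is normally redacted from job logs by the runner, whereas a value read from a file is not registered as a secret, so a later `set -x` or verbose HTTP client output would presumably print it in clear. If the runner honours the `::add-mask::` workflow command, follow the read with `echo "::add-mask::${TOKEN}"`; otherwise add a comment such as `# token is not log-masked: keep tracing and verbose curl off in this step`. The remainder of each `run` script lies outside the hunks, so how the token is handed to the API client could not be checked.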
@@ -20,21 +20,19 @@ on: jobs: release: uses: unboundsoftware/shared-workflows/.gitea/workflows/Release.yml@main - secrets: - UNBOUND_RELEASE_TOKEN: ${{ secrets.GIT_API_TOKEN }} ``` **Inputs:** - `tag_only` (boolean, default: `false`): Set to `true` to only create tags without full releases -**Secrets:** +**Requirements:** -- `UNBOUND_RELEASE_TOKEN` (required): Token with API access to create PRs and releases. Required scopes: `repository` (read/write), `issue` (read/write) +This workflow reads the release token from `/runner-secrets/release-token`, which is automatically available on Unbound's Gitea runners. No repository secrets need to be configured. **How it works:** 1. On each push to the default branch, generates a changelog using git-cliff 2. Creates or updates a `next-release` branch with the updated CHANGELOG.md and .version file 3. Opens or updates a PR titled "chore(release): prepare for vX.Y.Z" -4. When the .version file exists (after merging the release PR), creates a GitHub release with the changelog +4. When the .version file exists (after merging the release PR), creates a Gitea release with the changelog
-- 2.52.0
From d8ee9e8b103769d109e1efb5dccd122ea87941b8 Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Thu, 8 Jan 2026 20:10:53 +0000
Subject: [PATCH 3/3] chore(deps): update alpine docker tag to v3.23.2
---
.gitea/workflows/Release.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.gitea/workflows/Release.yml b/.gitea/workflows/Release.yml
index 03614fa..b75e346 100644
--- a/.gitea/workflows/Release.yml
+++ b/.gitea/workflows/Release.yml
@@ -18,7 +18,7 @@ jobs: name: Check Preconditions runs-on: ubuntu-latest container: - image: amd64/alpine:3.22.2@sha256:b687e78c6e2785808446f45b52f1540a1e58adc07bdcffea354933b18c613d90 + image: amd64/alpine:3.23.2@sha256:f276aafd5da0d02877540e1dbf42bdd6b08191073438dd03f0d3b8078f30fb34 steps: - name: Validate token run: |
@@ -87,7 +87,7 @@ jobs: needs: changelog if: needs.changelog.outputs.has_changes == 'true' container: - image: amd64/alpine:3.22.2@sha256:b687e78c6e2785808446f45b52f1540a1e58adc07bdcffea354933b18c613d90 + image: amd64/alpine:3.23.2@sha256:f276aafd5da0d02877540e1dbf42bdd6b08191073438dd03f0d3b8078f30fb34 steps: - name: Install dependencies run: apk add --no-cache git jq curl
@@ -295,7 +295,7 @@ jobs: github.ref_name == github.event.repository.default_branch && inputs.tag_only != true container: - image: amd64/alpine:3.22.2@sha256:b687e78c6e2785808446f45b52f1540a1e58adc07bdcffea354933b18c613d90 + image: amd64/alpine:3.23.2@sha256:f276aafd5da0d02877540e1dbf42bdd6b08191073438dd03f0d3b8078f30fb34 steps: - name: Checkout uses: actions/checkout@v4
@@ -358,7 +358,7 @@ jobs: github.ref_name == github.event.repository.default_branch && inputs.tag_only == true container: - image: amd64/alpine:3.22.2@sha256:b687e78c6e2785808446f45b52f1540a1e58adc07bdcffea354933b18c613d90 + image: amd64/alpine:3.23.2@sha256:f276aafd5da0d02877540e1dbf42bdd6b08191073438dd03f0d3b8078f30fb34 steps: - name: Checkout uses: actions/checkout@v4
-- 2.52.0