ci: harden gitea package workflow

Make checkout idempotent for reused runner workspaces and add a safe test-tag path that validates builds without pushing images or calling the deploy webhook.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

.gitea/workflows/package.yml

@@ -16,9 +16,38 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        env:
-        with:
+          SERVER_URL: ${{ github.server_url }}
-          github-server-url: ${{ github.server_url }}
+          REPOSITORY: ${{ github.repository }}
+          COMMIT_SHA: ${{ github.sha }}
+          GIT_USERNAME: ${{ github.actor }}
+          GIT_TOKEN: ${{ github.token }}
+        run: |
+          case "$SERVER_URL" in
+            http://*)
+              AUTH_SERVER_URL="http://${GIT_USERNAME}:${GIT_TOKEN}@${SERVER_URL#http://}"
+              ;;
+            https://*)
+              AUTH_SERVER_URL="https://${GIT_USERNAME}:${GIT_TOKEN}@${SERVER_URL#https://}"
+              ;;
+            *)
+              AUTH_SERVER_URL="$SERVER_URL"
+              ;;
+          esac
+
+          if [ ! -d .git ]; then
+            git init .
+          fi
+
+          if git remote get-url origin >/dev/null 2>&1; then
+            git remote set-url origin "${AUTH_SERVER_URL}/${REPOSITORY}.git"
+          else
+            git remote add origin "${AUTH_SERVER_URL}/${REPOSITORY}.git"
+          fi
+
+          git fetch --depth=1 origin "$COMMIT_SHA"
+          git checkout --force --detach FETCH_HEAD
+          git clean -ffdx
 
       - name: Normalize image metadata
         env:
@@ -31,16 +60,26 @@ jobs:
           REGISTRY_HOST="${REGISTRY_HOST%/}"
           REPOSITORY_PATH="${RAW_REPOSITORY#/}"
           IMAGE_NAME="${REGISTRY_HOST}/${REPOSITORY_PATH}"
+          case "$IMAGE_TAG" in
+            *-test) IS_TEST_TAG=true ;;
+            *) IS_TEST_TAG=false ;;
+          esac
           {
             echo "REGISTRY_HOST=${REGISTRY_HOST}"
             echo "REPOSITORY_PATH=${REPOSITORY_PATH}"
             echo "IMAGE_NAME=${IMAGE_NAME}"
             echo "IMAGE_TAG=${IMAGE_TAG}"
             echo "IMAGE_REF=${IMAGE_NAME}:${IMAGE_TAG}"
+            echo "IS_TEST_TAG=${IS_TEST_TAG}"
           } >> "$GITHUB_ENV"
 
       - name: Login to Gitea Container Registry
         run: |
+          if [ "$IS_TEST_TAG" = "true" ]; then
+            echo "Test tag detected; skipping registry login."
+            exit 0
+          fi
+
           echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login "$REGISTRY_HOST" \
             --username "${{ secrets.REGISTRY_USERNAME }}" \
             --password-stdin
@@ -61,12 +100,21 @@ jobs:
             --build-arg NEXT_PUBLIC_MAPBOX_TOKEN="${{ secrets.NEXT_PUBLIC_MAPBOX_TOKEN }}" \
             --build-arg NEXT_PUBLIC_TIANDITU_TOKEN="${{ secrets.NEXT_PUBLIC_TIANDITU_TOKEN }}" \
             .
+          if [ "$IS_TEST_TAG" = "true" ]; then
+            echo "Test tag detected; build completed without pushing images."
+            exit 0
+          fi
           docker push "${IMAGE_NAME}:${IMAGE_TAG}"
           docker push "${IMAGE_NAME}:latest"
 
       - name: Notify Deploy Server
         if: success()
         run: |
+          if [ "$IS_TEST_TAG" = "true" ]; then
+            echo "Test tag detected; skipping deploy webhook."
+            exit 0
+          fi
+
           curl -fsSL -X POST "${{ vars.DEPLOY_WEBHOOK_URL }}" \
             -H "Content-Type: application/json" \
             -H "Authorization: Bearer ${{ secrets.DEPLOY_WEBHOOK_TOKEN }}" \

memery.md

@@ -0,0 +1,10 @@
+# CI build notes
+
+## 2026-04-24
+
+- **Observed failure while reproducing workflow checkout locally:** the `Checkout code` step ran `git remote add origin ...` unconditionally. In a workspace that already had an `origin` remote, the job failed with `error: remote origin already exists.` and exited before `docker build`.
+- **Why this matters for act_runner:** self-hosted Gitea runners can reuse working directories or start from repositories that already contain Git metadata, so checkout logic must be idempotent.
+- **Applied fix:** changed `.gitea/workflows/package.yml` to initialize Git only when needed, use `git remote set-url origin ...` when `origin` already exists, and force-clean the workspace after checking out `FETCH_HEAD`.
+- **Safety improvement for remote validation:** tags ending with `-test` now run the build verification path only. They skip registry login, image push, `latest` updates, and the deploy webhook so act_runner can be tested without deployment side effects.
+- **Current local result:** `npm run lint`, `npm run test -- --runInBand`, `npm run build`, `docker build ...`, and `npm run build` inside `gitea/runner-images:ubuntu-22.04` all completed successfully after the workflow adjustment.
+- **Non-blocking note:** local Jest run reported a haste-map naming collision between `package.json` and `.next/standalone/package.json`; tests still passed, and this does not affect the current image-build workflow.