From 11e2bfc6dea18831a31aef88d28812f15ae05f46 Mon Sep 17 00:00:00 2001
From: Joseph Doherty <dohejw01@gmail.com>
Date: Fri, 20 Feb 2026 13:46:20 -0500
Subject: [PATCH] Require explicit NuGet PAT for Gitea package publishing

---
 .gitea/workflows/nuget.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.gitea/workflows/nuget.yml b/.gitea/workflows/nuget.yml
index 4ef3431..08d0f37 100644
--- a/.gitea/workflows/nuget.yml
+++ b/.gitea/workflows/nuget.yml
@@ -47,14 +47,15 @@ jobs:
         shell: bash
         env:
           NUGET_SOURCE_URL: ${{ github.server_url }}/api/packages/${{ github.repository_owner }}/nuget/index.json
-          NUGET_USERNAME: ${{ secrets.NUGET_USERNAME || github.actor }}
-          NUGET_TOKEN: ${{ secrets.NUGET_TOKEN || secrets.PACKAGE_TOKEN || secrets.GITHUB_TOKEN }}
+          NUGET_USERNAME: ${{ secrets.NUGET_USERNAME || github.repository_owner }}
+          NUGET_TOKEN: ${{ secrets.NUGET_TOKEN }}
         run: |
           set -euo pipefail
 
           if [ -z "${NUGET_TOKEN:-}" ]; then
-            echo "NUGET_TOKEN and GITHUB_TOKEN are both unavailable."
-            echo "Configure one of: secrets.NUGET_TOKEN (preferred) or secrets.GITHUB_TOKEN."
+            echo "Missing required secret: NUGET_TOKEN"
+            echo "Set repository Actions secret NUGET_TOKEN to a Gitea PAT with package write permission."
+            echo "Optional: set NUGET_USERNAME if your PAT owner differs from repository owner."
             exit 1
           fi