gitea: fix actions visibility

services/gitea/gitea.nix

@@ -50,14 +50,14 @@
   };
 
   # Hide repo Actions/workflow details from anonymous visitors. Gitea's own
-  # REQUIRE_SIGNIN_VIEW=expensive mode does not cover /{user}/{repo}/actions,
-  # so we gate the path at Caddy: forward_auth probes Gitea's /api/v1/user
-  # with the incoming request's Cookie/Authorization headers. A logged-in
-  # session answers 200 and the original request falls through to the
-  # reverse_proxy from mkCaddyReverseProxy; a 401 is turned into a redirect
-  # to the login page so the browser shows the login form instead of the
-  # workflow list. Workflow status badges stay public so README links keep
-  # rendering.
+  # REQUIRE_SIGNIN_VIEW=expensive does not cover /{user}/{repo}/actions, and
+  # the API auth chain (routers/api/v1/api.go buildAuthGroup) deliberately
+  # omits `auth_service.Session`, so an /api/v1/user probe would 401 even
+  # for logged-in browser sessions. We gate at Caddy instead: forward_auth
+  # probes a lightweight *web-UI* endpoint that does accept session cookies,
+  # and Gitea's own reqSignIn middleware answers 303 to /user/login for
+  # anonymous callers which we rewrite to preserve the original URL.
+  # Workflow status badges stay public so README links keep rendering.
   services.caddy.virtualHosts.${service_configs.gitea.domain}.extraConfig = ''
     @repoActionsNotBadge {
       path_regexp ^/[^/]+/[^/]+/actions(/.*)?$
@@ -65,9 +65,9 @@
     }
     handle @repoActionsNotBadge {
       forward_auth :${toString service_configs.ports.private.gitea.port} {
-        uri /api/v1/user
+        uri /user/stopwatches
 
-        @unauthorized status 401
+        @unauthorized status 302 303
         handle_response @unauthorized {
           redir * /user/login?redirect_to={uri} 302
         }