gitea: hide actions when not logged in

services/gitea/gitea.nix

@@ -49,6 +49,32 @@
     };
   };
 
+  # Hide repo Actions/workflow details from anonymous visitors. Gitea's own
+  # REQUIRE_SIGNIN_VIEW=expensive mode does not cover /{user}/{repo}/actions,
+  # so we gate the path at Caddy: forward_auth probes Gitea's /api/v1/user
+  # with the incoming request's Cookie/Authorization headers. A logged-in
+  # session answers 200 and the original request falls through to the
+  # reverse_proxy from mkCaddyReverseProxy; a 401 is turned into a redirect
+  # to the login page so the browser shows the login form instead of the
+  # workflow list. Workflow status badges stay public so README links keep
+  # rendering.
+  services.caddy.virtualHosts.${service_configs.gitea.domain}.extraConfig = ''
+    @repoActionsNotBadge {
+      path_regexp ^/[^/]+/[^/]+/actions(/.*)?$
+      not path_regexp ^/[^/]+/[^/]+/actions/workflows/[^/]+/badge\.svg$
+    }
+    handle @repoActionsNotBadge {
+      forward_auth :${toString service_configs.ports.private.gitea.port} {
+        uri /api/v1/user
+
+        @unauthorized status 401
+        handle_response @unauthorized {
+          redir * /user/login?redirect_to={uri} 302
+        }
+      }
+    }
+  '';
+
   services.postgresql = {
     ensureDatabases = [ config.services.gitea.user ];
     ensureUsers = [