.gitea/workflows/ci.yml

@@ -31,16 +31,29 @@ jobs:
           git --version
 
       - name: Checkout source (native git)
+        env:
+          CI_GIT_TOKEN: ${{ secrets.CI_GIT_TOKEN }}
         run: |
+          if [ -z "${CI_GIT_TOKEN:-}" ]; then
+            echo "Missing secret CI_GIT_TOKEN. Add it in repository Actions secrets."
+            exit 1
+          fi
+
+          auth_server="${GITHUB_SERVER_URL#https://}"
+          auth_server="${auth_server#http://}"
+          remote_url="https://oauth2:${CI_GIT_TOKEN}@${auth_server}/${GITHUB_REPOSITORY}.git"
+
           if [ -n "${GITHUB_WORKSPACE:-}" ]; then
             cd "$GITHUB_WORKSPACE"
           fi
 
           if [ ! -d .git ]; then
             git init
-            git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
           fi
 
+          git remote remove origin >/dev/null 2>&1 || true
+          git remote add origin "$remote_url"
+
           git fetch --depth 1 origin "$GITHUB_SHA"
           git checkout --force FETCH_HEAD
 

CHANGELOG.md

@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - `CHANGELOG.md` — this file; established changelog tracking for the project
 - `.gitea/workflows/ci.yml` — Gitea Actions CI workflow for push and pull request events
 - Gitea CI now uses native `git` checkout and system Python setup to avoid host-executor JavaScript action path issues
+- Gitea native checkout now uses `CI_GIT_TOKEN` repository secret for authenticated fetch from private repos
 - Python package scaffold with `src` layout and project metadata in `pyproject.toml`
 - Initial CLI entrypoint with agreed SSH flags: `--identity-file`, `--jump-host`, and `--ignore-ssh-config`
 - Input parsing/validation module and core request model