feat: initial repo — docs and scripts for Gitea read-only token access

Three-layer access scheme: owner -> reader account -> scoped API token. Includes 6 automation scripts, config template, EN/RU docs, and manual curl guide. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 14:47:04 +00:00
commit 295afe9b2a
12 changed files with 950 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -0,0 +1,108 @@
+# gitea-token-access
+
+Scripts and documentation for setting up restricted read-only access to private Gitea repositories.
+
+## Problem
+
+You have private repos on a Gitea server and need to give automated tools (installers, CI/CD, scripts) read access — without exposing your admin credentials.
+
+## Solution
+
+A three-layer scheme:
+
+1. **Owner account** — full admin access, owns all repos
+2. **Reader account** — restricted "hobo" account with no admin rights, only sees repos where explicitly added as collaborator
+3. **API token** — scoped to `read:repository`, can only read what the reader account can see
+
+If the token leaks, revoke it and rotate — no admin credentials are exposed.
+
+## Quick Start
+
+```bash
+# 1. Copy and fill in your config
+cp config.example.ini config.ini
+nano config.ini
+
+# 2. Create reader account and token
+bash scripts/setup-reader.sh
+
+# 3. Grant access to a specific repo
+bash scripts/grant-access.sh my-private-repo
+
+# 4. Verify it works
+bash scripts/test-access.sh my-private-repo
+```
+
+## Scripts
+
+| Script | Description |
+|--------|-------------|
+| `setup-reader.sh` | Create reader account + API token |
+| `grant-access.sh <repo>` | Grant read access to a repo |
+| `revoke-access.sh <repo>` | Revoke access from a repo |
+| `list-access.sh` | List all accessible repos |
+| `rotate-token.sh` | Delete old token, create new one |
+| `test-access.sh [repo]` | Verify token and access work |
+
+## Configuration
+
+Copy `config.example.ini` to `config.ini` and fill in your values:
+
+```ini
+[gitea]
+url = https://git.example.com
+api_url = https://git.example.com/api/v1
+
+[owner]
+username = admin-user
+password = admin-password
+
+[reader]
+username = readonly-user
+password = reader-password
+email = reader@noreply.local
+token_name = installer-readonly
+token_scope = read:repository
+```
+
+The `config.ini` file is gitignored and will never be committed.
+
+## Using the Token
+
+### In scripts (curl)
+```bash
+curl -H "Authorization: token YOUR_TOKEN" \
+  https://git.example.com/api/v1/repos/owner/repo/raw/file.txt
+```
+
+### Git clone
+```bash
+git clone https://reader:YOUR_TOKEN@git.example.com/owner/repo.git
+```
+
+### Git credential store
+```bash
+echo "https://reader:YOUR_TOKEN@git.example.com" >> ~/.git-credentials
+git config --global credential.helper store
+git clone https://git.example.com/owner/repo.git
+```
+
+## Documentation
+
+- [Architecture](docs/architecture.md) — how the owner/reader/token scheme works
+- [Manual Setup](docs/manual-setup.md) — step-by-step curl commands
+- [README (Russian)](README_ru.md)
+
+## Security Notes
+
+- The token has `read:repository` scope only — it cannot write, delete, or access admin APIs
+- Access is per-repo: the reader only sees repos where they are an explicit collaborator
+- If the token is compromised: run `rotate-token.sh` to invalidate old token and create a new one
+- `config.ini` contains credentials — it is gitignored and must never be committed
+
+## Requirements
+
+- Gitea instance with API enabled
+- Owner account with admin privileges
+- `curl` and `bash`
+- No external dependencies (no jq, python, etc.)