gitea-token-access/docs/architecture.md
delta-cloud-208e 295afe9b2a feat: initial repo — docs and scripts for Gitea read-only token access
Three-layer access scheme: owner -> reader account -> scoped API token.
Includes 6 automation scripts, config template, EN/RU docs, and manual curl guide.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 14:47:04 +00:00


# Architecture: Read-Only Token Access for Gitea

## Overview

This scheme gives automated tools read-only, least-privilege access to private Gitea repositories without handing out the owner's credentials. The consumer never sees the owner's password or the admin API; it only holds a token that belongs to a separate reader account and is limited to the `read:repository` scope.

## Components

```text
+-------------------+
|   Owner Account   |   Full admin access to Gitea
|   (e.g. aibot777) |   Owns all repositories
+--------+----------+
         |
         | Creates & manages via Admin API
         v
+-------------------+
|  Reader Account   |   Restricted account ("hobo account")
| (e.g. uclaude-    |   No admin rights
|     reader)       |   Can only access repos where explicitly
+--------+----------+   added as collaborator (read permission)
         |
         | Authenticates via
         v
+-------------------+
|   API Token       |   scope: read:repository
|   (40 hex chars)  |   Can only READ repos the reader
+--------+----------+   account has access to; the value is
         |              shown once, in the "sha1" field of the
         | Used by       create-token response
         v
+-------------------+
| Scripts/Installers|   git clone, curl, wget
| CI/CD pipelines   |   Any tool that needs read access
+-------------------+
```

## Access Flow

  1. Owner creates the reader account (one-time setup)
  2. Owner adds the reader as a collaborator with `read` permission on each repo it needs (per-repo)
  3. Reader creates a token with the `read:repository` scope; automated tools use that token, never the account password
  4. If the token leaks, delete it and mint a new one; the owner's credentials were never handed out, so nothing else needs to change

## Security Properties

| Property | Status |
|---|---|
| Owner credentials exposed | No |
| Token can write to repos | No (`read:repository` scope; the account also only has `read` collaborator permission) |
| Token can access admin API | No (no admin scope, and the account is not an admin) |
| Token can access repos not granted | No, except repositories that are public on the instance anyway; create the reader as a Gitea *restricted* user to hide those as well |
| Token can be rotated independently | Yes |
| Access is per-repo granular | Yes |

Two points to keep in mind when auditing this setup. First, a token scope never widens what the account can do, it only narrows it, so both layers (collaborator permission and token scope) should be checked. Second, the reader account's password is a second secret: the flow below uses it (HTTP basic auth) to create and delete tokens, so it belongs with the owner's provisioning automation, not in CI.

## Gitea API Endpoints Used

All paths are relative to `https://<gitea-host>/api/v1`. Token-authenticated calls send `Authorization: token <TOKEN>`; basic-authenticated calls send the account's username and password.

| Action | Method | Endpoint | Auth |
|---|---|---|---|
| Create user | POST | `/admin/users` | Owner (admin) |
| Activate user | PATCH | `/admin/users/{username}` | Owner (admin) |
| Create token | POST | `/users/{username}/tokens` | Reader (basic) |
| Delete token | DELETE | `/users/{username}/tokens/{name}` (token id also accepted) | Reader (basic) |
| Add collaborator | PUT | `/repos/{owner}/{repo}/collaborators/{user}` | Owner |
| Remove collaborator | DELETE | `/repos/{owner}/{repo}/collaborators/{user}` | Owner |
| List repos | GET | `/user/repos` | Reader (token) |
| Get repo | GET | `/repos/{owner}/{repo}` | Reader (token) |
| Get raw file | GET | `/repos/{owner}/{repo}/raw/{path}` | Reader (token) |
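The access flow and the endpoint table above, carried through end to end with plain curl. This is an added example written for this page, not one of the repository's six scripts: the host `gitea.example.com`, both passwords, the repository `private-repo`, the token name `ci-reader` and the `restricted` flag on the reader are assumptions; the account names come from the diagram. Besides provisioning, it includes the check a practitioner wants before trusting the token: an attempted write that must come back `403`, and a rotation helper for step 4.

```shell
#!/bin/sh
# Added example, not one of the repository's own scripts: walks the owner -> reader -> token
# chain with the endpoints in the table above using plain curl. Host, passwords, repository
# name and token name are assumptions; the user names come from the diagram.
set -eu

GITEA_URL=${GITEA_URL:-https://gitea.example.com}   # assumed host
API="$GITEA_URL/api/v1"                            # every Gitea API path lives under /api/v1
OWNER=${OWNER:-aibot777}                           # admin account from the diagram
OWNER_PASS=${OWNER_PASS:-owner-password}           # assumed; pass in via the environment
READER=${READER:-uclaude-reader}                   # reader account from the diagram
READER_PASS=${READER_PASS:-reader-password}        # assumed; used only to mint/delete tokens

# gitea_api AUTH METHOD PATH [BODY] [EXTRA-CURL-OPTS...]
# AUTH is "user:password" (HTTP basic) or "token:<TOKEN>" (Authorization: token header).
# All requests go through this one function, so a dry run can shadow curl with a fake.
gitea_api() {
  _auth=$1; _method=$2; _path=$3; _body=${4:-}
  if [ $# -ge 4 ]; then shift 4; else shift $#; fi
  set -- "$@" -sS -X "$_method" -H 'Content-Type: application/json'
  case $_auth in
    token:*) set -- "$@" -H "Authorization: token ${_auth#token:}" ;;
    *)       set -- "$@" -u "$_auth" ;;
  esac
  if [ -n "$_body" ]; then set -- "$@" -d "$_body"; fi
  curl "$@" "$API$_path"
}
gitea_json()   { gitea_api "$1" "$2" "$3" "${4:-}" -f; }                              # body; fail on HTTP error
gitea_status() { gitea_api "$1" "$2" "$3" "${4:-}" -o /dev/null -w '%{http_code}'; }  # status code only

# Extract one string field from a flat JSON object without jq (enough for Gitea's token
# and user objects; not a general JSON parser).
json_field() { sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"; }

# 1. Owner creates the reader. "restricted": true is a Gitea flag the page does not mention;
#    it hides even public repos from the account unless it has been added as a collaborator.
create_reader() {
  gitea_json "$OWNER:$OWNER_PASS" POST /admin/users \
    "{\"username\":\"$READER\",\"email\":\"$READER@example.invalid\",\"password\":\"$READER_PASS\",\"must_change_password\":false,\"restricted\":true}" >/dev/null
  # Make sure the account is active and not blocked by a forced password change.
  gitea_json "$OWNER:$OWNER_PASS" PATCH "/admin/users/$READER" \
    "{\"login_name\":\"$READER\",\"source_id\":0,\"active\":true,\"must_change_password\":false}" >/dev/null
}

# 2. Owner grants read access to one repository (repeat per repository).
grant_read() {  # grant_read REPO_OWNER REPO
  gitea_json "$OWNER:$OWNER_PASS" PUT "/repos/$1/$2/collaborators/$READER" '{"permission":"read"}' >/dev/null
}

# 3. Reader mints a token limited to read:repository. Gitea returns the value once, in the
#    "sha1" field; later listings only show token_last_eight.
create_read_token() {  # create_read_token TOKEN_NAME -> prints the token
  _resp=$(gitea_json "$READER:$READER_PASS" POST "/users/$READER/tokens" \
    "{\"name\":\"$1\",\"scopes\":[\"read:repository\"]}")
  printf '%s\n' "$_resp" | json_field sha1
}

# What an installer or CI job does with the token: fetch a raw file.
read_raw() {  # read_raw TOKEN REPO_OWNER REPO PATH [REF]
  gitea_json "token:$1" GET "/repos/$2/$3/raw/$4?ref=${5:-main}"
}

# Check the "cannot write" row of the table: an empty PATCH of the repo changes nothing even
# where it is allowed, so it is a safe probe; a read-only token must be refused with 403.
verify_read_only() {  # verify_read_only TOKEN REPO_OWNER REPO -> exit 0 if the write was refused
  _code=$(gitea_status "token:$1" PATCH "/repos/$2/$3" '{}')
  [ "$_code" = 403 ]
}

# 4. Rotation after a leak: delete the token by name (the id also works) and mint a new one.
rotate_token() {  # rotate_token TOKEN_NAME -> prints the replacement token
  gitea_json "$READER:$READER_PASS" DELETE "/users/$READER/tokens/$1" >/dev/null
  create_read_token "$1"
}

# End-to-end run; guarded so the file can also be sourced just for its functions.
provision() {  # provision REPO_OWNER REPO PATH
  create_reader
  grant_read "$1" "$2"
  tok=$(create_read_token ci-reader)
  if verify_read_only "$tok" "$1" "$2"; then
    echo "ok: token cannot write to $1/$2" >&2
  else
    echo "WARNING: write probe was not refused; check token scope and collaborator permission" >&2
    exit 1
  fi
  read_raw "$tok" "$1" "$2" "$3" >/dev/null
  echo "ok: token can read $1/$2/$3" >&2
  printf '%s\n' "$tok"
}
if [ "${PROVISION:-0}" = 1 ]; then provision "$OWNER" "${REPO:-private-repo}" README.md; fi
```

Run it as `PROVISION=1 OWNER_PASS=... READER_PASS=... REPO=private-repo sh provision.sh`; it prints the new token on stdout and the two checks on stderr. For `git clone`, the same token goes in the password position of the HTTPS URL (`https://uclaude-reader:<token>@gitea.example.com/aibot777/private-repo.git`), which is why a leaked clone URL is handled by `rotate_token` alone and never touches the owner account.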