From 98cdd95b50f0d91925d48f0211421db7c629469b Mon Sep 17 00:00:00 2001
From: josh <josh@thewrightserver.net>
Date: Mon, 20 Apr 2026 21:27:23 -0400
Subject: [PATCH] chore(release): add registry auth diagnostic to
 build-live-image

Echoes OWNER, token length, and whoami before the upload so a 401
disambiguates: missing/empty token, bad OWNER resolution, or token
authenticating as a different user.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .gitea/workflows/release.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 7c6fefe..8219dee 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -110,6 +110,24 @@ jobs:
       - name: Build live image
         run: make live-image
 
+      - name: Debug registry auth context
+        run: |
+          set -euo pipefail
+          echo "OWNER='${OWNER}'"
+          echo "LI_VERSION='${LI_VERSION}'"
+          echo "REGISTRY_URL='${REGISTRY_URL}'"
+          echo "TOKEN_LEN=${#REGISTRY_TOKEN}"
+          # Probe whoami via the token to confirm it authenticates and
+          # resolves to the expected user. A 401 here narrows the
+          # failure to token/secret injection; a 200 with a different
+          # username narrows it to OWNER mismatch.
+          curl -sS -o /tmp/whoami.json -w 'whoami_status=%{http_code}\n' \
+            -H "Authorization: token ${REGISTRY_TOKEN}" \
+            "${REGISTRY_URL}/api/v1/user"
+          echo "whoami body:"
+          cat /tmp/whoami.json
+          echo
+
       - name: Publish live-image/${{ env.LI_VERSION }}/
         run: |
           set -euo pipefail