Capture HTTP status code and full response body separately so failures
show the actual error from the server instead of silently dying.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Gitea doesn't implement Actions OIDC tokens yet. Drop the experimental
id_token steps and use VAULT_ROLE_ID/VAULT_SECRET_ID/K8S_CA_CERT as
standard Gitea repo secrets.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Use ${VAR:-} default-empty syntax so set -u doesn't abort when
ACTIONS_ID_TOKEN_REQUEST_TOKEN/URL are absent (stock Gitea runners
don't set them).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Switch VAULT_ROLE_ID, VAULT_SECRET_ID, and K8S_CA_CERT from Gitea repo
secrets to shell env vars, which are injected via the runner host's
systemd EnvironmentFile — keeping credentials off Gitea entirely.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Split curl calls into separate variables and log intermediate
responses to stderr to identify which request is failing.
Added set -euxo pipefail for immediate failure visibility.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
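
The status/body split described in the first commit message and the `${VAR:-}` guard from the third, as an added example that is not this repository's workflow script. The helper names (`oidc_available`, `post_json`, `response_status`, `response_body`, `require_2xx`) are hypothetical and the sample responses are constructed.

```sh
#!/bin/sh
# Added example, not the repository's script; helper names are hypothetical.
set -eu

NL='
'

# True only when both OIDC request variables are set and non-empty.
# ${VAR:-} expands to "" when VAR is unset, so set -u does not abort.
oidc_available() {
    [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ] &&
        [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]
}

# POST JSON ($2) to URL ($1) and emit "<body>\n<status>".
# No -f flag: curl must still print the body of a 4xx/5xx reply.
# The payload goes via stdin so a secret in it never appears in curl's argv;
# tracing with set -x would still echo "$2" into the job log.
post_json() {
    printf '%s' "$2" | curl -sS -X POST -H 'Content-Type: application/json' \
        --data @- -w '\n%{http_code}' "$1"
}

# Last line of a post_json result: the HTTP status code.
response_status() { printf '%s' "${1##*$NL}"; }

# Everything before the last line: the body, inner newlines preserved.
response_body() { printf '%s' "${1%$NL*}"; }

# Print the body on 2xx; otherwise report status and server error on stderr.
require_2xx() {
    status=$(response_status "$1")
    body=$(response_body "$1")
    case "$status" in
        2[0-9][0-9]) printf '%s\n' "$body" ;;
        *) printf 'HTTP %s: %s\n' "$status" "$body" >&2; return 1 ;;
    esac
}

# Constructed sample responses in the shape post_json produces.
SAMPLE_OK="{\"auth\":{\"client_token\":\"PLACEHOLDER\"}}${NL}200"
SAMPLE_ERR="{\"errors\":[\"invalid role or secret ID\"]}${NL}400"
```

In a job, `resp=$(post_json "$url" "$payload")` followed by `require_2xx "$resp"` stops the step with the server's own error text instead of an empty failure.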