From a946e66c6c0b8e493ff828aaa78a83d99a1f2f34 Mon Sep 17 00:00:00 2001 From: Jon Kazama Date: Sat, 13 Jun 2026 23:51:23 +0200 Subject: [PATCH] ci(gitea): Release- und Quality-Workflow nach .gitea/ portieren, tote .github/-Workflows entfernen --- {.github => .gitea}/workflows/quality.yml | 0 {.github => .gitea}/workflows/release.yml | 58 +++++++++++++++++------ .github/workflows/security.yml | 42 ---------------- 3 files changed, 43 insertions(+), 57 deletions(-) rename {.github => .gitea}/workflows/quality.yml (100%) rename {.github => .gitea}/workflows/release.yml (51%) delete mode 100644 .github/workflows/security.yml diff --git a/.github/workflows/quality.yml b/.gitea/workflows/quality.yml similarity index 100% rename from .github/workflows/quality.yml rename to .gitea/workflows/quality.yml diff --git a/.github/workflows/release.yml b/.gitea/workflows/release.yml similarity index 51% rename from .github/workflows/release.yml rename to .gitea/workflows/release.yml index 0d56189..dbd6576 100644 --- a/.github/workflows/release.yml +++ b/.gitea/workflows/release.yml 
@@ -1,10 +1,22 @@ -# Release — creates ZIP packages for Chrome, Firefox and Opera on new tag name: Release +# Wird bei einem vX.Y.Z-Tag-Push ausgeloest. Baut die drei Web-Extension-ZIPs +# (Chrome/Firefox/Opera) und haengt sie ans passende Gitea-Release. +# +# Portiert von GitHub Actions auf Gitea Actions (2026-06): der fruehere +# softprops/action-gh-release-Step ist GitHub-spezifisch und laeuft auf Gitea +# nicht. Ersetzt durch die Gitea-native release-action (volle gitea.com-URL, +# da DEFAULT_ACTIONS_URL=github nackte Namen sonst von github.com zieht). +# Muster uebernommen aus HellionChat/.gitea/workflows/release.yml. + on: push: tags: - 'v*' + # Manueller Recovery-Trigger: in Gitea "Run workflow" und den Tag (z.B. v2.2.0) + # im Ref-Dropdown waehlen, NICHT master. Der Validate-Step unten failt hart + # bei einem Nicht-Tag-Ref, weil die release-action GITHUB_REF direkt liest. + workflow_dispatch: permissions: contents: write @@ -13,7 +25,20 @@ jobs: build-release: name: Build & Release runs-on: ubuntu-latest + timeout-minutes: 20 + steps: + # release-action liest GITHUB_REF direkt (kein tag_name-Input). Vorab + # validieren, damit manuelle Dispatches von einem Branch-Ref hier laut + # scheitern statt nach einem vollen Build. + - name: Validate tag ref + run: | + if [[ "${GITHUB_REF}" != refs/tags/v* ]]; then + echo "::error::Release-Workflow muss auf einem v*-Tag laufen, got ${GITHUB_REF}" + echo "::error::Tag pushen, oder im workflow_dispatch-Ref-Dropdown den Tag (nicht master) waehlen." + exit 1 + fi + - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 @@ -26,7 +51,7 @@ jobs: mkdir -p dist zip -r "dist/hellion-newtab-${{ steps.version.outputs.tag }}-chrome.zip" \ manifest.json newtab.html src/js/*.js src/css/ assets/ _locales/ \ - -x "*.git*" "dist/*" ".github/*" "src/js/opera/*" + -x "*.git*" "dist/*" ".github/*" ".gitea/*" "src/js/opera/*" - name: Create Firefox ZIP (Manifest V3) run: | 
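Review bot: The new header comment explains the action-URL change but says nothing about the `permissions: contents: write` block kept right below the triggers, which may have no effect after the port. Gitea's Actions documentation has listed `permissions` as unsupported workflow syntax, so the token scope would not be governed by this file; this should be confirmed for the Gitea version in use. If it applies, I would add a comment above the block such as `# Hinweis: Gitea wertet permissions je nach Version nicht aus; Token-Scope auf der Instanz pruefen.` so nobody reads the block as an enforced least-privilege boundary. This matters more now that `workflow_dispatch` adds a second way to start the release job.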
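Review bot: The check in the new `Validate tag ref` step accepts any ref that begins with `refs/tags/v`, although the header comment describes the trigger as a vX.Y.Z tag. The tag name is later substituted through `${{ steps.version.outputs.tag }}` into the `run:` scripts of the ZIP steps (the `version` step itself is outside this hunk, so that is presumably where it comes from). That substitution happens before the shell parses the script, so the guard should also restrict the allowed characters, e.g. `if [[ ! "${GITHUB_REF}" =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then`. Extend the pattern with an explicit suffix group if pre-release tags are in use. The step list continues outside the hunk.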
@@ -34,7 +59,7 @@ jobs: cp manifest.firefox.json manifest.json zip -r "dist/hellion-newtab-${{ steps.version.outputs.tag }}-firefox.zip" \ manifest.json newtab.html src/js/*.js src/css/ assets/ _locales/ \ - -x "*.git*" "dist/*" ".github/*" "manifest.chrome-backup.json" "manifest.firefox.json" "src/js/opera/*" + -x "*.git*" "dist/*" ".github/*" ".gitea/*" "manifest.chrome-backup.json" "manifest.firefox.json" "src/js/opera/*" mv manifest.chrome-backup.json manifest.json - name: Create Opera/Opera GX ZIP (Manifest V3 + workaround) @@ -43,7 +68,7 @@ jobs: cp manifest.opera.json manifest.json zip -r "dist/hellion-newtab-${{ steps.version.outputs.tag }}-opera.zip" \ manifest.json newtab.html src/js/*.js src/js/opera/ src/css/ assets/ _locales/ \ - -x "*.git*" "dist/*" ".github/*" "manifest.chrome-backup.json" "manifest.opera.json" + -x "*.git*" "dist/*" ".github/*" ".gitea/*" "manifest.chrome-backup.json" "manifest.opera.json" mv manifest.chrome-backup.json manifest.json - name: Generate SHA256 checksums @@ -52,10 +77,19 @@ jobs: sha256sum *.zip > checksums-sha256.txt cat checksums-sha256.txt - - name: Create GitHub Release - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 + # Gitea-native Release-Action. Legt das Release an, falls der Tag noch + # keins hat, oder aktualisiert das bestehende und haengt die Assets an. + # Der auto-injizierte GITHUB_TOKEN auf Gitea Actions hat Gitea-API-Scope + # und reicht fuer Release-Write. + - name: Attach to Gitea release + uses: https://gitea.com/actions/release-action@main with: - name: "Hellion NewTab ${{ steps.version.outputs.tag }}" + files: |- + dist/hellion-newtab-${{ steps.version.outputs.tag }}-chrome.zip + dist/hellion-newtab-${{ steps.version.outputs.tag }}-firefox.zip + dist/hellion-newtab-${{ steps.version.outputs.tag }}-opera.zip + dist/checksums-sha256.txt + api_key: ${{ secrets.GITHUB_TOKEN }} body: | ## Hellion NewTab ${{ steps.version.outputs.tag }} 
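Review bot: The new `Attach to Gitea release` step references `https://gitea.com/actions/release-action@main`, a mutable branch, while the checkout action and the removed softprops step are pinned to full commit SHAs. This step receives `secrets.GITHUB_TOKEN` with release-write scope and uploads the ZIPs that users install, so any later change on that branch would run with that access on the next tag push. Pin it the same way as the other actions, `uses: https://gitea.com/actions/release-action@<full-commit-sha> # <tag>`, and update the pin deliberately. The `body: |` block of this step continues in the next hunk.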
@@ -64,13 +98,7 @@ jobs: - **Firefox:** `hellion-newtab-${{ steps.version.outputs.tag }}-firefox.zip` - **Opera / Opera GX:** `hellion-newtab-${{ steps.version.outputs.tag }}-opera.zip` - See [README](README.md) for the full installation instructions. + Vollstaendige Installationsanleitung siehe README. ### Checksums - See `checksums-sha256.txt` to verify file integrity. - files: | - dist/hellion-newtab-${{ steps.version.outputs.tag }}-chrome.zip - dist/hellion-newtab-${{ steps.version.outputs.tag }}-firefox.zip - dist/hellion-newtab-${{ steps.version.outputs.tag }}-opera.zip - dist/checksums-sha256.txt - generate_release_notes: true \ No newline at end of file + `checksums-sha256.txt` zum Verifizieren der Dateiintegritaet. diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml deleted file mode 100644 index 729bde5..0000000 --- a/.github/workflows/security.yml +++ /dev/null @@ -1,42 +0,0 @@ -# Sicherheitsprüfung — läuft bei Push und PR auf main/master -name: Security Scan - -on: - push: - branches: [main, master] - pull_request: - branches: [main, master] - schedule: - # Wöchentlich Montag 06:00 UTC - - cron: '0 6 * * 1' - -permissions: - contents: read - security-events: write - -jobs: - codeql: - name: CodeQL Analysis - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - - name: Initialize CodeQL - uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 - with: - languages: javascript - - - name: Run CodeQL Analysis - uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 - - dependency-review: - name: Dependency Review - runs-on: ubuntu-latest - if: github.event_name == 'pull_request' - steps: - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - - name: Dependency Review - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0