fix: use docker login CLI instead of login-action for Gitea compat

docker/login-action@v3 fails with 'Username and password required' on
Gitea Actions — secrets not passed to action with: inputs. Switch to
direct docker login CLI which reliably interpolates secrets in run: steps.

.gitea/workflows/build-push.yaml

@@ -8,8 +8,9 @@ on:
 
 env:
   NTFY_URL: http://ntfy.observability.svc.cluster.local:80
-  REGISTRY: gitea-http.gitea.svc.cluster.local:3000/daviestechlabs
-  REGISTRY_HOST: gitea-http.gitea.svc.cluster.local:3000
+  GOPRIVATE: git.daviestechlabs.io
+  REGISTRY: registry.lab.daviestechlabs.io/daviestechlabs
+  REGISTRY_HOST: registry.lab.daviestechlabs.io
   IMAGE_NAME: stt-module
 
 jobs:
@@ -26,6 +27,9 @@ jobs:
           go-version-file: go.mod
           cache: true
 
+      - name: Configure private modules
+        run: git config --global url."https://gitea-actions:${{ secrets.DISPATCH_TOKEN }}@git.daviestechlabs.io/".insteadOf "https://git.daviestechlabs.io/"
+
       - name: Run go vet
         run: go vet ./...
 
@@ -50,6 +54,9 @@ jobs:
           go-version-file: go.mod
           cache: true
 
+      - name: Configure private modules
+        run: git config --global url."https://gitea-actions:${{ secrets.DISPATCH_TOKEN }}@git.daviestechlabs.io/".insteadOf "https://git.daviestechlabs.io/"
+
       - name: Verify dependencies
         run: go mod verify
 
@@ -116,40 +123,13 @@ jobs:
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-        with:
-          buildkitd-config-inline: |
-            [registry."gitea-http.gitea.svc.cluster.local:3000"]
-              http = true
-              insecure = true
+
+      - name: Login to Gitea Registry
+        run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login "${{ env.REGISTRY_HOST }}" -u "${{ secrets.REGISTRY_USER }}" --password-stdin
 
       - name: Login to Docker Hub
         if: vars.DOCKERHUB_USERNAME != ''
-        uses: docker/login-action@v3
-        with:
-          username: ${{ vars.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Configure Docker for insecure registry
-        run: |
-          sudo mkdir -p /etc/docker
-          echo '{"insecure-registries": ["${{ env.REGISTRY_HOST }}"]}' | sudo tee /etc/docker/daemon.json
-          sudo systemctl restart docker || sudo service docker restart || true
-          sleep 2
-
-      - name: Login to Gitea Registry
-        run: |
-          AUTH=$(echo -n "${{ secrets.REGISTRY_USER }}:${{ secrets.REGISTRY_TOKEN }}" | base64 -w0)
-          mkdir -p ~/.docker
-          cat > ~/.docker/config.json << EOF
-          {
-            "auths": {
-              "${{ env.REGISTRY_HOST }}": {
-                "auth": "$AUTH"
-              }
-            }
-          }
-          EOF
-          echo "Auth configured for ${{ env.REGISTRY_HOST }}"
+        run: echo "${{ secrets.DOCKERHUB_TOKEN }}" | docker login -u "${{ vars.DOCKERHUB_USERNAME }}" --password-stdin
 
       - name: Extract metadata
         id: meta
@@ -168,8 +148,7 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+
 
   notify:
     name: Notify

.gitea/workflows/ci.yml

@@ -1,201 +0,0 @@
-name: CI
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-env:
-  NTFY_URL: http://ntfy.observability.svc.cluster.local:80
-  REGISTRY: gitea-http.gitea.svc.cluster.local:3000/daviestechlabs
-  REGISTRY_HOST: gitea-http.gitea.svc.cluster.local:3000
-  IMAGE_NAME: stt-module
-
-jobs:
-  lint:
-    name: Lint
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up uv
-        run: curl -LsSf https://astral.sh/uv/install.sh | sh && echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-      - name: Set up Python
-        run: uv python install 3.12
-
-      - name: Install dependencies
-        run: uv sync --frozen --extra dev
-
-      - name: Run ruff check
-        run: uv run ruff check .
-
-      - name: Run ruff format check
-        run: uv run ruff format --check .
-
-  test:
-    name: Test
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up uv
-        run: curl -LsSf https://astral.sh/uv/install.sh | sh && echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-      - name: Set up Python
-        run: uv python install 3.12
-
-      - name: Install dependencies
-        run: uv sync --frozen --extra dev
-
-      - name: Run tests
-        run: uv run pytest -v
-
-  release:
-    name: Release
-    runs-on: ubuntu-latest
-    needs: [lint, test]
-    if: gitea.ref == 'refs/heads/main' && gitea.event_name == 'push'
-    outputs:
-      version: ${{ steps.version.outputs.version }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Determine version bump
-        id: version
-        run: |
-          # Get latest tag or default to v0.0.0
-          LATEST=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
-          VERSION=${LATEST#v}
-          IFS='.' read -r MAJOR MINOR PATCH <<< "$VERSION"
-
-          # Check commit message for keywords
-          MSG="${{ gitea.event.head_commit.message }}"
-          if echo "$MSG" | grep -qiE "^major:|BREAKING CHANGE"; then
-            MAJOR=$((MAJOR + 1)); MINOR=0; PATCH=0
-            BUMP="major"
-          elif echo "$MSG" | grep -qiE "^(minor:|feat:)"; then
-            MINOR=$((MINOR + 1)); PATCH=0
-            BUMP="minor"
-          else
-            PATCH=$((PATCH + 1))
-            BUMP="patch"
-          fi
-
-          NEW_VERSION="v${MAJOR}.${MINOR}.${PATCH}"
-          echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT
-          echo "bump=$BUMP" >> $GITHUB_OUTPUT
-          echo "Bumping $LATEST → $NEW_VERSION ($BUMP)"
-
-      - name: Create and push tag
-        run: |
-          git config user.name "gitea-actions[bot]"
-          git config user.email "actions@git.daviestechlabs.io"
-          git tag -a ${{ steps.version.outputs.version }} -m "Release ${{ steps.version.outputs.version }}"
-          git push origin ${{ steps.version.outputs.version }}
-
-  docker:
-    name: Docker Build & Push
-    runs-on: ubuntu-latest
-    needs: [lint, test, release]
-    if: gitea.ref == 'refs/heads/main' && gitea.event_name == 'push'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          buildkitd-config-inline: |
-            [registry."gitea-http.gitea.svc.cluster.local:3000"]
-              http = true
-              insecure = true
-
-      - name: Login to Docker Hub
-        if: vars.DOCKERHUB_USERNAME != ''
-        uses: docker/login-action@v3
-        with:
-          username: ${{ vars.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Configure Docker for insecure registry
-        run: |
-          sudo mkdir -p /etc/docker
-          echo '{"insecure-registries": ["${{ env.REGISTRY_HOST }}"]}' | sudo tee /etc/docker/daemon.json
-          sudo systemctl restart docker || sudo service docker restart || true
-          sleep 2
-
-      - name: Login to Gitea Registry
-        run: |
-          AUTH=$(echo -n "${{ secrets.REGISTRY_USER }}:${{ secrets.REGISTRY_TOKEN }}" | base64 -w0)
-          mkdir -p ~/.docker
-          cat > ~/.docker/config.json << EOF
-          {
-            "auths": {
-              "${{ env.REGISTRY_HOST }}": {
-                "auth": "$AUTH"
-              }
-            }
-          }
-          EOF
-          echo "Auth configured for ${{ env.REGISTRY_HOST }}"
-
-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=semver,pattern={{version}},value=${{ needs.release.outputs.version }}
-            type=semver,pattern={{major}}.{{minor}},value=${{ needs.release.outputs.version }}
-            type=raw,value=latest,enable={{is_default_branch}}
-
-      - name: Build and push
-        uses: docker/build-push-action@v5
-        with:
-          context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-  notify:
-    name: Notify
-    runs-on: ubuntu-latest
-    needs: [lint, test, release, docker]
-    if: always()
-    steps:
-      - name: Notify on success
-        if: needs.lint.result == 'success' && needs.test.result == 'success'
-        run: |
-          curl -s \
-            -H "Title: ✅ CI Passed: ${{ gitea.repository }}" \
-            -H "Priority: default" \
-            -H "Tags: white_check_mark,github" \
-            -H "Click: ${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}" \
-            -d "Branch: ${{ gitea.ref_name }}
-          Commit: ${{ gitea.event.head_commit.message || gitea.sha }}
-          Release: ${{ needs.release.result == 'success' && needs.release.outputs.version || 'skipped' }}
-          Docker: ${{ needs.docker.result }}" \
-            ${{ env.NTFY_URL }}/gitea-ci
-
-      - name: Notify on failure
-        if: needs.lint.result == 'failure' || needs.test.result == 'failure'
-        run: |
-          curl -s \
-            -H "Title: ❌ CI Failed: ${{ gitea.repository }}" \
-            -H "Priority: high" \
-            -H "Tags: x,github" \
-            -H "Click: ${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}" \
-            -d "Branch: ${{ gitea.ref_name }}
-          Commit: ${{ gitea.event.head_commit.message || gitea.sha }}
-          Lint: ${{ needs.lint.result }}
-          Test: ${{ needs.test.result }}" \
-            ${{ env.NTFY_URL }}/gitea-ci

.gitea/workflows/update-dependency.yml

@@ -0,0 +1,60 @@
+name: Update handler-base
+
+on:
+  repository_dispatch:
+    types: [handler-base-release]
+
+env:
+  NTFY_URL: http://ntfy.observability.svc.cluster.local:80
+  GOPRIVATE: git.daviestechlabs.io
+
+jobs:
+  update:
+    name: Update handler-base dependency
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.DISPATCH_TOKEN }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Configure Git
+        run: |
+          git config user.name "gitea-actions[bot]"
+          git config user.email "actions@git.daviestechlabs.io"
+          git config --global url."https://gitea-actions:${{ secrets.DISPATCH_TOKEN }}@git.daviestechlabs.io/".insteadOf "https://git.daviestechlabs.io/"
+
+      - name: Update handler-base
+        run: |
+          VERSION="${{ gitea.event.client_payload.version }}"
+          echo "Updating handler-base to ${VERSION}"
+          go get git.daviestechlabs.io/daviestechlabs/handler-base@${VERSION}
+          go mod tidy
+
+      - name: Commit and push
+        run: |
+          VERSION="${{ gitea.event.client_payload.version }}"
+          if git diff --quiet go.mod go.sum; then
+            echo "No changes to commit"
+            exit 0
+          fi
+          git add go.mod go.sum
+          git commit -m "chore(deps): bump handler-base to ${VERSION}"
+          git push
+
+      - name: Notify
+        if: success()
+        run: |
+          VERSION="${{ gitea.event.client_payload.version }}"
+          curl -s \
+            -H "Title: 📦 Dep Update: ${{ gitea.repository }}" \
+            -H "Priority: default" \
+            -H "Tags: package,github" \
+            -d "handler-base updated to ${VERSION}" \
+            ${{ env.NTFY_URL }}/gitea-ci

Dockerfile

@@ -3,10 +3,13 @@ FROM golang:1.25-alpine AS builder
 
 WORKDIR /app
 
-RUN apk add --no-cache ca-certificates
+RUN apk add --no-cache ca-certificates git
+
+ENV GOPRIVATE=git.daviestechlabs.io
+ENV GONOSUMCHECK=git.daviestechlabs.io
 
 COPY go.mod go.sum ./
-RUN go mod download
+RUN --mount=type=secret,id=netrc,target=/root/.netrc go mod download
 
 COPY . .
 

e2e_test.go

@@ -150,12 +150,12 @@ func TestTranscriptionE2E_MockWhisper(t *testing.T) {
 			if err != nil {
 				t.Errorf("missing 'file' field: %v", err)
 			} else {
-				file.Close()
+				_ = file.Close()
 			}
 		}
 
 		w.Header().Set("Content-Type", "application/json")
-		json.NewEncoder(w).Encode(map[string]string{"text": "hello world"})
+		_ = json.NewEncoder(w).Encode(map[string]string{"text": "hello world"})
 	}))
 	defer whisperSrv.Close()
 
@@ -166,20 +166,20 @@ func TestTranscriptionE2E_MockWhisper(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	part.Write(make([]byte, 8000)) // simulated audio
-	writer.Close()
+	_, _ = part.Write(make([]byte, 8000)) // simulated audio
+	_ = writer.Close()
 
 	resp, err := http.Post(whisperSrv.URL+"/v1/audio/transcriptions", writer.FormDataContentType(), &buf)
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 	if resp.StatusCode != 200 {
 		t.Errorf("status = %d", resp.StatusCode)
 	}
 
 	var result map[string]string
-	json.NewDecoder(resp.Body).Decode(&result)
+	_ = json.NewDecoder(resp.Body).Decode(&result)
 	if result["text"] != "hello world" {
 		t.Errorf("text = %q, want %q", result["text"], "hello world")
 	}

go.mod

@@ -3,9 +3,9 @@ module git.daviestechlabs.io/daviestechlabs/stt-module
 go 1.25.1
 
 require (
-	git.daviestechlabs.io/daviestechlabs/handler-base v0.0.0
+	git.daviestechlabs.io/daviestechlabs/handler-base v1.0.0
 	github.com/nats-io/nats.go v1.48.0
-	github.com/vmihailenco/msgpack/v5 v5.4.1
+	google.golang.org/protobuf v1.36.11
 )
 
 require (
@@ -19,7 +19,6 @@ require (
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/nats-io/nkeys v0.4.11 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect
-	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/otel v1.40.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.40.0 // indirect
@@ -37,7 +36,4 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
 	google.golang.org/grpc v1.78.0 // indirect
-	google.golang.org/protobuf v1.36.11 // indirect
 )
-
-replace git.daviestechlabs.io/daviestechlabs/handler-base => ../handler-base

go.sum

@@ -1,3 +1,5 @@
+git.daviestechlabs.io/daviestechlabs/handler-base v1.0.0 h1:pB3ehOKaDYQfbyRBKQXrB9curqSFteLrDveoElRKnBY=
+git.daviestechlabs.io/daviestechlabs/handler-base v1.0.0/go.mod h1:zocOHFt8yY3cW4+Xi37sNr5Tw7KcjGFSZqgWYxPWyqA=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -31,10 +33,6 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
-github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
-github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
-github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=

main.go

@@ -20,7 +20,7 @@ import (
 	"time"
 
 	"github.com/nats-io/nats.go"
-	"github.com/vmihailenco/msgpack/v5"
+	"google.golang.org/protobuf/proto"
 
 	"git.daviestechlabs.io/daviestechlabs/handler-base/config"
 	"git.daviestechlabs.io/daviestechlabs/handler-base/health"
@@ -264,8 +264,8 @@ func main() {
 		if err != nil {
 			return "", err
 		}
-		part.Write(audioData)
-		w.Close()
+		_, _ = part.Write(audioData)
+		_ = w.Close()
 
 		req, err := http.NewRequestWithContext(ctx, http.MethodPost, whisperURL+"/v1/audio/transcriptions", &buf)
 		if err != nil {
@@ -277,7 +277,7 @@ func main() {
 		if err != nil {
 			return "", fmt.Errorf("whisper request: %w", err)
 		}
-		defer resp.Body.Close()
+		defer func() { _ = resp.Body.Close() }()
 		body, _ := io.ReadAll(resp.Body)
 
 		if resp.StatusCode >= 400 {
@@ -324,18 +324,18 @@ func main() {
 
 		if transcript != "" {
 			result := &messages.STTTranscription{
-				SessionID:        sessionID,
+				SessionId:        sessionID,
 				Transcript:       transcript,
-				Sequence:         seq,
+				Sequence:         int32(seq),
 				IsPartial:        !complete,
 				IsFinal:          complete,
 				Timestamp:        time.Now().Unix(),
-				SpeakerID:        speakerID,
+				SpeakerId:        speakerID,
 				HasVoiceActivity: hasVoice,
 				State:            state,
 			}
-			packed, _ := msgpack.Marshal(result)
-			nc.Conn().Publish(fmt.Sprintf("%s.%s", transcriptionSubjectPrefix, sessionID), packed)
+			packed, _ := proto.Marshal(result)
+			_ = nc.Conn().Publish(fmt.Sprintf("%s.%s", transcriptionSubjectPrefix, sessionID), packed)
 			slog.Info("published transcription", "session", sessionID, "seq", seq)
 		}
 
@@ -378,8 +378,8 @@ func main() {
 		}
 		sessionID := parts[3]
 
-		streamMsg, err := natsutil.Decode[messages.STTStreamMessage](natMsg.Data)
-		if err != nil {
+		var streamMsg messages.STTStreamMessage
+		if err := natsutil.Decode(natMsg.Data, &streamMsg); err != nil {
 			slog.Error("decode error", "error", err)
 			return
 		}
@@ -391,8 +391,8 @@ func main() {
 			if streamMsg.State != "" {
 				buf.setState(streamMsg.State)
 			}
-			if streamMsg.SpeakerID != "" {
-				buf.speakerID = streamMsg.SpeakerID
+			if streamMsg.SpeakerId != "" {
+				buf.speakerID = streamMsg.SpeakerId
 			}
 			sessionsMu.Lock()
 			sessions[sessionID] = buf
@@ -442,13 +442,13 @@ func main() {
 			// Check for interrupt
 			if buffer.checkInterrupt(streamMsg.Audio, enableInterrupt, audioLevelThreshold, interruptDuration) {
 				interruptMsg := &messages.STTInterrupt{
-					SessionID: sessionID,
+					SessionId: sessionID,
 					Type:      "interrupt",
 					Timestamp: time.Now().Unix(),
-					SpeakerID: buffer.speakerID,
+					SpeakerId: buffer.speakerID,
 				}
-				packed, _ := msgpack.Marshal(interruptMsg)
-				nc.Conn().Publish(fmt.Sprintf("%s.%s", transcriptionSubjectPrefix, sessionID), packed)
+				packed, _ := proto.Marshal(interruptMsg)
+				_ = nc.Conn().Publish(fmt.Sprintf("%s.%s", transcriptionSubjectPrefix, sessionID), packed)
 				slog.Info("published interrupt", "session", sessionID)
 				buffer.setState(stateListening)
 			}

main_test.go

@@ -155,7 +155,7 @@ func TestTranscribeHTTP(t *testing.T) {
 			t.Errorf("expected POST, got %s", r.Method)
 		}
 		w.Header().Set("Content-Type", "application/json")
-		json.NewEncoder(w).Encode(map[string]string{"text": "hello world"})
+		_ = json.NewEncoder(w).Encode(map[string]string{"text": "hello world"})
 	}))
 	defer ts.Close()
 
@@ -164,7 +164,7 @@ func TestTranscribeHTTP(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 	if resp.StatusCode != 200 {
 		t.Errorf("status = %d", resp.StatusCode)
 	}