From ef82ac053139b9645f8c52057a23394e000a103a Mon Sep 17 00:00:00 2001
From: b3nw <b3nw@duck.com>
Date: Tue, 28 Apr 2026 01:30:40 +0000
Subject: [PATCH] fix(ci): use URL-embedded token for cross-repo clone

actions/checkout@v3's Basic auth header fails with 403 Forbidden when
accessing a different private repository (CR_PAT only works for the
current repo's scope via that method).

Switch to a plain git clone with the token embedded in the HTTPS URL,
which matches how previous builds successfully cloned schwab-scraper.
---
 .gitea/workflows/build.yaml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
index b272da0..e1973d9 100644
--- a/.gitea/workflows/build.yaml
+++ b/.gitea/workflows/build.yaml
@@ -15,13 +15,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
 
-      - name: Checkout schwab-scraper
-        uses: actions/checkout@v3
-        with:
-          repository: b3nw/schwab-scraper
-          path: vendor/schwab-scraper
-          token: ${{ secrets.CR_PAT }}
-          ref: main
+      - name: Clone schwab-scraper
+        run: |
+          mkdir -p vendor
+          # Use URL-embedded token for cross-repo access (CR_PAT has registry
+          # scope; actions/checkout@v3's Basic auth header fails with 403).
+          git clone --depth=1 --branch main \
+            "https://${{ gitea.actor }}:${{ secrets.CR_PAT }}@gitea.ext.ben.io/b3nw/schwab-scraper.git" \
+            vendor/schwab-scraper
 
       - name: Login to Gitea Container Registry
         uses: docker/login-action@v2