(in reply to: https://community.harness.io/t/gitea-and-multiple-users/10225 ; I don't have enough reputation to post this whole thing there yet)
Since you must have DRONE_GITEA_CLIENT_ID/DRONE_GITEA_CLIENT_SECRET, and Gitea only allows OAuth to be attached to users, I solved it by creating a puppet ci-admin account in Gitea, at https://data.dev.neuropoly.org/ci-admin. My deployment script scrambles and throws away its password once finished, and marks ci-admin as non-admin and unable to log in.
Within that account's settings, at https://data.dev.neuropoly.org/user/settings/applications, the connection to Drone looks like
(for what it's worth I set that up via Gitea's API -- today is the first time I've ever bothered to look at Drone's OAuth credentials on the web)
The upshot is that when someone logs in they see
If they click the "@ci-admin" link they see this profile page explaining
(but I don't expect anyone will ever click that)
And yes, anyone logging in with this can access all their own repositories, even while ci-admin cannot:
The OAuth for sign-in has nothing to do with the OAuth for repositories. When someone signs in to Drone via Gitea, Gitea sends an OAuth token to Drone that grants access to whatever the signing-in user can see. If I sign in as ci-admin, I see nothing:
I suppose, in theory, a malicious user could deploy a modified Drone that relays all the OAuth tokens to them. That's the risk people take whenever they click that big red "Authorize Application" button. But Drone as it exists protects those credentials.
tl;dr: make a dummy user in Gitea.
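The procedure the post describes (create a puppet user, register Drone's OAuth2 application under it, then scramble the password and lock the account) as a stand-alone script. This is an added example written for this page, not the poster's own deployment script. It assumes an admin personal access token in GITEA_ADMIN_TOKEN, a Drone URL whose callback is DRONE_URL/login (Drone's documented redirect URI), and a placeholder e-mail address; the Gitea URL and the ci-admin name come from the post. The endpoints used are Gitea's v1 API: POST /api/v1/admin/users, POST /api/v1/user/applications/oauth2 (authenticated as the puppet via HTTP basic auth) and PATCH /api/v1/admin/users/{username}.

```shell
#!/usr/bin/env bash
# Added example, not the original poster's deployment script: provision a
# "puppet" Gitea user that owns Drone's OAuth2 application, register the
# application as that user, then scramble its password and lock the account.
# Assumptions (not from the post): DRONE_URL, PUPPET_EMAIL, an admin personal
# access token in GITEA_ADMIN_TOKEN, and that Drone's OAuth callback is
# DRONE_URL/login (Drone's documented redirect URI).
set -eu

GITEA_URL="${GITEA_URL:-https://data.dev.neuropoly.org}"   # from the post
DRONE_URL="${DRONE_URL:-https://drone.example.org}"         # assumed placeholder
PUPPET_USER="${PUPPET_USER:-ci-admin}"                      # from the post
PUPPET_EMAIL="${PUPPET_EMAIL:-ci-admin@example.org}"        # assumed placeholder

# 40 alphanumeric characters from /dev/urandom; never logged or stored.
gen_password() {
  head -c 96 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 40
}

# Pull a string field out of a flat JSON object without depending on jq.
# $1 = field name; JSON on stdin. Sufficient for Gitea's one-level responses.
json_field() {
  sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Request bodies, kept in functions so they can be inspected without a server.
create_user_json() {   # $1 username, $2 email, $3 password
  printf '{"username":"%s","email":"%s","password":"%s","must_change_password":false,"send_notify":false}' \
    "$1" "$2" "$3"
}
oauth_app_json() {     # $1 application name, $2 redirect URI
  printf '{"name":"%s","redirect_uris":["%s"],"confidential_client":true}' "$1" "$2"
}
lock_user_json() {     # $1 login name, $2 throw-away replacement password
  # login_name/source_id are required by older Gitea releases' EditUserOption.
  printf '{"login_name":"%s","source_id":0,"password":"%s","admin":false,"prohibit_login":true}' \
    "$1" "$2"
}

api() {                # $1 HTTP method, $2 API path, $3 Authorization value, $4 body
  curl -fsS -X "$1" -H "Authorization: $3" -H "Content-Type: application/json" \
    -d "$4" "$GITEA_URL/api/v1$2"
}

provision_puppet() {
  admin_auth="token $GITEA_ADMIN_TOKEN"
  setup_pw=$(gen_password)

  # 1. Create the puppet account with a password only this process knows.
  api POST /admin/users "$admin_auth" \
    "$(create_user_json "$PUPPET_USER" "$PUPPET_EMAIL" "$setup_pw")" >/dev/null

  # 2. Register Drone as an OAuth2 application owned by the puppet. Basic auth
  #    as the puppet avoids minting a long-lived API token for it.
  basic_auth="Basic $(printf '%s:%s' "$PUPPET_USER" "$setup_pw" | base64 | tr -d '\n')"
  app=$(api POST /user/applications/oauth2 "$basic_auth" \
    "$(oauth_app_json drone "$DRONE_URL/login")")
  client_id=$(printf '%s' "$app" | json_field client_id)
  client_secret=$(printf '%s' "$app" | json_field client_secret)

  # 3. Scramble the password, drop admin, and forbid interactive login. The
  #    OAuth2 application keeps working; nobody can sign in as the puppet.
  api PATCH "/admin/users/$PUPPET_USER" "$admin_auth" \
    "$(lock_user_json "$PUPPET_USER" "$(gen_password)")" >/dev/null
  unset setup_pw basic_auth

  # 4. Hand the credentials to Drone's environment; Gitea shows the secret once.
  printf 'DRONE_GITEA_SERVER=%s\nDRONE_GITEA_CLIENT_ID=%s\nDRONE_GITEA_CLIENT_SECRET=%s\n' \
    "$GITEA_URL" "$client_id" "$client_secret"
}

# Only talk to a server when an admin token is supplied.
if [ -n "${GITEA_ADMIN_TOKEN:-}" ]; then
  provision_puppet
fi
```

Run it as `GITEA_ADMIN_TOKEN=... DRONE_URL=https://drone.example.org ./provision-puppet.sh` and feed the three printed lines to Drone's environment. The setup password exists only in the shell's memory between steps 1 and 3, and step 3 replaces it with a second random value that is discarded, so after the script exits there is no credential anywhere that logs in as ci-admin, while the OAuth2 client the puppet owns is unaffected.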