feat: add Gitea Actions support (secrets, variables, workflows, runs, jobs, logs) (#110)

# Add Gitea Actions support (secrets, variables, workflows, runs, jobs, logs)

## Summary

This PR adds comprehensive support for Gitea Actions API to the MCP server, enabling users to manage Actions secrets, variables, workflows, runs, jobs, and logs through the Model Context Protocol interface.

## New Features

### Actions Secrets (Repository & Organization Level)
- `list_repo_action_secrets` - List repository secrets (metadata only, values never exposed)
- `upsert_repo_action_secret` - Create or update a repository secret
- `delete_repo_action_secret` - Delete a repository secret
- `list_org_action_secrets` - List organization secrets
- `upsert_org_action_secret` - Create or update an organization secret
- `delete_org_action_secret` - Delete an organization secret

### Actions Variables (Repository & Organization Level)
- `list_repo_action_variables` - List repository variables
- `get_repo_action_variable` - Get a specific repository variable
- `create_repo_action_variable` - Create a repository variable
- `update_repo_action_variable` - Update a repository variable
- `delete_repo_action_variable` - Delete a repository variable
- `list_org_action_variables` - List organization variables
- `get_org_action_variable` - Get a specific organization variable
- `create_org_action_variable` - Create an organization variable
- `update_org_action_variable` - Update an organization variable
- `delete_org_action_variable` - Delete an organization variable

### Actions Workflows
- `list_repo_action_workflows` - List repository workflows
- `get_repo_action_workflow` - Get a specific workflow by ID
- `dispatch_repo_action_workflow` - Trigger (dispatch) a workflow run with optional inputs

### Actions Runs
- `list_repo_action_runs` - List workflow runs with optional status filtering
- `get_repo_action_run` - Get a specific run by ID
- `cancel_repo_action_run` - Cancel a running workflow
- `rerun_repo_action_run` - Rerun a workflow (with fallback routes for version compatibility)

### Actions Jobs
- `list_repo_action_jobs` - List all jobs in a repository
- `list_repo_action_run_jobs` - List jobs for a specific workflow run

### Actions Job Logs
- `get_repo_action_job_log_preview` - Get log preview with tail/limit support (chat-friendly)
- `download_repo_action_job_log` - Download full job logs to file (default: `~/.gitea-mcp/artifacts/actions-logs/`)

## Implementation Details

### Architecture
- Follows existing codebase patterns: new `operation/actions/` package with tools registered via `Tool.RegisterRead/Write()`
- Uses Gitea SDK (`code.gitea.io/sdk/gitea v0.22.1`) where endpoints are available
- Shared REST helper (`pkg/gitea/rest.go`) for endpoints not yet in SDK (workflows, runs, jobs, logs)

### Security
- **Secrets never expose values**: List/get operations return only safe metadata (name, description, created_at)
- Request-scoped token support: HTTP Bearer tokens properly respected (fixes issue where wiki REST calls were hardcoding `flag.Token`)

### Compatibility
- Fallback route logic for dispatch/rerun endpoints (handles Gitea version differences)
- Clear error messages when endpoints aren't available, referencing Gitea 1.24 API docs
- Graceful handling of 404/405 responses for unsupported endpoints

### Testing
- Unit tests for REST helper token precedence
- Unit tests for log truncation/formatting helpers
- All existing tests pass

## Files Changed

- **New**: `operation/actions/*` - Complete Actions module (secrets, variables, runs, logs)
- **New**: `pkg/gitea/rest.go` - Shared REST helper with token context support
- **New**: `pkg/gitea/rest_test.go` - Tests for REST helper
- **Modified**: `operation/operation.go` - Register Actions tools
- **Modified**: `operation/wiki/wiki.go` - Refactored to use shared REST helper (removed hardcoded token)
- **Modified**: `README.md` - Added all new tools to documentation

## Testing

```bash
# All tests pass
go test ./...

# Build succeeds
make build
```

## Example Usage

```python
# List repository secrets
mcp.call_tool("list_repo_action_secrets", {"owner": "user", "repo": "myrepo"})

# Trigger a workflow
mcp.call_tool("dispatch_repo_action_workflow", {
    "owner": "user",
    "repo": "myrepo",
    "workflow_id": 123,
    "ref": "main",
    "inputs": {"deploy_env": "production"}
})

# Get job log preview (last 100 lines)
mcp.call_tool("get_repo_action_job_log_preview", {
    "owner": "user",
    "repo": "myrepo",
    "job_id": 456,
    "tail_lines": 100
})
```

## Breaking Changes

None - this is a purely additive change.

## Related Issues

Fixes #[issue-number] (if applicable)

## Checklist

- [x] Code follows existing patterns and conventions
- [x] All tests pass
- [x] Documentation updated (README.md)
- [x] No breaking changes
- [x] Security considerations addressed (secrets never expose values)
- [x] Error handling implemented with clear messages
- [x] Version compatibility considered (fallback routes)

Reviewed-on: https://gitea.com/gitea/gitea-mcp/pulls/110
Reviewed-by: hiifong <f@f.style>
Co-authored-by: Shawn Anderson <sanderson@eye-catcher.com>
Co-committed-by: Shawn Anderson <sanderson@eye-catcher.com>

operation/actions/logs.go

@@ -0,0 +1,198 @@
+package actions
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/url"
+	"os"
+	"path/filepath"
+
+	"gitea.com/gitea/gitea-mcp/pkg/gitea"
+	"gitea.com/gitea/gitea-mcp/pkg/log"
+	"gitea.com/gitea/gitea-mcp/pkg/to"
+
+	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/mark3labs/mcp-go/server"
+)
+
+const (
+	GetRepoActionJobLogPreviewToolName = "get_repo_action_job_log_preview"
+	DownloadRepoActionJobLogToolName   = "download_repo_action_job_log"
+)
+
+var (
+	GetRepoActionJobLogPreviewTool = mcp.NewTool(
+		GetRepoActionJobLogPreviewToolName,
+		mcp.WithDescription("Get a repository Actions job log preview (tail/limited for chat-friendly output)"),
+		mcp.WithString("owner", mcp.Required(), mcp.Description("repository owner")),
+		mcp.WithString("repo", mcp.Required(), mcp.Description("repository name")),
+		mcp.WithNumber("job_id", mcp.Required(), mcp.Description("job ID")),
+		mcp.WithNumber("tail_lines", mcp.Description("number of lines from the end of the log"), mcp.DefaultNumber(200), mcp.Min(1)),
+		mcp.WithNumber("max_bytes", mcp.Description("max bytes to return"), mcp.DefaultNumber(65536), mcp.Min(1024)),
+	)
+
+	DownloadRepoActionJobLogTool = mcp.NewTool(
+		DownloadRepoActionJobLogToolName,
+		mcp.WithDescription("Download a repository Actions job log to a file on the MCP server filesystem"),
+		mcp.WithString("owner", mcp.Required(), mcp.Description("repository owner")),
+		mcp.WithString("repo", mcp.Required(), mcp.Description("repository name")),
+		mcp.WithNumber("job_id", mcp.Required(), mcp.Description("job ID")),
+		mcp.WithString("output_path", mcp.Description("optional output file path; if omitted, uses ~/.gitea-mcp/artifacts/actions-logs/...")),
+	)
+)
+
+func init() {
+	Tool.RegisterRead(server.ServerTool{Tool: GetRepoActionJobLogPreviewTool, Handler: GetRepoActionJobLogPreviewFn})
+	Tool.RegisterRead(server.ServerTool{Tool: DownloadRepoActionJobLogTool, Handler: DownloadRepoActionJobLogFn})
+}
+
+func logPaths(owner, repo string, jobID int64) []string {
+	// Primary candidate endpoints, plus a few commonly-seen variants across versions.
+	// We try these in order; 404/405 falls through.
+	return []string{
+		fmt.Sprintf("repos/%s/%s/actions/jobs/%d/logs", url.PathEscape(owner), url.PathEscape(repo), jobID),
+		fmt.Sprintf("repos/%s/%s/actions/jobs/%d/log", url.PathEscape(owner), url.PathEscape(repo), jobID),
+		fmt.Sprintf("repos/%s/%s/actions/tasks/%d/log", url.PathEscape(owner), url.PathEscape(repo), jobID),
+		fmt.Sprintf("repos/%s/%s/actions/task/%d/log", url.PathEscape(owner), url.PathEscape(repo), jobID),
+	}
+}
+
+func fetchJobLogBytes(ctx context.Context, owner, repo string, jobID int64) ([]byte, string, error) {
+	var lastErr error
+	for _, p := range logPaths(owner, repo, jobID) {
+		b, _, err := gitea.DoBytes(ctx, "GET", p, nil, nil, "text/plain")
+		if err == nil {
+			return b, p, nil
+		}
+		lastErr = err
+		var httpErr *gitea.HTTPError
+		if errors.As(err, &httpErr) && (httpErr.StatusCode == 404 || httpErr.StatusCode == 405) {
+			continue
+		}
+		return nil, p, err
+	}
+	return nil, "", lastErr
+}
+
+func tailByLines(data []byte, tailLines int) []byte {
+	if tailLines <= 0 || len(data) == 0 {
+		return data
+	}
+	// Find the start index of the last N lines by scanning backwards.
+	lines := 0
+	i := len(data) - 1
+	for i >= 0 {
+		if data[i] == '\n' {
+			lines++
+			if lines > tailLines {
+				return data[i+1:]
+			}
+		}
+		i--
+	}
+	return data
+}
+
+func limitBytes(data []byte, maxBytes int) ([]byte, bool) {
+	if maxBytes <= 0 {
+		return data, false
+	}
+	if len(data) <= maxBytes {
+		return data, false
+	}
+	// Keep the tail so the most recent log content is preserved.
+	return data[len(data)-maxBytes:], true
+}
+
+func GetRepoActionJobLogPreviewFn(ctx context.Context, req mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+	log.Debugf("Called GetRepoActionJobLogPreviewFn")
+	owner, ok := req.GetArguments()["owner"].(string)
+	if !ok || owner == "" {
+		return to.ErrorResult(fmt.Errorf("owner is required"))
+	}
+	repo, ok := req.GetArguments()["repo"].(string)
+	if !ok || repo == "" {
+		return to.ErrorResult(fmt.Errorf("repo is required"))
+	}
+	jobIDFloat, ok := req.GetArguments()["job_id"].(float64)
+	if !ok || jobIDFloat <= 0 {
+		return to.ErrorResult(fmt.Errorf("job_id is required"))
+	}
+	tailLinesFloat, _ := req.GetArguments()["tail_lines"].(float64)
+	maxBytesFloat, _ := req.GetArguments()["max_bytes"].(float64)
+	tailLines := int(tailLinesFloat)
+	if tailLines <= 0 {
+		tailLines = 200
+	}
+	maxBytes := int(maxBytesFloat)
+	if maxBytes <= 0 {
+		maxBytes = 65536
+	}
+
+	jobID := int64(jobIDFloat)
+	raw, usedPath, err := fetchJobLogBytes(ctx, owner, repo, jobID)
+	if err != nil {
+		return to.ErrorResult(fmt.Errorf("get job log err: %v", err))
+	}
+
+	tailed := tailByLines(raw, tailLines)
+	limited, truncated := limitBytes(tailed, maxBytes)
+
+	return to.TextResult(map[string]any{
+		"endpoint":     usedPath,
+		"job_id":       jobID,
+		"bytes":        len(raw),
+		"tail_lines":   tailLines,
+		"max_bytes":    maxBytes,
+		"truncated":    truncated,
+		"log":          string(limited),
+	})
+}
+
+func DownloadRepoActionJobLogFn(ctx context.Context, req mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+	log.Debugf("Called DownloadRepoActionJobLogFn")
+	owner, ok := req.GetArguments()["owner"].(string)
+	if !ok || owner == "" {
+		return to.ErrorResult(fmt.Errorf("owner is required"))
+	}
+	repo, ok := req.GetArguments()["repo"].(string)
+	if !ok || repo == "" {
+		return to.ErrorResult(fmt.Errorf("repo is required"))
+	}
+	jobIDFloat, ok := req.GetArguments()["job_id"].(float64)
+	if !ok || jobIDFloat <= 0 {
+		return to.ErrorResult(fmt.Errorf("job_id is required"))
+	}
+	outputPath, _ := req.GetArguments()["output_path"].(string)
+	jobID := int64(jobIDFloat)
+
+	raw, usedPath, err := fetchJobLogBytes(ctx, owner, repo, jobID)
+	if err != nil {
+		return to.ErrorResult(fmt.Errorf("download job log err: %v", err))
+	}
+
+	if outputPath == "" {
+		home, _ := os.UserHomeDir()
+		if home == "" {
+			home = os.TempDir()
+		}
+		outputPath = filepath.Join(home, ".gitea-mcp", "artifacts", "actions-logs", owner, repo, fmt.Sprintf("%d.log", jobID))
+	}
+
+	if err := os.MkdirAll(filepath.Dir(outputPath), 0o700); err != nil {
+		return to.ErrorResult(fmt.Errorf("create output dir err: %v", err))
+	}
+	if err := os.WriteFile(outputPath, raw, 0o600); err != nil {
+		return to.ErrorResult(fmt.Errorf("write log file err: %v", err))
+	}
+
+	return to.TextResult(map[string]any{
+		"endpoint": usedPath,
+		"job_id":   jobID,
+		"path":     outputPath,
+		"bytes":    len(raw),
+	})
+}
+
+