tea login: Authenticate the Gitea CLI in CI
tea login add registers a Gitea host and token so subsequent tea commands can talk to your instance.
tea is the CLI for Gitea and Forgejo. Because these are usually self-hosted, tea always needs an explicit instance URL plus an access token before pr or issue commands work.
What it does
tea login add stores a named login: a Gitea instance URL and an access token. tea login list shows configured logins and tea login default sets which one commands use when --login is omitted.
Common usage
# non-interactive token login for a self-hosted Gitea
tea login add --name ci --url https://gitea.example.com --token "$GITEA_TOKEN"
tea login default ci
# verify
tea login listOptions
| Flag | What it does |
|---|---|
| --name <name> | A label for this login (referenced by --login later) |
| --url <url> | The Gitea/Forgejo instance base URL |
| --token <token> | API access token (non-interactive) |
| --user / --password | Basic-auth alternative (avoid in CI) |
| --insecure | Skip TLS verification (self-signed instances) |
| --ssh-key <path> | Associate an SSH key with the login |
In CI
Use --token with a Gitea access token, never --user/--password. tea persists logins in ~/.config/tea/config.yml, so on ephemeral runners run tea login add every job or bake the config in. For self-signed test instances add --insecure rather than disabling TLS globally.
Common errors in CI
"Error: token is required" or "could not detect base url" means --token or --url was omitted. "Post \"https://.../api/v1/...\": x509: certificate signed by unknown authority" on a self-signed host is fixed with --insecure or a trusted CA. "401 Unauthorized" means the token is wrong or revoked. "unknown login" from a later command means the --login name does not match one added here.