From 2339999d37ccd7771fedde6d708665c589da6dbd Mon Sep 17 00:00:00 2001
From: Rodin <rodin@forgedthought.ai>
Date: Sat, 2 May 2026 10:02:03 -0700
Subject: [PATCH] fix: URL-encode asset filename, truncate error body in
 APIError

- URL-encode filename in release upload query param (MINOR)
- Truncate APIError.Body to 200 chars in Error() to avoid leaking
  verbose server responses into logs (NIT)
---
 .gitea/workflows/release.yml | 2 +-
 gitea/client.go              | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index a7ba4b2..082ede3 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -90,7 +90,7 @@ jobs:
             curl -sSf -X POST \
               -H "Authorization: token ${GITEA_TOKEN}" \
               -H "Content-Type: application/octet-stream" \
-              "${GITEA_URL}/api/v1/repos/${REPO}/releases/${RELEASE_ID}/assets?name=${filename}" \
+              "${GITEA_URL}/api/v1/repos/${REPO}/releases/${RELEASE_ID}/assets?name=$(printf '%s' "${filename}" | jq -sRr @uri)" \
               --data-binary "@${file}"
           done
 
diff --git a/gitea/client.go b/gitea/client.go
index 5e202da..4c82a8c 100644
--- a/gitea/client.go
+++ b/gitea/client.go
@@ -26,7 +26,11 @@ type APIError struct {
 }
 
 func (e *APIError) Error() string {
-	return fmt.Sprintf("HTTP %d: %s", e.StatusCode, e.Body)
+	body := e.Body
+	if len(body) > 200 {
+		body = body[:200] + "...(truncated)"
+	}
+	return fmt.Sprintf("HTTP %d: %s", e.StatusCode, body)
 }
 
 // IsNotFound reports whether an error is an API 404 response.