Complete workflow token migration and pip fixes

Token Migration (GITHUB_TOKEN  GH_TOKEN):
- Update CI workflow to use GH_TOKEN secret
- Update Release workflow to use GH_TOKEN secret
- Update Security workflow to use GH_TOKEN secret
- Maintain environment variable compatibility
- Update token validation messages

 Pip Installation Improvements:
- Add --root-user-action=ignore to all pip commands
- Eliminates 'Running pip as root user' warnings
- Applied across all workflow jobs consistently
- Improves workflow reliability and log cleanliness

 Affected Workflows:
- CI: Fixed token references + pip warnings
- Release: Fixed token references + pip warnings
- Security: Fixed token references + pip warnings + validation messages

 Changes Summary:
- 3 workflow files updated
- 37 insertions, 37 deletions (clean replacements)
- Consistent token naming across all workflows
- All pip commands now use --root-user-action=ignore flag

 Benefits:
- Gitea-compatible secret naming (GH_TOKEN)
- Cleaner workflow logs without pip warnings
- Better error handling and validation
- Consistent token usage across all pipelines

.gitea/workflows/ci.yml

@@ -14,7 +14,7 @@ env:
   REGISTRY: git.b4l.co.th
   IMAGE_NAME: b4l/northern-thailand-ping-river-monitor
   # GitHub token for better rate limits and authentication
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GH_TOKEN: ${{ secrets.GH_TOKEN }}
 
 jobs:
   # Test job
@@ -44,9 +44,9 @@ jobs:
           
     - name: Install dependencies
       run: |
-        python -m pip install --upgrade pip
-        pip install -r requirements.txt
-        pip install -r requirements-dev.txt
+        python -m pip install --upgrade pip --root-user-action=ignore
+        pip install --root-user-action=ignore -r requirements.txt
+        pip install --root-user-action=ignore -r requirements-dev.txt
         
     - name: Lint with flake8
       run: |
@@ -106,8 +106,8 @@ jobs:
         
     - name: Install dependencies
       run: |
-        python -m pip install --upgrade pip
-        pip install -r requirements-dev.txt
+        python -m pip install --upgrade pip --root-user-action=ignore
+        pip install --root-user-action=ignore -r requirements-dev.txt
         
     - name: Run safety check
       run: |
@@ -167,7 +167,7 @@ jobs:
         cache-from: type=gha
         cache-to: type=gha,mode=max
       env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
         
     - name: Test Docker image
       run: |
@@ -205,8 +205,8 @@ jobs:
         
     - name: Install dependencies
       run: |
-        python -m pip install --upgrade pip
-        pip install -r requirements.txt
+        python -m pip install --upgrade pip --root-user-action=ignore
+        pip install --root-user-action=ignore -r requirements.txt
         
     - name: Test with VictoriaMetrics
       env:

.gitea/workflows/release.yml

@@ -16,7 +16,7 @@ env:
   REGISTRY: git.b4l.co.th
   IMAGE_NAME: b4l/northern-thailand-ping-river-monitor
   # GitHub token for better rate limits and authentication
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GH_TOKEN: ${{ secrets.GH_TOKEN }}
 
 jobs:
   # Create release
@@ -83,9 +83,9 @@ jobs:
         
     - name: Install dependencies
       run: |
-        python -m pip install --upgrade pip
-        pip install -r requirements.txt
-        pip install -r requirements-dev.txt
+        python -m pip install --upgrade pip --root-user-action=ignore
+        pip install --root-user-action=ignore -r requirements.txt
+        pip install --root-user-action=ignore -r requirements-dev.txt
         
     - name: Run full test suite
       run: |
@@ -95,7 +95,7 @@ jobs:
         
     - name: Build Python package
       run: |
-        pip install build
+        pip install --root-user-action=ignore build
         python -m build
         
     - name: Upload Python package
@@ -160,9 +160,9 @@ jobs:
         image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.create-release.outputs.version }}
         format: 'sarif'
         output: 'trivy-results.sarif'
-        github-token: ${{ secrets.GITHUB_TOKEN }}
+        github-token: ${{ secrets.GH_TOKEN }}
       env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
         
     - name: Upload Trivy scan results
       uses: actions/upload-artifact@v3

.gitea/workflows/security.yml

@@ -14,7 +14,7 @@ on:
 env:
   PYTHON_VERSION: "3.11"
   # GitHub token for better rate limits and authentication
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GH_TOKEN: ${{ secrets.GH_TOKEN }}
 
 jobs:
   # Dependency vulnerability scan
@@ -33,8 +33,8 @@ jobs:
 
       - name: Install dependencies
         run: |
-          python -m pip install --upgrade pip
-          pip install safety bandit semgrep
+          python -m pip install --upgrade pip --root-user-action=ignore
+          pip install --root-user-action=ignore safety bandit semgrep
 
       - name: Run Safety check
         run: |
@@ -95,18 +95,18 @@ jobs:
 
       - name: Check GitHub token availability
         run: |
-          if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
-            echo "⚠️ GITHUB_TOKEN not configured. Trivy scans may fail due to rate limits."
-            echo "💡 To fix: Add GITHUB_TOKEN secret in repository settings"
+          if [ -z "${{ secrets.GH_TOKEN }}" ]; then
+            echo "⚠️ GH_TOKEN not configured. Trivy scans may fail due to rate limits."
+            echo "💡 To fix: Add GH_TOKEN secret in repository settings"
           else
-            echo "✅ GITHUB_TOKEN is configured"
+            echo "✅ GH_TOKEN is configured"
           fi
 
       - name: Build Docker image for scanning
         run: |
           docker build -t ping-river-monitor:scan .
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
@@ -114,9 +114,9 @@ jobs:
           image-ref: "ping-river-monitor:scan"
           format: "json"
           output: "trivy-report.json"
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.GH_TOKEN }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
         continue-on-error: true
 
       - name: Run Trivy filesystem scan
@@ -126,9 +126,9 @@ jobs:
           scan-ref: "."
           format: "json"
           output: "trivy-fs-report.json"
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.GH_TOKEN }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
         continue-on-error: true
 
       - name: Upload Trivy reports
@@ -177,9 +177,9 @@ jobs:
 
       - name: Install pip-licenses
         run: |
-          python -m pip install --upgrade pip
-          pip install pip-licenses
-          pip install -r requirements.txt
+          python -m pip install --upgrade pip --root-user-action=ignore
+          pip install --root-user-action=ignore pip-licenses
+          pip install --root-user-action=ignore -r requirements.txt
 
       - name: Check licenses
         run: |
@@ -222,13 +222,13 @@ jobs:
 
       - name: Install pip-check-updates equivalent
         run: |
-          python -m pip install --upgrade pip
-          pip install pip-review
+          python -m pip install --upgrade pip --root-user-action=ignore
+          pip install --root-user-action=ignore pip-review
 
       - name: Check for outdated packages
         run: |
           echo "📦 Checking for outdated packages..."
-          pip install -r requirements.txt
+          pip install --root-user-action=ignore -r requirements.txt
           pip list --outdated --format=json > outdated-packages.json || true
 
           if [ -s outdated-packages.json ]; then
@@ -303,9 +303,9 @@ jobs:
 
       - name: Install quality tools
         run: |
-          python -m pip install --upgrade pip
-          pip install radon xenon vulture
-          pip install -r requirements.txt
+          python -m pip install --upgrade pip --root-user-action=ignore
+          pip install --root-user-action=ignore radon xenon vulture
+          pip install --root-user-action=ignore -r requirements.txt
 
       - name: Calculate code complexity
         run: |