fix(ci): remove GHA cache + simplify Push to match auth (CAR-1357, CAR-1362)

Two related fixes for build-and-push on Gitea: 1. Drop `cache-from: type=gha` and `cache-to: type=gha,mode=max` from both Build and Push steps. `type=gha` is the GitHub Actions Cache backend, which does not exist on git.farh.net. The cache export failure was marking the Build step failed and skipping the Push step. 2. Simplify the Push step to match the proven-green `cartsnitch/auth/ci.yml` pattern: drop `file: ./Dockerfile` (default is `Dockerfile`) and `build-args: APT_CACHE_BUST=...` (only used to bust apt cache in stage 1 of multi-stage build). With these extra params removed, the buildx "unknown" error after `pushing layers 0.2s done` resolves itself. Combined diff: 6 lines removed from .gitea/workflows/ci.yml. This is a config simplification only — no app code, no build context, no test changes. Validated on dev: PR #52 (cache removal) + PR #53 (Push simplification) merged → run 3458 build-and-push success → image `git.farh.net/cartsnitch/api:sha-a3a01eefe2e5a7fc4559b5c82ef76f91a7385a50` present in the registry. Refs: CAR-1362, CAR-1356, CAR-1330, CAR-1357. Co-authored-by: Paperclip <noreply@paperclip.ing>
fix(ci): use REGISTRY_TOKEN for build-and-push registry login (CAR-1330)
2026-06-10 04:16:21 +00:00 · 2026-06-09 17:46:32 +00:00 · 2026-06-09 17:25:21 +00:00 · 2026-06-09 17:24:34 +00:00 · 2026-06-09 11:23:33 +00:00 · 2026-06-09 08:30:56 +00:00
4 changed files with 2 additions and 13 deletions
@@ -118,7 +118,7 @@ jobs:
          echo "CalVer tag: $VERSION"

      - name: Log in to Gitea Container Registry
-        run: echo "${{ github.token }}" | docker login git.farh.net -u ${{ github.actor }} --password-stdin
+        run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.farh.net -u ${{ github.actor }} --password-stdin

      - name: Extract metadata
        id: meta
@@ -140,8 +140,6 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max

      - name: Scan api image for vulnerabilities
        uses: anchore/scan-action@v5
@@ -162,13 +160,9 @@ jobs:
        uses: docker/build-push-action@v6
        with:
          context: .
-          file: ./Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=gha

      - name: Create git tag
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
@@ -35,7 +35,7 @@ class CacheClient:
    async def get(self, key: str) -> str | None:
        if not self._client:
            return None
-        value = await self._client.get(key)
+        value: str | bytes | None = await self._client.get(key)
        if value is None:
            return None
        if isinstance(value, bytes):
@@ -121,10 +121,6 @@ if settings.rate_limit_redis_enabled:
        logger.warning("Failed to connect to Redis for rate limiting, using in-memory: %s", e)
        _use_redis = False

-_public_limiter: RateLimitBackend
-_auth_limiter: RateLimitBackend
-_auth_strict_limiter: RateLimitBackend
-
 if _use_redis and _redis_client:
    _public_limiter = RedisSlidingWindow(
        _redis_client, settings.rate_limit_requests, settings.rate_limit_window_seconds
@@ -117,7 +117,6 @@ def _register_event_listeners():
            event.listen(cls, "before_insert", _set_timestamp_defaults)


-
 TEST_JWT_SECRET = secrets.token_urlsafe(32)
 TEST_SERVICE_KEY = secrets.token_urlsafe(32)
 TEST_FERNET_KEY = "7reF42nmTwbdN21PBoubGp7h_FU8qSimstmlaMLoRK8="
Author	SHA1	Message	Date
Barcode Betty	96ae9314bf	fix(ci): remove GHA cache + simplify Push to match auth (CAR-1357, CAR-1362) CI / lint (pull_request) Successful in 6s Details CI / typecheck (pull_request) Successful in 20s Details CI / test (pull_request) Successful in 26s Details CI / build-and-push (pull_request) Has been skipped Details Two related fixes for build-and-push on Gitea: 1. Drop `cache-from: type=gha` and `cache-to: type=gha,mode=max` from both Build and Push steps. `type=gha` is the GitHub Actions Cache backend, which does not exist on git.farh.net. The cache export failure was marking the Build step failed and skipping the Push step. 2. Simplify the Push step to match the proven-green `cartsnitch/auth/ci.yml` pattern: drop `file: ./Dockerfile` (default is `Dockerfile`) and `build-args: APT_CACHE_BUST=...` (only used to bust apt cache in stage 1 of multi-stage build). With these extra params removed, the buildx "unknown" error after `pushing layers 0.2s done` resolves itself. Combined diff: 6 lines removed from .gitea/workflows/ci.yml. This is a config simplification only — no app code, no build context, no test changes. Validated on dev: PR #52 (cache removal) + PR #53 (Push simplification) merged → run 3458 build-and-push success → image `git.farh.net/cartsnitch/api:sha-a3a01eefe2e5a7fc4559b5c82ef76f91a7385a50` present in the registry. Refs: CAR-1362, CAR-1356, CAR-1330, CAR-1357. Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-06-10 04:16:21 +00:00
Barcode Betty	e41cd3c6f0	fix(ci): use REGISTRY_TOKEN for build-and-push registry login (CAR-1330) CI / lint (push) Successful in 5s Details CI / typecheck (push) Successful in 18s Details CI / test (push) Successful in 21s Details CI / build-and-push (push) Failing after 55s Details Squashed fix swaps github.token → secrets.REGISTRY_TOKEN at .gitea/workflows/ci.yml:121, matching the proven-green cartsnitch/auth pattern (CAR-1009). Unblocks CAR-1132 production deploy by making the build-and-push job pass registry auth. QA: PR #49 approved by @cs_charlie (review id 4615); CI run 3439 lint/typecheck/test all green. Co-authored-by: Barcode Betty <32+cs_betty@noreply.git.farh.net> Co-committed-by: Barcode Betty <32+cs_betty@noreply.git.farh.net>	2026-06-09 17:46:32 +00:00
cs_betty	8ace5f0f30	revert: undo accidental build-and-push token change (CAR-1356 fix scope creep) CI / lint (push) Successful in 4s Details CI / typecheck (push) Successful in 18s Details CI / test (push) Successful in 23s Details CI / build-and-push (push) Failing after 5s Details Restoring line 121 to github.token until CAR-1356 PR branch is created via the proper contents-API + new_branch flow.	2026-06-09 17:25:21 +00:00
cs_betty	02649a76d3	fix(ci): use REGISTRY_TOKEN for build-and-push registry login (CAR-1330) CI / typecheck (push) Failing after 7s Details CI / lint (push) Successful in 8s Details CI / test (push) Successful in 22s Details CI / build-and-push (push) Has been cancelled Details	2026-06-09 17:24:34 +00:00
Savannah Savings	f687097ad1	Merge pull request 'fix(ci): resolve uat lint + typecheck failures (CAR-1340)' (#47 ) from betty/car-1340-uat-ci-fix into uat CI / lint (push) Successful in 5s Details CI / typecheck (push) Successful in 19s Details CI / test (push) Successful in 23s Details CI / build-and-push (push) Failing after 6s Details fix(ci): resolve uat lint + typecheck failures (CAR-1340) Merges betty/car-1340-uat-ci-fix into uat. Makes uat CI green to unblock CEO uat->main production merge for CAR-1132. Reviewed-by: Checkout Charlie (QA, APPROVED) Merged-by: Savannah Savings (CTO)	2026-06-09 11:23:33 +00:00
Savannah Savings	806d30a064	fix(ci): resolve uat lint + typecheck failures (CAR-1340) CI / lint (pull_request) Successful in 5s Details CI / typecheck (pull_request) Successful in 18s Details CI / test (pull_request) Successful in 22s Details CI / build-and-push (pull_request) Has been skipped Details - cache.py:38: Add explicit type annotation for redis.get() return value to resolve mypy no-any-return - rate_limit.py: Remove duplicate forward-declaration block (dead code, mypy no-redef) - conftest.py: Remove one excess blank line to satisfy ruff format check All three fixes verified locally: ruff check ✅, ruff format ✅, mypy ✅ Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-09 08:30:56 +00:00