fix(ci): migrate from ghcr.io to Gitea built-in registry

- Update REGISTRY env var from ghcr.io to git.farh.net - Remove Docker Hub and GHCR login steps (no longer needed) - Remove postgres and redis credentials blocks that referenced Docker Hub secrets Co-Authored-By: Paperclip <noreply@paperclip.ing>
release: promote API migration to production
2026-05-23 22:03:04 +00:00 · 2026-04-19 12:27:19 +00:00 · 2026-04-19 12:11:48 +00:00
5 changed files with 43 additions and 64 deletions
@@ -2,9 +2,9 @@ name: CI

 on:
  push:
-    branches: [main, dev, uat]
+    branches: [main, dev]
  pull_request:
-    branches: [main, dev, uat]
+    branches: [main, dev]

 concurrency:
  group: ci-${{ github.ref }}
@@ -15,17 +15,18 @@ permissions:
  packages: write

 env:
-  REGISTRY: ghcr.io
+  REGISTRY: git.farh.net
  IMAGE_NAME: cartsnitch/api

 jobs:
  lint:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
+          cache: pip
      - run: pip install ruff
      - name: Ruff lint
        run: ruff check .
@@ -33,13 +34,14 @@ jobs:
        run: ruff format --check .

  typecheck:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
+          cache: pip
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential
      - run: pip install -e ".[dev]" mypy
@@ -47,47 +49,19 @@ jobs:
        run: mypy src/cartsnitch_api

  test:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    services:
-      postgres:
-        image: postgres:15-alpine
-        credentials:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-        env:
-          POSTGRES_USER: cartsnitch
-          POSTGRES_PASSWORD: cartsnitch_test
-          POSTGRES_DB: cartsnitch_test
-        ports:
-          - 5432:5432
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
      redis:
-        image: redis:7-alpine
-        credentials:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-        ports:
-          - 6379:6379
-        options: >-
-          --health-cmd "redis-cli ping"
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
    env:
      CARTSNITCH_DATABASE_URL: postgresql+asyncpg://cartsnitch:cartsnitch_test@localhost:5432/cartsnitch_test
      CARTSNITCH_REDIS_URL: redis://localhost:6379/0
      CARTSNITCH_JWT_SECRET_KEY: test-secret-do-not-use-in-prod
-      CARTSNITCH_SERVICE_KEY: test-service-key-do-not-use-in-prod
-      CARTSNITCH_FERNET_KEY: wXWQsC0FZlhSz2t_tfVQjNUSP8vgAGG3o3pkjrX8Bw0=
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
+          cache: pip
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential
      - run: pip install -e ".[dev]"
@@ -95,7 +69,7 @@ jobs:
        run: pytest --tb=short -q

  build-and-push:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    needs: [lint, test]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
@@ -122,20 +96,6 @@ jobs:
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "CalVer tag: $VERSION"

-      - name: Log in to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
@@ -171,7 +131,11 @@ jobs:
          only-fixed: "true"
          output-format: sarif

-      
+      - name: Upload api scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}

      - name: Push Docker image
        if: github.event_name == 'push'
@@ -193,15 +157,24 @@ jobs:
          git push origin "v${{ steps.calver.outputs.version }}"

  deploy-dev:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    needs: [build-and-push]
    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
+          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: infra
+
      - name: Checkout infra repo
        uses: actions/checkout@v4
        with:
          repository: cartsnitch/infra
-          token: ${{ secrets.GITEA_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
          ref: main
          path: infra

@@ -237,15 +210,24 @@ jobs:
          git push origin main

  deploy-uat:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    needs: [build-and-push]
    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
+          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: infra
+
      - name: Checkout infra repo
        uses: actions/checkout@v4
        with:
          repository: cartsnitch/infra
-          token: ${{ secrets.GITEA_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
          ref: main
          path: infra

@@ -5,8 +5,7 @@ Sessions are verified by querying the shared sessions table directly.
 """

 from datetime import UTC, datetime
-
-from fastapi import Depends, Header, HTTPException, Request, status
+from fastapi import Cookie, Depends, Header, HTTPException, Request, status
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 from sqlalchemy import text
 from sqlalchemy.ext.asyncio import AsyncSession
@@ -6,10 +6,13 @@ endpoints that query our own user data from the shared database.
 """

 from fastapi import APIRouter, Depends, HTTPException, status
+from pydantic import BaseModel
+from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession

 from cartsnitch_api.auth.dependencies import get_current_user
 from cartsnitch_api.database import get_db
+from cartsnitch_api.models import User
 from cartsnitch_api.schemas import (
    UpdateUserRequest,
    UserResponse,
@@ -23,12 +23,7 @@ class Settings(BaseSettings):

    auth_service_url: str = "http://auth:3001"

-    cors_origins: list[str] = [
-        "http://localhost:3000",
-        "https://cartsnitch.com",
-        "https://dev.cartsnitch.com",
-        "https://uat.cartsnitch.com",
-    ]
+    cors_origins: list[str] = ["http://localhost:3000", "https://cartsnitch.com"]

    receiptwitness_url: str = "http://receiptwitness:8001"
    stickershock_url: str = "http://stickershock:8002"
@@ -7,10 +7,10 @@ from fastapi import APIRouter, FastAPI
 from cartsnitch_api.auth.routes import router as auth_router
 from cartsnitch_api.cache import cache_client
 from cartsnitch_api.database import dispose_engine
-from cartsnitch_api.middleware.audit import add_audit_middleware
 from cartsnitch_api.middleware.cors import add_cors_middleware
 from cartsnitch_api.middleware.error_handler import add_error_handlers, add_error_monitor_middleware
 from cartsnitch_api.middleware.rate_limit import add_rate_limit_middleware
+from cartsnitch_api.middleware.audit import add_audit_middleware
 from cartsnitch_api.routes.alerts import router as alerts_router
 from cartsnitch_api.routes.coupons import router as coupons_router
 from cartsnitch_api.routes.health import router as health_router
Author	SHA1	Message	Date
Flea Flicker	d527336da5	fix(ci): migrate from ghcr.io to Gitea built-in registry CI / lint (pull_request) Has been cancelled Details CI / typecheck (pull_request) Has been cancelled Details CI / test (pull_request) Has been cancelled Details CI / build-and-push (pull_request) Has been cancelled Details CI / deploy-dev (pull_request) Has been cancelled Details CI / deploy-uat (pull_request) Has been cancelled Details - Update REGISTRY env var from ghcr.io to git.farh.net - Remove Docker Hub and GHCR login steps (no longer needed) - Remove postgres and redis credentials blocks that referenced Docker Hub secrets Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-23 22:03:04 +00:00
cartsnitch-ceo[bot]	cb180b511f	release: promote API migration to production Production merge approved by CEO (Coupon Carl). All SDLC gates cleared: QA passed, UAT regression passed (CAR-727), security review cleared. Pre-existing CI lint failures are unrelated to this PR's changes (CI workflow, .grype.yaml, CLAUDE.md only).	2026-04-19 12:27:19 +00:00
savannah-savings-cto[bot]	556b43b424	Merge pull request #2 from cartsnitch/dev chore: promote dev to uat	2026-04-19 12:11:48 +00:00