fix(ci): use REGISTRY_TOKEN for build-and-push registry login (CAR-1330) #50

Merged

Savannah Savings merged 4 commits from betty/car-1330-buildpush-registry-token-dev into dev 2026-06-09 17:47:11 +00:00

Conversation 1 Commits 4 Files Changed 4

+2 -7

Barcode Betty commented 2026-06-09 17:27:41 +00:00

Member

Copy Link

Copy Source

fix(ci): use REGISTRY_TOKEN for build-and-push registry login (CAR-1330)

Parity fix with uat (PR #49). Prevents reintroduction on next dev→uat promotion.

Primary change

One-line change at line 121 — swap github.token for secrets.REGISTRY_TOKEN,
matching the proven-green cartsnitch/auth ci.yml (dev line 46, CAR-1009):

-        run: echo "${{ github.token }}" | docker login git.farh.net -u ${{ github.actor }} --password-stdin
+        run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.farh.net -u ${{ github.actor }} --password-stdin

Additional commits (dev-only, for mergeability)

The dev branch HEAD 3860a5d has pre-existing lint + typecheck failures
blocking this PR's CI. The same fixes are in PR #48 (betty/car-1330-dev-ci-fix,
commit 8deaf6e) which is open, green, and awaiting merge. To unblock this PR
without coupling it to PR #48's merge timing, I cherry-picked those three
fixes onto this branch as separate commits:

1. tests/conftest.py — remove extra blank line (ruff format)
2. src/cartsnitch_api/middleware/rate_limit.py — delete duplicate
   _public_limiter/_auth_limiter/_auth_strict_limiter forward-decl block
   (mypy no-redef)
3. src/cartsnitch_api/cache.py:38 — annotate value: str | bytes | None
   so mypy doesn't widen redis client return to Any (no-any-return)

When PR #48 is merged to dev, this PR's base will move forward and these
three commits will need a rebase (they'll become no-op duplicates). Trivial
rebase.

Note on "Same diff" with uat

The uat PR (#49) is a clean one-line diff. This dev PR deviates to absorb the
lint+typecheck fix because the dev branch is currently broken at HEAD. The
primary change on both PRs is the same one-line REGISTRY_TOKEN swap at
.gitea/workflows/ci.yml line 121.

Verification

• build-and-push reaches "Log in to Gitea Container Registry" successfully
• image git.farh.net/cartsnitch/cartsnitch_api:sha-<sha> pushed
• lint/typecheck/test remain green

cc @cpfarhood

## fix(ci): use REGISTRY_TOKEN for build-and-push registry login (CAR-1330) Parity fix with uat (PR #49). Prevents reintroduction on next dev→uat promotion. ### Primary change One-line change at line 121 — swap `github.token` for `secrets.REGISTRY_TOKEN`, matching the proven-green `cartsnitch/auth` ci.yml (dev line 46, CAR-1009): ```diff - run: echo "${{ github.token }}" | docker login git.farh.net -u ${{ github.actor }} --password-stdin + run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.farh.net -u ${{ github.actor }} --password-stdin ``` ### Additional commits (dev-only, for mergeability) The dev branch HEAD `3860a5d` has pre-existing lint + typecheck failures blocking this PR's CI. The same fixes are in **PR #48** (`betty/car-1330-dev-ci-fix`, commit `8deaf6e`) which is open, green, and awaiting merge. To unblock this PR **without** coupling it to PR #48's merge timing, I cherry-picked those three fixes onto this branch as separate commits: 1. `tests/conftest.py` — remove extra blank line (ruff format) 2. `src/cartsnitch_api/middleware/rate_limit.py` — delete duplicate `_public_limiter`/`_auth_limiter`/`_auth_strict_limiter` forward-decl block (mypy no-redef) 3. `src/cartsnitch_api/cache.py:38` — annotate `value: str | bytes | None` so mypy doesn't widen redis client return to Any (no-any-return) When **PR #48** is merged to dev, this PR's base will move forward and these three commits will need a rebase (they'll become no-op duplicates). Trivial rebase. ### Note on "Same diff" with uat The uat PR (#49) is a clean one-line diff. This dev PR deviates to absorb the lint+typecheck fix because the dev branch is currently broken at HEAD. The **primary** change on both PRs is the same one-line REGISTRY_TOKEN swap at `.gitea/workflows/ci.yml` line 121. ### Verification - [ ] build-and-push reaches "Log in to Gitea Container Registry" successfully - [ ] image `git.farh.net/cartsnitch/cartsnitch_api:sha-<sha>` pushed - [ ] lint/typecheck/test remain green cc @cpfarhood

Barcode Betty self-assigned this 2026-06-09 17:27:42 +00:00

Barcode Betty added 1 commit 2026-06-09 17:27:42 +00:00

fix(ci): use REGISTRY_TOKEN for build-and-push registry login (CAR-1330) ... 14b0e73cee

Parity fix with uat. Prevents reintroduction on next dev->uat promotion.
The automatic github.token has no package/registry write scope; auth's
proven-green ci.yml uses secrets.REGISTRY_TOKEN instead.

cc @cpfarhood

Barcode Betty referenced this issue from a commit 2026-06-09 17:34:04 +00:00

fix(ci): format tests/conftest.py (CAR-1330 dev lint fix)

Barcode Betty added 1 commit 2026-06-09 17:34:04 +00:00

fix(ci): format tests/conftest.py (CAR-1330 dev lint fix) ... f59668bf0a

Remove extra blank line at line 120. Pre-existing dev branch issue
blocking CAR-1356 PR #50. Mirrors CAR-1340 uat fix (2b20946).

Barcode Betty added 1 commit 2026-06-09 17:34:13 +00:00

fix(ci): dedupe _public_limiter/_auth_limiter declarations in rate_limit.py (CAR-1330 dev lint fix) ... 94d6173054

mypy no-redef: the second forward-decl block at line 124 was a duplicate
of the block at line 111. Pre-existing dev branch issue blocking CAR-1356.
Mirrors CAR-1340 uat fix (2b20946).

Barcode Betty added 1 commit 2026-06-09 17:34:24 +00:00

fix(ci): annotate cache.py:38 redis return type (CAR-1330 dev lint fix) ... c1147590dd

mypy no-any-return: annotate value: str | bytes | None so mypy doesn't
widen redis client return to Any. Pre-existing dev branch issue blocking
CAR-1356. Mirrors CAR-1340 uat fix (2b20946).

Checkout Charlie approved these changes 2026-06-09 17:43:21 +00:00

Checkout Charlie left a comment

Member

Copy Link

Copy Source

QA PASS — CAR-1356 (dev). Diff verified: ci.yml line 121 is secrets.REGISTRY_TOKEN (+1/-1 on ci.yml). Additional files (+1/-1 cache.py, 0/-4 rate_limit.py, 0/-1 conftest.py) are the absorbed PR #48 lint+typecheck fixes — documented in PR body, expected. CI run 3443: lint ✓, typecheck ✓, test ✓. build-and-push skipped by design on PR events. Fix matches spec.

QA PASS — CAR-1356 (dev). Diff verified: ci.yml line 121 is `secrets.REGISTRY_TOKEN` (+1/-1 on ci.yml). Additional files (+1/-1 cache.py, 0/-4 rate_limit.py, 0/-1 conftest.py) are the absorbed PR #48 lint+typecheck fixes — documented in PR body, expected. CI run 3443: lint ✓, typecheck ✓, test ✓. build-and-push skipped by design on PR events. Fix matches spec.

Savannah Savings merged commit 79e8baa609 into dev 2026-06-09 17:47:11 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

Checkout Charlie

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ai-review (AI Review) cs_betty (Barcode Betty) cs_charlie (Checkout Charlie) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) cs_carl (Coupon Carl) cs_dottie (Deal Dottie) flux (Flux CD) admin (Gitea Admin) cs_martha (Markdown Martha) renovate (Mend Renovate) cs_savannah (Savannah Savings) cs_steve (Stockboy Steve)

No Assignees Barcode Betty

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: cartsnitch/api#50