From 4035e7d3c061a631aa05fad877c56d50e0d24453 Mon Sep 17 00:00:00 2001
From: Barcode Betty
Date: Tue, 2 Jun 2026 07:21:21 +0000
Subject: [PATCH] fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout (CAR-1147)

The deploy-dev and deploy-uat jobs were using secrets.GITEA_DEPLOY_KEY, which is a deploy key scoped only to cartsnitch/app and never had its public counterpart added to cartsnitch/infra. The empty secret resolved to an empty token, causing actions/checkout to fail with 'Input required and not supplied: token' and the job to surface as a 403 Forbidden on the cross-repo clone. Switch both jobs to use secrets.REGISTRY_TOKEN, the existing Gitea PAT already used in this workflow for the container registry login. As a Gitea PAT it carries the broader scope (write:repository, write:package) required for both the cross-repo checkout and the subsequent push back to cartsnitch/infra on main.
Co-Authored-By: Paperclip
---
 .gitea/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index c662448..ba2638b 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -143,7 +143,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 repository: cartsnitch/infra
- token: ${{ secrets.GITEA_DEPLOY_KEY }}
+ token: ${{ secrets.REGISTRY_TOKEN }}
 ref: main
 path: infra
@@ -187,7 +187,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 repository: cartsnitch/infra
- token: ${{ secrets.GITEA_DEPLOY_KEY }}
+ token: ${{ secrets.REGISTRY_TOKEN }}
 ref: main
 path: infra
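Review bot: The new `token: ${{ secrets.REGISTRY_TOKEN }}` in the hunk at line 143, and identically in the hunk at line 187, makes one PAT with write:repository and write:package serve registry login, the infra clone and the push back, so a leak from any step of either job exposes all three. As far as I know a Gitea PAT is scoped by category rather than by repository, so it likely reaches every repository its owner can write to, not only cartsnitch/infra. actions/checkout also keeps the token in the checked-out repository's git config unless `persist-credentials: false` is set; the later push presumably relies on that, but it leaves the PAT readable by every subsequent step. I would give the checkout its own secret, owned by a bot account that can write only to cartsnitch/infra, e.g. `token: ${{ secrets.INFRA_PUSH_TOKEN }}` (placeholder name), and add a comment above it such as `# needs write:repository on cartsnitch/infra for the push below`. Both jobs' step lists start and end outside these hunks, so the push step itself is not visible here.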