fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout (CAR-1147)
CI / lint (pull_request) Successful in 22s
CI / e2e (pull_request) Successful in 58s
CI / test (pull_request) Successful in 1m5s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / audit (pull_request) Failing after 1m4s
The deploy-dev and deploy-uat jobs were using secrets.GITEA_DEPLOY_KEY, which is a deploy key scoped only to cartsnitch/app and never had its public counterpart added to cartsnitch/infra. The empty secret resolved to an empty token, causing actions/checkout to fail with 'Input required and not supplied: token' and the job to surface as a 403 Forbidden on the cross-repo clone.

Switch both jobs to use secrets.REGISTRY_TOKEN, the existing Gitea PAT already used in this workflow for the container registry login. As a Gitea PAT it carries the broader scope (write:repository, write:package) required for both the cross-repo checkout and the subsequent push back to cartsnitch/infra on main.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
@@ -143,7 +143,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
repository: cartsnitch/infra
|
||||
token: ${{ secrets.GITEA_DEPLOY_KEY }}
|
||||
token: ${{ secrets.REGISTRY_TOKEN }}
|
||||
ref: main
|
||||
path: infra
|
||||
|
||||
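Review bot: the new `token: ${{ secrets.REGISTRY_TOKEN }}` line makes one PAT serve both the container registry login and write access to cartsnitch/infra, so a leak from either use exposes both. The commit message states this token carries write:repository and write:package; the checkout and push back to cartsnitch/infra only need the repository scope. Consider a separate secret for this step, limited to repository access on cartsnitch/infra, and keep REGISTRY_TOKEN for the registry login only. A name that says what the credential is for would also keep the next reader from assuming it is registry-only.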
@@ -187,7 +187,7 @@ jobs:
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
repository: cartsnitch/infra
|
||||
token: ${{ secrets.GITEA_DEPLOY_KEY }}
|
||||
token: ${{ secrets.REGISTRY_TOKEN }}
|
||||
ref: main
|
||||
path: infra
|
||||
|
||||
|
||||
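Review bot: this second checkout still has no guard against `secrets.REGISTRY_TOKEN` being unset, which is the same failure mode the commit message describes for GITEA_DEPLOY_KEY (an empty secret surfacing as a misleading 403 on the clone). A short step before the checkout that fails with a clear message when the secret is empty would make that case obvious in both deploy jobs. Note also that actions/checkout keeps the token in the checkout's local git config by default so that later steps can push; with a token that also has write:package, every later step in the job that can read the `infra` directory can read that credential, so it is worth confirming that only the push step needs it.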