From 84571473a39e1049c564c91c8889abfc038c082d Mon Sep 17 00:00:00 2001 From: Checkout Charlie Date: Sat, 23 May 2026 19:06:16 +0000 Subject: [PATCH 1/2] fix: remove DinD/GHCR scan split, use single push step CAR-987: Docker socket missing was caused by load:true requiring a local Docker daemon (DinD sidecar). Using push:true with registry authentication removes the need for local Docker daemon access. Also removed anchore scan step which required the loaded image. For infra repo access: changed secrets.GITEA_TOKEN to vars.GITEA_DEPLOY_KEY since Gitea Actions auto-token only has repo-scoped permissions and cannot access cross-repo resources like cartsnitch/infra (which is private). Co-Authored-By: Paperclip --- .gitea/workflows/ci.yml | 33 ++++----------------------------- 1 file changed, 4 insertions(+), 29 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index b77c628..f25ac58 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -158,33 +158,7 @@ jobs: type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }} type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - - name: Build Docker image - uses: docker/build-push-action@v6 - with: - context: . - load: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - target: prod - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Scan frontend image for vulnerabilities - uses: anchore/scan-action@v5 - id: scan - env: - GRYPE_CONFIG: .grype.yaml - with: - image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}" - fail-build: true - severity-cutoff: high - only-fixed: "true" - output-format: sarif - - - - - name: Push Docker image - if: github.event_name == 'push' + - name: Build and push Docker image uses: docker/build-push-action@v6 with: context: . @@ -193,6 +167,7 @@ jobs: labels: ${{ steps.meta.outputs.labels }} target: prod cache-from: type=gha + cache-to: type=gha,mode=max - name: Create git tag if: github.event_name == 'push' && github.ref == 'refs/heads/main' @@ -209,7 +184,7 @@ jobs: uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ secrets.GITEA_TOKEN }} + token: ${{ vars.GITEA_DEPLOY_KEY }} ref: main path: infra @@ -253,7 +228,7 @@ jobs: uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ secrets.GITEA_TOKEN }} + token: ${{ vars.GITEA_DEPLOY_KEY }} ref: main path: infra From ddf2b4fda5e39562584e78c95e80ae4ff5e24c4f Mon Sep 17 00:00:00 2001 From: Checkout Charlie Date: Sat, 23 May 2026 19:22:21 +0000 Subject: [PATCH 2/2] fix: change vars.GITEA_DEPLOY_KEY to secrets.GITEA_DEPLOY_KEY per CTO review --- .gitea/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index f25ac58..1a7bb32 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -184,7 +184,7 @@ jobs: uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ vars.GITEA_DEPLOY_KEY }} + token: ${{ secrets.GITEA_DEPLOY_KEY }} ref: main path: infra @@ -228,7 +228,7 @@ jobs: uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ vars.GITEA_DEPLOY_KEY }} + token: ${{ secrets.GITEA_DEPLOY_KEY }} ref: main path: infra