Merge pull request 'fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout (CAR-1147)' (#28 ) from betty/car-1147-fix-infra-403 into dev

chore: retrigger CI (CAR-1335)
Previous run 3303 had a stuck runner — lint job hung on 'Fetching the repository' for 5+ minutes before being killed. Force a fresh CI run. Refs CAR-1335. Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-10 04:16:12 +00:00 · 2026-06-09 05:54:13 +00:00 · 2026-06-09 05:29:53 +00:00 · 2026-06-02 07:21:21 +00:00 · 2026-05-24 18:48:27 +00:00 · 2026-05-24 18:40:48 +00:00
4 changed files with 939 additions and 1049 deletions
@@ -21,10 +21,10 @@ env:

 jobs:
  lint:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
        with:
          node-version: "20"
          cache: npm
@@ -35,10 +35,10 @@ jobs:
        run: npx tsc --noEmit

  test:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
        with:
          node-version: "20"
          cache: npm
@@ -47,10 +47,10 @@ jobs:
        run: npx vitest run

  audit:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
        with:
          node-version: "20"
          cache: npm
@@ -59,10 +59,10 @@ jobs:
        run: npm audit --audit-level=high

  e2e:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
        with:
          node-version: "20"
          cache: npm
@@ -70,33 +70,8 @@ jobs:
      - run: npx playwright install --with-deps chromium
      - run: npx playwright test

-  lighthouse:
-    runs-on: runners-cartsnitch
-    needs: [test]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-          cache: npm
-      - run: npm ci
-      - run: npm run build
-      - name: Install Chromium for Lighthouse
-        run: |
-          npm install -g playwright
-          npx playwright install --with-deps chromium
-      - name: Start preview server
-        run: |
-          npm run preview &
-          npx wait-on http://localhost:4173/ --timeout 30000
-      - name: Run Lighthouse CI
-        run: |
-          CHROME_PATH=$(find /home/runner/.cache/ms-playwright -name chrome -type f 2>/dev/null | head -1)
-          npm install -g @lhci/cli
-          CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage"
-
  build-and-push:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    needs: [lint, test, e2e]
    outputs:
@@ -142,37 +117,7 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          load: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          target: prod
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Scan frontend image for vulnerabilities
-        uses: anchore/scan-action@v5
-        id: scan
-        env:
-          GRYPE_CONFIG: .grype.yaml
-        with:
-          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
-          fail-build: true
-          severity-cutoff: high
-          only-fixed: "true"
-          output-format: sarif
-
-      - name: Upload frontend scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
-
-      - name: Push Docker image
-        if: github.event_name == 'push'
+      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
@@ -181,6 +126,7 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          target: prod
          cache-from: type=gha
+          cache-to: type=gha,mode=max

      - name: Create git tag
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
@@ -189,24 +135,15 @@ jobs:
          git push origin "v${{ steps.calver.outputs.version }}"

  deploy-dev:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
    needs: [build-and-push]
    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
    steps:
-      - name: Generate GitHub App token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
-          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: infra
-
      - name: Checkout infra repo
        uses: actions/checkout@v4
        with:
          repository: cartsnitch/infra
-          token: ${{ steps.app-token.outputs.token }}
+          token: ${{ secrets.REGISTRY_TOKEN }}
          ref: main
          path: infra

@@ -229,7 +166,7 @@ jobs:
        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/app:${{ steps.frontend_tag.outputs.tag }}
+          kustomize edit set image git.farh.net/cartsnitch/app:${{ steps.frontend_tag.outputs.tag }}

      - name: Commit and push to infra
        run: |
@@ -242,24 +179,15 @@ jobs:
          git push origin main

  deploy-uat:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
    needs: [build-and-push]
    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
    steps:
-      - name: Generate GitHub App token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
-          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: infra
-
      - name: Checkout infra repo
        uses: actions/checkout@v4
        with:
          repository: cartsnitch/infra
-          token: ${{ steps.app-token.outputs.token }}
+          token: ${{ secrets.REGISTRY_TOKEN }}
          ref: main
          path: infra

@@ -282,7 +210,7 @@ jobs:
        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/app:${{ steps.frontend_tag.outputs.tag }}
+          kustomize edit set image git.farh.net/cartsnitch/app:${{ steps.frontend_tag.outputs.tag }}

      - name: Commit and push to infra
        run: |
@@ -45,13 +45,15 @@
    "typescript-eslint": "^8.56.1",
    "vite": "^6.4.2",
    "vite-plugin-pwa": "^0.21.2",
-    "vitest": "^3.2.4"
+    "vitest": "^3.2.6"
  },
  "overrides": {
+    "@babel/plugin-transform-modules-systemjs": ">=7.29.4",
    "@rollup/pluginutils": "5.3.0",
+    "brace-expansion": ">=1.1.15",
+    "fast-uri": ">=3.1.2",
    "flatted": "^3.4.2",
    "serialize-javascript": "7.0.5",
-    "brace-expansion": ">=1.1.13",
    "lodash": ">=4.17.24",
    "minimatch": "^10.2.4"
  }
@@ -16,7 +16,7 @@ export function VerifyEmail() {
    const callbackURL = searchParams.get("callbackURL") || "/";

    if (!token) {
-      setStatus("error");
+      queueMicrotask(() => setStatus("error"));
      return;
    }