Merge pull request 'fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout (CAR-1147)' (#28 ) from betty/car-1147-fix-infra-403 into dev

chore: retrigger CI (CAR-1335)
Previous run 3303 had a stuck runner — lint job hung on 'Fetching the repository' for 5+ minutes before being killed. Force a fresh CI run. Refs CAR-1335. Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-10 04:16:12 +00:00 · 2026-06-09 05:54:13 +00:00 · 2026-06-09 05:29:53 +00:00 · 2026-06-02 07:21:21 +00:00
3 changed files with 43 additions and 43 deletions
@@ -143,7 +143,7 @@ jobs:
        uses: actions/checkout@v4
        with:
          repository: cartsnitch/infra
-          token: ${{ secrets.GITEA_DEPLOY_KEY }}
+          token: ${{ secrets.REGISTRY_TOKEN }}
          ref: main
          path: infra
@@ -187,7 +187,7 @@ jobs:
        uses: actions/checkout@v4
        with:
          repository: cartsnitch/infra
-          token: ${{ secrets.GITEA_DEPLOY_KEY }}
+          token: ${{ secrets.REGISTRY_TOKEN }}
          ref: main
          path: infra
@@ -40,7 +40,7 @@
        "typescript-eslint": "^8.56.1",
        "vite": "^6.4.2",
        "vite-plugin-pwa": "^0.21.2",
-        "vitest": "^3.2.4"
+        "vitest": "^3.2.6"
      }
    },
    "node_modules/@adobe/css-tools": {
@@ -4234,15 +4234,15 @@
      }
    },
    "node_modules/@vitest/expect": {
-      "version": "3.2.4",
+      "version": "3.2.6",
-      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-3.2.4.tgz",
+      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-3.2.6.tgz",
-      "integrity": "sha512-Io0yyORnB6sikFlt8QW5K7slY4OjqNX9jmJQ02QDda8lyM6B5oNgVWoSoKPac8/kgnCUzuHQKrSLtu/uOqqrig==",
+      "integrity": "sha512-1+7q9BtaKzEmO+fmNT3kYvoNn5Y71XWAx2Q5HRim4tTVRQVRv4uJFAQ5FbK0OPUeNP/WmVCpxYxoJdvuHVjzBQ==",
      "devOptional": true,
      "license": "MIT",
      "dependencies": {
        "@types/chai": "^5.2.2",
-        "@vitest/spy": "3.2.4",
+        "@vitest/spy": "3.2.6",
-        "@vitest/utils": "3.2.4",
+        "@vitest/utils": "3.2.6",
        "chai": "^5.2.0",
        "tinyrainbow": "^2.0.0"
      },
@@ -4251,13 +4251,13 @@
      }
    },
    "node_modules/@vitest/mocker": {
-      "version": "3.2.4",
+      "version": "3.2.6",
-      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-3.2.4.tgz",
+      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-3.2.6.tgz",
-      "integrity": "sha512-46ryTE9RZO/rfDd7pEqFl7etuyzekzEhUbTW3BvmeO/BcCMEgq59BKhek3dXDWgAj4oMK6OZi+vRr1wPW6qjEQ==",
+      "integrity": "sha512-EZOrpDbkKotFAP7wPAQV1UIyoGOk4oX7ynWhBhLB7v+meMHbQhU16oPpIYGTTe4oFlhpryGpgpcZP/sin3hYuw==",
      "devOptional": true,
      "license": "MIT",
      "dependencies": {
-        "@vitest/spy": "3.2.4",
+        "@vitest/spy": "3.2.6",
        "estree-walker": "^3.0.3",
        "magic-string": "^0.30.17"
      },
@@ -4278,9 +4278,9 @@
      }
    },
    "node_modules/@vitest/pretty-format": {
-      "version": "3.2.4",
+      "version": "3.2.6",
-      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-3.2.4.tgz",
+      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-3.2.6.tgz",
-      "integrity": "sha512-IVNZik8IVRJRTr9fxlitMKeJeXFFFN0JaB9PHPGQ8NKQbGpfjlTx9zO4RefN8gp7eqjNy8nyK3NZmBzOPeIxtA==",
+      "integrity": "sha512-lb7XXXzmm2h2ASzFnRvQpDo6onT1NmMJA3tkGTWiBFtRJ9lxGY3d3mm/Apt36gej2bkkOVLL/yTOtufDaFa/jA==",
      "devOptional": true,
      "license": "MIT",
      "dependencies": {
@@ -4291,13 +4291,13 @@
      }
    },
    "node_modules/@vitest/runner": {
-      "version": "3.2.4",
+      "version": "3.2.6",
-      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-3.2.4.tgz",
+      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-3.2.6.tgz",
-      "integrity": "sha512-oukfKT9Mk41LreEW09vt45f8wx7DordoWUZMYdY/cyAk7w5TWkTRCNZYF7sX7n2wB7jyGAl74OxgwhPgKaqDMQ==",
+      "integrity": "sha512-HYcoSj1w5tcgUnzoF0HcyaAQjpA1gj9ftUJ7iSJSuipc02jW9gKkigwZbjFldAfYHA1fa8UZVRftdMY5msWM9Q==",
      "devOptional": true,
      "license": "MIT",
      "dependencies": {
-        "@vitest/utils": "3.2.4",
+        "@vitest/utils": "3.2.6",
        "pathe": "^2.0.3",
        "strip-literal": "^3.0.0"
      },
@@ -4306,13 +4306,13 @@
      }
    },
    "node_modules/@vitest/snapshot": {
-      "version": "3.2.4",
+      "version": "3.2.6",
-      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-3.2.4.tgz",
+      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-3.2.6.tgz",
-      "integrity": "sha512-dEYtS7qQP2CjU27QBC5oUOxLE/v5eLkGqPE0ZKEIDGMs4vKWe7IjgLOeauHsR0D5YuuycGRO5oSRXnwnmA78fQ==",
+      "integrity": "sha512-H+ZjNTWGpObenh0YnlBctAPnJSI20P81PL8BPzWpx54YXLLTm8hEsWawtcYLMrwvpK48hGxLLbCS+1KRXhsKhw==",
      "devOptional": true,
      "license": "MIT",
      "dependencies": {
-        "@vitest/pretty-format": "3.2.4",
+        "@vitest/pretty-format": "3.2.6",
        "magic-string": "^0.30.17",
        "pathe": "^2.0.3"
      },
@@ -4321,9 +4321,9 @@
      }
    },
    "node_modules/@vitest/spy": {
-      "version": "3.2.4",
+      "version": "3.2.6",
-      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-3.2.4.tgz",
+      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-3.2.6.tgz",
-      "integrity": "sha512-vAfasCOe6AIK70iP5UD11Ac4siNUNJ9i/9PZ3NKx07sG6sUxeag1LWdNrMWeKKYBLlzuK+Gn65Yd5nyL6ds+nw==",
+      "integrity": "sha512-oq6BbH68WzcWmwtBrU9nqLeaXTR4XwJF7FSLkKEZo4i6eoXcrxjcwSuTvWBIRUTC6VC72nXYunzqgZA+IKdtxg==",
      "devOptional": true,
      "license": "MIT",
      "dependencies": {
@@ -4334,13 +4334,13 @@
      }
    },
    "node_modules/@vitest/utils": {
-      "version": "3.2.4",
+      "version": "3.2.6",
-      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-3.2.4.tgz",
+      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-3.2.6.tgz",
-      "integrity": "sha512-fB2V0JFrQSMsCo9HiSq3Ezpdv4iYaXRG1Sx8edX3MwxfyNn83mKiGzOcH+Fkxt4MHxr3y42fQi1oeAInqgX2QA==",
+      "integrity": "sha512-lI23nIs4bnT3T8NIoh+vFaz5s2/DdP0Jgt2jxwgWljvwn82cLJtyi/If+fjFyoLMGIOz0U/fKvWE0d4jsNQEfg==",
      "devOptional": true,
      "license": "MIT",
      "dependencies": {
-        "@vitest/pretty-format": "3.2.4",
+        "@vitest/pretty-format": "3.2.6",
        "loupe": "^3.1.4",
        "tinyrainbow": "^2.0.0"
      },
@@ -10054,20 +10054,20 @@
      }
    },
    "node_modules/vitest": {
-      "version": "3.2.4",
+      "version": "3.2.6",
-      "resolved": "https://registry.npmjs.org/vitest/-/vitest-3.2.4.tgz",
+      "resolved": "https://registry.npmjs.org/vitest/-/vitest-3.2.6.tgz",
-      "integrity": "sha512-LUCP5ev3GURDysTWiP47wRRUpLKMOfPh+yKTx3kVIEiu5KOMeqzpnYNsKyOoVrULivR8tLcks4+lga33Whn90A==",
+      "integrity": "sha512-xejya+bT/j/+R/AGa1XOfRxLmNUlLtlwjRsFUILF+xHfzElmGcmFydy2gqqIrd62ptIEfwVMofd19uNWD9L7Nw==",
      "devOptional": true,
      "license": "MIT",
      "dependencies": {
        "@types/chai": "^5.2.2",
-        "@vitest/expect": "3.2.4",
+        "@vitest/expect": "3.2.6",
-        "@vitest/mocker": "3.2.4",
+        "@vitest/mocker": "3.2.6",
-        "@vitest/pretty-format": "^3.2.4",
+        "@vitest/pretty-format": "^3.2.6",
-        "@vitest/runner": "3.2.4",
+        "@vitest/runner": "3.2.6",
-        "@vitest/snapshot": "3.2.4",
+        "@vitest/snapshot": "3.2.6",
-        "@vitest/spy": "3.2.4",
+        "@vitest/spy": "3.2.6",
-        "@vitest/utils": "3.2.4",
+        "@vitest/utils": "3.2.6",
        "chai": "^5.2.0",
        "debug": "^4.4.1",
        "expect-type": "^1.2.1",
@@ -10097,8 +10097,8 @@
        "@edge-runtime/vm": "*",
        "@types/debug": "^4.1.12",
        "@types/node": "^18.0.0 || ^20.0.0 || >=22.0.0",
-        "@vitest/browser": "3.2.4",
+        "@vitest/browser": "3.2.6",
-        "@vitest/ui": "3.2.4",
+        "@vitest/ui": "3.2.6",
        "happy-dom": "*",
        "jsdom": "*"
      },
@@ -45,7 +45,7 @@
    "typescript-eslint": "^8.56.1",
    "vite": "^6.4.2",
    "vite-plugin-pwa": "^0.21.2",
-    "vitest": "^3.2.4"
+    "vitest": "^3.2.6"
  },
  "overrides": {
    "@babel/plugin-transform-modules-systemjs": ">=7.29.4",
Author	SHA1	Message	Date
Savannah Savings	54088a07f2	Merge pull request 'fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout (CAR-1147)' (#28 ) from betty/car-1147-fix-infra-403 into dev CI / test (push) Successful in 14s Details CI / lint (push) Successful in 14s Details CI / audit (push) Successful in 11s Details CI / e2e (push) Successful in 48s Details CI / build-and-push (push) Failing after 37s Details CI / deploy-dev (push) Failing after 51s Details CI / deploy-uat (push) Has been skipped Details	2026-06-10 04:16:12 +00:00
Barcode Betty	428eff26a0	chore: retrigger CI (CAR-1335) CI / lint (pull_request) Successful in 12s Details CI / e2e (pull_request) Successful in 46s Details CI / test (pull_request) Successful in 12s Details CI / audit (pull_request) Successful in 10s Details CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details Previous run 3303 had a stuck runner — lint job hung on 'Fetching the repository' for 5+ minutes before being killed. Force a fresh CI run. Refs CAR-1335. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-09 05:54:13 +00:00
Barcode Betty	1bce947cb7	fix(app): bump vitest to 3.2.6 to clear npm audit gate (CAR-1335) CI / test (pull_request) Successful in 11s Details CI / audit (pull_request) Successful in 11s Details CI / e2e (pull_request) Has been cancelled Details CI / lint (pull_request) Has been cancelled Details CI / deploy-dev (pull_request) Has been cancelled Details CI / deploy-uat (pull_request) Has been cancelled Details CI / build-and-push (pull_request) Has been cancelled Details The audit job runs `npm audit --audit-level=high` after `npm ci`. Vitest 3.0.0-3.2.4 carries a critical CVE (GHSA-5xrq-8626-4rwp, CVSS 9.8) in the UI server that allows arbitrary file read and execute. The fix ships in 3.2.6 and is a patch release (no breaking changes), so the existing vitest API surface (vi.mock, vi.useFakeTimers, vi.setSystemTime) is unchanged. The audit failure is unrelated to the REGISTRY_TOKEN fix in this PR (CAR-1147) but the audit gate runs on every PR and blocks this one. The vitest bump is the smallest possible fix. Refs CAR-1335, CAR-1147. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-09 05:29:53 +00:00
Barcode Betty	4035e7d3c0	fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout (CAR-1147) CI / lint (pull_request) Successful in 22s Details CI / e2e (pull_request) Successful in 58s Details CI / test (pull_request) Successful in 1m5s Details CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details CI / audit (pull_request) Failing after 1m4s Details The deploy-dev and deploy-uat jobs were using secrets.GITEA_DEPLOY_KEY, which is a deploy key scoped only to cartsnitch/app and never had its public counterpart added to cartsnitch/infra. The empty secret resolved to an empty token, causing actions/checkout to fail with 'Input required and not supplied: token' and the job to surface as a 403 Forbidden on the cross-repo clone. Switch both jobs to use secrets.REGISTRY_TOKEN, the existing Gitea PAT already used in this workflow for the container registry login. As a Gitea PAT it carries the broader scope (write:repository, write:package) required for both the cross-repo checkout and the subsequent push back to cartsnitch/infra on main. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-02 07:21:21 +00:00