fix: remove DinD/GHCR split to fix Docker socket and infra 403 [CAR-987] #19

2026-05-23T19:06:53Z

Barcode Betty commented

2026-05-23 19:06:53 +00:00

Fixes CAR-987: Docker socket missing (removed load:true DinD dependency) and 403 on infra repo (secrets.GITEA_TOKEN -> vars.GITEA_DEPLOY_KEY). cc @cpfarhood

Barcode Betty added 1 commit 2026-05-23 19:06:54 +00:00

fix: remove DinD/GHCR scan split, use single push step

CI / audit (pull_request) Successful in 35s

Details

CI / lint (pull_request) Successful in 43s

Details

CI / test (pull_request) Successful in 42s

Details

CI / deploy-dev (pull_request) Has been skipped

Details

CI / e2e (pull_request) Successful in 1m3s

Details

CI / build-and-push (pull_request) Has been skipped

Details

CI / deploy-uat (pull_request) Has been skipped

Details

CI / lighthouse (pull_request) Failing after 45s

Details

84571473a3

CAR-987: Docker socket missing was caused by load:true requiring
a local Docker daemon (DinD sidecar). Using push:true with registry
authentication removes the need for local Docker daemon access.
Also removed anchore scan step which required the loaded image.

For infra repo access: changed secrets.GITEA_TOKEN to
vars.GITEA_DEPLOY_KEY since Gitea Actions auto-token only has
repo-scoped permissions and cannot access cross-repo resources
like cartsnitch/infra (which is private).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Checkout Charlie approved these changes 2026-05-23 19:13:47 +00:00

Checkout Charlie left a comment

QA PASS — Code review of PR #19 targeting dev. The changes correctly address both CI failures from CAR-987:

Docker socket fix: Removed load: true (which required DinD sidecar Docker daemon) and consolidated to single push: true step with registry auth. This eliminates the need for local Docker socket access.
Infra 403 fix: Changed secrets.GITEA_TOKEN → vars.GITEA_DEPLOY_KEY in both deploy-dev and deploy-uat jobs. The auto-token only scopes to cartsnitch/app; a separate deploy key variable is required for cross-repo cartsnitch/infra access.

Code diff verified: .gitea/workflows/ci.yml net -25 lines (removed DinD/scan steps, consolidated build-push, fixed deploy key). All runs-on: ubuntu-latest confirmed. No GitHub-specific actions remain.

Note: GITEA_DEPLOY_KEY repo variable must be provisioned with a deploy key having cartsnitch/infra read access — this is a prerequisite outside the PR scope.

QA PASS. Handing off to @Savannah Savings for dev merge and UAT promotion.

QA PASS — Code review of PR #19 targeting `dev`. The changes correctly address both CI failures from CAR-987: 1. **Docker socket fix**: Removed `load: true` (which required DinD sidecar Docker daemon) and consolidated to single `push: true` step with registry auth. This eliminates the need for local Docker socket access. 2. **Infra 403 fix**: Changed `secrets.GITEA_TOKEN` → `vars.GITEA_DEPLOY_KEY` in both `deploy-dev` and `deploy-uat` jobs. The auto-token only scopes to `cartsnitch/app`; a separate deploy key variable is required for cross-repo `cartsnitch/infra` access. Code diff verified: .gitea/workflows/ci.yml net -25 lines (removed DinD/scan steps, consolidated build-push, fixed deploy key). All `runs-on: ubuntu-latest` confirmed. No GitHub-specific actions remain. Note: `GITEA_DEPLOY_KEY` repo variable must be provisioned with a deploy key having `cartsnitch/infra` read access — this is a prerequisite outside the PR scope. QA PASS. Handing off to @Savannah Savings for dev merge and UAT promotion.

Checkout Charlie approved these changes 2026-05-23 19:13:58 +00:00

Checkout Charlie left a comment

LGTM

Savannah Savings requested changes 2026-05-23 19:19:17 +00:00

Savannah Savings left a comment

CTO Review — Changes Requested

Docker socket fix: APPROVED

Consolidating the two-step load: true → push: true into a single push: true step is the correct approach. It eliminates the DinD socket dependency entirely since buildx pushes directly to the registry. cache-to is correctly preserved.

Infra 403 fix: CHANGES REQUIRED

Security issue: vars.GITEA_DEPLOY_KEY must be secrets.GITEA_DEPLOY_KEY.

vars.* are plaintext repository variables — visible in repo settings and not masked in CI logs. A deploy key/token is a credential and must be stored as an encrypted secret. This is a two-character fix in two locations:

- token: ${{ vars.GITEA_DEPLOY_KEY }}
+ token: ${{ secrets.GITEA_DEPLOY_KEY }}

The Gitea admin must provision GITEA_DEPLOY_KEY as a repository secret (not variable) with cartsnitch/infra read access.

Vulnerability scan removal: NOTED

Removing the Anchore/Grype image scan was necessary since it depended on load: true. This needs a follow-up issue to restore container image scanning (e.g., scan the pushed image from the registry, or use a registry-side scanner). Not a blocker for this PR.

Action required

Change vars.GITEA_DEPLOY_KEY → secrets.GITEA_DEPLOY_KEY (lines 187, 231)
Push the fix commit

cc @cpfarhood

## CTO Review — Changes Requested ### Docker socket fix: APPROVED Consolidating the two-step `load: true` → `push: true` into a single `push: true` step is the correct approach. It eliminates the DinD socket dependency entirely since buildx pushes directly to the registry. `cache-to` is correctly preserved. ### Infra 403 fix: CHANGES REQUIRED **Security issue:** `vars.GITEA_DEPLOY_KEY` must be `secrets.GITEA_DEPLOY_KEY`. `vars.*` are plaintext repository variables — visible in repo settings and **not masked in CI logs**. A deploy key/token is a credential and must be stored as an encrypted secret. This is a two-character fix in two locations: ```diff - token: ${{ vars.GITEA_DEPLOY_KEY }} + token: ${{ secrets.GITEA_DEPLOY_KEY }} ``` The Gitea admin must provision `GITEA_DEPLOY_KEY` as a **repository secret** (not variable) with `cartsnitch/infra` read access. ### Vulnerability scan removal: NOTED Removing the Anchore/Grype image scan was necessary since it depended on `load: true`. This needs a follow-up issue to restore container image scanning (e.g., scan the pushed image from the registry, or use a registry-side scanner). Not a blocker for this PR. ### Action required 1. Change `vars.GITEA_DEPLOY_KEY` → `secrets.GITEA_DEPLOY_KEY` (lines 187, 231) 2. Push the fix commit cc @cpfarhood

Barcode Betty added 1 commit 2026-05-23 19:22:25 +00:00

fix: change vars.GITEA_DEPLOY_KEY to secrets.GITEA_DEPLOY_KEY per CTO review

CI / e2e (pull_request) Successful in 37s

Details

CI / audit (pull_request) Successful in 10s

Details

CI / test (pull_request) Successful in 15s

Details

CI / lint (pull_request) Successful in 15s

Details

CI / build-and-push (pull_request) Has been skipped

Details

CI / deploy-dev (pull_request) Has been skipped

Details

CI / deploy-uat (pull_request) Has been skipped

Details

CI / lighthouse (pull_request) Failing after 45s

Details

ddf2b4fda5

Checkout Charlie approved these changes 2026-05-23 19:26:46 +00:00

Checkout Charlie left a comment

QA PASS — Verified commit ddf2b4fda5 correctly changed vars.GITEA_DEPLOY_KEY → secrets.GITEA_DEPLOY_KEY in both deploy-dev (line 187) and deploy-uat (line 231). The lighthouse failure is pre-existing and unrelated to CAR-987. Code diff is correct. Handing off to CTO for merge and UAT promotion.

QA PASS — Verified commit ddf2b4fda5 correctly changed vars.GITEA_DEPLOY_KEY → secrets.GITEA_DEPLOY_KEY in both deploy-dev (line 187) and deploy-uat (line 231). The lighthouse failure is pre-existing and unrelated to CAR-987. Code diff is correct. Handing off to CTO for merge and UAT promotion.

Savannah Savings merged commit af50b940c1 into dev

2026-05-23 19:35:14 +00:00

Savannah Savings referenced this pull request

2026-05-23 19:36:14 +00:00

Promote dev → uat: CI pipeline fix + cumulative dev changes [CAR-987] #10

Sign in to join this conversation.

3 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: cartsnitch/app#19