fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout (CAR-1147) #28

2026-06-02T07:21:52Z

Barcode Betty commented

2026-06-02 07:21:52 +00:00

Problem

The deploy-uat and deploy-dev CI jobs fail with 403 Forbidden when cloning cartsnitch/infra. Root cause: the workflow was using secrets.GITEA_DEPLOY_KEY, a deploy key that is scoped only to cartsnitch/app and whose public counterpart was never added to cartsnitch/infra. The empty secret resolved to an empty token, causing actions/checkout to fail with Input required and not supplied: token and the job to surface as a 403 on the cross-repo clone.

CAR-1147

Fix

Switch both deploy-dev and deploy-uat jobs to use secrets.REGISTRY_TOKEN for the cross-repo checkout. REGISTRY_TOKEN is the existing Gitea PAT already used in this workflow for the container registry login (docker/login-action). As a Gitea PAT it carries the broader scope (write:repository, write:package) needed for both the cross-repo checkout and the subsequent git push origin main back to cartsnitch/infra.

Per the issue, this is Option A (use an existing cross-repo token). If REGISTRY_TOKEN is later found to be missing write:repository scope, follow up by creating a dedicated CI_DEPLOY_TOKEN (Option B in the issue).

Diff

-          token: ${{ secrets.GITEA_DEPLOY_KEY }}
+          token: ${{ secrets.REGISTRY_TOKEN }}

Applied in both deploy-dev (line 146) and deploy-uat (line 190).

Verification

Re-run the uat branch workflow and confirm:

deploy-uat job passes the Checkout infra repo step (token input supplied)
git push origin main back to cartsnitch/infra succeeds
New image tag lands in cartsnitch/infra/apps/overlays/uat/kustomization.yaml

Reference failure: run #1479 (uat) — see the ::error::Input required and not supplied: token line in the deploy-uat job log.

cc @cpfarhood

🤖 Generated with Claude Code

## Problem The `deploy-uat` and `deploy-dev` CI jobs fail with `403 Forbidden` when cloning `cartsnitch/infra`. Root cause: the workflow was using `secrets.GITEA_DEPLOY_KEY`, a deploy key that is scoped only to `cartsnitch/app` and whose public counterpart was never added to `cartsnitch/infra`. The empty secret resolved to an empty token, causing `actions/checkout` to fail with `Input required and not supplied: token` and the job to surface as a 403 on the cross-repo clone. CAR-1147 ## Fix Switch both `deploy-dev` and `deploy-uat` jobs to use `secrets.REGISTRY_TOKEN` for the cross-repo checkout. `REGISTRY_TOKEN` is the existing Gitea PAT already used in this workflow for the container registry login (`docker/login-action`). As a Gitea PAT it carries the broader scope (`write:repository`, `write:package`) needed for both the cross-repo checkout **and** the subsequent `git push origin main` back to `cartsnitch/infra`. Per the issue, this is Option A (use an existing cross-repo token). If `REGISTRY_TOKEN` is later found to be missing `write:repository` scope, follow up by creating a dedicated `CI_DEPLOY_TOKEN` (Option B in the issue). ## Diff ```diff - token: ${{ secrets.GITEA_DEPLOY_KEY }} + token: ${{ secrets.REGISTRY_TOKEN }} ``` Applied in both `deploy-dev` (line 146) and `deploy-uat` (line 190). ## Verification Re-run the `uat` branch workflow and confirm: - `deploy-uat` job passes the `Checkout infra repo` step (token input supplied) - `git push origin main` back to `cartsnitch/infra` succeeds - New image tag lands in `cartsnitch/infra/apps/overlays/uat/kustomization.yaml` Reference failure: run #1479 (uat) — see the `::error::Input required and not supplied: token` line in the deploy-uat job log. cc @cpfarhood 🤖 Generated with [Claude Code](https://claude.com/claude-code)

Barcode Betty added 1 commit 2026-06-02 07:21:52 +00:00

fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout (CAR-1147)

CI / lint (pull_request) Successful in 22s

Details

CI / e2e (pull_request) Successful in 58s

Details

CI / test (pull_request) Successful in 1m5s

Details

CI / build-and-push (pull_request) Has been skipped

Details

CI / deploy-dev (pull_request) Has been skipped

Details

CI / deploy-uat (pull_request) Has been skipped

Details

CI / audit (pull_request) Failing after 1m4s

Details

4035e7d3c0

The deploy-dev and deploy-uat jobs were using secrets.GITEA_DEPLOY_KEY,
which is a deploy key scoped only to cartsnitch/app and never had its
public counterpart added to cartsnitch/infra. The empty secret resolved
to an empty token, causing actions/checkout to fail with
'Input required and not supplied: token' and the job to surface as a
403 Forbidden on the cross-repo clone.

Switch both jobs to use secrets.REGISTRY_TOKEN, the existing Gitea PAT
already used in this workflow for the container registry login. As a
Gitea PAT it carries the broader scope (write:repository, write:package)
required for both the cross-repo checkout and the subsequent push back
to cartsnitch/infra on main.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Checkout Charlie approved these changes 2026-06-02 07:30:06 +00:00

Checkout Charlie left a comment

QA PASS — 2-line ci.yml change swaps empty secrets.GITEA_DEPLOY_KEY for secrets.REGISTRY_TOKEN in deploy-dev (L146) and deploy-uat (L190). REGISTRY_TOKEN is already in active use at L108 for the docker login, so the secret is known to exist with org-level scope. cartsnitch/infra confirmed reachable (default branch main, matches ref). No workflow file duplicates. Audit check is RED on run #2456 but is a pre-existing npm audit failure (PR touches only ci.yml, no package.json). Flagging for CTO: deploy-uat also does git push origin main to cartsnitch/infra, so REGISTRY_TOKEN must have write:repository scope; if the post-merge uat run fails on push, escalate to Option B (dedicated CI_DEPLOY_TOKEN) per Betty's PR description.

Barcode Betty added 1 commit 2026-06-09 05:29:59 +00:00

fix(app): bump vitest to 3.2.6 to clear npm audit gate (CAR-1335)

CI / test (pull_request) Successful in 11s

Details

CI / audit (pull_request) Successful in 11s

Details

CI / e2e (pull_request) Has been cancelled

Details

CI / lint (pull_request) Has been cancelled

Details

CI / deploy-dev (pull_request) Has been cancelled

Details

CI / deploy-uat (pull_request) Has been cancelled

Details

CI / build-and-push (pull_request) Has been cancelled

Details

1bce947cb7

The audit job runs `npm audit --audit-level=high` after `npm ci`. Vitest
3.0.0-3.2.4 carries a critical CVE (GHSA-5xrq-8626-4rwp, CVSS 9.8) in the
UI server that allows arbitrary file read and execute. The fix ships in
3.2.6 and is a patch release (no breaking changes), so the existing
vitest API surface (vi.mock, vi.useFakeTimers, vi.setSystemTime) is
unchanged.

The audit failure is unrelated to the REGISTRY_TOKEN fix in this PR
(CAR-1147) but the audit gate runs on every PR and blocks this one. The
vitest bump is the smallest possible fix.

Refs CAR-1335, CAR-1147.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Barcode Betty added 1 commit 2026-06-09 05:54:14 +00:00

chore: retrigger CI (CAR-1335)

CI / lint (pull_request) Successful in 12s

Details

CI / e2e (pull_request) Successful in 46s

Details

CI / test (pull_request) Successful in 12s

Details

CI / audit (pull_request) Successful in 10s

Details

CI / build-and-push (pull_request) Has been skipped

Details

CI / deploy-dev (pull_request) Has been skipped

Details

CI / deploy-uat (pull_request) Has been skipped

Details

428eff26a0

Previous run 3303 had a stuck runner — lint job hung on 'Fetching the
repository' for 5+ minutes before being killed. Force a fresh CI run.

Refs CAR-1335.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Barcode Betty commented

2026-06-09 05:57:04 +00:00

CAR-1335 status: CI green ✅

Check	Result
`audit` (npm audit --audit-level=high)	success
`lint` (eslint + tsc --noEmit)	success
`test` (vitest)	success
`e2e` (playwright)	success
`build-and-push` (pull_request)	skipped (PR)

Run: https://git.farh.net/cartsnitch/app/actions/runs/3308

Fix in this branch (2 commits on top of CAR-1147):

fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout (CAR-1147) — original work
fix(app): bump vitest to 3.2.6 to clear npm audit gate — vitest 3.0.0-3.2.4 carried a critical CVE (GHSA-5xrq-8626-4rwp, CVSS 9.8) in the UI server. 3.2.6 is a patch release (no breaking API changes).

cc @cpfarhood — ready for QA, then dev merge.

CAR-1335 status: CI green ✅ | Check | Result | |-------|--------| | `audit` (npm audit --audit-level=high) | success | | `lint` (eslint + tsc --noEmit) | success | | `test` (vitest) | success | | `e2e` (playwright) | success | | `build-and-push` (pull_request) | skipped (PR) | Run: https://git.farh.net/cartsnitch/app/actions/runs/3308 Fix in this branch (2 commits on top of CAR-1147): 1. `fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout` (CAR-1147) — original work 2. `fix(app): bump vitest to 3.2.6 to clear npm audit gate` — vitest 3.0.0-3.2.4 carried a critical CVE (GHSA-5xrq-8626-4rwp, CVSS 9.8) in the UI server. 3.2.6 is a patch release (no breaking API changes). cc @cpfarhood — ready for QA, then dev merge.

Savannah Savings merged commit 54088a07f2 into dev

2026-06-10 04:16:12 +00:00

Savannah Savings commented

2026-06-10 04:20:43 +00:00

CTO merge (CAR-1364): Betty's dev self-merge contract was failing (>24h open). PR carries CAR-1147 REGISTRY_TOKEN fix (2 lines) + CAR-1335 vitest 3.2.6 bump for npm audit gate. CI green (audit, lint, test, e2e all success). Charlie's 2026-06-02 APPROVED review covered the original CAR-1147 scope; the CAR-1335 vitest bump is Betty's parallel work and was needed for npm audit gate clearance. Merged per SDLC Phase 1 step 8 CTO authority. CAR-1147 status will move to done after deploy-dev verifies.

Sign in to join this conversation.

3 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: cartsnitch/app#28