Previous run 3303 had a stuck runner — lint job hung on 'Fetching the
repository' for 5+ minutes before being killed. Force a fresh CI run.

Refs CAR-1335.
Co-Authored-By: Paperclip <noreply@paperclip.ing>

The audit job runs `npm audit --audit-level=high` after `npm ci`. Vitest
3.0.0-3.2.4 carries a critical CVE (GHSA-5xrq-8626-4rwp, CVSS 9.8) in the
UI server that allows arbitrary file read and execute. The fix ships in
3.2.6 and is a patch release (no breaking changes), so the existing
vitest API surface (vi.mock, vi.useFakeTimers, vi.setSystemTime) is
unchanged.

The audit failure is unrelated to the REGISTRY_TOKEN fix in this PR
(CAR-1147) but the audit gate runs on every PR and blocks this one. The
vitest bump is the smallest possible fix.

Refs CAR-1335, CAR-1147.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
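
The version check behind the bump described in the commit message above, as an added example (not code from this repository): it walks a package-lock.json and reports every installed copy of vitest in the range that message gives, 3.0.0 through 3.2.4. The lockfile contents and the function names are constructed for illustration.

```javascript
// Affected range as stated in the commit message: 3.0.0 through 3.2.4.
const AFFECTED_MIN = [3, 0, 0];
const AFFECTED_MAX = [3, 2, 4];

// Parse "major.minor.patch" into numbers. A pre-release suffix is ignored,
// so "3.2.4-beta.1" is treated as 3.2.4 (conservative: it gets flagged).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable version strings are not flagged
  return compareVersions(v, AFFECTED_MIN) >= 0 &&
         compareVersions(v, AFFECTED_MAX) <= 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every installed copy of vitest, including nested ones that a
// top-level bump alone would leave behind.
function findAffectedVitest(lock) {
  const hits = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vitest$/.test(pkgPath)) continue;
    if (isAffected(entry.version)) hits.push({ path: pkgPath, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile: top-level vitest already bumped, one nested
// copy still inside the affected range.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/vitest": { version: "3.2.6", dev: true },
    "node_modules/some-tool/node_modules/vitest": { version: "3.1.2", dev: true },
    "node_modules/@vitest/ui": { version: "3.2.4", dev: true },
  },
};

console.log(findAffectedVitest(sampleLock));
```
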
The deploy-dev and deploy-uat jobs were using secrets.GITEA_DEPLOY_KEY,
which is a deploy key scoped only to cartsnitch/app and never had its
public counterpart added to cartsnitch/infra. The empty secret resolved
to an empty token, causing actions/checkout to fail with
'Input required and not supplied: token' and the job to surface as a
403 Forbidden on the cross-repo clone.

Switch both jobs to use secrets.REGISTRY_TOKEN, the existing Gitea PAT
already used in this workflow for the container registry login. As a
Gitea PAT it carries the broader scope (write:repository, write:package)
required for both the cross-repo checkout and the subsequent push back
to cartsnitch/infra on main.

Co-Authored-By: Paperclip <noreply@paperclip.ing>