From 791ac3156f5b4751048e65d6658147d44fcf0e5c Mon Sep 17 00:00:00 2001
From: Flea Flicker <flea-flicker@groombook.ai>
Date: Thu, 21 May 2026 04:01:09 +0000
Subject: [PATCH 1/6] ci: convert GitHub Actions to Gitea Actions
 (ubuntu-latest)

- Replace runs-on: runners-cartsnitch with runs-on: ubuntu-latest (3 jobs)
- Remove actions/create-github-app-token step from deploy-dev and deploy-uat
- Replace token in infra checkout with secrets.GITEA_TOKEN

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/ci.yml | 28 +++++-----------------------
 1 file changed, 5 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 94e9c91..e297d2a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,7 +21,7 @@ env:
 
 jobs:
   build-and-push:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     if: github.event_name == 'push'
     outputs:
       calver_tag: ${{ steps.calver.outputs.version }}
@@ -76,23 +76,14 @@ jobs:
           git push origin "v${{ steps.calver.outputs.version }}"
 
   deploy-dev:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     needs: [build-and-push]
     if: github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
     steps:
-      - name: Generate GitHub App token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
-          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: infra
-
       - uses: actions/checkout@v4
         with:
           repository: cartsnitch/infra
-          token: ${{ steps.app-token.outputs.token }}
+          token: ${{ secrets.GITEA_TOKEN }}
           ref: main
           path: infra
 
@@ -124,23 +115,14 @@ jobs:
           git push origin main
 
   deploy-uat:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     needs: [build-and-push]
     if: github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
     steps:
-      - name: Generate GitHub App token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
-          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: infra
-
       - uses: actions/checkout@v4
         with:
           repository: cartsnitch/infra
-          token: ${{ steps.app-token.outputs.token }}
+          token: ${{ secrets.GITEA_TOKEN }}
           ref: main
           path: infra
 

From dad3132fdbe168db6b32651b78352a36c75474c0 Mon Sep 17 00:00:00 2001
From: Barcode Betty <betty@paperclip.ing>
Date: Thu, 21 May 2026 11:30:57 +0000
Subject: [PATCH 2/6] fix: use GITEA_TOKEN for GHCR login in Gitea Actions

Replace ${{ secrets.GITHUB_TOKEN }} with ${{ secrets.GITEA_TOKEN }}
for docker/login-action in Gitea Actions. GITHUB_TOKEN is not available
in Gitea Actions and was causing 'authentication required' failures for
ghcr.io push, leaving the auth service with a stale image on UAT.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e297d2a..54146a0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -47,7 +47,7 @@ jobs:
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.GITEA_TOKEN }}
 
       - name: Extract metadata
         id: meta

From 8bf7c08950ff2eb9d3293566dbc9f3c2b74341c9 Mon Sep 17 00:00:00 2001
From: Flea Flicker <flea-flicker@groombook.ai>
Date: Thu, 21 May 2026 12:33:43 +0000
Subject: [PATCH 3/6] chore: move workflows from .github to .gitea

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 {.github => .gitea}/workflows/ci.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {.github => .gitea}/workflows/ci.yml (100%)

diff --git a/.github/workflows/ci.yml b/.gitea/workflows/ci.yml
similarity index 100%
rename from .github/workflows/ci.yml
rename to .gitea/workflows/ci.yml

From 6d6c872962d095091e8a3ddb16eb8a57e8979063 Mon Sep 17 00:00:00 2001
From: Flea Flicker <flea-flicker@groombook.dev>
Date: Sat, 23 May 2026 15:15:07 +0000
Subject: [PATCH 4/6] ci: switch Docker image push from GHCR to Gitea container
 registry

- REGISTRY: ghcr.io -> git.farh.net
- Renamed login step to Gitea Container Registry
- kustomize rename form: ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:TAG
- Removed GHA cache-from/cache-to (not guaranteed on Gitea runners)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .gitea/workflows/ci.yml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 54146a0..1c86e8c 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -16,7 +16,7 @@ permissions:
   security-events: write
 
 env:
-  REGISTRY: ghcr.io
+  REGISTRY: git.farh.net
   IMAGE_NAME: cartsnitch/auth
 
 jobs:
@@ -42,7 +42,7 @@ jobs:
           else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
-      - name: Log in to GHCR
+      - name: Log in to Gitea Container Registry
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
@@ -66,8 +66,6 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
 
       - name: Create git tag
         if: github.ref == 'refs/heads/main'
@@ -101,7 +99,7 @@ jobs:
       - name: Update auth image tag in dev overlay
         run: |
           cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.tag.outputs.tag }}
 
       - name: Commit and push to infra
         run: |
@@ -140,7 +138,7 @@ jobs:
       - name: Update auth image tag in uat overlay
         run: |
           cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.tag.outputs.tag }}
 
       - name: Commit and push to infra
         run: |

From 5d2701ef525fc28a9f87ace909b074c91322a17b Mon Sep 17 00:00:00 2001
From: Checkout Charlie <charlie@cartsnitch.qa>
Date: Sat, 23 May 2026 18:37:10 +0000
Subject: [PATCH 5/6] chore: re-trigger CI for UAT registry verification
 (CAR-983)


From 9ae3161860692a73ecdd77afb45d88bf7aedd9d8 Mon Sep 17 00:00:00 2001
From: Barcode Betty <barcode-betty@cartsnitch.ing>
Date: Sat, 23 May 2026 20:43:31 +0000
Subject: [PATCH 6/6] fix: update trustedOrigins to match current domains

Replace stale .farh.net subdomains with correct *.cartsnitch.com domains to fix
CORS Origin validation blocking UAT auth (403 on sign-up/sign-in).

Refs: CAR-992
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 src/auth.ts | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/auth.ts b/src/auth.ts
index b439590..09b493f 100644
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -116,8 +116,7 @@ export const auth = betterAuth({
     "http://localhost:3000",
     "http://localhost:5173",
     "https://cartsnitch.com",
-    "https://cartsnitch.farh.net",
-    "https://cartsnitch.dev.farh.net",
-    "https://cartsnitch.uat.farh.net",
+    "https://dev.cartsnitch.com",
+    "https://uat.cartsnitch.com",
   ],
 });
\ No newline at end of file