From a0be839632faf577e86a3c5c72ae9ec617f4a892 Mon Sep 17 00:00:00 2001 From: Barcode Betty <32+cs_betty@noreply.git.farh.net> Date: Fri, 5 Jun 2026 00:53:43 +0000 Subject: [PATCH] fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270) Co-Authored-By: Paperclip --- .gitea/workflows/ci.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index c9bf74f..5ed5cf5 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -82,7 +82,7 @@ jobs: uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ secrets.GITEA_TOKEN }} + token: ${{ secrets.CI_GITEA_TOKEN }} ref: main path: infra @@ -116,7 +116,7 @@ jobs: - name: Commit and push to infra (via PR) if: needs.build-and-push.result == 'success' env: - GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + CI_GITEA_TOKEN: ${{ secrets.CI_GITEA_TOKEN }} run: | set -euo pipefail cd infra @@ -135,7 +135,7 @@ jobs: PR_BODY=$(jq -n --arg head "$BRANCH" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ '{head: $head, base: "main", title: ("ci(dev): update auth image (" + env.GITHUB_SHA[:12] + ")"), body: $body}') PR_JSON=$(curl -sS -X POST \ - -H "Authorization: token ${GITEA_TOKEN}" \ + -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ -d "$PR_BODY" \ "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls") @@ -146,7 +146,7 @@ jobs: fi echo "Opened cartsnitch/infra PR #${PR_NUM}" REVIEW_HTTP=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \ - -H "Authorization: token ${GITEA_TOKEN}" \ + -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ -d '{"reviewers":["cs_savannah"]}' \ "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/requested_reviewers") 
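Review bot: The checkout step now passes a cross-repo credential (`token: ${{ secrets.CI_GITEA_TOKEN }}`, new line 85) to `actions/checkout@v4`, which is referenced by a mutable tag, so whatever code that tag resolves to at run time receives the token. Pinning the action to a full commit SHA (`uses: actions/checkout@<full-commit-sha>  # v4`) removes that dependency on the tag. The action also keeps the token in `infra/.git/config` by default, where every later step in the job can read it; if the later push does not rely on that, add `persist-credentials: false` under `with:`. The same applies to the second checkout hunk at line 181. The step begins above the hunk, so its name and condition are not visible here.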
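Review bot: Nothing in the workflow records what `CI_GITEA_TOKEN` is or how narrowly it should be scoped, and the `env:` block at new line 118 is where a maintainer will look when rotating it. A comment above that key would do, for example `# CI_GITEA_TOKEN: dedicated CI account token, write access to cartsnitch/infra only (the built-in GITEA_TOKEN is presumably limited to this repo)`; confirm the wording against how the secret was actually issued. Because the script runs under `set -euo pipefail` and its middle section lies outside the hunks, any leftover `${GITEA_TOKEN}` reference there would now abort the step on an unset variable, so a grep for the old name is worth doing before merge. The uat job repeats this block in the hunk at line 215.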
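Review bot: The token is expanded into curl's argument list (`-H "Authorization: token ${CI_GITEA_TOKEN}"`, new line 138), so for the duration of each request it is readable from the process table on the runner host, and this credential now reaches beyond the current repository. curl can take the header from stdin instead: replace the header argument with `-H @-` and append `<<<"Authorization: token ${CI_GITEA_TOKEN}"` after the URL, assuming the step runs under bash. The same line recurs in the hunks at 146, 154, 234, 245 and 253.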
@@ -154,7 +154,7 @@ jobs: echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing" fi MERGE_RESP=$(curl -sS -X POST \ - -H "Authorization: token ${GITEA_TOKEN}" \ + -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ -d '{"Do":"merge","delete_branch_after_merge":true}' \ "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge") @@ -181,7 +181,7 @@ jobs: uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ secrets.GITEA_TOKEN }} + token: ${{ secrets.CI_GITEA_TOKEN }} ref: main path: infra @@ -215,7 +215,7 @@ jobs: - name: Commit and push to infra (via PR) if: needs.build-and-push.result == 'success' env: - GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + CI_GITEA_TOKEN: ${{ secrets.CI_GITEA_TOKEN }} run: | set -euo pipefail cd infra @@ -234,7 +234,7 @@ jobs: PR_BODY=$(jq -n --arg head "$BRANCH" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ '{head: $head, base: "main", title: ("ci(uat): update auth image (" + env.GITHUB_SHA[:12] + ")"), body: $body}') PR_JSON=$(curl -sS -X POST \ - -H "Authorization: token ${GITEA_TOKEN}" \ + -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ -d "$PR_BODY" \ "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls") @@ -245,7 +245,7 @@ jobs: fi echo "Opened cartsnitch/infra PR #${PR_NUM}" REVIEW_HTTP=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \ - -H "Authorization: token ${GITEA_TOKEN}" \ + -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ -d '{"reviewers":["cs_savannah"]}' \ "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/requested_reviewers") 
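Review bot: The merge call at new line 157 authenticates with the same `CI_GITEA_TOKEN` that opened the PR, and the reviewer request just before it is best-effort (a failure is only a `::notice::` and the script continues), so the requested review never gates the change to cartsnitch/infra `main`. Anything able to run this job with the secret can therefore land commits in the infra repo unreviewed, which matters more now that the token has cross-repo reach. If auto-merge is intended, constrain it on the infra side (branch protection on `main`, a CI account limited to that repo) and make sure these jobs only run on trusted refs; otherwise drop the merge call and let the requested reviewer merge. The handling of `MERGE_RESP` lies below the hunk, so it is not visible whether a rejected merge fails the job. The uat job repeats this in the hunk at line 253.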
@@ -253,7 +253,7 @@ jobs: echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing" fi MERGE_RESP=$(curl -sS -X POST \ - -H "Authorization: token ${GITEA_TOKEN}" \ + -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ -d '{"Do":"merge","delete_branch_after_merge":true}' \ "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge")