Deploy-dev and deploy-uat jobs were opening image-tag-bump PRs against
dev/uat branches per CAR-1371. Flux reconciles all overlays from infra
main, so those PRs were never picked up. Revert --arg base back to main.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438)
Any non-merged outcome after successful PR creation is now treated
as the GitOps approval gate (exit 0). Only empty PR_NUM hard-fails.
The dev→uat 3-way merge of ci.yml conflicts on:
- CalVer logic (dev is the multi-line readable form)
- ref: main vs parameterized expression (dev wins, per CAR-1374)
- PR body base/head: dev wins (per CAR-1371 + acceptance criteria)
- CAR-1216 comment: dev added, uat didn't have it
Resolution: take dev's version of ci.yml (the corrected form per CAR-1373).
cc @cpfarhood
Migrates auth .gitea/workflows/ci.yml deploy-dev and deploy-uat
jobs from direct 'git push origin main' to cartsnitch/infra to the
CAR-1195 PR-bump pattern. Brings auth in line with cartsnitch/cartsnitch
and stops the red deploy-dev/deploy-uat jobs on main pushes.
Also fixes the registry-login password to use REGISTRY_TOKEN (CAR-1009
standard) instead of GITEA_TOKEN — uat already had this fix (CAR-1237);
main was lagging.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Migrates auth .gitea/workflows/ci.yml deploy-dev and deploy-uat
jobs from direct 'git push origin main' to cartsnitch/infra to the
CAR-1195 PR-bump pattern (open + (attempt) auto-merge an infra PR;
never hard-fail on approval gate, per CAR-1216). Brings auth in line
with cartsnitch/cartsnitch and stops the red deploy-uat job on every
uat push.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237)
Reviewed and merged by Savannah (CTO). Byte-identical to proven main except the spec-mandated REGISTRY_TOKEN registry-login (CAR-1009 standard).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Change A: replace build-and-push with runner-native Docker (no DinD service container)
- Change B: deploy-dev/deploy-uat use secrets.GITEA_TOKEN for infra checkout
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replaces CI_GITEA_TOKEN (which lacks cross-repo access) with REGISTRY_TOKEN
for checkout of cartsnitch/infra in deploy-uat/deploy-dev jobs.
Fixes CAR-1147
The REGISTRY_TOKEN secret has write:package scope for git.farh.net.
This fixes the unauthorized error at docker login.
Related: CAR-1023 (REGISTRY_TOKEN setup), CAR-1009 (CI registry token standardization)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The github.token (automatic workflow token) in Gitea Actions
doesn't inherit packages:write permission for container registry.
Use the GITEA_TOKEN secret instead with direct docker login.
Ref: CAR-973, CAR-1009
docker/login-action@v3 fails with Gitea's automatic token.
Use direct docker login with github.token instead, which has
the necessary write:package scope for the container registry.
Related: CAR-1009 (CI registry token standardization)
echo "::notice::Refusing to push directly to protected branch — falling back to contents API"
exit 0
fi
PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base dev --arg title ("ci(dev): update auth image (" + env.GITHUB_SHA[:12] + ")") --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \
PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "$TITLE" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \
echo "PR #${PR_NUM} merged into cartsnitch/infra dev"
elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then
echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure"
exit 0
else
echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP"
exit 1
# CAR-1438: PR opened successfully; any non-merged outcome (empty body,
# approval-gate, pending checks) is the GitOps gate — not a failure.
echo "::notice::infra PR #${PR_NUM} opened — auto-merge not available (${MERGE_RESP:-empty response}); awaiting CTO (cs_savannah) approve+merge"
exit 0
fi
deploy-uat:
@@ -233,7 +243,8 @@ jobs:
echo "::notice::Refusing to push directly to protected branch — falling back to contents API"
exit 0
fi
PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base uat --arg title ("ci(uat): update auth image (" + env.GITHUB_SHA[:12] + ")") --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \
PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "$TITLE" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \
echo "PR #${PR_NUM} merged into cartsnitch/infra uat"
elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then
echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure"
exit 0
else
echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP"
exit 1
# CAR-1438: PR opened successfully; any non-merged outcome (empty body,
# approval-gate, pending checks) is the GitOps gate — not a failure.
echo "::notice::infra PR #${PR_NUM} opened — auto-merge not available (${MERGE_RESP:-empty response}); awaiting CTO (cs_savannah) approve+merge"
exit 0
fi
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Barcode Betty
Barcode Betty
Savannah Savings