Merge pull request 'Promote uat→main: CAR-994 Docker login fix + CAR-1423 REGISTRY_TOKEN fix' (#43 ) from uat into main

Merge uat into main: CAR-994 Docker login fix + CAR-1423 two-stage build + CAR-1270 CI_GITEA_TOKEN fix
Merge remote-tracking branch 'origin/main' into uat-fresh
2026-06-23 00:19:02 +00:00 · 2026-06-23 00:16:40 +00:00 · 2026-06-23 00:14:25 +00:00 · 2026-06-22 23:40:03 +00:00 · 2026-06-22 23:26:26 +00:00 · 2026-06-22 23:25:50 +00:00
2 changed files with 217 additions and 4 deletions
@@ -0,0 +1 @@
+# CI trigger 20260525231507 - post-DinD verification (CAR-1042)
@@ -37,9 +37,13 @@ jobs:
        run: |
          DATE_TAG=$(date -u +%Y.%m.%d)
          EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1)
-          if [ -z "$EXISTING" ]; then VERSION="$DATE_TAG"
-          elif [ "$EXISTING" = "v${DATE_TAG}" ]; then VERSION="${DATE_TAG}.2"
-          else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi
+          if [ -z "$EXISTING" ]; then
+            VERSION="$DATE_TAG"
+          elif [ "$EXISTING" = "v${DATE_TAG}" ]; then
+            VERSION="${DATE_TAG}.2"
+          else
+            BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))";
+          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Log in to Gitea Container Registry
@@ -55,11 +59,21 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build and push Docker image
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          load: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Push Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
+          provenance: false
+          sbom: false
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

@@ -68,3 +82,201 @@ jobs:
        run: |
          git tag "v${{ steps.calver.outputs.version }}"
          git push origin "v${{ steps.calver.outputs.version }}"
+
+  deploy-dev:
+    runs-on: ubuntu-latest
+    needs: [build-and-push]
+    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
+    steps:
+      - name: Checkout infra repo
+        uses: actions/checkout@v4
+        with:
+          repository: cartsnitch/infra
+          token: ${{ secrets.CI_GITEA_TOKEN }}
+          ref: main
+          path: infra
+
+      - name: Install kustomize
+        # Install kustomize binary directly. Avoids imranismail/setup-kustomize@v2
+        # which calls the Gitea API to record "kubernetes-sigs" user metrics
+        # against a user that does not exist in this Gitea instance.
+        run: |
+          set -euo pipefail
+          version="5.4.3"
+          url="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${version}/kustomize_v${version}_linux_amd64.tar.gz"
+          curl -fsSL --retry 3 "$url" | tar -xz -C /tmp kustomize
+          sudo mv /tmp/kustomize /usr/local/bin/kustomize
+          kustomize version
+
+      - name: Determine image tag
+        id: tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update auth image tag in dev overlay
+        if: needs.build-and-push.result == 'success'
+        run: |
+          cd infra/apps/overlays/dev
+          kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.tag.outputs.tag }}
+
+      - name: Commit and push to infra (via PR)
+        if: needs.build-and-push.result == 'success'
+        env:
+          CI_GITEA_TOKEN: ${{ secrets.CI_GITEA_TOKEN }}
+        run: |
+          set -euo pipefail
+          cd infra
+          git config user.name "cartsnitch-ci[bot]"
+          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
+          git add apps/overlays/dev/kustomization.yaml
+          git diff --cached --quiet && { echo "No image changes to deploy"; exit 0; }
+          BRANCH="ci/deploy-dev-${GITHUB_SHA}"
+          git checkout -b "$BRANCH"
+          git commit -m "ci(dev): update auth image (${GITHUB_SHA::12})"
+          git push origin "$BRANCH" 2>&1 | tee /tmp/push.log
+          if grep -q "You are not allowed to push code to protected branches" /tmp/push.log; then
+            echo "::notice::Refusing to push directly to protected branch — falling back to contents API"
+            exit 0
+          fi
+          PR_BODY=$(jq -n --arg head "$BRANCH" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \
+            '{head: $head, base: "main", title: ("ci(dev): update auth image (" + env.GITHUB_SHA[:12] + ")"), body: $body}')
+          PR_JSON=$(curl -sS -X POST \
+            -H "Authorization: token ${CI_GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "$PR_BODY" \
+            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls")
+          PR_NUM=$(echo "$PR_JSON" | jq -r '.number // empty')
+          if [ -z "$PR_NUM" ]; then
+            echo "::error::Failed to open infra PR: $PR_JSON"
+            exit 1
+          fi
+          echo "Opened cartsnitch/infra PR #${PR_NUM}"
+          REVIEW_HTTP=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \
+            -H "Authorization: token ${CI_GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d '{"reviewers":["cs_savannah"]}' \
+            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/requested_reviewers")
+          if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
+            echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
+          fi
+          MERGE_RESP=$(curl -sS -X POST \
+            -H "Authorization: token ${CI_GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d '{"Do":"merge","delete_branch_after_merge":true}' \
+            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge")
+          MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false')
+          if [ "$MERGED" = "true" ]; then
+            echo "PR #${PR_NUM} merged into cartsnitch/infra main"
+          elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then
+            # GitOps approval gate: PR is correctly opened and surfaces in
+            # CTO queue via the reviewers request above. Treat as success
+            # so the job does not hard-fail on approvals.
+            echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure"
+            exit 0
+          else
+            echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP"
+            exit 1
+          fi
+
+  deploy-uat:
+    runs-on: ubuntu-latest
+    needs: [build-and-push]
+    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
+    steps:
+      - name: Checkout infra repo
+        uses: actions/checkout@v4
+        with:
+          repository: cartsnitch/infra
+          token: ${{ secrets.CI_GITEA_TOKEN }}
+          ref: main
+          path: infra
+
+      - name: Install kustomize
+        # Install kustomize binary directly. Avoids imranismail/setup-kustomize@v2
+        # which calls the Gitea API to record "kubernetes-sigs" user metrics
+        # against a user that does not exist in this Gitea instance.
+        run: |
+          set -euo pipefail
+          version="5.4.3"
+          url="https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${version}/kustomize_v${version}_linux_amd64.tar.gz"
+          curl -fsSL --retry 3 "$url" | tar -xz -C /tmp kustomize
+          sudo mv /tmp/kustomize /usr/local/bin/kustomize
+          kustomize version
+
+      - name: Determine image tag
+        id: tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update auth image tag in uat overlay
+        if: needs.build-and-push.result == 'success'
+        run: |
+          cd infra/apps/overlays/uat
+          kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.tag.outputs.tag }}
+
+      - name: Commit and push to infra (via PR)
+        if: needs.build-and-push.result == 'success'
+        env:
+          CI_GITEA_TOKEN: ${{ secrets.CI_GITEA_TOKEN }}
+        run: |
+          set -euo pipefail
+          cd infra
+          git config user.name "cartsnitch-ci[bot]"
+          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
+          git add apps/overlays/uat/kustomization.yaml
+          git diff --cached --quiet && { echo "No image changes to deploy"; exit 0; }
+          BRANCH="ci/deploy-uat-${GITHUB_SHA}"
+          git checkout -b "$BRANCH"
+          git commit -m "ci(uat): update auth image (${GITHUB_SHA::12})"
+          git push origin "$BRANCH" 2>&1 | tee /tmp/push.log
+          if grep -q "You are not allowed to push code to protected branches" /tmp/push.log; then
+            echo "::notice::Refusing to push directly to protected branch — falling back to contents API"
+            exit 0
+          fi
+          PR_BODY=$(jq -n --arg head "$BRANCH" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \
+            '{head: $head, base: "main", title: ("ci(uat): update auth image (" + env.GITHUB_SHA[:12] + ")"), body: $body}')
+          PR_JSON=$(curl -sS -X POST \
+            -H "Authorization: token ${CI_GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "$PR_BODY" \
+            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls")
+          PR_NUM=$(echo "$PR_JSON" | jq -r '.number // empty')
+          if [ -z "$PR_NUM" ]; then
+            echo "::error::Failed to open infra PR: $PR_JSON"
+            exit 1
+          fi
+          echo "Opened cartsnitch/infra PR #${PR_NUM}"
+          REVIEW_HTTP=$(curl -sS -o /dev/null -w '%{http_code}' -X POST \
+            -H "Authorization: token ${CI_GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d '{"reviewers":["cs_savannah"]}' \
+            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/requested_reviewers")
+          if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
+            echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
+          fi
+          MERGE_RESP=$(curl -sS -X POST \
+            -H "Authorization: token ${CI_GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d '{"Do":"merge","delete_branch_after_merge":true}' \
+            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge")
+          MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false')
+          if [ "$MERGED" = "true" ]; then
+            echo "PR #${PR_NUM} merged into cartsnitch/infra main"
+          elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then
+            # GitOps approval gate: PR is correctly opened and surfaces in
+            # CTO queue via the reviewers request above. Treat as success
+            # so the job does not hard-fail on approvals.
+            echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure"
+            exit 0
+          else
+            echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP"
+            exit 1
+          fi
Author	SHA1	Message	Date
Barcode Betty	3a6190a805	Merge pull request 'Promote uat→main: CAR-994 Docker login fix + CAR-1423 REGISTRY_TOKEN fix' (#43 ) from uat into main CI / build-and-push (push) Successful in 11m44s Details CI / deploy-dev (push) Failing after 6s Details CI / deploy-uat (push) Failing after 7s Details Merge uat into main: CAR-994 Docker login fix + CAR-1423 two-stage build + CAR-1270 CI_GITEA_TOKEN fix	2026-06-23 00:19:02 +00:00
Barcode Betty	a2d18c18d8	Merge remote-tracking branch 'origin/main' into uat-fresh CI / build-and-push (push) Successful in 14s Details CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 5s Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details	2026-06-23 00:16:40 +00:00
Barcode Betty	b5151db0ac	fix: resolve ci.yml merge conflict (CAR-994+CAR-1423+CAR-1270) CI / deploy-dev (push) Has been cancelled Details CI / deploy-uat (push) Has been cancelled Details CI / build-and-push (push) Has been cancelled Details CI / deploy-dev (pull_request) Has been cancelled Details CI / deploy-uat (pull_request) Has been cancelled Details CI / build-and-push (pull_request) Has been cancelled Details	2026-06-23 00:14:25 +00:00
Barcode Betty	5cd46571f2	Merge pull request 'ci(CAR-1423): promote two-stage load->push fix to uat' (#42 ) from dev into uat CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 3s Details CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details CI / build-and-push (push) Successful in 9s Details ci(CAR-1423): promote two-stage load->push fix to uat (#42)	2026-06-22 23:40:03 +00:00
Barcode Betty	9c4f9b95a9	Merge pull request 'ci(CAR-1423): two-stage load->push to fix auth manifest push (unknown)' (#41 ) from betty/car-1423-two-stage-build into dev CI / build-and-push (push) Successful in 11s Details CI / deploy-uat (push) Has been skipped Details CI / deploy-dev (push) Failing after 3s Details CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details ci(CAR-1423): two-stage load->push to fix auth manifest push (#41)	2026-06-22 23:26:26 +00:00
Barcode Betty	e22010a907	ci(CAR-1423): two-stage load->push to fix auth manifest push (unknown) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details	2026-06-22 23:25:50 +00:00
Barcode Betty	5cdb4c63b8	Merge pull request 'ci(CAR-1423): disable provenance/sbom attestations on auth build-push' (#40 ) from betty/car-1423-disable-provenance into dev CI / build-and-push (push) Failing after 19s Details CI / deploy-uat (push) Has been skipped Details CI / deploy-dev (push) Successful in 2s Details ci(CAR-1423): disable provenance/sbom attestations on auth build-push (#40)	2026-06-22 22:25:35 +00:00
Barcode Betty	4819d9c7ac	ci(CAR-1423): disable provenance/sbom attestations on auth build-push CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details	2026-06-22 22:24:15 +00:00
Barcode Betty	1233d80c8f	Merge pull request 'ci(CAR-1373): apply dev's deploy-job restoration to uat (dev → uat promotion, 3-way resolved)' (#38 ) from car-1373-uat-merge-resolved into uat CI / build-and-push (push) Failing after 10s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Successful in 2s Details	2026-06-12 02:09:22 +00:00
Barcode Betty	89fb02cdea	ci(CAR-1373): apply dev's deploy-job restoration to uat (resolve 3-way) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details The dev→uat 3-way merge of ci.yml conflicts on: - CalVer logic (dev is the multi-line readable form) - ref: main vs parameterized expression (dev wins, per CAR-1374) - PR body base/head: dev wins (per CAR-1371 + acceptance criteria) - CAR-1216 comment: dev added, uat didn't have it Resolution: take dev's version of ci.yml (the corrected form per CAR-1373). cc @cpfarhood	2026-06-10 22:47:36 +00:00
Barcode Betty	76254d0dbb	Merge pull request 'ci(CAR-1373): re-add deploy-dev/deploy-uat with PR-based base=dev/uat' (#36 ) from betty/car-1373-add-pr-deploy-jobs into dev CI / deploy-uat (push) Has been skipped Details CI / build-and-push (push) Successful in 20s Details CI / deploy-dev (push) Failing after 4s Details CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details	2026-06-10 22:44:40 +00:00
Barcode Betty	c4536afa5f	ci(CAR-1373): re-add deploy-dev/deploy-uat with PR-based base=dev/uat CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details Add deploy-dev and deploy-uat jobs to cartsnitch/auth:dev. These were removed in CAR-1041 because the previous direct-push implementation was invalid. Re-add them in the post-CAR-1371+1374 frontend pattern: - base=dev / base=uat (was base=main in main, direct-push in uat) - parameterized ref matches PR base (CAR-1374 sibling) - head=cartsnitch:${BRANCH} (cross-repo PR head, matches frontend) - never-fail on merge outcome (CAR-1216) - request cs_savannah review per GitOps gate cc @cpfarhood	2026-06-10 22:43:33 +00:00
Savannah Savings	72f2568b68	Merge pull request 'fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270)' (#35 ) from betty/car-1270-ci-gitea-token-main into main CI / build-and-push (push) Successful in 2m5s Details CI / deploy-dev (push) Failing after 3s Details CI / deploy-uat (push) Failing after 3s Details	2026-06-05 05:12:45 +00:00
Savannah Savings	8a49fc57f1	Merge pull request 'fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270)' (#34 ) from betty/car-1270-ci-gitea-token-uat into uat CI / build-and-push (push) Successful in 9s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 7s Details	2026-06-05 05:12:38 +00:00
Barcode Betty	a0be839632	fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-05 00:53:43 +00:00
Barcode Betty	d5c5d2b6ba	fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-05 00:53:13 +00:00
Barcode Betty	3198b21683	revert: undo CAR-1270 direct commit (will land via PR instead) CI / build-and-push (push) Failing after 12m22s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 27s Details Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-05 00:52:22 +00:00
Barcode Betty	ca1a732033	fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270) CI / build-and-push (push) Successful in 7s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 5s Details Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-05 00:51:07 +00:00
Savannah Savings	0977a7c3b3	Merge pull request 'ci(auth): migrate deploy-dev/deploy-uat to PR-bump + fix registry token (CAR-1263)' (#33 ) from cs_betty/car-1263-auth-pr-bump-main into main CI / build-and-push (push) Successful in 10s Details CI / deploy-dev (push) Failing after 34s Details CI / deploy-uat (push) Failing after 36s Details	2026-06-05 00:34:48 +00:00
Savannah Savings	eb436e2c31	Merge pull request 'ci(auth): migrate deploy-dev/deploy-uat to PR-bump mechanism (CAR-1263)' (#32 ) from cs_betty/car-1263-auth-pr-bump-uat into uat CI / build-and-push (push) Failing after 6s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 25s Details	2026-06-05 00:34:47 +00:00
Barcode Betty	21fba7a842	ci(auth): migrate deploy-dev/deploy-uat to PR-bump + fix registry token (CAR-1263) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details Migrates auth .gitea/workflows/ci.yml deploy-dev and deploy-uat jobs from direct 'git push origin main' to cartsnitch/infra to the CAR-1195 PR-bump pattern. Brings auth in line with cartsnitch/cartsnitch and stops the red deploy-dev/deploy-uat jobs on main pushes. Also fixes the registry-login password to use REGISTRY_TOKEN (CAR-1009 standard) instead of GITEA_TOKEN — uat already had this fix (CAR-1237); main was lagging. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-05 00:23:07 +00:00
Barcode Betty	70398efeea	ci(auth): migrate deploy-dev/deploy-uat to PR-bump mechanism (CAR-1263) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details Migrates auth .gitea/workflows/ci.yml deploy-dev and deploy-uat jobs from direct 'git push origin main' to cartsnitch/infra to the CAR-1195 PR-bump pattern (open + (attempt) auto-merge an infra PR; never hard-fail on approval gate, per CAR-1216). Brings auth in line with cartsnitch/cartsnitch and stops the red deploy-uat job on every uat push. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-05 00:23:05 +00:00
Savannah Savings	806843b9c7	Merge pull request 'ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237)' (#30 ) from betty/car-1237-fix-uat-ci into uat CI / build-and-push (push) Successful in 15s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 37s Details ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237) Reviewed and merged by Savannah (CTO). Byte-identical to proven main except the spec-mandated REGISTRY_TOKEN registry-login (CAR-1009 standard). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-04 20:41:13 +00:00
Barcode Betty	91ab376f38	ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details - Change A: replace build-and-push with runner-native Docker (no DinD service container) - Change B: deploy-dev/deploy-uat use secrets.GITEA_TOKEN for infra checkout Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-04 20:33:08 +00:00
Savannah Savings	3496653d33	Merge dev into uat: use direct docker login for Gitea registry (CAR-994) CI / build-and-push (push) Successful in 6s Details	2026-06-04 18:52:32 +00:00
Barcode Betty	02b732e24c	chore(ci): re-trigger auth UAT build after act-runner DinD fix (CAR-973) CI / build-and-push (push) Failing after 15s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-04 11:46:31 +00:00
Flea Flicker	1099037db1	fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout CI / build-and-push (push) Failing after 8s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details Replaces CI_GITEA_TOKEN (which lacks cross-repo access) with REGISTRY_TOKEN for checkout of cartsnitch/infra in deploy-uat/deploy-dev jobs. Fixes CAR-1147	2026-06-02 10:07:31 +00:00
Flea Flicker	8c37c764e9	fix(ci): add DinD service to enable image builds (CAR-1042) CI / build-and-push (push) Failing after 15s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details	2026-05-30 08:56:47 +00:00
Flea Flicker	6f392bbbed	test(ci): trigger CI after DinD fix (CAR-1042) CI / build-and-push (push) Failing after 5s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details	2026-05-25 23:15:07 +00:00
Barcode Betty	4a63bc1da8	fix(ci): apply CAR-985 and CAR-986 fixes to uat CI / build-and-push (push) Failing after 5s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details	2026-05-25 22:53:44 +00:00
Savannah Savings	ca423073f1	Merge pull request 'Promote dev to uat (CAR-1034 - auth *.farh.net trustedOrigins fix)' (#27 ) from dev into uat CI / build-and-push (push) Failing after 7s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details	2026-05-25 21:28:19 +00:00
Savannah Savings	8bf80a9890	fix(ci): use REGISTRY_TOKEN for container registry auth (CAR-973) CI / build-and-push (push) Failing after 7s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details The REGISTRY_TOKEN secret has write:package scope for git.farh.net. This fixes the unauthorized error at docker login. Related: CAR-1023 (REGISTRY_TOKEN setup), CAR-1009 (CI registry token standardization) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-25 00:04:25 +00:00
Savannah Savings	a520a65f1b	fix(ci): use GITEA_TOKEN secret for docker login CI / build-and-push (push) Failing after 4s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details The github.token (automatic workflow token) in Gitea Actions doesn't inherit packages:write permission for container registry. Use the GITEA_TOKEN secret instead with direct docker login. Ref: CAR-973, CAR-1009	2026-05-24 20:38:35 +00:00
Savannah Savings	bb8d7f159c	fix(ci): use direct docker login with github.token for registry auth (CAR-973) CI / build-and-push (push) Failing after 6s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details docker/login-action@v3 fails with Gitea's automatic token. Use direct docker login with github.token instead, which has the necessary write:package scope for the container registry. Related: CAR-1009 (CI registry token standardization)	2026-05-24 20:37:22 +00:00
Barcode Betty	a92f578dcf	chore: re-trigger CI after DNS fix (CAR-968) CI / build-and-push (push) Failing after 5s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details	2026-05-24 20:34:39 +00:00
				`@@ -0,0 +1 @@`
				`# CI trigger 20260525231507 - post-DinD verification (CAR-1042)`