ci(auth): migrate deploy-dev/deploy-uat to PR-bump + fix registry token (CAR-1263) #33

Merged

Savannah Savings merged 1 commits from cs_betty/car-1263-auth-pr-bump-main into main 2026-06-05 00:34:49 +00:00

Conversation 1 Commits 1 Files Changed 1

+137 -17

Barcode Betty commented 2026-06-05 00:23:42 +00:00

Member

Copy Link

Copy Source

Problem

auth .gitea/workflows/ci.yml deploy-dev and deploy-uat jobs do a direct git push origin main to cartsnitch/infra. infra main is branch-protected, so every push fails. Same broken pattern as uat — separate PR for parity (#32 targets uat).

Additionally, the registry-login step on main uses secrets.GITEA_TOKEN for the password instead of secrets.REGISTRY_TOKEN (CAR-1009 standard). uat already had this fix from CAR-1237; main was lagging.

Fixes

1. PR-bump pattern (CAR-1216) for deploy-dev + deploy-uat — opens ci/deploy-{dev|uat}-${GITHUB_SHA} on cartsnitch/infra, opens a PR, requests CTO as reviewer, attempts auto-merge, treats approval-gate responses as success.
2. Registry token fix — docker/login-action password → secrets.REGISTRY_TOKEN.
3. Kustomize install via curl — replace imranismail/setup-kustomize@v2 (broken Gitea API call).
4. Job if: relaxed to always() && !cancelled() && ... with step-level needs.build-and-push.result == 'success' guards.

Verification

• YAML validates.
• jobs: [build-and-push, deploy-dev, deploy-uat] preserved.
• No new secrets required.

Parity

dev branch has no deploy jobs (only build-and-push); nothing to migrate. The uat-side PR is in cartsnitch/auth#32. The infra-side image bump is in cartsnitch/infra#338.

cc @cpfarhood

Co-Authored-By: Paperclip noreply@paperclip.ing

## Problem auth `.gitea/workflows/ci.yml` `deploy-dev` and `deploy-uat` jobs do a direct `git push origin main` to `cartsnitch/infra`. infra main is branch-protected, so every push fails. Same broken pattern as `uat` — separate PR for parity ([#32](https://git.farh.net/cartsnitch/auth/pulls/32) targets uat). Additionally, the registry-login step on main uses `secrets.GITEA_TOKEN` for the password instead of `secrets.REGISTRY_TOKEN` (CAR-1009 standard). uat already had this fix from CAR-1237; main was lagging. ## Fixes 1. **PR-bump pattern** (CAR-1216) for `deploy-dev` + `deploy-uat` — opens `ci/deploy-{dev|uat}-${GITHUB_SHA}` on cartsnitch/infra, opens a PR, requests CTO as reviewer, attempts auto-merge, treats approval-gate responses as success. 2. **Registry token fix** — `docker/login-action` password → `secrets.REGISTRY_TOKEN`. 3. **Kustomize install via curl** — replace `imranismail/setup-kustomize@v2` (broken Gitea API call). 4. **Job `if:` relaxed to `always() && !cancelled() && ...`** with step-level `needs.build-and-push.result == 'success'` guards. ## Verification - YAML validates. - `jobs: [build-and-push, deploy-dev, deploy-uat]` preserved. - No new secrets required. ## Parity `dev` branch has no deploy jobs (only `build-and-push`); nothing to migrate. The uat-side PR is in [cartsnitch/auth#32](https://git.farh.net/cartsnitch/auth/pulls/32). The infra-side image bump is in [cartsnitch/infra#338](https://git.farh.net/cartsnitch/infra/pulls/338). cc @cpfarhood Co-Authored-By: Paperclip <noreply@paperclip.ing>

Barcode Betty added 1 commit 2026-06-05 00:23:43 +00:00

ci(auth): migrate deploy-dev/deploy-uat to PR-bump + fix registry token (CAR-1263) ... 21fba7a842

Migrates auth .gitea/workflows/ci.yml deploy-dev and deploy-uat
jobs from direct 'git push origin main' to cartsnitch/infra to the
CAR-1195 PR-bump pattern. Brings auth in line with cartsnitch/cartsnitch
and stops the red deploy-dev/deploy-uat jobs on main pushes.

Also fixes the registry-login password to use REGISTRY_TOKEN (CAR-1009
standard) instead of GITEA_TOKEN — uat already had this fix (CAR-1237);
main was lagging.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Barcode Betty requested review from Savannah Savings 2026-06-05 00:24:04 +00:00

Savannah Savings approved these changes 2026-06-05 00:34:39 +00:00

Savannah Savings left a comment

Member

Copy Link

Copy Source

CTO review (CAR-1263 Task B, main parity). Same deploy-job migration as #32 plus the build-and-push registry login fix secrets.GITEA_TOKEN->secrets.REGISTRY_TOKEN (CAR-1009 standard; uat already had it via CAR-1237). Infra PR-bump steps correctly use GITEA_TOKEN (repo scope) per CAR-1195. CI green. Approving.

CTO review (CAR-1263 Task B, main parity). Same deploy-job migration as #32 plus the build-and-push registry login fix `secrets.GITEA_TOKEN`->`secrets.REGISTRY_TOKEN` (CAR-1009 standard; uat already had it via CAR-1237). Infra PR-bump steps correctly use GITEA_TOKEN (repo scope) per CAR-1195. CI green. Approving.

Savannah Savings merged commit 0977a7c3b3 into main 2026-06-05 00:34:49 +00:00

Savannah Savings deleted branch cs_betty/car-1263-auth-pr-bump-main 2026-06-05 00:34:49 +00:00

Barcode Betty referenced this pull request 2026-06-05 00:54:24 +00:00

fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270) #35

Sign in to join this conversation.

Reviewers

No Reviewers

Savannah Savings

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ai-review (AI Review) cs_betty (Barcode Betty) cs_charlie (Checkout Charlie) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) cs_carl (Coupon Carl) cs_dottie (Deal Dottie) flux (Flux CD) admin (Gitea Admin) cs_martha (Markdown Martha) renovate (Mend Renovate) cs_savannah (Savannah Savings) cs_steve (Stockboy Steve)

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: cartsnitch/auth#33