From a92f578dcf2bf9ec47dae5cb31e8a3024428b52a Mon Sep 17 00:00:00 2001 From: Barcode Betty Date: Sun, 24 May 2026 20:34:39 +0000 Subject: [PATCH 01/14] chore: re-trigger CI after DNS fix (CAR-968) -- 2.52.0 From bb8d7f159c54f28bac57ab7477dce95a904a7c24 Mon Sep 17 00:00:00 2001 From: Savannah Savings Date: Sun, 24 May 2026 20:37:22 +0000 Subject: [PATCH 02/14] fix(ci): use direct docker login with github.token for registry auth (CAR-973) docker/login-action@v3 fails with Gitea's automatic token. Use direct docker login with github.token instead, which has the necessary write:package scope for the container registry. Related: CAR-1009 (CI registry token standardization) --- .gitea/workflows/ci.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 1c86e8c..a453141 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -43,11 +43,8 @@ jobs: echo "version=$VERSION" >> "$GITHUB_OUTPUT" - name: Log in to Gitea Container Registry - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITEA_TOKEN }} + run: | + echo "${{ github.token }}" | docker login ${{ env.REGISTRY }} --username "${{ github.actor }}" --password-stdin - name: Extract metadata id: meta -- 2.52.0 From a520a65f1b1614fbd77bb2750bfadf27d4e6aded Mon Sep 17 00:00:00 2001 From: Savannah Savings Date: Sun, 24 May 2026 20:38:35 +0000 Subject: [PATCH 03/14] fix(ci): use GITEA_TOKEN secret for docker login The github.token (automatic workflow token) in Gitea Actions doesn't inherit packages:write permission for container registry. Use the GITEA_TOKEN secret instead with direct docker login. Ref: CAR-973, CAR-1009 --- .gitea/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index a453141..d563893 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -44,7 +44,7 @@ jobs: - name: Log in to Gitea Container Registry run: | - echo "${{ github.token }}" | docker login ${{ env.REGISTRY }} --username "${{ github.actor }}" --password-stdin + echo "${{ secrets.GITEA_TOKEN }}" | docker login ${{ env.REGISTRY }} --username "cs_betty" --password-stdin - name: Extract metadata id: meta -- 2.52.0 From f0291e8827cdc075f432d2674918edc91f169e5a Mon Sep 17 00:00:00 2001 From: Barcode Betty Date: Sun, 24 May 2026 20:46:48 +0000 Subject: [PATCH 04/14] ci: use REGISTRY_TOKEN instead of GITEA_TOKEN for docker login (CAR-1024) Co-Authored-By: Paperclip --- .gitea/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 1c86e8c..46a8e04 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -47,7 +47,7 @@ jobs: with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata id: meta -- 2.52.0 From 8bf80a9890081d5eca4c33d6fcdf0f8369dea20b Mon Sep 17 00:00:00 2001 From: Savannah Savings Date: Mon, 25 May 2026 00:04:25 +0000 Subject: [PATCH 05/14] fix(ci): use REGISTRY_TOKEN for container registry auth (CAR-973) The REGISTRY_TOKEN secret has write:package scope for git.farh.net. This fixes the unauthorized error at docker login. Related: CAR-1023 (REGISTRY_TOKEN setup), CAR-1009 (CI registry token standardization) Co-Authored-By: Paperclip --- .gitea/workflows/ci.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index d563893..46a8e04 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -43,8 +43,11 @@ jobs: echo "version=$VERSION" >> "$GITHUB_OUTPUT" - name: Log in to Gitea Container Registry - run: | - echo "${{ secrets.GITEA_TOKEN }}" | docker login ${{ env.REGISTRY }} --username "cs_betty" --password-stdin + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata id: meta -- 2.52.0 From 23ab939d2fcdaa4ea79702dc324b74d1e48e47ed Mon Sep 17 00:00:00 2001 From: Barcode Betty Date: Mon, 25 May 2026 09:43:43 +0000 Subject: [PATCH 06/14] Add *.farh.net origins back to trustedOrigins Fixes 403 errors on UAT auth endpoints (cartsnitch.uat.farh.net). The previous change removed *.farh.net origins causing Better Auth to reject requests from UAT environment. Co-Authored-By: Paperclip --- src/auth.ts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/auth.ts b/src/auth.ts index 09b493f..4a62b53 100644 --- a/src/auth.ts +++ b/src/auth.ts @@ -115,6 +115,9 @@ export const auth = betterAuth({ trustedOrigins: [ "http://localhost:3000", "http://localhost:5173", + "https://cartsnitch.farh.net", + "https://cartsnitch.dev.farh.net", + "https://cartsnitch.uat.farh.net", "https://cartsnitch.com", "https://dev.cartsnitch.com", "https://uat.cartsnitch.com", -- 2.52.0 From 4a63bc1da8fd1f5d3c5cc31bd29dc3e64df8b41c Mon Sep 17 00:00:00 2001 From: Barcode Betty Date: Mon, 25 May 2026 22:53:44 +0000 Subject: [PATCH 07/14] fix(ci): apply CAR-985 and CAR-986 fixes to uat --- .gitea/workflows/ci.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 46a8e04..bc33b40 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -43,11 +43,7 @@ jobs: echo "version=$VERSION" >> "$GITHUB_OUTPUT" - name: Log in to Gitea Container Registry - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.REGISTRY_TOKEN }} + run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin - name: Extract metadata id: meta @@ -81,7 +77,7 @@ jobs: - uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ secrets.GITEA_TOKEN }} + token: ${{ secrets.CI_GITEA_TOKEN }} ref: main path: infra @@ -120,7 +116,7 @@ jobs: - uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ secrets.GITEA_TOKEN }} + token: ${{ secrets.CI_GITEA_TOKEN }} ref: main path: infra -- 2.52.0 From 6f392bbbed22e0796a7d16f84f52e62d7c9fff96 Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Mon, 25 May 2026 23:15:07 +0000 Subject: [PATCH 08/14] test(ci): trigger CI after DinD fix (CAR-1042) --- .gitea/CI_TRIGGER.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitea/CI_TRIGGER.md diff --git a/.gitea/CI_TRIGGER.md b/.gitea/CI_TRIGGER.md new file mode 100644 index 0000000..b7eb537 --- /dev/null +++ b/.gitea/CI_TRIGGER.md @@ -0,0 +1 @@ +# CI trigger 20260525231507 - post-DinD verification (CAR-1042) -- 2.52.0 From e308b15255742799573592d9ede6cc416975b75e Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Thu, 28 May 2026 19:47:39 +0000 Subject: [PATCH 09/14] ci(CAR-1041): remove invalid deploy-dev/deploy-uat jobs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove deploy-dev and deploy-uat CI jobs. CartSnitch uses Flux GitOps — CI builds images, Flux deploys. These Actions-based deployment jobs were added incorrectly in CAR-987. Co-Authored-By: Barcode Betty --- .gitea/workflows/ci.yml | 78 ----------------------------------------- 1 file changed, 78 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 1c86e8c..afdaa08 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -72,81 +72,3 @@ jobs: run: | git tag "v${{ steps.calver.outputs.version }}" git push origin "v${{ steps.calver.outputs.version }}" - - deploy-dev: - runs-on: ubuntu-latest - needs: [build-and-push] - if: github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main') - steps: - - uses: actions/checkout@v4 - with: - repository: cartsnitch/infra - token: ${{ secrets.GITEA_TOKEN }} - ref: main - path: infra - - - uses: imranismail/setup-kustomize@v2 - - - name: Determine image tag - id: tag - run: | - if [ "${{ github.ref }}" == "refs/heads/main" ]; then - echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" - else - echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" - fi - - - name: Update auth image tag in dev overlay - run: | - cd infra/apps/overlays/dev - kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.tag.outputs.tag }} - - - name: Commit and push to infra - run: | - cd infra - git config user.name "cartsnitch-ci[bot]" - git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" - git add apps/overlays/dev/kustomization.yaml - git diff --cached --quiet && echo "No changes" && exit 0 - git commit -m "ci(dev): update auth image from cartsnitch/auth CI" - git pull --rebase origin main - git push origin main - - deploy-uat: - runs-on: ubuntu-latest - needs: [build-and-push] - if: github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main') - steps: - - uses: actions/checkout@v4 - with: - repository: cartsnitch/infra - token: ${{ secrets.GITEA_TOKEN }} - ref: main - path: infra - - - uses: imranismail/setup-kustomize@v2 - - - name: Determine image tag - id: tag - run: | - if [ "${{ github.ref }}" == "refs/heads/main" ]; then - echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" - else - echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" - fi - - - name: Update auth image tag in uat overlay - run: | - cd infra/apps/overlays/uat - kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.tag.outputs.tag }} - - - name: Commit and push to infra - run: | - cd infra - git config user.name "cartsnitch-ci[bot]" - git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" - git add apps/overlays/uat/kustomization.yaml - git diff --cached --quiet && echo "No changes" && exit 0 - git commit -m "ci(uat): update auth image from cartsnitch/auth CI" - git pull --rebase origin main - git push origin main -- 2.52.0 From 8c37c764e9ff5de548675477cbbe3a120883320e Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Sat, 30 May 2026 08:56:47 +0000 Subject: [PATCH 10/14] fix(ci): add DinD service to enable image builds (CAR-1042) --- .gitea/workflows/ci.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index bc33b40..cd3dde0 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -23,6 +23,13 @@ jobs: build-and-push: runs-on: ubuntu-latest if: github.event_name == 'push' + services: + docker: + image: docker:dind + privileged: true + env: + DOCKER_HOST: tcp://docker:2375 + DOCKER_TLS_CERTDIR: "" outputs: calver_tag: ${{ steps.calver.outputs.version }} sha_tag: sha-${{ github.sha }} -- 2.52.0 From 1099037db14c4687784cc4f125672ac0654128e5 Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Tue, 2 Jun 2026 10:07:31 +0000 Subject: [PATCH 11/14] fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout Replaces CI_GITEA_TOKEN (which lacks cross-repo access) with REGISTRY_TOKEN for checkout of cartsnitch/infra in deploy-uat/deploy-dev jobs. Fixes CAR-1147 --- .gitea/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index cd3dde0..05607b3 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -84,7 +84,7 @@ jobs: - uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ secrets.CI_GITEA_TOKEN }} + token: ${{ secrets.REGISTRY_TOKEN }} ref: main path: infra @@ -123,7 +123,7 @@ jobs: - uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ secrets.CI_GITEA_TOKEN }} + token: ${{ secrets.REGISTRY_TOKEN }} ref: main path: infra -- 2.52.0 From b4420b3f8794b8126e5d99a47e29af249a85b2e2 Mon Sep 17 00:00:00 2001 From: Barcode Betty Date: Tue, 2 Jun 2026 14:16:15 +0000 Subject: [PATCH 12/14] fix(ci): use direct docker login for Gitea registry (CAR-994) docker/login-action@v3 exits 1 against git.farh.net. Replace with a direct docker login shell command using secrets.REGISTRY_TOKEN via --password-stdin. cc @cpfarhood --- .gitea/workflows/ci.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index f115862..04f89a8 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -43,11 +43,7 @@ jobs: echo "version=$VERSION" >> "$GITHUB_OUTPUT" - name: Log in to Gitea Container Registry - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.REGISTRY_TOKEN }} + run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ${{ env.REGISTRY }} -u "${{ github.actor }}" --password-stdin - name: Extract metadata id: meta -- 2.52.0 From 02b732e24cace04330287e179bd735099f04b16b Mon Sep 17 00:00:00 2001 From: Barcode Betty <32+cs_betty@noreply.git.farh.net> Date: Thu, 4 Jun 2026 11:46:31 +0000 Subject: [PATCH 13/14] chore(ci): re-trigger auth UAT build after act-runner DinD fix (CAR-973) Co-Authored-By: Paperclip -- 2.52.0 From 91ab376f383b5b32bf3b7022ddd002a676ba37d3 Mon Sep 17 00:00:00 2001 From: Barcode Betty <32+cs_betty@noreply.git.farh.net> Date: Thu, 4 Jun 2026 20:33:08 +0000 Subject: [PATCH 14/14] ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237) - Change A: replace build-and-push with runner-native Docker (no DinD service container) - Change B: deploy-dev/deploy-uat use secrets.GITEA_TOKEN for infra checkout Co-Authored-By: Paperclip --- .gitea/workflows/ci.yml | 84 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 83 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 04f89a8..46a8e04 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -43,7 +43,11 @@ jobs: echo "version=$VERSION" >> "$GITHUB_OUTPUT" - name: Log in to Gitea Container Registry - run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ${{ env.REGISTRY }} -u "${{ github.actor }}" --password-stdin + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata id: meta @@ -68,3 +72,81 @@ jobs: run: | git tag "v${{ steps.calver.outputs.version }}" git push origin "v${{ steps.calver.outputs.version }}" + + deploy-dev: + runs-on: ubuntu-latest + needs: [build-and-push] + if: github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main') + steps: + - uses: actions/checkout@v4 + with: + repository: cartsnitch/infra + token: ${{ secrets.GITEA_TOKEN }} + ref: main + path: infra + + - uses: imranismail/setup-kustomize@v2 + + - name: Determine image tag + id: tag + run: | + if [ "${{ github.ref }}" == "refs/heads/main" ]; then + echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" + else + echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + fi + + - name: Update auth image tag in dev overlay + run: | + cd infra/apps/overlays/dev + kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.tag.outputs.tag }} + + - name: Commit and push to infra + run: | + cd infra + git config user.name "cartsnitch-ci[bot]" + git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" + git add apps/overlays/dev/kustomization.yaml + git diff --cached --quiet && echo "No changes" && exit 0 + git commit -m "ci(dev): update auth image from cartsnitch/auth CI" + git pull --rebase origin main + git push origin main + + deploy-uat: + runs-on: ubuntu-latest + needs: [build-and-push] + if: github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main') + steps: + - uses: actions/checkout@v4 + with: + repository: cartsnitch/infra + token: ${{ secrets.GITEA_TOKEN }} + ref: main + path: infra + + - uses: imranismail/setup-kustomize@v2 + + - name: Determine image tag + id: tag + run: | + if [ "${{ github.ref }}" == "refs/heads/main" ]; then + echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" + else + echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + fi + + - name: Update auth image tag in uat overlay + run: | + cd infra/apps/overlays/uat + kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.tag.outputs.tag }} + + - name: Commit and push to infra + run: | + cd infra + git config user.name "cartsnitch-ci[bot]" + git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" + git add apps/overlays/uat/kustomization.yaml + git diff --cached --quiet && echo "No changes" && exit 0 + git commit -m "ci(uat): update auth image from cartsnitch/auth CI" + git pull --rebase origin main + git push origin main -- 2.52.0