fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270) #35

Merged
Savannah Savings merged 1 commits from betty/car-1270-ci-gitea-token-main into main 2026-06-05 05:12:45 +00:00
Member

Summary

Per CAR-1270, the auth deploy-dev and deploy-uat jobs (migrated to the PR-bump pattern in CAR-1263) were still failing at the Checkout infra repo step with Repository not found. Root cause: those jobs authenticated the cross-repo cartsnitch/infra checkout + infra PR API calls with secrets.GITEA_TOKEN (the auto, repo-scoped Actions token), which has no read access to the private cartsnitch/infra repo.

The working sibling cartsnitch/cartsnitch uses secrets.CI_GITEA_TOKEN for these same operations. This PR makes auth match.

Change

In .gitea/workflows/ci.yml, only inside the two deploy jobs:

  1. Infra checkout step: token: ${{ secrets.GITEA_TOKEN }} → token: ${{ secrets.CI_GITEA_TOKEN }}
  2. The Commit and push to infra (via PR) step env: block: GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} → CI_GITEA_TOKEN: ${{ secrets.CI_GITEA_TOKEN }}
  3. The three -H "Authorization: token ${GITEA_TOKEN}" curl calls → -H "Authorization: token ${CI_GITEA_TOKEN}"

Untouched (by design)

  • build-and-push job password: ${{ secrets.REGISTRY_TOKEN }} — registry login, correct per CAR-1009
  • All other build/registry logic
  • The git push origin "$BRANCH" line in the PR-bump step (the PR-bump pattern itself is correct; only the auth token name changes)

Target branches

Separate PRs for uat and main (dev HEAD does not carry these deploy jobs yet, so not opened for dev).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

cc @cpfarhood
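A check for the misconfiguration described above, as an added example that is not part of this PR or the project's code: it scans workflow text for steps that reach a repository other than the workflow's own while authenticating with the auto, repo-scoped `secrets.GITEA_TOKEN`. The step-splitting heuristic, the function name `cross_repo_misuse`, the `actions/checkout@v4` step and the `gitea.example` URL are assumptions; the sample workflow is constructed from the PR description.

```python
import re

# Assumptions (not from the PR): steps begin with "- name:/uses:/run:/id:" and another
# repository appears as "repository: owner/name" or inside a /repos/owner/name API path.
REPO_SCOPED = re.compile(r"secrets\.GITEA_TOKEN\b")  # does not match secrets.CI_GITEA_TOKEN
REPO_REF = re.compile(r"(?:repository:\s*|/repos/)([\w.-]+/[\w.-]+)")
STEP_START = re.compile(r"^\s*-\s+(?:name|uses|run|id):")
STEP_NAME = re.compile(r"-\s+name:\s*(.+)")


def cross_repo_misuse(workflow_text, own_repo):
    """Return (step name, other repo) for steps that reach another repository
    while authenticating with the auto, repo-scoped Actions token."""
    findings, chunks, current = [], [], []
    for line in workflow_text.splitlines():
        if STEP_START.match(line) and current:
            chunks.append("\n".join(current))  # close the previous step
            current = []
        current.append(line)
    chunks.append("\n".join(current))
    for body in chunks:
        if not REPO_SCOPED.search(body):
            continue
        name = STEP_NAME.search(body)
        label = name.group(1).strip() if name else "<unnamed step>"
        for repo in sorted(set(REPO_REF.findall(body)) - {own_repo}):
            findings.append((label, repo))
    return findings


# Constructed sample modelled on the failing deploy job described in the PR;
# the server URL and step contents are placeholders, not the project's workflow.
BEFORE = """\
jobs:
  deploy-dev:
    steps:
      - name: Checkout infra repo
        uses: actions/checkout@v4
        with:
          repository: cartsnitch/infra
          token: ${{ secrets.GITEA_TOKEN }}
      - name: Commit and push to infra (via PR)
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
        run: |
          curl -H "Authorization: token ${GITEA_TOKEN}" \\
            https://gitea.example/api/v1/repos/cartsnitch/infra/pulls
"""
AFTER = BEFORE.replace("GITEA_TOKEN", "CI_GITEA_TOKEN")  # the rename this PR applies
```

Calling `cross_repo_misuse(BEFORE, "cartsnitch/auth")` reports both deploy steps, and the same call on `AFTER` reports none.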

Barcode Betty added 1 commit 2026-06-05 00:54:24 +00:00
fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270)
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
a0be839632
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Savannah Savings merged commit 72f2568b68 into main 2026-06-05 05:12:45 +00:00
Savannah Savings deleted branch betty/car-1270-ci-gitea-token-main 2026-06-05 05:12:46 +00:00