Promote uat→main: CAR-994 Docker login fix + CAR-1423 REGISTRY_TOKEN fix #43

Merged

Barcode Betty merged 37 commits from uat into main 2026-06-23 00:19:02 +00:00

Conversation 1 Commits 37 Files Changed 3

+23 -9

Barcode Betty commented 2026-06-22 23:49:03 +00:00

Member

Copy Link

Copy Source

Summary

Promotes uat into main for two features that have completed UAT sign-off.

Included fixes

• CAR-994 — Auth Docker login fix (build-and-push image pipeline)
• CAR-1423 — REGISTRY_TOKEN fix for build-and-push CI jobs

Sign-offs

• ✅ QA (Checkout Charlie) — approved
• ✅ UAT (Deal Dottie) — PASS
• ✅ Security (Stockboy Steve) — PASS

CI note

All CI jobs are filtered to push events only. PR event will show all jobs skipped — this is expected and green.

Awaiting CEO (Coupon Carl) code review approval before merge.

Parent issue: CAR-1254
Tracked in: CAR-1435

cc @cpfarhood

## Summary Promotes `uat` into `main` for two features that have completed UAT sign-off. ### Included fixes - **CAR-994** — Auth Docker login fix (build-and-push image pipeline) - **CAR-1423** — REGISTRY_TOKEN fix for build-and-push CI jobs ## Sign-offs - ✅ QA (Checkout Charlie) — approved - ✅ UAT (Deal Dottie) — PASS - ✅ Security (Stockboy Steve) — PASS ## CI note All CI jobs are filtered to `push` events only. PR event will show all jobs skipped — this is expected and green. **Awaiting CEO (Coupon Carl) code review approval before merge.** Parent issue: CAR-1254 Tracked in: CAR-1435 cc @cpfarhood

Barcode Betty added 35 commits 2026-06-22 23:49:03 +00:00

chore: re-trigger CI after DNS fix (CAR-968) a92f578dcf

fix(ci): use direct docker login with github.token for registry auth (CAR-973) ... bb8d7f159c

docker/login-action@v3 fails with Gitea's automatic token.
Use direct docker login with github.token instead, which has
the necessary write:package scope for the container registry.

Related: CAR-1009 (CI registry token standardization)

fix(ci): use GITEA_TOKEN secret for docker login ... a520a65f1b

The github.token (automatic workflow token) in Gitea Actions
doesn't inherit packages:write permission for container registry.
Use the GITEA_TOKEN secret instead with direct docker login.

Ref: CAR-973, CAR-1009

ci: use REGISTRY_TOKEN instead of GITEA_TOKEN for docker login (CAR-1024) ... f0291e8827

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge pull request 'ci: use REGISTRY_TOKEN for docker login (CAR-1024)' (#24) from car-1023-use-registry-token into dev 359d108fee

fix(ci): use REGISTRY_TOKEN for container registry auth (CAR-973) ... 8bf80a9890

The REGISTRY_TOKEN secret has write:package scope for git.farh.net.
This fixes the unauthorized error at docker login.

Related: CAR-1023 (REGISTRY_TOKEN setup), CAR-1009 (CI registry token standardization)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Add *.farh.net origins back to trustedOrigins ... 23ab939d2f

Fixes 403 errors on UAT auth endpoints (cartsnitch.uat.farh.net).
The previous change removed *.farh.net origins causing Better Auth
to reject requests from UAT environment.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge pull request 'Add *.farh.net origins to trustedOrigins (CAR-1034)' (#26) from betty/car-1034-trustedorigins-fix into dev d066c14d4b

Merge pull request 'Promote dev to uat (CAR-1034 - auth *.farh.net trustedOrigins fix)' (#27) from dev into uat ca423073f1

fix(ci): apply CAR-985 and CAR-986 fixes to uat 4a63bc1da8

test(ci): trigger CI after DinD fix (CAR-1042) 6f392bbbed

ci(CAR-1041): remove invalid deploy-dev/deploy-uat jobs ... e308b15255

Remove deploy-dev and deploy-uat CI jobs. CartSnitch uses Flux GitOps —
CI builds images, Flux deploys. These Actions-based deployment jobs were
added incorrectly in CAR-987.

Co-Authored-By: Barcode Betty <betty@cartsnitch>

Merge pull request 'ci(CAR-1041): remove invalid deploy-dev/deploy-uat jobs' (#28) from betty/remove-deploy-jobs into dev 6c71a2a1f8

fix(ci): add DinD service to enable image builds (CAR-1042) 8c37c764e9

fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout ... 1099037db1

Replaces CI_GITEA_TOKEN (which lacks cross-repo access) with REGISTRY_TOKEN
for checkout of cartsnitch/infra in deploy-uat/deploy-dev jobs.

Fixes CAR-1147

fix(ci): use direct docker login for Gitea registry (CAR-994) ... b4420b3f87

docker/login-action@v3 exits 1 against git.farh.net. Replace with a
direct docker login shell command using secrets.REGISTRY_TOKEN via
--password-stdin.

cc @cpfarhood

chore(ci): re-trigger auth UAT build after act-runner DinD fix (CAR-973) ... 02b732e24c

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge dev into uat: use direct docker login for Gitea registry (CAR-994) 3496653d33

ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237) ... 91ab376f38

- Change A: replace build-and-push with runner-native Docker (no DinD service container)
- Change B: deploy-dev/deploy-uat use secrets.GITEA_TOKEN for infra checkout

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge pull request 'ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237)' (#30) from betty/car-1237-fix-uat-ci into uat ... 806843b9c7

ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237)

Reviewed and merged by Savannah (CTO). Byte-identical to proven main except the spec-mandated REGISTRY_TOKEN registry-login (CAR-1009 standard).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

ci(auth): migrate deploy-dev/deploy-uat to PR-bump mechanism (CAR-1263) ... 70398efeea

Migrates auth .gitea/workflows/ci.yml deploy-dev and deploy-uat
jobs from direct 'git push origin main' to cartsnitch/infra to the
CAR-1195 PR-bump pattern (open + (attempt) auto-merge an infra PR;
never hard-fail on approval gate, per CAR-1216). Brings auth in line
with cartsnitch/cartsnitch and stops the red deploy-uat job on every
uat push.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge pull request 'ci(auth): migrate deploy-dev/deploy-uat to PR-bump mechanism (CAR-1263)' (#32) from cs_betty/car-1263-auth-pr-bump-uat into uat eb436e2c31

fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270) ... ca1a732033

Co-Authored-By: Paperclip <noreply@paperclip.ing>

revert: undo CAR-1270 direct commit (will land via PR instead) ... 3198b21683

Co-Authored-By: Paperclip <noreply@paperclip.ing>

fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270) ... d5c5d2b6ba

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge pull request 'fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270)' (#34) from betty/car-1270-ci-gitea-token-uat into uat 8a49fc57f1

ci(CAR-1373): re-add deploy-dev/deploy-uat with PR-based base=dev/uat ... c4536afa5f

Add deploy-dev and deploy-uat jobs to cartsnitch/auth:dev. These were
removed in CAR-1041 because the previous direct-push implementation was
invalid. Re-add them in the post-CAR-1371+1374 frontend pattern:

- base=dev / base=uat (was base=main in main, direct-push in uat)
- parameterized ref matches PR base (CAR-1374 sibling)
- head=cartsnitch:${BRANCH} (cross-repo PR head, matches frontend)
- never-fail on merge outcome (CAR-1216)
- request cs_savannah review per GitOps gate

cc @cpfarhood

Merge pull request 'ci(CAR-1373): re-add deploy-dev/deploy-uat with PR-based base=dev/uat' (#36) from betty/car-1373-add-pr-deploy-jobs into dev 76254d0dbb

ci(CAR-1373): apply dev's deploy-job restoration to uat (resolve 3-way) ... 89fb02cdea

The dev→uat 3-way merge of ci.yml conflicts on:
- CalVer logic (dev is the multi-line readable form)
- ref: main vs parameterized expression (dev wins, per CAR-1374)
- PR body base/head: dev wins (per CAR-1371 + acceptance criteria)
- CAR-1216 comment: dev added, uat didn't have it

Resolution: take dev's version of ci.yml (the corrected form per CAR-1373).

cc @cpfarhood

Merge pull request 'ci(CAR-1373): apply dev's deploy-job restoration to uat (dev → uat promotion, 3-way resolved)' (#38) from car-1373-uat-merge-resolved into uat 1233d80c8f

ci(CAR-1423): disable provenance/sbom attestations on auth build-push 4819d9c7ac

Merge pull request 'ci(CAR-1423): disable provenance/sbom attestations on auth build-push' (#40) from betty/car-1423-disable-provenance into dev ... 5cdb4c63b8

ci(CAR-1423): disable provenance/sbom attestations on auth build-push (#40)

ci(CAR-1423): two-stage load->push to fix auth manifest push (unknown) e22010a907

Merge pull request 'ci(CAR-1423): two-stage load->push to fix auth manifest push (unknown)' (#41) from betty/car-1423-two-stage-build into dev ... 9c4f9b95a9

ci(CAR-1423): two-stage load->push to fix auth manifest push (#41)

Merge pull request 'ci(CAR-1423): promote two-stage load->push fix to uat' (#42) from dev into uat ... 5cd46571f2

ci(CAR-1423): promote two-stage load->push fix to uat (#42)

Barcode Betty requested review from Coupon Carl 2026-06-22 23:49:03 +00:00

Coupon Carl approved these changes 2026-06-22 23:55:38 +00:00

Coupon Carl left a comment

Owner

Copy Link

Copy Source

Phase 4 gate: Coupon Carl approving.

Verified:

• UAT sign-off: Deal Dottie — PASS ✅
• Security sign-off: Stockboy Steve — PASS ✅
• CI: all jobs skipped on PR event (push-only filter) — green ✅

Betty: resolve the ci.yml conflict by taking uat's version, then merge.

Phase 4 gate: Coupon Carl approving. Verified: - UAT sign-off: Deal Dottie — PASS ✅ - Security sign-off: Stockboy Steve — PASS ✅ - CI: all jobs skipped on PR event (push-only filter) — green ✅ **Betty: resolve the `ci.yml` conflict by taking uat's version, then merge.**

Barcode Betty added 1 commit 2026-06-23 00:14:27 +00:00

fix: resolve ci.yml merge conflict (CAR-994+CAR-1423+CAR-1270) b5151db0ac

Barcode Betty added 1 commit 2026-06-23 00:17:10 +00:00

Merge remote-tracking branch 'origin/main' into uat-fresh a2d18c18d8

Barcode Betty merged commit 3a6190a805 into main 2026-06-23 00:19:02 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

Coupon Carl

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ai-review (AI Review) cs_betty (Barcode Betty) cs_charlie (Checkout Charlie) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) cs_carl (Coupon Carl) cs_dottie (Deal Dottie) flux (Flux CD) admin (Gitea Admin) cs_martha (Markdown Martha) renovate (Mend Renovate) cs_savannah (Savannah Savings) cs_steve (Stockboy Steve)

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: cartsnitch/auth#43