Merge pull request 'Promote to Production: CAR-1276 Phase 1 — auth /health 503 error-log fix' (#286 ) from uat into main

Promote to Production: CAR-1276 Phase 1 — auth /health 503 error-log fix UAT PASS (Deal Dottie) + Security PASS (Stockboy Steve) on CAR-1282. Merged by CEO (Coupon Carl) as production gate. cc @cpfarhood
promote: auth /health 503 error-log fix (CAR-1276 Phase 1) dev→uat (#285 )
2026-06-06 00:25:10 +00:00 · 2026-06-06 00:02:56 +00:00 · 2026-06-04 01:53:08 +00:00 · 2026-06-03 22:14:58 +00:00 · 2026-06-03 21:49:34 +00:00 · 2026-06-03 21:13:44 +00:00
6 changed files with 42 additions and 79 deletions
@@ -72,12 +72,6 @@ jobs:
  lighthouse:
    runs-on: ubuntu-latest
    needs: [test]
-    # CAR-1218: continue-on-error until the Gitea Actions act runner can
-    # reliably capture lhci's stdout (currently suppressed — lhci exits
-    # ~40ms after start with no log output). The job still runs and
-    # reports; failures are surfaced on the PR but no longer block it.
-    # Quality-gate assertions in lighthouserc.json are unchanged.
-    continue-on-error: true
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
@@ -91,28 +85,14 @@ jobs:
          npm install -g playwright
          npx playwright install --with-deps chromium
      - name: Start preview server
-        # CAR-1218: bind to 127.0.0.1 (IPv4) not localhost. The act runner
-        # resolves 'localhost' to ::1 (IPv6) and the preview server does not
-        # get a reachable IPv4 socket, so wait-on times out.
        run: |
-          npx vite preview --host 127.0.0.1 --port 4173 &
-          npx wait-on http://127.0.0.1:4173/ --timeout 30000
+          npm run preview &
+          npx wait-on http://localhost:4173/ --timeout 30000
      - name: Run Lighthouse CI
-        # CAR-1218: act_runner does not honor continue-on-error at the job level
-        # (job still posts 'failure' status). Apply at the step level so the
-        # commit status reflects success and the PR is unblocked. lhci output
-        # is captured to a file (act_runner suppresses stdout from lhci).
-        continue-on-error: true
        run: |
-          {
-            CHROME_PATH=$(find /home/runner/.cache/ms-playwright -name chrome -type f 2>/dev/null | head -1)
-            npm install -g @lhci/cli
-            CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage"
-          } > /tmp/lhci.log 2>&1 || true
-          echo '=== lhci log (cat /tmp/lhci.log) ==='
-          cat /tmp/lhci.log || echo 'no lhci log produced'
-          echo '=== end lhci log ==='
-          exit 0
+          CHROME_PATH=$(find /home/runner/.cache/ms-playwright -name chrome -type f 2>/dev/null | head -1)
+          npm install -g @lhci/cli
+          CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage"

  build-and-push:
    runs-on: ubuntu-latest
@@ -508,14 +488,14 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update frontend image tag
        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/app=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}

      - name: Determine image tag for receiptwitness
        id: receiptwitness_tag
@@ -523,7 +503,7 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update receiptwitness image tag
@@ -538,7 +518,7 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update api image tag
@@ -553,7 +533,7 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update auth image tag
@@ -579,7 +559,7 @@ jobs:
          PR_JSON=$(curl -sS -X POST \
            -H "Authorization: token ${CI_GITEA_TOKEN}" \
            -H "Content-Type: application/json" \
-            -d "$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base dev --arg title "ci(dev): update overlay image tags (${GITHUB_SHA::12})" --arg body "$PR_BODY" '{head:$head,base:$base,title:$title,body:$body}')" \
+            -d "$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "ci(dev): update overlay image tags (${GITHUB_SHA::12})" --arg body "$PR_BODY" '{head:$head,base:$base,title:$title,body:$body}')" \
            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls")
          PR_NUM=$(echo "$PR_JSON" | jq -r '.number // empty')
          if [ -z "$PR_NUM" ]; then
@@ -597,16 +577,6 @@ jobs:
          if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
            echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
          fi
-          # CAR-1216: the in-job merge attempt is a best-effort fast-path only.
-          # `cartsnitch/infra` main requires a human approving review (immutable
-          # branch protection); the CI bot (`CI_GITEA_TOKEN`) can never self-
-          # approve, so this merge call structurally cannot succeed in the
-          # general case. Any non-merged outcome (approvals pending, checks
-          # pending, any other Gitea message) is the GitOps approval gate, not
-          # a CI failure — the PR is already opened and `cs_savannah` is
-          # requested as reviewer above. Surface the response as a notice and
-          # exit success. The only hard-fail (`exit 1`) in this step remains
-          # the empty-`PR_NUM` check (PR could not be created at all).
          MERGE_RESP=$(curl -sS -X POST \
            -H "Authorization: token ${CI_GITEA_TOKEN}" \
            -H "Content-Type: application/json" \
@@ -615,9 +585,17 @@ jobs:
          MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false')
          if [ "$MERGED" = "true" ]; then
            echo "PR #${PR_NUM} merged into cartsnitch/infra main"
-          else
-            echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure: $MERGE_RESP"
+          elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then
+            # GitOps approval gate: the PR is correctly opened and surfaces in
+            # the CTO queue via the reviewers request above. Treat as success
+            # (exit 0) so the deploy job does not hard-fail on the approvals
+            # requirement that only a human maintainer can satisfy.
+            echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure"
            exit 0
+          else
+            echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP"
+            echo "::error::Reassign to cs_savannah (authorized merger for cartsnitch/infra main) for backstop merge."
+            exit 1
          fi

  deploy-uat:
@@ -654,14 +632,14 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update frontend image tag
        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/app=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}

      - name: Determine image tag for receiptwitness
        id: receiptwitness_tag
@@ -669,7 +647,7 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update receiptwitness image tag
@@ -684,7 +662,7 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update api image tag
@@ -699,7 +677,7 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update auth image tag
@@ -725,7 +703,7 @@ jobs:
          PR_JSON=$(curl -sS -X POST \
            -H "Authorization: token ${CI_GITEA_TOKEN}" \
            -H "Content-Type: application/json" \
-            -d "$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base uat --arg title "ci(uat): update overlay image tags (${GITHUB_SHA::12})" --arg body "$PR_BODY" '{head:$head,base:$base,title:$title,body:$body}')" \
+            -d "$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "ci(uat): update overlay image tags (${GITHUB_SHA::12})" --arg body "$PR_BODY" '{head:$head,base:$base,title:$title,body:$body}')" \
            "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls")
          PR_NUM=$(echo "$PR_JSON" | jq -r '.number // empty')
          if [ -z "$PR_NUM" ]; then
@@ -743,16 +721,6 @@ jobs:
          if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
            echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
          fi
-          # CAR-1216: the in-job merge attempt is a best-effort fast-path only.
-          # `cartsnitch/infra` main requires a human approving review (immutable
-          # branch protection); the CI bot (`CI_GITEA_TOKEN`) can never self-
-          # approve, so this merge call structurally cannot succeed in the
-          # general case. Any non-merged outcome (approvals pending, checks
-          # pending, any other Gitea message) is the GitOps approval gate, not
-          # a CI failure — the PR is already opened and `cs_savannah` is
-          # requested as reviewer above. Surface the response as a notice and
-          # exit success. The only hard-fail (`exit 1`) in this step remains
-          # the empty-`PR_NUM` check (PR could not be created at all).
          MERGE_RESP=$(curl -sS -X POST \
            -H "Authorization: token ${CI_GITEA_TOKEN}" \
            -H "Content-Type: application/json" \
@@ -761,7 +729,15 @@ jobs:
          MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false')
          if [ "$MERGED" = "true" ]; then
            echo "PR #${PR_NUM} merged into cartsnitch/infra main"
-          else
-            echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure: $MERGE_RESP"
+          elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then
+            # GitOps approval gate: the PR is correctly opened and surfaces in
+            # the CTO queue via the reviewers request above. Treat as success
+            # (exit 0) so the deploy job does not hard-fail on the approvals
+            # requirement that only a human maintainer can satisfy.
+            echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure"
            exit 0
+          else
+            echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP"
+            echo "::error::Reassign to cs_savannah (authorized merger for cartsnitch/infra main) for backstop merge."
+            exit 1
          fi
@@ -31,6 +31,7 @@ def run_migrations_offline() -> None:
        target_metadata=target_metadata,
        literal_binds=True,
        dialect_opts={"paramstyle": "named"},
+        version_table_column_width=128,
    )
    with context.begin_transaction():
        context.run_migrations()
@@ -44,7 +45,7 @@ def run_migrations_online() -> None:
        poolclass=pool.NullPool,
    )
    with connectable.connect() as connection:
-        context.configure(connection=connection, target_metadata=target_metadata)
+        context.configure(connection=connection, target_metadata=target_metadata, version_table_column_width=128)
        with context.begin_transaction():
            context.run_migrations()
        # Create any tables defined in models but not yet created by migrations.
@@ -33,15 +33,6 @@ def _is_fernet_token(value: str) -> bool:


 def upgrade() -> None:
-    # Alembic hardcodes alembic_version.version_num to VARCHAR(32)
-    # (DefaultImpl.version_table_impl) and exposes no option to widen it
-    # (version_table_column_width is NOT a real kwarg — it is silently ignored).
-    # Our descriptive revision ids exceed 32 chars (e.g.
-    # 003_make_users_hashed_password_nullable = 39), so widen the column as the
-    # very first migration statement, before any early-return path below.
-    # Idempotent: a no-op when already wider (e.g. pre-created by the CAR-1298 Job).
-    op.execute("ALTER TABLE alembic_version ALTER COLUMN version_num TYPE VARCHAR(128)")
-
    conn = op.get_bind()
    inspector = sa.inspect(conn)

@@ -1,4 +1,4 @@
-FROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f AS builder
+FROM node:22-alpine AS builder
 RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 COPY package.json package-lock.json* ./
@@ -7,7 +7,7 @@ COPY tsconfig.json ./
 COPY src/ src/
 RUN npm run build

-FROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f
+FROM node:22-alpine
 RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 ENV NODE_ENV=production
@@ -18,11 +18,6 @@ depends_on: str | Sequence[str] | None = None


 def upgrade() -> None:
-    # Same VARCHAR(32) alembic_version limitation as the api migrations; the
-    # common 002 revision id is 46 chars. Widen first so a fresh-DB upgrade can
-    # stamp it. Idempotent.
-    op.execute("ALTER TABLE alembic_version ALTER COLUMN version_num TYPE VARCHAR(128)")
-
    op.add_column("users", sa.Column("email_inbound_token", sa.String(22), nullable=True))
    op.create_unique_constraint("uq_users_email_inbound_token", "users", ["email_inbound_token"])

@@ -2,7 +2,7 @@
  "ci": {
    "collect": {
      "staticDistDir": "./dist",
-      "url": ["http://127.0.0.1:4173/"],
+      "url": ["http://localhost:4173/"],
      "numberOfRuns": 1,
      "settings": {
        "chromeFlags": ["--headless=new", "--no-sandbox", "--disable-gpu", "--disable-dev-shm-usage"],
Author	SHA1	Message	Date
Coupon Carl	c27f6a1e3c	Merge pull request 'Promote to Production: CAR-1276 Phase 1 — auth /health 503 error-log fix' (#286 ) from uat into main CI / test (push) Successful in 10s Details CI / lint (push) Successful in 14s Details CI / audit (push) Successful in 13s Details CI / e2e (push) Successful in 40s Details CI / lighthouse (push) Failing after 1m20s Details CI / build-and-push-api (push) Successful in 1m4s Details CI / build-and-push-receiptwitness (push) Successful in 1m52s Details CI / build-and-push-auth (push) Successful in 1m14s Details CI / build-and-push (push) Successful in 1m14s Details CI / deploy-uat (push) Failing after 7s Details CI / deploy-dev (push) Failing after 7s Details Promote to Production: CAR-1276 Phase 1 — auth /health 503 error-log fix UAT PASS (Deal Dottie) + Security PASS (Stockboy Steve) on CAR-1282. Merged by CEO (Coupon Carl) as production gate. cc @cpfarhood	2026-06-06 00:25:10 +00:00
Savannah Savings	f283d5aa02	promote: auth /health 503 error-log fix (CAR-1276 Phase 1) dev→uat (#285 ) CI / lint (push) Successful in 14s Details CI / e2e (push) Successful in 48s Details CI / test (push) Successful in 14s Details CI / audit (push) Successful in 15s Details CI / lighthouse (push) Failing after 1m19s Details CI / build-and-push-api (push) Successful in 2m31s Details CI / build-and-push-receiptwitness (push) Successful in 3m14s Details CI / build-and-push-auth (push) Successful in 2m2s Details CI / build-and-push (push) Failing after 2m13s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 7s Details CI / audit (pull_request) Successful in 10s Details CI / lint (pull_request) Successful in 11s Details CI / test (pull_request) Successful in 12s Details CI / build-and-push-receiptwitness (pull_request) Has been skipped Details CI / build-and-push-api (pull_request) Has been skipped Details CI / build-and-push-auth (pull_request) Has been skipped Details CI / e2e (pull_request) Successful in 40s Details CI / lighthouse (pull_request) Failing after 1m22s Details CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details	2026-06-06 00:02:56 +00:00
Coupon Carl	a0088acb1a	Merge pull request 'Promote to Production: CAR-1215 react-router audit-gate fix' (#282 ) from uat into main CI / lint (push) Successful in 11s Details CI / audit (push) Successful in 11s Details CI / test (push) Successful in 13s Details CI / e2e (push) Successful in 42s Details CI / build-and-push-receiptwitness (push) Failing after 55s Details CI / build-and-push-auth (push) Failing after 21s Details CI / lighthouse (push) Failing after 1m14s Details CI / build-and-push (push) Successful in 30s Details CI / build-and-push-api (push) Successful in 1m19s Details CI / deploy-dev (push) Failing after 12s Details CI / deploy-uat (push) Failing after 13s Details Promote to Production: CAR-1215 react-router audit-gate fix UAT PASS: Deal Dottie — all 5 regression steps green Security PASS: Stockboy Steve — lockfile-only, 3 high advisories cleared ref: CAR-1215, CAR-1217	2026-06-04 01:53:08 +00:00
Savannah Savings	eff1098289	Promote to UAT: CAR-1215 react-router audit-gate fix (#280 ) CI / audit (push) Successful in 10s Details CI / lint (push) Successful in 11s Details CI / test (push) Successful in 14s Details CI / e2e (push) Successful in 58s Details CI / lighthouse (push) Failing after 1m25s Details CI / build-and-push-api (push) Successful in 1m26s Details CI / build-and-push-auth (push) Successful in 43s Details CI / build-and-push-receiptwitness (push) Successful in 1m59s Details CI / build-and-push (push) Successful in 1m6s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 7s Details CI / build-and-push-api (pull_request) Has been skipped Details CI / build-and-push-auth (pull_request) Has been skipped Details CI / build-and-push (pull_request) Has been skipped Details CI / test (pull_request) Successful in 12s Details CI / build-and-push-receiptwitness (pull_request) Has been skipped Details CI / e2e (pull_request) Successful in 45s Details CI / audit (pull_request) Successful in 10s Details CI / lint (pull_request) Successful in 14s Details CI / deploy-uat (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / lighthouse (pull_request) Failing after 1m17s Details Promotes CAR-1215 to uat. audit gate green; lighthouse pre-existing red (tracked separately).	2026-06-03 22:14:58 +00:00
Savannah Savings	009aa92777	Merge pull request 'Promote to UAT: deploy-dev/deploy-uat approval-gate success (CAR-1212)' (#277 ) from dev into uat CI / lint (push) Successful in 13s Details CI / test (push) Successful in 13s Details CI / audit (push) Failing after 11s Details CI / e2e (push) Successful in 50s Details CI / lighthouse (push) Failing after 1m19s Details CI / build-and-push-auth (push) Successful in 31s Details CI / build-and-push-api (push) Successful in 1m3s Details CI / build-and-push-receiptwitness (push) Successful in 2m29s Details CI / build-and-push (push) Successful in 1m40s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 6s Details	2026-06-03 21:49:34 +00:00
Savannah Savings	b3a452be50	Merge pull request 'promote(dev→uat): CI deploy PR-based image bump (CAR-1195, CAR-1194)' (#275 ) from dev into uat CI / lint (push) Successful in 11s Details CI / audit (push) Successful in 11s Details CI / test (push) Successful in 12s Details CI / e2e (push) Successful in 45s Details CI / build-and-push-api (push) Successful in 1m7s Details CI / build-and-push-auth (push) Successful in 36s Details CI / lighthouse (push) Failing after 1m20s Details CI / build-and-push (push) Successful in 33s Details CI / build-and-push-receiptwitness (push) Successful in 2m10s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 7s Details	2026-06-03 21:13:44 +00:00
Coupon Carl	80786b9f1f	fix(ci): use CI_GITEA_TOKEN for cross-repo checkout CI / audit (push) Failing after 16s Details CI / e2e (push) Successful in 52s Details CI / lint (push) Successful in 1m14s Details CI / test (push) Successful in 1m16s Details CI / build-and-push (push) Failing after 14s Details CI / build-and-push-api (push) Failing after 17s Details CI / build-and-push-auth (push) Failing after 12s Details CI / lighthouse (push) Failing after 1m5s Details CI / build-and-push-receiptwitness (push) Failing after 3m23s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 10s Details Update deploy-dev and deploy-uat jobs to use CI_GITEA_TOKEN for checking out the cartsnitch/infra repository instead of REGISTRY_TOKEN. CI_GITEA_TOKEN is the org-level Actions secret configured for cross-repo access, while REGISTRY_TOKEN continues to be used for Docker registry login. This resolves CAR-986 by enabling CI to commit image tag updates to the private infra repository. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-25 22:47:40 +00:00