Merge pull request 'fix(ci): migrate Docker registry from GHCR to Gitea' (#14) from barcode-betty/ghcr-to-gitea-registry into dev

Fixes CAR-1009.

- REGISTRY already git.farh.net (via CAR-964)
- Change GITEA_TOKEN → REGISTRY_TOKEN for consistency

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.gitea/workflows/ci.yml

@@ -15,12 +15,12 @@ permissions:
   packages: write
 
 env:
-  REGISTRY: ghcr.io
+  REGISTRY: git.farh.net
   IMAGE_NAME: cartsnitch/receiptwitness
 
 jobs:
   lint:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
@@ -33,7 +33,7 @@ jobs:
         run: ruff check src/ tests/
 
   test:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
@@ -46,7 +46,7 @@ jobs:
         run: pytest tests/ -v
 
   build-and-push:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     if: github.event_name == 'push'
     needs: [lint, test]
     outputs:
@@ -69,12 +69,12 @@ jobs:
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
           echo "CalVer tag: $VERSION"
 
-      - name: Log in to GHCR
+      - name: Log in to Gitea Container Registry
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Extract metadata
         id: meta
@@ -102,7 +102,7 @@ jobs:
           git push origin "v${{ steps.calver.outputs.version }}"
 
   grype:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     needs: [build-and-push]
     if: github.event_name == 'push'
     steps:
@@ -126,24 +126,15 @@ jobs:
           ignore-file: .grype.yaml
 
   deploy-dev:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     needs: [grype]
     if: always() && !cancelled() && github.event_name == 'push' && github.ref == 'refs/heads/dev'
     steps:
-      - name: Generate GitHub App token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
-          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: infra
-
       - name: Checkout infra repo
         uses: actions/checkout@v4
         with:
           repository: cartsnitch/infra
-          token: ${{ steps.app-token.outputs.token }}
+          token: ${{ secrets.GITEA_TOKEN }}
           ref: main
           path: infra
 
@@ -156,7 +147,7 @@ jobs:
       - name: Update receiptwitness image tag
         run: |
           cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:sha-${{ github.sha }}
+          kustomize edit set image git.farh.net/cartsnitch/receiptwitness:sha-${{ github.sha }}
 
       - name: Commit and push to infra
         run: |
@@ -169,24 +160,15 @@ jobs:
           git push origin main
 
   deploy-uat:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     needs: [grype]
     if: always() && !cancelled() && github.event_name == 'push' && github.ref == 'refs/heads/uat'
     steps:
-      - name: Generate GitHub App token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
-          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: infra
-
       - name: Checkout infra repo
         uses: actions/checkout@v4
         with:
           repository: cartsnitch/infra
-          token: ${{ steps.app-token.outputs.token }}
+          token: ${{ secrets.GITEA_TOKEN }}
           ref: main
           path: infra
 
@@ -199,7 +181,7 @@ jobs:
       - name: Update receiptwitness image tag
         run: |
           cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ needs.build-and-push.outputs.calver_tag }}
+          kustomize edit set image git.farh.net/cartsnitch/receiptwitness:${{ needs.build-and-push.outputs.calver_tag }}
 
       - name: Commit and push to infra
         run: |

alembic/versions/001_add_email_inbound_token.py

@@ -34,4 +34,4 @@ def upgrade() -> None:
 
 def downgrade() -> None:
     op.drop_constraint("uq_users_email_inbound_token", "users", type_="unique")
-    op.drop_column("users", "email_inbound_token")
+    op.drop_column("users", "email_inbound_token")

src/receiptwitness/config.py

@@ -39,8 +39,8 @@ class ReceiptWitnessSettings(BaseSettings):
         if not self.session_encryption_key or self.session_encryption_key in _PLACEHOLDER_VALUES:
             errors.append(
                 "RW_SESSION_ENCRYPTION_KEY must be set to a secure value. "
-                "Generate one with: python -c \"from cryptography.fernet import Fernet; "
+                "Generate one with: python -c "
-                'print(Fernet.generate_key().decode())"'
+                '"from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"'
             )
         if self.notifications_enabled and not self.resend_api_key:
             errors.append(

src/receiptwitness/shared/models/stub_purchase.py

@@ -51,14 +51,13 @@ class Purchase(UUIDPrimaryKeyMixin, TimestampMixin, Base):
         nullable=False,
     )
 
-    # Relationships (stubs — canonical definitions in cartsnitch/common)
-    user: Mapped["User"] = relationship(back_populates="purchases")
-
     __table_args__ = (
         Index("ix_purchases_user_store", "user_id", "store_id"),
         UniqueConstraint("user_id", "store_id", "receipt_id", name="uq_purchase_receipt"),
     )
 
+    user: Mapped["User"] = relationship(back_populates="purchases")
+
 
 class PurchaseItem(UUIDPrimaryKeyMixin, TimestampMixin, Base):
     """Stub: a line item on a receipt. Full definition in cartsnitch/common."""

src/receiptwitness/shared/models/stub_store.py

@@ -28,7 +28,6 @@ class Store(UUIDPrimaryKeyMixin, TimestampMixin, Base):
     logo_url: Mapped[str | None] = mapped_column(String(500))
     website_url: Mapped[str | None] = mapped_column(String(500))
 
-    # Relationships (stubs — canonical definitions in cartsnitch/common)
     user_accounts: Mapped[list["UserStoreAccount"]] = relationship(back_populates="store")
 
 

src/receiptwitness/shared/models/user.py

@@ -5,7 +5,7 @@ import uuid
 from datetime import datetime
 from typing import TYPE_CHECKING
 
-from sqlalchemy import JSON, Boolean, DateTime, ForeignKey, String, Text, UniqueConstraint
+from sqlalchemy import JSON, Boolean, DateTime, ForeignKey, String, Text, UniqueConstraint, text
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 
 from receiptwitness.shared.constants import AccountStatus
@@ -27,6 +27,9 @@ class User(UUIDPrimaryKeyMixin, TimestampMixin, Base):
         nullable=False,
         unique=True,
         default=lambda: secrets.token_urlsafe(16),
+        server_default=text(
+            "replace(replace(trim(trailing '=' from encode(gen_random_bytes(16), 'base64')), '+', '-'), '/', '_')"  # noqa: E501
+        ),
     )
     hashed_password: Mapped[str | None] = mapped_column(String(255), nullable=True)
     display_name: Mapped[str | None] = mapped_column(String(100))

tests/test_pipeline/conftest.py

@@ -1,16 +1,31 @@
 """Shared test fixtures for pipeline tests."""
 
+import secrets
+
 import pytest
-from sqlalchemy import create_engine
+from sqlalchemy import create_engine, event
 from sqlalchemy.orm import sessionmaker
 
 from receiptwitness.shared.models import Base
+from receiptwitness.shared.models.user import User
+
+
+@event.listens_for(User, "before_insert")
+def _populate_email_inbound_token(mapper, connection, target):
+    """Populate email_inbound_token with a secure random value when unset.
+
+    SQLite has no gen_random_bytes() function, so we generate it in Python
+    instead of relying on the PostgreSQL server_default.
+    """
+    if target.email_inbound_token is None:
+        target.email_inbound_token = secrets.token_urlsafe(16)
 
 
 @pytest.fixture
 def engine():
     """In-memory SQLite engine for unit tests."""
     eng = create_engine("sqlite:///:memory:")
+    User.__table__.c.email_inbound_token.server_default = None
     Base.metadata.create_all(eng)
     yield eng
     eng.dispose()