Merge pull request 'fix(ci): migrate Docker registry from GHCR to Gitea' (#14) from barcode-betty/ghcr-to-gitea-registry into dev

Fixes CAR-1009.

- REGISTRY already git.farh.net (via CAR-964)
- Change GITEA_TOKEN → REGISTRY_TOKEN for consistency

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.gitea/workflows/ci.yml

@@ -15,12 +15,12 @@ permissions:
   packages: write
 
 env:
-  REGISTRY: ghcr.io
+  REGISTRY: git.farh.net
   IMAGE_NAME: cartsnitch/receiptwitness
 
 jobs:
   lint:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
@@ -33,7 +33,7 @@ jobs:
         run: ruff check src/ tests/
 
   test:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
@@ -46,7 +46,7 @@ jobs:
         run: pytest tests/ -v
 
   build-and-push:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     if: github.event_name == 'push'
     needs: [lint, test]
     outputs:
@@ -69,12 +69,12 @@ jobs:
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
           echo "CalVer tag: $VERSION"
 
-      - name: Log in to GHCR
+      - name: Log in to Gitea Container Registry
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Extract metadata
         id: meta
@@ -102,7 +102,7 @@ jobs:
           git push origin "v${{ steps.calver.outputs.version }}"
 
   grype:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     needs: [build-and-push]
     if: github.event_name == 'push'
     steps:
@@ -126,24 +126,15 @@ jobs:
           ignore-file: .grype.yaml
 
   deploy-dev:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     needs: [grype]
     if: always() && !cancelled() && github.event_name == 'push' && github.ref == 'refs/heads/dev'
     steps:
-      - name: Generate GitHub App token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
-          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: infra
-
       - name: Checkout infra repo
         uses: actions/checkout@v4
         with:
           repository: cartsnitch/infra
-          token: ${{ steps.app-token.outputs.token }}
+          token: ${{ secrets.GITEA_TOKEN }}
           ref: main
           path: infra
 
@@ -156,7 +147,7 @@ jobs:
       - name: Update receiptwitness image tag
         run: |
           cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:sha-${{ github.sha }}
+          kustomize edit set image git.farh.net/cartsnitch/receiptwitness:sha-${{ github.sha }}
 
       - name: Commit and push to infra
         run: |
@@ -169,24 +160,15 @@ jobs:
           git push origin main
 
   deploy-uat:
-    runs-on: runners-cartsnitch
+    runs-on: ubuntu-latest
     needs: [grype]
     if: always() && !cancelled() && github.event_name == 'push' && github.ref == 'refs/heads/uat'
     steps:
-      - name: Generate GitHub App token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
-          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
-          repositories: infra
-
       - name: Checkout infra repo
         uses: actions/checkout@v4
         with:
           repository: cartsnitch/infra
-          token: ${{ steps.app-token.outputs.token }}
+          token: ${{ secrets.GITEA_TOKEN }}
           ref: main
           path: infra
 
@@ -199,7 +181,7 @@ jobs:
       - name: Update receiptwitness image tag
         run: |
           cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ needs.build-and-push.outputs.calver_tag }}
+          kustomize edit set image git.farh.net/cartsnitch/receiptwitness:${{ needs.build-and-push.outputs.calver_tag }}
 
       - name: Commit and push to infra
         run: |

src/receiptwitness/config.py

@@ -3,7 +3,6 @@
 from pydantic import model_validator
 from pydantic_settings import BaseSettings
 
-
 _PLACEHOLDER_VALUES = {"change-me-in-production"}
 
 
@@ -40,7 +39,8 @@ class ReceiptWitnessSettings(BaseSettings):
         if not self.session_encryption_key or self.session_encryption_key in _PLACEHOLDER_VALUES:
             errors.append(
                 "RW_SESSION_ENCRYPTION_KEY must be set to a secure value. "
-                'Generate one with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"'
+                "Generate one with: python -c "
+                '"from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"'
             )
         if self.notifications_enabled and not self.resend_api_key:
             errors.append(

src/receiptwitness/events.py

@@ -7,12 +7,12 @@ from datetime import UTC, datetime
 from decimal import Decimal
 
 import redis.asyncio as aioredis
-from receiptwitness.shared.database import get_async_session_factory
-from receiptwitness.shared.models import User
 from sqlalchemy import select
 
 from receiptwitness.config import settings
 from receiptwitness.notifications.email import send_receipt_notification
+from receiptwitness.shared.database import get_async_session_factory
+from receiptwitness.shared.models import User
 
 logger = logging.getLogger(__name__)
 

src/receiptwitness/pipeline/matching.py

@@ -7,9 +7,6 @@ and batch matching for purchase ingestion.
 import uuid
 from dataclasses import dataclass
 
-from receiptwitness.shared.constants import MatchConfidence
-from receiptwitness.shared.models import NormalizedProduct
-from receiptwitness.shared.schemas import PurchaseItemCreate
 from sqlalchemy.orm import Session
 
 from receiptwitness.pipeline.normalization import (
@@ -18,6 +15,9 @@ from receiptwitness.pipeline.normalization import (
     extract_size_info,
     normalize_product,
 )
+from receiptwitness.shared.constants import MatchConfidence
+from receiptwitness.shared.models import NormalizedProduct
+from receiptwitness.shared.schemas import PurchaseItemCreate
 
 # Re-export for convenience
 ConfidenceLevel = MatchConfidence

src/receiptwitness/pipeline/normalization.py

@@ -10,11 +10,12 @@ import re
 from dataclasses import dataclass
 from enum import StrEnum
 
-from receiptwitness.shared.models import NormalizedProduct
-from sqlalchemy import cast, func, select, String
+from sqlalchemy import String, cast, func, select
 from sqlalchemy.dialects.postgresql import JSONB
 from sqlalchemy.orm import Session
 
+from receiptwitness.shared.models import NormalizedProduct
+
 
 class MatchMethod(StrEnum):
     """How a product match was determined."""

src/receiptwitness/shared/models/__init__.py

@@ -2,12 +2,12 @@
 
 from receiptwitness.shared.models.base import Base, TimestampMixin, UUIDPrimaryKeyMixin
 from receiptwitness.shared.models.product import NormalizedProduct
-from receiptwitness.shared.models.user import User, UserStoreAccount
+from receiptwitness.shared.models.stub_purchase import Purchase, PurchaseItem
 
 # Stub models — needed for relationship resolution but not directly used by receiptwitness.
 # Full definitions live in cartsnitch/common.
 from receiptwitness.shared.models.stub_store import Store, StoreLocation
-from receiptwitness.shared.models.stub_purchase import Purchase, PurchaseItem
+from receiptwitness.shared.models.user import User, UserStoreAccount
 
 __all__ = [
     "Base",

src/receiptwitness/shared/models/stub_purchase.py

@@ -8,12 +8,26 @@ UserStoreAccount. The canonical definitions live in cartsnitch/common.
 import uuid
 from datetime import date, datetime
 from decimal import Decimal
+from typing import TYPE_CHECKING
 
-from sqlalchemy import JSON, Date, DateTime, ForeignKey, Index, Numeric, String, UniqueConstraint, func
-from sqlalchemy.orm import Mapped, mapped_column
+from sqlalchemy import (
+    JSON,
+    Date,
+    DateTime,
+    ForeignKey,
+    Index,
+    Numeric,
+    String,
+    UniqueConstraint,
+    func,
+)
+from sqlalchemy.orm import Mapped, mapped_column, relationship
 
 from receiptwitness.shared.models.base import Base, TimestampMixin, UUIDPrimaryKeyMixin
 
+if TYPE_CHECKING:
+    from receiptwitness.shared.models.user import User
+
 
 class Purchase(UUIDPrimaryKeyMixin, TimestampMixin, Base):
     """Stub: a shopping trip/receipt. Full definition in cartsnitch/common."""
@@ -42,6 +56,8 @@ class Purchase(UUIDPrimaryKeyMixin, TimestampMixin, Base):
         UniqueConstraint("user_id", "store_id", "receipt_id", name="uq_purchase_receipt"),
     )
 
+    user: Mapped["User"] = relationship(back_populates="purchases")
+
 
 class PurchaseItem(UUIDPrimaryKeyMixin, TimestampMixin, Base):
     """Stub: a line item on a receipt. Full definition in cartsnitch/common."""

src/receiptwitness/shared/models/stub_store.py

@@ -6,6 +6,7 @@ UserStoreAccount. The canonical definitions live in cartsnitch/common.
 """
 
 import uuid
+from typing import TYPE_CHECKING
 
 from sqlalchemy import Float, ForeignKey, String
 from sqlalchemy.orm import Mapped, mapped_column, relationship
@@ -13,6 +14,9 @@ from sqlalchemy.orm import Mapped, mapped_column, relationship
 from receiptwitness.shared.constants import StoreSlug
 from receiptwitness.shared.models.base import Base, TimestampMixin, UUIDPrimaryKeyMixin
 
+if TYPE_CHECKING:
+    from receiptwitness.shared.models.user import UserStoreAccount
+
 
 class Store(UUIDPrimaryKeyMixin, TimestampMixin, Base):
     """Stub: canonical retailer. Full definition in cartsnitch/common."""
@@ -24,6 +28,8 @@ class Store(UUIDPrimaryKeyMixin, TimestampMixin, Base):
     logo_url: Mapped[str | None] = mapped_column(String(500))
     website_url: Mapped[str | None] = mapped_column(String(500))
 
+    user_accounts: Mapped[list["UserStoreAccount"]] = relationship(back_populates="store")
+
 
 class StoreLocation(UUIDPrimaryKeyMixin, TimestampMixin, Base):
     """Stub: physical store location. Full definition in cartsnitch/common."""

src/receiptwitness/shared/models/user.py

@@ -28,7 +28,7 @@ class User(UUIDPrimaryKeyMixin, TimestampMixin, Base):
         unique=True,
         default=lambda: secrets.token_urlsafe(16),
         server_default=text(
-            "replace(replace(trim(trailing '=' from encode(gen_random_bytes(16), 'base64')), '+', '-'), '/', '_')"
+            "replace(replace(trim(trailing '=' from encode(gen_random_bytes(16), 'base64')), '+', '-'), '/', '_')"  # noqa: E501
         ),
     )
     hashed_password: Mapped[str | None] = mapped_column(String(255), nullable=True)

src/receiptwitness/worker/email_worker.py

@@ -3,8 +3,6 @@
 import asyncio
 import logging
 
-from receiptwitness.shared.database import get_async_session_factory
-from receiptwitness.shared.models import User
 from sqlalchemy import select
 
 from receiptwitness.config import settings
@@ -15,6 +13,8 @@ from receiptwitness.parsers.email.kroger import KrogerEmailParser
 from receiptwitness.parsers.email.meijer import MeijerEmailParser
 from receiptwitness.parsers.email.target import TargetEmailParser
 from receiptwitness.queue.email import ack_email, consume_emails, get_redis
+from receiptwitness.shared.database import get_async_session_factory
+from receiptwitness.shared.models import User
 
 logger = logging.getLogger(__name__)
 

tests/test_config.py

@@ -1,4 +1,5 @@
 import pytest
+
 from receiptwitness.config import ReceiptWitnessSettings
 
 

tests/test_pipeline/conftest.py

@@ -1,15 +1,31 @@
 """Shared test fixtures for pipeline tests."""
 
+import secrets
+
 import pytest
-from receiptwitness.shared.models import Base
-from sqlalchemy import create_engine
+from sqlalchemy import create_engine, event
 from sqlalchemy.orm import sessionmaker
 
+from receiptwitness.shared.models import Base
+from receiptwitness.shared.models.user import User
+
+
+@event.listens_for(User, "before_insert")
+def _populate_email_inbound_token(mapper, connection, target):
+    """Populate email_inbound_token with a secure random value when unset.
+
+    SQLite has no gen_random_bytes() function, so we generate it in Python
+    instead of relying on the PostgreSQL server_default.
+    """
+    if target.email_inbound_token is None:
+        target.email_inbound_token = secrets.token_urlsafe(16)
+
 
 @pytest.fixture
 def engine():
     """In-memory SQLite engine for unit tests."""
     eng = create_engine("sqlite:///:memory:")
+    User.__table__.c.email_inbound_token.server_default = None
     Base.metadata.create_all(eng)
     yield eng
     eng.dispose()

tests/test_pipeline/test_matching.py

@@ -4,16 +4,15 @@ import uuid
 from datetime import UTC, datetime
 from decimal import Decimal
 
-from receiptwitness.shared.constants import MatchConfidence
-from receiptwitness.shared.models import NormalizedProduct
-from receiptwitness.shared.schemas import PurchaseItemCreate
-
 from receiptwitness.pipeline.matching import (
     ProductMatcher,
     classify_confidence,
     match_purchase_item,
 )
 from receiptwitness.pipeline.normalization import MatchMethod
+from receiptwitness.shared.constants import MatchConfidence
+from receiptwitness.shared.models import NormalizedProduct
+from receiptwitness.shared.schemas import PurchaseItemCreate
 
 
 class TestClassifyConfidence:

tests/test_pipeline/test_normalization.py

@@ -3,8 +3,6 @@
 import uuid
 from datetime import UTC, datetime
 
-from receiptwitness.shared.models import NormalizedProduct
-
 from receiptwitness.pipeline.normalization import (
     MatchMethod,
     clean_name,
@@ -14,6 +12,7 @@ from receiptwitness.pipeline.normalization import (
     match_by_upc,
     normalize_product,
 )
+from receiptwitness.shared.models import NormalizedProduct
 
 
 class TestCleanName: