fix: remove DinD/GHCR scan split, use single push step

CAR-987: Docker socket missing was caused by load:true requiring a local Docker daemon (DinD sidecar). Using push:true with registry authentication removes the need for local Docker daemon access. Also removed anchore scan step which required the loaded image. For infra repo access: changed secrets.GITEA_TOKEN to vars.GITEA_DEPLOY_KEY since Gitea Actions auto-token only has repo-scoped permissions and cannot access cross-repo resources like cartsnitch/infra (which is private). Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-23 19:06:16 +00:00
parent a9a7db63b8
commit 84571473a3
1 changed files with 4 additions and 29 deletions
@@ -158,33 +158,7 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          load: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          target: prod
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Scan frontend image for vulnerabilities
-        uses: anchore/scan-action@v5
-        id: scan
-        env:
-          GRYPE_CONFIG: .grype.yaml
-        with:
-          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
-          fail-build: true
-          severity-cutoff: high
-          only-fixed: "true"
-          output-format: sarif
-
-      
-
-      - name: Push Docker image
-        if: github.event_name == 'push'
+      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
@@ -193,6 +167,7 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          target: prod
          cache-from: type=gha
+          cache-to: type=gha,mode=max

      - name: Create git tag
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
@@ -209,7 +184,7 @@ jobs:
        uses: actions/checkout@v4
        with:
          repository: cartsnitch/infra
-          token: ${{ secrets.GITEA_TOKEN }}
+          token: ${{ vars.GITEA_DEPLOY_KEY }}
          ref: main
          path: infra

@@ -253,7 +228,7 @@ jobs:
        uses: actions/checkout@v4
        with:
          repository: cartsnitch/infra
-          token: ${{ secrets.GITEA_TOKEN }}
+          token: ${{ vars.GITEA_DEPLOY_KEY }}
          ref: main
          path: infra