From 2573de86d56fd7f249fe90f75c4e7b8adcf3ec5e Mon Sep 17 00:00:00 2001 From: Barcode Betty <32+cs_betty@noreply.git.farh.net> Date: Wed, 3 Jun 2026 20:09:56 +0000 Subject: [PATCH 1/3] Update .gitea/workflows/ci.yml --- .gitea/workflows/ci.yml | 66 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 60 insertions(+), 6 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index a305abd..673f0a4 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -542,16 +542,43 @@ jobs: cd infra/apps/overlays/dev kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} - - name: Commit and push to infra + - name: Commit and push to infra (via PR) + env: + CI_GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }} run: | cd infra git config user.name "cartsnitch-ci[bot]" git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net" git add apps/overlays/dev/kustomization.yaml git diff --cached --quiet && echo "No image changes to deploy" && exit 0 + BRANCH="ci/deploy-dev-${GITHUB_SHA}" + git checkout -b "$BRANCH" git commit -m "ci(dev): update cartsnitch, receiptwitness, api, and auth images" - git pull --rebase origin main - git push origin main + git push origin "$BRANCH" + PR_BODY=$(printf 'Auto-opened by deploy-dev (CAR-1195).\n\nBuild SHA: %s' "${GITHUB_SHA}") + PR_JSON=$(curl -sS -X POST \ + -H "Authorization: token ${CI_GITEA_TOKEN}" \ + -H "Content-Type: application/json" \ + -d "$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "ci(dev): update overlay image tags (${GITHUB_SHA::12})" --arg body "$PR_BODY" '{head:$head,base:$base,title:$title,body:$body}')" \ + "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls") + PR_NUM=$(echo "$PR_JSON" | jq -r '.number // empty') + if [ -z "$PR_NUM" ]; then + echo "::error::Failed to open PR against cartsnitch/infra: $PR_JSON" + exit 1 + fi + echo "Opened cartsnitch/infra PR #${PR_NUM} (head=${BRANCH})" + MERGE_RESP=$(curl -sS -X POST \ + -H "Authorization: token ${CI_GITEA_TOKEN}" \ + -H "Content-Type: application/json" \ + -d '{"Do":"merge"}' \ + "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge") + MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') + if [ "$MERGED" != "true" ]; then + echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP" + echo "::error::Reassign to cs_savannah (authorized merger for cartsnitch/infra main) for backstop merge." + exit 1 + fi + echo "PR #${PR_NUM} merged into cartsnitch/infra main" deploy-uat: runs-on: ubuntu-latest @@ -641,13 +668,40 @@ jobs: cd infra/apps/overlays/uat kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} - - name: Commit and push to infra + - name: Commit and push to infra (via PR) + env: + CI_GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }} run: | cd infra git config user.name "cartsnitch-ci[bot]" git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net" git add apps/overlays/uat/kustomization.yaml git diff --cached --quiet && echo "No image changes to deploy" && exit 0 + BRANCH="ci/deploy-uat-${GITHUB_SHA}" + git checkout -b "$BRANCH" git commit -m "ci(uat): update cartsnitch, receiptwitness, api, and auth images" - git pull --rebase origin main - git push origin main + git push origin "$BRANCH" + PR_BODY=$(printf 'Auto-opened by deploy-uat (CAR-1195).\n\nBuild SHA: %s' "${GITHUB_SHA}") + PR_JSON=$(curl -sS -X POST \ + -H "Authorization: token ${CI_GITEA_TOKEN}" \ + -H "Content-Type: application/json" \ + -d "$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "ci(uat): update overlay image tags (${GITHUB_SHA::12})" --arg body "$PR_BODY" '{head:$head,base:$base,title:$title,body:$body}')" \ + "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls") + PR_NUM=$(echo "$PR_JSON" | jq -r '.number // empty') + if [ -z "$PR_NUM" ]; then + echo "::error::Failed to open PR against cartsnitch/infra: $PR_JSON" + exit 1 + fi + echo "Opened cartsnitch/infra PR #${PR_NUM} (head=${BRANCH})" + MERGE_RESP=$(curl -sS -X POST \ + -H "Authorization: token ${CI_GITEA_TOKEN}" \ + -H "Content-Type: application/json" \ + -d '{"Do":"merge"}' \ + "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge") + MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') + if [ "$MERGED" != "true" ]; then + echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP" + echo "::error::Reassign to cs_savannah (authorized merger for cartsnitch/infra main) for backstop merge." + exit 1 + fi + echo "PR #${PR_NUM} merged into cartsnitch/infra main" From 3a69ec29b5e225288f17e8c431bfe7f71a55ec85 Mon Sep 17 00:00:00 2001 From: Barcode Betty <32+cs_betty@noreply.git.farh.net> Date: Wed, 3 Jun 2026 20:39:21 +0000 Subject: [PATCH 2/3] fix(ci): bind deploy PR API to secrets.CI_GITEA_TOKEN (CAR-1195) deploy-dev and deploy-uat had CI_GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }} which is the package-scoped container-registry token. PR creation and auto-merge against cartsnitch/infra would 403 on the first real push. Bind to secrets.CI_GITEA_TOKEN (the token the infra checkout already uses for branch push) so the Gitea API calls have repo-write scope. Co-Authored-By: Paperclip --- .gitea/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 673f0a4..662dc7b 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -544,7 +544,7 @@ jobs: - name: Commit and push to infra (via PR) env: - CI_GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }} + CI_GITEA_TOKEN: ${{ secrets.CI_GITEA_TOKEN }} run: | cd infra git config user.name "cartsnitch-ci[bot]" @@ -670,7 +670,7 @@ jobs: - name: Commit and push to infra (via PR) env: - CI_GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }} + CI_GITEA_TOKEN: ${{ secrets.CI_GITEA_TOKEN }} run: | cd infra git config user.name "cartsnitch-ci[bot]" From 83b553b58ec0ec5d5b0337c18ed0c27d2e0dddd8 Mon Sep 17 00:00:00 2001 From: Barcode Betty <32+cs_betty@noreply.git.farh.net> Date: Wed, 3 Jun 2026 20:53:54 +0000 Subject: [PATCH 3/3] ci: delete overlay deploy branches after merge Set delete_branch_after_merge:true on the auto-merge POST in both deploy-dev and deploy-uat so the per-deploy branches in cartsnitch/infra (ci/deploy-{dev,uat}-${GITHUB_SHA}) are removed once their overlay image-tag bump lands on main. Without this flag every successful deploy would leave a branch behind, accumulating in cartsnitch/infra and making future re-runs of the same SHA un-actionable from the existing branch name. Refs CAR-1195 (CTO fix #2). --- .gitea/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 662dc7b..27e95eb 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -570,7 +570,7 @@ jobs: MERGE_RESP=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ - -d '{"Do":"merge"}' \ + -d '{"Do":"merge","delete_branch_after_merge":true}' \ "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge") MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') if [ "$MERGED" != "true" ]; then @@ -696,7 +696,7 @@ jobs: MERGE_RESP=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ - -d '{"Do":"merge"}' \ + -d '{"Do":"merge","delete_branch_after_merge":true}' \ "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge") MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') if [ "$MERGED" != "true" ]; then