From 912239a97b01d313e8c7e45aacc72f7741be9bab Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Tue, 5 May 2026 06:44:15 +0000 Subject: [PATCH 1/9] ci: add auth service build/deploy to CI pipeline Add build-and-push-auth job and update deploy-dev/uat to include auth image. - Add AUTH_IMAGE_NAME env var - Add build-and-push-auth job (modeled on build-and-push-api) - Add build-and-push-auth to deploy-dev and deploy-uat needs - Add auth image tag determination and update steps in both deploy jobs - Update commit messages to include auth --- .github/workflows/ci.yml | 131 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 127 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5dc66a7..b871174 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,6 +20,7 @@ env: IMAGE_NAME: cartsnitch/cartsnitch RECEIPTWITNESS_IMAGE_NAME: cartsnitch/receiptwitness API_IMAGE_NAME: cartsnitch/api + AUTH_IMAGE_NAME: cartsnitch/auth jobs: lint: @@ -381,9 +382,101 @@ jobs: APT_CACHE_BUST=${{ github.run_id }} cache-from: type=gha + build-and-push-auth: + runs-on: runners-cartsnitch + if: github.event_name == 'push' + needs: [lint, test] + outputs: + calver_tag: ${{ steps.calver.outputs.version }} + sha_tag: sha-${{ github.sha }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Generate CalVer tag + id: calver + if: github.event_name == 'push' && github.ref == 'refs/heads/main' + run: | + DATE_TAG=$(date -u +%Y.%m.%d) + EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1) + if [ -z "$EXISTING" ]; then VERSION="$DATE_TAG" + elif [ "$EXISTING" = "v${DATE_TAG}" ]; then VERSION="${DATE_TAG}.2" + else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi + echo "version=$VERSION" >> "$GITHUB_OUTPUT" + + - name: Log in to Docker Hub + if: github.event_name == 'push' + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Log in to GHCR + if: github.event_name == 'push' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (auth) + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }} + tags: | + type=sha,prefix=sha-,format=long + type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }} + type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} + + - name: Build Docker image + uses: docker/build-push-action@v6 + with: + context: ./auth + file: ./auth/Dockerfile + load: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + build-args: | + APT_CACHE_BUST=${{ github.run_id }} + cache-from: type=gha + cache-to: type=gha,mode=max + + - name: Scan auth image for vulnerabilities + uses: anchore/scan-action@v5 + id: scan + env: + GRYPE_CONFIG: .grype.yaml + with: + image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}" + fail-build: true + severity-cutoff: high + only-fixed: "true" + output-format: sarif + + - name: Upload auth scan results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarif }} + + - name: Push Docker image + if: github.event_name == 'push' + uses: docker/build-push-action@v6 + with: + context: ./auth + file: ./auth/Dockerfile + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + build-args: | + APT_CACHE_BUST=${{ github.run_id }} + cache-from: type=gha + deploy-dev: runs-on: runners-cartsnitch - needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api] + needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api, build-and-push-auth] if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main') steps: - name: Generate GitHub App token @@ -454,6 +547,21 @@ jobs: cd infra/apps/overlays/dev kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + - name: Determine image tag for auth + id: auth_tag + run: | + if [ "${{ github.ref }}" == "refs/heads/main" ]; then + echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" + else + echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + fi + + - name: Update auth image tag + if: needs.build-and-push-auth.result == 'success' + run: | + cd infra/apps/overlays/dev + kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} + - name: Commit and push to infra run: | cd infra @@ -461,13 +569,13 @@ jobs: git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" git add apps/overlays/dev/kustomization.yaml git diff --cached --quiet && echo "No image changes to deploy" && exit 0 - git commit -m "ci(dev): update cartsnitch, receiptwitness, and api images" + git commit -m "ci(dev): update cartsnitch, receiptwitness, api, and auth images" git pull --rebase origin main git push origin main deploy-uat: runs-on: runners-cartsnitch - needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api] + needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api, build-and-push-auth] if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main') steps: - name: Generate GitHub App token @@ -538,6 +646,21 @@ jobs: cd infra/apps/overlays/uat kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + - name: Determine image tag for auth + id: auth_tag + run: | + if [ "${{ github.ref }}" == "refs/heads/main" ]; then + echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" + else + echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + fi + + - name: Update auth image tag + if: needs.build-and-push-auth.result == 'success' + run: | + cd infra/apps/overlays/uat + kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} + - name: Commit and push to infra run: | cd infra @@ -545,6 +668,6 @@ jobs: git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" git add apps/overlays/uat/kustomization.yaml git diff --cached --quiet && echo "No image changes to deploy" && exit 0 - git commit -m "ci(uat): update cartsnitch, receiptwitness, and api images" + git commit -m "ci(uat): update cartsnitch, receiptwitness, api, and auth images" git pull --rebase origin main git push origin main From 752d7ed3d0bf960103983a9efa318054259bdaa9 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Tue, 5 May 2026 11:11:53 +0000 Subject: [PATCH 2/9] fix(auth): exclude test files from tsc compilation Exclude src/__tests__ from tsconfig to prevent test files from being compiled during Docker build. Fixes build-and-push-auth CI failure. Co-Authored-By: Paperclip --- auth/tsconfig.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/tsconfig.json b/auth/tsconfig.json index 764b72a..a1d4e8e 100644 --- a/auth/tsconfig.json +++ b/auth/tsconfig.json @@ -12,5 +12,5 @@ "resolveJsonModule": true }, "include": ["src"], - "exclude": ["node_modules", "dist"] + "exclude": ["node_modules", "dist", "src/__tests__"] } From 32495b150b3878cea5dd8bacc96455464c50eedd Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Thu, 21 May 2026 03:54:18 +0000 Subject: [PATCH 3/9] ci: convert GitHub Actions to Gitea Actions (ubuntu-latest) - Replace all runs-on: runners-cartsnitch with ubuntu-latest - Remove SARIF upload steps (no Gitea Security tab) - Replace GitHub App token with secrets.GITEA_TOKEN in deploy-dev and deploy-uat Co-Authored-By: Paperclip --- .github/workflows/ci.yml | 68 ++++++++++------------------------------ 1 file changed, 17 insertions(+), 51 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b871174..fe1832b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,7 +24,7 @@ env: jobs: lint: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 @@ -38,7 +38,7 @@ jobs: run: npx tsc --noEmit test: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 @@ -50,7 +50,7 @@ jobs: run: npx vitest run audit: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 @@ -62,7 +62,7 @@ jobs: run: npm audit --audit-level=high e2e: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 @@ -74,7 +74,7 @@ jobs: - run: npx playwright test lighthouse: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest needs: [test] steps: - uses: actions/checkout@v4 @@ -99,7 +99,7 @@ jobs: CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage" build-and-push: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest if: github.event_name == 'push' needs: [lint, test, e2e] outputs: @@ -175,11 +175,7 @@ jobs: only-fixed: "true" output-format: sarif - - name: Upload frontend scan results to GitHub Security - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: ${{ steps.scan.outputs.sarif }} + - name: Push Docker image if: github.event_name == 'push' @@ -199,7 +195,7 @@ jobs: git push origin "v${{ steps.calver.outputs.version }}" build-and-push-receiptwitness: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest if: github.event_name == 'push' needs: [lint, test] outputs: @@ -271,11 +267,7 @@ jobs: only-fixed: "true" output-format: sarif - - name: Upload receiptwitness scan results to GitHub Security - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: ${{ steps.scan.outputs.sarif }} + - name: Push Docker image if: github.event_name == 'push' @@ -291,7 +283,7 @@ jobs: cache-from: type=gha build-and-push-api: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest if: github.event_name == 'push' needs: [lint, test] outputs: @@ -363,11 +355,7 @@ jobs: only-fixed: "true" output-format: sarif - - name: Upload api scan results to GitHub Security - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: ${{ steps.scan.outputs.sarif }} + - name: Push Docker image if: github.event_name == 'push' @@ -383,7 +371,7 @@ jobs: cache-from: type=gha build-and-push-auth: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest if: github.event_name == 'push' needs: [lint, test] outputs: @@ -455,11 +443,7 @@ jobs: only-fixed: "true" output-format: sarif - - name: Upload auth scan results to GitHub Security - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: ${{ steps.scan.outputs.sarif }} + - name: Push Docker image if: github.event_name == 'push' @@ -475,24 +459,15 @@ jobs: cache-from: type=gha deploy-dev: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api, build-and-push-auth] if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main') steps: - - name: Generate GitHub App token - id: app-token - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ secrets.CARTSNITCH_APP_ID }} - private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: infra - - name: Checkout infra repo uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ steps.app-token.outputs.token }} + token: ${{ secrets.GITEA_TOKEN }} ref: main path: infra @@ -574,24 +549,15 @@ jobs: git push origin main deploy-uat: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api, build-and-push-auth] if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main') steps: - - name: Generate GitHub App token - id: app-token - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ secrets.CARTSNITCH_APP_ID }} - private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: infra - - name: Checkout infra repo uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ steps.app-token.outputs.token }} + token: ${{ secrets.GITEA_TOKEN }} ref: main path: infra From f4bbddd0dd6794795ec4ac1f42767eb75b06025c Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Thu, 21 May 2026 05:25:36 +0000 Subject: [PATCH 4/9] fix: use GHCR_USERNAME and GHCR_TOKEN for GHCR login in Gitea Actions Gitea's GITHUB_TOKEN authenticates against git.farh.net, not ghcr.io. Use explicit GHCR_USERNAME and GHCR_TOKEN secrets instead. Co-Authored-By: Paperclip --- .github/workflows/ci.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fe1832b..8b92dfd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -139,8 +139,8 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + username: ${{ secrets.GHCR_USERNAME }} + password: ${{ secrets.GHCR_TOKEN }} - name: Extract metadata id: meta @@ -229,8 +229,8 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + username: ${{ secrets.GHCR_USERNAME }} + password: ${{ secrets.GHCR_TOKEN }} - name: Extract metadata id: meta @@ -317,8 +317,8 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + username: ${{ secrets.GHCR_USERNAME }} + password: ${{ secrets.GHCR_TOKEN }} - name: Extract metadata (API) id: meta @@ -405,8 +405,8 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + username: ${{ secrets.GHCR_USERNAME }} + password: ${{ secrets.GHCR_TOKEN }} - name: Extract metadata (auth) id: meta From 96331c9fa724bcd72552125c693351218b65fddd Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Thu, 21 May 2026 11:57:33 +0000 Subject: [PATCH 5/9] Move .github/workflows to .gitea/workflows - Relocate all CI workflows from .github/workflows/ to .gitea/workflows/ - Root: .github/workflows/ci.yml -> .gitea/workflows/ci.yml - api/: api/.github/workflows/ci.yml -> api/.gitea/workflows/ci.yml - common/: common/.github/workflows/ci.yml -> common/.gitea/workflows/ci.yml - Gitea uses .gitea/workflows/ for CI configuration Co-Authored-By: Paperclip --- {.github => .gitea}/workflows/ci.yml | 0 api/{.github => .gitea}/workflows/ci.yml | 0 common/{.github => .gitea}/workflows/ci.yml | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename {.github => .gitea}/workflows/ci.yml (100%) rename api/{.github => .gitea}/workflows/ci.yml (100%) rename common/{.github => .gitea}/workflows/ci.yml (100%) diff --git a/.github/workflows/ci.yml b/.gitea/workflows/ci.yml similarity index 100% rename from .github/workflows/ci.yml rename to .gitea/workflows/ci.yml diff --git a/api/.github/workflows/ci.yml b/api/.gitea/workflows/ci.yml similarity index 100% rename from api/.github/workflows/ci.yml rename to api/.gitea/workflows/ci.yml diff --git a/common/.github/workflows/ci.yml b/common/.gitea/workflows/ci.yml similarity index 100% rename from common/.github/workflows/ci.yml rename to common/.gitea/workflows/ci.yml From 555ced4fdcbd7ba36f3824610ddb076225a0e48e Mon Sep 17 00:00:00 2001 From: cs_carl Date: Sat, 23 May 2026 14:20:38 +0000 Subject: [PATCH 6/9] ci: migrate image registry from ghcr.io to git.farh.net Replace GitHub Container Registry with Gitea's built-in container registry. - REGISTRY env var: ghcr.io -> git.farh.net - All 4 build-and-push jobs: replace GHCR login with Gitea registry login using cs_carl + GITEA_TOKEN (token already required for infra checkout) - deploy-dev/deploy-uat: update kustomize image refs to git.farh.net/* - Also fix legacy api/.gitea/workflows/ci.yml (non-executing nested file) Required secrets drop from 5 to 3: DOCKERHUB_USERNAME, DOCKERHUB_TOKEN, GITEA_TOKEN. GHCR_USERNAME and GHCR_TOKEN no longer needed. Co-Authored-By: Paperclip --- .gitea/workflows/ci.yml | 54 ++++++++++++++++++------------------- api/.gitea/workflows/ci.yml | 8 +++--- 2 files changed, 31 insertions(+), 31 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 8b92dfd..6ef6b57 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -16,7 +16,7 @@ permissions: security-events: write env: - REGISTRY: ghcr.io + REGISTRY: git.farh.net IMAGE_NAME: cartsnitch/cartsnitch RECEIPTWITNESS_IMAGE_NAME: cartsnitch/receiptwitness API_IMAGE_NAME: cartsnitch/api @@ -134,13 +134,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ secrets.GHCR_USERNAME }} - password: ${{ secrets.GHCR_TOKEN }} + username: cs_carl + password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata id: meta @@ -175,7 +175,7 @@ jobs: only-fixed: "true" output-format: sarif - + - name: Push Docker image if: github.event_name == 'push' @@ -224,13 +224,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ secrets.GHCR_USERNAME }} - password: ${{ secrets.GHCR_TOKEN }} + username: cs_carl + password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata id: meta @@ -267,7 +267,7 @@ jobs: only-fixed: "true" output-format: sarif - + - name: Push Docker image if: github.event_name == 'push' @@ -312,13 +312,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ secrets.GHCR_USERNAME }} - password: ${{ secrets.GHCR_TOKEN }} + username: cs_carl + password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata (API) id: meta @@ -355,7 +355,7 @@ jobs: only-fixed: "true" output-format: sarif - + - name: Push Docker image if: github.event_name == 'push' @@ -400,13 +400,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ secrets.GHCR_USERNAME }} - password: ${{ secrets.GHCR_TOKEN }} + username: cs_carl + password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata (auth) id: meta @@ -443,7 +443,7 @@ jobs: only-fixed: "true" output-format: sarif - + - name: Push Docker image if: github.event_name == 'push' @@ -490,7 +490,7 @@ jobs: if: needs.build-and-push.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} - name: Determine image tag for receiptwitness id: receiptwitness_tag @@ -505,7 +505,7 @@ jobs: if: needs.build-and-push-receiptwitness.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} - name: Determine image tag for api id: api_tag @@ -520,7 +520,7 @@ jobs: if: needs.build-and-push-api.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} - name: Determine image tag for auth id: auth_tag @@ -535,13 +535,13 @@ jobs: if: needs.build-and-push-auth.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} - name: Commit and push to infra run: | cd infra git config user.name "cartsnitch-ci[bot]" - git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" + git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net" git add apps/overlays/dev/kustomization.yaml git diff --cached --quiet && echo "No image changes to deploy" && exit 0 git commit -m "ci(dev): update cartsnitch, receiptwitness, api, and auth images" @@ -580,7 +580,7 @@ jobs: if: needs.build-and-push.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} - name: Determine image tag for receiptwitness id: receiptwitness_tag @@ -595,7 +595,7 @@ jobs: if: needs.build-and-push-receiptwitness.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} - name: Determine image tag for api id: api_tag @@ -610,7 +610,7 @@ jobs: if: needs.build-and-push-api.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} - name: Determine image tag for auth id: auth_tag @@ -625,13 +625,13 @@ jobs: if: needs.build-and-push-auth.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} - name: Commit and push to infra run: | cd infra git config user.name "cartsnitch-ci[bot]" - git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" + git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net" git add apps/overlays/uat/kustomization.yaml git diff --cached --quiet && echo "No image changes to deploy" && exit 0 git commit -m "ci(uat): update cartsnitch, receiptwitness, api, and auth images" diff --git a/api/.gitea/workflows/ci.yml b/api/.gitea/workflows/ci.yml index 5c61bb7..05549b1 100644 --- a/api/.gitea/workflows/ci.yml +++ b/api/.gitea/workflows/ci.yml @@ -15,7 +15,7 @@ permissions: packages: write env: - REGISTRY: ghcr.io + REGISTRY: git.farh.net IMAGE_NAME: cartsnitch/api jobs: @@ -130,13 +130,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' && github.ref == 'refs/heads/main' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + username: cs_carl + password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata id: meta From 821f1d20b36ea11f63772eeec8f5df123136f1e3 Mon Sep 17 00:00:00 2001 From: "cartsnitch-ci[bot]" Date: Sat, 23 May 2026 14:27:24 +0000 Subject: [PATCH 7/9] fix(ci): replace hardcoded cs_carl username and fix kustomize image rename syntax - Replace hardcoded 'cs_carl' Gitea registry username with '${{ github.actor }}' in all 5 login steps - Use kustomize 'OLD=NEW:TAG' rename syntax so existing ghcr.io image entries are updated instead of duplicated Co-Authored-By: Paperclip --- .gitea/workflows/ci.yml | 24 ++++++++++++------------ api/.gitea/workflows/ci.yml | 2 +- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 6ef6b57..15e5dd6 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -139,7 +139,7 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: cs_carl + username: ${{ github.actor }} password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata @@ -229,7 +229,7 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: cs_carl + username: ${{ github.actor }} password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata @@ -317,7 +317,7 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: cs_carl + username: ${{ github.actor }} password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata (API) @@ -405,7 +405,7 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: cs_carl + username: ${{ github.actor }} password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata (auth) @@ -490,7 +490,7 @@ jobs: if: needs.build-and-push.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} - name: Determine image tag for receiptwitness id: receiptwitness_tag @@ -505,7 +505,7 @@ jobs: if: needs.build-and-push-receiptwitness.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/receiptwitness=git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} - name: Determine image tag for api id: api_tag @@ -520,7 +520,7 @@ jobs: if: needs.build-and-push-api.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/api=git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} - name: Determine image tag for auth id: auth_tag @@ -535,7 +535,7 @@ jobs: if: needs.build-and-push-auth.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} - name: Commit and push to infra run: | @@ -580,7 +580,7 @@ jobs: if: needs.build-and-push.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} - name: Determine image tag for receiptwitness id: receiptwitness_tag @@ -595,7 +595,7 @@ jobs: if: needs.build-and-push-receiptwitness.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/receiptwitness=git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} - name: Determine image tag for api id: api_tag @@ -610,7 +610,7 @@ jobs: if: needs.build-and-push-api.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/api=git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} - name: Determine image tag for auth id: auth_tag @@ -625,7 +625,7 @@ jobs: if: needs.build-and-push-auth.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} - name: Commit and push to infra run: | diff --git a/api/.gitea/workflows/ci.yml b/api/.gitea/workflows/ci.yml index 05549b1..659d06c 100644 --- a/api/.gitea/workflows/ci.yml +++ b/api/.gitea/workflows/ci.yml @@ -135,7 +135,7 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: cs_carl + username: ${{ github.actor }} password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata From 2c4e9985b1e50def3d43c38edb3fb70fde565d5e Mon Sep 17 00:00:00 2001 From: cs_carl Date: Sat, 23 May 2026 14:29:45 +0000 Subject: [PATCH 8/9] ci: rename GITEA_TOKEN -> REGISTRY_TOKEN to match configured secret name cpfarhood confirmed the Gitea registry token is configured as REGISTRY_TOKEN (not GITEA_TOKEN). This applies to both the registry docker login steps and the infra repo checkout steps in deploy-dev/deploy-uat. Co-Authored-By: Paperclip --- .gitea/workflows/ci.yml | 12 ++++++------ api/.gitea/workflows/ci.yml | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 15e5dd6..e26c8c9 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -140,7 +140,7 @@ jobs: with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata id: meta @@ -230,7 +230,7 @@ jobs: with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata id: meta @@ -318,7 +318,7 @@ jobs: with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata (API) id: meta @@ -406,7 +406,7 @@ jobs: with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata (auth) id: meta @@ -467,7 +467,7 @@ jobs: uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ secrets.GITEA_TOKEN }} + token: ${{ secrets.REGISTRY_TOKEN }} ref: main path: infra @@ -557,7 +557,7 @@ jobs: uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ secrets.GITEA_TOKEN }} + token: ${{ secrets.REGISTRY_TOKEN }} ref: main path: infra diff --git a/api/.gitea/workflows/ci.yml b/api/.gitea/workflows/ci.yml index 659d06c..a7855ae 100644 --- a/api/.gitea/workflows/ci.yml +++ b/api/.gitea/workflows/ci.yml @@ -136,7 +136,7 @@ jobs: with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata id: meta From 5464e1a6717e6ef2afdbeecd79556aa33d29d828 Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Sat, 23 May 2026 15:11:00 +0000 Subject: [PATCH 9/9] Fix API crash: remove dead dispose_engine import ImportError: cannot import name 'dispose_engine' from 'cartsnitch_api.database' The function does not exist and is unused - lifespan already calls close_db() directly. Co-Authored-By: Paperclip --- api/src/cartsnitch_api/main.py | 1 - 1 file changed, 1 deletion(-) diff --git a/api/src/cartsnitch_api/main.py b/api/src/cartsnitch_api/main.py index bfd2755..720959c 100644 --- a/api/src/cartsnitch_api/main.py +++ b/api/src/cartsnitch_api/main.py @@ -6,7 +6,6 @@ from fastapi import APIRouter, FastAPI from cartsnitch_api.auth.routes import router as auth_router from cartsnitch_api.cache import cache_client -from cartsnitch_api.database import dispose_engine from cartsnitch_api.middleware.cors import add_cors_middleware from cartsnitch_api.middleware.error_handler import add_error_handlers, add_error_monitor_middleware from cartsnitch_api.middleware.rate_limit import add_rate_limit_middleware