From 555ced4fdcbd7ba36f3824610ddb076225a0e48e Mon Sep 17 00:00:00 2001 From: cs_carl Date: Sat, 23 May 2026 14:20:38 +0000 Subject: [PATCH 1/3] ci: migrate image registry from ghcr.io to git.farh.net Replace GitHub Container Registry with Gitea's built-in container registry. - REGISTRY env var: ghcr.io -> git.farh.net - All 4 build-and-push jobs: replace GHCR login with Gitea registry login using cs_carl + GITEA_TOKEN (token already required for infra checkout) - deploy-dev/deploy-uat: update kustomize image refs to git.farh.net/* - Also fix legacy api/.gitea/workflows/ci.yml (non-executing nested file) Required secrets drop from 5 to 3: DOCKERHUB_USERNAME, DOCKERHUB_TOKEN, GITEA_TOKEN. GHCR_USERNAME and GHCR_TOKEN no longer needed. Co-Authored-By: Paperclip --- .gitea/workflows/ci.yml | 54 ++++++++++++++++++------------------- api/.gitea/workflows/ci.yml | 8 +++--- 2 files changed, 31 insertions(+), 31 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 8b92dfd..6ef6b57 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -16,7 +16,7 @@ permissions: security-events: write env: - REGISTRY: ghcr.io + REGISTRY: git.farh.net IMAGE_NAME: cartsnitch/cartsnitch RECEIPTWITNESS_IMAGE_NAME: cartsnitch/receiptwitness API_IMAGE_NAME: cartsnitch/api @@ -134,13 +134,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ secrets.GHCR_USERNAME }} - password: ${{ secrets.GHCR_TOKEN }} + username: cs_carl + password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata id: meta @@ -175,7 +175,7 @@ jobs: only-fixed: "true" output-format: sarif - + - name: Push Docker image if: github.event_name == 'push' 
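Review bot: The `uses: docker/login-action@v3` step in the `@@ -134,13` hunk now receives `secrets.GITEA_TOKEN`, but the action is still referenced by a movable tag, so whatever code `v3` resolves to at run time is handed the registry credential. Pinning it to a reviewed commit, `uses: docker/login-action@<full-commit-sha>  # v3` (placeholder SHA), keeps the credential-handling code fixed. On a Gitea runner the host that `docker/login-action` is fetched from depends on the instance's default actions URL, which is not visible here and is worth confirming. The same step appears in the `@@ -224,13`, `@@ -312,13` and `@@ -400,13` hunks and in `api/.gitea/workflows/ci.yml`; the job bodies continue outside the hunks.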
@@ -224,13 +224,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ secrets.GHCR_USERNAME }} - password: ${{ secrets.GHCR_TOKEN }} + username: cs_carl + password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata id: meta @@ -267,7 +267,7 @@ jobs: only-fixed: "true" output-format: sarif - + - name: Push Docker image if: github.event_name == 'push' @@ -312,13 +312,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ secrets.GHCR_USERNAME }} - password: ${{ secrets.GHCR_TOKEN }} + username: cs_carl + password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata (API) id: meta @@ -355,7 +355,7 @@ jobs: only-fixed: "true" output-format: sarif - + - name: Push Docker image if: github.event_name == 'push' @@ -400,13 +400,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ secrets.GHCR_USERNAME }} - password: ${{ secrets.GHCR_TOKEN }} + username: cs_carl + password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata (auth) id: meta @@ -443,7 +443,7 @@ jobs: only-fixed: "true" output-format: sarif - + - name: Push Docker image if: github.event_name == 'push' 
@@ -490,7 +490,7 @@ jobs: if: needs.build-and-push.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} - name: Determine image tag for receiptwitness id: receiptwitness_tag @@ -505,7 +505,7 @@ jobs: if: needs.build-and-push-receiptwitness.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} - name: Determine image tag for api id: api_tag @@ -520,7 +520,7 @@ jobs: if: needs.build-and-push-api.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} - name: Determine image tag for auth id: auth_tag @@ -535,13 +535,13 @@ jobs: if: needs.build-and-push-auth.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} - name: Commit and push to infra run: | cd infra git config user.name "cartsnitch-ci[bot]" - git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" + git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net" git add apps/overlays/dev/kustomization.yaml git diff --cached --quiet && echo "No image changes to deploy" && exit 0 git commit -m "ci(dev): update cartsnitch, receiptwitness, api, and auth images" 
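Review bot: In the `@@ -490,7` hunk `${{ steps.frontend_tag.outputs.tag }}` is expanded into the `run:` script text before the shell parses it, so a tag value containing shell metacharacters would run as commands in a job that later commits and pushes to the infra repository. The "Determine image tag" steps lie outside the hunk, so whether the value can derive from a branch or ref name cannot be confirmed from here; passing it through the environment removes the question. Add `env:` with `IMAGE_TAG: ${{ steps.frontend_tag.outputs.tag }}` to the step and write `kustomize edit set image git.farh.net/cartsnitch/cartsnitch:"$IMAGE_TAG"` (`IMAGE_TAG` is a name made up for this note). The other kustomize steps in the dev and uat hunks, and their rewritten form in PATCH 2/3, have the same shape.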
@@ -580,7 +580,7 @@ jobs: if: needs.build-and-push.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} - name: Determine image tag for receiptwitness id: receiptwitness_tag @@ -595,7 +595,7 @@ jobs: if: needs.build-and-push-receiptwitness.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} - name: Determine image tag for api id: api_tag @@ -610,7 +610,7 @@ jobs: if: needs.build-and-push-api.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} - name: Determine image tag for auth id: auth_tag @@ -625,13 +625,13 @@ jobs: if: needs.build-and-push-auth.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} + kustomize edit set image git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} - name: Commit and push to infra run: | cd infra git config user.name "cartsnitch-ci[bot]" - git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" + git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net" git add apps/overlays/uat/kustomization.yaml git diff --cached --quiet && echo "No image changes to deploy" && exit 0 git commit -m "ci(uat): update cartsnitch, receiptwitness, api, and auth images" diff --git a/api/.gitea/workflows/ci.yml b/api/.gitea/workflows/ci.yml index 5c61bb7..05549b1 100644 --- a/api/.gitea/workflows/ci.yml +++ b/api/.gitea/workflows/ci.yml 
@@ -15,7 +15,7 @@ permissions: packages: write env: - REGISTRY: ghcr.io + REGISTRY: git.farh.net IMAGE_NAME: cartsnitch/api jobs: @@ -130,13 +130,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' && github.ref == 'refs/heads/main' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + username: cs_carl + password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata id: meta From 821f1d20b36ea11f63772eeec8f5df123136f1e3 Mon Sep 17 00:00:00 2001 From: "cartsnitch-ci[bot]" Date: Sat, 23 May 2026 14:27:24 +0000 Subject: [PATCH 2/3] fix(ci): replace hardcoded cs_carl username and fix kustomize image rename syntax - Replace hardcoded 'cs_carl' Gitea registry username with '${{ github.actor }}' in all 5 login steps - Use kustomize 'OLD=NEW:TAG' rename syntax so existing ghcr.io image entries are updated instead of duplicated Co-Authored-By: Paperclip --- .gitea/workflows/ci.yml | 24 ++++++++++++------------ api/.gitea/workflows/ci.yml | 2 +- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 6ef6b57..15e5dd6 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -139,7 +139,7 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: cs_carl + username: ${{ github.actor }} password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata @@ -229,7 +229,7 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: cs_carl + username: ${{ github.actor }} password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata @@ -317,7 +317,7 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: cs_carl + username: ${{ github.actor }} password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata (API) 
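Review bot: `username: ${{ github.actor }}` in the `@@ -139,7` hunk pairs a per-run value, the account that triggered the workflow, with a fixed token that belongs to one account. If the registry checks the username against the token owner, runs triggered by anyone else, including `cartsnitch-ci[bot]`, would fail to log in; if it ignores the username, the field carries no meaning and only looks like an identity check. Storing the account name beside the token, `username: ${{ secrets.REGISTRY_USERNAME }}` (placeholder secret name), keeps the pair consistent without hard-coding a person's login. This applies to all five login steps the commit touches.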
@@ -405,7 +405,7 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: cs_carl + username: ${{ github.actor }} password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata (auth) @@ -490,7 +490,7 @@ jobs: if: needs.build-and-push.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} - name: Determine image tag for receiptwitness id: receiptwitness_tag @@ -505,7 +505,7 @@ jobs: if: needs.build-and-push-receiptwitness.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/receiptwitness=git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} - name: Determine image tag for api id: api_tag @@ -520,7 +520,7 @@ jobs: if: needs.build-and-push-api.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/api=git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} - name: Determine image tag for auth id: auth_tag @@ -535,7 +535,7 @@ jobs: if: needs.build-and-push-auth.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} - name: Commit and push to infra run: | 
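Review bot: The rewritten `kustomize edit set image` line in the `@@ -490,7` hunk still records the image by tag, so the commit written to the infra repository does not pin what was actually built; if that tag can be re-pushed (the tag logic is outside the hunk), the deployed content can change without any commit. kustomize accepts a digest in the same position, e.g. `kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch@<digest-from-build-job>` (placeholder), which would need the build job to expose the pushed digest as an output. A shell comment above the command, `# keep the existing ghcr.io entry as the match name; only the new name and tag change`, would also explain the OLD=NEW form to the next reader. The same holds for the other seven kustomize steps in the dev and uat hunks.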
@@ -580,7 +580,7 @@ jobs: if: needs.build-and-push.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} - name: Determine image tag for receiptwitness id: receiptwitness_tag @@ -595,7 +595,7 @@ jobs: if: needs.build-and-push-receiptwitness.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/receiptwitness=git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} - name: Determine image tag for api id: api_tag @@ -610,7 +610,7 @@ jobs: if: needs.build-and-push-api.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/api=git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} - name: Determine image tag for auth id: auth_tag @@ -625,7 +625,7 @@ jobs: if: needs.build-and-push-auth.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} - name: Commit and push to infra run: | diff --git a/api/.gitea/workflows/ci.yml b/api/.gitea/workflows/ci.yml index 05549b1..659d06c 100644 --- a/api/.gitea/workflows/ci.yml +++ b/api/.gitea/workflows/ci.yml @@ -135,7 +135,7 @@ jobs: uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} - username: cs_carl + username: ${{ github.actor }} password: ${{ secrets.GITEA_TOKEN }} - name: Extract metadata From 2c4e9985b1e50def3d43c38edb3fb70fde565d5e Mon Sep 17 00:00:00 2001 
From: cs_carl Date: Sat, 23 May 2026 14:29:45 +0000 Subject: [PATCH 3/3] ci: rename GITEA_TOKEN -> REGISTRY_TOKEN to match configured secret name cpfarhood confirmed the Gitea registry token is configured as REGISTRY_TOKEN (not GITEA_TOKEN). This applies to both the registry docker login steps and the infra repo checkout steps in deploy-dev/deploy-uat. Co-Authored-By: Paperclip --- .gitea/workflows/ci.yml | 12 ++++++------ api/.gitea/workflows/ci.yml | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 15e5dd6..e26c8c9 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -140,7 +140,7 @@ jobs: with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata id: meta @@ -230,7 +230,7 @@ jobs: with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata id: meta @@ -318,7 +318,7 @@ jobs: with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata (API) id: meta @@ -406,7 +406,7 @@ jobs: with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata (auth) id: meta @@ -467,7 +467,7 @@ jobs: uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ secrets.GITEA_TOKEN }} + token: ${{ secrets.REGISTRY_TOKEN }} ref: main path: infra @@ -557,7 +557,7 @@ jobs: uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ secrets.GITEA_TOKEN }} + token: ${{ secrets.REGISTRY_TOKEN }} ref: main path: infra diff --git a/api/.gitea/workflows/ci.yml b/api/.gitea/workflows/ci.yml index 659d06c..a7855ae 100644 
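Review bot: After this rename the `token:` of the infra checkout in the `@@ -467,7` and `@@ -557,7` hunks and the `password:` of every registry login are the same `REGISTRY_TOKEN`, so one long-lived credential must carry both package-push rights and write access to `cartsnitch/infra`, and each of the four build jobs is handed a token that can change deployment manifests. Splitting them limits what a compromised build step can reach: keep `password: ${{ secrets.REGISTRY_TOKEN }}` scoped to packages only, and give the checkout its own secret, `token: ${{ secrets.INFRA_PUSH_TOKEN }}` (placeholder name), held by an account whose write access is limited to that repository. The name `REGISTRY_TOKEN` on a git checkout will also mislead whoever rotates it. The deploy job bodies continue outside the hunks.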
--- a/api/.gitea/workflows/ci.yml +++ b/api/.gitea/workflows/ci.yml @@ -136,7 +136,7 @@ jobs: with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITEA_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata id: meta