From 0000297e4fba5acbfb0b7cf0f2f21be88a9f5aa9 Mon Sep 17 00:00:00 2001 From: "Debbie (CartSnitch Engineering)" Date: Wed, 18 Mar 2026 23:48:43 +0000 Subject: [PATCH 1/8] Revert GHCR mirror configs to Docker Hub direct pulls Replace ghcr.io/cartsnitch/mirror/* images with Docker Hub originals, restore GHCR login guard, and add Docker Hub auth. Refs: CAR-77 Co-Authored-By: Paperclip --- .github/workflows/ci.yml | 7 +++++++ Dockerfile | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2f9b668..71f190a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -52,6 +52,7 @@ jobs: - uses: actions/checkout@v4 - name: Log in to GHCR + if: github.event_name == 'push' && github.ref == 'refs/heads/main' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} @@ -67,6 +68,12 @@ jobs: type=sha,prefix=sha- type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Build and push Docker image uses: docker/build-push-action@v6 with: diff --git a/Dockerfile b/Dockerfile index 4fe4b77..6a8b88d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Stage 1: Build -FROM ghcr.io/cartsnitch/mirror/node:20-alpine AS build +FROM node:20-alpine AS build WORKDIR /app @@ -10,7 +10,7 @@ COPY . . RUN npm run build # Stage 2: Production -FROM ghcr.io/cartsnitch/mirror/nginx:stable-alpine AS prod +FROM nginx:stable-alpine AS prod COPY --from=build /app/dist /usr/share/nginx/html COPY nginx.conf /etc/nginx/conf.d/default.conf From 58844b33fe62ca57361592244b9ee1f795368ced Mon Sep 17 00:00:00 2001 
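Review bot: The new `if:` on the "Log in to GHCR" step (PATCH 1/8, ci.yml hunk at -52,6) repeats the main-branch test used in the metadata `enable=` expression, but nothing visible shows that the build step's `push:` input is gated the same way. If it is not, a run outside main would attempt a push without registry credentials; the build step's inputs are outside the hunk, so this needs confirming against the full file. A comment above the step would record the intent: `# Registry credentials are only loaded for pushes to main; other runs build without logging in.`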
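Review bot: The added "Log in to Docker Hub" step (PATCH 1/8, ci.yml hunk at -67,6; added again unchanged in PATCH 6/8) passes `secrets.DOCKERHUB_TOKEN` to an action referenced by the mutable tag `docker/login-action@v3`. A tag can be moved to different code after review, so the step that receives the credential is better pinned to a full commit SHA, for example `uses: docker/login-action@<full-commit-sha>  # v3`, where the placeholder is the SHA of the release that was reviewed. The step also has no `if:`, unlike the GHCR login in the same patch, so it runs on every trigger and will presumably fail the job whenever the secrets resolve to empty strings.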
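Review bot: `FROM node:20-alpine AS build` (Dockerfile hunk at -1,5) and `FROM nginx:stable-alpine AS prod` (hunk at -10,7) resolve floating tags against Docker Hub at build time, so two builds of the same commit can produce different images and an upstream retag flows straight into the production stage. Pinning each base by digest keeps the tag readable while fixing the content: `FROM node:20-alpine@sha256:<digest-of-reviewed-image> AS build`, and likewise for nginx, with the placeholder replaced by the digest that was actually verified. Whether the removed GHCR mirror gave any content pinning is not visible here.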
From: "Debbie (CartSnitch Engineering)" Date: Wed, 18 Mar 2026 23:53:50 +0000 Subject: [PATCH 2/8] Fix: make Docker Hub auth conditional Docker Hub login step is now conditional on secret existence to avoid failures when org secrets are not yet provisioned. Refs: CAR-77 Co-Authored-By: Paperclip --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71f190a..d290b2a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -69,6 +69,7 @@ jobs: type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - name: Log in to Docker Hub + if: ${{ secrets.DOCKERHUB_USERNAME != '' }} uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} From e6f09a0212e66723e15fd0548588d892377dedb8 Mon Sep 17 00:00:00 2001 From: "Debbie (Paperclip Agent)" Date: Thu, 19 Mar 2026 00:52:11 +0000 Subject: [PATCH 3/8] Fix: remove conditional on Docker Hub login Board confirmed DOCKERHUB_USERNAME/DOCKERHUB_TOKEN secrets exist. Remove the conditional (which had a YAML parsing issue with unquoted !=). Refs: CAR-77 Co-Authored-By: Paperclip --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d290b2a..71f190a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -69,7 +69,6 @@ jobs: type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - name: Log in to Docker Hub - if: ${{ secrets.DOCKERHUB_USERNAME != '' }} uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} From fb6f4a0ed428ee26fc29550775fdc5e0fa6d90cb Mon Sep 17 00:00:00 2001 From: "Debbie (Paperclip Agent)" Date: Thu, 19 Mar 2026 00:55:24 +0000 Subject: [PATCH 4/8] Retrigger CI after org secrets provisioned Co-Authored-By: Paperclip From ec8100426867028f9ff65d07e2bce21b76722ff0 Mon Sep 17 00:00:00 2001 
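Review bot: The added `if: ${{ secrets.DOCKERHUB_USERNAME != '' }}` (PATCH 2/8) reads the `secrets` context in a step-level `if:`, where GitHub Actions does not make it available, so the workflow is rejected at validation instead of skipping the login. The documented pattern is to map the secret to a job-level variable, `DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}` under the job's `env:`, and test that instead: `if: env.DOCKERHUB_USERNAME != ''`. The job header is outside the hunk, so where that `env:` entry belongs has to be checked against the full file.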
From: "Debbie (Paperclip Agent)" Date: Thu, 19 Mar 2026 00:59:10 +0000 Subject: [PATCH 5/8] Remove Docker Hub auth (secrets not accessible from CI runners) DOCKERHUB_USERNAME/DOCKERHUB_TOKEN secrets are not accessible from the self-hosted runners. Remove credentials blocks and login steps to avoid template validation failures. Docker Hub pulls will use anonymous access. Refs: CAR-77 Co-Authored-By: Paperclip --- .github/workflows/ci.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71f190a..585655d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -68,12 +68,6 @@ jobs: type=sha,prefix=sha- type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - - name: Log in to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Build and push Docker image uses: docker/build-push-action@v6 with: From c81e14b8e7419e58341003059a56431233cf35de Mon Sep 17 00:00:00 2001 From: Deploy Debbie Date: Thu, 19 Mar 2026 01:43:34 +0000 Subject: [PATCH 6/8] Re-add Docker Hub auth to test secret accessibility Board confirms DOCKERHUB_USERNAME/DOCKERHUB_TOKEN exist. Testing whether they're now accessible from self-hosted runners. Refs: CAR-77 Co-Authored-By: Paperclip --- .github/workflows/ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 585655d..71f190a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -68,6 +68,12 @@ jobs: type=sha,prefix=sha- type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Build and push Docker image uses: docker/build-push-action@v6 with: 
From d0c887e29fc4d1e8f25502dffaa269278eb9bdbc Mon Sep 17 00:00:00 2001 From: Deploy Debbie Date: Thu, 19 Mar 2026 01:45:43 +0000 Subject: [PATCH 7/8] Debug: check Docker Hub secret accessibility from CI runners Adding diagnostic step to verify secret length before login attempt. Refs: CAR-77 Co-Authored-By: Paperclip --- .github/workflows/ci.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71f190a..9c93b7e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -68,6 +68,14 @@ jobs: type=sha,prefix=sha- type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} + - name: Debug Docker Hub secrets + run: | + echo "DOCKERHUB_USERNAME length: ${#DOCKERHUB_USERNAME}" + echo "DOCKERHUB_TOKEN length: ${#DOCKERHUB_TOKEN}" + env: + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Log in to Docker Hub uses: docker/login-action@v3 with: From b8091e367ee9b4070120719c793c91615135c411 Mon Sep 17 00:00:00 2001 From: Deploy Debbie Date: Thu, 19 Mar 2026 01:48:17 +0000 Subject: [PATCH 8/8] Remove Docker Hub auth and debug step Confirmed secrets are length 0 from CI runners. Docker Hub auth cannot work until secrets are properly scoped to these repos. Refs: CAR-77 Co-Authored-By: Paperclip --- .github/workflows/ci.yml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9c93b7e..585655d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
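Review bot: The "Debug Docker Hub secrets" step (PATCH 7/8) writes the exact length of `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` to the job log, which discloses more than the question being asked (are the secrets reachable at all) and stays readable to anyone with access to the run. Passing the values through `env:` rather than interpolating them into the script is the right shape; only the output needs narrowing, e.g. `[ -n "$DOCKERHUB_TOKEN" ] && echo "DOCKERHUB_TOKEN: set" || echo "DOCKERHUB_TOKEN: empty"`. The step carries no `if:`, so as written it runs for every trigger of the job.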
@@ -68,20 +68,6 @@ jobs: type=sha,prefix=sha- type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - - name: Debug Docker Hub secrets - run: | - echo "DOCKERHUB_USERNAME length: ${#DOCKERHUB_USERNAME}" - echo "DOCKERHUB_TOKEN length: ${#DOCKERHUB_TOKEN}" - env: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Log in to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Build and push Docker image uses: docker/build-push-action@v6 with: