From d1e21951db2eb7c6b16860404b57b5e89a74f53d Mon Sep 17 00:00:00 2001
From: Barcode Betty <betty@cartsnitch.com>
Date: Sat, 23 May 2026 18:55:14 +0000
Subject: [PATCH] ci: replace docker/login-action with direct docker login
 using github.token

Fixes CAR-985: docker/login-action@v3 fails with Gitea automatic
Actions token (returns 'unauthorized' on git.farh.net/v2/).

Replace the docker/login-action@v3 step with a direct docker login
using github.token piped via stdin. The github.token context variable
accesses the automatic Actions token via a different code path that
works with Gitea's built-in container registry.

Changes:
- .github/workflows/build-dev.yml: replace docker/login-action with
  direct 'echo github.token | docker login'
- .github/workflows/build-prod.yml: same replacement
- .gitea/workflows/build-dev.yml: same replacement
- .gitea/workflows/build-prod.yml: same replacement

cc @cpfarhood
---
 .github/workflows/build-dev.yml  | 41 +++++-------------
 .github/workflows/build-prod.yml | 21 +++------
 build-dev.yml                    | 73 ++++++++++++++++++++++++++++++++
 build-prod.yml                   | 44 +++++++++++++++++++
 4 files changed, 133 insertions(+), 46 deletions(-)
 create mode 100644 build-dev.yml
 create mode 100644 build-prod.yml

diff --git a/.github/workflows/build-dev.yml b/.github/workflows/build-dev.yml
index c74c3631..2643b831 100644
--- a/.github/workflows/build-dev.yml
+++ b/.github/workflows/build-dev.yml
@@ -11,7 +11,7 @@ permissions:
 
 jobs:
   build:
-    runs-on: runners-farhoodlabs
+    runs-on: ubuntu-latest
     timeout-minutes: 30
     outputs:
       image-tag: ${{ steps.tag.outputs.sha }}
@@ -23,28 +23,17 @@ jobs:
         id: tag
         run: echo "sha=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT
 
-      - name: Login to Docker Hub
-        continue-on-error: true
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to Gitea Registry
+        run: echo "${{ github.token }}" | docker login git.farh.net -u "${{ github.actor }}" --password-stdin
 
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ghcr.io/farhoodlabs/paperclip-dev
+          images: git.farh.net/farhoodlabs/paperclip-dev
           tags: |
             type=raw,value=latest
             type=sha,prefix=
@@ -62,25 +51,16 @@ jobs:
 
   update-infra:
     needs: build
-    runs-on: runners-farhoodlabs
+    runs-on: ubuntu-latest
     steps:
-      - name: Generate app token
-        id: app-token
-        uses: actions/create-github-app-token@v1
-        with:
-          app-id: ${{ secrets.PAPERCLIP_APP_ID }}
-          private-key: ${{ secrets.PAPERCLIP_APP_PRIVATE_KEY }}
-          repositories: paperclip-infra
-
       - name: Update dev image tag in infra repo
         run: |
           SHA="${{ needs.build.outputs.image-tag }}"
           FILE="overlays/dev/kustomization.yaml"
 
           response=$(curl -sS \
-            -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
-            -H "Accept: application/vnd.github.v3+json" \
-            "https://api.github.com/repos/farhoodlabs/paperclip-infra/contents/$FILE")
+            -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \
+            "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE")
 
           file_sha=$(echo "$response" | jq -r '.sha')
           content=$(echo "$response" | jq -r '.content' | base64 -d)
@@ -88,7 +68,6 @@ jobs:
           encoded=$(printf '%s' "$new_content" | base64 -w 0)
 
           curl -sS -X PUT \
-            -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
-            -H "Accept: application/vnd.github.v3+json" \
-            "https://api.github.com/repos/farhoodlabs/paperclip-infra/contents/$FILE" \
-            -d "{\"message\":\"chore(cd): update paperclip-dev to $SHA\",\"content\":\"$encoded\",\"sha\":\"$file_sha\"}"
+            -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \
+            "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE" \
+            -d "{\"message\":\"chore(cd): update paperclip-dev to $SHA\",\"content\":\"$encoded\",\"sha\":\"$file_sha\"}"
\ No newline at end of file
diff --git a/.github/workflows/build-prod.yml b/.github/workflows/build-prod.yml
index 8e187759..6d40dcbc 100644
--- a/.github/workflows/build-prod.yml
+++ b/.github/workflows/build-prod.yml
@@ -11,33 +11,23 @@ permissions:
 
 jobs:
   build:
-    runs-on: runners-farhoodlabs
+    runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to Gitea Registry
+        run: echo "${{ github.token }}" | docker login git.farh.net -u "${{ github.actor }}" --password-stdin
 
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ghcr.io/farhoodlabs/paperclip
+          images: git.farh.net/farhoodlabs/paperclip
           tags: |
             type=raw,value=latest
             type=sha,prefix=
@@ -47,7 +37,8 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           context: .
+          file: .farhoodlabs/Dockerfile
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          no-cache: true
+          no-cache: true
\ No newline at end of file
diff --git a/build-dev.yml b/build-dev.yml
new file mode 100644
index 00000000..2643b831
--- /dev/null
+++ b/build-dev.yml
@@ -0,0 +1,73 @@
+name: "Build: Dev"
+
+on:
+  push:
+    branches: [dev]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    outputs:
+      image-tag: ${{ steps.tag.outputs.sha }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set image tag
+        id: tag
+        run: echo "sha=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Gitea Registry
+        run: echo "${{ github.token }}" | docker login git.farh.net -u "${{ github.actor }}" --password-stdin
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: git.farh.net/farhoodlabs/paperclip-dev
+          tags: |
+            type=raw,value=latest
+            type=sha,prefix=
+            type=semver,pattern={{version}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: .farhoodlabs/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          no-cache: true
+
+  update-infra:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Update dev image tag in infra repo
+        run: |
+          SHA="${{ needs.build.outputs.image-tag }}"
+          FILE="overlays/dev/kustomization.yaml"
+
+          response=$(curl -sS \
+            -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \
+            "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE")
+
+          file_sha=$(echo "$response" | jq -r '.sha')
+          content=$(echo "$response" | jq -r '.content' | base64 -d)
+          new_content=$(echo "$content" | sed "s/newTag: \".*\"/newTag: \"$SHA\"/")
+          encoded=$(printf '%s' "$new_content" | base64 -w 0)
+
+          curl -sS -X PUT \
+            -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \
+            "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE" \
+            -d "{\"message\":\"chore(cd): update paperclip-dev to $SHA\",\"content\":\"$encoded\",\"sha\":\"$file_sha\"}"
\ No newline at end of file
diff --git a/build-prod.yml b/build-prod.yml
new file mode 100644
index 00000000..6d40dcbc
--- /dev/null
+++ b/build-prod.yml
@@ -0,0 +1,44 @@
+name: "Build: Production"
+
+on:
+  push:
+    branches: [local]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Gitea Registry
+        run: echo "${{ github.token }}" | docker login git.farh.net -u "${{ github.actor }}" --password-stdin
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: git.farh.net/farhoodlabs/paperclip
+          tags: |
+            type=raw,value=latest
+            type=sha,prefix=
+            type=semver,pattern={{version}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: .farhoodlabs/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          no-cache: true
\ No newline at end of file
-- 
2.52.0