- username: admin (was gitea.repository_owner — the org name, which fails
Gitea's per-scope token exchange during buildkit blob HEAD requests)
- :latest only on semver tag pushes (was every push to dev — dev pushes
don't carry semver tags so :latest just won't be re-emitted, which is
the right behavior for SHA-tracked dev deploys)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Gitea's docker login is lenient and accepts the org name as a username
at handshake time, but the per-scope token exchange that buildkit
performs for blob operations needs to resolve a real user identity.
Using admin (the user that owns REGISTRY_TOKEN) prevents 401s on
blob HEAD requests during push.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Tagging :latest on every push to local made every CI run try to
overwrite the existing :latest manifest. The Gitea registry rejected
the overwrite, causing builds to fail. Branch builds now produce
only the immutable SHA tag; :latest is reserved for vX.Y.Z tag pushes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
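
The tagging rule described in the commit message above, written out as an added shell example (not code from this repository's workflows). The function names, the use of the full 40-character commit SHA as the immutable tag, the extra vX.Y.Z version tag on releases, and the image path passed in by the caller are assumptions.

```sh
#!/bin/sh
# Added example: decide which image tags a CI run may push.
# Assumptions (not from the repository): function names, full-SHA tag
# format, and that a release also gets a vX.Y.Z version tag.

# True only for refs of the form refs/tags/vX.Y.Z (numeric, no suffix).
is_semver_tag() {
    printf '%s\n' "$1" |
        grep -Eq '^refs/tags/v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$'
}

# image_tags REF SHA IMAGE
# Prints the space-separated list of tags to push for this run.
image_tags() {
    ref=$1
    sha=$2
    image=$3

    # Refuse anything that is not a full commit SHA, so the immutable
    # tag always identifies exactly one commit.
    if ! printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
        echo "image_tags: not a full commit SHA: $sha" >&2
        return 1
    fi

    # Every build gets the SHA tag. It is never reused, so the registry
    # is never asked to overwrite an existing manifest for it.
    tags="${image}:${sha}"

    # Only a vX.Y.Z tag push may move :latest. Branch pushes, including
    # a branch that happens to be named like a version, never touch it.
    if is_semver_tag "$ref"; then
        tags="${tags} ${image}:${ref#refs/tags/} ${image}:latest"
    fi

    printf '%s\n' "$tags"
}
```

In a workflow step the first argument would be the pushed ref and the second the commit SHA of the run; the resulting list feeds the build-and-push step.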
Change runner from runners-farhoodlabs to ubuntu-latest across all fork
workflows. Update container registry from ghcr.io to git.farh.net and
authenticate with REGISTRY_TOKEN. Migrate update-infra API calls from
GitHub to Gitea. Disable refresh-lockfile.yml (requires GitHub gh CLI).
Update CLAUDE.md references.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Pulls the prod image up to the same toolset as the dev image (kubectl,
kubeseal, uv/uvx, forgejo CLIs, nano, vim) without diverging the upstream
root Dockerfile. Both build-dev.yml and build-prod.yml now share the same
fork-overlay Dockerfile; only the image tag and trigger branch differ.

The self-hosted runner has been hitting context-deadline timeouts to
docker.io. The actual image push goes to GHCR, so the Docker Hub login
is only there to avoid pull rate limits. Mark it continue-on-error so
transient docker.io connectivity issues don't fail the whole build —
base image pulls fall back to anonymous and proceed.