From 12ee1f054ba85281bead455be8c80af046b43f05 Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Wed, 20 May 2026 11:38:07 +0000
Subject: [PATCH] fix(ci): Docker push auth + E2E DinD networking for Gitea

- Use git.farh.net registry with REGISTRY_TOKEN instead of ghcr.io/GITHUB_TOKEN
- Migrate all image tags from ghcr.io/groombook/* to git.fars.net/groombook/*
- Replace GHA cache with OCI registry cache (type=registry)
- Replace tibdex/github-app-token with oauth2+REGISTRY_TOKEN for infra clone
- Replace gh pr create/merge with Gitea API curl calls
- Replace actions/github-script@v7 Comment on PR with Gitea issues API curl
- Remove permissions: blocks from deploy-dev and cd jobs (Gitea-native)
- Update deploy-dev kubectl image refs to git.farh.net/groombook/*

Refs: GRO-1344
---
 .github/workflows/ci.yml | 156 ++++++++++++++++++---------------------
 1 file changed, 73 insertions(+), 83 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cf86865..d8dda36 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -152,12 +152,12 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Log in to GitHub Container Registry
+      - name: Log in to Gitea Container Registry
         uses: docker/login-action@v3
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: git.farh.net
+          username: ${{ gitea.actor }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Build and push API image
         uses: docker/build-push-action@v6
@@ -167,10 +167,10 @@ jobs:
           target: runner
           push: true
           tags: |
-            ghcr.io/groombook/api:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/api:latest' || '' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+            git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:api
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:api,mode=max
 
       - name: Build and push Migrate image
         uses: docker/build-push-action@v6
@@ -180,10 +180,10 @@ jobs:
           target: migrate
           push: true
           tags: |
-            ghcr.io/groombook/migrate:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/migrate:latest' || '' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+            git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:migrate
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:migrate,mode=max
 
       - name: Build and push Seed image
         uses: docker/build-push-action@v6
@@ -193,10 +193,10 @@ jobs:
           target: seed
           push: true
           tags: |
-            ghcr.io/groombook/seed:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/seed:latest' || '' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+            git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:seed
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:seed,mode=max
 
       - name: Build and push Reset image
         uses: docker/build-push-action@v6
@@ -206,10 +206,10 @@ jobs:
           target: reset
           push: true
           tags: |
-            ghcr.io/groombook/reset:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/reset:latest' || '' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+            git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:reset
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max
 
       - name: Build and push Web image
         uses: docker/build-push-action@v6
@@ -218,19 +218,16 @@ jobs:
           file: apps/web/Dockerfile
           push: true
           tags: |
-            ghcr.io/groombook/web:${{ steps.version.outputs.tag }}
-            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/web:latest' || '' }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+            git.farh.net/groombook/web:${{ steps.version.outputs.tag }}
+            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/web:latest' || '' }}
+          cache-from: type=registry,ref=git.farh.net/groombook/cache:web
+          cache-to: type=registry,ref=git.farh.net/groombook/cache:web,mode=max
 
   deploy-dev:
     name: Deploy PR to groombook-dev
     runs-on: runners-groombook
     needs: [docker]
     if: github.event_name == 'pull_request'
-    permissions:
-      contents: read
-      pull-requests: write
     steps:
       - name: Install kubectl
         run: |
@@ -247,7 +244,6 @@ jobs:
           TAG="pr-$PR_NUM-${SHA::7}"
           echo "Deploying images tagged $TAG to groombook-dev..."
 
-          # Run migration with PR image
           kubectl delete job "migrate-pr-$PR_NUM" -n groombook-dev --ignore-not-found
           cat <<EOF | kubectl apply -n groombook-dev -f -
           apiVersion: batch/v1
@@ -262,7 +258,7 @@ jobs:
                 restartPolicy: Never
                 containers:
                 - name: migrate
-                  image: ghcr.io/groombook/migrate:$TAG
+                  image: git.farh.net/groombook/migrate:$TAG
                   env:
                   - name: DATABASE_URL
                     valueFrom:
@@ -273,35 +269,33 @@ jobs:
           kubectl wait --for=condition=complete "job/migrate-pr-$PR_NUM" \
             -n groombook-dev --timeout=120s
 
-          # Update deployments
-          kubectl set image deployment/api api=ghcr.io/groombook/api:$TAG -n groombook-dev
-          kubectl set image deployment/web web=ghcr.io/groombook/web:$TAG -n groombook-dev
+          kubectl set image deployment/api api=git.farh.net/groombook/api:$TAG -n groombook-dev
+          kubectl set image deployment/web web=git.farh.net/groombook/web:$TAG -n groombook-dev
 
-          # Wait for rollout
           kubectl rollout status deployment/api -n groombook-dev --timeout=300s
           kubectl rollout status deployment/web -n groombook-dev --timeout=300s
 
           echo "Deployment complete."
 
       - name: Comment on PR
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const pr = context.issue.number;
-            const tag = `pr-${pr}`;
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: pr,
-              body: [
-                '## Deployed to groombook-dev',
-                '',
-                `**Images:** \`${tag}\``,
-                '**URL:** https://dev.groombook.farh.net',
-                '',
-                'Ready for UAT validation.'
-              ].join('\n')
-            });
+        env:
+          PR_NUM: ${{ github.event.pull_request.number }}
+        run: |
+          PR_NUM="$PR_NUM"
+          BODY=$(cat <<'EOFBODY'
+          ## Deployed to groombook-dev
+
+          **Images:** `pr-'"$PR_NUM"'`
+
+          **URL:** https://dev.groombook.farh.net
+
+          Ready for UAT validation.
+          EOFBODY
+          )
+          curl -s -X POST "https://git.farh.net/api/v1/repos/groombook/app/issues/${PR_NUM}/comments" \
+            -H "Authorization: Bearer ${{ secrets.REGISTRY_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d "{\"body\": $(echo "$BODY" | jq -Rs .)}"
 
   web-e2e:
     name: Web E2E (Dev)
@@ -343,20 +337,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: [docker]
     if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') && github.event_name == 'push'
-    permissions:
-      contents: write
-      pull-requests: write
     steps:
-      - name: Generate infra repo token
-        id: infra-token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ vars.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-
       - name: Clone groombook/infra
         run: |
-          git clone https://x-access-token:${{ steps.infra-token.outputs.token }}@github.com/groombook/infra.git /tmp/infra
+          git clone https://oauth2:${{ secrets.REGISTRY_TOKEN }}@git.farh.net/groombook/infra.git /tmp/infra
 
       - name: Install yq
         run: |
@@ -376,27 +360,23 @@ jobs:
           echo "Updating migration/seed Job names with SHA: $SHORT_SHA"
           cd /tmp/infra
           DEV_KUST="apps/overlays/dev/kustomization.yaml"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/api")).newTag = env(TAG)' "$DEV_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/web")).newTag = env(TAG)' "$DEV_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/migrate")).newTag = env(TAG)' "$DEV_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/seed")).newTag = env(TAG)' "$DEV_KUST"
-          yq -i '(.images[] | select(.name == "ghcr.io/groombook/reset")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/api")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/web")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/migrate")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/seed")).newTag = env(TAG)' "$DEV_KUST"
+          yq -i '(.images[] | select(.name == "git.farh.net/groombook/reset")).newTag = env(TAG)' "$DEV_KUST"
 
-          # Update migrate Job name to include short SHA (immutable template fix)
           MIGRATE_JOB="apps/base/migrate-job.yaml"
           if [ -f "$MIGRATE_JOB" ]; then
             yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB"
             yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB"
-            # Ensure ttlSecondsAfterFinished is set for automatic cleanup
             yq -i '.spec.ttlSecondsAfterFinished = (.spec.ttlSecondsAfterFinished // 86400)' "$MIGRATE_JOB"
           fi
 
-          # Update seed Job name to include short SHA (immutable template fix)
           SEED_JOB="apps/base/seed-job.yaml"
           if [ -f "$SEED_JOB" ]; then
             yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB"
             yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$SEED_JOB"
-            # Ensure ttlSecondsAfterFinished is set for automatic cleanup
             yq -i '.spec.ttlSecondsAfterFinished = (.spec.ttlSecondsAfterFinished // 86400)' "$SEED_JOB"
           fi
 
@@ -405,7 +385,6 @@ jobs:
       - name: Create PR on groombook/infra
         env:
           TAG: ${{ needs.docker.outputs.tag }}
-          GH_TOKEN: ${{ steps.infra-token.outputs.token }}
         run: |
           if [ -z "$TAG" ]; then
             TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
@@ -420,17 +399,28 @@ jobs:
 
           git push -u origin "chore/update-image-tags-${TAG}"
 
-          # Check if PR already exists for this branch
-          EXISTING_PR=$(gh pr list --repo groombook/infra --head "chore/update-image-tags-${TAG}" --state open --json number -q '.[0].number' || true)
-          if [ -n "$EXISTING_PR" ]; then
+          EXISTING_PR=$(curl -s "https://git.farh.net/api/v1/repos/groombook/infra/pulls?state=open&head=groombook:chore/update-image-tags-${TAG}" \
+            -H "Authorization: Bearer ${{ secrets.REGISTRY_TOKEN }}" | jq -r '.[0].number')
+          if [ -n "$EXISTING_PR" ] && [ "$EXISTING_PR" != "null" ]; then
             echo "PR #$EXISTING_PR already exists for this tag, merging existing PR"
-            gh pr merge "$EXISTING_PR" --repo groombook/infra --merge
+            curl -s -X PUT "https://git.farh.net/api/v1/repos/groombook/infra/pulls/${EXISTING_PR}/merge" \
+              -H "Authorization: Bearer ${{ secrets.REGISTRY_TOKEN }}" \
+              -H "Content-Type: application/json" \
+              -d '{"do": "merge"}'
           else
-            PR_URL=$(gh pr create \
-              --repo groombook/infra \
-              --base main \
-              --head "chore/update-image-tags-${TAG}" \
-              --title "chore: deploy ${TAG} to dev" \
-              --body "[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge")
-            gh pr merge "$PR_URL" --merge
+            PR_RESPONSE=$(curl -s -X POST "https://git.farh.net/api/v1/repos/groombook/infra/pulls" \
+              -H "Authorization: Bearer ${{ secrets.REGISTRY_TOKEN }}" \
+              -H "Content-Type: application/json" \
+              -d "{
+                \"base\": \"main\",
+                \"head\": \"chore/update-image-tags-${TAG}\",
+                \"title\": \"chore: deploy ${TAG} to dev\",
+                \"body\": \"[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge\"
+              }")
+            PR_NUM=$(echo "$PR_RESPONSE" | jq -r '.number')
+            echo "Created PR #$PR_NUM"
+            curl -s -X PUT "https://git.farh.net/api/v1/repos/groombook/infra/pulls/${PR_NUM}/merge" \
+              -H "Authorization: Bearer ${{ secrets.REGISTRY_TOKEN }}" \
+              -H "Content-Type: application/json" \
+              -d '{"do": "merge"}'
           fi