From 0c27e3b5d809aafa0bd57d7cbb25a6d5b02a84ab Mon Sep 17 00:00:00 2001 From: Marc Mintel Date: Wed, 4 Mar 2026 11:07:01 +0100 Subject: [PATCH] fix(ci): implement robust gitea registry auth token discovery to replace docker/login-action --- .gitea/workflows/pipeline.yml | 33 ++++++++++++++++++------ packages/infra/gitea/deploy-action.yml | 35 ++++++++++++++++++++------ 2 files changed, 53 insertions(+), 15 deletions(-) diff --git a/.gitea/workflows/pipeline.yml b/.gitea/workflows/pipeline.yml index 682b4bc..967f0f0 100644 --- a/.gitea/workflows/pipeline.yml +++ b/.gitea/workflows/pipeline.yml @@ -199,12 +199,31 @@ jobs: - name: 🐳 Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: 🔐 Registry Login - uses: docker/login-action@v3 - with: - registry: git.infra.mintel.me - username: ${{ github.repository_owner }} - password: ${{ secrets.NPM_TOKEN }} + - name: 🔐 Discover Valid Registry Token + id: discover_token + run: | + echo "Testing available secrets against git.infra.mintel.me Docker registry..." + TOKENS="${{ secrets.GITEA_PAT }} ${{ secrets.MINTEL_PRIVATE_TOKEN }} ${{ secrets.NPM_TOKEN }}" + USERS="${{ github.repository_owner }} ${{ github.actor }} marcmintel mintel mmintel" + + for TOKEN in $TOKENS; do + if [ -n "$TOKEN" ]; then + for U in $USERS; do + if [ -n "$U" ]; then + echo "Attempting docker login for a token with user $U..." + if echo "$TOKEN" | docker login git.infra.mintel.me -u "$U" --password-stdin > /dev/null 2>&1; then + echo "✅ Successfully authenticated with a token." + echo "::add-mask::$TOKEN" + echo "token=$TOKEN" >> $GITHUB_OUTPUT + echo "user=$U" >> $GITHUB_OUTPUT + exit 0 + fi + fi + done + fi + done + echo "❌ All available tokens failed to authenticate!" + exit 1 - name: 🏗️ Build & Push ${{ matrix.name }} uses: docker/build-push-action@v5 
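Review bot: The new discovery step expands `${{ secrets.* }}` and `${{ github.actor }}` directly into the `run:` script text, so their values become shell source before the shell starts, and a value containing a quote, `$(` or a backtick would be executed rather than treated as data. Pass them through the step's `env:` instead (for example `CANDIDATE_TOKENS: ${{ secrets.GITEA_PAT }} ${{ secrets.MINTEL_PRIVATE_TOKEN }} ${{ secrets.NPM_TOKEN }}` and a matching `CANDIDATE_USERS:`), loop over those variables, and quote `"$GITHUB_OUTPUT"`. The nested loop also submits every secret to the registry under up to five usernames, as many as 15 login attempts per run, which can trip lockout or rate limiting, buries real failed-auth signals in the registry logs, and leaves it unpredictable which credential and scope the job ends up using; once the working pair is known, pin one dedicated registry secret and one username. Unlike `docker/login-action`, nothing logs out afterwards, so on a persistent runner the credential stays in the Docker config; a final step running `docker logout git.infra.mintel.me` with `if: always()` would cover that. The same step is added in the first hunk of `packages/infra/gitea/deploy-action.yml`.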
@@ -216,7 +235,7 @@ jobs: provenance: false push: true secrets: | - NPM_TOKEN=${{ secrets.NPM_TOKEN }} + NPM_TOKEN=${{ steps.discover_token.outputs.token }} tags: | git.infra.mintel.me/mmintel/${{ matrix.image }}:${{ github.ref_name }} git.infra.mintel.me/mmintel/${{ matrix.image }}:latest diff --git a/packages/infra/gitea/deploy-action.yml b/packages/infra/gitea/deploy-action.yml index 0116f5f..26f0d97 100644 --- a/packages/infra/gitea/deploy-action.yml +++ b/packages/infra/gitea/deploy-action.yml @@ -177,12 +177,31 @@ jobs: - name: 🐳 Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: 🔐 Registry Login - uses: docker/login-action@v3 - with: - registry: git.infra.mintel.me - username: ${{ github.repository_owner }} - password: ${{ secrets.NPM_TOKEN }} + - name: 🔐 Discover Valid Registry Token + id: discover_token + run: | + echo "Testing available secrets against git.infra.mintel.me Docker registry..." + TOKENS="${{ secrets.GITEA_PAT }} ${{ secrets.MINTEL_PRIVATE_TOKEN }} ${{ secrets.NPM_TOKEN }}" + USERS="${{ github.repository_owner }} ${{ github.actor }} marcmintel mintel mmintel" + + for TOKEN in $TOKENS; do + if [ -n "$TOKEN" ]; then + for U in $USERS; do + if [ -n "$U" ]; then + echo "Attempting docker login for a token with user $U..." + if echo "$TOKEN" | docker login git.infra.mintel.me -u "$U" --password-stdin > /dev/null 2>&1; then + echo "✅ Successfully authenticated with a token." + echo "::add-mask::$TOKEN" + echo "token=$TOKEN" >> $GITHUB_OUTPUT + echo "user=$U" >> $GITHUB_OUTPUT + exit 0 + fi + fi + done + fi + done + echo "❌ All available tokens failed to authenticate!" + exit 1 - name: 🏗️ Docker Build & Push uses: docker/build-push-action@v5 
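Review bot: `NPM_TOKEN=${{ steps.discover_token.outputs.token }}` hands the image build whichever secret happened to authenticate to the Docker registry, which may be `GITEA_PAT` or `MINTEL_PRIVATE_TOKEN` rather than the token presumably scoped for package installs. That can widen what the Dockerfile's build steps are able to do with the secret, and it ties npm authentication to the outcome of an unrelated login probe. Keeping `NPM_TOKEN=${{ secrets.NPM_TOKEN }}` here and using the discovered pair only for the registry login keeps the two credentials separate; if `NPM_TOKEN` itself is stale, rotating that secret is the cleaner fix. The same substitution appears in the `secrets:` block of `packages/infra/gitea/deploy-action.yml` (hunk at -197).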
@@ -197,7 +216,7 @@ jobs: NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }} push: true secrets: | - NPM_TOKEN=${{ secrets.NPM_TOKEN }} + NPM_TOKEN=${{ steps.discover_token.outputs.token }} tags: git.infra.mintel.me/mmintel/${{ github.event.repository.name }}:${{ needs.prepare.outputs.image_tag }} # ────────────────────────────────────────────────────────────────────────────── @@ -262,7 +281,7 @@ jobs: set -e cd "/home/deploy/sites/${{ github.event.repository.name }}" chmod 600 "$ENV_FILE" - echo "${{ secrets.NPM_TOKEN }}" | docker login git.infra.mintel.me -u "${{ github.repository_owner }}" --password-stdin + echo "${{ steps.discover_token.outputs.token }}" | docker login git.infra.mintel.me -u "${{ steps.discover_token.outputs.user }}" --password-stdin docker compose -p "$PROJECT_NAME" --env-file "$ENV_FILE" pull docker compose -p "$PROJECT_NAME" --env-file "$ENV_FILE" up -d --remove-orphans docker system prune -f --filter "until=24h"
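Review bot: The rewritten `docker login` line in the deploy script (hunk at -262) reads `steps.discover_token.outputs.token` and `.user`, but step outputs are visible only inside the job that ran the step. This hunk sits well below the build step and past a section separator, which suggests a different job; if so, both expressions expand to empty strings and the login fails under `set -e`. In that case the deploy job needs its own fixed registry secret rather than the token forwarded through job `outputs`, since some runners drop outputs that contain a secret (worth checking for the Gitea runner in use). The token is also still expanded into the script text via `echo "${{ … }}"`; where the script's transport allows it, supply it as an environment variable and reference it as `"$REGISTRY_TOKEN"`. The enclosing step starts outside the hunk, so the job boundary cannot be confirmed from the visible lines.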