From 0b6211cf5f7b8c82c632f7357b7fa1d8444a1d49 Mon Sep 17 00:00:00 2001
From: Marc Mintel <marc@mintel.me>
Date: Thu, 12 Feb 2026 15:18:59 +0100
Subject: [PATCH] fix(pipeline): conditional upstream status check (verified
 via git ls-remote)

---
 .gitea/workflows/deploy.yml | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 93040b0d..ec16f6ec 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -112,23 +112,28 @@ jobs:
             TAG_TO_WAIT="v$UPSTREAM_VERSION"
             
             if [[ -n "$UPSTREAM_VERSION" && "$UPSTREAM_VERSION" != "workspace:"* ]]; then
-              echo "⏳ This release depends on @mintel v$UPSTREAM_VERSION. Waiting for upstream build..."
-              # Fetch script from monorepo (main)
-              # Standard discovery (works without token for public at-mintel)
+              # 1. Discovery (Works without token for public repositories)
               UPSTREAM_SHA=$(git ls-remote --tags https://git.infra.mintel.me/mmintel/at-mintel.git "$TAG_TO_WAIT" | grep "$TAG_TO_WAIT" | tail -n1 | awk '{print $1}')
+              
               if [[ -z "$UPSTREAM_SHA" ]]; then
                 echo "❌ Error: Tag $TAG_TO_WAIT not found in mmintel/at-mintel."
                 exit 1
               fi
-              echo "✅ Found upstream SHA $UPSTREAM_SHA for $TAG_TO_WAIT"
+              echo "✅ Tag verified: Found upstream SHA $UPSTREAM_SHA for $TAG_TO_WAIT"
 
-              curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-                "https://git.infra.mintel.me/mmintel/at-mintel/raw/branch/main/packages/infra/scripts/wait-for-upstream.sh" > wait-for-upstream.sh
-              chmod +x wait-for-upstream.sh
+              # 2. Status Check (Requires GITEA_PAT for cross-repo API access)
+              POLL_TOKEN="${{ secrets.GITEA_PAT || secrets.MINTEL_PRIVATE_TOKEN }}"
               
-              # Use dedicated PAT if available, otherwise fallback to GITHUB_TOKEN
-              POLL_TOKEN="${{ secrets.GITEA_PAT || secrets.MINTEL_PRIVATE_TOKEN || secrets.GITHUB_TOKEN }}"
-              GITEA_TOKEN="$POLL_TOKEN" ./wait-for-upstream.sh "mmintel/at-mintel" "$TAG_TO_WAIT"
+              if [[ -n "$POLL_TOKEN" ]]; then
+                echo "⏳ GITEA_PAT found. Checking upstream build status..."
+                curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+                  "https://git.infra.mintel.me/mmintel/at-mintel/raw/branch/main/packages/infra/scripts/wait-for-upstream.sh" > wait-for-upstream.sh
+                chmod +x wait-for-upstream.sh
+                GITEA_TOKEN="$POLL_TOKEN" ./wait-for-upstream.sh "mmintel/at-mintel" "$TAG_TO_WAIT"
+              else
+                echo "ℹ️ No GITEA_PAT secret found. Skipping build status wait (Actions API is restricted)."
+                echo "   If this build fails, ensure that mmintel/at-mintel $TAG_TO_WAIT has finished its Docker build."
+              fi
             fi
           fi