From 68380a3af9c28baa2395ee36c3916407cfd8b25b Mon Sep 17 00:00:00 2001
From: Marc Mintel <marc@mintel.me>
Date: Wed, 4 Mar 2026 16:10:24 +0100
Subject: [PATCH] fix(ci): use SCP credentials file for docker auth on remote
 server

---
 .gitea/workflows/deploy.yml | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index f6f562d5..f71d673e 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -438,15 +438,12 @@ jobs:
           scp docker-compose.yml root@alpha.mintel.me:$SITE_DIR/docker-compose.yml
           
           # Execute remote commands
-          TOKEN_VALUE="$REGISTRY_PASS"
-          USER_VALUE="$REGISTRY_USER"
-          ssh root@alpha.mintel.me bash <<DEPLOYEOF
-          set -e
-          cd ${SITE_DIR}
-          printf '%s' "${TOKEN_VALUE}" | docker login git.infra.mintel.me -u "${USER_VALUE}" --password-stdin
-          docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '${ENV_FILE}' pull
-          docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '${ENV_FILE}' up -d --remove-orphans
-          DEPLOYEOF
+          # Write docker credentials to a temp file on local, scp it, then use it on remote
+          B64_AUTH=$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_PASS" | base64 -w 0)
+          printf '{"auths":{"git.infra.mintel.me":{"auth":"%s"}}}' "$B64_AUTH" > /tmp/docker_creds.json
+          scp /tmp/docker_creds.json root@alpha.mintel.me:/tmp/docker_creds.json
+          rm /tmp/docker_creds.json
+          ssh root@alpha.mintel.me "mkdir -p ~/.docker && cp /tmp/docker_creds.json ~/.docker/config.json && rm /tmp/docker_creds.json && cd $SITE_DIR && docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' pull && docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' up -d --remove-orphans"
           
           # Sanitize Payload Migrations: Replace 'dev' push entries with proper migration names.
           # Without this, Payload prompts interactively for confirmation and blocks forever in Docker.