fix(pipeline): implement clean PAT-based upstream wait logic

.gitea/workflows/deploy.yml

@@ -114,18 +114,21 @@ jobs:
             if [[ -n "$UPSTREAM_VERSION" && "$UPSTREAM_VERSION" != "workspace:"* ]]; then
               echo "⏳ This release depends on @mintel v$UPSTREAM_VERSION. Waiting for upstream build..."
               # Fetch script from monorepo (main)
+              # Standard discovery (works without token for public at-mintel)
+              UPSTREAM_SHA=$(git ls-remote --tags https://git.infra.mintel.me/mmintel/at-mintel.git "$TAG_TO_WAIT" | grep "$TAG_TO_WAIT" | tail -n1 | awk '{print $1}')
+              if [[ -z "$UPSTREAM_SHA" ]]; then
+                echo "❌ Error: Tag $TAG_TO_WAIT not found in mmintel/at-mintel."
+                exit 1
+              fi
+              echo "✅ Found upstream SHA $UPSTREAM_SHA for $TAG_TO_WAIT"
+
               curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
                 "https://git.infra.mintel.me/mmintel/at-mintel/raw/branch/main/packages/infra/scripts/wait-for-upstream.sh" > wait-for-upstream.sh
               chmod +x wait-for-upstream.sh
               
-              # Robust SHA discovery (bypasses restricted Gitea API)
+              # Use dedicated PAT if available, otherwise fallback to GITHUB_TOKEN
-              UPSTREAM_SHA=$(git ls-remote --tags https://git.infra.mintel.me/mmintel/at-mintel.git "$TAG_TO_WAIT" | grep "$TAG_TO_WAIT" | tail -n1 | awk '{print $1}')
+              POLL_TOKEN="${{ secrets.GITEA_PAT || secrets.MINTEL_PRIVATE_TOKEN || secrets.GITHUB_TOKEN }}"
-              if [[ -n "$UPSTREAM_SHA" ]]; then
+              GITEA_TOKEN="$POLL_TOKEN" ./wait-for-upstream.sh "mmintel/at-mintel" "$TAG_TO_WAIT"
-                echo "✅ Found upstream SHA $UPSTREAM_SHA for $TAG_TO_WAIT (via git ls-remote)"
-                sed -i "s#TARGET_SHA=.*#TARGET_SHA=$UPSTREAM_SHA#g" wait-for-upstream.sh
-              fi
-              
-              GITEA_TOKEN=${{ secrets.GITHUB_TOKEN }} ./wait-for-upstream.sh "mmintel/at-mintel" "$TAG_TO_WAIT"
             fi
           fi