fix(ci): robust fallback secrets for docker login and gitea npm registry to prevent 401 errors

.gitea/workflows/deploy.yml

@@ -199,12 +199,23 @@ jobs:
         run: git clone https://git.infra.mintel.me/mmintel/at-mintel.git _at-mintel
       - name: 🐳 Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+      - name: 🔐 Prepare Registry Token
+        id: prep_token
+        run: |
+          TOKEN="${{ secrets.NPM_TOKEN }}"
+          if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.MINTEL_PRIVATE_TOKEN }}"; fi
+          if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.GITEA_PAT }}"; fi
+          if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.REGISTRY_PASS }}"; fi
+          if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.GITHUB_TOKEN }}"; fi
+          echo "token=$TOKEN" >> $GITHUB_OUTPUT
+
       - name: 🔐 Registry Login
         uses: docker/login-action@v3
         with:
           registry: git.infra.mintel.me
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.NPM_TOKEN }}
+          password: ${{ steps.prep_token.outputs.token }}
+
       - name: 🏗️ Build and Push
         uses: docker/build-push-action@v5
         with:
@@ -216,12 +227,12 @@ jobs:
             NEXT_PUBLIC_BASE_URL=${{ needs.prepare.outputs.next_public_url }}
             NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }}
             DIRECTUS_URL=${{ needs.prepare.outputs.directus_url }}
-            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+            NPM_TOKEN=${{ steps.prep_token.outputs.token }}
           tags: git.infra.mintel.me/mmintel/mintel.me:${{ needs.prepare.outputs.image_tag }}
           cache-from: type=registry,ref=git.infra.mintel.me/mmintel/mintel.me:buildcache
           cache-to: type=registry,ref=git.infra.mintel.me/mmintel/mintel.me:buildcache,mode=max
           secrets: |
-            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+            NPM_TOKEN=${{ steps.prep_token.outputs.token }}
 
       - name: 🚨 Extract Build Error Logs
         if: failure()
@@ -232,12 +243,13 @@ jobs:
           chmod 600 ~/.ssh/id_ed25519
           ssh-keyscan -H alpha.mintel.me >> ~/.ssh/known_hosts 2>/dev/null
           echo "Re-running docker build with plain progress to capture exact logs..."
-          echo "${{ secrets.NPM_TOKEN }}" | docker login git.infra.mintel.me -u "${{ github.repository_owner }}" --password-stdin > login.log 2>&1
-          echo "${{ secrets.REGISTRY_PASS }}" > /tmp/npm_token.txt
+          echo "${{ steps.prep_token.outputs.token }}" | docker login git.infra.mintel.me -u "${{ github.repository_owner }}" --password-stdin > login.log 2>&1
+          echo "${{ steps.prep_token.outputs.token }}" > /tmp/npm_token.txt
           docker build \
              --build-arg NEXT_PUBLIC_BASE_URL=${{ needs.prepare.outputs.next_public_url }} \
              --build-arg NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }} \
              --build-arg DIRECTUS_URL=${{ needs.prepare.outputs.directus_url }} \
+             --build-arg NPM_TOKEN=${{ steps.prep_token.outputs.token }} \
              --secret id=NPM_TOKEN,src=/tmp/npm_token.txt \
              --progress plain \
              -t temp-image . > docker_build_failed.log 2>&1