From 3a4fd1d06d4f9695ef78799eec3902453e03469d Mon Sep 17 00:00:00 2001
From: Marc Mintel
Date: Wed, 4 Mar 2026 10:09:46 +0100
Subject: [PATCH] ci: unify registry authentication across all jobs with dynamic token verification

---
 .gitea/workflows/deploy.yml | 86 +++++++++++++++++++++++++++----------
 1 file changed, 64 insertions(+), 22 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 7d75a42..1a9a1e3 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -175,10 +175,20 @@ jobs:
 sed -i 's|../../../at-mintel|../../_at-mintel|g' apps/web/tsconfig.json || true
 - name: 🔐 Registry Auth
 run: |
- TOKEN="${{ secrets.NPM_TOKEN }}"
- if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.MINTEL_PRIVATE_TOKEN }}"; fi
- if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.GITEA_PAT }}"; fi
- if [ -z "$TOKEN" ]; then echo "❌ Missing NPM_TOKEN / MINTEL_PRIVATE_TOKEN / GITEA_PAT secret!"; exit 1; fi
+ echo "Testing available secrets against git.infra.mintel.me Docker registry..."
+ TOKENS=( "${{ secrets.GITEA_PAT }}" "${{ secrets.MINTEL_PRIVATE_TOKEN }}" "${{ secrets.NPM_TOKEN }}" )
+ VALID_TOKEN=""
+ for T in "${TOKENS[@]}"; do
+ if [ -n "$T" ]; then
+ if echo "$T" | docker login git.infra.mintel.me -u "mmintel" --password-stdin > /dev/null 2>&1; then
+ echo "✅ Successfully authenticated with a token."
+ VALID_TOKEN="$T"
+ break
+ fi
+ fi
+ done
+ if [ -z "$VALID_TOKEN" ]; then echo "❌ All tokens failed to authenticate!"; exit 1; fi
+ TOKEN="$VALID_TOKEN"
 # Mask token in logs (just in case, but Gitea usually does this automatically)
 echo "::add-mask::$TOKEN"
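Review bot: The new `TOKENS` array probes `GITEA_PAT` first and `NPM_TOKEN` last, reversing the preference the removed lines had for `NPM_TOKEN`, so whenever the personal access token happens to be accepted it is the one that ends up in `TOKEN` even when a narrower package-scoped token would have done; if `GITEA_PAT` is the broader credential, reverse the order to `TOKENS=( "${{ secrets.NPM_TOKEN }}" "${{ secrets.MINTEL_PRIVATE_TOKEN }}" "${{ secrets.GITEA_PAT }}" )` so the least-privileged token wins. The same probe loop is pasted verbatim into the hunks at -478 and into the .npmrc hunk at the end, with a variant at -276; a single reusable step (or a composite action) would keep the order, the masking and the error handling in one place. A successful probe only shows that the registry accepts the token for `docker login`; whether the npm package endpoint this step appears to be preparing for accepts the same token is not checked, and the step body continues past the hunk.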
@@ -276,12 +286,24 @@ jobs:
 if [ -z "$TOKEN" ]; then echo "Missing NPM_TOKEN secret! Add it to Gitea repo settings."; exit 1; fi
 echo "token=$TOKEN" >> $GITHUB_OUTPUT
- - name: 🔐 Registry Login
- uses: docker/login-action@v3
- with:
- registry: git.infra.mintel.me
- username: mmintel
- password: ${{ secrets.NPM_TOKEN }}
+ - name: 🔐 Discover Valid Registry Token
+ id: discover_token
+ run: |
+ echo "Testing available secrets against git.infra.mintel.me Docker registry..."
+ TOKENS=( "${{ secrets.GITEA_PAT }}" "${{ secrets.MINTEL_PRIVATE_TOKEN }}" "${{ secrets.NPM_TOKEN }}" )
+
+ for TOKEN in "${TOKENS[@]}"; do
+ if [ -n "$TOKEN" ]; then
+ if echo "$TOKEN" | docker login git.infra.mintel.me -u "mmintel" --password-stdin > /dev/null 2>&1; then
+ echo "✅ Successfully authenticated with a token."
+ echo "::add-mask::$TOKEN"
+ echo "token=$TOKEN" >> $GITHUB_OUTPUT
+ exit 0
+ fi
+ fi
+ done
+ echo "❌ All available tokens (GITEA_PAT, MINTEL_PRIVATE_TOKEN, NPM_TOKEN) failed to authenticate!"
+ exit 1
 - name: 🏗️ Build and Push
 uses: docker/build-push-action@v5
@@ -299,7 +321,7 @@ jobs:
 cache-from: type=registry,ref=git.infra.mintel.me/mmintel/mintel.me:buildcache
 cache-to: type=registry,ref=git.infra.mintel.me/mmintel/mintel.me:buildcache,mode=max
 secrets: |
- NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+ NPM_TOKEN=${{ steps.discover_token.outputs.token }}
 - name: 🚨 Extract Build Error Logs
 if: failure()
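Review bot: The probe `docker login ... --password-stdin > /dev/null 2>&1` throws away the registry's error text, so when all three candidates are rejected the step's only output is the generic `❌ All available tokens ... failed to authenticate!` and an expired token cannot be told apart from a DNS or TLS failure or a registry outage. Capture the last reason instead, e.g. `if LAST_ERR=$(echo "$TOKEN" | docker login git.infra.mintel.me -u "mmintel" --password-stdin 2>&1 >/dev/null); then`, and print `$LAST_ERR` before `exit 1`; the login error text normally does not contain the password, so nothing sensitive is added to the log. `echo "::add-mask::$TOKEN"` is only reached for the winning token, so moving it before the probe (for every non-empty candidate) would also cover the rejected ones if any later line ever prints them. The `${{ secrets.* }}` values are expanded into the script text before it runs, which is the existing pattern in this file; passing them via `env:` and reading `"$GITEA_PAT"` etc. would keep the token out of the rendered script.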
@@ -310,13 +332,13 @@ jobs:
 chmod 600 ~/.ssh/id_ed25519
 ssh-keyscan -H alpha.mintel.me >> ~/.ssh/known_hosts 2>/dev/null
 echo "Re-running docker build with plain progress to capture exact logs..."
- echo "${{ secrets.NPM_TOKEN }}" | docker login git.infra.mintel.me -u "mmintel" --password-stdin > login.log 2>&1
- echo "${{ secrets.NPM_TOKEN }}" > /tmp/npm_token.txt
+ echo "${{ steps.discover_token.outputs.token }}" | docker login git.infra.mintel.me -u "mmintel" --password-stdin > login.log 2>&1
+ echo "${{ steps.discover_token.outputs.token }}" > /tmp/npm_token.txt
 docker build \
 --build-arg NEXT_PUBLIC_BASE_URL=${{ needs.prepare.outputs.next_public_url }} \
 --build-arg NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }} \
 --build-arg DIRECTUS_URL=${{ needs.prepare.outputs.directus_url }} \
- --build-arg NPM_TOKEN=${{ secrets.NPM_TOKEN }} \
+ --build-arg NPM_TOKEN=${{ steps.discover_token.outputs.token }} \
 --secret id=NPM_TOKEN,src=/tmp/npm_token.txt \
 --progress plain \
 -t temp-image . > docker_build_failed.log 2>&1
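Review bot: The rewritten `--build-arg NPM_TOKEN=${{ steps.discover_token.outputs.token }} \` still passes the registry token as a build argument although the next line already mounts it with `--secret id=NPM_TOKEN,src=/tmp/npm_token.txt`; build arguments are recorded in the image metadata (visible via `docker history temp-image`), so the `--build-arg NPM_TOKEN=` line should be dropped and only the secret mount kept, provided the Dockerfile reads the token from the secret mount rather than an `ARG` (the Dockerfile is not visible here). `/tmp/npm_token.txt` is created with the runner's default umask and never deleted; prefix the write with `umask 077` or add `rm -f /tmp/npm_token.txt` after the build so the token does not persist on a reused runner. Because this step runs on `if: failure()`, a failure of `discover_token` itself leaves its output empty and the `docker login` here runs with an empty password; gating the step on `steps.discover_token.outcome == 'success'` avoids that noise. The step body starts before and continues after the hunk.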
@@ -478,10 +500,20 @@ jobs:
 scp docker-compose.yml root@alpha.mintel.me:$SITE_DIR/docker-compose.yml
 # Deploy
- TOKEN="${{ secrets.NPM_TOKEN }}"
- if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.MINTEL_PRIVATE_TOKEN }}"; fi
- if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.GITEA_PAT }}"; fi
- if [ -z "$TOKEN" ]; then echo "Missing NPM_TOKEN secret! Add it to Gitea repo settings."; exit 1; fi
+ echo "Testing available secrets against git.infra.mintel.me Docker registry..."
+ TOKENS=( "${{ secrets.GITEA_PAT }}" "${{ secrets.MINTEL_PRIVATE_TOKEN }}" "${{ secrets.NPM_TOKEN }}" )
+ VALID_TOKEN=""
+ for T in "${TOKENS[@]}"; do
+ if [ -n "$T" ]; then
+ if echo "$T" | docker login git.infra.mintel.me -u "mmintel" --password-stdin > /dev/null 2>&1; then
+ echo "✅ Successfully authenticated with a token."
+ VALID_TOKEN="$T"
+ break
+ fi
+ fi
+ done
+ if [ -z "$VALID_TOKEN" ]; then echo "❌ All tokens failed to authenticate!"; exit 1; fi
+ TOKEN="$VALID_TOKEN"
 DB_CONTAINER="${{ needs.prepare.outputs.project_name }}-postgres-db-1"
 ssh root@alpha.mintel.me bash < /dev/null 2>&1; then
+ echo "✅ Successfully authenticated with a token."
+ VALID_TOKEN="$T"
+ break
+ fi
+ fi
+ done
+ if [ -z "$VALID_TOKEN" ]; then echo "❌ All tokens failed to authenticate!"; exit 1; fi
+ TOKEN="$VALID_TOKEN"
 echo "Configuring .npmrc for git.infra.mintel.me..."
 echo "@mintel:registry=https://git.infra.mintel.me/api/packages/mmintel/npm/" > .npmrc
 echo "//git.infra.mintel.me/api/packages/mmintel/npm/:_authToken=${TOKEN}" >> .npmrc
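Review bot: The probe loop in this deploy step runs `docker login git.infra.mintel.me` on the CI runner for each candidate, which persists the accepted credential in the runner's Docker config, yet nothing in the visible lines of the step uses that local login afterwards — the token seems to be handed on to alpha.mintel.me over `ssh` (the heredoc that follows is cut off in this view). Add `docker logout git.infra.mintel.me` right after `TOKEN="$VALID_TOKEN"` unless a later line of the step depends on the login, so the credential does not outlive the job on a reused runner. This loop is a verbatim copy of the one added at -175; a shared step would keep the two from drifting apart, and the probe only proves the registry accepts the token, not that it carries whatever permission the deploy on alpha.mintel.me needs.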