ci: unify registry authentication across all jobs with dynamic token verification

.gitea/workflows/deploy.yml

@@ -175,10 +175,20 @@ jobs:
           sed -i 's|../../../at-mintel|../../_at-mintel|g' apps/web/tsconfig.json || true
       - name: 🔐 Registry Auth
         run: |
-          TOKEN="${{ secrets.NPM_TOKEN }}"
+          echo "Testing available secrets against git.infra.mintel.me Docker registry..."
-          if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.MINTEL_PRIVATE_TOKEN }}"; fi
+          TOKENS=( "${{ secrets.GITEA_PAT }}" "${{ secrets.MINTEL_PRIVATE_TOKEN }}" "${{ secrets.NPM_TOKEN }}" )
-          if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.GITEA_PAT }}"; fi
+          VALID_TOKEN=""
-          if [ -z "$TOKEN" ]; then echo "❌ Missing NPM_TOKEN / MINTEL_PRIVATE_TOKEN / GITEA_PAT secret!"; exit 1; fi
+          for T in "${TOKENS[@]}"; do
+            if [ -n "$T" ]; then
+              if echo "$T" | docker login git.infra.mintel.me -u "mmintel" --password-stdin > /dev/null 2>&1; then
+                echo "✅ Successfully authenticated with a token."
+                VALID_TOKEN="$T"
+                break
+              fi
+            fi
+          done
+          if [ -z "$VALID_TOKEN" ]; then echo "❌ All tokens failed to authenticate!"; exit 1; fi
+          TOKEN="$VALID_TOKEN"
 
           # Mask token in logs (just in case, but Gitea usually does this automatically)
           echo "::add-mask::$TOKEN"
@@ -276,12 +286,24 @@ jobs:
           if [ -z "$TOKEN" ]; then echo "Missing NPM_TOKEN secret! Add it to Gitea repo settings."; exit 1; fi
           echo "token=$TOKEN" >> $GITHUB_OUTPUT
 
-      - name: 🔐 Registry Login
+      - name: 🔐 Discover Valid Registry Token
-        uses: docker/login-action@v3
+        id: discover_token
-        with:
+        run: |
-          registry: git.infra.mintel.me
+          echo "Testing available secrets against git.infra.mintel.me Docker registry..."
-          username: mmintel
+          TOKENS=( "${{ secrets.GITEA_PAT }}" "${{ secrets.MINTEL_PRIVATE_TOKEN }}" "${{ secrets.NPM_TOKEN }}" )
-          password: ${{ secrets.NPM_TOKEN }}
+
+          for TOKEN in "${TOKENS[@]}"; do
+            if [ -n "$TOKEN" ]; then
+              if echo "$TOKEN" | docker login git.infra.mintel.me -u "mmintel" --password-stdin > /dev/null 2>&1; then
+                echo "✅ Successfully authenticated with a token."
+                echo "::add-mask::$TOKEN"
+                echo "token=$TOKEN" >> $GITHUB_OUTPUT
+                exit 0
+              fi
+            fi
+          done
+          echo "❌ All available tokens (GITEA_PAT, MINTEL_PRIVATE_TOKEN, NPM_TOKEN) failed to authenticate!"
+          exit 1
 
       - name: 🏗️ Build and Push
         uses: docker/build-push-action@v5
@@ -299,7 +321,7 @@ jobs:
           cache-from: type=registry,ref=git.infra.mintel.me/mmintel/mintel.me:buildcache
           cache-to: type=registry,ref=git.infra.mintel.me/mmintel/mintel.me:buildcache,mode=max
           secrets: |
-            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+            NPM_TOKEN=${{ steps.discover_token.outputs.token }}
 
       - name: 🚨 Extract Build Error Logs
         if: failure()
@@ -310,13 +332,13 @@ jobs:
           chmod 600 ~/.ssh/id_ed25519
           ssh-keyscan -H alpha.mintel.me >> ~/.ssh/known_hosts 2>/dev/null
           echo "Re-running docker build with plain progress to capture exact logs..."
-          echo "${{ secrets.NPM_TOKEN }}" | docker login git.infra.mintel.me -u "mmintel" --password-stdin > login.log 2>&1
+          echo "${{ steps.discover_token.outputs.token }}" | docker login git.infra.mintel.me -u "mmintel" --password-stdin > login.log 2>&1
-          echo "${{ secrets.NPM_TOKEN }}" > /tmp/npm_token.txt
+          echo "${{ steps.discover_token.outputs.token }}" > /tmp/npm_token.txt
           docker build \
              --build-arg NEXT_PUBLIC_BASE_URL=${{ needs.prepare.outputs.next_public_url }} \
              --build-arg NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }} \
              --build-arg DIRECTUS_URL=${{ needs.prepare.outputs.directus_url }} \
-             --build-arg NPM_TOKEN=${{ secrets.NPM_TOKEN }} \
+             --build-arg NPM_TOKEN=${{ steps.discover_token.outputs.token }} \
              --secret id=NPM_TOKEN,src=/tmp/npm_token.txt \
              --progress plain \
              -t temp-image . > docker_build_failed.log 2>&1
@@ -478,10 +500,20 @@ jobs:
           scp docker-compose.yml root@alpha.mintel.me:$SITE_DIR/docker-compose.yml
 
           # Deploy
-          TOKEN="${{ secrets.NPM_TOKEN }}"
+          echo "Testing available secrets against git.infra.mintel.me Docker registry..."
-          if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.MINTEL_PRIVATE_TOKEN }}"; fi
+          TOKENS=( "${{ secrets.GITEA_PAT }}" "${{ secrets.MINTEL_PRIVATE_TOKEN }}" "${{ secrets.NPM_TOKEN }}" )
-          if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.GITEA_PAT }}"; fi
+          VALID_TOKEN=""
-          if [ -z "$TOKEN" ]; then echo "Missing NPM_TOKEN secret! Add it to Gitea repo settings."; exit 1; fi
+          for T in "${TOKENS[@]}"; do
+            if [ -n "$T" ]; then
+              if echo "$T" | docker login git.infra.mintel.me -u "mmintel" --password-stdin > /dev/null 2>&1; then
+                echo "✅ Successfully authenticated with a token."
+                VALID_TOKEN="$T"
+                break
+              fi
+            fi
+          done
+          if [ -z "$VALID_TOKEN" ]; then echo "❌ All tokens failed to authenticate!"; exit 1; fi
+          TOKEN="$VALID_TOKEN"
 
           DB_CONTAINER="${{ needs.prepare.outputs.project_name }}-postgres-db-1"
           ssh root@alpha.mintel.me bash <<DEPLOYEOF
@@ -533,10 +565,20 @@ jobs:
           sed -i 's|../../../at-mintel|../../_at-mintel|g' apps/web/tsconfig.json || true
       - name: 🔐 Registry Auth
         run: |
-          TOKEN="${{ secrets.NPM_TOKEN }}"
+          echo "Testing available secrets against git.infra.mintel.me Docker registry..."
-          if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.MINTEL_PRIVATE_TOKEN }}"; fi
+          TOKENS=( "${{ secrets.GITEA_PAT }}" "${{ secrets.MINTEL_PRIVATE_TOKEN }}" "${{ secrets.NPM_TOKEN }}" )
-          if [ -z "$TOKEN" ]; then TOKEN="${{ secrets.GITEA_PAT }}"; fi
+          VALID_TOKEN=""
-          if [ -z "$TOKEN" ]; then echo "❌ Missing NPM_TOKEN / MINTEL_PRIVATE_TOKEN / GITEA_PAT secret!"; exit 1; fi
+          for T in "${TOKENS[@]}"; do
+            if [ -n "$T" ]; then
+              if echo "$T" | docker login git.infra.mintel.me -u "mmintel" --password-stdin > /dev/null 2>&1; then
+                echo "✅ Successfully authenticated with a token."
+                VALID_TOKEN="$T"
+                break
+              fi
+            fi
+          done
+          if [ -z "$VALID_TOKEN" ]; then echo "❌ All tokens failed to authenticate!"; exit 1; fi
+          TOKEN="$VALID_TOKEN"
           echo "Configuring .npmrc for git.infra.mintel.me..."
           echo "@mintel:registry=https://git.infra.mintel.me/api/packages/mmintel/npm/" > .npmrc
           echo "//git.infra.mintel.me/api/packages/mmintel/npm/:_authToken=${TOKEN}" >> .npmrc