From cd88c2f20fd6b1f9814b68ceaf1944ed6c72cb9e Mon Sep 17 00:00:00 2001
From: Marc Mintel
Date: Tue, 3 Mar 2026 20:50:49 +0100
Subject: [PATCH] chore(ci): harden dependency redirection and registry auth
---
 .gitea/workflows/deploy.yml | 24 ++++++++++++------------
 Dockerfile | 1 +
 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index a64a6be..9c15224 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -159,14 +159,14 @@ jobs:
 # Force ALL @mintel packages to use the local clone instead of the registry
 # This handles root package.json
- perl -pi -e 's/"@mintel\/([^"]+)": "[^"]+"/"\@mintel\/$1": "link:.\/_at-mintel\/packages\/$1"/g' package.json
+ perl -pi -e 's/"\@mintel\/([^"]+)"\s*:\s*"[^"]+"/"\@mintel\/$1": "link:.\/_at-mintel\/packages\/$1"/g' package.json
 # Special case for pdf -> pdf-library
- perl -pi -e 's/link:.\/_at-mintel\/packages\/pdf"/link:.\/_at-mintel\/packages\/pdf-library"/g' package.json
+ perl -pi -e 's/link:\.\/_at-mintel\/packages\/pdf"/link:.\/_at-mintel\/packages\/pdf-library"/g' package.json
 # Handle apps/web/package.json
- perl -pi -e 's/"@mintel\/([^"]+)": "[^"]+"/"\@mintel\/$1": "link:..\/\.\.\/_at-mintel\/packages\/$1"/g' apps/web/package.json
+ perl -pi -e 's/"\@mintel\/([^"]+)"\s*:\s*"[^"]+"/"\@mintel\/$1": "link:..\/\.\.\/_at-mintel\/packages\/$1"/g' apps/web/package.json
 # Special case for pdf -> pdf-library
- perl -pi -e 's/link:..\/\.\.\/_at-mintel\/packages\/pdf"/link:..\/\.\.\/_at-mintel\/packages\/pdf-library"/g' apps/web/package.json
+ perl -pi -e 's/link:\.\.\/\.\.\/_at-mintel\/packages\/pdf"/link:..\/\.\.\/_at-mintel\/packages\/pdf-library"/g' apps/web/package.json
 # Fix tsconfig paths if they exist
 sed -i 's|../../../at-mintel|../../_at-mintel|g' apps/web/tsconfig.json || true
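Review bot: Nothing in this step confirms that the substitutions matched, so a rewrite that matches nothing leaves the `@mintel` ranges pointing at the registry and the job still passes; `perl -pi -e` exits 0 either way. The removed lines suggest this has already happened, since an unescaped `@mintel` inside a Perl pattern is presumably interpolated as an (empty) array. A guard after the last `perl` line would turn that into a failed build, for example `perl -ne 'exit 1 if /"\@mintel\/[^"]+"\s*:\s*"(?!link:)/' package.json apps/web/package.json`, assuming the run shell stops on a non-zero exit. The same applies to the copies in the `@@ -261` and `@@ -524` hunks; the step itself begins above this hunk.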
@@ -261,10 +261,10 @@ jobs:
 run: |
 git clone https://git.infra.mintel.me/mmintel/at-mintel.git _at-mintel
 # Force ALL @mintel packages to use the local clone instead of the registry
- perl -pi -e 's/"@mintel\/([^"]+)": "[^"]+"/"\@mintel\/$1": "link:.\/_at-mintel\/packages\/$1"/g' package.json
- perl -pi -e 's/link:.\/_at-mintel\/packages\/pdf"/link:.\/_at-mintel\/packages\/pdf-library"/g' package.json
- perl -pi -e 's/"@mintel\/([^"]+)": "[^"]+"/"\@mintel\/$1": "link:..\/\.\.\/_at-mintel\/packages\/$1"/g' apps/web/package.json
- perl -pi -e 's/link:..\/\.\.\/_at-mintel\/packages\/pdf"/link:..\/\.\.\/_at-mintel\/packages\/pdf-library"/g' apps/web/package.json
+ perl -pi -e 's/"\@mintel\/([^"]+)"\s*:\s*"[^"]+"/"\@mintel\/$1": "link:.\/_at-mintel\/packages\/$1"/g' package.json
+ perl -pi -e 's/link:\.\/_at-mintel\/packages\/pdf"/link:.\/_at-mintel\/packages\/pdf-library"/g' package.json
+ perl -pi -e 's/"\@mintel\/([^"]+)"\s*:\s*"[^"]+"/"\@mintel\/$1": "link:..\/\.\.\/_at-mintel\/packages\/$1"/g' apps/web/package.json
+ perl -pi -e 's/link:\.\.\/\.\.\/_at-mintel\/packages\/pdf"/link:..\/\.\.\/_at-mintel\/packages\/pdf-library"/g' apps/web/package.json
 - name: 🐳 Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: 🔐 Prepare Registry Token
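Review bot: The `git clone` at the top of this `run` block takes whatever the default branch of `at-mintel` holds at build time, and the rewritten lines below it point every `@mintel/*` dependency at that checkout, so the image is built from a revision this repository does not fix. Pinning the clone closes that gap, e.g. adding `git -C _at-mintel checkout --detach <PINNED_COMMIT_SHA>` (placeholder value) right after the clone and bumping the SHA through review. The `@@ -524` hunk shows the same unpinned clone. The step's own `- name:` line is outside this hunk.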
@@ -524,10 +524,10 @@ jobs:
 git clone https://git.infra.mintel.me/mmintel/at-mintel.git _at-mintel
 # Force ALL @mintel packages to use the local clone instead of the registry
- perl -pi -e 's/"@mintel\/([^"]+)": "[^"]+"/"\@mintel\/$1": "link:.\/_at-mintel\/packages\/$1"/g' package.json
- perl -pi -e 's/link:.\/_at-mintel\/packages\/pdf"/link:.\/_at-mintel\/packages\/pdf-library"/g' package.json
- perl -pi -e 's/"@mintel\/([^"]+)": "[^"]+"/"\@mintel\/$1": "link:..\/\.\.\/_at-mintel\/packages\/$1"/g' apps/web/package.json
- perl -pi -e 's/link:..\/\.\.\/_at-mintel\/packages\/pdf"/link:..\/\.\.\/_at-mintel\/packages\/pdf-library"/g' apps/web/package.json
+ perl -pi -e 's/"\@mintel\/([^"]+)"\s*:\s*"[^"]+"/"\@mintel\/$1": "link:.\/_at-mintel\/packages\/$1"/g' package.json
+ perl -pi -e 's/link:\.\/_at-mintel\/packages\/pdf"/link:.\/_at-mintel\/packages\/pdf-library"/g' package.json
+ perl -pi -e 's/"\@mintel\/([^"]+)"\s*:\s*"[^"]+"/"\@mintel\/$1": "link:..\/\.\.\/_at-mintel\/packages\/$1"/g' apps/web/package.json
+ perl -pi -e 's/link:\.\.\/\.\.\/_at-mintel\/packages\/pdf"/link:..\/\.\.\/_at-mintel\/packages\/pdf-library"/g' apps/web/package.json
 # Fix tsconfig paths if they exist
 sed -i 's|../../../at-mintel|../../_at-mintel|g' apps/web/tsconfig.json || true
diff --git a/Dockerfile b/Dockerfile
index bc52df7..523f4d7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,6 +27,7 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
 export NPM_TOKEN=$(cat /run/secrets/NPM_TOKEN 2>/dev/null || echo $NPM_TOKEN) && \
 echo "@mintel:registry=https://git.infra.mintel.me/api/packages/mmintel/npm/" > .npmrc && \
 echo "//git.infra.mintel.me/api/packages/mmintel/npm/:_authToken=\${NPM_TOKEN}" >> .npmrc && \
+ echo "always-auth=true" >> .npmrc && \
 cd _at-mintel && pnpm install --no-frozen-lockfile && pnpm build && \
 cd /app && pnpm install --no-frozen-lockfile && \
 rm .npmrc
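Review bot: In the `@@ -524` hunk of deploy.yml this is the third copy of the same four `perl` substitutions (the others are at `@@ -159` and `@@ -261`), and the copies already differ: the `@@ -261` one has no tsconfig `sed` line, which may or may not be intentional. Keeping the rewrite in one checked-in script that each job calls would let the next regex fix land once instead of in three places. Only the first copy carries the `# Special case for pdf -> pdf-library` comment; repeating it here, with a word on why the package directory is named differently, would make the second substitution readable on its own.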
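Review bot: The added `always-auth=true` line in the Dockerfile hunk is written unscoped, so it is a global switch rather than a setting tied to the private registry configured on the two lines above it. Only that registry has a token today, but scoping the option keeps it that way if another credential is ever added: `echo "//git.infra.mintel.me/api/packages/mmintel/npm/:always-auth=true" >> .npmrc && \`. `always-auth` is a legacy npm setting, and whether the pnpm version in this image honours it is not visible here, so it is worth confirming with a build that fails without the line. The `RUN` instruction starts above this hunk; both installs in it still use `--no-frozen-lockfile`, so the authenticated install is not held to the lockfile.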