fix(ci): publish images with registry bearer token

2026-06-14 15:16:52 +02:00
parent 5ac4c453b8
commit 9020670bb3
1 changed files with 22 additions and 6 deletions
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -17,6 +17,7 @@ jobs:
      - name: Build OCI image
        shell: bash -l {0}
        run: |
+          set -euo pipefail
          nix build .#docker \
            --accept-flake-config \
            --option lazy-trees false \
@@ -27,14 +28,27 @@ jobs:
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
        run: |
+          set -euo pipefail
          SHA=$(git rev-parse --short HEAD)
-          skopeo copy docker-archive:result \
-            "docker://gitea.coulomb.social/coulomb/inter-hub:${SHA}" \
-            --dest-creds "tegwick:${GITEA_TOKEN}"
+          TOKEN=$(
+            curl -fsS \
+              "https://gitea.coulomb.social/v2/token?service=container_registry&scope=repository:coulomb/inter-hub:push,pull" \
+              -u "tegwick:${GITEA_TOKEN}" \
+              | awk -F'"' '/token/{print $4}'
+          )
+          if [ -z "${TOKEN}" ]; then
+            echo "Failed to obtain Gitea registry token" >&2
+            exit 1
+          fi
+          skopeo copy --insecure-policy \
+            --dest-registry-token "${TOKEN}" \
+            docker-archive:result \
+            "docker://gitea.coulomb.social/coulomb/inter-hub:${SHA}"
          # Also tag as latest
-          skopeo copy docker-archive:result \
-            "docker://gitea.coulomb.social/coulomb/inter-hub:latest" \
-            --dest-creds "tegwick:${GITEA_TOKEN}"
+          skopeo copy --insecure-policy \
+            --dest-registry-token "${TOKEN}" \
+            docker-archive:result \
+            "docker://gitea.coulomb.social/coulomb/inter-hub:latest"
          echo "Pushed inter-hub:${SHA} and inter-hub:latest"

      - name: Deploy to Railiance01
@@ -42,6 +56,7 @@ jobs:
        env:
          KUBECONFIG: ${{ secrets.RAILIANCE01_KUBECONFIG }}
        run: |
+          set -euo pipefail
          SHA=$(git rev-parse --short HEAD)
          helm upgrade --install inter-hub deploy/helm/inter-hub \
            --namespace inter-hub --create-namespace \
@@ -50,6 +65,7 @@ jobs:

      - name: Smoke test
        run: |
+          set -euo pipefail
          # Give the new pod time to start
          sleep 15
          curl -sf --retry 5 --retry-delay 5 https://hub.coulomb.social/ \