From ec63ce67014b388a3434e8d571dfbface2967b99 Mon Sep 17 00:00:00 2001
From: Le Serjant
Date: Mon, 16 Mar 2026 13:08:11 +0000
Subject: [PATCH 1/2] Use external hostname for container registry push
The Gitea container registry token service scopes tokens to ROOT_URL (git.schick-web.site). Pushing to the internal hostname (git.kimchi) causes auth failures because the token domain doesn't match.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .gitea/workflows/deploy.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 783674c..51947d5 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -5,8 +5,8 @@ on:
 branches: [main]
 env:
- REGISTRY: git.kimchi
- IMAGE: git.kimchi/tas/major_tom
+ REGISTRY: git.schick-web.site
+ IMAGE: git.schick-web.site/tas/major_tom
 NAMESPACE: jnr-web
 DEPLOYMENT: jnr-web
--
2.49.1
From c44ace58042e1ef3cd9176bac193400662e6b1b8 Mon Sep 17 00:00:00 2001
From: Le Serjant
Date: Mon, 16 Mar 2026 13:21:33 +0000
Subject: [PATCH 2/2] Debug container registry auth: test v2 and token endpoints
Revert to git.kimchi, add curl diagnostics to understand why auth fails even after login succeeds.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .gitea/workflows/deploy.yaml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 51947d5..5fbaf77 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -5,8 +5,8 @@ on:
 branches: [main]
 env:
- REGISTRY: git.schick-web.site
- IMAGE: git.schick-web.site/tas/major_tom
+ REGISTRY: git.kimchi
+ IMAGE: git.kimchi/tas/major_tom
 NAMESPACE: jnr-web
 DEPLOYMENT: jnr-web
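Review bot: The `env:` hunk of PATCH 1/2 changes `REGISTRY` and `IMAGE` without recording why, so the constraint described in the commit message (registry tokens scoped to ROOT_URL) exists only in history; the `env:` hunk of PATCH 2/2 then flips both values back, which shows how easily that gets lost. A comment above `REGISTRY` would keep the reason next to the value, for example `# Registry host must match Gitea ROOT_URL; registry tokens are scoped to that domain`. `IMAGE` repeats the same host, so a second comment such as `# Keep the host part identical to REGISTRY` would help whoever edits one line and not the other.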
@@ -30,6 +30,16 @@ jobs:
 CREDS="${{ secrets.REGISTRY_USER }}:${{ secrets.REGISTRY_PASSWORD }}"
+ echo "=== debug: test v2 endpoint ==="
+ curl -sk https://git.kimchi/v2/ || true
+ echo ""
+ echo "=== debug: test v2 auth ==="
+ curl -sk -u "$CREDS" https://git.kimchi/v2/ || true
+ echo ""
+ echo "=== debug: test token endpoint ==="
+ curl -sk -u "$CREDS" "https://git.kimchi/v2/token?scope=repository:tas/major_tom:push,pull&service=container_registry" || true
+ echo ""
+ echo "=== buildah push tag ==="
 buildah push --tls-verify=false --creds "$CREDS" "$IMAGE_TAG"
--
2.49.1
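Review bot: The third added `curl` writes the response body of `/v2/token` to the job log, and a registry token endpoint normally answers with a bearer token for the requested `push,pull` scope; log masking is keyed on the configured secrets, so a freshly issued token would likely show up in clear. The status code is enough to diagnose the auth failure, e.g. `curl -sk -o /dev/null -w '%{http_code}\n' -u "$CREDS" "https://git.kimchi/v2/token?scope=repository:tas/major_tom:push,pull&service=container_registry" || true`. The two calls that pass `-u "$CREDS"` also use `-k`, so the registry credentials are sent as basic auth to a host whose certificate is never checked; `--cacert <path-to-internal-CA>` would keep the diagnostics without that exposure. The `run:` script these lines belong to starts and ends outside the hunk. Since the workflow runs on pushes to `main`, the debug lines are worth removing once the cause is found.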