From d212078420ecf8ba8dc9f7ef85bf4dd76094db6d Mon Sep 17 00:00:00 2001
From: b3nw <b3nw@duck.com>
Date: Sat, 25 Apr 2026 00:58:43 +0000
Subject: [PATCH] fix(ci): install git in builder and pass token for private
 dependency

The builder image needs git to clone the schwab-scraper SSH dependency.
Uses git insteadOf to redirect SSH URLs to HTTPS with CR_PAT in CI.
---
 .gitea/workflows/build.yaml |  2 ++
 Dockerfile                  | 10 ++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
index 56d4a7a..86da3d0 100644
--- a/.gitea/workflows/build.yaml
+++ b/.gitea/workflows/build.yaml
@@ -28,3 +28,5 @@ jobs:
           context: .
           push: true
           tags: gitea.ext.ben.io/${{ gitea.repository }}:latest
+          build-args: |
+            GIT_TOKEN=${{ secrets.CR_PAT }}
diff --git a/Dockerfile b/Dockerfile
index c1b3ff9..82f398c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,13 +2,19 @@ FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim AS builder
 
 ENV UV_COMPILE_BYTECODE=1 UV_LINK_MODE=copy
 
+RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*
+
 WORKDIR /app
 
-# Copy dependency files and install
+ARG GIT_TOKEN=""
+RUN if [ -n "$GIT_TOKEN" ]; then \
+      git config --global url."https://${GIT_TOKEN}@gitea.ext.ben.io/".insteadOf "ssh://gitea@git.local.ben.io/" && \
+      git config --global --add url."https://${GIT_TOKEN}@gitea.ext.ben.io/".insteadOf "ssh://git.local.ben.io/"; \
+    fi
+
 COPY pyproject.toml uv.lock ./
 RUN uv sync --frozen --no-dev --no-install-project
 
-# Copy project files
 COPY . .
 RUN uv sync --frozen --no-dev