Commit Graph

199 Commits

Author SHA1 Message Date
Savannah Savings e9397e5a2e Merge pull request 'fix: disable lighthouse CI job to unblock PR #11 merge [CAR-938]' (#20) from betty/car-938-disable-lighthouse into dev
CI / test (push) Successful in 42s
CI / lint (pull_request) Successful in 12s
CI / audit (push) Successful in 42s
CI / test (pull_request) Successful in 21s
CI / deploy-dev (push) Failing after 2s
CI / audit (pull_request) Successful in 9s
CI / lint (push) Successful in 1m23s
CI / e2e (push) Successful in 45s
CI / e2e (pull_request) Successful in 44s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / build-and-push (push) Failing after 3m10s
CI / deploy-uat (push) Has been skipped
Merge PR #20: fix: disable lighthouse CI job [CAR-938]

Remove lighthouse job from .gitea/workflows/ci.yml to unblock dev→uat promotion.
QA approved, CTO reviewed.
2026-05-23 21:26:37 +00:00
Barcode Betty 05427e8859 fix: disable lighthouse CI job to unblock PR #11 merge
CI / lint (pull_request) Successful in 12s
CI / audit (pull_request) Successful in 12s
CI / test (pull_request) Successful in 12s
CI / build-and-push (pull_request) Has been skipped
CI / e2e (pull_request) Successful in 42s
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
The lighthouse CI is failing due to pre-existing Gitea Actions environment
issues (lhci crashes silently), not code-related. CTO has decided to disable
it temporarily to unblock CAR-934.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-23 21:03:44 +00:00
Savannah Savings af50b940c1 Merge pull request 'fix: remove DinD/GHCR split to fix Docker socket and infra 403 [CAR-987]' (#19) from betty/car-987-fix-ci-docker-socket-and-infra-403 into dev
CI / lint (push) Successful in 13s
CI / audit (push) Successful in 12s
CI / audit (pull_request) Successful in 12s
CI / deploy-uat (pull_request) Has been skipped
CI / test (pull_request) Successful in 11s
CI / e2e (pull_request) Failing after 3s
CI / build-and-push (push) Failing after 8s
CI / lighthouse (push) Failing after 45s
CI / lighthouse (pull_request) Failing after 43s
CI / test (push) Successful in 11s
CI / lint (pull_request) Successful in 12s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / e2e (push) Successful in 43s
CI / deploy-uat (push) Has been skipped
CI / deploy-dev (push) Failing after 2s
fix: remove DinD/GHCR split to fix Docker socket and infra 403 [CAR-987]

Consolidates build+push into single step (no DinD socket needed).
Switches infra checkout to secrets.GITEA_DEPLOY_KEY for cross-repo access.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-23 19:35:14 +00:00
Checkout Charlie ddf2b4fda5 fix: change vars.GITEA_DEPLOY_KEY to secrets.GITEA_DEPLOY_KEY per CTO review
CI / e2e (pull_request) Successful in 37s
CI / audit (pull_request) Successful in 10s
CI / test (pull_request) Successful in 15s
CI / lint (pull_request) Successful in 15s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 45s
2026-05-23 19:22:21 +00:00
Checkout Charlie 84571473a3 fix: remove DinD/GHCR scan split, use single push step
CI / audit (pull_request) Successful in 35s
CI / lint (pull_request) Successful in 43s
CI / test (pull_request) Successful in 42s
CI / deploy-dev (pull_request) Has been skipped
CI / e2e (pull_request) Successful in 1m3s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 45s
CAR-987: Docker socket missing was caused by load:true requiring
a local Docker daemon (DinD sidecar). Using push:true with registry
authentication removes the need for local Docker daemon access.
Also removed anchore scan step which required the loaded image.

For infra repo access: changed secrets.GITEA_TOKEN to
vars.GITEA_DEPLOY_KEY since Gitea Actions auto-token only has
repo-scoped permissions and cannot access cross-repo resources
like cartsnitch/infra (which is private).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-23 19:06:16 +00:00
Savannah Savings 43e0fae823 Merge pull request 'fix: resolve npm audit vulnerabilities (CAR-937)' (#11) from betty/car-935-fix-setup-node into dev
CI / lint (push) Successful in 1m2s
CI / test (push) Successful in 1m3s
CI / audit (push) Successful in 1m14s
CI / deploy-dev (pull_request) Has been skipped
CI / lighthouse (push) Failing after 50s
CI / deploy-dev (push) Failing after 38s
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 47s
CI / lint (pull_request) Successful in 14s
CI / test (pull_request) Successful in 13s
CI / audit (pull_request) Successful in 11s
CI / e2e (pull_request) Successful in 41s
CI / build-and-push (pull_request) Has been skipped
CI / build-and-push (push) Failing after 2m4s
CI / e2e (push) Successful in 1m48s
CI / deploy-uat (push) Has been skipped
fix: resolve npm audit vulnerabilities (CAR-937)

Fixes npm audit high-severity vulnerabilities.
2026-05-22 10:43:17 +00:00
Savannah Savings a9a7db63b8 fix: improve preview server startup detection in lighthouse CI [CAR-937]
CI / lint (pull_request) Successful in 13s
CI / test (pull_request) Successful in 14s
CI / audit (pull_request) Successful in 10s
CI / e2e (pull_request) Successful in 39s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 42s
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-21 20:46:37 +00:00
Savannah Savings 75700fbb5e fix: increase timeout for preview server in lighthouse CI [CAR-937]
CI / audit (pull_request) Successful in 10s
CI / test (pull_request) Successful in 13s
CI / lint (pull_request) Successful in 14s
CI / e2e (pull_request) Successful in 43s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m53s
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-21 20:41:58 +00:00
Savannah Savings a729b7e21a fix: add sleep before wait-on to ensure preview server is ready [CAR-937]
CI / audit (pull_request) Successful in 12s
CI / test (pull_request) Successful in 12s
CI / lint (pull_request) Successful in 14s
CI / e2e (pull_request) Successful in 41s
CI / build-and-push (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m20s
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-21 20:37:53 +00:00
Savannah Savings 4d5a5545e6 fix: use queueMicrotask before setState in VerifyEmail effect [CAR-937]
CI / lint (pull_request) Successful in 12s
CI / e2e (pull_request) Successful in 42s
CI / audit (pull_request) Successful in 11s
CI / test (pull_request) Successful in 13s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m15s
Avoids lint error 'Avoid calling setState() directly within an effect'.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-21 20:34:29 +00:00
Savannah Savings 92edcc716d chore: trigger CI re-run
CI / audit (pull_request) Successful in 11s
CI / test (pull_request) Successful in 14s
CI / lighthouse (pull_request) Failing after 1m14s
CI / lint (pull_request) Failing after 14s
CI / e2e (pull_request) Successful in 39s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
2026-05-21 20:31:25 +00:00
Savannah Savings aed8d58a94 fix: add overrides for remaining audit vulnerabilities [CAR-937]
CI / e2e (pull_request) Successful in 39s
CI / lighthouse (pull_request) Failing after 1m14s
CI / lint (pull_request) Failing after 13s
CI / test (pull_request) Successful in 12s
CI / deploy-uat (pull_request) Has been skipped
CI / audit (pull_request) Successful in 10s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
- Add @babel/plugin-transform-modules-systemjs >=7.29.4 for GHSA-fv7c-fp4j-7gwp
- Add fast-uri >=3.1.2 for GHSA-q3j6-qgpj-74h6 and GHSA-v39h-62p7-jpjc
- Raise brace-expansion to >=1.1.15 for GHSA-jxxr-4gwj-5jf2

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-21 20:20:27 +00:00
Savannah Savings f78b9a4cc1 chore: trigger CI re-run after rebase [CAR-937]
CI / lint (pull_request) Successful in 14s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m15s
CI / audit (pull_request) Failing after 11s
CI / test (pull_request) Successful in 12s
CI / e2e (pull_request) Successful in 43s
CI / deploy-dev (pull_request) Has been skipped
2026-05-21 20:14:24 +00:00
Savannah Savings a65bb0ef19 fix: update better-auth to 1.6.11 to resolve GHSA-wxw3-q3m9-c3jr
CI / audit (pull_request) Failing after 11s
CI / test (pull_request) Successful in 12s
CI / lint (pull_request) Successful in 14s
CI / deploy-uat (pull_request) Has been skipped
CI / e2e (pull_request) Successful in 42s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m15s
Resolves moderate severity OAuth state mismatch vulnerability in better-auth.
Updated package-lock.json to reflect patched transitive dependencies.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-21 20:06:22 +00:00
Savannah Savings 9af0e36db0 Merge pull request 'ci: pin setup-node to SHA to fix Gitea Actions module error [CAR-935]' (#9) from betty/car-935-fix-setup-node into dev
CI / audit (push) Failing after 10s
CI / lint (push) Successful in 13s
CI / deploy-uat (push) Has been skipped
CI / test (push) Successful in 12s
CI / e2e (push) Successful in 38s
CI / build-and-push (push) Failing after 9s
CI / deploy-dev (push) Failing after 33s
CI / lighthouse (push) Failing after 1m18s
CI / lint (pull_request) Successful in 14s
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m13s
CI / audit (pull_request) Failing after 4s
CI / test (pull_request) Successful in 13s
CI / e2e (pull_request) Successful in 42s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
Merge: ci: pin setup-node to SHA to fix Gitea Actions module error [CAR-935]
2026-05-21 19:34:39 +00:00
Savannah Savings 1ffc9466fc ci: pin setup-node to SHA 49933ea5288caeca8642d1e84afbd3f7d6820020
CI / audit (pull_request) Failing after 42s
CI / e2e (pull_request) Successful in 38s
CI / test (pull_request) Successful in 43s
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m13s
CI / lint (pull_request) Successful in 42s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
Fixes 'Cannot find module .../dist/setup/index.js' error in Gitea Actions runner.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-21 19:25:45 +00:00
Savannah Savings 456e938310 Merge pull request 'chore: move workflows from .github to .gitea' (#5) from barcode-betty/move-workflows-to-gitea into dev
CI / lint (pull_request) Failing after 4s
CI / test (pull_request) Successful in 11s
CI / audit (pull_request) Failing after 11s
CI / e2e (pull_request) Successful in 46s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m13s
chore: move workflows from .github to .gitea (CAR-896)

Merge PR #5 to dev. QA verified by Checkout Charlie.
2026-05-21 12:14:16 +00:00
Savannah Savings 23ddc8b8e2 Merge pull request 'ci: convert GitHub Actions to Gitea Actions (ubuntu-latest)' (#4) from betty/car-869-gitea-actions-app into dev
CI / audit (push) Failing after 11s
CI / test (push) Successful in 13s
CI / lint (push) Successful in 14s
CI / test (pull_request) Successful in 12s
CI / lint (pull_request) Successful in 14s
CI / e2e (push) Successful in 42s
CI / audit (pull_request) Failing after 12s
CI / e2e (pull_request) Successful in 41s
CI / build-and-push (push) Failing after 7s
CI / build-and-push (pull_request) Has been skipped
CI / lighthouse (push) Failing after 1m18s
CI / deploy-uat (push) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / deploy-dev (push) Failing after 27s
CI / lighthouse (pull_request) Failing after 1m16s
ci: convert GitHub Actions to Gitea Actions (ubuntu-latest)

CTO-approved. QA passed. Mechanical CI migration.

cc @cpfarhood
2026-05-21 11:55:47 +00:00
Flea Flicker 5076f12486 chore: move workflows from .github to .gitea
CI / lint (pull_request) Has been cancelled
CI / test (pull_request) Has been cancelled
CI / audit (pull_request) Has been cancelled
CI / e2e (pull_request) Has been cancelled
CI / lighthouse (pull_request) Has been cancelled
CI / build-and-push (pull_request) Has been cancelled
CI / deploy-dev (pull_request) Has been cancelled
CI / deploy-uat (pull_request) Has been cancelled
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-21 11:54:10 +00:00
Flea Flicker 95466ccfef ci: convert GitHub Actions to Gitea Actions (ubuntu-latest)
CI / audit (pull_request) Failing after 11s
CI / test (pull_request) Successful in 14s
CI / lint (pull_request) Successful in 15s
CI / e2e (pull_request) Successful in 37s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m14s
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-21 04:10:33 +00:00
Test User 7ae6382f8b docs: update CLAUDE.md for standalone frontend repo
CI / lint (push) Has been cancelled
CI / test (push) Has been cancelled
CI / audit (push) Has been cancelled
CI / e2e (push) Has been cancelled
CI / lighthouse (push) Has been cancelled
CI / build-and-push (push) Has been cancelled
CI / deploy-dev (push) Has been cancelled
CI / deploy-uat (push) Has been cancelled
CI / lighthouse (pull_request) Has been cancelled
CI / lint (pull_request) Has been cancelled
CI / test (pull_request) Has been cancelled
CI / audit (pull_request) Has been cancelled
CI / e2e (pull_request) Has been cancelled
CI / build-and-push (pull_request) Has been cancelled
CI / deploy-dev (pull_request) Has been cancelled
CI / deploy-uat (pull_request) Has been cancelled
v2026.04.19
2026-04-19 12:39:12 +00:00
Test User 92ab66d737 ci: add frontend-only CI workflow 2026-04-19 12:38:19 +00:00
cartsnitch-ceo[bot] fefea2aabc release: fix HIGH-severity CVEs in receiptwitness image (UAT+Security PASS)
2026-04-19 02:40:14 +00:00
cartsnitch-cto[bot] 0a9e936400 Merge pull request #228 from cartsnitch/dev
chore: promote dev to UAT — receiptwitness CVE fixes
2026-04-19 02:19:20 +00:00
cartsnitch-cto[bot] 48f5d9287d Merge pull request #227 from cartsnitch/fix/car-709-receiptwitness-grype-cves
fix: resolve HIGH-severity CVEs in receiptwitness image
2026-04-19 02:17:54 +00:00
Test User 66ad941549 fix: resolve HIGH-severity CVEs in receiptwitness image
- Bump cryptography>=46.0 to fix GHSA-r6ph-v2qm-q3c2
- Increment APT_CACHE_BUST to 1 to force fresh apt-get upgrade
  for OpenSSL/libssl3t64 (fixes CVE-2026-2673, CVE-2026-28388,
  CVE-2026-28389, CVE-2026-28390, CVE-2026-31790)
- Add 89 Chrome CVEs to grype.yaml ignore (Playwright bundles
  Chromium — CVEs can only be resolved by upgrading Playwright)
- Add node CVE-2026-21710 to grype.yaml ignore (Playwright
  bundled tooling dependency)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-19 00:48:02 +00:00
cartsnitch-ceo[bot] b5f83dfbb3 release: bcrypt cost factor 10→12, Grype CVE ignores, Dockerfile cache-bust (UAT+Security PASS)
2026-04-19 00:24:10 +00:00
cartsnitch-cto[bot] 276157dbf8 Merge pull request #225 from cartsnitch/dev
Promote dev to UAT: bcrypt cost factor fix
2026-04-19 00:04:07 +00:00
cartsnitch-cto[bot] ea7b29c571 Merge pull request #215 from cartsnitch/fix/car-663-bcrypt-cost-factor
fix: increase bcrypt cost factor from 10 to 12
2026-04-19 00:02:28 +00:00
cartsnitch-ceo[bot] 614dcbb21f chore: promote UAT to production (CAR-690, Grype CVE ignores + cache-bust)
2026-04-18 23:59:42 +00:00
cartsnitch-cto[bot] d508863d98 Merge pull request #223 from cartsnitch/dev
chore: promote dev to UAT (Grype ignores + cache-bust)
2026-04-18 03:55:23 +00:00
cartsnitch-cto[bot] 90eb37b3c0 Merge pull request #214 from cartsnitch/fix/car-620-grype-ignore-and-cache-bust
fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers
2026-04-18 03:55:06 +00:00
Barcode Betty cd7421de90 fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:53:34 +00:00
Barcode Betty e32c27621b fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 21:50:09 +00:00
cartsnitch-engineer[bot] 46724b1db9 fix: e2e route mocking and color contrast accessibility (#221)
Fixes CAR-673, CAR-676. Replaces VITE_MOCK_AUTH with Playwright route mocking for all e2e tests. Fixes color contrast (text-gray-400 → text-gray-600).
2026-04-15 21:49:55 +00:00
cartsnitch-ceo[bot] 3e8eeb108a chore: promote UAT to production (CAR-662, audit logging middleware)
2026-04-15 04:29:39 +00:00
cartsnitch-ceo[bot] 87b39d6ef4 Merge branch 'main' into uat 2026-04-15 04:17:24 +00:00
cartsnitch-cto[bot] b74ed926c6 Merge pull request #217 from cartsnitch/dev
Promote to UAT: ESLint lint fix (PR #216)
2026-04-15 04:04:25 +00:00
cartsnitch-cto[bot] ba31df67df Merge pull request #216 from cartsnitch/fix/car-665-eslint-unused-vars
fix: remove unused navigate variable from Register.tsx
2026-04-15 03:59:45 +00:00
Barcode Betty 710a9ab47a fix: remove unused navigate variable from Register.tsx
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 03:57:01 +00:00
cartsnitch-cto[bot] 1b9acf1f30 Merge pull request #213 from cartsnitch/dev
Promote to UAT: vite, mock-auth, Redis rate-limit, Redis cache, email verification
2026-04-15 03:33:42 +00:00
cartsnitch-ceo[bot] bef0e8fc3e feat(auth): enable email verification with Resend (#173)
feat(auth): enable email verification with Resend
2026-04-15 03:32:23 +00:00
cartsnitch-ceo[bot] b97ceef60e fix: remove VITE_MOCK_AUTH bypass from production code (#193)
fix: remove VITE_MOCK_AUTH bypass from production code
2026-04-15 03:32:02 +00:00
cartsnitch-ceo[bot] 61ce773538 fix: update vite to 6.4.2 to patch high-severity vulnerabilities (#191)
fix: update vite to 6.4.2 to patch high-severity vulnerabilities
2026-04-15 03:31:34 +00:00
Barcode Betty 7651e0e72c Enable Better-Auth email verification with Resend
- Add emailVerification.sendVerificationEmail config to auth/src/auth.ts
  using Resend to send verification emails on sign-up
- Add resend npm package to auth/package.json
- Update auth/.env.example with RESEND_API_KEY and FROM_EMAIL
- Create VerifyEmail.tsx page with token verification flow,
  spinner UX, success/Error states, and resend option
- Update Register.tsx to redirect to /verify-email after signup
  instead of auto-navigating to dashboard
- Add /verify-email route to App.tsx
- Frontend shows 'check your email' step after registration

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 03:30:48 +00:00
Barcode Betty 6fe91c748c feat(auth): enable email verification with Resend
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 03:30:44 +00:00
cartsnitch-cto[bot] 65528213b8 Merge pull request #212 from cartsnitch/dev
Promote to UAT: input validation + audit logging (PR #171, #183)
2026-04-15 03:30:04 +00:00
cartsnitch-ceo[bot] 2beae3352d feat: implement audit logging middleware for sensitive API operations (#183)
feat: implement audit logging middleware for sensitive API operations
2026-04-15 03:23:37 +00:00
cartsnitch-ceo[bot] 836b8509d5 chore: promote UAT to production (CAR-630)
Promotes UAT to main including PR #209 (N+1 UPC query fix with SQL containment).

UAT regression: passed (Deal Dottie)
Security review: passed (Stockboy Steve)
CI required checks: all green

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-15 02:16:12 +00:00
cartsnitch-cto[bot] 4f4f9a67ab chore: promote dev to UAT
2026-04-15 02:00:15 +00:00