From 88952a465190c58a157aff52fc831be180dfb0b3 Mon Sep 17 00:00:00 2001
From: Barcode Betty <32+cs_betty@noreply.git.farh.net>
Date: Tue, 23 Jun 2026 02:50:37 +0000
Subject: [PATCH] ci(auth): update CAR-1446 comment with empirical OCI referrers proof

---
 .gitea/workflows/ci.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index fc237e8..07de451 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -84,11 +84,14 @@ jobs:
 with:
 context: .
 push: true
- # CAR-1446: git.farh.net does not support OCI referrers (distribution spec
- # >=1.1 required for attestation push). Enabling provenance:true/sbom:true
- # would cause the push to fail on the referrer PUT. The Grype scan step
- # above is the compensating control — it fails the build on any unfixed
- # high-severity CVE before the image reaches the registry.
+ # CAR-1446: git.farh.net does not implement the OCI referrers API.
+ # Verified 2026-06-23: GET /v2/cartsnitch/auth/referrers/{digest} →
+ # HTTP 404 "page not found" (plain proxy 404, not an OCI error — the path
+ # does not exist in this Gitea registry version). OCI Distribution Spec
+ # >=1.1 is required for provenance/SBOM attestation manifests; without it
+ # the docker/build-push-action would fail at the attestation PUT.
+ # Compensating control: the Grype scan step above fails the build on any
+ # unfixed HIGH-severity CVE before the image reaches the registry.
 provenance: false
 sbom: false
 tags: ${{ steps.meta.outputs.tags }}
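Review bot: The new "Compensating control" sentence still presents the Grype scan as covering the loss of provenance/SBOM attestations, but a vulnerability scan and build-provenance/SBOM attestations address different risks (known CVEs in the image versus a verifiable record of how and from what the image was built), so the residual gap should be stated rather than left implied closed. Suggest appending to the comment block: `# Note: no provenance/SBOM attestation is published for this image, so consumers cannot verify build origin from the registry; revisit when the referrers API becomes available.` The empirical note is only as strong as its version reference — "this Gitea registry version" should name the version actually tested (e.g. `# Verified against Gitea <VERSION-PLACEHOLDER>`) so the check can be re-run on upgrade, and since a plain proxy 404 is also consistent with a proxy routing rule rather than a missing endpoint, that inference may be worth hedging in the comment. The enclosing step and its `with:` mapping start before the hunk.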