Merge pull request 'ci(auth): add Grype scan step; document provenance/sbom OCI limitation (CAR-1446)' (#53) from dev into uat

ci(auth): promote CAR-1446 Grype scan + dep fix to uat (PR #53)

Merges dev→uat: adds Grype supply-chain scan between Build and Push,
documents OCI referrers limitation with HTTP 404 proof, and patches
three HIGH transitive CVEs in better-auth deps (defu, kysely) via
npm overrides.

QA APPROVED (cs_charlie, review 4846). Security reviewed (Stockboy Steve).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.gitea/workflows/ci.yml

@@ -67,11 +67,31 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
+      - name: Scan Docker image
+        uses: anchore/scan-action@v5
+        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
       - name: Push Docker image
         uses: docker/build-push-action@v6
         with:
           context: .
           push: true
+          # CAR-1446: git.farh.net does not implement the OCI referrers API.
+          # Verified 2026-06-23: GET /v2/cartsnitch/auth/referrers/{digest} →
+          # HTTP 404 "page not found" (plain proxy 404, not an OCI error — the path
+          # does not exist in this Gitea registry version). OCI Distribution Spec
+          # >=1.1 is required for provenance/SBOM attestation manifests; without it
+          # the docker/build-push-action would fail at the attestation PUT.
+          # Compensating control: the Grype scan step above fails the build on any
+          # unfixed HIGH-severity CVE before the image reaches the registry.
           provenance: false
           sbom: false
           tags: ${{ steps.meta.outputs.tags }}