cartsnitch/auth
12
0
Fork 1
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'ci(auth): add Grype scan step; document provenance/sbom OCI limitation (CAR-1446)' (#53) from dev into uat
CI / deploy-uat (pull_request) Has been skipped
Details
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / build-and-push (push) Successful in 33s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Successful in 6s
Details

Browse Source 
ci(auth): promote CAR-1446 Grype scan + dep fix to uat (PR #53)

Merges dev→uat: adds Grype supply-chain scan between Build and Push,
documents OCI referrers limitation with HTTP 404 proof, and patches
three HIGH transitive CVEs in better-auth deps (defu, kysely) via
npm overrides.

QA APPROVED (cs_charlie, review 4846). Security reviewed (Stockboy Steve).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit was merged in pull request #53.
This commit is contained in:
Barcode Betty
2026-06-23 03:55:28 +00:00
parent f99dc97528 92015fc5e9
commit 9c15e29aa9
3 changed files with 32 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/ci.yml
+20
View File
@@ -67,11 +67,31 @@ jobs:
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }} labels: ${{ steps.meta.outputs.labels }}
- name: Scan Docker image
uses: anchore/scan-action@v5
id: scan
env:
GRYPE_CONFIG: .grype.yaml
with:
image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
fail-build: true
severity-cutoff: high
only-fixed: "true"
output-format: sarif
- name: Push Docker image - name: Push Docker image
uses: docker/build-push-action@v6 uses: docker/build-push-action@v6
with: with:
context: . context: .
push: true push: true
# CAR-1446: git.farh.net does not implement the OCI referrers API.
# Verified 2026-06-23: GET /v2/cartsnitch/auth/referrers/{digest} →
# HTTP 404 "page not found" (plain proxy 404, not an OCI error — the path
# does not exist in this Gitea registry version). OCI Distribution Spec
# >=1.1 is required for provenance/SBOM attestation manifests; without it
# the docker/build-push-action would fail at the attestation PUT.
# Compensating control: the Grype scan step above fails the build on any
# unfixed HIGH-severity CVE before the image reaches the registry.
provenance: false provenance: false
sbom: false sbom: false
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
package-lock.json
Generated
+6 -6
View File
@@ -818,9 +818,9 @@
} }
}, },
"node_modules/defu": { "node_modules/defu": {
"version": "6.1.4", "version": "6.1.7",
"resolved": "https://registry.npmjs.org/defu/-/defu-6.1.4.tgz", "resolved": "https://registry.npmjs.org/defu/-/defu-6.1.7.tgz",
"integrity": "sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==", "integrity": "sha512-7z22QmUWiQ/2d0KkdYmANbRUVABpZ9SNYyH5vx6PZ+nE5bcC0l7uFvEfHlyld/HcGBFTL536ClDt3DEcSlEJAQ==",
"license": "MIT" "license": "MIT"
}, },
"node_modules/esbuild": { "node_modules/esbuild": {
@@ -909,9 +909,9 @@
} }
}, },
"node_modules/kysely": { "node_modules/kysely": {
"version": "0.28.14", "version": "0.28.17",
"resolved": "https://registry.npmjs.org/kysely/-/kysely-0.28.14.tgz", "resolved": "https://registry.npmjs.org/kysely/-/kysely-0.28.17.tgz",
"integrity": "sha512-SU3lgh0rPvq7upc6vvdVrCsSMUG1h3ChvHVOY7wJ2fw4C9QEB7X3d5eyYEyULUX7UQtxZJtZXGuT6U2US72UYA==", "integrity": "sha512-nbD8lB9EB3wNdMhOCdx5Li8DxnLbvKByylRLcJ1h+4SkrowVeECAyZlyiKMThF7xFdRz0jSQ2MoJr+wXux2y0Q==",
"license": "MIT", "license": "MIT",
"engines": { "engines": {
"node": ">=20.0.0" "node": ">=20.0.0"
package.json
+5
View File
@@ -21,5 +21,10 @@
"@types/pg": "^8.11.0", "@types/pg": "^8.11.0",
"tsx": "^4.19.0", "tsx": "^4.19.0",
"typescript": "^5.7.0" "typescript": "^5.7.0"
},
"overrides": {
"picomatch": "^4.0.4",
"defu": "^6.1.5",
"kysely": "^0.28.17"
} }
} }