cartsnitch/auth
12
0
Fork 1
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: cartsnitch/auth:car-1436-fix-deploy-jq-title
Branches Tags
cartsnitch/auth:main cartsnitch/auth:uat cartsnitch/auth:dev cartsnitch/auth:barcode-betty/car-1428-revert-deploy-base cartsnitch/auth:car-1436-uat-merge-resolved cartsnitch/auth:car-1438-graceful-exit-fix cartsnitch/auth:car-1436-fix-deploy-jq-title cartsnitch/auth:betty/car-1423-two-stage-build cartsnitch/auth:betty/car-1423-disable-provenance cartsnitch/auth:car-1373-uat-merge-resolved cartsnitch/auth:betty/car-1237-fix-uat-ci cartsnitch/auth:cs_savannah/car-1147-ci-infra-checkout cartsnitch/auth:betty/remove-deploy-jobs cartsnitch/auth:betty/car-1034-trustedorigins-fix cartsnitch/auth:car-1023-use-registry-token cartsnitch/auth:betty/car-1027-trustedorigins-fix cartsnitch/auth:car-994-fix-docker-login cartsnitch/auth:betty/fix-docker-login cartsnitch/auth:car-959-gitea-registry cartsnitch/auth:betty/car-964-gitea-registry-v2 cartsnitch/auth:barcode-betty/gitea-registry cartsnitch/auth:barcode-betty/car-959-gitea-registry cartsnitch/auth:barcode-betty/car-931-ghcr-auth cartsnitch/auth:barcode-betty/move-workflows-to-gitea cartsnitch/auth:betty/car-892-gitea-actions-ghcr-auth cartsnitch/auth:betty/car-869-gitea-actions-auth cartsnitch/auth:add-ci-grype
cartsnitch/auth:v2026.06.23.3 cartsnitch/auth:v2026.06.23.2 cartsnitch/auth:v2026.06.23 cartsnitch/auth:v2026.06.07 cartsnitch/auth:v2026.06.05.2 cartsnitch/auth:v2026.06.05 cartsnitch/auth:v2026.04.22 cartsnitch/auth:v2026.04.21
...
pull from: cartsnitch/auth:main
Branches Tags
cartsnitch/auth:main cartsnitch/auth:uat cartsnitch/auth:dev cartsnitch/auth:barcode-betty/car-1428-revert-deploy-base cartsnitch/auth:car-1436-uat-merge-resolved cartsnitch/auth:car-1438-graceful-exit-fix cartsnitch/auth:car-1436-fix-deploy-jq-title cartsnitch/auth:betty/car-1423-two-stage-build cartsnitch/auth:betty/car-1423-disable-provenance cartsnitch/auth:car-1373-uat-merge-resolved cartsnitch/auth:betty/car-1237-fix-uat-ci cartsnitch/auth:cs_savannah/car-1147-ci-infra-checkout cartsnitch/auth:betty/remove-deploy-jobs cartsnitch/auth:betty/car-1034-trustedorigins-fix cartsnitch/auth:car-1023-use-registry-token cartsnitch/auth:betty/car-1027-trustedorigins-fix cartsnitch/auth:car-994-fix-docker-login cartsnitch/auth:betty/fix-docker-login cartsnitch/auth:car-959-gitea-registry cartsnitch/auth:betty/car-964-gitea-registry-v2 cartsnitch/auth:barcode-betty/gitea-registry cartsnitch/auth:barcode-betty/car-959-gitea-registry cartsnitch/auth:barcode-betty/car-931-ghcr-auth cartsnitch/auth:barcode-betty/move-workflows-to-gitea cartsnitch/auth:betty/car-892-gitea-actions-ghcr-auth cartsnitch/auth:betty/car-869-gitea-actions-auth cartsnitch/auth:add-ci-grype
cartsnitch/auth:v2026.06.23.3 cartsnitch/auth:v2026.06.23.2 cartsnitch/auth:v2026.06.23 cartsnitch/auth:v2026.06.07 cartsnitch/auth:v2026.06.05.2 cartsnitch/auth:v2026.06.05 cartsnitch/auth:v2026.04.22 cartsnitch/auth:v2026.04.21

46 Commits
car-1436-fix-deploy-jq-title ... main

Author SHA1 Message Date
Barcode Betty d5ec25e91b Merge pull request 'ci(auth): add Grype scan + defu/kysely CVE bumps (CAR-1446) [uat→main]' (#55) from uat into main
CI / build-and-push (push) Successful in 30s
Details
CI / deploy-dev (push) Successful in 6s
Details
CI / deploy-uat (push) Successful in 6s
Details 
ci(auth): add Grype scan + defu/kysely CVE bumps (CAR-1446) [uat→main]
 2026-06-23 04:14:02 +00:00
Barcode Betty 9c15e29aa9 Merge pull request 'ci(auth): add Grype scan step; document provenance/sbom OCI limitation (CAR-1446)' (#53) from dev into uat
CI / build-and-push (push) Successful in 33s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Successful in 6s
Details
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details 
ci(auth): promote CAR-1446 Grype scan + dep fix to uat (PR #53)

Merges dev→uat: adds Grype supply-chain scan between Build and Push,
documents OCI referrers limitation with HTTP 404 proof, and patches
three HIGH transitive CVEs in better-auth deps (defu, kysely) via
npm overrides.

QA APPROVED (cs_charlie, review 4846). Security reviewed (Stockboy Steve).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-23 03:55:28 +00:00
Barcode Betty 92015fc5e9 fix(deps): regenerate lockfile with defu 6.1.7, kysely 0.28.17 (CAR-1446)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
CI / build-and-push (push) Successful in 36s
Details
CI / deploy-uat (push) Has been skipped
Details
CI / deploy-dev (push) Successful in 6s
Details 
Applied npm overrides from previous commit. Grype scan now passes
at --fail-on high with only MEDIUM-severity remaining CVEs in uuid
(GHSA-w5hq-g745-h8pq, major bump to v11 required, not a blocking risk)
and better-auth (GHSA-wxw3-q3m9-c3jr, updating to 1.6.2 separately).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-23 03:43:04 +00:00
Barcode Betty 6722b0e796 fix(deps): add npm overrides to pin patched versions of defu, kysely, picomatch (CAR-1446)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
CI / build-and-push (push) Failing after 10s
Details
CI / deploy-uat (push) Has been skipped
Details
CI / deploy-dev (push) Successful in 2s
Details 
Grype found 3 HIGH-severity CVEs in transitive npm deps that npm audit
missed (different advisory DB):
- GHSA-737v-mqg7-c878: defu 6.1.4 → 6.1.5+
- GHSA-pv5w-4p9q-p3v2: kysely 0.28.14 → 0.28.17
- GHSA-c2c7-rcm5-vvqj: picomatch 4.0.3 → 4.0.4

All three are transitive deps of better-auth. Adding npm overrides
forces the patched versions. Grype scan passes at --fail-on high
after these overrides are applied.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-23 03:42:45 +00:00
Barcode Betty 88952a4651 ci(auth): update CAR-1446 comment with empirical OCI referrers proof
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / build-and-push (push) Failing after 11m7s
Details
CI / deploy-uat (push) Has been skipped
Details
CI / deploy-dev (push) Successful in 3s
Details
2026-06-23 02:50:37 +00:00
Barcode Betty 9ec0a7b56c Merge pull request 'ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)' (#52) from betty/car-1446-sbom-provenance-scan into dev
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
CI / deploy-dev (push) Has been cancelled
Details
CI / deploy-uat (push) Has been cancelled
Details
CI / build-and-push (push) Has been cancelled
Details 
ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-23 02:41:17 +00:00
Barcode Betty 30fa99a717 ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details 
- Insert anchore/scan-action@v5 step between Build and Push
- severity-cutoff: high, only-fixed: true (matches monorepo pattern)
- Add inline comment on provenance:false/sbom:false explaining OCI distribution
  spec >=1.1 limitation on git.farh.net registry

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-23 02:39:55 +00:00
Barcode Betty 0f375815f2 Merge pull request 'fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438) [uat→main]' (#49) from uat into main
CI / build-and-push (push) Successful in 11s
Details
CI / deploy-dev (push) Successful in 7s
Details
CI / deploy-uat (push) Successful in 14s
Details 
fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438) [uat→main]

All Phase 3 gates passed:
- UAT regression: PASS (CAR-1442, Deal Dottie)
- Security review: PASS (CAR-1443, Stockboy Steve)
- CEO code review: APPROVED (Carl, review #4830)
 2026-06-23 01:37:29 +00:00
Barcode Betty f99dc97528 Merge pull request 'fix(ci): promote revert deploy PR base dev/uat → main to uat (CAR-1431)' (#51) from dev into uat
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
CI / build-and-push (push) Successful in 8s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Successful in 5s
Details 
fix(ci): promote revert deploy PR base to uat (CAR-1431)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-23 01:11:16 +00:00
Barcode Betty 35b3b8406e Merge pull request 'fix(ci): revert deploy PR base dev/uat → main (CAR-1431)' (#50) from barcode-betty/car-1428-revert-deploy-base into dev
CI / build-and-push (push) Successful in 9s
Details
CI / deploy-dev (push) Successful in 4s
Details
CI / deploy-uat (push) Has been skipped
Details
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details 
fix(ci): revert deploy PR base dev/uat → main (CAR-1431)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-23 01:10:47 +00:00
Barcode Betty 88da9ee771 fix(ci): revert deploy PR base dev/uat → main (CAR-1431)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details 
Deploy-dev and deploy-uat jobs were opening image-tag-bump PRs against
dev/uat branches per CAR-1371. Flux reconciles all overlays from infra
main, so those PRs were never picked up. Revert --arg base back to main.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-23 01:07:17 +00:00
Barcode Betty ba7bcef05e Merge pull request 'fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438) [dev→uat]' (#48) from dev into uat
CI / build-and-push (push) Successful in 9s
Details
CI / deploy-uat (push) Successful in 8s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details 
fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438) [dev→uat]

QA PASS Charlie review #4825. Promotes CAR-1436+CAR-1438 fixes to UAT.
 2026-06-23 00:52:23 +00:00
Barcode Betty 1af633a619 Merge pull request 'fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438)' (#46) from car-1438-graceful-exit-fix into dev
CI / build-and-push (push) Successful in 10s
Details
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-uat (push) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
CI / deploy-dev (push) Successful in 10s
Details 
fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438)

Any non-merged outcome after successful PR creation is now treated
as the GitOps approval gate (exit 0). Only empty PR_NUM hard-fails.
 2026-06-23 00:47:23 +00:00
Barcode Betty 9600de923c Merge pull request 'fix(ci): apply jq title fix to uat (CAR-1436 resolved)' (#47) from car-1436-uat-merge-resolved into uat
CI / build-and-push (push) Successful in 11s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Failing after 5s
Details 
fix(ci): apply CAR-1436 jq title fix to uat (via 3-way resolution)
 2026-06-23 00:42:32 +00:00
Barcode Betty 011264a87b fix(ci): resolve dev→uat merge conflict, apply jq title fix (CAR-1436)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
2026-06-23 00:42:02 +00:00
Barcode Betty 7ff805c3a5 fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
2026-06-23 00:38:36 +00:00
Barcode Betty 3a6190a805 Merge pull request 'Promote uat→main: CAR-994 Docker login fix + CAR-1423 REGISTRY_TOKEN fix' (#43) from uat into main
CI / build-and-push (push) Successful in 11m44s
Details
CI / deploy-dev (push) Failing after 6s
Details
CI / deploy-uat (push) Failing after 7s
Details 
Merge uat into main: CAR-994 Docker login fix + CAR-1423 two-stage build + CAR-1270 CI_GITEA_TOKEN fix
 2026-06-23 00:19:02 +00:00
Barcode Betty a2d18c18d8 Merge remote-tracking branch 'origin/main' into uat-fresh
CI / build-and-push (push) Successful in 14s
Details
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Failing after 5s
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
2026-06-23 00:16:40 +00:00
Barcode Betty b5151db0ac fix: resolve ci.yml merge conflict (CAR-994+CAR-1423+CAR-1270)
CI / deploy-dev (push) Has been cancelled
Details
CI / deploy-uat (push) Has been cancelled
Details
CI / build-and-push (push) Has been cancelled
Details
CI / deploy-dev (pull_request) Has been cancelled
Details
CI / deploy-uat (pull_request) Has been cancelled
Details
CI / build-and-push (pull_request) Has been cancelled
Details
2026-06-23 00:14:25 +00:00
Barcode Betty 28d38a298c Merge pull request 'fix(ci): use shell var for jq --arg title in deploy steps (CAR-1436)' (#44) from car-1436-fix-deploy-jq-title into dev
CI / build-and-push (push) Successful in 13s
Details
CI / deploy-uat (push) Has been skipped
Details
CI / deploy-dev (push) Failing after 6s
Details
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details 
fix(ci): use shell var for jq --arg title in deploy steps (CAR-1436)
 2026-06-22 23:56:59 +00:00
Barcode Betty 5cd46571f2 Merge pull request 'ci(CAR-1423): promote two-stage load->push fix to uat' (#42) from dev into uat
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Failing after 3s
Details
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
CI / build-and-push (push) Successful in 9s
Details 
ci(CAR-1423): promote two-stage load->push fix to uat (#42)
 2026-06-22 23:40:03 +00:00
Barcode Betty 1233d80c8f Merge pull request 'ci(CAR-1373): apply dev's deploy-job restoration to uat (dev → uat promotion, 3-way resolved)' (#38) from car-1373-uat-merge-resolved into uat
CI / build-and-push (push) Failing after 10s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Successful in 2s
Details
2026-06-12 02:09:22 +00:00
Barcode Betty 89fb02cdea ci(CAR-1373): apply dev's deploy-job restoration to uat (resolve 3-way)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details 
The dev→uat 3-way merge of ci.yml conflicts on:
- CalVer logic (dev is the multi-line readable form)
- ref: main vs parameterized expression (dev wins, per CAR-1374)
- PR body base/head: dev wins (per CAR-1371 + acceptance criteria)
- CAR-1216 comment: dev added, uat didn't have it

Resolution: take dev's version of ci.yml (the corrected form per CAR-1373).

cc @cpfarhood
 2026-06-10 22:47:36 +00:00
Savannah Savings 72f2568b68 Merge pull request 'fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270)' (#35) from betty/car-1270-ci-gitea-token-main into main
CI / build-and-push (push) Successful in 2m5s
Details
CI / deploy-dev (push) Failing after 3s
Details
CI / deploy-uat (push) Failing after 3s
Details
2026-06-05 05:12:45 +00:00
Savannah Savings 8a49fc57f1 Merge pull request 'fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270)' (#34) from betty/car-1270-ci-gitea-token-uat into uat
CI / build-and-push (push) Successful in 9s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Failing after 7s
Details
2026-06-05 05:12:38 +00:00
Barcode Betty a0be839632 fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-05 00:53:43 +00:00
Barcode Betty d5c5d2b6ba fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-05 00:53:13 +00:00
Barcode Betty 3198b21683 revert: undo CAR-1270 direct commit (will land via PR instead)
CI / build-and-push (push) Failing after 12m22s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Failing after 27s
Details 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-05 00:52:22 +00:00
Barcode Betty ca1a732033 fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270)
CI / build-and-push (push) Successful in 7s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Failing after 5s
Details 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-05 00:51:07 +00:00
Savannah Savings 0977a7c3b3 Merge pull request 'ci(auth): migrate deploy-dev/deploy-uat to PR-bump + fix registry token (CAR-1263)' (#33) from cs_betty/car-1263-auth-pr-bump-main into main
CI / build-and-push (push) Successful in 10s
Details
CI / deploy-dev (push) Failing after 34s
Details
CI / deploy-uat (push) Failing after 36s
Details
2026-06-05 00:34:48 +00:00
Savannah Savings eb436e2c31 Merge pull request 'ci(auth): migrate deploy-dev/deploy-uat to PR-bump mechanism (CAR-1263)' (#32) from cs_betty/car-1263-auth-pr-bump-uat into uat
CI / build-and-push (push) Failing after 6s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Failing after 25s
Details
2026-06-05 00:34:47 +00:00
Barcode Betty 21fba7a842 ci(auth): migrate deploy-dev/deploy-uat to PR-bump + fix registry token (CAR-1263)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details 
Migrates auth .gitea/workflows/ci.yml deploy-dev and deploy-uat
jobs from direct 'git push origin main' to cartsnitch/infra to the
CAR-1195 PR-bump pattern. Brings auth in line with cartsnitch/cartsnitch
and stops the red deploy-dev/deploy-uat jobs on main pushes.

Also fixes the registry-login password to use REGISTRY_TOKEN (CAR-1009
standard) instead of GITEA_TOKEN — uat already had this fix (CAR-1237);
main was lagging.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-05 00:23:07 +00:00
Barcode Betty 70398efeea ci(auth): migrate deploy-dev/deploy-uat to PR-bump mechanism (CAR-1263)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details 
Migrates auth .gitea/workflows/ci.yml deploy-dev and deploy-uat
jobs from direct 'git push origin main' to cartsnitch/infra to the
CAR-1195 PR-bump pattern (open + (attempt) auto-merge an infra PR;
never hard-fail on approval gate, per CAR-1216). Brings auth in line
with cartsnitch/cartsnitch and stops the red deploy-uat job on every
uat push.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-05 00:23:05 +00:00
Savannah Savings 806843b9c7 Merge pull request 'ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237)' (#30) from betty/car-1237-fix-uat-ci into uat
CI / build-and-push (push) Successful in 15s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Failing after 37s
Details 
ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237)

Reviewed and merged by Savannah (CTO). Byte-identical to proven main except the spec-mandated REGISTRY_TOKEN registry-login (CAR-1009 standard).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-04 20:41:13 +00:00
Barcode Betty 91ab376f38 ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details 
- Change A: replace build-and-push with runner-native Docker (no DinD service container)
- Change B: deploy-dev/deploy-uat use secrets.GITEA_TOKEN for infra checkout

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-04 20:33:08 +00:00
Savannah Savings 3496653d33 Merge dev into uat: use direct docker login for Gitea registry (CAR-994)
CI / build-and-push (push) Successful in 6s
Details
2026-06-04 18:52:32 +00:00
Barcode Betty 02b732e24c chore(ci): re-trigger auth UAT build after act-runner DinD fix (CAR-973)
CI / build-and-push (push) Failing after 15s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Has been skipped
Details 
Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-04 11:46:31 +00:00
Flea Flicker 1099037db1 fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout
CI / build-and-push (push) Failing after 8s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Has been skipped
Details 
Replaces CI_GITEA_TOKEN (which lacks cross-repo access) with REGISTRY_TOKEN
for checkout of cartsnitch/infra in deploy-uat/deploy-dev jobs.

Fixes CAR-1147
 2026-06-02 10:07:31 +00:00
Flea Flicker 8c37c764e9 fix(ci): add DinD service to enable image builds (CAR-1042)
CI / build-and-push (push) Failing after 15s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Has been skipped
Details
2026-05-30 08:56:47 +00:00
Flea Flicker 6f392bbbed test(ci): trigger CI after DinD fix (CAR-1042)
CI / build-and-push (push) Failing after 5s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Has been skipped
Details
2026-05-25 23:15:07 +00:00
Barcode Betty 4a63bc1da8 fix(ci): apply CAR-985 and CAR-986 fixes to uat
CI / build-and-push (push) Failing after 5s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Has been skipped
Details
2026-05-25 22:53:44 +00:00
Savannah Savings ca423073f1 Merge pull request 'Promote dev to uat (CAR-1034 - auth *.farh.net trustedOrigins fix)' (#27) from dev into uat
CI / build-and-push (push) Failing after 7s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Has been skipped
Details
2026-05-25 21:28:19 +00:00
Savannah Savings 8bf80a9890 fix(ci): use REGISTRY_TOKEN for container registry auth (CAR-973)
CI / build-and-push (push) Failing after 7s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Has been skipped
Details 
The REGISTRY_TOKEN secret has write:package scope for git.farh.net.
This fixes the unauthorized error at docker login.

Related: CAR-1023 (REGISTRY_TOKEN setup), CAR-1009 (CI registry token standardization)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-25 00:04:25 +00:00
Savannah Savings a520a65f1b fix(ci): use GITEA_TOKEN secret for docker login
CI / build-and-push (push) Failing after 4s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Has been skipped
Details 
The github.token (automatic workflow token) in Gitea Actions
doesn't inherit packages:write permission for container registry.
Use the GITEA_TOKEN secret instead with direct docker login.

Ref: CAR-973, CAR-1009
 2026-05-24 20:38:35 +00:00
Savannah Savings bb8d7f159c fix(ci): use direct docker login with github.token for registry auth (CAR-973)
CI / build-and-push (push) Failing after 6s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Has been skipped
Details 
docker/login-action@v3 fails with Gitea's automatic token.
Use direct docker login with github.token instead, which has
the necessary write:package scope for the container registry.

Related: CAR-1009 (CI registry token standardization)
 2026-05-24 20:37:22 +00:00
Barcode Betty a92f578dcf chore: re-trigger CI after DNS fix (CAR-968)
CI / build-and-push (push) Failing after 5s
Details
CI / deploy-dev (push) Has been skipped
Details
CI / deploy-uat (push) Has been skipped
Details
2026-05-24 20:34:39 +00:00
4 changed files with 44 additions and 19 deletions
Expand all files Collapse all files
.gitea/CI_TRIGGER.md
+1
View File
@@ -0,0 +1 @@
# CI trigger 20260525231507 - post-DinD verification (CAR-1042)
.gitea/workflows/ci.yml
+31 -12
View File
@@ -67,11 +67,31 @@ jobs:
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Scan Docker image
uses: anchore/scan-action@v5
id: scan
env:
GRYPE_CONFIG: .grype.yaml
with:
image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
fail-build: true
severity-cutoff: high
only-fixed: "true"
output-format: sarif
- name: Push Docker image
uses: docker/build-push-action@v6
with:
context: .
push: true
# CAR-1446: git.farh.net does not implement the OCI referrers API.
# Verified 2026-06-23: GET /v2/cartsnitch/auth/referrers/{digest} →
# HTTP 404 "page not found" (plain proxy 404, not an OCI error — the path
# does not exist in this Gitea registry version). OCI Distribution Spec
# >=1.1 is required for provenance/SBOM attestation manifests; without it
# the docker/build-push-action would fail at the attestation PUT.
# Compensating control: the Grype scan step above fails the build on any
# unfixed HIGH-severity CVE before the image reaches the registry.
provenance: false
sbom: false
tags: ${{ steps.meta.outputs.tags }}
@@ -143,7 +163,7 @@ jobs:
exit 0
fi
TITLE="ci(dev): update auth image (${GITHUB_SHA::12})"
PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base dev --arg title "$TITLE" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \
PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "$TITLE" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \
'{head: $head, base: $base, title: $title, body: $body}')
PR_JSON=$(curl -sS -X POST \
-H "Authorization: token ${CI_GITEA_TOKEN}" \
@@ -177,12 +197,11 @@ jobs:
MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false')
if [ "$MERGED" = "true" ]; then
echo "PR #${PR_NUM} merged into cartsnitch/infra dev"
elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then
echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure"
exit 0
else
echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP"
exit 1
# CAR-1438: PR opened successfully; any non-merged outcome (empty body,
# approval-gate, pending checks) is the GitOps gate — not a failure.
echo "::notice::infra PR #${PR_NUM} opened — auto-merge not available (${MERGE_RESP:-empty response}); awaiting CTO (cs_savannah) approve+merge"
exit 0
fi
deploy-uat:
@@ -245,7 +264,7 @@ jobs:
exit 0
fi
TITLE="ci(uat): update auth image (${GITHUB_SHA::12})"
PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base uat --arg title "$TITLE" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \
PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "$TITLE" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \
'{head: $head, base: $base, title: $title, body: $body}')
PR_JSON=$(curl -sS -X POST \
-H "Authorization: token ${CI_GITEA_TOKEN}" \
@@ -275,10 +294,10 @@ jobs:
MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false')
if [ "$MERGED" = "true" ]; then
echo "PR #${PR_NUM} merged into cartsnitch/infra uat"
elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then
echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure"
exit 0
else
echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP"
exit 1
# CAR-1438: PR opened successfully; any non-merged outcome (empty body,
# approval-gate, pending checks) is the GitOps gate — not a failure.
echo "::notice::infra PR #${PR_NUM} opened — auto-merge not available (${MERGE_RESP:-empty response}); awaiting CTO (cs_savannah) approve+merge"
exit 0
fi
package-lock.json
Generated
+6 -6
View File
@@ -818,9 +818,9 @@
}
},
"node_modules/defu": {
"version": "6.1.4",
"resolved": "https://registry.npmjs.org/defu/-/defu-6.1.4.tgz",
"integrity": "sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==",
"version": "6.1.7",
"resolved": "https://registry.npmjs.org/defu/-/defu-6.1.7.tgz",
"integrity": "sha512-7z22QmUWiQ/2d0KkdYmANbRUVABpZ9SNYyH5vx6PZ+nE5bcC0l7uFvEfHlyld/HcGBFTL536ClDt3DEcSlEJAQ==",
"license": "MIT"
},
"node_modules/esbuild": {
@@ -909,9 +909,9 @@
}
},
"node_modules/kysely": {
"version": "0.28.14",
"resolved": "https://registry.npmjs.org/kysely/-/kysely-0.28.14.tgz",
"integrity": "sha512-SU3lgh0rPvq7upc6vvdVrCsSMUG1h3ChvHVOY7wJ2fw4C9QEB7X3d5eyYEyULUX7UQtxZJtZXGuT6U2US72UYA==",
"version": "0.28.17",
"resolved": "https://registry.npmjs.org/kysely/-/kysely-0.28.17.tgz",
"integrity": "sha512-nbD8lB9EB3wNdMhOCdx5Li8DxnLbvKByylRLcJ1h+4SkrowVeECAyZlyiKMThF7xFdRz0jSQ2MoJr+wXux2y0Q==",
"license": "MIT",
"engines": {
"node": ">=20.0.0"
package.json
+6 -1
View File
@@ -21,5 +21,10 @@
"@types/pg": "^8.11.0",
"tsx": "^4.19.0",
"typescript": "^5.7.0"
},
"overrides": {
"picomatch": "^4.0.4",
"defu": "^6.1.5",
"kysely": "^0.28.17"
}
}
}