Merge pull request 'fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438) [uat→main]' (#49 ) from uat into main

fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438) [uat→main] All Phase 3 gates passed: - UAT regression: PASS (CAR-1442, Deal Dottie) - Security review: PASS (CAR-1443, Stockboy Steve) - CEO code review: APPROVED (Carl, review #4830)
Merge pull request 'fix(ci): promote revert deploy PR base dev/uat → main to uat (CAR-1431)' (#51 ) from dev into uat
2026-06-23 01:37:29 +00:00 · 2026-06-23 01:11:16 +00:00 · 2026-06-23 00:52:23 +00:00 · 2026-06-23 00:42:32 +00:00 · 2026-06-23 00:42:02 +00:00 · 2026-06-23 00:19:02 +00:00
4 changed files with 8 additions and 32 deletions
@@ -0,0 +1 @@
 # CI trigger 20260525231507 - post-DinD verification (CAR-1042)
@@ -67,31 +67,11 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      - name: Scan Docker image
        uses: anchore/scan-action@v5
        id: scan
        env:
          GRYPE_CONFIG: .grype.yaml
        with:
          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
          fail-build: true
          severity-cutoff: high
          only-fixed: "true"
          output-format: sarif
      - name: Push Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          # CAR-1446: git.farh.net does not implement the OCI referrers API.
          # Verified 2026-06-23: GET /v2/cartsnitch/auth/referrers/{digest} →
          # HTTP 404 "page not found" (plain proxy 404, not an OCI error — the path
          # does not exist in this Gitea registry version). OCI Distribution Spec
          # >=1.1 is required for provenance/SBOM attestation manifests; without it
          # the docker/build-push-action would fail at the attestation PUT.
          # Compensating control: the Grype scan step above fails the build on any
          # unfixed HIGH-severity CVE before the image reaches the registry.
          provenance: false
          sbom: false
          tags: ${{ steps.meta.outputs.tags }}
@@ -818,9 +818,9 @@
      }
    },
    "node_modules/defu": {
-      "version": "6.1.7",
+      "version": "6.1.4",
-      "resolved": "https://registry.npmjs.org/defu/-/defu-6.1.7.tgz",
+      "resolved": "https://registry.npmjs.org/defu/-/defu-6.1.4.tgz",
-      "integrity": "sha512-7z22QmUWiQ/2d0KkdYmANbRUVABpZ9SNYyH5vx6PZ+nE5bcC0l7uFvEfHlyld/HcGBFTL536ClDt3DEcSlEJAQ==",
+      "integrity": "sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==",
      "license": "MIT"
    },
    "node_modules/esbuild": {
@@ -909,9 +909,9 @@
      }
    },
    "node_modules/kysely": {
-      "version": "0.28.17",
+      "version": "0.28.14",
-      "resolved": "https://registry.npmjs.org/kysely/-/kysely-0.28.17.tgz",
+      "resolved": "https://registry.npmjs.org/kysely/-/kysely-0.28.14.tgz",
-      "integrity": "sha512-nbD8lB9EB3wNdMhOCdx5Li8DxnLbvKByylRLcJ1h+4SkrowVeECAyZlyiKMThF7xFdRz0jSQ2MoJr+wXux2y0Q==",
+      "integrity": "sha512-SU3lgh0rPvq7upc6vvdVrCsSMUG1h3ChvHVOY7wJ2fw4C9QEB7X3d5eyYEyULUX7UQtxZJtZXGuT6U2US72UYA==",
      "license": "MIT",
      "engines": {
        "node": ">=20.0.0"
@@ -21,10 +21,5 @@
    "@types/pg": "^8.11.0",
    "tsx": "^4.19.0",
    "typescript": "^5.7.0"
  },
  "overrides": {
    "picomatch": "^4.0.4",
    "defu": "^6.1.5",
    "kysely": "^0.28.17"
  }
-}
+}
Author	SHA1	Message	Date
Barcode Betty	0f375815f2	Merge pull request 'fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438) [uat→main]' (#49 ) from uat into main CI / build-and-push (push) Successful in 11s Details CI / deploy-dev (push) Successful in 7s Details CI / deploy-uat (push) Successful in 14s Details fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438) [uat→main] All Phase 3 gates passed: - UAT regression: PASS (CAR-1442, Deal Dottie) - Security review: PASS (CAR-1443, Stockboy Steve) - CEO code review: APPROVED (Carl, review #4830)	2026-06-23 01:37:29 +00:00
Barcode Betty	f99dc97528	Merge pull request 'fix(ci): promote revert deploy PR base dev/uat → main to uat (CAR-1431)' (#51 ) from dev into uat CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details CI / build-and-push (push) Successful in 8s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Successful in 5s Details fix(ci): promote revert deploy PR base to uat (CAR-1431) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-23 01:11:16 +00:00
Barcode Betty	ba7bcef05e	Merge pull request 'fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438) [dev→uat]' (#48 ) from dev into uat CI / build-and-push (push) Successful in 9s Details CI / deploy-uat (push) Successful in 8s Details CI / deploy-dev (push) Has been skipped Details CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438) [dev→uat] QA PASS Charlie review #4825. Promotes CAR-1436+CAR-1438 fixes to UAT.	2026-06-23 00:52:23 +00:00
Barcode Betty	9600de923c	Merge pull request 'fix(ci): apply jq title fix to uat (CAR-1436 resolved)' (#47 ) from car-1436-uat-merge-resolved into uat CI / build-and-push (push) Successful in 11s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 5s Details fix(ci): apply CAR-1436 jq title fix to uat (via 3-way resolution)	2026-06-23 00:42:32 +00:00
Barcode Betty	011264a87b	fix(ci): resolve dev→uat merge conflict, apply jq title fix (CAR-1436) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details	2026-06-23 00:42:02 +00:00
Barcode Betty	3a6190a805	Merge pull request 'Promote uat→main: CAR-994 Docker login fix + CAR-1423 REGISTRY_TOKEN fix' (#43 ) from uat into main CI / build-and-push (push) Successful in 11m44s Details CI / deploy-dev (push) Failing after 6s Details CI / deploy-uat (push) Failing after 7s Details Merge uat into main: CAR-994 Docker login fix + CAR-1423 two-stage build + CAR-1270 CI_GITEA_TOKEN fix	2026-06-23 00:19:02 +00:00
Barcode Betty	a2d18c18d8	Merge remote-tracking branch 'origin/main' into uat-fresh CI / build-and-push (push) Successful in 14s Details CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 5s Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details	2026-06-23 00:16:40 +00:00
Barcode Betty	b5151db0ac	fix: resolve ci.yml merge conflict (CAR-994+CAR-1423+CAR-1270) CI / deploy-dev (push) Has been cancelled Details CI / deploy-uat (push) Has been cancelled Details CI / build-and-push (push) Has been cancelled Details CI / deploy-dev (pull_request) Has been cancelled Details CI / deploy-uat (pull_request) Has been cancelled Details CI / build-and-push (pull_request) Has been cancelled Details	2026-06-23 00:14:25 +00:00
Barcode Betty	5cd46571f2	Merge pull request 'ci(CAR-1423): promote two-stage load->push fix to uat' (#42 ) from dev into uat CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 3s Details CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details CI / build-and-push (push) Successful in 9s Details ci(CAR-1423): promote two-stage load->push fix to uat (#42)	2026-06-22 23:40:03 +00:00
Barcode Betty	1233d80c8f	Merge pull request 'ci(CAR-1373): apply dev's deploy-job restoration to uat (dev → uat promotion, 3-way resolved)' (#38 ) from car-1373-uat-merge-resolved into uat CI / build-and-push (push) Failing after 10s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Successful in 2s Details	2026-06-12 02:09:22 +00:00
Barcode Betty	89fb02cdea	ci(CAR-1373): apply dev's deploy-job restoration to uat (resolve 3-way) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details The dev→uat 3-way merge of ci.yml conflicts on: - CalVer logic (dev is the multi-line readable form) - ref: main vs parameterized expression (dev wins, per CAR-1374) - PR body base/head: dev wins (per CAR-1371 + acceptance criteria) - CAR-1216 comment: dev added, uat didn't have it Resolution: take dev's version of ci.yml (the corrected form per CAR-1373). cc @cpfarhood	2026-06-10 22:47:36 +00:00
Savannah Savings	72f2568b68	Merge pull request 'fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270)' (#35 ) from betty/car-1270-ci-gitea-token-main into main CI / build-and-push (push) Successful in 2m5s Details CI / deploy-dev (push) Failing after 3s Details CI / deploy-uat (push) Failing after 3s Details	2026-06-05 05:12:45 +00:00
Savannah Savings	8a49fc57f1	Merge pull request 'fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270)' (#34 ) from betty/car-1270-ci-gitea-token-uat into uat CI / build-and-push (push) Successful in 9s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 7s Details	2026-06-05 05:12:38 +00:00
Barcode Betty	a0be839632	fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-05 00:53:43 +00:00
Barcode Betty	d5c5d2b6ba	fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-05 00:53:13 +00:00
Barcode Betty	3198b21683	revert: undo CAR-1270 direct commit (will land via PR instead) CI / build-and-push (push) Failing after 12m22s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 27s Details Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-05 00:52:22 +00:00
Barcode Betty	ca1a732033	fix(ci): use CI_GITEA_TOKEN for cross-repo infra access in deploy jobs (CAR-1270) CI / build-and-push (push) Successful in 7s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 5s Details Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-05 00:51:07 +00:00
Savannah Savings	0977a7c3b3	Merge pull request 'ci(auth): migrate deploy-dev/deploy-uat to PR-bump + fix registry token (CAR-1263)' (#33 ) from cs_betty/car-1263-auth-pr-bump-main into main CI / build-and-push (push) Successful in 10s Details CI / deploy-dev (push) Failing after 34s Details CI / deploy-uat (push) Failing after 36s Details	2026-06-05 00:34:48 +00:00
Savannah Savings	eb436e2c31	Merge pull request 'ci(auth): migrate deploy-dev/deploy-uat to PR-bump mechanism (CAR-1263)' (#32 ) from cs_betty/car-1263-auth-pr-bump-uat into uat CI / build-and-push (push) Failing after 6s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 25s Details	2026-06-05 00:34:47 +00:00
Barcode Betty	21fba7a842	ci(auth): migrate deploy-dev/deploy-uat to PR-bump + fix registry token (CAR-1263) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details Migrates auth .gitea/workflows/ci.yml deploy-dev and deploy-uat jobs from direct 'git push origin main' to cartsnitch/infra to the CAR-1195 PR-bump pattern. Brings auth in line with cartsnitch/cartsnitch and stops the red deploy-dev/deploy-uat jobs on main pushes. Also fixes the registry-login password to use REGISTRY_TOKEN (CAR-1009 standard) instead of GITEA_TOKEN — uat already had this fix (CAR-1237); main was lagging. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-05 00:23:07 +00:00
Barcode Betty	70398efeea	ci(auth): migrate deploy-dev/deploy-uat to PR-bump mechanism (CAR-1263) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details Migrates auth .gitea/workflows/ci.yml deploy-dev and deploy-uat jobs from direct 'git push origin main' to cartsnitch/infra to the CAR-1195 PR-bump pattern (open + (attempt) auto-merge an infra PR; never hard-fail on approval gate, per CAR-1216). Brings auth in line with cartsnitch/cartsnitch and stops the red deploy-uat job on every uat push. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-05 00:23:05 +00:00
Savannah Savings	806843b9c7	Merge pull request 'ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237)' (#30 ) from betty/car-1237-fix-uat-ci into uat CI / build-and-push (push) Successful in 15s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Failing after 37s Details ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237) Reviewed and merged by Savannah (CTO). Byte-identical to proven main except the spec-mandated REGISTRY_TOKEN registry-login (CAR-1009 standard). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-04 20:41:13 +00:00
Barcode Betty	91ab376f38	ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237) CI / build-and-push (pull_request) Has been skipped Details CI / deploy-dev (pull_request) Has been skipped Details CI / deploy-uat (pull_request) Has been skipped Details - Change A: replace build-and-push with runner-native Docker (no DinD service container) - Change B: deploy-dev/deploy-uat use secrets.GITEA_TOKEN for infra checkout Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-04 20:33:08 +00:00
Savannah Savings	3496653d33	Merge dev into uat: use direct docker login for Gitea registry (CAR-994) CI / build-and-push (push) Successful in 6s Details	2026-06-04 18:52:32 +00:00
Barcode Betty	02b732e24c	chore(ci): re-trigger auth UAT build after act-runner DinD fix (CAR-973) CI / build-and-push (push) Failing after 15s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-04 11:46:31 +00:00
Flea Flicker	1099037db1	fix(ci): use REGISTRY_TOKEN for cross-repo infra checkout CI / build-and-push (push) Failing after 8s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details Replaces CI_GITEA_TOKEN (which lacks cross-repo access) with REGISTRY_TOKEN for checkout of cartsnitch/infra in deploy-uat/deploy-dev jobs. Fixes CAR-1147	2026-06-02 10:07:31 +00:00
Flea Flicker	8c37c764e9	fix(ci): add DinD service to enable image builds (CAR-1042) CI / build-and-push (push) Failing after 15s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details	2026-05-30 08:56:47 +00:00
Flea Flicker	6f392bbbed	test(ci): trigger CI after DinD fix (CAR-1042) CI / build-and-push (push) Failing after 5s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details	2026-05-25 23:15:07 +00:00
Barcode Betty	4a63bc1da8	fix(ci): apply CAR-985 and CAR-986 fixes to uat CI / build-and-push (push) Failing after 5s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details	2026-05-25 22:53:44 +00:00
Savannah Savings	ca423073f1	Merge pull request 'Promote dev to uat (CAR-1034 - auth *.farh.net trustedOrigins fix)' (#27 ) from dev into uat CI / build-and-push (push) Failing after 7s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details	2026-05-25 21:28:19 +00:00
Savannah Savings	8bf80a9890	fix(ci): use REGISTRY_TOKEN for container registry auth (CAR-973) CI / build-and-push (push) Failing after 7s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details The REGISTRY_TOKEN secret has write:package scope for git.farh.net. This fixes the unauthorized error at docker login. Related: CAR-1023 (REGISTRY_TOKEN setup), CAR-1009 (CI registry token standardization) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-25 00:04:25 +00:00
Savannah Savings	a520a65f1b	fix(ci): use GITEA_TOKEN secret for docker login CI / build-and-push (push) Failing after 4s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details The github.token (automatic workflow token) in Gitea Actions doesn't inherit packages:write permission for container registry. Use the GITEA_TOKEN secret instead with direct docker login. Ref: CAR-973, CAR-1009	2026-05-24 20:38:35 +00:00
Savannah Savings	bb8d7f159c	fix(ci): use direct docker login with github.token for registry auth (CAR-973) CI / build-and-push (push) Failing after 6s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details docker/login-action@v3 fails with Gitea's automatic token. Use direct docker login with github.token instead, which has the necessary write:package scope for the container registry. Related: CAR-1009 (CI registry token standardization)	2026-05-24 20:37:22 +00:00
Barcode Betty	a92f578dcf	chore: re-trigger CI after DNS fix (CAR-968) CI / build-and-push (push) Failing after 5s Details CI / deploy-dev (push) Has been skipped Details CI / deploy-uat (push) Has been skipped Details	2026-05-24 20:34:39 +00:00
		`@@ -0,0 +1 @@`
							`# CI trigger 20260525231507 - post-DinD verification (CAR-1042)`