cartsnitch/auth
12
0
Fork 1
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: cartsnitch/auth:v2026.06.23.2
Branches Tags
cartsnitch/auth:main cartsnitch/auth:uat cartsnitch/auth:dev cartsnitch/auth:barcode-betty/car-1428-revert-deploy-base cartsnitch/auth:car-1436-uat-merge-resolved cartsnitch/auth:car-1438-graceful-exit-fix cartsnitch/auth:car-1436-fix-deploy-jq-title cartsnitch/auth:betty/car-1423-two-stage-build cartsnitch/auth:betty/car-1423-disable-provenance cartsnitch/auth:car-1373-uat-merge-resolved cartsnitch/auth:betty/car-1237-fix-uat-ci cartsnitch/auth:cs_savannah/car-1147-ci-infra-checkout cartsnitch/auth:betty/remove-deploy-jobs cartsnitch/auth:betty/car-1034-trustedorigins-fix cartsnitch/auth:car-1023-use-registry-token cartsnitch/auth:betty/car-1027-trustedorigins-fix cartsnitch/auth:car-994-fix-docker-login cartsnitch/auth:betty/fix-docker-login cartsnitch/auth:car-959-gitea-registry cartsnitch/auth:betty/car-964-gitea-registry-v2 cartsnitch/auth:barcode-betty/gitea-registry cartsnitch/auth:barcode-betty/car-959-gitea-registry cartsnitch/auth:barcode-betty/car-931-ghcr-auth cartsnitch/auth:barcode-betty/move-workflows-to-gitea cartsnitch/auth:betty/car-892-gitea-actions-ghcr-auth cartsnitch/auth:betty/car-869-gitea-actions-auth cartsnitch/auth:add-ci-grype
cartsnitch/auth:v2026.06.23.3 cartsnitch/auth:v2026.06.23.2 cartsnitch/auth:v2026.06.23 cartsnitch/auth:v2026.06.07 cartsnitch/auth:v2026.06.05.2 cartsnitch/auth:v2026.06.05 cartsnitch/auth:v2026.04.22 cartsnitch/auth:v2026.04.21
...
compare: cartsnitch/auth:dev
Branches Tags
cartsnitch/auth:main cartsnitch/auth:uat cartsnitch/auth:dev cartsnitch/auth:barcode-betty/car-1428-revert-deploy-base cartsnitch/auth:car-1436-uat-merge-resolved cartsnitch/auth:car-1438-graceful-exit-fix cartsnitch/auth:car-1436-fix-deploy-jq-title cartsnitch/auth:betty/car-1423-two-stage-build cartsnitch/auth:betty/car-1423-disable-provenance cartsnitch/auth:car-1373-uat-merge-resolved cartsnitch/auth:betty/car-1237-fix-uat-ci cartsnitch/auth:cs_savannah/car-1147-ci-infra-checkout cartsnitch/auth:betty/remove-deploy-jobs cartsnitch/auth:betty/car-1034-trustedorigins-fix cartsnitch/auth:car-1023-use-registry-token cartsnitch/auth:betty/car-1027-trustedorigins-fix cartsnitch/auth:car-994-fix-docker-login cartsnitch/auth:betty/fix-docker-login cartsnitch/auth:car-959-gitea-registry cartsnitch/auth:betty/car-964-gitea-registry-v2 cartsnitch/auth:barcode-betty/gitea-registry cartsnitch/auth:barcode-betty/car-959-gitea-registry cartsnitch/auth:barcode-betty/car-931-ghcr-auth cartsnitch/auth:barcode-betty/move-workflows-to-gitea cartsnitch/auth:betty/car-892-gitea-actions-ghcr-auth cartsnitch/auth:betty/car-869-gitea-actions-auth cartsnitch/auth:add-ci-grype
cartsnitch/auth:v2026.06.23.3 cartsnitch/auth:v2026.06.23.2 cartsnitch/auth:v2026.06.23 cartsnitch/auth:v2026.06.07 cartsnitch/auth:v2026.06.05.2 cartsnitch/auth:v2026.06.05 cartsnitch/auth:v2026.04.22 cartsnitch/auth:v2026.04.21

5 Commits
v2026.06.23.2 ... dev

Author SHA1 Message Date
Barcode Betty 92015fc5e9 fix(deps): regenerate lockfile with defu 6.1.7, kysely 0.28.17 (CAR-1446)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
CI / build-and-push (push) Successful in 36s
Details
CI / deploy-uat (push) Has been skipped
Details
CI / deploy-dev (push) Successful in 6s
Details 
Applied npm overrides from previous commit. Grype scan now passes
at --fail-on high with only MEDIUM-severity remaining CVEs in uuid
(GHSA-w5hq-g745-h8pq, major bump to v11 required, not a blocking risk)
and better-auth (GHSA-wxw3-q3m9-c3jr, updating to 1.6.2 separately).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-23 03:43:04 +00:00
Barcode Betty 6722b0e796 fix(deps): add npm overrides to pin patched versions of defu, kysely, picomatch (CAR-1446)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
CI / build-and-push (push) Failing after 10s
Details
CI / deploy-uat (push) Has been skipped
Details
CI / deploy-dev (push) Successful in 2s
Details 
Grype found 3 HIGH-severity CVEs in transitive npm deps that npm audit
missed (different advisory DB):
- GHSA-737v-mqg7-c878: defu 6.1.4 → 6.1.5+
- GHSA-pv5w-4p9q-p3v2: kysely 0.28.14 → 0.28.17
- GHSA-c2c7-rcm5-vvqj: picomatch 4.0.3 → 4.0.4

All three are transitive deps of better-auth. Adding npm overrides
forces the patched versions. Grype scan passes at --fail-on high
after these overrides are applied.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-23 03:42:45 +00:00
Barcode Betty 88952a4651 ci(auth): update CAR-1446 comment with empirical OCI referrers proof
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / build-and-push (push) Failing after 11m7s
Details
CI / deploy-uat (push) Has been skipped
Details
CI / deploy-dev (push) Successful in 3s
Details
2026-06-23 02:50:37 +00:00
Barcode Betty 9ec0a7b56c Merge pull request 'ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)' (#52) from betty/car-1446-sbom-provenance-scan into dev
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details
CI / deploy-dev (push) Has been cancelled
Details
CI / deploy-uat (push) Has been cancelled
Details
CI / build-and-push (push) Has been cancelled
Details 
ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-23 02:41:17 +00:00
Barcode Betty 30fa99a717 ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)
CI / build-and-push (pull_request) Has been skipped
Details
CI / deploy-dev (pull_request) Has been skipped
Details
CI / deploy-uat (pull_request) Has been skipped
Details 
- Insert anchore/scan-action@v5 step between Build and Push
- severity-cutoff: high, only-fixed: true (matches monorepo pattern)
- Add inline comment on provenance:false/sbom:false explaining OCI distribution
  spec >=1.1 limitation on git.farh.net registry

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-06-23 02:39:55 +00:00
3 changed files with 32 additions and 7 deletions
Expand all files Collapse all files
.gitea/workflows/ci.yml
+20
View File
@@ -67,11 +67,31 @@ jobs:
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }} labels: ${{ steps.meta.outputs.labels }}
- name: Scan Docker image
uses: anchore/scan-action@v5
id: scan
env:
GRYPE_CONFIG: .grype.yaml
with:
image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
fail-build: true
severity-cutoff: high
only-fixed: "true"
output-format: sarif
- name: Push Docker image - name: Push Docker image
uses: docker/build-push-action@v6 uses: docker/build-push-action@v6
with: with:
context: . context: .
push: true push: true
# CAR-1446: git.farh.net does not implement the OCI referrers API.
# Verified 2026-06-23: GET /v2/cartsnitch/auth/referrers/{digest} →
# HTTP 404 "page not found" (plain proxy 404, not an OCI error — the path
# does not exist in this Gitea registry version). OCI Distribution Spec
# >=1.1 is required for provenance/SBOM attestation manifests; without it
# the docker/build-push-action would fail at the attestation PUT.
# Compensating control: the Grype scan step above fails the build on any
# unfixed HIGH-severity CVE before the image reaches the registry.
provenance: false provenance: false
sbom: false sbom: false
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
package-lock.json
Generated
+6 -6
View File
@@ -818,9 +818,9 @@
} }
}, },
"node_modules/defu": { "node_modules/defu": {
"version": "6.1.4", "version": "6.1.7",
"resolved": "https://registry.npmjs.org/defu/-/defu-6.1.4.tgz", "resolved": "https://registry.npmjs.org/defu/-/defu-6.1.7.tgz",
"integrity": "sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==", "integrity": "sha512-7z22QmUWiQ/2d0KkdYmANbRUVABpZ9SNYyH5vx6PZ+nE5bcC0l7uFvEfHlyld/HcGBFTL536ClDt3DEcSlEJAQ==",
"license": "MIT" "license": "MIT"
}, },
"node_modules/esbuild": { "node_modules/esbuild": {
@@ -909,9 +909,9 @@
} }
}, },
"node_modules/kysely": { "node_modules/kysely": {
"version": "0.28.14", "version": "0.28.17",
"resolved": "https://registry.npmjs.org/kysely/-/kysely-0.28.14.tgz", "resolved": "https://registry.npmjs.org/kysely/-/kysely-0.28.17.tgz",
"integrity": "sha512-SU3lgh0rPvq7upc6vvdVrCsSMUG1h3ChvHVOY7wJ2fw4C9QEB7X3d5eyYEyULUX7UQtxZJtZXGuT6U2US72UYA==", "integrity": "sha512-nbD8lB9EB3wNdMhOCdx5Li8DxnLbvKByylRLcJ1h+4SkrowVeECAyZlyiKMThF7xFdRz0jSQ2MoJr+wXux2y0Q==",
"license": "MIT", "license": "MIT",
"engines": { "engines": {
"node": ">=20.0.0" "node": ">=20.0.0"
package.json
+5
View File
@@ -21,5 +21,10 @@
"@types/pg": "^8.11.0", "@types/pg": "^8.11.0",
"tsx": "^4.19.0", "tsx": "^4.19.0",
"typescript": "^5.7.0" "typescript": "^5.7.0"
},
"overrides": {
"picomatch": "^4.0.4",
"defu": "^6.1.5",
"kysely": "^0.28.17"
} }
} }