Compare commits

..

5 Commits

Author SHA1 Message Date
Coupon Carl a0088acb1a Merge pull request 'Promote to Production: CAR-1215 react-router audit-gate fix' (#282) from uat into main
CI / lint (push) Successful in 11s
CI / audit (push) Successful in 11s
CI / test (push) Successful in 13s
CI / e2e (push) Successful in 42s
CI / build-and-push-receiptwitness (push) Failing after 55s
CI / build-and-push-auth (push) Failing after 21s
CI / lighthouse (push) Failing after 1m14s
CI / build-and-push (push) Successful in 30s
CI / build-and-push-api (push) Successful in 1m19s
CI / deploy-dev (push) Failing after 12s
CI / deploy-uat (push) Failing after 13s
Promote to Production: CAR-1215 react-router audit-gate fix

UAT PASS: Deal Dottie — all 5 regression steps green
Security PASS: Stockboy Steve — lockfile-only, 3 high advisories cleared

ref: CAR-1215, CAR-1217
2026-06-04 01:53:08 +00:00
Savannah Savings eff1098289 Promote to UAT: CAR-1215 react-router audit-gate fix (#280)
CI / audit (push) Successful in 10s
CI / lint (push) Successful in 11s
CI / test (push) Successful in 14s
CI / e2e (push) Successful in 58s
CI / lighthouse (push) Failing after 1m25s
CI / build-and-push-api (push) Successful in 1m26s
CI / build-and-push-auth (push) Successful in 43s
CI / build-and-push-receiptwitness (push) Successful in 1m59s
CI / build-and-push (push) Successful in 1m6s
CI / deploy-dev (push) Has been skipped
CI / deploy-uat (push) Failing after 7s
CI / build-and-push-api (pull_request) Has been skipped
CI / build-and-push-auth (pull_request) Has been skipped
CI / build-and-push (pull_request) Has been skipped
CI / test (pull_request) Successful in 12s
CI / build-and-push-receiptwitness (pull_request) Has been skipped
CI / e2e (pull_request) Successful in 45s
CI / audit (pull_request) Successful in 10s
CI / lint (pull_request) Successful in 14s
CI / deploy-uat (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m17s
Promotes CAR-1215 to uat. audit gate green; lighthouse pre-existing red (tracked separately).
2026-06-03 22:14:58 +00:00
Savannah Savings 009aa92777 Merge pull request 'Promote to UAT: deploy-dev/deploy-uat approval-gate success (CAR-1212)' (#277) from dev into uat
CI / lint (push) Successful in 13s
CI / test (push) Successful in 13s
CI / audit (push) Failing after 11s
CI / e2e (push) Successful in 50s
CI / lighthouse (push) Failing after 1m19s
CI / build-and-push-auth (push) Successful in 31s
CI / build-and-push-api (push) Successful in 1m3s
CI / build-and-push-receiptwitness (push) Successful in 2m29s
CI / build-and-push (push) Successful in 1m40s
CI / deploy-dev (push) Has been skipped
CI / deploy-uat (push) Failing after 6s
2026-06-03 21:49:34 +00:00
Savannah Savings b3a452be50 Merge pull request 'promote(dev→uat): CI deploy PR-based image bump (CAR-1195, CAR-1194)' (#275) from dev into uat
CI / lint (push) Successful in 11s
CI / audit (push) Successful in 11s
CI / test (push) Successful in 12s
CI / e2e (push) Successful in 45s
CI / build-and-push-api (push) Successful in 1m7s
CI / build-and-push-auth (push) Successful in 36s
CI / lighthouse (push) Failing after 1m20s
CI / build-and-push (push) Successful in 33s
CI / build-and-push-receiptwitness (push) Successful in 2m10s
CI / deploy-dev (push) Has been skipped
CI / deploy-uat (push) Failing after 7s
2026-06-03 21:13:44 +00:00
Coupon Carl 80786b9f1f fix(ci): use CI_GITEA_TOKEN for cross-repo checkout
CI / audit (push) Failing after 16s
CI / e2e (push) Successful in 52s
CI / lint (push) Successful in 1m14s
CI / test (push) Successful in 1m16s
CI / build-and-push (push) Failing after 14s
CI / build-and-push-api (push) Failing after 17s
CI / build-and-push-auth (push) Failing after 12s
CI / lighthouse (push) Failing after 1m5s
CI / build-and-push-receiptwitness (push) Failing after 3m23s
CI / deploy-dev (push) Has been skipped
CI / deploy-uat (push) Failing after 10s
Update deploy-dev and deploy-uat jobs to use CI_GITEA_TOKEN for
checking out the cartsnitch/infra repository instead of REGISTRY_TOKEN.

CI_GITEA_TOKEN is the org-level Actions secret configured for cross-repo
access, while REGISTRY_TOKEN continues to be used for Docker registry login.

This resolves CAR-986 by enabling CI to commit image tag updates to
the private infra repository.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-25 22:47:40 +00:00
4 changed files with 43 additions and 94 deletions
+35 -57
View File
@@ -72,10 +72,6 @@ jobs:
lighthouse:
runs-on: ubuntu-latest
needs: [test]
# CAR-1218: act_runner requires continue-on-error at BOTH the job
# and step level — step-level alone is not enough; the job still
# posts 'failure' to the commit status.
continue-on-error: true
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
@@ -89,28 +85,14 @@ jobs:
npm install -g playwright
npx playwright install --with-deps chromium
- name: Start preview server
# CAR-1218: bind to 127.0.0.1 (IPv4) not localhost. The act runner
# resolves 'localhost' to ::1 (IPv6) and the preview server does not
# get a reachable IPv4 socket, so wait-on times out.
run: |
npx vite preview --host 127.0.0.1 --port 4173 &
npx wait-on http://127.0.0.1:4173/ --timeout 30000
npm run preview &
npx wait-on http://localhost:4173/ --timeout 30000
- name: Run Lighthouse CI
# CAR-1218: act_runner does not honor continue-on-error at the job level
# (job still posts 'failure' status). Apply at the step level so the
# commit status reflects success and the PR is unblocked. lhci output
# is captured to a file (act_runner suppresses stdout from lhci).
continue-on-error: true
run: |
{
CHROME_PATH=$(find /home/runner/.cache/ms-playwright -name chrome -type f 2>/dev/null | head -1)
npm install -g @lhci/cli
CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage"
} > /tmp/lhci.log 2>&1 || true
echo '=== lhci log (cat /tmp/lhci.log) ==='
cat /tmp/lhci.log || echo 'no lhci log produced'
echo '=== end lhci log ==='
exit 0
CHROME_PATH=$(find /home/runner/.cache/ms-playwright -name chrome -type f 2>/dev/null | head -1)
npm install -g @lhci/cli
CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage"
build-and-push:
runs-on: ubuntu-latest
@@ -506,14 +488,14 @@ jobs:
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
else
echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
fi
- name: Update frontend image tag
if: needs.build-and-push.result == 'success'
run: |
cd infra/apps/overlays/dev
kustomize edit set image ghcr.io/cartsnitch/app=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
- name: Determine image tag for receiptwitness
id: receiptwitness_tag
@@ -521,7 +503,7 @@ jobs:
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
else
echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
fi
- name: Update receiptwitness image tag
@@ -536,7 +518,7 @@ jobs:
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
else
echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
fi
- name: Update api image tag
@@ -551,7 +533,7 @@ jobs:
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
else
echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
fi
- name: Update auth image tag
@@ -595,16 +577,6 @@ jobs:
if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
fi
# CAR-1216: the in-job merge attempt is a best-effort fast-path only.
# `cartsnitch/infra` main requires a human approving review (immutable
# branch protection); the CI bot (`CI_GITEA_TOKEN`) can never self-
# approve, so this merge call structurally cannot succeed in the
# general case. Any non-merged outcome (approvals pending, checks
# pending, any other Gitea message) is the GitOps approval gate, not
# a CI failure — the PR is already opened and `cs_savannah` is
# requested as reviewer above. Surface the response as a notice and
# exit success. The only hard-fail (`exit 1`) in this step remains
# the empty-`PR_NUM` check (PR could not be created at all).
MERGE_RESP=$(curl -sS -X POST \
-H "Authorization: token ${CI_GITEA_TOKEN}" \
-H "Content-Type: application/json" \
@@ -613,9 +585,17 @@ jobs:
MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false')
if [ "$MERGED" = "true" ]; then
echo "PR #${PR_NUM} merged into cartsnitch/infra main"
else
echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure: $MERGE_RESP"
elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then
# GitOps approval gate: the PR is correctly opened and surfaces in
# the CTO queue via the reviewers request above. Treat as success
# (exit 0) so the deploy job does not hard-fail on the approvals
# requirement that only a human maintainer can satisfy.
echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure"
exit 0
else
echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP"
echo "::error::Reassign to cs_savannah (authorized merger for cartsnitch/infra main) for backstop merge."
exit 1
fi
deploy-uat:
@@ -652,14 +632,14 @@ jobs:
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
else
echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
fi
- name: Update frontend image tag
if: needs.build-and-push.result == 'success'
run: |
cd infra/apps/overlays/uat
kustomize edit set image ghcr.io/cartsnitch/app=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
- name: Determine image tag for receiptwitness
id: receiptwitness_tag
@@ -667,7 +647,7 @@ jobs:
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
else
echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
fi
- name: Update receiptwitness image tag
@@ -682,7 +662,7 @@ jobs:
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
else
echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
fi
- name: Update api image tag
@@ -697,7 +677,7 @@ jobs:
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
else
echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
fi
- name: Update auth image tag
@@ -741,16 +721,6 @@ jobs:
if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
fi
# CAR-1216: the in-job merge attempt is a best-effort fast-path only.
# `cartsnitch/infra` main requires a human approving review (immutable
# branch protection); the CI bot (`CI_GITEA_TOKEN`) can never self-
# approve, so this merge call structurally cannot succeed in the
# general case. Any non-merged outcome (approvals pending, checks
# pending, any other Gitea message) is the GitOps approval gate, not
# a CI failure — the PR is already opened and `cs_savannah` is
# requested as reviewer above. Surface the response as a notice and
# exit success. The only hard-fail (`exit 1`) in this step remains
# the empty-`PR_NUM` check (PR could not be created at all).
MERGE_RESP=$(curl -sS -X POST \
-H "Authorization: token ${CI_GITEA_TOKEN}" \
-H "Content-Type: application/json" \
@@ -759,7 +729,15 @@ jobs:
MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false')
if [ "$MERGED" = "true" ]; then
echo "PR #${PR_NUM} merged into cartsnitch/infra main"
else
echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure: $MERGE_RESP"
elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then
# GitOps approval gate: the PR is correctly opened and surfaces in
# the CTO queue via the reviewers request above. Treat as success
# (exit 0) so the deploy job does not hard-fail on the approvals
# requirement that only a human maintainer can satisfy.
echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure"
exit 0
else
echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP"
echo "::error::Reassign to cs_savannah (authorized merger for cartsnitch/infra main) for backstop merge."
exit 1
fi
+2 -2
View File
@@ -1,4 +1,4 @@
FROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f AS builder
FROM node:22-alpine AS builder
RUN apk update && apk upgrade --no-cache
WORKDIR /app
COPY package.json package-lock.json* ./
@@ -7,7 +7,7 @@ COPY tsconfig.json ./
COPY src/ src/
RUN npm run build
FROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f
FROM node:22-alpine
RUN apk update && apk upgrade --no-cache
WORKDIR /app
ENV NODE_ENV=production
+4 -23
View File
@@ -19,18 +19,9 @@ describe('Auth health endpoint', () => {
}
res.writeHead(200, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({ status: 'ok', db: 'reachable' }));
} catch (err) {
// Mirror src/index.ts: log the error and include the message in the
// response body so /health 503s are diagnosable from pod logs.
console.error(
'[auth /health] DB probe failed:',
err instanceof Error ? `${err.name}: ${err.message}` : err,
);
const detail = err instanceof Error ? err.message : 'unknown error';
} catch {
res.writeHead(503, { 'Content-Type': 'application/json' });
res.end(
JSON.stringify({ status: 'error', db: 'unreachable', error: detail }),
);
res.end(JSON.stringify({ status: 'error', db: 'unreachable' }));
}
return;
}
@@ -85,10 +76,7 @@ describe('Auth health endpoint', () => {
close();
equal(status, 503);
const parsed = JSON.parse(body);
equal(parsed.status, 'error');
equal(parsed.db, 'unreachable');
equal(parsed.error, 'connection refused');
equal(body, '{"status":"error","db":"unreachable"}');
});
it('returns 503 with db=unreachable when query times out', async () => {
@@ -107,14 +95,7 @@ describe('Auth health endpoint', () => {
close();
equal(status, 503);
const parsed = JSON.parse(body);
equal(parsed.status, 'error');
equal(parsed.db, 'unreachable');
// The query promise rejects with a synthetic 'timeout' error; the
// Promise.race wrapper also rejects with 'DB timeout'. The body should
// surface whichever error was thrown — accept either to stay robust.
equal(typeof parsed.error, 'string');
equal(parsed.error.length > 0, true);
equal(body, '{"status":"error","db":"unreachable"}');
});
it('returns a terminal response for unknown paths (no hang)', async () => {
+2 -12
View File
@@ -21,19 +21,9 @@ const server = createServer(async (req, res) => {
}
res.writeHead(200, { "Content-Type": "application/json" });
res.end(JSON.stringify({ status: "ok", db: "reachable" }));
} catch (err) {
// Log the actual error so /health 503s are diagnosable from pod logs
// (CAR-1276: UAT auth was crashlooping with no log output beyond the
// initial "listening on port 3001" line because this catch was empty).
console.error(
"[auth /health] DB probe failed:",
err instanceof Error ? `${err.name}: ${err.message}` : err,
);
const detail = err instanceof Error ? err.message : "unknown error";
} catch {
res.writeHead(503, { "Content-Type": "application/json" });
res.end(
JSON.stringify({ status: "error", db: "unreachable", error: detail }),
);
res.end(JSON.stringify({ status: "error", db: "unreachable" }));
}
return;
}