Compare commits

..

9 Commits

Author SHA1 Message Date
Barcode Betty dfcbc3fd3d fix(ci): align deploy-dev/deploy-uat frontend bump with base image name (CAR-1318)
CI / lint (pull_request) Successful in 13s
CI / test (pull_request) Successful in 13s
CI / build-and-push-receiptwitness (pull_request) Has been skipped
CI / build-and-push-api (pull_request) Has been skipped
CI / build-and-push-auth (pull_request) Has been skipped
CI / audit (pull_request) Successful in 41s
CI / e2e (pull_request) Successful in 1m12s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m15s
The base frontend deployment in cartsnitch/infra uses
ghcr.io/cartsnitch/app, but the deploy-dev/deploy-uat jobs
targeted ghcr.io/cartsnitch/cartsnitch — a name that matches no
resource, so each bump added a dead images entry and left the
real 'app' entry's newTag pinned.

Switch both jobs to kustomize edit set image
ghcr.io/cartsnitch/app=... so the next deploy updates the active
entry. The matching infra overlay cleanup drops the dead
cartsnitch entry from dev/uat.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-07 11:14:26 +00:00
Savannah Savings 515631987b Merge pull request 'ci(deploy): never hard-fail on infra-PR merge outcome (CAR-1216)' (#284) from betty/car-1216-deploy-never-fail-merge into dev
CI / audit (push) Successful in 11s
CI / lint (push) Successful in 18s
CI / audit (pull_request) Successful in 9s
CI / test (pull_request) Successful in 21s
CI / build-and-push-api (push) Failing after 1m2s
CI / test (push) Successful in 45s
CI / lint (pull_request) Successful in 11s
CI / e2e (push) Successful in 40s
CI / e2e (pull_request) Successful in 40s
CI / lighthouse (push) Failing after 1m13s
CI / build-and-push-auth (push) Successful in 30s
CI / build-and-push-receiptwitness (pull_request) Has been skipped
CI / build-and-push-api (pull_request) Has been skipped
CI / build-and-push-auth (pull_request) Has been skipped
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m14s
CI / build-and-push (push) Successful in 2m59s
CI / build-and-push-receiptwitness (push) Successful in 4m35s
CI / deploy-uat (push) Has been skipped
CI / deploy-dev (push) Successful in 15s
2026-06-07 10:20:28 +00:00
Savannah Savings 993302c72c fix(auth): pin base image to node 22.22.2 digest (CAR-1279 Phase 2) (#287)
CI / audit (push) Successful in 10s
CI / test (push) Successful in 14s
CI / e2e (push) Successful in 42s
CI / lighthouse (push) Failing after 1m16s
CI / test (pull_request) Successful in 12s
CI / lint (push) Successful in 14s
CI / lint (pull_request) Successful in 11s
CI / e2e (pull_request) Successful in 47s
CI / audit (pull_request) Successful in 10s
CI / build-and-push-auth (push) Successful in 2m20s
CI / build-and-push-api (push) Successful in 3m12s
CI / build-and-push-receiptwitness (pull_request) Has been skipped
CI / build-and-push-api (pull_request) Has been skipped
CI / build-and-push-auth (pull_request) Has been skipped
CI / build-and-push (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m18s
CI / build-and-push-receiptwitness (push) Successful in 5m16s
CI / build-and-push (push) Successful in 2m21s
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / deploy-dev (push) Failing after 14s
CI / deploy-uat (push) Has been skipped
2026-06-06 06:22:35 +00:00
Savannah Savings 7803d229eb fix(auth): pin base image to node 22.22.2 digest (CAR-1279 Phase 2)
CI / lint (pull_request) Successful in 40s
CI / test (pull_request) Successful in 1m15s
CI / build-and-push-receiptwitness (pull_request) Has been skipped
CI / build-and-push-api (pull_request) Has been skipped
CI / build-and-push-auth (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m12s
CI / audit (pull_request) Successful in 2m47s
CI / e2e (pull_request) Successful in 3m18s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
Pin both build and runtime stages of auth/Dockerfile to
node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f
— the Docker Hub manifest digest for node:22.22.2-alpine (verified against
the registry by CTO).

This is the digest pulled in by the previously-healthy ghcr auth image, which
connects fine to the dev Postgres with the same pg 8.20.0 driver and
byte-identical source. The Gitea-built image, which bundles node 22.22.3
(via the floating 'node:22-alpine' tag), deterministically resets the
Postgres connection during the /health DB probe (read ECONNRESET →
Connection terminated unexpectedly).

Pinning both stages to the manifest digest restores the exact node runtime
that the healthy ghcr image used and fixes the dev auth crashloop. The
'RUN apk update && apk upgrade --no-cache' lines are kept as-is per task
spec.

Refs CAR-1279, CAR-1276 (CAR-1287)
2026-06-06 02:26:54 +00:00
Savannah Savings 39804135a4 fix(auth): log /health 503 error and surface message in body (#283, CAR-1276)
CI / audit (push) Successful in 13s
CI / test (push) Successful in 13s
CI / lint (pull_request) Successful in 14s
CI / test (pull_request) Successful in 13s
CI / lighthouse (push) Failing after 1m22s
CI / e2e (pull_request) Successful in 49s
CI / build-and-push-receiptwitness (pull_request) Has been skipped
CI / e2e (push) Successful in 44s
CI / audit (pull_request) Successful in 13s
CI / build-and-push-api (pull_request) Has been skipped
CI / build-and-push-auth (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m23s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lint (push) Successful in 16m17s
CI / build-and-push-auth (push) Successful in 38s
CI / build-and-push-api (push) Successful in 1m34s
CI / build-and-push (push) Successful in 2m44s
CI / build-and-push-receiptwitness (push) Successful in 3m52s
CI / deploy-uat (push) Has been skipped
CI / deploy-dev (push) Failing after 6s
2026-06-06 00:02:17 +00:00
Barcode Betty 81b19b9072 ci(deploy): never hard-fail on infra-PR merge outcome (CAR-1216)
CI / lint (pull_request) Successful in 12s
CI / test (pull_request) Successful in 12s
CI / build-and-push-receiptwitness (pull_request) Has been skipped
CI / build-and-push-api (pull_request) Has been skipped
CI / build-and-push-auth (pull_request) Has been skipped
CI / audit (pull_request) Successful in 18s
CI / e2e (pull_request) Successful in 43s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 17m15s
The in-job merge attempt against `cartsnitch/infra` main is a best-effort
fast-path only. `infra` main requires a human approving review and the CI
bot (`CI_GITEA_TOKEN`) can never self-approve, so the merge call
structurally cannot succeed in the general case.

Replace the special-cased `does not have enough approvals` branch and the
final `else -> exit 1` branch in both `deploy-dev` and `deploy-uat` with a
single non-failing outcome: surface the Gitea response as a `::notice::`
and `exit 0`. The PR is already opened and `cs_savannah` is requested as
reviewer above, so the GitOps hand-off is intact.

The only hard-fail (`exit 1`) in this step remains the empty-`PR_NUM`
check (PR could not be created at all).

Related: CAR-1195 (PR-bump pattern), CAR-1194, CAR-1212.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-05 23:57:11 +00:00
Barcode Betty b2c4692400 fix(auth): log /health 503 error and surface message in body (CAR-1276)
CI / deploy-uat (pull_request) Has been skipped
CI / test (pull_request) Successful in 12s
CI / lint (pull_request) Successful in 13s
CI / build-and-push-receiptwitness (pull_request) Has been skipped
CI / build-and-push-api (pull_request) Has been skipped
CI / build-and-push-auth (pull_request) Has been skipped
CI / audit (pull_request) Successful in 40s
CI / e2e (pull_request) Successful in 1m11s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m15s
The /health handler's catch block was empty, so when the DB probe
failed we had no log line to diagnose from. UAT auth was crashlooping
on /health 503s for that exact reason — pod logs only showed
'CartSnitch auth service listening on port 3001' and nothing else.

Add console.error with the error name/message and include the message
in the 503 response body so the next time this fails we can read the
actual error from `kubectl logs` without re-deploying.

This is the dev-side observability half of CAR-1276. The underlying
DB failure still needs investigation (likely better-auth schema
missing from the cartsnitch DB; see CAR-1276 for the analysis).

Tests updated to assert the new error field is present and a string.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-05 07:05:46 +00:00
Savannah Savings 8eeaa92ad8 CAR-1215: bump react-router to 7.16.0 (clear audit gate) (#278)
CI / audit (push) Successful in 10s
CI / build-and-push-api (push) Successful in 1m23s
CI / build-and-push-auth (push) Successful in 43s
CI / lint (pull_request) Successful in 11s
CI / audit (pull_request) Successful in 13s
CI / lint (push) Successful in 14s
CI / test (push) Successful in 14s
CI / test (pull_request) Successful in 12s
CI / e2e (push) Successful in 57s
CI / lighthouse (push) Failing after 1m29s
CI / e2e (pull_request) Successful in 46s
CI / build-and-push-receiptwitness (push) Successful in 2m33s
CI / build-and-push-receiptwitness (pull_request) Has been skipped
CI / build-and-push-api (pull_request) Has been skipped
CI / build-and-push-auth (pull_request) Has been skipped
CI / build-and-push (push) Successful in 54s
CI / lighthouse (pull_request) Failing after 1m17s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (push) Failing after 17s
CI / deploy-uat (push) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
Lockfile-only bump react-router/react-router-dom 7.14.0->7.16.0 clearing GHSA-49rj-9fvp-4h2h, GHSA-2j2x-hqr9-3h42, GHSA-8x6r-g9mw-2r78. QA PASS (cs_charlie), security PASS (cs_steve). audit gate now green; lighthouse pre-existing red (out of scope, tracked separately).
2026-06-03 22:14:12 +00:00
Barcode Betty fc3a0b4d92 chore(deps): bump react-router + react-router-dom to 7.16.0 (CAR-1215)
CI / lint (pull_request) Successful in 12s
CI / test (pull_request) Successful in 12s
CI / audit (pull_request) Successful in 11s
CI / build-and-push-api (pull_request) Has been skipped
CI / build-and-push-receiptwitness (pull_request) Has been skipped
CI / build-and-push-auth (pull_request) Has been skipped
CI / e2e (pull_request) Successful in 43s
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / build-and-push (pull_request) Has been skipped
CI / lighthouse (pull_request) Failing after 1m16s
Lockfile-only bump from 7.14.0 -> 7.16.0. The ^7.0.0 range in
package.json already permits 7.16.0, so no source changes.

Clears three high-severity advisories that block the audit CI gate:
- GHSA-49rj-9fvp-4h2h (turbo-stream arbitrary constructor invocation)
- GHSA-2j2x-hqr9-3h42 (protocol-relative URL open redirect)
- GHSA-8x6r-g9mw-2r78 (DoS via unbounded path expansion)

No runtime behavior change; react-router stays on 7.x. npm audit
--audit-level=high exits clean (0 high/critical) locally.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 21:56:05 +00:00
5 changed files with 66 additions and 33 deletions
+22 -18
View File
@@ -495,7 +495,7 @@ jobs:
if: needs.build-and-push.result == 'success'
run: |
cd infra/apps/overlays/dev
kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
kustomize edit set image ghcr.io/cartsnitch/app=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
- name: Determine image tag for receiptwitness
id: receiptwitness_tag
@@ -577,6 +577,16 @@ jobs:
if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
fi
# CAR-1216: the in-job merge attempt is a best-effort fast-path only.
# `cartsnitch/infra` main requires a human approving review (immutable
# branch protection); the CI bot (`CI_GITEA_TOKEN`) can never self-
# approve, so this merge call structurally cannot succeed in the
# general case. Any non-merged outcome (approvals pending, checks
# pending, any other Gitea message) is the GitOps approval gate, not
# a CI failure — the PR is already opened and `cs_savannah` is
# requested as reviewer above. Surface the response as a notice and
# exit success. The only hard-fail (`exit 1`) in this step remains
# the empty-`PR_NUM` check (PR could not be created at all).
MERGE_RESP=$(curl -sS -X POST \
-H "Authorization: token ${CI_GITEA_TOKEN}" \
-H "Content-Type: application/json" \
@@ -586,14 +596,6 @@ jobs:
if [ "$MERGED" = "true" ]; then
echo "PR #${PR_NUM} merged into cartsnitch/infra main"
else
# GitOps approval gate (CAR-1216): the CI bot cannot self-approve
# cartsnitch/infra main's required human review, so the in-job
# auto-merge is structurally impossible and will always fail with
# SOME message (checks-pending, then approvals, then transient
# errors). Special-casing individual messages is fragile. The PR
# is correctly opened, cs_savannah is requested as reviewer, and
# the CTO will backstop-merge — that is the success condition.
# Treat every merge-outcome failure as success (exit 0).
echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure: $MERGE_RESP"
exit 0
fi
@@ -639,7 +641,7 @@ jobs:
if: needs.build-and-push.result == 'success'
run: |
cd infra/apps/overlays/uat
kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
kustomize edit set image ghcr.io/cartsnitch/app=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
- name: Determine image tag for receiptwitness
id: receiptwitness_tag
@@ -721,6 +723,16 @@ jobs:
if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
fi
# CAR-1216: the in-job merge attempt is a best-effort fast-path only.
# `cartsnitch/infra` main requires a human approving review (immutable
# branch protection); the CI bot (`CI_GITEA_TOKEN`) can never self-
# approve, so this merge call structurally cannot succeed in the
# general case. Any non-merged outcome (approvals pending, checks
# pending, any other Gitea message) is the GitOps approval gate, not
# a CI failure — the PR is already opened and `cs_savannah` is
# requested as reviewer above. Surface the response as a notice and
# exit success. The only hard-fail (`exit 1`) in this step remains
# the empty-`PR_NUM` check (PR could not be created at all).
MERGE_RESP=$(curl -sS -X POST \
-H "Authorization: token ${CI_GITEA_TOKEN}" \
-H "Content-Type: application/json" \
@@ -730,14 +742,6 @@ jobs:
if [ "$MERGED" = "true" ]; then
echo "PR #${PR_NUM} merged into cartsnitch/infra main"
else
# GitOps approval gate (CAR-1216): the CI bot cannot self-approve
# cartsnitch/infra main's required human review, so the in-job
# auto-merge is structurally impossible and will always fail with
# SOME message (checks-pending, then approvals, then transient
# errors). Special-casing individual messages is fragile. The PR
# is correctly opened, cs_savannah is requested as reviewer, and
# the CTO will backstop-merge — that is the success condition.
# Treat every merge-outcome failure as success (exit 0).
echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure: $MERGE_RESP"
exit 0
fi
+2 -2
View File
@@ -1,4 +1,4 @@
FROM node:22-alpine AS builder
FROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f AS builder
RUN apk update && apk upgrade --no-cache
WORKDIR /app
COPY package.json package-lock.json* ./
@@ -7,7 +7,7 @@ COPY tsconfig.json ./
COPY src/ src/
RUN npm run build
FROM node:22-alpine
FROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f
RUN apk update && apk upgrade --no-cache
WORKDIR /app
ENV NODE_ENV=production
+23 -4
View File
@@ -19,9 +19,18 @@ describe('Auth health endpoint', () => {
}
res.writeHead(200, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({ status: 'ok', db: 'reachable' }));
} catch {
} catch (err) {
// Mirror src/index.ts: log the error and include the message in the
// response body so /health 503s are diagnosable from pod logs.
console.error(
'[auth /health] DB probe failed:',
err instanceof Error ? `${err.name}: ${err.message}` : err,
);
const detail = err instanceof Error ? err.message : 'unknown error';
res.writeHead(503, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({ status: 'error', db: 'unreachable' }));
res.end(
JSON.stringify({ status: 'error', db: 'unreachable', error: detail }),
);
}
return;
}
@@ -76,7 +85,10 @@ describe('Auth health endpoint', () => {
close();
equal(status, 503);
equal(body, '{"status":"error","db":"unreachable"}');
const parsed = JSON.parse(body);
equal(parsed.status, 'error');
equal(parsed.db, 'unreachable');
equal(parsed.error, 'connection refused');
});
it('returns 503 with db=unreachable when query times out', async () => {
@@ -95,7 +107,14 @@ describe('Auth health endpoint', () => {
close();
equal(status, 503);
equal(body, '{"status":"error","db":"unreachable"}');
const parsed = JSON.parse(body);
equal(parsed.status, 'error');
equal(parsed.db, 'unreachable');
// The query promise rejects with a synthetic 'timeout' error; the
// Promise.race wrapper also rejects with 'DB timeout'. The body should
// surface whichever error was thrown — accept either to stay robust.
equal(typeof parsed.error, 'string');
equal(parsed.error.length > 0, true);
});
it('returns a terminal response for unknown paths (no hang)', async () => {
+12 -2
View File
@@ -21,9 +21,19 @@ const server = createServer(async (req, res) => {
}
res.writeHead(200, { "Content-Type": "application/json" });
res.end(JSON.stringify({ status: "ok", db: "reachable" }));
} catch {
} catch (err) {
// Log the actual error so /health 503s are diagnosable from pod logs
// (CAR-1276: UAT auth was crashlooping with no log output beyond the
// initial "listening on port 3001" line because this catch was empty).
console.error(
"[auth /health] DB probe failed:",
err instanceof Error ? `${err.name}: ${err.message}` : err,
);
const detail = err instanceof Error ? err.message : "unknown error";
res.writeHead(503, { "Content-Type": "application/json" });
res.end(JSON.stringify({ status: "error", db: "unreachable" }));
res.end(
JSON.stringify({ status: "error", db: "unreachable", error: detail }),
);
}
return;
}
+7 -7
View File
@@ -8305,9 +8305,9 @@
}
},
"node_modules/react-router": {
"version": "7.14.0",
"resolved": "https://registry.npmjs.org/react-router/-/react-router-7.14.0.tgz",
"integrity": "sha512-m/xR9N4LQLmAS0ZhkY2nkPA1N7gQ5TUVa5n8TgANuDTARbn1gt+zLPXEm7W0XDTbrQ2AJSJKhoa6yx1D8BcpxQ==",
"version": "7.16.0",
"resolved": "https://registry.npmjs.org/react-router/-/react-router-7.16.0.tgz",
"integrity": "sha512-wArC8lVyJb3+jM9OpDyW6hLCizACWkvQR/sSGqSs+o5uEXEtGlqdZ4v8hENR3Jad6i+LRkK93q/+bQAcvl6V1A==",
"license": "MIT",
"dependencies": {
"cookie": "^1.0.1",
@@ -8327,12 +8327,12 @@
}
},
"node_modules/react-router-dom": {
"version": "7.14.0",
"resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.14.0.tgz",
"integrity": "sha512-2G3ajSVSZMEtmTjIklRWlNvo8wICEpLihfD/0YMDxbWK2UyP5EGfnoIn9AIQGnF3G/FX0MRbHXdFcD+rL1ZreQ==",
"version": "7.16.0",
"resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.16.0.tgz",
"integrity": "sha512-kMUAbimWB5FVbF4Bce4bJsiKJWLIUHq/mEG8+CFDnCSgltptBiG5nguducmsJeGKytlCvQud9Qhzpn49iduTlA==",
"license": "MIT",
"dependencies": {
"react-router": "7.14.0"
"react-router": "7.16.0"
},
"engines": {
"node": ">=20.0.0"