Merge pull request #196 from cartsnitch/uat

chore: promote uat to main (ReceiptWitness config validation)
Merge pull request #189 from cartsnitch/dev
2026-04-14 16:08:05 +00:00 · 2026-04-14 14:08:08 +00:00 · 2026-04-14 14:00:08 +00:00 · 2026-04-14 13:48:37 +00:00 · 2026-04-14 13:25:23 +00:00 · 2026-04-14 13:18:38 +00:00
11 changed files with 28 additions and 169 deletions
@@ -13,7 +13,6 @@ concurrency:
 permissions:
  contents: write
  packages: write
-  security-events: write

 env:
  REGISTRY: ghcr.io
@@ -152,44 +151,17 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build Docker image
+      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
-          load: true
+          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          target: prod
          cache-from: type=gha
          cache-to: type=gha,mode=max

-      - name: Scan frontend image for vulnerabilities
-        uses: anchore/scan-action@v5
-        id: scan
-        with:
-          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
-          fail-build: true
-          severity-cutoff: high
-          only-fixed: "true"
-          output-format: sarif
-
-      - name: Upload frontend scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
-
-      - name: Push Docker image
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          target: prod
-          cache-from: type=gha
-
      - name: Create git tag
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: |
@@ -249,43 +221,14 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build Docker image
+      - name: Build and push auth Docker image
        uses: docker/build-push-action@v6
        with:
          context: ./auth
          file: ./auth/Dockerfile
-          load: true
+          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Scan auth image for vulnerabilities
-        uses: anchore/scan-action@v5
-        id: scan
-        with:
-          image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
-          fail-build: true
-          severity-cutoff: high
-          only-fixed: "true"
-          output-format: sarif
-
-      - name: Upload auth scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
-
-      - name: Push Docker image
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@v6
-        with:
-          context: ./auth
-          file: ./auth/Dockerfile
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha

  build-and-push-receiptwitness:
    runs-on: runners-cartsnitch
@@ -335,43 +278,14 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build Docker image
+      - name: Build and push receiptwitness image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./receiptwitness/Dockerfile
-          load: true
+          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Scan receiptwitness image for vulnerabilities
-        uses: anchore/scan-action@v5
-        id: scan
-        with:
-          image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
-          fail-build: true
-          severity-cutoff: high
-          only-fixed: "true"
-          output-format: sarif
-
-      - name: Upload receiptwitness scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
-
-      - name: Push Docker image
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./receiptwitness/Dockerfile
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha

  build-and-push-api:
    runs-on: runners-cartsnitch
@@ -421,43 +335,14 @@ jobs:
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

-      - name: Build Docker image
+      - name: Build and push API Docker image
        uses: docker/build-push-action@v6
        with:
          context: ./api
          file: ./api/Dockerfile
-          load: true
+          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Scan api image for vulnerabilities
-        uses: anchore/scan-action@v5
-        id: scan
-        with:
-          image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
-          fail-build: true
-          severity-cutoff: high
-          only-fixed: "true"
-          output-format: sarif
-
-      - name: Upload api scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
-
-      - name: Push Docker image
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@v6
-        with:
-          context: ./api
-          file: ./api/Dockerfile
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha

  deploy-dev:
    runs-on: runners-cartsnitch
@@ -1,6 +1,6 @@
 # Stage 1: Build
 FROM node:20-alpine AS build
-RUN apk update && apk upgrade --no-cache
+
 WORKDIR /app

 COPY package.json package-lock.json ./
@@ -11,9 +11,6 @@ RUN npm run build

 # Stage 2: Production — uses nginxinc/nginx-unprivileged which runs as non-root (UID 101)
 FROM nginxinc/nginx-unprivileged:stable-alpine AS prod
-USER root
-RUN apk update && apk upgrade --no-cache
-USER 101

 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
@@ -1,6 +1,6 @@
 FROM python:3.12-slim AS build

-RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
    && rm -rf /var/lib/apt/lists/*
@@ -12,7 +12,7 @@ RUN pip install --no-cache-dir --prefix=/install .

 FROM python:3.12-slim AS prod

-RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*

 WORKDIR /app
 RUN adduser --system --group --uid 1000 app
@@ -1,5 +1,4 @@
 FROM node:22-alpine AS builder
-RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 COPY package.json package-lock.json* ./
 RUN npm ci
@@ -8,7 +7,6 @@ COPY src/ src/
 RUN npm run build

 FROM node:22-alpine
-RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 ENV NODE_ENV=production
 COPY package.json package-lock.json* ./
@@ -941,9 +941,9 @@
      }
    },
    "node_modules/defu": {
-      "version": "6.1.7",
-      "resolved": "https://registry.npmjs.org/defu/-/defu-6.1.7.tgz",
-      "integrity": "sha512-7z22QmUWiQ/2d0KkdYmANbRUVABpZ9SNYyH5vx6PZ+nE5bcC0l7uFvEfHlyld/HcGBFTL536ClDt3DEcSlEJAQ==",
+      "version": "6.1.4",
+      "resolved": "https://registry.npmjs.org/defu/-/defu-6.1.4.tgz",
+      "integrity": "sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==",
      "license": "MIT"
    },
    "node_modules/delegates": {
@@ -4,23 +4,17 @@ import pg from "pg";

 const { Pool } = pg;

+const pool = new Pool({
+  connectionString:
+    process.env.DATABASE_URL ??
+    "postgresql://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
+});
+
 const secret = process.env.BETTER_AUTH_SECRET;
 if (!secret) {
  throw new Error("BETTER_AUTH_SECRET environment variable is required");
 }

-const databaseUrl = process.env.DATABASE_URL;
-if (!databaseUrl) {
-  console.warn(
-    "WARNING: DATABASE_URL is not set — using default localhost connection. " +
-    "Set DATABASE_URL for production deployments."
-  );
-}
-
-export const pool = new Pool({
-  connectionString: databaseUrl ?? "postgresql://cartsnitch:cartsnitch@localhost:5432/cartsnitch",
-});
-
 export const auth = betterAuth({
  database: pool,
  basePath: "/auth",
@@ -1,6 +1,6 @@
 import { createServer } from "node:http";
 import { toNodeHandler } from "better-auth/node";
-import { auth, pool } from "./auth.js";
+import { auth } from "./auth.js";

 const port = parseInt(process.env.PORT ?? "3001", 10);

@@ -9,22 +9,8 @@ const handler = toNodeHandler(auth);
 const server = createServer(async (req, res) => {
  // Health check
  if (req.url === "/health" && req.method === "GET") {
-    try {
-      const client = await pool.connect();
-      try {
-        await Promise.race([
-          client.query("SELECT 1"),
-          new Promise((_, reject) => setTimeout(() => reject(new Error("DB timeout")), 2000)),
-        ]);
-      } finally {
-        client.release();
-      }
-      res.writeHead(200, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ status: "ok", db: "connected" }));
-    } catch {
-      res.writeHead(503, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ status: "error", db: "unreachable" }));
-    }
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ status: "ok" }));
    return;
  }

@@ -9805,9 +9805,9 @@
      }
    },
    "node_modules/vite": {
-      "version": "6.4.2",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.2.tgz",
-      "integrity": "sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==",
+      "version": "6.4.1",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-6.4.1.tgz",
+      "integrity": "sha512-+Oxm7q9hDoLMyJOYfUYBuHQo+dkAloi33apOPP56pzj+vsdJDzr+j1NISE5pyaAuKL4A3UD34qd0lx5+kfKp2g==",
      "devOptional": true,
      "license": "MIT",
      "dependencies": {
@@ -5,7 +5,7 @@ WORKDIR /app

 # build-essential and libpq-dev are needed to compile any C-extension wheels
 # (e.g. psycopg2 fallback).  No git needed — common/ is copied from the repo root.
-RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
    && rm -rf /var/lib/apt/lists/*
@@ -25,7 +25,7 @@ FROM python:3.12-slim AS prod
 WORKDIR /app

 # Install Playwright system dependencies for Chromium
-RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get install -y --no-install-recommends \
    libnss3 \
    libatk1.0-0 \
    libatk-bridge2.0-0 \
Author	SHA1	Message	Date
cartsnitch-ceo[bot]	4e139dc4b6	Merge pull request #196 from cartsnitch/uat chore: promote uat to main (ReceiptWitness config validation)	2026-04-14 16:08:05 +00:00
cartsnitch-cto[bot]	6481cf03e4	Merge pull request #189 from cartsnitch/dev chore: promote dev to uat (ReceiptWitness config validation)	2026-04-14 14:08:08 +00:00
cartsnitch-ceo[bot]	37c75c3887	Production: API lifespan with connection pooling (CAR-550) Production: API lifespan with connection pooling (CAR-550)	2026-04-14 14:00:08 +00:00
cartsnitch-cto[bot]	8a0b2c03a1	Merge pull request #185 from cartsnitch/dev Promote dev → uat: API lifespan with connection pooling (CAR-550)	2026-04-14 13:48:37 +00:00
cartsnitch-ceo[bot]	aa893d9cc1	Release: rate limit key derivation fix + CORS security headers (#180 ) Release: rate limit key derivation fix + CORS security headers	2026-04-14 13:25:23 +00:00
cartsnitch-ceo[bot]	91c062130c	Merge branch 'main' into uat	2026-04-14 13:18:38 +00:00
cartsnitch-cto[bot]	0aef2455fd	chore: promote dev to uat (CAR-557 rate limit fix) (#176 ) chore: promote dev to uat (CAR-557 rate limit fix)	2026-04-14 12:45:29 +00:00
cartsnitch-cto[bot]	6602b8c105	Merge pull request #174 from cartsnitch/dev CTO promoting dev→uat for CORS security headers.	2026-04-14 11:58:05 +00:00
cartsnitch-cto[bot]	dbbc8d2e7b	Merge pull request #168 from cartsnitch/dev chore: promote dev to UAT (CAR-544 hardcoded secrets fix)	2026-04-14 11:31:54 +00:00
cartsnitch-ceo[bot]	1267caf43c	Release: domain tables migration + alembic fixes (UAT-verified) Merging to production after full SDLC sign-off: - UAT PASS: CAR-518 (Deal Dottie) - UAT PASS: CAR-522 (Deal Dottie) - Security PASS: CAR-518 PR #145 (Stockboy Steve) - Security PASS: CAR-522 PR #148 (Stockboy Steve) - CEO review: Coupon Carl CI: lint ✅ test ✅ audit ✅ e2e ✅	2026-04-05 02:55:12 +00:00
cartsnitch-cto[bot]	015401861a	Merge pull request #150 from cartsnitch/dev Promote dev→uat: alembic env.py connection.commit() fix	2026-04-04 21:58:13 +00:00
cartsnitch-cto[bot]	9891e1aefb	Merge pull request #149 from cartsnitch/dev promote(uat): domain tables migration + create_all commit fix	2026-04-04 21:37:02 +00:00
cartsnitch-cto[bot]	69ad161e36	Merge pull request #146 from cartsnitch/dev chore: promote dev → uat (alembic model import fix)	2026-04-04 21:20:26 +00:00
cartsnitch-cto[bot]	485f890df3	Merge pull request #144 from cartsnitch/dev Promote dev → uat: session cookie parsing fix (PR #143)	2026-04-04 20:39:25 +00:00
cartsnitch-cto[bot]	bf3ed0ede3	Merge pull request #142 from cartsnitch/dev chore: promote dev → uat (fix API DATABASE_URL fallback)	2026-04-04 20:06:06 +00:00
cartsnitch-cto[bot]	3f41eb7346	Merge pull request #140 from cartsnitch/dev chore: promote dev → uat (revert SHA-256 session token hashing)	2026-04-04 19:25:42 +00:00
cartsnitch-qa[bot]	6cbd1ef298	chore: promote dev → UAT (SHA-256 session token hash fix) (#138 ) chore: promote dev → UAT (SHA-256 session token hash fix)	2026-04-04 19:06:46 +00:00
cartsnitch-cto[bot]	94214f762e	Merge pull request #137 from cartsnitch/dev chore: promote dev to UAT (alembic version_table width fix)	2026-04-04 19:01:28 +00:00
cartsnitch-cto[bot]	562c6ef6f6	Promote to UAT: fix __Secure- session cookie prefix (#134 ) Promote to UAT: fix __Secure- session cookie prefix (#134)	2026-04-04 18:48:44 +00:00
cartsnitch-cto[bot]	ccc8189d88	Merge pull request #132 from cartsnitch/dev Promote to UAT: bootstrap users table migration 007 + harden create_all	2026-04-04 17:34:53 +00:00
cartsnitch-cto[bot]	86594e4a8e	Promote dev → UAT: idempotent alembic migrations (#130 ) Promote dev → UAT: idempotent alembic migrations for fresh databases	2026-04-04 16:41:18 +00:00
cartsnitch-cto[bot]	c2f1a83c1d	Merge pull request #128 from cartsnitch/dev Promote dev → uat: libpq5 runtime fix (PR #127)	2026-04-04 15:52:49 +00:00
cartsnitch-cto[bot]	6f8e5a9577	Merge pull request #126 from cartsnitch/dev Promote dev→uat: alembic percent escape fix (PR #125)	2026-04-04 06:37:07 +00:00
cartsnitch-cto[bot]	bbfa816e57	Promote dev → UAT: email_inbound_token server_default fix (#124 ) Promote dev → UAT: email_inbound_token server_default fix	2026-04-04 06:23:48 +00:00
cartsnitch-cto[bot]	5904eb03a2	chore: promote dev → uat (CI sha_tag fix) (#122 ) chore: promote dev → uat (CI sha_tag fix)	2026-04-04 05:37:41 +00:00
cartsnitch-cto[bot]	87b6433ff7	Promote to UAT: CI workflow fix for dev/uat branch builds Promote to UAT: CI workflow fix for dev/uat branch builds (PR #119)	2026-04-04 05:07:42 +00:00
cartsnitch-cto[bot]	d7c9938f7e	Merge pull request #118 from cartsnitch/dev promote: dev → uat (alembic Dockerfile fix, PR #117)	2026-04-04 04:45:02 +00:00
cartsnitch-qa[bot]	02434060ee	Merge pull request #116 from cartsnitch/dev Promote to UAT: fix(auth) trustedOrigins + latest dev	2026-04-04 04:24:26 +00:00