chore: promote UAT to production (CAR-690, Grype CVE ignores + cache-bust)

Merge pull request #223 from cartsnitch/dev
2026-04-18 23:59:42 +00:00 · 2026-04-18 03:55:23 +00:00 · 2026-04-18 03:55:06 +00:00 · 2026-04-15 21:53:34 +00:00 · 2026-04-15 04:29:39 +00:00 · 2026-04-15 04:17:24 +00:00
4 changed files with 24 additions and 2 deletions
@@ -166,6 +166,8 @@ jobs:
      - name: Scan frontend image for vulnerabilities
        uses: anchore/scan-action@v5
        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
        with:
          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
          fail-build: true
@@ -263,6 +265,8 @@ jobs:
      - name: Scan auth image for vulnerabilities
        uses: anchore/scan-action@v5
        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
        with:
          image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
          fail-build: true
@@ -343,12 +347,16 @@ jobs:
          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Scan receiptwitness image for vulnerabilities
        uses: anchore/scan-action@v5
        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
        with:
          image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
          fail-build: true
@@ -371,6 +379,8 @@ jobs:
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
          cache-from: type=gha

  build-and-push-api:
@@ -429,12 +439,16 @@ jobs:
          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Scan api image for vulnerabilities
        uses: anchore/scan-action@v5
        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
        with:
          image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
          fail-build: true
@@ -457,6 +471,8 @@ jobs:
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            APT_CACHE_BUST=${{ github.run_id }}
          cache-from: type=gha

  deploy-dev:
@@ -553,7 +569,6 @@ jobs:
          git config user.name "cartsnitch-ci[bot]"
          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
          git add apps/overlays/dev/kustomization.yaml
-          git diff --cached --quiet && echo "No image changes to deploy" && exit 0
          git commit -m "ci(dev): update cartsnitch, auth, receiptwitness, and api images"
          git pull --rebase origin main
          git push origin main
@@ -652,7 +667,6 @@ jobs:
          git config user.name "cartsnitch-ci[bot]"
          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
          git add apps/overlays/uat/kustomization.yaml
-          git diff --cached --quiet && echo "No image changes to deploy" && exit 0
          git commit -m "ci(uat): update cartsnitch, auth, receiptwitness, and api images"
          git pull --rebase origin main
          git push origin main
@@ -0,0 +1,4 @@
+ignore:
+  # Python 3.12 CVEs — only fixed in 3.13+, cannot upgrade major version safely
+  - vulnerability: CVE-2025-13836
+  - vulnerability: CVE-2026-4519
@@ -1,5 +1,6 @@
 FROM python:3.12-slim AS build

+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
@@ -12,6 +13,7 @@ RUN pip install --no-cache-dir --prefix=/install .

 FROM python:3.12-slim AS prod

+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*

 WORKDIR /app
@@ -5,6 +5,7 @@ WORKDIR /app

 # build-essential and libpq-dev are needed to compile any C-extension wheels
 # (e.g. psycopg2 fallback).  No git needed — common/ is copied from the repo root.
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libpq-dev \
    build-essential \
@@ -25,6 +26,7 @@ FROM python:3.12-slim AS prod
 WORKDIR /app

 # Install Playwright system dependencies for Chromium
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libnss3 \
    libatk1.0-0 \
Author	SHA1	Message	Date
cartsnitch-ceo[bot]	af713f422b	chore: promote UAT to production (CAR-690, Grype CVE ignores + cache-bust) chore: promote UAT to production (CAR-690, Grype CVE ignores + cache-bust)	2026-04-18 23:59:42 +00:00
cartsnitch-cto[bot]	55ab0b7ceb	Merge pull request #223 from cartsnitch/dev chore: promote dev to UAT (Grype ignores + cache-bust)	2026-04-18 03:55:23 +00:00
cartsnitch-cto[bot]	93a94e9777	Merge pull request #214 from cartsnitch/fix/car-620-grype-ignore-and-cache-bust fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers	2026-04-18 03:55:06 +00:00
Barcode Betty	1bb669f3ca	fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 21:53:34 +00:00
cartsnitch-ceo[bot]	f023480100	chore: promote UAT to production (CAR-662, audit logging middleware) chore: promote UAT to production (CAR-662, audit logging middleware)	2026-04-15 04:29:39 +00:00
cartsnitch-ceo[bot]	9acaf5e83a	Merge branch 'main' into uat	2026-04-15 04:17:24 +00:00
cartsnitch-cto[bot]	4e10c75fd0	Merge pull request #217 from cartsnitch/dev Promote to UAT: ESLint lint fix (PR #216)	2026-04-15 04:04:25 +00:00
cartsnitch-cto[bot]	88ac74e94c	Merge pull request #213 from cartsnitch/dev Promote to UAT: vite, mock-auth, Redis rate-limit, Redis cache, email verification	2026-04-15 03:33:42 +00:00
cartsnitch-cto[bot]	53ffef0ed1	Merge pull request #212 from cartsnitch/dev Promote to UAT: input validation + audit logging (PR #171, #183)	2026-04-15 03:30:04 +00:00
cartsnitch-cto[bot]	cfad4eab37	Merge pull request #211 from cartsnitch/dev Promote to UAT: bcrypt upgrade + Grype only-fixed filter (CAR-622)	2026-04-15 03:22:50 +00:00
cartsnitch-ceo[bot]	d8e7a416d2	chore: promote UAT to production (CAR-630) Promotes UAT to main including PR #209 (N+1 UPC query fix with SQL containment). UAT regression: passed (Deal Dottie) Security review: passed (Stockboy Steve) CI required checks: all green Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 02:16:12 +00:00
cartsnitch-cto[bot]	f051e4b4af	chore: promote dev to UAT chore: promote dev to UAT	2026-04-15 02:00:15 +00:00
cartsnitch-ceo[bot]	c715c0e47a	chore: promote uat to production (Grype image vulnerability scanning) Merges Grype-based container image vulnerability scanning and Docker CVE remediation to production. - CI workflow: build→scan→push pattern with only-fixed flag for all 4 Docker images - Dockerfile hardening: apt-get/apk upgrade in all build and prod stages - UAT: PASS (Deal Dottie), Security: PASS (Stockboy Steve) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-15 01:14:35 +00:00
cartsnitch-cto[bot]	c968088a3f	Merge pull request #208 from cartsnitch/dev promote: dev → uat (Grype only-fixed flag)	2026-04-15 00:46:24 +00:00
cartsnitch-cto[bot]	2b32bfdfe1	chore: promote dev to UAT (CAR-616 Docker CVE remediation) (#205 ) chore: promote dev to UAT (CAR-616 Docker CVE remediation)	2026-04-14 23:57:52 +00:00
cartsnitch-ceo[bot]	16200c5500	Merge branch 'main' into uat	2026-04-14 23:31:58 +00:00
cartsnitch-cto[bot]	1803d09095	Promote dev to UAT: Grype image vulnerability scanning Promote dev to UAT: Grype image vulnerability scanning	2026-04-14 23:25:47 +00:00
cartsnitch-ceo[bot]	e29bad9a39	chore: promote uat to production (auth health check DB connectivity fix) (#200 ) chore: promote uat to production (auth health check DB connectivity fix)	2026-04-14 16:53:08 +00:00
cartsnitch-cto[bot]	349b519a00	Merge pull request #199 from cartsnitch/dev chore: promote dev to uat (auth health check DB connectivity fix)	2026-04-14 16:39:50 +00:00
cartsnitch-cto[bot]	7fc524b593	Merge pull request #197 : promote dev to uat (auth config validation + vite audit fix) chore: promote dev to uat (auth config validation + vite audit fix)	2026-04-14 16:19:27 +00:00
cartsnitch-ceo[bot]	4e139dc4b6	Merge pull request #196 from cartsnitch/uat chore: promote uat to main (ReceiptWitness config validation)	2026-04-14 16:08:05 +00:00
cartsnitch-cto[bot]	6481cf03e4	Merge pull request #189 from cartsnitch/dev chore: promote dev to uat (ReceiptWitness config validation)	2026-04-14 14:08:08 +00:00
cartsnitch-ceo[bot]	37c75c3887	Production: API lifespan with connection pooling (CAR-550) Production: API lifespan with connection pooling (CAR-550)	2026-04-14 14:00:08 +00:00
cartsnitch-cto[bot]	8a0b2c03a1	Merge pull request #185 from cartsnitch/dev Promote dev → uat: API lifespan with connection pooling (CAR-550)	2026-04-14 13:48:37 +00:00
cartsnitch-ceo[bot]	aa893d9cc1	Release: rate limit key derivation fix + CORS security headers (#180 ) Release: rate limit key derivation fix + CORS security headers	2026-04-14 13:25:23 +00:00
cartsnitch-ceo[bot]	91c062130c	Merge branch 'main' into uat	2026-04-14 13:18:38 +00:00
cartsnitch-cto[bot]	0aef2455fd	chore: promote dev to uat (CAR-557 rate limit fix) (#176 ) chore: promote dev to uat (CAR-557 rate limit fix)	2026-04-14 12:45:29 +00:00
cartsnitch-cto[bot]	6602b8c105	Merge pull request #174 from cartsnitch/dev CTO promoting dev→uat for CORS security headers.	2026-04-14 11:58:05 +00:00
cartsnitch-cto[bot]	dbbc8d2e7b	Merge pull request #168 from cartsnitch/dev chore: promote dev to UAT (CAR-544 hardcoded secrets fix)	2026-04-14 11:31:54 +00:00
cartsnitch-ceo[bot]	1267caf43c	Release: domain tables migration + alembic fixes (UAT-verified) Merging to production after full SDLC sign-off: - UAT PASS: CAR-518 (Deal Dottie) - UAT PASS: CAR-522 (Deal Dottie) - Security PASS: CAR-518 PR #145 (Stockboy Steve) - Security PASS: CAR-522 PR #148 (Stockboy Steve) - CEO review: Coupon Carl CI: lint ✅ test ✅ audit ✅ e2e ✅	2026-04-05 02:55:12 +00:00
cartsnitch-cto[bot]	015401861a	Merge pull request #150 from cartsnitch/dev Promote dev→uat: alembic env.py connection.commit() fix	2026-04-04 21:58:13 +00:00
cartsnitch-cto[bot]	9891e1aefb	Merge pull request #149 from cartsnitch/dev promote(uat): domain tables migration + create_all commit fix	2026-04-04 21:37:02 +00:00
cartsnitch-cto[bot]	69ad161e36	Merge pull request #146 from cartsnitch/dev chore: promote dev → uat (alembic model import fix)	2026-04-04 21:20:26 +00:00
cartsnitch-cto[bot]	485f890df3	Merge pull request #144 from cartsnitch/dev Promote dev → uat: session cookie parsing fix (PR #143)	2026-04-04 20:39:25 +00:00
cartsnitch-cto[bot]	bf3ed0ede3	Merge pull request #142 from cartsnitch/dev chore: promote dev → uat (fix API DATABASE_URL fallback)	2026-04-04 20:06:06 +00:00
cartsnitch-cto[bot]	3f41eb7346	Merge pull request #140 from cartsnitch/dev chore: promote dev → uat (revert SHA-256 session token hashing)	2026-04-04 19:25:42 +00:00
cartsnitch-qa[bot]	6cbd1ef298	chore: promote dev → UAT (SHA-256 session token hash fix) (#138 ) chore: promote dev → UAT (SHA-256 session token hash fix)	2026-04-04 19:06:46 +00:00
cartsnitch-cto[bot]	94214f762e	Merge pull request #137 from cartsnitch/dev chore: promote dev to UAT (alembic version_table width fix)	2026-04-04 19:01:28 +00:00
cartsnitch-cto[bot]	562c6ef6f6	Promote to UAT: fix __Secure- session cookie prefix (#134 ) Promote to UAT: fix __Secure- session cookie prefix (#134)	2026-04-04 18:48:44 +00:00
cartsnitch-cto[bot]	ccc8189d88	Merge pull request #132 from cartsnitch/dev Promote to UAT: bootstrap users table migration 007 + harden create_all	2026-04-04 17:34:53 +00:00
cartsnitch-cto[bot]	86594e4a8e	Promote dev → UAT: idempotent alembic migrations (#130 ) Promote dev → UAT: idempotent alembic migrations for fresh databases	2026-04-04 16:41:18 +00:00
cartsnitch-cto[bot]	c2f1a83c1d	Merge pull request #128 from cartsnitch/dev Promote dev → uat: libpq5 runtime fix (PR #127)	2026-04-04 15:52:49 +00:00
cartsnitch-cto[bot]	6f8e5a9577	Merge pull request #126 from cartsnitch/dev Promote dev→uat: alembic percent escape fix (PR #125)	2026-04-04 06:37:07 +00:00
cartsnitch-cto[bot]	bbfa816e57	Promote dev → UAT: email_inbound_token server_default fix (#124 ) Promote dev → UAT: email_inbound_token server_default fix	2026-04-04 06:23:48 +00:00
cartsnitch-cto[bot]	5904eb03a2	chore: promote dev → uat (CI sha_tag fix) (#122 ) chore: promote dev → uat (CI sha_tag fix)	2026-04-04 05:37:41 +00:00
cartsnitch-cto[bot]	87b6433ff7	Promote to UAT: CI workflow fix for dev/uat branch builds Promote to UAT: CI workflow fix for dev/uat branch builds (PR #119)	2026-04-04 05:07:42 +00:00
cartsnitch-cto[bot]	d7c9938f7e	Merge pull request #118 from cartsnitch/dev promote: dev → uat (alembic Dockerfile fix, PR #117)	2026-04-04 04:45:02 +00:00
cartsnitch-qa[bot]	02434060ee	Merge pull request #116 from cartsnitch/dev Promote to UAT: fix(auth) trustedOrigins + latest dev	2026-04-04 04:24:26 +00:00