fix(ci): update kustomize image refs from ghcr.io to git.farh.net

Fixes QA finding: deploy-dev and deploy-uat jobs still referenced ghcr.io in kustomize edit set image commands. Co-Authored-By: Paperclip <noreply@paperclip.ing>
release: promote uat → main (seed tooling CAR-812 + auth health)
2026-05-23 15:51:58 +00:00 · 2026-05-04 21:55:13 +00:00 · 2026-05-04 21:44:34 +00:00 · 2026-05-04 21:17:31 +00:00 · 2026-05-04 19:42:36 +00:00 · 2026-05-04 19:41:47 +00:00
5 changed files with 69 additions and 157 deletions
@@ -16,15 +16,14 @@ permissions:
  security-events: write

 env:
-  REGISTRY: git.farh.net
+  REGISTRY: ghcr.io
  IMAGE_NAME: cartsnitch/cartsnitch
  RECEIPTWITNESS_IMAGE_NAME: cartsnitch/receiptwitness
  API_IMAGE_NAME: cartsnitch/api
-  AUTH_IMAGE_NAME: cartsnitch/auth

 jobs:
  lint:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@@ -38,7 +37,7 @@ jobs:
        run: npx tsc --noEmit

  test:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@@ -50,7 +49,7 @@ jobs:
        run: npx vitest run

  audit:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@@ -62,7 +61,7 @@ jobs:
        run: npm audit --audit-level=high

  e2e:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@@ -74,7 +73,7 @@ jobs:
      - run: npx playwright test

  lighthouse:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    needs: [test]
    steps:
      - uses: actions/checkout@v4
@@ -99,7 +98,7 @@ jobs:
          CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage"

  build-and-push:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    if: github.event_name == 'push'
    needs: [lint, test, e2e]
    outputs:
@@ -134,13 +133,13 @@ jobs:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

-      - name: Log in to Gitea registry
+      - name: Log in to GHCR
        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
@@ -175,7 +174,11 @@ jobs:
          only-fixed: "true"
          output-format: sarif

-
+      - name: Upload frontend scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}

      - name: Push Docker image
        if: github.event_name == 'push'
@@ -195,7 +198,7 @@ jobs:
          git push origin "v${{ steps.calver.outputs.version }}"

  build-and-push-receiptwitness:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    if: github.event_name == 'push'
    needs: [lint, test]
    outputs:
@@ -224,13 +227,13 @@ jobs:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

-      - name: Log in to Gitea registry
+      - name: Log in to GHCR
        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
@@ -267,7 +270,11 @@ jobs:
          only-fixed: "true"
          output-format: sarif

-
+      - name: Upload receiptwitness scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}

      - name: Push Docker image
        if: github.event_name == 'push'
@@ -283,7 +290,7 @@ jobs:
          cache-from: type=gha

  build-and-push-api:
-    runs-on: ubuntu-latest
+    runs-on: runners-cartsnitch
    if: github.event_name == 'push'
    needs: [lint, test]
    outputs:
@@ -312,13 +319,13 @@ jobs:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

-      - name: Log in to Gitea registry
+      - name: Log in to GHCR
        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (API)
        id: meta
@@ -355,7 +362,11 @@ jobs:
          only-fixed: "true"
          output-format: sarif

-
+      - name: Upload api scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}

      - name: Push Docker image
        if: github.event_name == 'push'
@@ -370,104 +381,25 @@ jobs:
            APT_CACHE_BUST=${{ github.run_id }}
          cache-from: type=gha

-  build-and-push-auth:
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push'
-    needs: [lint, test]
-    outputs:
-      calver_tag: ${{ steps.calver.outputs.version }}
-      sha_tag: sha-${{ github.sha }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Generate CalVer tag
-        id: calver
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-        run: |
-          DATE_TAG=$(date -u +%Y.%m.%d)
-          EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1)
-          if [ -z "$EXISTING" ]; then VERSION="$DATE_TAG"
-          elif [ "$EXISTING" = "v${DATE_TAG}" ]; then VERSION="${DATE_TAG}.2"
-          else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-
-      - name: Log in to Docker Hub
-        if: github.event_name == 'push'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Log in to Gitea registry
-        if: github.event_name == 'push'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
-
-      - name: Extract metadata (auth)
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}
-          tags: |
-            type=sha,prefix=sha-,format=long
-            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
-
-      - name: Build Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: ./auth
-          file: ./auth/Dockerfile
-          load: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Scan auth image for vulnerabilities
-        uses: anchore/scan-action@v5
-        id: scan
-        env:
-          GRYPE_CONFIG: .grype.yaml
-        with:
-          image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
-          fail-build: true
-          severity-cutoff: high
-          only-fixed: "true"
-          output-format: sarif
-
-
-
-      - name: Push Docker image
-        if: github.event_name == 'push'
-        uses: docker/build-push-action@v6
-        with:
-          context: ./auth
-          file: ./auth/Dockerfile
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            APT_CACHE_BUST=${{ github.run_id }}
-          cache-from: type=gha
-
  deploy-dev:
-    runs-on: ubuntu-latest
-    needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api, build-and-push-auth]
+    runs-on: runners-cartsnitch
+    needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api]
    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
+          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: infra
+
      - name: Checkout infra repo
        uses: actions/checkout@v4
        with:
          repository: cartsnitch/infra
-          token: ${{ secrets.REGISTRY_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
          ref: main
          path: infra

@@ -490,7 +422,7 @@ jobs:
        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+          kustomize edit set image git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}

      - name: Determine image tag for receiptwitness
        id: receiptwitness_tag
@@ -505,7 +437,7 @@ jobs:
        if: needs.build-and-push-receiptwitness.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness=git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
+          kustomize edit set image git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}

      - name: Determine image tag for api
        id: api_tag
@@ -520,44 +452,38 @@ jobs:
        if: needs.build-and-push-api.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/api=git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
-
-      - name: Determine image tag for auth
-        id: auth_tag
-        run: |
-          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
-            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
-          else
-            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Update auth image tag
-        if: needs.build-and-push-auth.result == 'success'
-        run: |
-          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
+          kustomize edit set image git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }}

      - name: Commit and push to infra
        run: |
          cd infra
          git config user.name "cartsnitch-ci[bot]"
-          git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net"
+          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
          git add apps/overlays/dev/kustomization.yaml
          git diff --cached --quiet && echo "No image changes to deploy" && exit 0
-          git commit -m "ci(dev): update cartsnitch, receiptwitness, api, and auth images"
+          git commit -m "ci(dev): update cartsnitch, receiptwitness, and api images"
          git pull --rebase origin main
          git push origin main

  deploy-uat:
-    runs-on: ubuntu-latest
-    needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api, build-and-push-auth]
+    runs-on: runners-cartsnitch
+    needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api]
    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
+          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: infra
+
      - name: Checkout infra repo
        uses: actions/checkout@v4
        with:
          repository: cartsnitch/infra
-          token: ${{ secrets.REGISTRY_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
          ref: main
          path: infra

@@ -580,7 +506,7 @@ jobs:
        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+          kustomize edit set image git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}

      - name: Determine image tag for receiptwitness
        id: receiptwitness_tag
@@ -595,7 +521,7 @@ jobs:
        if: needs.build-and-push-receiptwitness.result == 'success'
        run: |
          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness=git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
+          kustomize edit set image git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}

      - name: Determine image tag for api
        id: api_tag
@@ -610,30 +536,15 @@ jobs:
        if: needs.build-and-push-api.result == 'success'
        run: |
          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/api=git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
-
-      - name: Determine image tag for auth
-        id: auth_tag
-        run: |
-          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
-            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
-          else
-            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Update auth image tag
-        if: needs.build-and-push-auth.result == 'success'
-        run: |
-          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
+          kustomize edit set image git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }}

      - name: Commit and push to infra
        run: |
          cd infra
          git config user.name "cartsnitch-ci[bot]"
-          git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net"
+          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
          git add apps/overlays/uat/kustomization.yaml
          git diff --cached --quiet && echo "No image changes to deploy" && exit 0
-          git commit -m "ci(uat): update cartsnitch, receiptwitness, api, and auth images"
+          git commit -m "ci(uat): update cartsnitch, receiptwitness, and api images"
          git pull --rebase origin main
          git push origin main
@@ -15,7 +15,7 @@ permissions:
  packages: write

 env:
-  REGISTRY: git.farh.net
+  REGISTRY: ghcr.io
  IMAGE_NAME: cartsnitch/api

 jobs:
@@ -130,13 +130,13 @@ jobs:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

-      - name: Log in to Gitea registry
+      - name: Log in to GHCR
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
@@ -6,6 +6,7 @@ from fastapi import APIRouter, FastAPI

 from cartsnitch_api.auth.routes import router as auth_router
 from cartsnitch_api.cache import cache_client
+from cartsnitch_api.database import dispose_engine
 from cartsnitch_api.middleware.cors import add_cors_middleware
 from cartsnitch_api.middleware.error_handler import add_error_handlers, add_error_monitor_middleware
 from cartsnitch_api.middleware.rate_limit import add_rate_limit_middleware
@@ -12,5 +12,5 @@
    "resolveJsonModule": true
  },
  "include": ["src"],
-  "exclude": ["node_modules", "dist", "src/__tests__"]
+  "exclude": ["node_modules", "dist"]
 }
Author	SHA1	Message	Date
Flea Flicker	883b8ca5cf	fix(ci): update kustomize image refs from ghcr.io to git.farh.net CI / lint (pull_request) Has been cancelled Details CI / test (pull_request) Has been cancelled Details CI / audit (pull_request) Has been cancelled Details CI / e2e (pull_request) Has been cancelled Details CI / lighthouse (pull_request) Has been cancelled Details CI / build-and-push (pull_request) Has been cancelled Details CI / build-and-push-receiptwitness (pull_request) Has been cancelled Details CI / build-and-push-api (pull_request) Has been cancelled Details CI / deploy-dev (pull_request) Has been cancelled Details CI / deploy-uat (pull_request) Has been cancelled Details Fixes QA finding: deploy-dev and deploy-uat jobs still referenced ghcr.io in kustomize edit set image commands. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-23 15:51:58 +00:00
coupon-carl-ceo[bot]	e3ed19f98c	release: promote uat → main (seed tooling CAR-812 + auth health) CI / test (pull_request) Has been cancelled Details CI / audit (pull_request) Has been cancelled Details CI / e2e (pull_request) Has been cancelled Details CI / build-and-push-receiptwitness (pull_request) Has been cancelled Details CI / deploy-uat (pull_request) Has been cancelled Details CI / lint (pull_request) Has been cancelled Details CI / lighthouse (pull_request) Has been cancelled Details CI / build-and-push (pull_request) Has been cancelled Details CI / build-and-push-api (pull_request) Has been cancelled Details CI / deploy-dev (pull_request) Has been cancelled Details UAT PASS (Deal Dottie, 2026-05-04) + Security PASS (Stockboy Steve, 2026-05-04) Merged with admin privileges due to 1-commit divergence (README/UI-only release commit from PR #245 with no file overlap with uat changes). No functional conflict. Refs: CAR-842, CAR-812	2026-05-04 21:55:13 +00:00
savannah-savings-cto[bot]	e54736d900	chore: promote dev → uat (seed tooling, CAR-812) (#247 ) chore: promote dev → uat (seed tooling, CAR-812)	2026-05-04 21:44:34 +00:00
savannah-savings-cto[bot]	40abf64888	chore: promote dev → uat (auth health routing fix) (#246 ) chore: promote dev → uat (auth health routing fix)	2026-05-04 21:17:31 +00:00
savannah-savings-cto[bot]	3615a78f0e	release: remove mock auth bypass + README expansion (CAR-813/CAR-829) release: remove mock auth bypass + README expansion (CAR-813/CAR-829)	2026-05-04 19:42:36 +00:00
savannah-savings-cto[bot]	d785606bd1	Merge main into uat to bring up to date for production release	2026-05-04 19:41:47 +00:00
savannah-savings-cto[bot]	48eaf45121	Merge pull request #244 from cartsnitch/dev promote: dev → uat (README expansion)	2026-05-04 19:00:18 +00:00
savannah-savings-cto[bot]	4bf5cd3826	Merge pull request #242 from cartsnitch/dev Promote dev → uat: remove VITE_MOCK_AUTH bypass (#181)	2026-05-04 16:23:33 +00:00
coupon-carl-ceo[bot]	a3fca65ea1	Merge pull request #239 from cartsnitch/uat release: lifespan DB/Redis connection pooling (CAR-550)	2026-05-04 15:41:53 +00:00
savannah-savings-cto[bot]	25c27d08fe	Merge pull request #241 from cartsnitch/dev promote: dev → uat (color contrast accessibility fix)	2026-05-04 15:31:13 +00:00
Chris Farhood	aaf645fbe9	ci: retrigger e2e after runner network outage [CAR-799] Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 15:30:28 +00:00
savannah-savings-cto[bot]	80aa58b37a	Merge pull request #240 from cartsnitch/dev Promote dev → uat: PR #178 (fix N+1 UPC scan with Postgres JSON containment)	2026-05-04 15:20:28 +00:00
savannah-savings-cto[bot]	062f6be8ea	Merge pull request #238 from cartsnitch/dev Promote dev to UAT: lifespan DB/Redis connection pooling	2026-05-04 15:07:59 +00:00
savannah-savings-cto[bot]	60beb2d89e	Merge pull request #237 from cartsnitch/uat release: remove auth image build from monorepo CI (CAR-749)	2026-04-20 18:53:47 +00:00
savannah-savings-cto[bot]	9120c834e4	Merge pull request #236 from cartsnitch/dev Promote dev to UAT: remove auth image build from CI	2026-04-20 18:01:29 +00:00