fix(ci): use full SHA in docker/metadata-action tags

The sha_tag output is a 40-char SHA, but docker/metadata-action defaults to short (7-char) SHA tags. This caused UAT pods to fail image pulls because kustomization tags didn't match GHCR tags. Change type=sha,prefix=sha- to type=sha,prefix=sha-,format=long in all four build jobs (cartsnitch, auth, receiptwitness, api). Fixes CAR-482. Co-Authored-By: Paperclip <noreply@paperclip.ing>
fix(ci): build and deploy from dev and uat branches
2026-04-04 05:31:04 +00:00 · 2026-04-04 04:59:40 +00:00 · 2026-04-04 04:54:09 +00:00 · 2026-04-04 04:44:47 +00:00 · 2026-04-04 04:40:50 +00:00 · 2026-04-04 04:24:09 +00:00
12 changed files with 261 additions and 61 deletions
@@ -2,9 +2,9 @@ name: CI

 on:
  push:
-    branches: [main]
+    branches: [main, dev, uat]
  pull_request:
-    branches: [main]
+    branches: [main, dev, uat]

 concurrency:
  group: ci-${{ github.ref }}
@@ -99,10 +99,11 @@ jobs:

  build-and-push:
    runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push'
    needs: [lint, test, e2e]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
@@ -126,14 +127,14 @@ jobs:
          echo "CalVer tag: $VERSION"

      - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
@@ -146,7 +147,7 @@ jobs:
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
-            type=sha,prefix=sha-
+            type=sha,prefix=sha-,format=long
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

@@ -154,7 +155,7 @@ jobs:
        uses: docker/build-push-action@v6
        with:
          context: .
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          target: prod
@@ -169,10 +170,11 @@ jobs:

  build-and-push-auth:
    runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push'
    needs: [lint, test, e2e]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
@@ -195,14 +197,14 @@ jobs:
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
@@ -215,7 +217,7 @@ jobs:
        with:
          images: ${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}
          tags: |
-            type=sha,prefix=sha-
+            type=sha,prefix=sha-,format=long
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

@@ -224,16 +226,17 @@ jobs:
        with:
          context: ./auth
          file: ./auth/Dockerfile
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  build-and-push-receiptwitness:
    runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push'
    needs: [lint, test]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
@@ -251,14 +254,14 @@ jobs:
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
@@ -271,7 +274,7 @@ jobs:
        with:
          images: ${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}
          tags: |
-            type=sha,prefix=sha-
+            type=sha,prefix=sha-,format=long
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

@@ -280,16 +283,17 @@ jobs:
        with:
          context: .
          file: ./receiptwitness/Dockerfile
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  build-and-push-api:
    runs-on: runners-cartsnitch
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push'
    needs: [lint, test]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
+      sha_tag: sha-${{ github.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
@@ -307,14 +311,14 @@ jobs:
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Log in to Docker Hub
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Log in to GHCR
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
@@ -327,23 +331,23 @@ jobs:
        with:
          images: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}
          tags: |
-            type=sha,prefix=sha-
+            type=sha,prefix=sha-,format=long
            type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

      - name: Build and push API Docker image
        uses: docker/build-push-action@v6
        with:
-          context: .
+          context: ./api
          file: ./api/Dockerfile
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  deploy-dev:
    runs-on: runners-cartsnitch
    needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
-    if: always() && !cancelled() && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
    steps:
      - name: Generate GitHub App token
        id: app-token
@@ -368,29 +372,65 @@ jobs:
      - name: Install kustomize
        uses: imranismail/setup-kustomize@v2

+      - name: Determine image tag for frontend
+        id: frontend_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
      - name: Update frontend image tag
        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ needs.build-and-push.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+
+      - name: Determine image tag for auth
+        id: auth_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi

      - name: Update auth image tag
        if: needs.build-and-push-auth.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/auth:${{ needs.build-and-push-auth.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
+
+      - name: Determine image tag for receiptwitness
+        id: receiptwitness_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi

      - name: Update receiptwitness image tag
        if: needs.build-and-push-receiptwitness.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
+
+      - name: Determine image tag for api
+        id: api_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi

      - name: Update api image tag
        if: needs.build-and-push-api.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/api:${{ needs.build-and-push-api.outputs.calver_tag }}
+          kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}

      - name: Commit and push to infra
        run: |
@@ -399,4 +439,103 @@ jobs:
          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
          git add apps/overlays/dev/kustomization.yaml
          git commit -m "ci(dev): update cartsnitch, auth, receiptwitness, and api images"
+          git pull --rebase origin main
+          git push origin main
+
+  deploy-uat:
+    runs-on: runners-cartsnitch
+    needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
+    if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
+    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.CARTSNITCH_APP_ID }}
+          private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: infra
+
+      - name: Checkout infra repo
+        uses: actions/checkout@v4
+        with:
+          repository: cartsnitch/infra
+          token: ${{ steps.app-token.outputs.token }}
+          ref: main
+          path: infra
+
+      - name: Install kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Install kustomize
+        uses: imranismail/setup-kustomize@v2
+
+      - name: Determine image tag for frontend
+        id: frontend_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update frontend image tag
+        if: needs.build-and-push.result == 'success'
+        run: |
+          cd infra/apps/overlays/uat
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+
+      - name: Determine image tag for auth
+        id: auth_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update auth image tag
+        if: needs.build-and-push-auth.result == 'success'
+        run: |
+          cd infra/apps/overlays/uat
+          kustomize edit set image ghcr.io/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }}
+
+      - name: Determine image tag for receiptwitness
+        id: receiptwitness_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update receiptwitness image tag
+        if: needs.build-and-push-receiptwitness.result == 'success'
+        run: |
+          cd infra/apps/overlays/uat
+          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }}
+
+      - name: Determine image tag for api
+        id: api_tag
+        run: |
+          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
+            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Update api image tag
+        if: needs.build-and-push-api.result == 'success'
+        run: |
+          cd infra/apps/overlays/uat
+          kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
+
+      - name: Commit and push to infra
+        run: |
+          cd infra
+          git config user.name "cartsnitch-ci[bot]"
+          git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
+          git add apps/overlays/uat/kustomization.yaml
+          git commit -m "ci(uat): update cartsnitch, auth, receiptwitness, and api images"
+          git pull --rebase origin main
          git push origin main
@@ -16,6 +16,8 @@ WORKDIR /app
 RUN adduser --system --group --uid 1000 app
 COPY --from=build /install /usr/local
 COPY src/ ./src/
+COPY alembic.ini ./
+COPY alembic/ ./alembic/

 USER 1000
 EXPOSE 8000
@@ -23,4 +25,4 @@ EXPOSE 8000
 HEALTHCHECK --interval=30s --timeout=3s \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')"

-CMD ["uvicorn", "cartsnitch_api.main:app", "--host", "0.0.0.0", "--port", "8000"]
+CMD ["uvicorn", "cartsnitch_api.main:app", "--host", "0.0.0.0", "--port", "8000"]
@@ -22,11 +22,6 @@ from cartsnitch_api.services.auth import AuthService
 router = APIRouter(prefix="/auth", tags=["auth"])


-class EmailInAddressResponse(BaseModel):
-    email_address: str
-    instructions: str
-
-
@router.get("/me", response_model=UserResponse)
 async def get_me(
    user_id: str = Depends(get_current_user),
@@ -70,23 +65,3 @@ async def delete_me(
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
        ) from None
-
-
-@router.get("/me/email-in-address", response_model=EmailInAddressResponse)
-async def get_email_in_address(
-    user_id: str = Depends(get_current_user),
-    db: AsyncSession = Depends(get_db),
-):
-    result = await db.execute(select(User.email_inbound_token).where(User.id == user_id))
-    token = result.scalar_one_or_none()
-    if not token:
-        raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND, detail="Email inbound token not found"
-        ) from None
-    return EmailInAddressResponse(
-        email_address=f"receipts+{token}@receipts.cartsnitch.com",
-        instructions=(
-            "Forward your digital receipt emails to this address. "
-            "We currently support Meijer, Kroger, and Target receipt emails."
-        ),
-    )
@@ -19,7 +19,13 @@ async def get_email_in_address(
    svc = AuthService(db)
    try:
        email_address = await svc.get_email_in_address(user_id)
-        return EmailInAddressResponse(email_address=email_address)
+        return EmailInAddressResponse(
+            email_address=email_address,
+            instructions=(
+                "Forward your digital receipt emails to this address. "
+                "We currently support Meijer, Kroger, and Target receipt emails."
+            ),
+        )
    except LookupError:
        raise HTTPException(
            status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
@@ -24,6 +24,7 @@ class UserResponse(BaseModel):

 class EmailInAddressResponse(BaseModel):
    email_address: str
+    instructions: str


 # ---------- Stores ----------
@@ -76,4 +76,4 @@ class AuthService:
        if not user:
            raise LookupError("User not found")

-        return f"{user.email_inbound_token}@email.cartsnitch.com"
+        return f"receipts+{user.email_inbound_token}@receipts.cartsnitch.com"
@@ -1,4 +1,4 @@
-"""Tests for GET /auth/me/email-in-address endpoint."""
+"""Tests for GET /api/v1/me/email-in-address endpoint."""

 import pytest
 from httpx import AsyncClient
@@ -8,7 +8,7 @@ from httpx import AsyncClient
 async def test_get_email_in_address_authenticated(client: AsyncClient, auth_headers: dict):
    """Authenticated user gets their email-in address."""
    response = await client.get(
-        "/auth/me/email-in-address",
+        "/api/v1/me/email-in-address",
        headers=auth_headers,
    )

@@ -27,7 +27,7 @@ async def test_get_email_in_address_authenticated(client: AsyncClient, auth_head
@pytest.mark.asyncio
 async def test_get_email_in_address_unauthenticated(client: AsyncClient):
    """Unauthenticated request returns 401."""
-    response = await client.get("/auth/me/email-in-address")
+    response = await client.get("/api/v1/me/email-in-address")
    assert response.status_code == 401


@@ -35,7 +35,7 @@ async def test_get_email_in_address_unauthenticated(client: AsyncClient):
 async def test_get_email_in_address_invalid_token(client: AsyncClient):
    """Invalid JWT token returns 401."""
    response = await client.get(
-        "/auth/me/email-in-address",
+        "/api/v1/me/email-in-address",
        headers={"Authorization": "Bearer invalid-token-xyz"},
    )
    assert response.status_code == 401
@@ -45,7 +45,7 @@ async def test_get_email_in_address_invalid_token(client: AsyncClient):
 async def test_email_address_format(client: AsyncClient, auth_headers: dict):
    """Email address format is receipts+{22-char-urlsafe-token}@receipts.cartsnitch.com."""
    response = await client.get(
-        "/auth/me/email-in-address",
+        "/api/v1/me/email-in-address",
        headers=auth_headers,
    )

@@ -95,5 +95,6 @@ export const auth = betterAuth({
    "https://cartsnitch.com",
    "https://cartsnitch.farh.net",
    "https://cartsnitch.dev.farh.net",
+    "https://cartsnitch.uat.farh.net",
  ],
 });
@@ -0,0 +1,37 @@
+"""Add email_inbound_token to users.
+
+Revision ID: 001_add_email_inbound_token
+Revises:
+Create Date: 2026-04-02
+"""
+
+from collections.abc import Sequence
+
+import sqlalchemy as sa
+
+from alembic import op
+
+revision: str = "001_add_email_inbound_token"
+down_revision: str | None = None
+branch_labels: str | Sequence[str] | None = None
+depends_on: str | Sequence[str] | None = None
+
+
+def upgrade() -> None:
+    op.add_column("users", sa.Column("email_inbound_token", sa.String(22), nullable=True))
+    op.create_unique_constraint("uq_users_email_inbound_token", "users", ["email_inbound_token"])
+
+    # Backfill existing users with generated tokens (PostgreSQL)
+    op.execute(
+        "UPDATE users SET email_inbound_token = "
+        "substring(replace(gen_random_uuid()::text, '-', ''), 1, 22) "
+        "WHERE email_inbound_token IS NULL"
+    )
+
+    # Alter to non-nullable
+    op.alter_column("users", "email_inbound_token", nullable=False)
+
+
+def downgrade() -> None:
+    op.drop_constraint("uq_users_email_inbound_token", "users", type_="unique")
+    op.drop_column("users", "email_inbound_token")
@@ -1,5 +1,6 @@
 """User and UserStoreAccount models."""

+import secrets
 import uuid
 from datetime import datetime
 from typing import TYPE_CHECKING
@@ -21,6 +22,9 @@ class User(UUIDPrimaryKeyMixin, TimestampMixin, Base):
    __tablename__ = "users"

    email: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
+    email_inbound_token: Mapped[str] = mapped_column(
+        String(22), nullable=False, unique=True, default=lambda: secrets.token_urlsafe(16)
+    )
    hashed_password: Mapped[str | None] = mapped_column(String(255), nullable=True)
    display_name: Mapped[str | None] = mapped_column(String(100))
    email_verified: Mapped[bool] = mapped_column(Boolean, nullable=False, server_default="false")
@@ -20,6 +20,7 @@ class UserRead(BaseModel):
    id: uuid.UUID
    email: str
    display_name: str | None
+    email_inbound_token: str
    created_at: datetime
    updated_at: datetime

@@ -147,6 +147,40 @@ class TestStoreLocationModel:
        assert loc.lat == pytest.approx(42.2808)


+class TestUserModel:
+    def test_email_inbound_token_auto_populated(self, session):
+        user = User(
+            id=uuid.uuid4(),
+            email="token_test@example.com",
+            hashed_password="hashed",
+            created_at=datetime.now(UTC),
+            updated_at=datetime.now(UTC),
+        )
+        session.add(user)
+        session.commit()
+        assert user.email_inbound_token is not None
+        assert len(user.email_inbound_token) == 22
+
+    def test_email_inbound_token_unique(self, session):
+        user1 = User(
+            id=uuid.uuid4(),
+            email="user1@example.com",
+            hashed_password="hashed",
+            created_at=datetime.now(UTC),
+            updated_at=datetime.now(UTC),
+        )
+        user2 = User(
+            id=uuid.uuid4(),
+            email="user2@example.com",
+            hashed_password="hashed",
+            created_at=datetime.now(UTC),
+            updated_at=datetime.now(UTC),
+        )
+        session.add_all([user1, user2])
+        session.commit()
+        assert user1.email_inbound_token != user2.email_inbound_token
+
+
 class TestUserStoreAccountModel:
    def test_account_status_enum(self, session):
        user = User(
Author	SHA1	Message	Date
cartsnitch-engineer[bot]	7639be9a41	fix(ci): use full SHA in docker/metadata-action tags The sha_tag output is a 40-char SHA, but docker/metadata-action defaults to short (7-char) SHA tags. This caused UAT pods to fail image pulls because kustomization tags didn't match GHCR tags. Change type=sha,prefix=sha- to type=sha,prefix=sha-,format=long in all four build jobs (cartsnitch, auth, receiptwitness, api). Fixes CAR-482. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 05:31:04 +00:00
cartsnitch-cto[bot]	ebe439ce84	fix(ci): build and deploy from dev and uat branches fix(ci): build and deploy from dev and uat branches	2026-04-04 04:59:40 +00:00
cartsnitch-engineer[bot]	a663729121	fix(ci): build and deploy from dev and uat branches	2026-04-04 04:54:09 +00:00
cartsnitch-cto[bot]	4fc7933e30	Merge pull request #117 from cartsnitch/betty/fix-alembic-dockerfile fix(api): include alembic config and migrations in Docker image	2026-04-04 04:44:47 +00:00
cartsnitch-engineer[bot]	6e0cb93ee2	fix(api): include alembic config and migrations in Docker image	2026-04-04 04:40:50 +00:00
cartsnitch-qa[bot]	0e4848f8b4	Merge pull request #115 from cartsnitch/betty/fix-uat-trustedorigins fix(auth): add UAT hostname to trustedOrigins	2026-04-04 04:24:09 +00:00
Pawla Abdul	bb7010f881	fix(auth): add UAT hostname to trustedOrigins Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-04 04:18:03 +00:00
cartsnitch-cto[bot]	4756e1c1c5	Merge pull request #114 from cartsnitch/feat/sync-common-email-inbound-token feat(common): sync email_inbound_token from standalone common repo	2026-04-03 20:18:35 +00:00
Barcode Betty	73c038e406	feat(common): sync email_inbound_token from standalone repo	2026-04-03 20:12:35 +00:00
cartsnitch-cto[bot]	02e34d65bb	fix(ci): use api/Dockerfile in build-and-push-api job fix(ci): use api/Dockerfile in build-and-push-api job	2026-04-03 19:53:46 +00:00
cartsnitch-ceo[bot]	a869bb42d7	fix(ci): use api/Dockerfile in build-and-push-api job PR #111 fixed the build context to ./api but forgot to also update the file path. The job was using ./Dockerfile (the frontend Dockerfile which references nginx.conf and package-lock.json from the repo root), causing the API image build to fail with a cache checksum error. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-04-03 19:49:28 +00:00
cartsnitch-cto[bot]	d77d1b58b8	Merge pull request #112 from cartsnitch/fix/ci-deploy-race fix(ci): add git pull --rebase to deploy jobs to prevent race condition	2026-04-03 17:22:21 +00:00
cartsnitch-engineer[bot]	d86c0001eb	fix(ci): add git pull --rebase to deploy jobs to prevent race condition	2026-04-03 17:19:57 +00:00
cartsnitch-cto[bot]	5cc2bb78e9	Merge pull request #111 from cartsnitch/fix/ci-api-docker-context fix(ci): correct API Docker build context to api/ directory	2026-04-03 17:12:38 +00:00
cartsnitch-engineer[bot]	c9075be6e0	fix(ci): correct API Docker build context to api/ directory	2026-04-03 17:07:03 +00:00
cartsnitch-engineer[bot]	6c297b5e81	fix: correct email-in-address format, remove dead code, update tests (#110 ) - Fix email format in AuthService.get_email_in_address to use receipts+{token}@receipts.cartsnitch.com (was broken: @email.cartsnitch.com) - Remove dead EmailInAddressResponse class and GET /auth/me/email-in-address endpoint from auth/routes.py (endpoint moved to routes/user.py) - Add instructions field to EmailInAddressResponse schema - Update routes/user.py to include instructions in the response - Update test URLs from /auth/me/email-in-address to /api/v1/me/email-in-address Co-authored-by: CartSnitch Engineer Bot <cartnoreply@cartsnitch.com> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-04-03 13:34:21 +00:00
cartsnitch-cto[bot]	80004e4285	feat(ci): add deploy-uat job for UAT environment (#109 ) Mirrors deploy-dev job but targets apps/overlays/uat. Both deploy-dev and deploy-uat run in parallel after all build jobs complete. Co-authored-by: CartSnitch Engineer Bot <cartnoreply@cartsnitch.com> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-04-03 13:27:47 +00:00
cartsnitch-cto[bot]	94f99595fc	fix(deps): resolve npm audit vulnerabilities (brace-expansion, lodash) (#108 ) - Override brace-expansion to >=1.1.13 to resolve GHSA-f886-m6hf-6m8v - Override lodash to >=4.17.24 to resolve GHSA-r5fr-rjxr-66jc and GHSA-f23m-r3pf-42rh - Override minimatch to ^10.2.4 to maintain compatibility with brace-expansion@5.x Co-authored-by: Paperclip <noreply@paperclip.ing> Co-authored-by: CartSnitch Engineer Bot <cartnoreply@cartsnitch.com>	2026-04-03 13:23:20 +00:00