Merge branch 'main' into fix/dockerhub-login-cicd

fix(ci): add Docker Hub login before build steps in all 4 build jobs
- Adds docker/login-action@v3 step before each GHCR login in all 4 build jobs (build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api) - Uses DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets - Also fixes: removes duplicate API image tag from the receiptwitness kustomize update step (was causing the API image to be set twice) Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-31 14:28:20 +00:00 · 2026-03-31 04:32:40 +00:00 · 2026-03-31 03:42:26 +00:00 · 2026-03-31 03:31:09 +00:00 · 2026-03-31 03:22:08 +00:00 · 2026-03-31 03:05:41 +00:00
3 changed files with 61 additions and 2 deletions
@@ -62,6 +62,7 @@ jobs:

  build-and-push:
    runs-on: runners-cartsnitch
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: [lint, test, e2e]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
@@ -87,6 +88,13 @@ jobs:
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "CalVer tag: $VERSION"

+      - name: Log in to Docker Hub
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
      - name: Log in to GHCR
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: docker/login-action@v3
@@ -124,6 +132,7 @@ jobs:

  build-and-push-auth:
    runs-on: runners-cartsnitch
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: [lint, test, e2e]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
@@ -148,6 +157,13 @@ jobs:
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

+      - name: Log in to Docker Hub
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
      - name: Log in to GHCR
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: docker/login-action@v3
@@ -177,6 +193,7 @@ jobs:

  build-and-push-receiptwitness:
    runs-on: runners-cartsnitch
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: [lint, test]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
@@ -196,6 +213,13 @@ jobs:
          else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

+      - name: Log in to Docker Hub
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
      - name: Log in to GHCR
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: docker/login-action@v3
@@ -225,6 +249,7 @@ jobs:

  build-and-push-api:
    runs-on: runners-cartsnitch
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: [lint, test]
    outputs:
      calver_tag: ${{ steps.calver.outputs.version }}
@@ -244,6 +269,13 @@ jobs:
          else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

+      - name: Log in to Docker Hub
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
      - name: Log in to GHCR
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: docker/login-action@v3
@@ -274,7 +306,7 @@ jobs:
  deploy-dev:
    runs-on: runners-cartsnitch
    needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: always() && !cancelled() && github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - name: Generate GitHub App token
        id: app-token
@@ -299,12 +331,28 @@ jobs:
      - name: Install kustomize
        uses: imranismail/setup-kustomize@v2

-      - name: Update dev overlay image tags
+      - name: Update frontend image tag
+        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/dev
          kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ needs.build-and-push.outputs.calver_tag }}
+
+      - name: Update auth image tag
+        if: needs.build-and-push-auth.result == 'success'
+        run: |
+          cd infra/apps/overlays/dev
          kustomize edit set image ghcr.io/cartsnitch/auth:${{ needs.build-and-push-auth.outputs.calver_tag }}
+
+      - name: Update receiptwitness image tag
+        if: needs.build-and-push-receiptwitness.result == 'success'
+        run: |
+          cd infra/apps/overlays/dev
          kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}
+
+      - name: Update api image tag
+        if: needs.build-and-push-api.result == 'success'
+        run: |
+          cd infra/apps/overlays/dev
          kustomize edit set image ghcr.io/cartsnitch/api:${{ needs.build-and-push-api.outputs.calver_tag }}

      - name: Commit and push to infra
@@ -15,6 +15,8 @@ RUN pip install --no-cache-dir --prefix=/install .
 # Stage 2: Production image
 FROM python:3.12-slim AS prod

+RUN apt-get update && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*
+
 WORKDIR /app
 RUN adduser --system --group --uid 1000 app
 COPY --from=build /install /usr/local
@@ -36,6 +36,15 @@ export const auth = betterAuth({
  },

  session: {
+    modelName: "sessions",
+    fields: {
+      userId: "user_id",
+      expiresAt: "expires_at",
+      ipAddress: "ip_address",
+      userAgent: "user_agent",
+      createdAt: "created_at",
+      updatedAt: "updated_at",
+    },
    expiresIn: 60 * 60 * 24 * 7, // 7 days
    updateAge: 60 * 60 * 24, // refresh after 1 day
    cookieCache: {
Author	SHA1	Message	Date
cartsnitch-ceo[bot]	24adc7e35b	Merge branch 'main' into fix/dockerhub-login-cicd	2026-03-31 14:28:20 +00:00
cartsnitch-ci[bot]	99294ea46d	fix(ci): add Docker Hub login before build steps in all 4 build jobs - Adds docker/login-action@v3 step before each GHCR login in all 4 build jobs (build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api) - Uses DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets - Also fixes: removes duplicate API image tag from the receiptwitness kustomize update step (was causing the API image to be set twice) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 04:32:40 +00:00
cartsnitch-engineer[bot]	528887a4a2	fix(auth): add session table model mapping for plural table name Better-Auth defaults to singular "session" table name, but our DB uses the plural "sessions" table (created by migration 002). Add modelName and snake_case field mappings to match the existing pattern for user, account, and verification models. Co-authored-by: Stockboy Steve <steve@cartsnitch.com> Co-authored-by: Paperclip <noreply@paperclip.ing> Co-authored-by: cartsnitch-ceo[bot] <269712056+cartsnitch-ceo[bot]@users.noreply.github.com>	2026-03-31 03:42:26 +00:00
cartsnitch-ci[bot]	bca46bf68e	chore(ci): merge main into fix/deploy-dev-resilient-v2, resolve ci.yml conflict Resolved conflict in build-and-push-api and deploy-dev jobs: - build-and-push-api: keep `if: push && main` guard to skip on PRs - deploy-dev: keep `if: always() && !cancelled() && push && main` resilience guard Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 03:31:09 +00:00
cartsnitch-ci[bot]	5d3b8fc8c2	Merge stash - resolve conflict with v2 branch	2026-03-31 03:22:08 +00:00
cartsnitch-ceo[bot]	65e670a887	Merge pull request #80 from cartsnitch/fix/api-dockerfile-libpq fix(api): add libpq5 to prod stage for psycopg2 runtime	2026-03-31 03:05:41 +00:00
cartsnitch-ci[bot]	63aae4f2eb	fix(ci): make deploy-dev resilient to individual build failures	2026-03-31 02:55:28 +00:00
cartsnitch-engineer[bot]	e9bc46121f	fix(api): add libpq5 to prod stage for psycopg2 runtime Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-03-31 02:48:25 +00:00