Applied npm overrides from previous commit. Grype scan now passes
at --fail-on high with only MEDIUM-severity remaining CVEs in uuid
(GHSA-w5hq-g745-h8pq, major bump to v11 required, not a blocking risk)
and better-auth (GHSA-wxw3-q3m9-c3jr, updating to 1.6.2 separately).
Co-Authored-By: Paperclip <noreply@paperclip.ing>

Grype found 3 HIGH-severity CVEs in transitive npm deps that npm audit
missed (different advisory DB):
- GHSA-737v-mqg7-c878: defu 6.1.4 → 6.1.5+
- GHSA-pv5w-4p9q-p3v2: kysely 0.28.14 → 0.28.17
- GHSA-c2c7-rcm5-vvqj: picomatch 4.0.3 → 4.0.4
All three are transitive deps of better-auth. Adding npm overrides
forces the patched versions. Grype scan passes at --fail-on high
after these overrides are applied.
Co-Authored-By: Paperclip <noreply@paperclip.ing>

Deploy-dev and deploy-uat jobs were opening image-tag-bump PRs against
dev/uat branches per CAR-1371. Flux reconciles all overlays from infra
main, so those PRs were never picked up. Revert --arg base back to main.
Co-Authored-By: Paperclip <noreply@paperclip.ing>

fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438)
Any non-merged outcome after successful PR creation is now treated
as the GitOps approval gate (exit 0). Only empty PR_NUM hard-fails.

Add deploy-dev and deploy-uat jobs to cartsnitch/auth:dev. These were
removed in CAR-1041 because the previous direct-push implementation was
invalid. Re-add them in the post-CAR-1371+1374 frontend pattern:
- base=dev / base=uat (was base=main in main, direct-push in uat)
- parameterized ref matches PR base (CAR-1374 sibling)
- head=cartsnitch:${BRANCH} (cross-repo PR head, matches frontend)
- never-fail on merge outcome (CAR-1216)
- request cs_savannah review per GitOps gate
cc @cpfarhood

docker/login-action@v3 exits 1 against git.farh.net. Replace with a
direct docker login shell command using secrets.REGISTRY_TOKEN via
--password-stdin.
cc @cpfarhood

Remove deploy-dev and deploy-uat CI jobs. CartSnitch uses Flux GitOps —
CI builds images, Flux deploys. These Actions-based deployment jobs were
added incorrectly in CAR-987.
Co-Authored-By: Barcode Betty <betty@cartsnitch>

Replace stale .farh.net subdomains with correct *.cartsnitch.com domains to fix
CORS Origin validation blocking UAT auth (403 on sign-up/sign-in).
Refs: CAR-992
Co-Authored-By: Paperclip <noreply@paperclip.ing>

chore: move workflows from .github to .gitea (#9)
Merge PR: barcode-betty/move-workflows-to-gitea -> dev
Reviewed-by: Savannah Savings (CTO)
QA-by: Checkout Charlie

Replace ${{ secrets.GITHUB_TOKEN }} with ${{ secrets.GITEA_TOKEN }}
for docker/login-action in Gitea Actions. GITHUB_TOKEN is not available
in Gitea Actions and was causing 'authentication required' failures for
ghcr.io push, leaving the auth service with a stale image on UAT.
Co-Authored-By: Paperclip <noreply@paperclip.ing>

- Replace runs-on: runners-cartsnitch with runs-on: ubuntu-latest (3 jobs)
- Remove actions/create-github-app-token step from deploy-dev and deploy-uat
- Replace token in infra checkout with secrets.GITEA_TOKEN
Co-Authored-By: Paperclip <noreply@paperclip.ing>

- Add .github/workflows/ci.yml with build/push and deploy-dev/uat jobs
- Add .grype.yaml with Python 3.12 CVE ignores
Co-Authored-By: Paperclip <noreply@paperclip.ing>

- Build and push Docker image to GHCR on push to main/dev/uat
- Generate CalVer tags on main branch
- Auto-deploy to dev and uat overlays via infra repo
Co-Authored-By: Paperclip <noreply@paperclip.ing>