Applied npm overrides from previous commit. Grype scan now passes
at --fail-on high with only MEDIUM-severity remaining CVEs in uuid
(GHSA-w5hq-g745-h8pq, major bump to v11 required, not a blocking risk)
and better-auth (GHSA-wxw3-q3m9-c3jr, updating to 1.6.2 separately).
Co-Authored-By: Paperclip <noreply@paperclip.ing>

Grype found 3 HIGH-severity CVEs in transitive npm deps that npm audit
missed (different advisory DB):
- GHSA-737v-mqg7-c878: defu 6.1.4 → 6.1.5+
- GHSA-pv5w-4p9q-p3v2: kysely 0.28.14 → 0.28.17
- GHSA-c2c7-rcm5-vvqj: picomatch 4.0.3 → 4.0.4
All three are transitive deps of better-auth. Adding npm overrides
forces the patched versions. Grype scan passes at --fail-on high
after these overrides are applied.
Co-Authored-By: Paperclip <noreply@paperclip.ing>

Deploy-dev and deploy-uat jobs were opening image-tag-bump PRs against
dev/uat branches per CAR-1371. Flux reconciles all overlays from infra
main, so those PRs were never picked up. Revert --arg base back to main.
Co-Authored-By: Paperclip <noreply@paperclip.ing>

fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438)
Any non-merged outcome after successful PR creation is now treated
as the GitOps approval gate (exit 0). Only empty PR_NUM hard-fails.

The dev→uat 3-way merge of ci.yml conflicts on:
- CalVer logic (dev is the multi-line readable form)
- ref: main vs parameterized expression (dev wins, per CAR-1374)
- PR body base/head: dev wins (per CAR-1371 + acceptance criteria)
- CAR-1216 comment: dev added, uat didn't have it
Resolution: take dev's version of ci.yml (the corrected form per CAR-1373).
cc @cpfarhood

Add deploy-dev and deploy-uat jobs to cartsnitch/auth:dev. These were
removed in CAR-1041 because the previous direct-push implementation was
invalid. Re-add them in the post-CAR-1371+1374 frontend pattern:
- base=dev / base=uat (was base=main in main, direct-push in uat)
- parameterized ref matches PR base (CAR-1374 sibling)
- head=cartsnitch:${BRANCH} (cross-repo PR head, matches frontend)
- never-fail on merge outcome (CAR-1216)
- request cs_savannah review per GitOps gate
cc @cpfarhood

Migrates auth .gitea/workflows/ci.yml deploy-dev and deploy-uat
jobs from direct 'git push origin main' to cartsnitch/infra to the
CAR-1195 PR-bump pattern. Brings auth in line with cartsnitch/cartsnitch
and stops the red deploy-dev/deploy-uat jobs on main pushes.
Also fixes the registry-login password to use REGISTRY_TOKEN (CAR-1009
standard) instead of GITEA_TOKEN — uat already had this fix (CAR-1237);
main was lagging.
Co-Authored-By: Paperclip <noreply@paperclip.ing>

Migrates auth .gitea/workflows/ci.yml deploy-dev and deploy-uat
jobs from direct 'git push origin main' to cartsnitch/infra to the
CAR-1195 PR-bump pattern (open + (attempt) auto-merge an infra PR;
never hard-fail on approval gate, per CAR-1216). Brings auth in line
with cartsnitch/cartsnitch and stops the red deploy-uat job on every
uat push.
Co-Authored-By: Paperclip <noreply@paperclip.ing>

ci(uat): runner-native Docker build + fix deploy infra token (CAR-1237)
Reviewed and merged by Savannah (CTO). Byte-identical to proven main except the spec-mandated REGISTRY_TOKEN registry-login (CAR-1009 standard).
Co-Authored-By: Paperclip <noreply@paperclip.ing>

- Change A: replace build-and-push with runner-native Docker (no DinD service container)
- Change B: deploy-dev/deploy-uat use secrets.GITEA_TOKEN for infra checkout
Co-Authored-By: Paperclip <noreply@paperclip.ing>

docker/login-action@v3 exits 1 against git.farh.net. Replace with a
direct docker login shell command using secrets.REGISTRY_TOKEN via
--password-stdin.
cc @cpfarhood

Replaces CI_GITEA_TOKEN (which lacks cross-repo access) with REGISTRY_TOKEN
for checkout of cartsnitch/infra in deploy-uat/deploy-dev jobs.
Fixes CAR-1147

Remove deploy-dev and deploy-uat CI jobs. CartSnitch uses Flux GitOps —
CI builds images, Flux deploys. These Actions-based deployment jobs were
added incorrectly in CAR-987.
Co-Authored-By: Barcode Betty <betty@cartsnitch>