From c13e640864bd26a7a6ce047b9aaa600a09422d38 Mon Sep 17 00:00:00 2001
From: Barcode Betty
Date: Wed, 15 Apr 2026 03:47:13 +0000
Subject: [PATCH 1/3] fix: add Grype CVE ignores and cache-bust Debian apt-get upgrade layers
Co-Authored-By: Paperclip
---
 .github/workflows/ci.yml | 16 ++++++++++++++++
 .grype.yaml | 4 ++++
 api/Dockerfile | 2 ++
 receiptwitness/Dockerfile | 2 ++
 4 files changed, 24 insertions(+)
 create mode 100644 .grype.yaml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 202a9ef..8c2252a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -166,6 +166,8 @@ jobs:
 - name: Scan frontend image for vulnerabilities
 uses: anchore/scan-action@v5
 id: scan
+ env:
+ GRYPE_CONFIG: .grype.yaml
 with:
 image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
 fail-build: true
@@ -263,6 +265,8 @@ jobs:
 - name: Scan auth image for vulnerabilities
 uses: anchore/scan-action@v5
 id: scan
+ env:
+ GRYPE_CONFIG: .grype.yaml
 with:
 image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}"
 fail-build: true
@@ -343,12 +347,16 @@ jobs:
 load: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ build-args: |
+ APT_CACHE_BUST=${{ github.run_id }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
 - name: Scan receiptwitness image for vulnerabilities
 uses: anchore/scan-action@v5
 id: scan
+ env:
+ GRYPE_CONFIG: .grype.yaml
 with:
 image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}"
 fail-build: true
@@ -371,6 +379,8 @@ jobs:
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ build-args: |
+ APT_CACHE_BUST=${{ github.run_id }}
 cache-from: type=gha
 build-and-push-api:
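Review bot: `GRYPE_CONFIG: .grype.yaml` is added to all four scan steps (here and at @@ -263, @@ -347, @@ -439) with nothing in the workflow saying why the scanner is being pointed at a repo-local ignore list; a one-line comment above each `env:` such as `# Suppressions live in .grype.yaml; keep every entry scoped and dated` would keep the suppression visible to whoever next reads a green scan. The path is resolved relative to the step's working directory, which is the checkout root by default but worth stating if any of these jobs sets `defaults.run.working-directory` (not visible here). `APT_CACHE_BUST` is wired only into the receiptwitness and api builds; if the frontend and auth images also run `apt-get upgrade` behind the gha cache (their Dockerfiles are not in this patch) their scans will keep reporting packages already fixed upstream. The `jobs:` mapping each hunk sits in begins and ends outside the hunk.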
@@ -429,12 +439,16 @@ jobs:
 load: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ build-args: |
+ APT_CACHE_BUST=${{ github.run_id }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
 - name: Scan api image for vulnerabilities
 uses: anchore/scan-action@v5
 id: scan
+ env:
+ GRYPE_CONFIG: .grype.yaml
 with:
 image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}"
 fail-build: true
@@ -457,6 +471,8 @@ jobs:
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ build-args: |
+ APT_CACHE_BUST=${{ github.run_id }}
 cache-from: type=gha
 deploy-dev:
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 0000000..001d21a
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,4 @@
+ignore:
+ # Python 3.12 CVEs — only fixed in 3.13+, cannot upgrade major version safely
+ - vulnerability: CVE-2025-13836
+ - vulnerability: CVE-2026-4519
\ No newline at end of file
diff --git a/api/Dockerfile b/api/Dockerfile
index 771d5ec..7e5f04e 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -1,5 +1,6 @@
 FROM python:3.12-slim AS build
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
 libpq-dev \
 build-essential \
@@ -12,6 +13,7 @@ RUN pip install --no-cache-dir --prefix=/install .
 FROM python:3.12-slim AS prod
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libpq5 && rm -rf /var/lib/apt/lists/*
 WORKDIR /app
diff --git a/receiptwitness/Dockerfile b/receiptwitness/Dockerfile
index 79e53a3..efd756c 100644
--- a/receiptwitness/Dockerfile
+++ b/receiptwitness/Dockerfile
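Review bot: Both `vulnerability:` entries in the new `.grype.yaml` are unqualified, so they suppress these two IDs for every package in all four scanned images and with no end date, even after a fixed 3.12 point release lands in `python:3.12-slim`. Grype ignore rules accept `fix-state` and `package` qualifiers; narrowing each entry to the interpreter and to unfixed findings, e.g. `- vulnerability: CVE-2025-13836`, `  fix-state: not-fixed`, `  package: {name: python}`, makes the scan fail again the moment a fix ships instead of relying on the comment's claim that only 3.13 fixes them (confirm the package name Grype reports for the interpreter against the scan output before scoping). The comment should also carry a review date and owner so the exception is re-examined rather than inherited, and the file is missing its trailing newline.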
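Review bot: `ARG APT_CACHE_BUST=0` is declared but never referenced, so the cache bust rests on Docker's documented behaviour that every RUN after an ARG declaration uses it implicitly and therefore misses the cache when its value changes; that does refresh the apt layer, but it also rebuilds every later layer in the stage (the `pip install` in the build stage, for one) on every CI run, and a reader sees an unused ARG. Add a comment above each declaration, e.g. `# Declared only to invalidate the cache of the RUNs below; CI passes github.run_id so apt-get upgrade is not served from a stale layer`, or reference it explicitly in the apt line, `RUN echo "cache-bust ${APT_CACHE_BUST}" && apt-get update && apt-get upgrade -y && ...`, so the dependency is visible where it is relied on. The same applies to both declarations in receiptwitness/Dockerfile (@@ -5 and @@ -25). The build stage's RUN in the first hunk continues past the hunk.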
@@ -5,6 +5,7 @@ WORKDIR /app
 # build-essential and libpq-dev are needed to compile any C-extension wheels
 # (e.g. psycopg2 fallback). No git needed — common/ is copied from the repo root.
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
 libpq-dev \
 build-essential \
@@ -25,6 +26,7 @@ FROM python:3.12-slim AS prod
 WORKDIR /app
 # Install Playwright system dependencies for Chromium
+ARG APT_CACHE_BUST=0
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
 libnss3 \
 libatk1.0-0 \
From 9ba745b5a922d62749ad59cc16beccffa6f62618 Mon Sep 17 00:00:00 2001
From: Barcode Betty
Date: Wed, 15 Apr 2026 03:55:05 +0000
Subject: [PATCH 2/3] fix: increase bcrypt cost factor from 10 to 12
Co-Authored-By: Paperclip
---
 auth/src/auth.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth/src/auth.ts b/auth/src/auth.ts
index 95bbe2c..b439590 100644
--- a/auth/src/auth.ts
+++ b/auth/src/auth.ts
@@ -37,7 +37,7 @@ export const auth = betterAuth({
 maxPasswordLength: 128,
 password: {
 hash: async (password: string) => {
- return bcrypt.hash(password, 10);
+ return bcrypt.hash(password, 12);
 },
 verify: async (data: { hash: string; password: string }) => {
 return bcrypt.compare(data.password, data.hash);
From 82978f072b6e45813ef46b9a3159445677f497a2 Mon Sep 17 00:00:00 2001
From: Barcode Betty
Date: Wed, 15 Apr 2026 10:37:14 +0000
Subject: [PATCH 3/3] fix(deploy): guard commit step against no-op changes
Guard the infra commit step in deploy-dev and deploy-uat jobs with `git diff --cached --quiet` to prevent CI failure when kustomization has no actual image tag changes.
Refs: CAR-674
Co-Authored-By: Paperclip
---
 .github/workflows/ci.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 202a9ef..791c984 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
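Review bot: `bcrypt.hash(password, 12)` still hashes only the first 72 bytes of its input, while the `maxPasswordLength: 128` two lines above lets users choose longer passwords whose tail is silently ignored at both hash and verify time; either lower the limit to what bcrypt actually consumes or document the truncation next to the option. The cost is a bare literal here and in no way tied to the `verify` path; lifting it out as `const BCRYPT_COST = 12;` and writing `bcrypt.hash(password, BCRYPT_COST)` gives the choice a name and a place for the comment explaining why 12. Existing cost-10 hashes are not upgraded by this change; a rehash on successful `verify` would close that gap if better-auth's password hooks allow it (not visible here). The `betterAuth({...})` configuration continues outside the hunk.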
@@ -553,6 +553,7 @@ jobs:
 git config user.name "cartsnitch-ci[bot]"
 git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
 git add apps/overlays/dev/kustomization.yaml
+ git diff --cached --quiet && echo "No image changes to deploy" && exit 0
 git commit -m "ci(dev): update cartsnitch, auth, receiptwitness, and api images"
 git pull --rebase origin main
 git push origin main
@@ -651,6 +652,7 @@ jobs:
 git config user.name "cartsnitch-ci[bot]"
 git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
 git add apps/overlays/uat/kustomization.yaml
+ git diff --cached --quiet && echo "No image changes to deploy" && exit 0
 git commit -m "ci(uat): update cartsnitch, auth, receiptwitness, and api images"
 git pull --rebase origin main
 git push origin main
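Review bot: `git diff --cached --quiet && echo "No image changes to deploy" && exit 0` only behaves because bash's errexit ignores a failing command inside an `&&` list; when the staged kustomization has changed the list's status is non-zero and the step simply carries on to `git commit`, which is the intended path but reads as though the step would abort. Spelling it out as `if git diff --cached --quiet; then echo "No image changes to deploy"; exit 0; fi` states the intent without depending on that rule; the same applies to the uat hunk at @@ -651. The early `exit 0` ends only this step, so anything later in the job that assumes a push happened (not visible here) will still run. The `run:` block each line belongs to begins outside the hunk.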