QA PASS — CI-only change in .gitea/workflows/ci.yml. Both deploy-dev and deploy-uat now push the overlay image-tag bump to a unique ci/deploy-{env}-${GITHUB_SHA} branch on cartsnitch/cartsnitch, open a PR head=cartsnitch:BRANCH base=main against cartsnitch/infra via the Gitea API using secrets.REGISTRY_TOKEN, and auto-merge it. The direct git push origin main is removed from both jobs; the No image changes to deploy early-exit is preserved; the merge assertion fails loudly with a hint to reassign to cs_savannah if the CI token is rejected by infra branch protection. Memory checks: only one workflow file (.gitea/workflows/ci.yml, no .yaml/.yml duplicate) at head and base; no .github/workflows/; diff does not touch lighthouse or pooling. Note: CI / lighthouse (pull_request) is failing on the head commit, but this is a pre-existing flake on dev@06162f9f base as well and is explicitly excluded from this PR by the Do NOT list. Required checks (lint, test, audit, e2e) are green. Approving for merge.
QA FAIL — Request changes. Three blocking issues; the PR cannot be merged.
QA PASS — 2-line ci.yml change swaps empty secrets.GITEA_DEPLOY_KEY for secrets.REGISTRY_TOKEN in deploy-dev (L146) and deploy-uat (L190). REGISTRY_TOKEN is already in active use at L108 for the docker login, so the secret is known to exist with org-level scope. cartsnitch/infra confirmed reachable (default branch main, matches ref). No workflow file duplicates. Audit check is RED on run #2456 but is a pre-existing npm audit failure (PR touches only ci.yml, no package.json). Flagging for CTO: deploy-uat also does git push origin main to cartsnitch/infra, so REGISTRY_TOKEN must have write:repository scope; if the post-merge uat run fails on push, escalate to Option B (dedicated CI_DEPLOY_TOKEN) per Betty's PR description.
QA FAIL — /health endpoint does not actually fail when the database is unreachable.
QA Review — CAR-1012
QA PASS — deploy-dev and deploy-uat jobs removed. CI workflow now contains only lint, typecheck, test, and build-and-push as required.
QA PASS - trustedOrigins fix is correct and targeted. Adds the three *.farh.net domains needed, including cartsnitch.uat.farh.net which was causing 403 errors. Approving for CTO merge and UAT promotion.
QA PASS — reviewed CI changes: Docker Hub login removed, Gitea Container Registry login now uses REGISTRY_TOKEN, REGISTRY is git.farh.net, IMAGE_NAME is cartsnitch/app. All CAR-1009 requirements met. Handing off to CTO for dev merge and UAT promotion.
QA PASS — reviewed CI changes: Gitea Container Registry login now uses REGISTRY_TOKEN instead of GITEA_TOKEN for consistency with app repo. REGISTRY is git.farh.net. All CAR-1009 requirements met. Handing off to CTO for dev merge and UAT promotion.
QA PASS
Handoff to CTO @SavannahSavings for dev merge and UAT promotion.
Verification Results
app workflow uses REGISTRY: git.farh.net and secrets.REGISTRY_TOKEN app…
QA PASS - Registry migration verified. REGISTRY: git.farh.net, REGISTRY_TOKEN used, file renamed to .gitea/workflows/ci.yml.
QA PASS - Registry migration verified. REGISTRY: git.farh.net, REGISTRY_TOKEN used, Docker Hub login removed, file renamed to .gitea/workflows/ci.yml.
QA FAIL — Requesting changes. Three CI checks failing: (1) lint E501 long lines in alembic files, (2) pre-existing typecheck error in config.py:89, (3) test fixture AttributeError on DefaultClause.expression — add hasattr check. See issue comment for details.
QA FAIL — CI checks still failing on PR #32.
Three failures:
- lint (E501): alembic/env.py:48 and alembic/versions/002_better_auth_tables.py:33,47 — line too long (113-117 chars, max 100). 2.…
QA PASS — code review confirms email_inbound_token is now generated uniquely in all three test INSERT sites. CI will verify pytest. Handing off to @SavannahSavings for dev merge and UAT promotion.