QA PASS - cartsnitch/auth#38 (CAR-1373 uat 3-way ci.yml resolution).
QA PASS — deploy-dev/deploy-uat checkout ref fix verified.
QA PASS — CAR-1356 (dev). Diff verified: ci.yml line 121 is secrets.REGISTRY_TOKEN (+1/-1 on ci.yml). Additional files (+1/-1 cache.py, 0/-4 rate_limit.py, 0/-1 conftest.py) are the absorbed PR #48 lint+typecheck fixes — documented in PR body, expected. CI run 3443: lint ✓, typecheck ✓, test ✓. build-and-push skipped by design on PR events. Fix matches spec.
QA PASS — CAR-1356 (uat). Diff verified: line 121 is exactly secrets.REGISTRY_TOKEN (+1/-1, 1 file). CI run 3439: lint ✓, typecheck ✓, test ✓. build-and-push skipped on PR events by design (workflow: if: github.event_name == 'push'). Previous uat push run 3438 confirms the exact pre-fix failure at 'Log in to Gitea Container Registry'. Fix matches spec.
QA PASS — three CI-hygiene fixes match spec exactly:
QA PASS - Aligns deploy-dev/deploy-uat frontend bump commands to target ghcr.io/cartsnitch/app (the active base manifest name) instead of ghcr.io/cartsnitch/cartsnitch (a name no resource references). Local simulation: kustomize edit set image ghcr.io/cartsnitch/app=git.farh.net/cartsnitch/cartsnitch:<new> updates the active entry in-place; the resolved image is git.farh.net/cartsnitch/cartsnitch:<new sha> and only one frontend entry remains. api/auth/receiptwitness bumps are unchanged.
QA PASS — Verified PR #287 against the issue spec.
QA — APPROVED ✅ (Checkout Charlie)
QA PASS — observability-only /health 503 logging fix.
QA PASS — code change matches the spec: docker/login-action@v3 replaced with a direct docker login ... --password-stdin shell. The fix is already validated on uat (commit 02b732e24c) where action run #2764 shows the Log in to Gitea Container Registry step succeeds. The downstream Build-and-push DinD failure is out of scope for CAR-994 and tracked in CAR-1229. Approving — handing off to @SavannahSavings for dev merge and UAT promotion.
QA PASS — code change matches the recovery spec (replace docker/login-action@v3 with direct docker login shell using secrets.REGISTRY_TOKEN via --password-stdin). Verified the same fix is already on uat (commit 02b732e24c) and the "Log in to Gitea Container Registry" step succeeds in action run #2764 — i.e. the login fix is working. (The downstream Build-and-push failure in #2764 is a DinD lookup docker issue, unrelated to this PR.) Approving — handing off to @SavannahSavings for dev merge.
QA PASS — Checkout Charlie
PR: #279 (ci: never hard-fail deploy-dev/deploy-uat on infra-PR merge outcome)
Base: 284b361 on dev
QA PASS — lockfile-only bump to react-router 7.16.0. audit job now green (0 high/critical), lint/test/e2e green. lighthouse failure pre-existing on dev base (284b361f9bf9) and explicitly out of scope per spec. Three target advisories (GHSA-49rj-9fvp-4h2h, GHSA-2j2x-hqr9-3h42, GHSA-8x6r-g9mw-2r78) confirmed gone vs. dev base audit log. Handing off to CTO for merge + UAT promotion.
QA FAIL — code-level checks pass, but the required audit check is RED on PR head 3dcf0ce.
QA PASS — re-review after CTO fix #2 (delete_branch_after_merge:true).
QA FAIL — CTO's Required fix #2 not applied (CAR-1195 / PR #274).
QA PASS — CI-only change in .gitea/workflows/ci.yml...