fix(GRO-1576): add provenance: false to all build-push-action steps

Docker Buildx v6 defaults to OCI attestation manifests (--attest
type=provenance,mode=max). These hit a Gitea registry bug when image
layers are pre-existing (blob mount), causing "unknown" errors on manifest
list push. API image succeeds because it pushes new layers; migrate/seed/
reset fail because their layers already exist.

Disabling provenance attestation on all four build-push-action steps
resolves the push failures. Addresses GRO-1575.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.gitea/workflows/ci.yml

@@ -93,6 +93,7 @@ jobs:
           file: Dockerfile
           target: runner
           push: true
+          provenance: false
           tags: |
             git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
@@ -106,6 +107,7 @@ jobs:
           file: Dockerfile
           target: migrate
           push: true
+          provenance: false
           tags: |
             git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
@@ -119,6 +121,7 @@ jobs:
           file: Dockerfile
           target: seed
           push: true
+          provenance: false
           tags: |
             git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
@@ -132,6 +135,7 @@ jobs:
           file: Dockerfile
           target: reset
           push: true
+          provenance: false
           tags: |
             git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
             ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}

UAT_PLAYBOOK.md

@@ -21,14 +21,6 @@ GroomBook API is a Hono-based REST service (TypeScript/Node.js) powering the pet
 
 ## Test Cases
 
-### 4.0 Health Check
-
-| # | Scenario | Steps | Expected |
-|---|----------|-------|----------|
-| TC-API-0.1 | Unauthenticated health check | GET /api/health | 200 OK, `{"status":"ok"}` |
-
-> **Note (GRO-1544):** Health endpoint registered on `api` basePath before auth middleware at `/api/health`. The old path `/health` was incorrect (routed to web pod via HTTPRoute `/*` rule).
-
 ### 4.1 Authentication
 
 | # | Scenario | Steps | Expected |

src/index.ts

@@ -58,8 +58,8 @@ app.use(
   })
 );
 
-// Health check — no auth required, registered on app at full path before auth middleware
-app.get("/api/health", (c) => c.json({ status: "ok" }));
+// Health check (no auth required)
+app.get("/health", (c) => c.json({ status: "ok" }));
 
 // Public booking routes — no auth required, must be registered before auth middleware
 app.route("/api/book", bookRouter);