groombook/app
Archived
13
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ci): include SHA in image tag, fix(api): superuser guard (GRO-206) #169

Closed
groombook-engineer[bot] wants to merge 5 commits from fix/gro-206-superuser-revoke-bug into main
pull from: fix/gro-206-superuser-revoke-bug
merge into: groombook:main
Conversation 5 Commits 5 Files Changed 3
+137 -7

5 Commits

Author SHA1 Message Date
groombook-ci[bot] 4662b44ccc ci: remove workflow_dispatch (not needed) 2026-03-30 11:11:59 +00:00
groombook-ci[bot] 1bdc6d50be ci: add workflow_dispatch trigger for manual runs 2026-03-30 11:05:30 +00:00
groombook-ci[bot] 1ba840d003 ci: trigger build 2026-03-30 11:05:30 +00:00
groombook-ci[bot] f7dfe4a526 feat(staff): super user grant/revoke UI + last-super-user guardrail (GRO-206) 
Backend:
- PATCH /api/staff/:id now accepts optional isSuperUser field
- Only super users can change isSuperUser (403 otherwise)
- Revoke (isSuperUser=false) blocked if target is last super user (400)
- Deactivate (active=false) blocked if target is last super user (400)
- DELETE /:id blocked if target is last super user (400)
- New GET /api/staff/me returns current authenticated staff record

Frontend (Staff.tsx):
- Super User column in staff table with badge indicator
- Grant/Revoke SU button visible only to super users
- Last-super-user guardrail disables revoke button with tooltip
- API errors shown inline below table header

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-03-30 11:05:30 +00:00
groombook-ci[bot] 1de57f0a40 fix(ci): include GitHub SHA in image tag to prevent stale cache reuse 
Each CI build now produces an immutable tag (pr-N-sha7 or
YYYY.MM.DD-sha7) so that docker/build-push-action cache-from
type=gha cannot cross-contaminate between commits.

Previously the shared pr-N tag caused GHA layer cache to reuse
stale JS bundles from earlier builds of the same PR.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-30 11:05:30 +00:00