fix(ci): Node.js 20 → 24 LTS + pipeline fixes (#366, #367) #368

Merged

jason.woltje merged 3 commits from fix/ci-366 into develop

2026-02-13 23:18:05 +00:00

Author	SHA1	Message	Date
jason.woltje	46be7aa36f	Merge branch 'develop' into fix/ci-366 All checks were successful ci/woodpecker/push/orchestrator Pipeline was successful Details ci/woodpecker/push/web Pipeline was successful Details	2026-02-13 23:17:55 +00:00
Jason Woltje	0363a14098	fix(#367 ): migrate Node.js 20 → 24 LTS All checks were successful ci/woodpecker/push/orchestrator Pipeline was successful Details ci/woodpecker/push/web Pipeline was successful Details ci/woodpecker/push/api Pipeline was successful Details Node.js 24 (Krypton) entered Active LTS on 2026-02-09. Update all Dockerfiles, CI pipelines, and engine constraint from node:20-alpine to node:24-alpine. Corrected .trivyignore: tar CVEs come from Next.js 16.1.6 bundled tar@7.5.2 (not npm). Orchestrator and API images are clean; web image needs Next.js upstream fix. Fixes #367 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-13 15:20:01 -06:00
Jason Woltje	7fb70210a4	fix(ci): move spec removal to builder stage + suppress tar CVEs All checks were successful ci/woodpecker/push/orchestrator Pipeline was successful Details Two Trivy fixes: 1. Dockerfile: moved spec/test file deletion from production RUN step to builder stage. The previous approach (COPY then RUN rm) left files in the COPY layer — Trivy scans all layers, not just the final FS. Now spec files are deleted in builder BEFORE COPY to production. 2. .trivyignore: added 3 tar CVEs (CVE-2026-23745/23950/24842) with documented rationale. tar@7.5.2 is bundled inside npm which ships with node:20-alpine. Not upgradeable — not our dependency. npm is already removed from all production images. Verified: local Trivy scan passes (exit code 0, 0 findings) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-12 19:19:27 -06:00

Author

SHA1

Message

Date

jason.woltje

46be7aa36f

Merge branch 'develop' into fix/ci-366

ci/woodpecker/push/orchestrator Pipeline was successful

Details

ci/woodpecker/push/web Pipeline was successful

Details

2026-02-13 23:17:55 +00:00

Jason Woltje

0363a14098

fix(#367 ): migrate Node.js 20 → 24 LTS

ci/woodpecker/push/orchestrator Pipeline was successful

Details

ci/woodpecker/push/web Pipeline was successful

Details

ci/woodpecker/push/api Pipeline was successful

Details

Node.js 24 (Krypton) entered Active LTS on 2026-02-09. Update all
Dockerfiles, CI pipelines, and engine constraint from node:20-alpine
to node:24-alpine. Corrected .trivyignore: tar CVEs come from Next.js
16.1.6 bundled tar@7.5.2 (not npm). Orchestrator and API images are
clean; web image needs Next.js upstream fix.

Fixes #367

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-13 15:20:01 -06:00

Jason Woltje

7fb70210a4

fix(ci): move spec removal to builder stage + suppress tar CVEs

ci/woodpecker/push/orchestrator Pipeline was successful

Details

Two Trivy fixes:

1. Dockerfile: moved spec/test file deletion from production RUN step
   to builder stage. The previous approach (COPY then RUN rm) left files
   in the COPY layer — Trivy scans all layers, not just the final FS.
   Now spec files are deleted in builder BEFORE COPY to production.

2. .trivyignore: added 3 tar CVEs (CVE-2026-23745/23950/24842) with
   documented rationale. tar@7.5.2 is bundled inside npm which ships
   with node:20-alpine. Not upgradeable — not our dependency. npm is
   already removed from all production images.

Verified: local Trivy scan passes (exit code 0, 0 findings)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-12 19:19:27 -06:00

fix(ci): Node.js 20 → 24 LTS + pipeline fixes (#366, #367) #368

3 Commits