fix: ensure only verified github emails

[rebelchris]

Apparently one can set unverified github email (I couldn't reproduce what user managed to do myself)
But output is something like this:

github oauth debug: raw responses
      githubProfile: {
        "login": "rebelchris",
        "id": 554874,
        "node_id": "MDQ6VXNlcjU1NDg3NA==",
        "avatar_url": "https://avatars.githubusercontent.com/u/554874?v=4",
        "gravatar_id": "",
        "url": "https://api.github.com/users/rebelchris",
        "html_url": "https://github.com/rebelchris",
        "followers_url": "https://api.github.com/users/rebelchris/followers",
        "following_url": "https://api.github.com/users/rebelchris/following{/other_user}",
        "gists_url": "https://api.github.com/users/rebelchris/gists{/gist_id}",
        "starred_url": "https://api.github.com/users/rebelchris/starred{/owner}{/repo}",
        "subscriptions_url": "https://api.github.com/users/rebelchris/subscriptions",
        "organizations_url": "https://api.github.com/users/rebelchris/orgs",
        "repos_url": "https://api.github.com/users/rebelchris/repos",
        "events_url": "https://api.github.com/users/rebelchris/events{/privacy}",
        "received_events_url": "https://api.github.com/users/rebelchris/received_events",
        "type": "User",
        "user_view_type": "public",
        "site_admin": false,
        "name": "Chris Bongers",
        "company": "daily.dev",
        "blog": "https://daily-dev-tips.com",
        "location": "Cape Town",
        "email": "chrisbongers@gmail.com",
        "hireable": null,
        "bio": "Developer, wide range of languages but ❤️JavaScript.",
        "twitter_username": "DailyDevTips1",
        "notification_email": "chrisbongers@gmail.com",
        "public_repos": 131,
        "public_gists": 35,
        "followers": 876,
        "following": 446,
        "created_at": "2011-01-10T01:27:55Z",
        "updated_at": "2026-03-02T11:24:01Z"
      }
      githubEmails: [
        {
          "email": "chris_bongers@hotmail.com",
          "primary": false,
          "verified": true,
          "visibility": null
        },
        {
          "email": "chrisbongers@gmail.com",
          "primary": true,
          "verified": true,
          "visibility": "public"
        }
      ]
      profileStatus: 200
      emailsStatus: 200

So for primary one we now check verified status (ba apparently does it underwater to link to user.emailVerified)
I couldn't reproduce the original issue so can't 100% guarantee it.

[pulumi]

🍹 The Update (preview) for dailydotdev/api/prod (at 4294ab4) was successful.

✨ Neo Explanation

Standard container image rollout deploying commit `cc772530`, which adds a GitHub OAuth email-verification enforcement gate. No stateful resources are affected. ✅ Low Risk

This is a routine application deployment rolling out a new build (cc772530) across all Kubernetes workloads. The code change adds a GitHub OAuth guard in the user.create.before hook that blocks sign-ups when the GitHub-provided email is unverified, while still permitting standard email/password sign-ups with unverified emails.

The migration Jobs (both DB and Clickhouse) are being cycled to the new commit hash as expected — the old commit-stamped Jobs are deleted and new ones created for the incoming release.

Resource Changes

    Name                                                       Type                           Operation
~   vpc-native-user-profile-analytics-history-clickhouse-cron  kubernetes:batch/v1:CronJob    update
~   vpc-native-sync-subscription-with-cio-cron                 kubernetes:batch/v1:CronJob    update
~   vpc-native-materialize-yearly-best-post-archives-cron      kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-zombie-users-cron                         kubernetes:batch/v1:CronJob    update
~   vpc-native-channel-digests-cron                            kubernetes:batch/v1:CronJob    update
~   vpc-native-private-deployment                              kubernetes:apps/v1:Deployment  update
~   vpc-native-personalized-digest-cron                        kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-expired-better-auth-sessions-cron         kubernetes:batch/v1:CronJob    update
~   vpc-native-post-analytics-clickhouse-cron                  kubernetes:batch/v1:CronJob    update
~   vpc-native-bg-deployment                                   kubernetes:apps/v1:Deployment  update
~   vpc-native-temporal-deployment                             kubernetes:apps/v1:Deployment  update
~   vpc-native-hourly-notification-cron                        kubernetes:batch/v1:CronJob    update
~   vpc-native-user-profile-analytics-clickhouse-cron          kubernetes:batch/v1:CronJob    update
~   vpc-native-rotate-daily-quests-cron                        kubernetes:batch/v1:CronJob    update
~   vpc-native-worker-job-deployment                           kubernetes:apps/v1:Deployment  update
-   vpc-native-api-clickhouse-migration-8065efa8               kubernetes:batch/v1:Job        delete
~   vpc-native-update-tags-str-cron                            kubernetes:batch/v1:CronJob    update
~   vpc-native-update-achievement-rarity-cron                  kubernetes:batch/v1:CronJob    update
~   vpc-native-update-tag-materialized-views-cron              kubernetes:batch/v1:CronJob    update
~   vpc-native-user-profile-updated-sync-cron                  kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-zombie-user-companies-cron                kubernetes:batch/v1:CronJob    update
~   vpc-native-update-highlighted-views-cron                   kubernetes:batch/v1:CronJob    update
~   vpc-native-update-trending-cron                            kubernetes:batch/v1:CronJob    update
~   vpc-native-rotate-weekly-quests-cron                       kubernetes:batch/v1:CronJob    update
~   vpc-native-check-analytics-report-cron                     kubernetes:batch/v1:CronJob    update
+   vpc-native-api-clickhouse-migration-cc772530               kubernetes:batch/v1:Job        create
~   vpc-native-ws-deployment                                   kubernetes:apps/v1:Deployment  update
~   vpc-native-expire-super-agent-trial-cron                   kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-gifted-plus-cron                          kubernetes:batch/v1:CronJob    update
~   vpc-native-user-posts-analytics-refresh-cron               kubernetes:batch/v1:CronJob    update
~   vpc-native-update-current-streak-cron                      kubernetes:batch/v1:CronJob    update
~   vpc-native-personalized-digest-deployment                  kubernetes:apps/v1:Deployment  update
~   vpc-native-generic-referral-reminder-cron                  kubernetes:batch/v1:CronJob    update
~   vpc-native-validate-active-users-cron                      kubernetes:batch/v1:CronJob    update
~   vpc-native-deployment                                      kubernetes:apps/v1:Deployment  update
~   vpc-native-update-source-public-threshold-cron             kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-zombie-opportunities-cron                 kubernetes:batch/v1:CronJob    update
~   vpc-native-calculate-top-readers-cron                      kubernetes:batch/v1:CronJob    update
~   vpc-native-clean-stale-user-transactions-cron              kubernetes:batch/v1:CronJob    update
~   vpc-native-squad-posts-analytics-refresh-cron              kubernetes:batch/v1:CronJob    update
~   vpc-native-daily-digest-cron                               kubernetes:batch/v1:CronJob    update
... and 12 other changes