5a2c6885e9
CI / sast (push) Successful in 19s
CI / secrets-scan (push) Successful in 5s
CI / vuln-scan (push) Successful in 20s
CI / lint (push) Failing after 5s
CI / test (push) Failing after 7s
CI / image-scan (push) Has been skipped
CI / build-images (push) Has been skipped
CI / push (push) Has been skipped
Three coupled changes the deployable build pipeline needed:
1. Runtime config (window.__APP_CONFIG__)
Vite bakes env vars at build time, which means one image per
deploy target. Switched to a runtime-config pattern: the nginx
container's entrypoint writes /config.js from env vars before
serving, and index.html loads it before the React bundle. The
client reads window.__APP_CONFIG__.apiBaseUrl via the new
runtimeConfig.apiUrl() helper instead of hardcoding /api. One
image, any backend.
2. Dockerfiles
- packages/server/Dockerfile: multi-stage with `pnpm deploy
--prod` for a flat node_modules. tini for PID 1, non-root
user, alpine base. The `.prisma/client/` generated artifacts
aren't tracked by `pnpm deploy` (not a declared dep) so we
manually copy them from the builder's pnpm store into the
same .pnpm@prisma+client+... directory that deploy preserved
— without this, PrismaClient instantiation throws "did not
initialize yet."
- packages/client/Dockerfile: vite build + nginx:alpine
runtime, custom nginx.conf with no-cache on /config.js and
long-cache on hashed assets, /docker-entrypoint.d/40-app-config.sh
materializes config.js at startup.
- Added tsconfig.build.json on the server so `nest build` emits
dist/main.js (the existing tsconfig included test/, which
made tsc pick the package root as common prefix and produce
dist/src/main.js).
3. CI overhaul (.github/workflows/ci.yml)
Switched to the per-project pattern used elsewhere: parallel
test / lint / secrets-scan / vuln-scan / sast jobs, then
build-images, image-scan, and a gated push job. Push is
main-only, checks Harbor for an existing version tag before
pushing, signs images with cosign, and back-pushes per-package
git tags (server-vX.Y.Z, client-vX.Y.Z). Renamed Harbor
project to tehriehlincremental and the auth secrets to
INCREMENTAL_USERNAME / INCREMENTAL_PASSWORD per request. Test
job retains the Postgres service container so integration
tests still run.
Verification:
- Server image: builds, boots, mounts all routes, "listening on
:3001" — confirmed Prisma client initializes properly.
- Client image: builds, entrypoint generates /config.js with
APP_API_BASE_URL=https://api.example.com/api confirmed via
curl, index.html loads config.js before main bundle.
- pnpm -r typecheck / test / lint / format:check: all clean.
- 80 unit tests pass + 7 integration tests.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
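The runtime-config entrypoint that item 1 and the packages/client/Dockerfile bullet describe, written out as an added example (this is not the commit's own 40-app-config.sh; only the script path and the variable name APP_API_BASE_URL come from the message above). The point it makes explicit: an environment variable is untrusted input to the served page, so the value is JSON-string-escaped and validated before it is placed in a JavaScript file, rather than interpolated with a bare echo. The output path APP_CONFIG_OUT and the function names json_escape, validate_api_url and render_app_config are assumptions chosen here.

```shell
#!/bin/sh
# Hypothetical /docker-entrypoint.d/40-app-config.sh (path from the commit
# message; this script body is an added example, not the project's own).
# Renders config.js from environment variables before nginx starts, so one
# image serves any backend. Each value is escaped for a double-quoted JS
# string literal: an unescaped value could close the literal and inject script.
set -eu

# Escape one string for use inside a double-quoted JS/JSON string literal.
# Handles backslash, double quote, newline and '<'. CR is dropped: it is a
# JS line terminator and never meaningful in a URL.
json_escape() {
  printf '%s' "$1" \
    | tr -d '\r' \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/</\\u003c/g' \
    | awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }'
}

# Accept only absolute http(s) URLs or a same-origin path such as /api.
# Anything else (javascript:, data:, a quote-laden string) is refused.
validate_api_url() {
  case "$1" in
    http://*|https://*|/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the contents of config.js for the given API base URL.
# Object.freeze keeps later scripts from silently rewriting the config.
render_app_config() {
  printf 'window.__APP_CONFIG__ = Object.freeze({ apiBaseUrl: "%s" });\n' \
    "$(json_escape "$1")"
}

main() {
  # APP_API_BASE_URL is the variable the commit's verification step shows;
  # /api keeps the previously hardcoded default when it is unset.
  api_url="${APP_API_BASE_URL:-/api}"
  # Assumed output location under the nginx docroot.
  out="${APP_CONFIG_OUT:-/usr/share/nginx/html/config.js}"
  if ! validate_api_url "$api_url"; then
    echo "40-app-config.sh: refusing APP_API_BASE_URL: must be an http(s) URL or a /path" >&2
    exit 1
  fi
  render_app_config "$api_url" > "$out"
}

# Only write the file when the docroot exists and is writable, so the
# functions above can also be exercised outside the container.
if [ -w "$(dirname "${APP_CONFIG_OUT:-/usr/share/nginx/html/config.js}")" ]; then
  main
fi
```

The validation step is what turns a misconfiguration into a failed container start instead of a page that silently talks to the wrong origin; the escaping step is defense in depth for the case where the check is loosened later. Pair it with the no-cache header on /config.js from the nginx.conf so a redeploy with a new APP_API_BASE_URL is picked up immediately.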
15 lines
130 B
Plaintext
**/node_modules
**/dist
**/coverage
**/.turbo
**/*.log
.git
.github
.vscode
.idea
.env
.env.local
.env.*.local
*.swp
.docker-data
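Review bot: the env-file patterns (`.env`, `.env.local`, `.env.*.local`) leave non-`.local` variants such as `.env.production` or `.env.staging` inside the build context, so any credential kept in one of those files reaches the builder stage and could be copied into a layer. Consider the broader `.env*` with a `!.env.example` negation if a committed template needs to stay available, and keep `.git` and `.github` excluded as they are here.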