ci: add Gitea Actions pipeline, Harbor push, and migrate-on-boot

Pipeline (backend/.gitea/workflows/ci.yml):
- lint, typecheck, test (postgres+redis service containers, prisma
  migrate deploy, jest), gitleaks, semgrep, Trivy fs+image scans,
  buildx build with gha cache, Harbor push gated on `main` or v* tags
- Image tags via docker/metadata-action: :latest (main only),
  :sha-<full>, semver-derived :1.2.3 / :1.2 / :1 from v* tags
- Secrets: HARBOR_HOST, MOVIELOOP_USERNAME, MOVIELOOP_PASSWORD,
  PRISMA_TEST_KEY

Production image hardening (docker/Dockerfile, docker/entrypoint.sh):
- New entrypoint runs `npx prisma migrate deploy` then
  `exec node dist/src/main` so migrations apply on container start
  (single-replica deploys only)
- Switched CMD -> ENTRYPOINT, added USER node + chown for non-root
  runtime

Versioning (package.json, .versionrc.json):
- Bumped to 1.0.0 baseline
- Added commit-and-tag-version devDep + release/release:minor/major/dry
  scripts. Conventional Commits drive bumps; CHANGELOG hides chore/ci/etc.

Scan configs:
- .gitleaks.toml allows .env.example
- .semgrepignore excludes node_modules/, dist/, generated/prisma/,
  coverage/, test/, prisma/migrations/
- .trivyignore placeholder with format docs

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -0,0 +1,162 @@
+name: backend-ci
+
+on:
+  push:
+    branches: ["**"]
+    tags: ["v*"]
+  pull_request:
+
+env:
+  IMAGE: ${{ secrets.HARBOR_HOST }}/movieloop/backend
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+          cache-dependency-path: package-lock.json
+      - run: npm ci
+      - run: npx eslint "{src,apps,libs,test}/**/*.ts"
+
+  typecheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+      - run: npm ci
+      - run: npx tsc --noEmit
+
+  test:
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:17-alpine
+        env:
+          POSTGRES_USER: t
+          POSTGRES_PASSWORD: t
+          POSTGRES_DB: t
+        options: >-
+          --health-cmd "pg_isready -U t"
+          --health-interval 3s
+          --health-retries 20
+        ports: ["5432:5432"]
+      redis:
+        image: redis:7-alpine
+        ports: ["6379:6379"]
+    env:
+      DATABASE_URL: postgresql://t:t@localhost:5432/t?schema=public
+      REDIS_HOST: localhost
+      REDIS_PORT: 6379
+      JWT_SECRET: ci
+      JWT_EXPIRATION: 1d
+      JWT_LONG_EXPIRATION: 7d
+      PRISMA_FIELD_ENCRYPTION_KEY: ${{ secrets.PRISMA_TEST_KEY }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+      - run: npm ci
+      - run: npx prisma migrate deploy
+      - run: npm test
+      # test:e2e skipped — requires rabbitmq + full nest bootstrap. Track as TODO.
+
+  secrets-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # gitleaks needs full history
+      - uses: gitleaks/gitleaks-action@v2
+
+  sast:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: returntocorp/semgrep-action@v1
+        with:
+          config: "p/auto"
+
+  fs-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          severity: "HIGH,CRITICAL"
+          exit-code: "1"
+          ignore-unfixed: "true"
+
+  build:
+    runs-on: ubuntu-latest
+    needs: [lint, typecheck, test]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: docker/Dockerfile
+          tags: movieloop-backend:ci-${{ github.sha }}
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  image-scan:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: docker/Dockerfile
+          tags: movieloop-backend:ci-${{ github.sha }}
+          load: true
+          cache-from: type=gha
+      - uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: movieloop-backend:ci-${{ github.sha }}
+          severity: "HIGH,CRITICAL"
+          exit-code: "1"
+          ignore-unfixed: "true"
+
+  push:
+    runs-on: ubuntu-latest
+    needs: [build, image-scan, secrets-scan, sast, fs-scan]
+    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ${{ secrets.HARBOR_HOST }}
+          username: ${{ secrets.MOVIELOOP_USERNAME }}
+          password: ${{ secrets.MOVIELOOP_PASSWORD }}
+      - uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: ${{ env.IMAGE }}
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=sha,format=long
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: docker/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          cache-from: type=gha

.gitleaks.toml

@@ -0,0 +1,9 @@
+# Gitleaks config for the movieloop backend repo.
+# Inherits the default rule set; allows .env.example by path.
+[extend]
+useDefault = true
+
+[allowlist]
+paths = [
+    '''(^|/)\.env\.example$''',
+]

.semgrepignore

@@ -0,0 +1,6 @@
+node_modules/
+dist/
+generated/prisma/
+coverage/
+test/
+prisma/migrations/

.trivyignore

@@ -0,0 +1,5 @@
+# Suppressed vulnerabilities for movieloop-backend.
+# Format:
+#   CVE-YYYY-NNNNN  # one-line reason — review by YYYY-MM-DD
+#
+# Keep this list short. Each entry should have an owner and a re-review date.

.versionrc.json

@@ -0,0 +1,14 @@
+{
+  "types": [
+    { "type": "feat",     "section": "Features" },
+    { "type": "fix",      "section": "Bug Fixes" },
+    { "type": "perf",     "section": "Performance" },
+    { "type": "refactor", "section": "Refactor" },
+    { "type": "docs",     "hidden": true },
+    { "type": "chore",    "hidden": true },
+    { "type": "test",     "hidden": true },
+    { "type": "ci",       "hidden": true },
+    { "type": "build",    "hidden": true },
+    { "type": "style",    "hidden": true }
+  ]
+}

docker/Dockerfile

@@ -14,5 +14,8 @@ COPY --from=build /app/node_modules ./node_modules
 COPY --from=build /app/package*.json ./
 COPY --from=build /app/prisma ./prisma
 COPY --from=build /app/prisma.config.ts ./prisma.config.ts
+COPY --from=build /app/docker/entrypoint.sh ./docker/entrypoint.sh
+RUN chmod +x ./docker/entrypoint.sh && chown -R node:node /app
+USER node
 EXPOSE 3000
-CMD ["node", "dist/src/main"]
+ENTRYPOINT ["./docker/entrypoint.sh"]

docker/entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+# Entry point for the production backend image.
+# Runs Prisma migrations, then starts Nest. Single-replica deploys only —
+# multi-replica setups should move migrations to a dedicated job/init container.
+set -e
+echo "[entrypoint] prisma migrate deploy"
+npx prisma migrate deploy
+echo "[entrypoint] starting nest"
+exec node dist/src/main

package.json

@@ -1,6 +1,6 @@
 {
   "name": "movie-loop-backend",
-  "version": "0.0.1",
+  "version": "1.0.0",
   "description": "",
   "author": "Kevin Riehl",
   "private": true,
@@ -17,7 +17,11 @@
     "test:watch": "jest --watch",
     "test:cov": "jest --coverage",
     "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
-    "test:e2e": "jest --config ./test/jest-e2e.json"
+    "test:e2e": "jest --config ./test/jest-e2e.json",
+    "release": "commit-and-tag-version",
+    "release:minor": "commit-and-tag-version --release-as minor",
+    "release:major": "commit-and-tag-version --release-as major",
+    "release:dry": "commit-and-tag-version --dry-run"
   },
   "dependencies": {
     "@golevelup/nestjs-rabbitmq": "^7.1.2",
@@ -60,6 +64,7 @@
   "devDependencies": {
     "@eslint/eslintrc": "^3.2.0",
     "@eslint/js": "^9.18.0",
+    "commit-and-tag-version": "^12.5.0",
     "@nestjs/cli": "^11.0.0",
     "@nestjs/schematics": "^11.0.0",
     "@nestjs/testing": "^11.0.1",