feat: runtime config, Gitea Actions pipeline, and Harbor push

Runtime config (src/lib/config.ts, src/api/client.ts, src/lib/ws.ts,
index.html, Dockerfile, nginx.conf, docker/):
- New typed getConfig() helper reads window.__APP_CONFIG__ at runtime
  with import.meta.env.VITE_API_URL as a dev-only fallback.
- index.html loads <script src="/config.js"> synchronously before the
  bundle. /config.js is rendered at container start via envsubst on
  docker/config.js.template, populated from the API_URL env var
  (docker/40-render-config.sh runs as part of the official nginx:alpine
  /docker-entrypoint.d sequence).
- Dockerfile drops the VITE_API_URL build arg — one image works across
  all environments now.
- nginx.conf adds Cache-Control: no-store on /config.js so browsers and
  CDNs don't pin stale config.

Pipeline (.gitea/workflows/ci.yml):
- lint, typecheck, gitleaks, semgrep, Trivy fs+image scans, buildx
  build with gha cache, Harbor push gated on `main` or v* tags
- Image tags via metadata-action: :latest (main only), :sha-<full>,
  semver-derived :1.2.3 / :1.2 / :1 from v* tags
- Secrets: HARBOR_HOST, MOVIELOOP_USERNAME, MOVIELOOP_PASSWORD

Versioning (package.json, .versionrc.json):
- Bumped to 1.0.0 baseline
- Added commit-and-tag-version devDep + release scripts. Conventional
  Commits drive bumps; CHANGELOG hides chore/ci/etc.

Scan configs:
- .gitleaks.toml allows .env.example
- .semgrepignore excludes node_modules/, dist/, coverage/, public/
- .trivyignore placeholder with format docs

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -0,0 +1,129 @@
+name: frontend-ci
+
+on:
+  push:
+    branches: ["**"]
+    tags: ["v*"]
+  pull_request:
+
+env:
+  IMAGE: ${{ secrets.HARBOR_HOST }}/movieloop/frontend
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+          cache-dependency-path: package-lock.json
+      - run: npm ci
+      - run: npx eslint .
+
+  typecheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+      - run: npm ci
+      - run: npx tsc -b
+
+  secrets-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+
+  sast:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: returntocorp/semgrep-action@v1
+        with:
+          config: "p/auto"
+
+  fs-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          severity: "HIGH,CRITICAL"
+          exit-code: "1"
+          ignore-unfixed: "true"
+
+  build:
+    runs-on: ubuntu-latest
+    needs: [lint, typecheck]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile
+          target: production
+          tags: movieloop-frontend:ci-${{ github.sha }}
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  image-scan:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile
+          target: production
+          tags: movieloop-frontend:ci-${{ github.sha }}
+          load: true
+          cache-from: type=gha
+      - uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: movieloop-frontend:ci-${{ github.sha }}
+          severity: "HIGH,CRITICAL"
+          exit-code: "1"
+          ignore-unfixed: "true"
+
+  push:
+    runs-on: ubuntu-latest
+    needs: [build, image-scan, secrets-scan, sast, fs-scan]
+    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ${{ secrets.HARBOR_HOST }}
+          username: ${{ secrets.MOVIELOOP_USERNAME }}
+          password: ${{ secrets.MOVIELOOP_PASSWORD }}
+      - uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: ${{ env.IMAGE }}
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=sha,format=long
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile
+          target: production
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          cache-from: type=gha

.gitleaks.toml

@@ -0,0 +1,9 @@
+# Gitleaks config for the movieloop frontend repo.
+# Inherits the default rule set; allows .env.example by path.
+[extend]
+useDefault = true
+
+[allowlist]
+paths = [
+    '''(^|/)\.env\.example$''',
+]

.semgrepignore

@@ -0,0 +1,4 @@
+node_modules/
+dist/
+coverage/
+public/

.trivyignore

@@ -0,0 +1,5 @@
+# Suppressed vulnerabilities for movieloop-frontend.
+# Format:
+#   CVE-YYYY-NNNNN  # one-line reason — review by YYYY-MM-DD
+#
+# Keep this list short. Each entry should have an owner and a re-review date.

.versionrc.json

@@ -0,0 +1,14 @@
+{
+  "types": [
+    { "type": "feat",     "section": "Features" },
+    { "type": "fix",      "section": "Bug Fixes" },
+    { "type": "perf",     "section": "Performance" },
+    { "type": "refactor", "section": "Refactor" },
+    { "type": "docs",     "hidden": true },
+    { "type": "chore",    "hidden": true },
+    { "type": "test",     "hidden": true },
+    { "type": "ci",       "hidden": true },
+    { "type": "build",    "hidden": true },
+    { "type": "style",    "hidden": true }
+  ]
+}

Dockerfile

@@ -8,10 +8,10 @@ EXPOSE 5173
 CMD ["npm", "run", "dev", "--", "--host"]
 
 # --- Build stage ---
+# No VITE_API_URL build arg: the production image uses runtime config (/config.js)
+# rendered at container startup. See docker/40-render-config.sh.
 FROM node:22-alpine AS build
 WORKDIR /app
-ARG VITE_API_URL
-ENV VITE_API_URL=$VITE_API_URL
 COPY package*.json ./
 RUN npm ci
 COPY . .
@@ -19,7 +19,11 @@ RUN npm run build
 
 # --- Production stage ---
 FROM nginx:alpine AS production
+RUN apk add --no-cache gettext
 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
+COPY docker/config.js.template /etc/nginx/templates/config.js.template
+COPY docker/40-render-config.sh /docker-entrypoint.d/40-render-config.sh
+RUN chmod +x /docker-entrypoint.d/40-render-config.sh
 EXPOSE 80
-CMD ["nginx", "-g", "daemon off;"]
+# nginx:alpine's upstream entrypoint runs /docker-entrypoint.d/*.sh then launches nginx.

docker/40-render-config.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+# Render /config.js from the env var API_URL at container start.
+# Runs as part of the official nginx:alpine /docker-entrypoint.d sequence,
+# so nginx itself is launched by the upstream entrypoint after this script.
+set -e
+: "${API_URL:=/api/v1}"
+export API_URL
+envsubst < /etc/nginx/templates/config.js.template > /usr/share/nginx/html/config.js
+echo "[config] API_URL=${API_URL} -> /config.js"

docker/config.js.template

@@ -0,0 +1 @@
+window.__APP_CONFIG__ = { apiUrl: "${API_URL}" };

index.html

@@ -29,6 +29,7 @@
       })();
     </script>
     <div id="root"></div>
+    <script src="/config.js"></script>
     <script type="module" src="/src/main.tsx"></script>
   </body>
 </html>

nginx.conf

@@ -21,6 +21,12 @@ server {
         add_header Cache-Control "public, immutable";
     }
 
+    # Runtime config — rendered fresh on each container start. Never cache.
+    location = /config.js {
+        add_header Cache-Control "no-store" always;
+        try_files /config.js =404;
+    }
+
     # SPA fallback — serve index.html for all non-file routes
     location / {
         try_files $uri $uri/ /index.html;

package.json

@@ -1,7 +1,7 @@
 {
   "name": "frontend-temp",
   "private": true,
-  "version": "0.0.0",
+  "version": "1.0.0",
   "type": "module",
   "license": "MIT",
   "author": "Kevin Riehl",
@@ -9,7 +9,11 @@
     "dev": "vite",
     "build": "tsc -b && vite build",
     "lint": "eslint .",
-    "preview": "vite preview"
+    "preview": "vite preview",
+    "release": "commit-and-tag-version",
+    "release:minor": "commit-and-tag-version --release-as minor",
+    "release:major": "commit-and-tag-version --release-as major",
+    "release:dry": "commit-and-tag-version --dry-run"
   },
   "dependencies": {
     "@base-ui/react": "^1.2.0",
@@ -32,6 +36,7 @@
   },
   "devDependencies": {
     "@eslint/js": "^9.39.1",
+    "commit-and-tag-version": "^12.5.0",
     "@types/node": "^24.10.1",
     "@types/react": "^19.2.7",
     "@types/react-dom": "^19.2.3",

src/api/client.ts

@@ -1,8 +1,9 @@
 import axios from 'axios';
 import { storage } from '@/lib/storage';
+import { config } from '@/lib/config';
 
 const apiClient = axios.create({
-  baseURL: import.meta.env.VITE_API_URL || '/api/v1',
+  baseURL: config.apiUrl,
   timeout: 30000,
   headers: {
     'Content-Type': 'application/json',

src/lib/config.ts

@@ -0,0 +1,15 @@
+declare global {
+  interface Window {
+    __APP_CONFIG__?: AppConfig;
+  }
+}
+
+export interface AppConfig {
+  apiUrl: string;
+}
+
+const fallback: AppConfig = {
+  apiUrl: (import.meta.env.VITE_API_URL as string | undefined) ?? '/api/v1',
+};
+
+export const config: AppConfig = window.__APP_CONFIG__ ?? fallback;

src/lib/ws.ts

@@ -1,6 +1,9 @@
+import { config } from '@/lib/config';
+
 export function getWsUrl(namespace: string): string {
-  const apiUrl = import.meta.env.VITE_API_URL;
+  const apiUrl = config.apiUrl;
-  if (!apiUrl) return namespace;
+  // Relative URL (e.g. "/api/v1") — return namespace as-is for same-origin connect
+  if (!apiUrl || apiUrl.startsWith('/')) return namespace;
   const origin = apiUrl.replace(/\/api\/v1\/?$/, '');
   return `${origin}${namespace}`;
 }