TehRiehlDeal
a0d76bc958
frontend-ci / lint (push) Successful in 15s
frontend-ci / typecheck (push) Successful in 14s
frontend-ci / secrets-scan (push) Failing after 4s
frontend-ci / sast (push) Successful in 7s
frontend-ci / fs-scan (push) Failing after 1m27s
frontend-ci / image-scan (push) Has been cancelled
frontend-ci / push (push) Has been cancelled
frontend-ci / build (push) Has been cancelled
Runtime config (src/lib/config.ts, src/api/client.ts, src/lib/ws.ts, index.html, Dockerfile, nginx.conf, docker/): - New typed getConfig() helper reads window.__APP_CONFIG__ at runtime with import.meta.env.VITE_API_URL as a dev-only fallback. - index.html loads <script src="/config.js"> synchronously before the bundle. /config.js is rendered at container start via envsubst on docker/config.js.template, populated from the API_URL env var (docker/40-render-config.sh runs as part of the official nginx:alpine /docker-entrypoint.d sequence). - Dockerfile drops the VITE_API_URL build arg — one image works across all environments now. - nginx.conf adds Cache-Control: no-store on /config.js so browsers and CDNs don't pin stale config. Pipeline (.gitea/workflows/ci.yml): - lint, typecheck, gitleaks, semgrep, Trivy fs+image scans, buildx build with gha cache, Harbor push gated on `main` or v* tags - Image tags via metadata-action: :latest (main only), :sha-<full>, semver-derived :1.2.3 / :1.2 / :1 from v* tags - Secrets: HARBOR_HOST, MOVIELOOP_USERNAME, MOVIELOOP_PASSWORD Versioning (package.json, .versionrc.json): - Bumped to 1.0.0 baseline - Added commit-and-tag-version devDep + release scripts. Conventional Commits drive bumps; CHANGELOG hides chore/ci/etc. Scan configs: - .gitleaks.toml allows .env.example - .semgrepignore excludes node_modules/, dist/, coverage/, public/ - .trivyignore placeholder with format docs Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
130 lines
3.3 KiB
YAML
130 lines
3.3 KiB
YAML
name: frontend-ci
|
|
|
|
on:
|
|
push:
|
|
branches: ["**"]
|
|
tags: ["v*"]
|
|
pull_request:
|
|
|
|
env:
|
|
IMAGE: ${{ secrets.HARBOR_HOST }}/movieloop/frontend
|
|
|
|
jobs:
|
|
lint:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: npm
|
|
cache-dependency-path: package-lock.json
|
|
- run: npm ci
|
|
- run: npx eslint .
|
|
|
|
typecheck:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: npm
|
|
- run: npm ci
|
|
- run: npx tsc -b
|
|
|
|
secrets-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
- uses: gitleaks/gitleaks-action@v2
|
|
|
|
sast:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: returntocorp/semgrep-action@v1
|
|
with:
|
|
config: "p/auto"
|
|
|
|
fs-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: fs
|
|
severity: "HIGH,CRITICAL"
|
|
exit-code: "1"
|
|
ignore-unfixed: "true"
|
|
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
needs: [lint, typecheck]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: docker/setup-buildx-action@v3
|
|
- uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: Dockerfile
|
|
target: production
|
|
tags: movieloop-frontend:ci-${{ github.sha }}
|
|
load: true
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
image-scan:
|
|
runs-on: ubuntu-latest
|
|
needs: [build]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: docker/setup-buildx-action@v3
|
|
- uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: Dockerfile
|
|
target: production
|
|
tags: movieloop-frontend:ci-${{ github.sha }}
|
|
load: true
|
|
cache-from: type=gha
|
|
- uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: movieloop-frontend:ci-${{ github.sha }}
|
|
severity: "HIGH,CRITICAL"
|
|
exit-code: "1"
|
|
ignore-unfixed: "true"
|
|
|
|
push:
|
|
runs-on: ubuntu-latest
|
|
needs: [build, image-scan, secrets-scan, sast, fs-scan]
|
|
if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: docker/setup-buildx-action@v3
|
|
- uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ secrets.HARBOR_HOST }}
|
|
username: ${{ secrets.MOVIELOOP_USERNAME }}
|
|
password: ${{ secrets.MOVIELOOP_PASSWORD }}
|
|
- uses: docker/metadata-action@v5
|
|
id: meta
|
|
with:
|
|
images: ${{ env.IMAGE }}
|
|
tags: |
|
|
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
|
|
type=sha,format=long
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=semver,pattern={{major}}
|
|
- uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: Dockerfile
|
|
target: production
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
cache-from: type=gha
|