diff --git a/.github/workflows/ci.yml b/.gitea/workflows/ci.yml similarity index 74% rename from .github/workflows/ci.yml rename to .gitea/workflows/ci.yml index 5dc66a7..e26c8c9 100644 --- a/.github/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -16,14 +16,15 @@ permissions: security-events: write env: - REGISTRY: ghcr.io + REGISTRY: git.farh.net IMAGE_NAME: cartsnitch/cartsnitch RECEIPTWITNESS_IMAGE_NAME: cartsnitch/receiptwitness API_IMAGE_NAME: cartsnitch/api + AUTH_IMAGE_NAME: cartsnitch/auth jobs: lint: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 @@ -37,7 +38,7 @@ jobs: run: npx tsc --noEmit test: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 @@ -49,7 +50,7 @@ jobs: run: npx vitest run audit: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 @@ -61,7 +62,7 @@ jobs: run: npm audit --audit-level=high e2e: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 @@ -73,7 +74,7 @@ jobs: - run: npx playwright test lighthouse: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest needs: [test] steps: - uses: actions/checkout@v4 @@ -98,7 +99,7 @@ jobs: CHROME_PATH="$CHROME_PATH" lhci autorun --chrome-flags="--headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage" build-and-push: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest if: github.event_name == 'push' needs: [lint, test, e2e] outputs: @@ -133,13 +134,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata id: meta @@ -174,11 +175,7 @@ jobs: only-fixed: "true" output-format: sarif - - name: Upload frontend scan results to GitHub Security - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: ${{ steps.scan.outputs.sarif }} + - name: Push Docker image if: github.event_name == 'push' @@ -198,7 +195,7 @@ jobs: git push origin "v${{ steps.calver.outputs.version }}" build-and-push-receiptwitness: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest if: github.event_name == 'push' needs: [lint, test] outputs: @@ -227,13 +224,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata id: meta @@ -270,11 +267,7 @@ jobs: only-fixed: "true" output-format: sarif - - name: Upload receiptwitness scan results to GitHub Security - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: ${{ steps.scan.outputs.sarif }} + - name: Push Docker image if: github.event_name == 'push' @@ -290,7 +283,7 @@ jobs: cache-from: type=gha build-and-push-api: - runs-on: runners-cartsnitch + runs-on: ubuntu-latest if: github.event_name == 'push' needs: [lint, test] outputs: @@ -319,13 +312,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata (API) id: meta @@ -362,11 +355,7 @@ jobs: only-fixed: "true" output-format: sarif - - name: Upload api scan results to GitHub Security - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: ${{ steps.scan.outputs.sarif }} + - name: Push Docker image if: github.event_name == 'push' @@ -381,25 +370,104 @@ jobs: APT_CACHE_BUST=${{ github.run_id }} cache-from: type=gha + build-and-push-auth: + runs-on: ubuntu-latest + if: github.event_name == 'push' + needs: [lint, test] + outputs: + calver_tag: ${{ steps.calver.outputs.version }} + sha_tag: sha-${{ github.sha }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Generate CalVer tag + id: calver + if: github.event_name == 'push' && github.ref == 'refs/heads/main' + run: | + DATE_TAG=$(date -u +%Y.%m.%d) + EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1) + if [ -z "$EXISTING" ]; then VERSION="$DATE_TAG" + elif [ "$EXISTING" = "v${DATE_TAG}" ]; then VERSION="${DATE_TAG}.2" + else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//"); VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"; fi + echo "version=$VERSION" >> "$GITHUB_OUTPUT" + + - name: Log in to Docker Hub + if: github.event_name == 'push' + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Log in to Gitea registry + if: github.event_name == 'push' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: Extract metadata (auth) + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }} + tags: | + type=sha,prefix=sha-,format=long + type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }} + type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} + + - name: Build Docker image + uses: docker/build-push-action@v6 + with: + context: ./auth + file: ./auth/Dockerfile + load: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + build-args: | + APT_CACHE_BUST=${{ github.run_id }} + cache-from: type=gha + cache-to: type=gha,mode=max + + - name: Scan auth image for vulnerabilities + uses: anchore/scan-action@v5 + id: scan + env: + GRYPE_CONFIG: .grype.yaml + with: + image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}" + fail-build: true + severity-cutoff: high + only-fixed: "true" + output-format: sarif + + + + - name: Push Docker image + if: github.event_name == 'push' + uses: docker/build-push-action@v6 + with: + context: ./auth + file: ./auth/Dockerfile + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + build-args: | + APT_CACHE_BUST=${{ github.run_id }} + cache-from: type=gha + deploy-dev: - runs-on: runners-cartsnitch - needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api] + runs-on: ubuntu-latest + needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api, build-and-push-auth] if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main') steps: - - name: Generate GitHub App token - id: app-token - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ secrets.CARTSNITCH_APP_ID }} - private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: infra - - name: Checkout infra repo uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ steps.app-token.outputs.token }} + token: ${{ secrets.REGISTRY_TOKEN }} ref: main path: infra @@ -422,7 +490,7 @@ jobs: if: needs.build-and-push.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} - name: Determine image tag for receiptwitness id: receiptwitness_tag @@ -437,7 +505,7 @@ jobs: if: needs.build-and-push-receiptwitness.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/receiptwitness=git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} - name: Determine image tag for api id: api_tag @@ -452,38 +520,44 @@ jobs: if: needs.build-and-push-api.result == 'success' run: | cd infra/apps/overlays/dev - kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/api=git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + + - name: Determine image tag for auth + id: auth_tag + run: | + if [ "${{ github.ref }}" == "refs/heads/main" ]; then + echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" + else + echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + fi + + - name: Update auth image tag + if: needs.build-and-push-auth.result == 'success' + run: | + cd infra/apps/overlays/dev + kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} - name: Commit and push to infra run: | cd infra git config user.name "cartsnitch-ci[bot]" - git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" + git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net" git add apps/overlays/dev/kustomization.yaml git diff --cached --quiet && echo "No image changes to deploy" && exit 0 - git commit -m "ci(dev): update cartsnitch, receiptwitness, and api images" + git commit -m "ci(dev): update cartsnitch, receiptwitness, api, and auth images" git pull --rebase origin main git push origin main deploy-uat: - runs-on: runners-cartsnitch - needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api] + runs-on: ubuntu-latest + needs: [build-and-push, build-and-push-receiptwitness, build-and-push-api, build-and-push-auth] if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main') steps: - - name: Generate GitHub App token - id: app-token - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ secrets.CARTSNITCH_APP_ID }} - private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: infra - - name: Checkout infra repo uses: actions/checkout@v4 with: repository: cartsnitch/infra - token: ${{ steps.app-token.outputs.token }} + token: ${{ secrets.REGISTRY_TOKEN }} ref: main path: infra @@ -506,7 +580,7 @@ jobs: if: needs.build-and-push.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image ghcr.io/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }} - name: Determine image tag for receiptwitness id: receiptwitness_tag @@ -521,7 +595,7 @@ jobs: if: needs.build-and-push-receiptwitness.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image ghcr.io/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/receiptwitness=git.farh.net/cartsnitch/receiptwitness:${{ steps.receiptwitness_tag.outputs.tag }} - name: Determine image tag for api id: api_tag @@ -536,15 +610,30 @@ jobs: if: needs.build-and-push-api.result == 'success' run: | cd infra/apps/overlays/uat - kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + kustomize edit set image ghcr.io/cartsnitch/api=git.farh.net/cartsnitch/api:${{ steps.api_tag.outputs.tag }} + + - name: Determine image tag for auth + id: auth_tag + run: | + if [ "${{ github.ref }}" == "refs/heads/main" ]; then + echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" + else + echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + fi + + - name: Update auth image tag + if: needs.build-and-push-auth.result == 'success' + run: | + cd infra/apps/overlays/uat + kustomize edit set image ghcr.io/cartsnitch/auth=git.farh.net/cartsnitch/auth:${{ steps.auth_tag.outputs.tag }} - name: Commit and push to infra run: | cd infra git config user.name "cartsnitch-ci[bot]" - git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" + git config user.email "cartsnitch-ci[bot]@users.noreply.git.farh.net" git add apps/overlays/uat/kustomization.yaml git diff --cached --quiet && echo "No image changes to deploy" && exit 0 - git commit -m "ci(uat): update cartsnitch, receiptwitness, and api images" + git commit -m "ci(uat): update cartsnitch, receiptwitness, api, and auth images" git pull --rebase origin main git push origin main diff --git a/api/.github/workflows/ci.yml b/api/.gitea/workflows/ci.yml similarity index 97% rename from api/.github/workflows/ci.yml rename to api/.gitea/workflows/ci.yml index 5c61bb7..a7855ae 100644 --- a/api/.github/workflows/ci.yml +++ b/api/.gitea/workflows/ci.yml @@ -15,7 +15,7 @@ permissions: packages: write env: - REGISTRY: ghcr.io + REGISTRY: git.farh.net IMAGE_NAME: cartsnitch/api jobs: @@ -130,13 +130,13 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Log in to GHCR + - name: Log in to Gitea registry if: github.event_name == 'push' && github.ref == 'refs/heads/main' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Extract metadata id: meta diff --git a/api/src/cartsnitch_api/main.py b/api/src/cartsnitch_api/main.py index bfd2755..720959c 100644 --- a/api/src/cartsnitch_api/main.py +++ b/api/src/cartsnitch_api/main.py @@ -6,7 +6,6 @@ from fastapi import APIRouter, FastAPI from cartsnitch_api.auth.routes import router as auth_router from cartsnitch_api.cache import cache_client -from cartsnitch_api.database import dispose_engine from cartsnitch_api.middleware.cors import add_cors_middleware from cartsnitch_api.middleware.error_handler import add_error_handlers, add_error_monitor_middleware from cartsnitch_api.middleware.rate_limit import add_rate_limit_middleware diff --git a/auth/tsconfig.json b/auth/tsconfig.json index 764b72a..a1d4e8e 100644 --- a/auth/tsconfig.json +++ b/auth/tsconfig.json @@ -12,5 +12,5 @@ "resolveJsonModule": true }, "include": ["src"], - "exclude": ["node_modules", "dist"] + "exclude": ["node_modules", "dist", "src/__tests__"] } diff --git a/common/.github/workflows/ci.yml b/common/.gitea/workflows/ci.yml similarity index 100% rename from common/.github/workflows/ci.yml rename to common/.gitea/workflows/ci.yml