Correções de violações de acessibilidade com alto impacto

.dockerignore

@@ -1,2 +1,4 @@
 dev
 var/*/*
+node_modules
+vendor

.env.sample

@@ -0,0 +1,38 @@
+PORT=80
+BUILD_ASSETS=0
+DATABASE_URL=postgresql://mapas:mapas@database:5432/mapas?serverVersion=14&charset=utf8
+DATADIR=/opt/postgres/data
+GOOGLE_RECAPTCHA_SECRET=6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe
+GOOGLE_RECAPTCHA_SITEKEY=6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
+JOBS_INTERVAL=5
+MAILER_FROM=sysadmin@localhost
+MAILER_TRANSPORT=smtp://mailhog:1025
+MC_UPDATES_PROCESSES=1
+NUM_PROCESSES=1
+PENDING_PCACHE_RECREATION_INTERVAL=5
+POSTGRES_DB=mapas
+POSTGRES_PASSWORD=mapas
+POSTGRES_USER=mapas
+PWA_UPSTREAM=pwa:3000
+#REDIS_CACHE=redis://redis:6379
+SERVER_NAME=http://
+SESSIONS_SAVE_PATH=/app/var/sessions
+TRUSTED_HOSTS=^${SERVER_NAME:-example\.com|localhost} | php$$
+TRUSTED_PROXIES=127.0.0.0/8,10.0.0.0/8,172.17.0.0/12,192.168.0.0/16
+DB_HOST=database
+APP_ENV=development
+XDEBUG_MODE=off
+APP_MODE=development
+# APP_RUNTIME=Runtime\\FrankenPhpSymfony\\Runtime
+NIXPACKS_PHP_ROOT_DIR=/app/public
+NIXPACKS_PHP_FALLBACK_PATH=/index.php
+
+SITE_NAME=Mapas v7
+SITE_DESCRIPTION=Mapas Culturais é uma plataforma colaborativa que reúne informações sobre agentes, espaços, eventos e projetos culturais, fornecendo ao poder público uma radiografia da área de cultura e ao cidadão um mapa de espaços e eventos culturais da região. A plataforma está alinhada ao Sistema Nacional de Informação e Indicadores Culturais do Ministério da Cultura (SNIIC) e contribui para a realização de alguns dos objetivos do Plano Nacional de Cultura.
+LOGO_TITLE=
+LOGO_SUBTITLE=
+LOGO_IMAGE=
+AUTH_EMAIL_IMAGE=
+AUTH_LOGIN_ON_REGISTER=true
+STATUS_CREATE_AGENT=1
+AUTH_LOGIN_BY_CPF=false

.github/workflows/ci.yml

@@ -1,18 +1,26 @@
 name: ci
-
 on:
   push:
     branches:
-      - "master"
-      - "develop"
+      - "feature*"
     tags:
       - "v*.*.*"
   pull_request:
     branches:
       - "develop"
+  workflow_dispatch:
 
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  security-events: write
+  actions: read
+  checks: read
+  statuses: read
+
 jobs:
-  docker:
+  CODE_PUBLISH:
     runs-on: ubuntu-latest
     steps:
       -
@@ -23,44 +31,169 @@ jobs:
         id: meta
         uses: docker/metadata-action@v4
         with:
-          # list of Docker images to use as base name for tags
           images: |
-            docker.io/hacklab/mapasculturais 
-          # ghcr.io/username/app
-          # generate Docker tags based on the following events/attributes
+            ghcr.io/redemapas/mapas 
           tags: |
+            type=raw,value=latest,enable=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }}
             type=ref,event=branch
+            type=raw,value=pr-${{ github.event.pull_request.number }}
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
+            type=sha
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
-      -
-        name: Login to Docker Hub
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
       # -
-      #   name: Login to GHCR
+      #   name: Login to Docker Hub
       #   if: github.event_name != 'pull_request'
       #   uses: docker/login-action@v2
       #   with:
-      #     registry: ghcr.io
-      #     username: ${{ github.repository_owner }}
-      #     password: ${{ secrets.GITHUB_TOKEN }}
+      #     username: ${{ secrets.DOCKERHUB_USERNAME }}
+      #     password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Login to GHCR
+        # if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Build and push
         uses: docker/build-push-action@v4
         with:
-          file: ./docker/Dockerfile
-          context: .
-          push: ${{ github.event_name != 'pull_request' }}
+          file: .nixpacks/Dockerfile
+          platforms: linux/amd64
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  CODE_STYLE_FIXER:
+    name: CODE STYLE CS FIXER
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Run PHP-CS-Fixer
+        uses: erkenes/php-cs-fixer-action@main
+        with:
+          args: '--dry-run --diff -vvv'
+
+  CODE_STYLE_PSALM:
+    name: CODE SECURITY
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Run Psalm
+        uses: docker://ghcr.io/psalm/psalm-github-actions
+        with:
+          composer_require_dev: true
+          composer_ignore_platform_reqs: true
+          security_analysis: true
+          report_file: results.sarif
+      - name: Upload Security Analysis results to GitHub
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: results.sarif
+
+  CODE_TESTS:
+    name: CODE TESTS
+    timeout-minutes: 15
+    runs-on: ubuntu-latest
+    steps:
+      - name: Baixando codigo
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      # See https://github.com/pnpm/action-setup
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+      # See https://github.com/actions/setup-node
+      - name: Install Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'pnpm'
+          # cache-dependency-path: ./pnpm-lock.yaml
+      - run: pnpm i
+      - run: pnpm run build
+      - name: Configuração de valores padrões
+        run: |
+            cp .env.sample .env
+
+      - uses: hoverkraft-tech/compose-action@v1.5.1
+        with:
+          compose-file: |
+            docker-compose.yml
+            docker-compose.dev.yml
+          services: "backend"
+          up-flags: "-d --wait"
+          down-flags: "-v"
+
+      - name: Atualização da estrutura do banco de dados
+        run: |
+          make db-restore
+          make init
+          make init_dev
+          make db-migrations
+        env:
+          APP_MODE: development
+
+      - name: Testes Unitários com PhpUnit
+        run: |
+          make test-backend
+
+      - name: Upload to Codecov
+        uses: codecov/codecov-action@v2
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./coverage.xml
+          verbose: true
+
+      # - name: Testes de integração com Cypress
+      #   uses: cypress-io/github-action@v6
+      #   with:
+      #     config: '{"e2e":{"viewportWidth":375,"viewportHeight":667}}'
+      #     wait-on: "http://localhost:4242"
+      #     wait-on-timeout: 120
+      #     browser: chrome
+      #     # record: false
+      #     # parallel: true
+      #     # group: "UI - Chrome - Mobile"
+      #     config-file: cypress/cypress.config.js
+      #   env:
+      #     # CYPRESS_PROJECT_ID: ${{ secrets.CYPRESS_PROJECT_ID }}
+      #     # CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }}
+      #     # Recommended: pass the GitHub token lets this action correctly
+      #     # determine the unique run id necessary to re-run the checks
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #
+      # - name: Save build folder
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: screenshots
+      #     if-no-files-found: error
+      #     path: src/cypress/screenshots
+    # - name: Install composer and dependencies
+    #   uses: php-actions/composer@v6
+    #   with:
+    #     php_extensions: pdo_pgsql zip intl gd mbstring curl xml
 
+    # - name: PHPUnit Tests Mapas
+    #   uses: php-actions/phpunit@v3
+    #   env:
+    #     XDEBUG_MODE: coverage
+    #   with:
+    #     version: 10.5
+    #     php_version: 8.2
+    #     configuration: phpunit.xml
+    #     php_extensions: pdo_pgsql zip intl gd mbstring curl xml

.gitignore

@@ -12,3 +12,7 @@ src/themes/BaseV1/assets/css/main.css
 src/themes/BaseV1/assets/css/main.css.map
 **/.env
 !/dev/.env
+.phpunit*
+*.phar
+*.php-cs-fixer.cache
+*coverage.xml

.nixpacks/Dockerfile

@@ -0,0 +1,35 @@
+FROM ghcr.io/railwayapp/nixpacks:ubuntu-1727136237
+
+ENTRYPOINT ["/bin/bash", "-l", "-c"]
+WORKDIR /app/
+
+
+COPY .nixpacks/nixpkgs-dbc4f15b899ac77a8d408d8e0f89fa9c0c5f2b78.nix .nixpacks/nixpkgs-dbc4f15b899ac77a8d408d8e0f89fa9c0c5f2b78.nix
+RUN nix-env -if .nixpacks/nixpkgs-dbc4f15b899ac77a8d408d8e0f89fa9c0c5f2b78.nix && nix-collect-garbage -d
+
+COPY .nixpacks/assets /assets/
+ARG NIXPACKS_METADATA NIXPACKS_PHP_FALLBACK_PATH NIXPACKS_PHP_ROOT_DIR PORT POST_MAX_SIZE UPLOAD_MAX_FILESIZE
+ENV NIXPACKS_METADATA=$NIXPACKS_METADATA NIXPACKS_PHP_FALLBACK_PATH=$NIXPACKS_PHP_FALLBACK_PATH NIXPACKS_PHP_ROOT_DIR=$NIXPACKS_PHP_ROOT_DIR PORT=$PORT POST_MAX_SIZE=$POST_MAX_SIZE UPLOAD_MAX_FILESIZE=$UPLOAD_MAX_FILESIZE
+
+# setup phase
+COPY . /app/.
+RUN PHP_INI_PATH=$(php --ini | grep "Additional .ini files parsed:" | cut -d: -f2 | tr -d " "); echo "PHP_INI_PATH is $PHP_INI_PATH"; echo "upload_max_filesize=128M" >> $PHP_INI_PATH; echo "post_max_size=128M" >> $PHP_INI_PATH; echo "Content of php.ini below:"; cat "$PHP_INI_PATH"
+
+# install phase
+COPY . /app/.
+RUN  mkdir -p /var/log/nginx && mkdir -p /var/cache/nginx
+RUN  composer install --ignore-platform-reqs
+RUN  pnpm i --frozen-lockfile
+
+# build phase
+COPY . /app/.
+RUN  pnpm run build
+
+
+
+
+
+# start
+COPY . /app
+CMD ["node /assets/scripts/prestart.mjs /assets/nginx.template.conf /nginx.conf && (php-fpm -y /assets/php-fpm.conf & nginx -c /nginx.conf)"]
+

.nixpacks/assets/nginx.template.conf

@@ -0,0 +1,73 @@
+worker_processes 5;
+daemon off;
+
+worker_rlimit_nofile 8192;
+
+events {
+  worker_connections  4096;  # Default: 1024
+}
+
+http {
+    include    $!{nginx}/conf/mime.types;
+    index    index.html index.htm index.php;
+
+    default_type application/octet-stream;
+    log_format   main '$remote_addr - $remote_user [$time_local]  $status '
+        '"$request" $body_bytes_sent "$http_referer" '
+        '"$http_user_agent" "$http_x_forwarded_for"';
+    access_log /dev/stdout;
+    error_log /dev/stdout;
+    sendfile     on;
+    tcp_nopush   on;
+    server_names_hash_bucket_size 128; # this seems to be required for some vhosts
+    client_max_body_size 128M;
+
+    server {
+        listen ${PORT};
+        listen [::]:${PORT};
+        server_name localhost;
+
+        $if(NIXPACKS_PHP_ROOT_DIR) (
+            root ${NIXPACKS_PHP_ROOT_DIR};
+        ) else (
+            root /app;
+        )
+
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header X-Content-Type-Options "nosniff";
+
+        index index.php;
+
+        charset utf-8;
+
+        $if(IS_LARAVEL) (
+            location / {
+                try_files $uri $uri/ /index.php?$query_string;
+            }
+        ) else ()
+
+        $if(NIXPACKS_PHP_FALLBACK_PATH) (
+          location / {
+            try_files $uri $uri/ ${NIXPACKS_PHP_FALLBACK_PATH}?$query_string;
+          }
+        ) else ()
+
+        location = /favicon.ico { access_log off; log_not_found off; }
+        location = /robots.txt  { access_log off; log_not_found off; }
+
+        $if(IS_LARAVEL) (
+            error_page 404 /index.php;
+        ) else ()
+
+        location ~ \.php$ {
+            fastcgi_pass 127.0.0.1:9000;
+            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+            include $!{nginx}/conf/fastcgi_params;
+            include $!{nginx}/conf/fastcgi.conf;
+        }
+
+        location ~ /\.(?!well-known).* {
+            deny all;
+        }
+    }
+}

.nixpacks/assets/php-fpm.conf

@@ -0,0 +1,10 @@
+[www]
+listen = 127.0.0.1:9000
+user = nobody
+pm = dynamic
+pm.max_children = 50
+pm.min_spare_servers = 4
+pm.max_spare_servers = 32
+pm.start_servers = 18
+clear_env = no
+catch_workers_output = yes