Merge pull request #8 from getlarge/chore-setup-nodesecure

chore: setup nodesecure

.github/workflows/ci.yml

@@ -37,8 +37,8 @@ jobs:
 
       # --require-explicit-completion because Nx agents might not receive tasks for more than 30 seconds when preparing the e2e test environment
       # @see https://nx.dev/ci/troubleshooting/ci-execution-failed#the-nx-cloud-heartbeat-process-failed-to-report-its-status-in-time
-      - run: npx nx-cloud start-ci-run --distribute-on="3 linux-small-js" --stop-agents-after="e2e-ci" --require-explicit-completion --with-env-vars="DOTENV_PRIVATE_KEY_CI,POSTGRES_DB,POSTGRES_URL"
-        if: ${{ env.NX_CLOUD_DISTRIBUTED_EXECUTION == 'true' }}
+      - run: npx nx-cloud start-ci-run --distribute-on="3 linux-small-js" --require-explicit-completion --with-env-vars="DOTENV_PRIVATE_KEY_CI,POSTGRES_DB,POSTGRES_URL"
+        if: env.NX_CLOUD_DISTRIBUTED_EXECUTION == 'true'
 
       - uses: actions/setup-node@v4
         with:
@@ -57,7 +57,7 @@ jobs:
       - run: npx nx format:check
 
       - run: npx nx affected -t lint test build
-        if: ${{ !env.ACT }}
+        if: env.ACT != 'true'
 
       - run: |
           npm run ory:generate:kratos -- -e .env.ci
@@ -68,28 +68,34 @@ jobs:
       - run: npx nx run cat-fostering-api:container --skip-nx-cache --no-agents --platforms=linux/amd64 --load=true --push=false --tags='ghcr.io/getlarge/cat-fostering/cat-fostering-api:${{ env.DOCKER_API_TAG }}'
 
       #  can't use --wait --wait-timeout N options since Keto and Kratos migrate containers will exit before the Keto and Kratos services are ready
-      - run: npx @dotenvx/dotenvx run -- docker compose --profile ci -p cat-fostering up -d
+      - run: npx dotenvx run -- docker compose --profile ci -p cat-fostering up -d
         env:
           DOCKER_API_TAG: ${{ env.DOCKER_API_TAG }}
 
       - run: sleep 10
 
       # Prepend any command with "nx-cloud record --" to record its logs to Nx Cloud
-      - run: npx nx-cloud record -- docker ps
-      - run: npx nx-cloud record -- docker compose -p cat-fostering logs keto -n 500
-      - run: npx nx-cloud record -- docker compose -p cat-fostering logs kratos -n 500
-
-      - name: Run e2e tests
-        run: npx nx affected -t e2e --no-agents
-        # if: ${{ env.NX_CLOUD_DISTRIBUTED_EXECUTION == 'false' }}
+      - run: |
+          npx nx-cloud record -- docker ps
+          npx nx-cloud record -- docker compose -p cat-fostering logs keto -n 500
+          npx nx-cloud record -- docker compose -p cat-fostering logs kratos -n 500
 
       # to enable DTE for e2e tests splitting, use the following command instead and set stop-agents-after="e2e-ci"
       # - name: Run distributed e2e tests
       #   run: |
       #     npm run pg:create:connection -- -e .env.ci
       #     docker compose -p cat-fostering restart api
       #     npx nx affected -t e2e-ci
-      #   if: ${{ env.NX_CLOUD_DISTRIBUTED_EXECUTION == 'true' }}
+      #   if: env.NX_CLOUD_DISTRIBUTED_EXECUTION == 'true'
 
       - run: npx nx-cloud complete-ci-run
-        if: always() && ${{ env.NX_CLOUD_DISTRIBUTED_EXECUTION == 'true' }}
+        if: always() && env.NX_CLOUD_DISTRIBUTED_EXECUTION != 'false'
+
+      - name: Run e2e tests
+        run: npx nx affected -t e2e --no-agents
+        # if: ${{ env.NX_CLOUD_DISTRIBUTED_EXECUTION == 'false' }}
+
+      - if: failure()
+        run: |
+          npx nx-cloud record -- docker compose -p cat-fostering logs api -n 200
+          npx nx-cloud record -- docker compose -p cat-fostering logs kratos -n 200

.gitignore

@@ -46,9 +46,10 @@ Thumbs.db
 .env*
 .env.keys
 .flaskenv*
-!*.env.example*
+!*.env.example
 !.env.project
 !.env.vault
 !.env.ci
+.env.example.thunderclient
 
 .angular

.husky/pre-commit

@@ -1,2 +1,3 @@
 [ -n "$CI" ] && exit 0
 npx lint-staged --concurrent false --relative
+npx dotenvx ext precommit

.nodesecureignore

@@ -0,0 +1,11 @@
+{
+  "warnings": {
+    "unsafe-regex": [
+      "class-validator",
+      "validator"
+    ],
+    " unsafe-import": [
+      "pino"
+    ]
+  }
+}

Makefile

@@ -5,7 +5,7 @@ ci: ## Run CI workflow defined in GitHub Actions CI workflow.
 
   # export GITHUB_TOKEN=$(gh auth token)
   # export DOTENV_PRIVATE_KEY_CI=$(cat .env.keys | grep DOTENV_PRIVATE_KEY_CI | cut -d '=' -f2 | tr -d '"')
-	@act push --container-daemon-socket="unix:///var/run/docker.sock" --bind --env-file='' --var NX_CLOUD_DISTRIBUTED_EXECUTION=true -s GITHUB_TOKEN="${GITHUB_TOKEN}" -s DOTENV_PRIVATE_KEY_CI=${DOTENV_PRIVATE_KEY_CI} --pull=true -e github_event.tmp
+	@act push --container-daemon-socket="unix:///var/run/docker.sock" --bind --env-file='' --var NX_CLOUD_DISTRIBUTED_EXECUTION=${NX_CLOUD_DISTRIBUTED_EXECUTION:-false} -s GITHUB_TOKEN="${GITHUB_TOKEN}" -s DOTENV_PRIVATE_KEY_CI=${DOTENV_PRIVATE_KEY_CI} --pull=true -e github_event.tmp
 	@rm -f github_event.tmp
 
 

apps/cat-fostering-api-e2e/src/cat-fostering-api/fostering.spec.ts

@@ -30,7 +30,7 @@ describe('E2E Fostering Requests API tests', () => {
       email: 'nobody@test.it',
       password: 'p4s$worD!',
     });
-  }, 15000);
+  }, 20000);
 
   describe('POST /api/fostering', () => {
     it('should create a fostering request', async () => {

apps/cat-fostering-api/.gitignore

@@ -2,4 +2,5 @@
 .env*
 .flaskenv*
 !.env.project
-!.env.vault
+!.env.vault
+package-lock.json

apps/cat-fostering-api/Dockerfile

@@ -1,5 +1,5 @@
-# Build the docker image with `npx nx docker-build cat-fostering-api`.
-# Tip: Modify "docker-build" options in project.json to change docker build args.
+# Build the docker image with `npx nx run cat-fostering-api:container`.
+# Tip: Modify "container" options in project.json to change docker build args.
 #
 # Run the container with `docker run -e ORY_ACTION_API_KEY='hello' -e POSTGRES_URL='postgres://dbuser:secret@postgres:5432/appdb' --network cat-fostering_ory -p 3000:3000 -t ghcr.io/getlarge/cat-fostering/cat-fostering-api:latest`.
 
@@ -12,7 +12,7 @@ WORKDIR /app
 
 RUN echo "Building cat-fostering-api image with NODE_VERSION=$NODE_VERSION"
 
-COPY ./apps/cat-fostering-api/package*.json ./
+COPY ./dist/apps/cat-fostering-api/package*.json ./
 
 RUN npm install --omit=dev -f --loglevel=error
 RUN curl -sf https://gobinaries.com/tj/node-prune | sh

apps/cat-fostering-api/package.json

@@ -9,14 +9,14 @@
     "@nestjs/platform-express": "^10.0.2",
     "@nestjs/swagger": "^7.3.1",
     "@nestjs/typeorm": "^10.0.2",
-    "@ory/client": "1.9.0",
+    "@ory/client": "1.14.3",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.1",
     "express": "4.19.2",
     "nestjs-pino": "^4.0.0",
     "typeorm": "^0.3.20",
     "pg": "^8.11.5",
-    "validator": "13.11.0",
+    "validator": "13.12.0",
     "@nestjs/devtools-integration": "0.1.6"
   }
 }

apps/cat-fostering-api/project.json

@@ -5,7 +5,7 @@
   "projectType": "application",
   "tags": ["type:app", "platform:node"],
   "namedInputs": {
-    "dockerFiles": ["{projectRoot}/Dockerfile"]
+    "dockerFiles": ["{projectRoot}/Dockerfile", "{projectRoot}/package.json"]
   },
   "targets": {
     "serve": {
@@ -50,6 +50,7 @@
         "dockerFiles",
         { "dependentTasksOutputFiles": "**/dist/**/*", "transitive": true }
       ],
+      "cache": true,
       "dependsOn": ["lint", "build"],
       "options": {
         "file": "apps/cat-fostering-api/Dockerfile",
@@ -59,14 +60,39 @@
         "build-args": ["APP_NAME=cat-fostering-api", "NODE_VERSION=20.9.0"]
       }
     },
-    "docker-build": {
+    "generate-lock-file": {
+      "inputs": ["{projectRoot}/package.json"],
+      "outputs": ["{projectRoot}/package-lock.json"],
+      "dependsOn": [
+        {
+          "target": "lint",
+          "params": "forward"
+        }
+      ],
       "cache": true,
-      "dependsOn": ["lint", "build"],
+      "command": "npm i --prefix apps/cat-fostering-api --package-lock-only",
+      "metadata": {
+        "description": "Generate NPM lock file"
+      }
+    },
+    "nsci": {
       "inputs": [
-        "dockerFiles",
-        { "dependentTasksOutputFiles": "**/dist/**/*", "transitive": true }
+        "{workspaceRoot}/.nodesecurerc",
+        "{workspaceRoot}/.nodesecureignore",
+        {
+          "dependentTasksOutputFiles": "apps/cat-fostering-api/package-lock.json"
+        }
       ],
-      "command": "docker build -f apps/cat-fostering-api/Dockerfile . -t ghcr.io/getlarge/cat-fostering/cat-fostering-api:dev"
+      "dependsOn": ["generate-lock-file", "build"],
+      "cache": true,
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "npx nsci --directory=dist/apps/cat-fostering-api --strategy=npm --vulnerabilities=medium run",
+        "forwardAllArgs": true
+      },
+      "metadata": {
+        "description": "Run the NodeSecure CI analysis"
+      }
     }
   }
 }

apps/cat-fostering-api/webpack.config.js

@@ -14,7 +14,14 @@ module.exports = {
       compiler: 'tsc',
       main: './src/main.ts',
       tsConfig: './tsconfig.app.json',
-      assets: ['./src/assets'],
+      assets: [
+        './src/assets',
+        {
+          input: './',
+          glob: './package*.json',
+          output: '.',
+        },
+      ],
       optimization: false,
       outputHashing: 'none',
       transformers: [