Project Bootstrap & Infrastructure Setup (OP#693) #1

Merged
Gravity Bot merged 4 commits from feature/693-project-bootstrap into main 2026-02-16 16:42:18 +00:00

Summary

  • OP#694: Configured Forgejo repo settings (branch protections, external issue tracker with OP# pattern, collaborators, labels)
  • OP#695: Created CI/CD pipeline with build, test, and lint jobs for backend (Go) and frontend (Node.js)
  • OP#696: Added build-time version injection to health endpoint via ldflags, fixed pre-existing broken package declaration in calculator.go
  • OP#697: Added production compose overlay for pulling published container images from Forgejo registry
  • OP#702: Added security scanning — govulncheck (Go), npm audit (Node.js), Trivy container image scanning
  • OP#699: Documented the Next.js RCE cryptominer incident in the OpenProject wiki
  • OP#698: Set up OpenProject board, sidebar queries, and done statuses
  • OP#700: Verified all infrastructure locally (tests pass, compose validates, protections confirmed)

Verification

  • CI pipeline triggers and passes on this PR
  • Branch protection prevents direct push to main
  • OP# references in commits render as clickable links in Forgejo
  • Version endpoint returns injected version after merge + tag

Links

  • Epic: OP#693 (https://project.bros.ninja/work_packages/693)
  • Board: Main Kanban (https://project.bros.ninja/projects/10/boards)
  • Wiki: Incident Post-Mortem (https://project.bros.ninja/projects/10/wiki/incidents)

CI workflow (on push to main and PRs):
- backend-lint: go vet
- backend-test: go test with race detector
- frontend-build: npm ci, lint, build

Publish workflow (on version tag push):
- Build and push backend/frontend container images to
  Forgejo registry with version, latest, and SHA tags

Closes OP#695

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add Version variable to health handler, set via ldflags at build time
- Update Dockerfile to accept VERSION build arg and pass to ldflags
- Update publish workflow to pass version tag to Docker build
- Fix pre-existing missing package declaration in calculator.go

Closes OP#696

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CI pipeline additions:
- backend-security: govulncheck for Go vulnerability database
- frontend-security: npm audit (high+ severity, omit dev deps)

Publish pipeline additions:
- Trivy container image scan on both backend and frontend images
  before pushing to registry (fails on CRITICAL severity)

Prevents incidents like the Next.js RCE (GHSA-9qr9-h5gf-34mp)
from reaching production undetected.

Closes OP#702

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
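The publish-side ordering that the OP#696 and OP#702 messages describe (build with the tag injected as VERSION, scan the local image, push only if the scan is clean), as an added example workflow that is not one of the PR's own files. The registry host, directory layout, runner label, secret name and the exact `-X` package path are assumptions, marked in the comments.

```yaml
# Constructed example: .forgejo/workflows/publish.yml (hypothetical path).
# Assumed: Dockerfiles in backend/ and frontend/, a runner labelled "docker"
# whose image has docker and trivy installed, and a repo secret REGISTRY_TOKEN.
on:
  push:
    tags: ["v*"]

jobs:
  publish:
    runs-on: docker
    env:
      REGISTRY: forgejo.example.invalid          # placeholder Forgejo host
      OWNER: ${{ github.repository_owner }}
      VERSION: ${{ github.ref_name }}            # the pushed tag, e.g. v1.2.0
    steps:
      - uses: actions/checkout@v4

      - name: Build both images with the tag baked in as VERSION
        # Each Dockerfile forwards VERSION into its build; for the Go backend
        # that is -ldflags "-X <pkg>.Version=${VERSION}" (pkg path is the
        # project's own, assumed here).
        run: |
          for svc in backend frontend; do
            docker build --build-arg VERSION="$VERSION" \
              -t "$REGISTRY/$OWNER/$svc:$VERSION" "$svc"
          done

      - name: Gate on CRITICAL findings before anything reaches the registry
        # --exit-code 1 fails this step on a CRITICAL hit, so the login and
        # push steps below never run for a tainted build.
        run: |
          for svc in backend frontend; do
            trivy image --exit-code 1 --severity CRITICAL \
              "$REGISTRY/$OWNER/$svc:$VERSION"
          done

      - name: Log in to the Forgejo registry
        run: |
          echo "${{ secrets.REGISTRY_TOKEN }}" \
            | docker login "$REGISTRY" -u "${{ github.actor }}" --password-stdin

      - name: Push version, latest and short-SHA tags
        run: |
          for svc in backend frontend; do
            img="$REGISTRY/$OWNER/$svc"
            docker tag "$img:$VERSION" "$img:latest"
            docker tag "$img:$VERSION" "$img:${GITHUB_SHA:0:12}"
            docker push --all-tags "$img"
          done
```

Because the images are built and scanned locally, a failing scan leaves nothing in the registry for the production compose overlay to pull.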
feat(deploy): add production compose overlay for published images
Some checks failed
CI / backend-lint (pull_request) Failing after 16s
CI / backend-security (pull_request) Failing after 12s
CI / backend-test (pull_request) Failing after 15s
CI / frontend-security (pull_request) Failing after 29s
CI / frontend-build (pull_request) Failing after 32s
2d725f67fa
Adds docker-compose.prod.yml that overrides build directives with
published container images from the Forgejo registry. Supports
VERSION env var to pin a specific release.

Usage: docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d

Closes OP#697

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reference
mike/WhereTheHeartIsGo!1