From 92a417c102a6d469c9af386a79ea1fea1da5216f Mon Sep 17 00:00:00 2001
From: Conner Majic
Date: Fri, 17 Apr 2026 08:23:34 -0600
Subject: [PATCH] ci: improve reproducibility and add dependency audit gate

Use lockfile-driven installs in Docker paths and add high-severity npm audit checks in CI while documenting local CORS policy for compose-based development.

Made-with: Cursor
---
.github/workflows/ci.yml | 56 ++++++++++++++++++++++++++++++++++++++++
Dockerfile | 4 +--
docker-compose.yml | 2 ++
gui-ts/Dockerfile | 2 +-
solver-api/Dockerfile | 2 +-
5 files changed, 62 insertions(+), 4 deletions(-)
create mode 100644 .github/workflows/ci.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..7236840
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,56 @@
+name: CI
+
+on:
+ push:
+ branches:
+ - main
+ - "feature/**"
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 5 * * *"
+
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+ cache: "npm"
+ cache-dependency-path: |
+ solver-api/package-lock.json
+ gui-ts/package-lock.json
+
+ - name: Install solver-api deps
+ run: npm ci
+ working-directory: solver-api
+
+ - name: Install gui deps
+ run: npm ci
+ working-directory: gui-ts
+
+ - name: Audit production dependencies (high+)
+ run: |
+ npm audit --omit=dev --audit-level=high
+ cd ../gui-ts && npm audit --omit=dev --audit-level=high
+ working-directory: solver-api
+
+ - name: Run full test suite
+ run: make test
+
+ solver-sanitize:
+ name: Solver sanitize
+ runs-on: ubuntu-latest
+ if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Run ASan/UBSan regression
+ run: make test-solver-sanitize
diff --git a/Dockerfile b/Dockerfile
index 95b3386..902bf3e 100644
--- a/Dockerfile
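Review bot: The workflow declares no `permissions:` block, so both jobs run with whatever default GITHUB_TOKEN scope the repository is configured with, although none of the steps (checkout, `npm ci`, `npm audit`, `make`) needs more than read access; add `permissions:` followed by `  contents: read` at the top level under `name: CI`. The third-party actions are referenced by mutable tags (`actions/checkout@v4` in both jobs, `actions/setup-node@v4` in the test job), so a retagged release changes what executes in CI without any diff in this repository; pinning to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, gives the actions the same reproducibility this commit gives the npm installs. In the audit step the default runner shell stops at the first non-zero exit, so a high-severity finding in solver-api hides the gui-ts result entirely; running the two audits as two separate steps reports both in one run.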
+++ b/Dockerfile
@@ -1,12 +1,12 @@
 FROM node:20-alpine AS api-deps
 WORKDIR /app/solver-api
 COPY solver-api/package.json solver-api/package-lock.json* ./
-RUN npm install
+RUN npm ci
 FROM node:20-alpine AS gui-deps
 WORKDIR /app/gui-ts
 COPY gui-ts/package.json gui-ts/package-lock.json* ./
-RUN npm install
+RUN npm ci
 FROM alpine:3.20 AS solver-build
 RUN apk add --no-cache build-base
diff --git a/docker-compose.yml b/docker-compose.yml
index bb35375..e79a46b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,8 @@ services:
 working_dir: /app
 ports:
 - "4400:4400"
+ environment:
+ - CORS_ORIGINS=http://localhost:5173
 volumes:
 - ./solver-api/src:/app/src
 - ./data:/data
diff --git a/gui-ts/Dockerfile b/gui-ts/Dockerfile
index f1b6951..47b48c8 100644
--- a/gui-ts/Dockerfile
+++ b/gui-ts/Dockerfile
@@ -3,7 +3,7 @@ FROM node:20-alpine
 WORKDIR /app
 COPY package.json package-lock.json* ./
-RUN npm install
+RUN npm ci
 COPY . .
diff --git a/solver-api/Dockerfile b/solver-api/Dockerfile
index 252503e..71a80d9 100644
--- a/solver-api/Dockerfile
+++ b/solver-api/Dockerfile
@@ -5,7 +5,7 @@ WORKDIR /app
 RUN apk add --no-cache build-base
 COPY package.json package-lock.json* ./
-RUN npm install
+RUN npm ci
 COPY src ./src
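Review bot: The `COPY solver-api/package.json solver-api/package-lock.json* ./` line in the api-deps stage, and the matching gui-ts line below it, keep the `*` glob that made the lockfile optional back when the stage ran `npm install`; with `npm ci` the lockfile is mandatory, so a missing or .dockerignore'd lockfile now passes the COPY silently and only fails later inside npm with a less obvious error. Dropping the glob, `COPY solver-api/package.json solver-api/package-lock.json ./`, fails the build at the copy step with a clear message and makes the reproducibility intent of this commit explicit in the Dockerfile itself. The same `package-lock.json*` glob survives in the gui-ts/Dockerfile and solver-api/Dockerfile hunks further down and should be tightened there too.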
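Review bot: The new `CORS_ORIGINS=http://localhost:5173` entry carries none of the documentation the commit message describes, and nothing in the hunk says whether solver-api reads the value as a single origin or a comma-separated list, or what it does when the variable is unset. A comment above the added `environment:` key such as `# Dev only: allow the Vite dev-server origin; set CORS_ORIGINS explicitly for any other deployment` records the intent where the next person editing compose will see it, and the unset-variable behaviour belongs in solver-api's own configuration docs. The service this block configures starts before the hunk, so its name is not visible here.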