Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .dockerignore
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
**/*.pem
**/.npmrc
**/.aws
**/.ssh
**/.ebextensions
Expand Down
21 changes: 21 additions & 0 deletions .github/actions/setup-cgr/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
name: Setup Chainguard registry
description: Authenticate to CGR, write .npmrc, and swap in the CGR lockfile.
inputs:
assumed-id:
description: Chainguard assumed identity (secrets.CGR_ASSUMED_ID)
required: true
runs:
using: composite
steps:
- name: Install chainctl + assume identity
# setup-chainctl@2cddd35a2f120d9973e58094dc6878c93cf58c28 -> v0.5.1
uses: chainguard-dev/setup-chainctl@2cddd35a2f120d9973e58094dc6878c93cf58c28
with:
identity: ${{ inputs.assumed-id }}
- name: Configure .npmrc for CGR and swap lockfile
shell: bash
Comment thread
KenLSM marked this conversation as resolved.
run: |
chainctl auth configure-npm --org-name open.gov.sg
ex -sc 'g/javascript\/:/t.|s/javascript/javascript-upstream/|x' .npmrc
echo 'use-node-version=22.22.2' >> .npmrc
cp pnpm-lock.cgr.yaml pnpm-lock.yaml
Comment thread
KenLSM marked this conversation as resolved.
24 changes: 15 additions & 9 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -1,12 +1,16 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
registries:
chainguard-npm:
type: npm-registry
url: https://libraries.cgr.dev/javascript/
username: ${{secrets.CG_LIBRARIES_USER}}
password: ${{secrets.CG_LIBRARIES_PASS}}
replaces-base: true
updates:
- package-ecosystem: 'npm' # See documentation for possible values
directory: '/' # Location of package manifests
- package-ecosystem: 'npm'
directory: '/'
registries:
- chainguard-npm
schedule:
interval: 'daily'
time: '01:00'
Expand All @@ -15,8 +19,10 @@ updates:
prefix: 'fix'
prefix-development: 'chore'
include: 'scope'
- package-ecosystem: 'npm' # See documentation for possible values
directory: '/shared' # Location of package manifests
- package-ecosystem: 'npm'
directory: '/shared'
registries:
- chainguard-npm
schedule:
interval: 'daily'
time: '03:00'
Expand Down
16 changes: 16 additions & 0 deletions .github/workflows/build-base-images.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ on:
permissions:
contents: read
packages: write
id-token: write

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is opening something that we previously hardened.

Previous workflow was that only deploy requires privileged access, to reduce attack surface during build time where we're installing / processing from less-known sources.


env:
REGISTRY: ghcr.io
Expand All @@ -42,6 +43,17 @@ jobs:
- name: Checkout
uses: actions/checkout@v4

- name: Install chainctl + assume identity
# setup-chainctl@2cddd35a2f120d9973e58094dc6878c93cf58c28 -> v0.5.1
uses: chainguard-dev/setup-chainctl@2cddd35a2f120d9973e58094dc6878c93cf58c28
with:
identity: ${{ secrets.CGR_ASSUMED_ID }}
- name: Generate CGR .npmrc and swap lockfile
run: |
chainctl auth configure-npm --org-name open.gov.sg
ex -sc 'g/javascript\/:/t.|s/javascript/javascript-upstream/|x' .npmrc
cp pnpm-lock.cgr.yaml pnpm-lock.yaml

- name: Compute dependency hash
id: deps-hash
run: |
Expand Down Expand Up @@ -106,6 +118,8 @@ jobs:
${{ env.IMAGE_NAME }}:build-latest
cache-from: |
type=registry,ref=${{ env.IMAGE_NAME }}:build-latest
secret-files: |
npmrc=.npmrc

- name: Build and push runtime-base image
if: steps.check-exists.outputs.skip != 'true'
Expand All @@ -120,6 +134,8 @@ jobs:
${{ env.IMAGE_NAME }}:runtime-latest
cache-from: |
type=registry,ref=${{ env.IMAGE_NAME }}:runtime-latest
secret-files: |
npmrc=.npmrc

- name: Set outputs
id: set-outputs
Expand Down
58 changes: 49 additions & 9 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,10 @@ env:
NODE_VERSION: '22.22'
PNPM_VERSION: '10.30.3'

permissions:
contents: read
id-token: write

on:
push:
branches-ignore:
Expand Down Expand Up @@ -69,6 +73,10 @@ jobs:
- uses: actions/checkout@v4.3.1
with:
fetch-depth: 0
- name: Setup Chainguard registry
uses: ./.github/actions/setup-cgr
with:
assumed-id: ${{ secrets.CGR_ASSUMED_ID }}
- name: Install pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
with:
Expand All @@ -79,7 +87,7 @@ jobs:
node-version: ${{ env.NODE_VERSION }}
cache: 'pnpm'
- name: Install dependencies
run: pnpm install
run: pnpm install --frozen-lockfile

build:
needs: install
Expand All @@ -88,6 +96,10 @@ jobs:
- uses: actions/checkout@v4.3.1
with:
fetch-depth: 0
- name: Setup Chainguard registry
uses: ./.github/actions/setup-cgr
with:
assumed-id: ${{ secrets.CGR_ASSUMED_ID }}
- name: Install pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
with:
Expand All @@ -98,7 +110,7 @@ jobs:
node-version: ${{ env.NODE_VERSION }}
cache: 'pnpm'
- name: Install dependencies
run: pnpm install
run: pnpm install --frozen-lockfile
- run: pnpm build
env:
NODE_OPTIONS: '--max-old-space-size=4096'
Expand Down Expand Up @@ -136,6 +148,10 @@ jobs:
- uses: actions/checkout@v4.3.1
with:
fetch-depth: 0
- name: Setup Chainguard registry
uses: ./.github/actions/setup-cgr
with:
assumed-id: ${{ secrets.CGR_ASSUMED_ID }}
- name: Install pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
with:
Expand Down Expand Up @@ -163,7 +179,7 @@ jobs:
key: ${{ runner.os }}-build-${{ github.sha }}
fail-on-cache-miss: true
- name: Install dependencies
run: pnpm install
run: pnpm install --frozen-lockfile
- name: Configure Datadog Test Visibility
uses: datadog/test-visibility-github-action@7f2b515b64333229315f4701adc590ee6586b270 # v1.0.5
with:
Expand All @@ -185,6 +201,10 @@ jobs:
- uses: actions/checkout@v4.3.1
with:
fetch-depth: 0
- name: Setup Chainguard registry
uses: ./.github/actions/setup-cgr
with:
assumed-id: ${{ secrets.CGR_ASSUMED_ID }}
- name: Install pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
with:
Expand All @@ -195,7 +215,7 @@ jobs:
node-version: ${{ env.NODE_VERSION }}
cache: 'pnpm'
- name: Install dependencies
run: pnpm install
run: pnpm install --frozen-lockfile
- run: pnpm lint:frontend

backend_test:
Expand All @@ -206,6 +226,10 @@ jobs:
- uses: actions/checkout@v4.3.1
with:
fetch-depth: 0
- name: Setup Chainguard registry
uses: ./.github/actions/setup-cgr
with:
assumed-id: ${{ secrets.CGR_ASSUMED_ID }}
- name: Install pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
with:
Expand Down Expand Up @@ -233,7 +257,7 @@ jobs:
key: ${{ runner.os }}-build-${{ github.sha }}
fail-on-cache-miss: true
- name: Install dependencies
run: pnpm install
run: pnpm install --frozen-lockfile
- run: pnpm install --prefix services/pdf-gen-sparticuz
- run: pnpm install --prefix services/virus-scanner-guardduty
- name: Configure Datadog Test Visibility
Expand All @@ -256,6 +280,10 @@ jobs:
- uses: actions/checkout@v4.3.1
with:
fetch-depth: 0
- name: Setup Chainguard registry
uses: ./.github/actions/setup-cgr
with:
assumed-id: ${{ secrets.CGR_ASSUMED_ID }}
- name: Install pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
with:
Expand All @@ -266,7 +294,7 @@ jobs:
node-version: ${{ env.NODE_VERSION }}
cache: 'pnpm'
- name: Install dependencies
run: pnpm install
run: pnpm install --frozen-lockfile
- run: pnpm lint-ci:backend

shared_lint:
Expand All @@ -277,6 +305,10 @@ jobs:
- uses: actions/checkout@v4.3.1
with:
fetch-depth: 0
- name: Setup Chainguard registry
uses: ./.github/actions/setup-cgr
with:
assumed-id: ${{ secrets.CGR_ASSUMED_ID }}
- name: Install pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
with:
Expand All @@ -287,7 +319,7 @@ jobs:
node-version: ${{ env.NODE_VERSION }}
cache: 'pnpm'
- name: Install dependencies
run: pnpm install
run: pnpm install --frozen-lockfile
- run: pnpm lint-ci:shared

shared_test:
Expand All @@ -298,6 +330,10 @@ jobs:
- uses: actions/checkout@v4.3.1
with:
fetch-depth: 0
- name: Setup Chainguard registry
uses: ./.github/actions/setup-cgr
with:
assumed-id: ${{ secrets.CGR_ASSUMED_ID }}
- name: Install pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
with:
Expand All @@ -308,7 +344,7 @@ jobs:
node-version: ${{ env.NODE_VERSION }}
cache: 'pnpm'
- name: Install dependencies
run: pnpm install
run: pnpm install --frozen-lockfile
- name: Configure Datadog Test Visibility
uses: datadog/test-visibility-github-action@7f2b515b64333229315f4701adc590ee6586b270 # v1.0.5
with:
Expand All @@ -331,6 +367,10 @@ jobs:
- uses: actions/checkout@v4.3.1
with:
fetch-depth: 0
- name: Setup Chainguard registry
uses: ./.github/actions/setup-cgr
with:
assumed-id: ${{ secrets.CGR_ASSUMED_ID }}
- name: Install pnpm
uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
with:
Expand All @@ -341,7 +381,7 @@ jobs:
node-version: ${{ env.NODE_VERSION }}
cache: 'pnpm'
- name: Install dependencies
run: pnpm install
run: pnpm install --frozen-lockfile
- name: Configure Datadog Test Visibility
uses: datadog/test-visibility-github-action@7f2b515b64333229315f4701adc590ee6586b270 # v1.0.5
with:
Expand Down
3 changes: 2 additions & 1 deletion Dockerfile.base
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,8 @@ COPY packages/shared/package.json ./packages/shared/
COPY packages/sdk/package.json ./packages/sdk/
COPY apps/frontend/package.json ./apps/frontend/

RUN pnpm install --frozen-lockfile --filter "!services/*" --filter "!packages/react-email-preview/*"
RUN --mount=type=secret,id=npmrc,target=/build/.npmrc \
pnpm install --frozen-lockfile --filter "!services/*" --filter "!packages/react-email-preview/*"

# =============================================================================
# runtime-base: Minimal runtime image with system deps and non-root user
Expand Down
Loading
Loading