From ce0ef40abcbd35215c95fcc6e83f29da9e674c4e Mon Sep 17 00:00:00 2001
From: Priyanka-Inflectionzone
Date: Thu, 3 Jul 2025 16:13:13 +0530
Subject: [PATCH 1/3] Updated dockerfile to resolve vulnerabilities
---
 Dockerfile | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index fe9a414..1785197 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,12 +1,12 @@
-FROM node:18.18-alpine3.18 AS builder
+FROM node:18.20.8-alpine3.21 AS builder
 COPY . /app
 RUN apk add bash
 RUN apk add --no-cache \
 python3 \
 py3-pip \
- && pip3 install --upgrade pip \
- && pip3 install \
- awscli \
+ # && pip3 install --upgrade pip \
+ # && pip3 install \
+ # awscli \
 && rm -rf /var/cache/apk/*
 RUN apk add --update alpine-sdk
@@ -20,15 +20,13 @@ RUN npx prisma generate
 RUN npm run build
 ##
-
-FROM node:18.18-alpine3.18
+FROM node:18.20.8-alpine3.21
 RUN apk add bash
 RUN apk add --no-cache \
 python3 \
 py3-pip \
- && pip3 install --upgrade pip \
- && pip3 install \
- awscli \
+ # && pip3 install --upgrade pip \
+ && pip3 install --break-system-packages awscli \
 && rm -rf /var/cache/apk/*
 RUN apk add --update alpine-sdk
 RUN apk update
From ce516d0864304f6e978500fbeabaf257d56bdc38 Mon Sep 17 00:00:00 2001
From: inflection-sahil
Date: Fri, 26 Sep 2025 15:46:54 +0530
Subject: [PATCH 2/3] added ci-cd workflows
---
 .github/workflows/ecr-ci.yml | 89 +++++++++++++++++++++++++++++++++
 .github/workflows/server-cd.yml | 64 ++++++++++++++++++++++++
 2 files changed, 153 insertions(+)
 create mode 100755 .github/workflows/ecr-ci.yml
 create mode 100755 .github/workflows/server-cd.yml
diff --git a/.github/workflows/ecr-ci.yml b/.github/workflows/ecr-ci.yml
new file mode 100755
index 0000000..2570df2
--- /dev/null
+++ b/.github/workflows/ecr-ci.yml
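Review bot: The three commented-out lines `+ # && pip3 install --upgrade pip \`, `+ # && pip3 install \`, `+ # awscli \` sit inside the `\`-continued `RUN apk add --no-cache` chain of the builder stage; Docker strips comment lines inside a continuation, so the layer still builds, but the chain now reads as broken and `py3-pip` is left installed with no remaining consumer in this stage. Delete the dead lines and the package, leaving `RUN apk add --no-cache \` / `    python3 \` / `  && rm -rf /var/cache/apk/*` (the `rm` is itself largely redundant with `--no-cache`, and `python3` is only worth keeping if `npm install` compiles native modules through node-gyp — verify against the dependency tree). `node:18.20.8` is still an end-of-life Node line, which works against the commit's stated goal; patch 3/3 of this series moves to 24.x, so that part needs no separate action here.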
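Review bot: `+ && pip3 install --break-system-packages awscli \` in the runtime stage installs whatever awscli version PyPI serves at build time, so the image is not reproducible, and `--break-system-packages` switches off the PEP 668 guard that stops pip from overwriting Alpine-managed Python files. Pin the version, e.g. `&& pip3 install --break-system-packages 'awscli==<PINNED_VERSION>' \`, or install it into a dedicated venv (or from Alpine's own `aws-cli` package, if its version suits) so the system interpreter is left alone. The remaining `+ # && pip3 install --upgrade pip \` comment inside the continuation is dead and should be removed rather than kept. This stage also keeps `alpine-sdk` and `py3-pip` in the final image; for a commit whose purpose is reducing vulnerabilities, confining those build tools to the builder stage would shrink the scanned surface considerably.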
@@ -0,0 +1,89 @@
+# Required secrets
+# AWS_REGION
+# AWS_ACCESS_KEY_ID
+# AWS_SECRET_ACCESS_KEY
+# PERSONAL_ACCESS_TOKEN
+# ENV_FILE_BUCKET_PATH
+
+name: Continuous Integration with ECR
+
+on:
+ push:
+ branches:
+ - develop
+ # workflow_run:
+ # workflows:
+ # - GitGuardian Secrets Scan
+ # types:
+ # - completed
+ workflow_dispatch:
+ inputs:
+ trigger_cd:
+ description: 'Trigger CD workflow (true/false)'
+ required: true
+ default: 'false'
+
+env:
+ ECR_REPOSITORY_NAME: forms-service
+ ECR_IMAGE_TAG: ${{ github.sha }}
+ TRIGGER_WORKFLOW_URL: https://api.github.com/repos/inflection-zone/forms-service/actions/workflows/server-cd.yml/dispatches
+
+jobs:
+ build:
+ name: Build and push the docker image to ECR
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout the repo
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1 # required to scan only latest commit
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: ${{ secrets.AWS_REGION }}
+ # role-to-assume: ROLE_TO_ASSUME
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+ - name: Login to Amazon ECR
+ id: ecr-login
+ uses: aws-actions/amazon-ecr-login@v2
+ # with:
+ # registry-type: public
+
+ - name: Build and push the image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.ecr-login.outputs.registry }}/${{ env.ECR_REPOSITORY_NAME }}:${{ env.ECR_IMAGE_TAG }}
+
+ - name: Show ECR image tag
+ run: echo "Pushed image tag- ${{ env.ECR_IMAGE_TAG }}"
+
+ - name: Trigger server-cd workflow
+ # if: ${{ github.event.inputs.trigger_cd == 'true' }}
+ run: |
+ RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
+ -H "Accept: application/vnd.github+json" \
+ -H "Authorization: Bearer ${{ secrets.PERSONAL_ACCESS_TOKEN }}" \
+ ${{ env.TRIGGER_WORKFLOW_URL }} \
+ -d "{
+ \"ref\": \"develop\",
+ \"inputs\": {
+ \"service\": \"forms-service\",
+ \"ecr_registry_uri\": \"${{ steps.ecr-login.outputs.registry }}\",
+ \"ecr_repository_name\": \"${{ env.ECR_REPOSITORY_NAME }}\",
+ \"ecr_image_tag\": \"${{ env.ECR_IMAGE_TAG }}\"
+ }
+ }"
+ )
+
+ if [ "$RESPONSE" -eq 204 ]; then
+ echo "CD workflow triggered successfully."
+ else
+ echo "Failed to trigger CD workflow. HTTP status: $RESPONSE"
+ exit 1
+ fi
diff --git a/.github/workflows/server-cd.yml b/.github/workflows/server-cd.yml
new file mode 100755
index 0000000..9e61f2a
--- /dev/null
+++ b/.github/workflows/server-cd.yml
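Review bot: The `Configure AWS credentials` step authenticates with long-lived static keys (`aws-access-key-id` / `aws-secret-access-key`) while the `# role-to-assume:` line that would use GitHub's OIDC federation is left commented out; static keys held in repository secrets never expire and remain usable from anywhere if they leak from a runner or a log. Switch to `role-to-assume` with `id-token: write`, and drop `PERSONAL_ACCESS_TOKEN` from the `Trigger server-cd workflow` step — a workflow_dispatch call against the same repository works with the job's `GITHUB_TOKEN` once the job has `actions: write`, so no user-scoped PAT needs to live in secrets. The workflow also declares no `permissions:` block, so the token falls back to the repository default rather than least privilege. Because the `# if:` on the trigger step is commented out, the `trigger_cd` input is never consulted and every push to `develop` deploys to the server; either restore a guard that fits the push case or remove the input so the description stops promising a choice it does not offer.
```yaml
permissions:
  contents: read
  id-token: write   # required for OIDC via role-to-assume
  actions: write    # lets GITHUB_TOKEN dispatch server-cd.yml

# … unchanged: name, on, env, checkout step …
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ secrets.AWS_REGION }}
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}   # constructed secret name: the role ARN trusted for this repo's OIDC subject
# … unchanged: ECR login, build-push, echo of the tag …
      - name: Trigger server-cd workflow
        run: |
          RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
# … unchanged: URL, dispatch payload and status check …
```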
@@ -0,0 +1,64 @@
+# Required secrets
+# SERVER_HOST
+# SERVER_PORT
+# SERVER_USER
+# SERVER_SSH_KEY
+# SERVER_PASSPHRASE
+
+name: Continuous Deployment to Server
+
+on:
+ workflow_dispatch:
+ inputs:
+ service:
+ description: 'Service to deploy'
+ required: true
+ ecr_registry_uri:
+ description: 'ECR registry URI'
+ required: true
+ ecr_repository_name:
+ description: 'ECR repository name'
+ required: true
+ ecr_image_tag:
+ description: 'Image tag to deploy'
+ required: true
+
+jobs:
+ deploy:
+ name: Deploy to Server
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v4
+
+ - name: Deploy to Server via SSH
+ uses: appleboy/ssh-action@v1.2.0
+ with:
+ host: ${{ secrets.SERVER_HOST }}
+ username: ${{ secrets.SERVER_USER }}
+ key: ${{ secrets.SERVER_SSH_KEY }}
+ port: ${{ secrets.SERVER_PORT }}
+ passphrase: ${{ secrets.SERVER_PASSPHRASE }}
+ script: |
+ set -e
+ SERVICE_NAME="${{ github.event.inputs.service }}"
+ ECR_REGISTRY_URI="${{ github.event.inputs.ecr_registry_uri }}"
+ ECR_REPOSITORY_NAME="${{ github.event.inputs.ecr_repository_name }}"
+ ECR_IMAGE_TAG="${{ github.event.inputs.ecr_image_tag }}"
+
+ ECR_IMAGE=${ECR_REGISTRY_URI}/${ECR_REPOSITORY_NAME}:${ECR_IMAGE_TAG}
+
+ echo "Pulling latest image $ECR_IMAGE..."
+ docker pull $ECR_IMAGE
+
+ COMPOSE_FILE="./webservices/forms-dev/compose/docker-compose.yml"
+
+ echo "Updating image for $SERVICE_NAME in $COMPOSE_FILE..."
+ # Replace image line under the selected service
+ sed -i "/^[[:space:]]*$SERVICE_NAME:/,/^[[:space:]]*[a-zA-Z]/s|^[[:space:]]*image:.*| image: $ECR_IMAGE|" $COMPOSE_FILE
+
+ echo "Redeploying $SERVICE_NAME..."
+ docker compose -f $COMPOSE_FILE up -d $SERVICE_NAME
+
+ echo "Deployment successful"
From 77f4330a8123c86e4564e2954a4b5849690bef9a Mon Sep 17 00:00:00 2001
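Review bot: The remote `script:` embeds `${{ github.event.inputs.service }}`, `…ecr_registry_uri`, `…ecr_repository_name` and `…ecr_image_tag` straight into shell text, and the resulting variables are then expanded unquoted in `docker pull $ECR_IMAGE`, inside the `sed` range and replacement (where `|` is the delimiter) and in `docker compose … up -d $SERVICE_NAME`; a dispatch input containing quotes, `;`, `|` or whitespace therefore changes which commands run on the host rather than just their parameters, and dispatch rights on this repository are in effect command rights on the server. Add a runner-side step that takes the inputs through `env:` and rejects anything outside the image-reference character set before the SSH step runs, and quote the expansions in the script (`docker pull "$ECR_IMAGE"`, `docker compose -f "$COMPOSE_FILE" up -d "$SERVICE_NAME"`). Separately, the `sed` range ends at the first following line that starts with optional whitespace and a letter — normally the line directly after `$SERVICE_NAME:` — so the replacement only reaches `image:` when it is the first key under the service; otherwise the compose file is left untouched and `docker compose up` silently redeploys the previous image (cannot be confirmed without the compose file). The `Checkout repo` step fetches the source onto the runner although nothing in the job reads it, so it can be dropped.
```yaml
      - name: Validate deployment inputs
        env:
          SERVICE_NAME: ${{ github.event.inputs.service }}
          ECR_REGISTRY_URI: ${{ github.event.inputs.ecr_registry_uri }}
          ECR_REPOSITORY_NAME: ${{ github.event.inputs.ecr_repository_name }}
          ECR_IMAGE_TAG: ${{ github.event.inputs.ecr_image_tag }}
        run: |
          # Only image-reference characters are accepted; anything else stops the job before the SSH step.
          for v in "$SERVICE_NAME" "$ECR_REGISTRY_URI" "$ECR_REPOSITORY_NAME" "$ECR_IMAGE_TAG"; do
            case "$v" in
              ""|*[!A-Za-z0-9._/:-]*) echo "Rejected deployment input: $v" >&2; exit 1 ;;
            esac
          done

      # … unchanged: Deploy to Server via SSH step, with "$ECR_IMAGE", "$COMPOSE_FILE" and "$SERVICE_NAME" quoted in its script …
```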
From: Priyanka-Inflectionzone
Date: Fri, 26 Sep 2025 16:16:19 +0530
Subject: [PATCH 3/3] Modified dockerfile and entrypoint
---
 Dockerfile | 12 +++++-------
 entrypoint.sh | 2 +-
 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1785197..f5506c1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:18.20.8-alpine3.21 AS builder
+FROM node:24.8-alpine3.21 AS builder
 COPY . /app
 RUN apk add bash
 RUN apk add --no-cache \
@@ -16,11 +16,10 @@ RUN npm install -g typescript
 RUN npm install
 COPY src ./src
 COPY tsconfig.json ./
-RUN npx prisma generate
 RUN npm run build
 ##
-FROM node:18.20.8-alpine3.21
+FROM node:24.8-alpine3.21
 RUN apk add bash
 RUN apk add --no-cache \
 python3 \
@@ -37,15 +36,14 @@ WORKDIR /app
 COPY package*.json /app/
 RUN npm install pm2 -g
 RUN npm install
-COPY --from=builder /app/dist /app/dist
+COPY --from=builder /app/dist/ .
 RUN chmod +x /app/entrypoint.sh
+RUN dos2unix /app/entrypoint.sh
 EXPOSE 5555
-CMD ["sh", "-c", "npx prisma migrate deploy"]
-
-ENTRYPOINT ["/bin/sh", "./entrypoint.sh"]
+ENTRYPOINT ["/bin/bash", "-c", "/app/entrypoint.sh"]
diff --git a/entrypoint.sh b/entrypoint.sh
index 6c56f55..a572f2b 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -8,4 +8,4 @@ cd /app
 # Add any other scripts here...
 # Start the service
 # npm run start
-pm2-runtime dist/index.js
\ No newline at end of file
+pm2-runtime src/index.js
\ No newline at end of file
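Review bot: `+ENTRYPOINT ["/bin/bash", "-c", "/app/entrypoint.sh"]` gains nothing over invoking the script directly and loses something: with `bash -c`, anything supplied as `CMD` or as `docker run … <args>` becomes `$0`/`$1` of the `-c` string instead of arguments to the script, so it is silently discarded. `ENTRYPOINT ["/app/entrypoint.sh"]` is sufficient once the `RUN chmod +x` line above has run, provided the script carries a shebang (its first lines are outside this diff — verify). `+RUN dos2unix /app/entrypoint.sh` relies on `dos2unix` being present in the runtime stage and no `apk add` for it is visible in the diff; normalising line endings in the repository (`.gitattributes` with `* text eol=lf`) removes both the step and the dependency. The final stage still has no `USER`, so pm2 and the application run as root; the official node images ship a `node` user, so `USER node` after the file-permission steps (with `--chown=node:node` on the `COPY` lines) would close that. Whether `+COPY --from=builder /app/dist/ .` puts `src/index.js` where the new entrypoint expects it depends on the tsc `outDir`/`rootDir` layout, which this diff does not show.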
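Review bot: `+pm2-runtime src/index.js` starts pm2 as a child of the shell interpreting `entrypoint.sh`, which under the new `ENTRYPOINT` is effectively the container's PID 1; on `docker stop` the SIGTERM reaches that shell and not pm2, so the runtime waits out its timeout and kills the process tree without a graceful shutdown. Prefix the call with `exec`: `exec pm2-runtime src/index.js`, so pm2 replaces the shell and receives the signal itself. The script header and the `cd /app` shown as hunk context lie outside this diff. The file also still lacks a trailing newline on both sides; adding one removes the `\ No newline at end of file` marker from every future patch to it.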