from ups6tream

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"

.github/linters/.hadolint.yaml

@@ -0,0 +1,44 @@
+# README: https://github.com/hadolint/hadolint
+
+# Often it's a good idea to do inline disables rather that repo-wide in this file.
+# Example of inline Dockerfile rules:
+# hadolint ignore=DL3018
+#RUN apk add --no-cache git
+
+failure-threshold: warning
+
+# or just ignore rules repo-wide
+ignored:
+  - DL3003 #ignore that we use cd sometimes
+  - DL3006 #image pin versions
+  - DL3008 #apt pin versions
+  - DL3018 #apk add pin versions
+  - DL3022 #bad rule for COPY --from
+  - DL3028 #gem install pin versions
+  - DL3059 #multiple consecutive runs
+  - DL4006 #we don't need pipefail in this
+  - SC2016 #we want single quotes sometimes
+
+
+# FULL TEMPLATE
+# failure-threshold: string               # name of threshold level (error | warning | info | style | ignore | none)
+# format: string                          # Output format (tty | json | checkstyle | codeclimate | gitlab_codeclimate | gnu | codacy)
+# ignored: [string]                       # list of rules
+# label-schema:                           # See Linting Labels below for specific label-schema details
+#   author: string                        # Your name
+#   contact: string                       # email address
+#   created: timestamp                    # rfc3339 datetime
+#   version: string                       # semver
+#   documentation: string                 # url
+#   git-revision: string                  # hash
+#   license: string                       # spdx
+# no-color: boolean                       # true | false
+# no-fail: boolean                        # true | false
+# override:
+#   error: [string]                       # list of rules
+#   warning: [string]                     # list of rules
+#   info: [string]                        # list of rules
+#   style: [string]                       # list of rules
+# strict-labels: boolean                  # true | false
+# disable-ignore-pragma: boolean          # true | false
+# trustedRegistries: string | [string]    # registry or list of registries

.github/linters/.markdown-lint.yml

@@ -0,0 +1,9 @@
+# MD013/line-length - Line length
+MD013:
+  # Number of characters, default is 80
+  # I'm OK with long lines. All editors now have wordwrap
+  line_length: 9999
+  # Number of characters for headings
+  heading_line_length: 100
+  # check code blocks?
+  code_blocks: false

.github/linters/.yaml-lint.yml

@@ -0,0 +1,53 @@
+---
+###########################################
+# These are the rules used for            #
+# linting all the yaml files in the stack #
+# NOTE:                                   #
+# You can disable line with:              #
+# # yamllint disable-line                 #
+###########################################
+rules:
+  braces:
+    level: warning
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: 0
+    max-spaces-inside-empty: 5
+  brackets:
+    level: warning
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: 0
+    max-spaces-inside-empty: 5
+  colons:
+    level: warning
+    max-spaces-before: 0
+    max-spaces-after: 1
+  commas:
+    level: warning
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  comments: disable
+  comments-indentation: disable
+  document-end: disable
+  document-start: disable
+  empty-lines:
+    level: warning
+    max: 2
+    max-start: 0
+    max-end: 0
+  hyphens:
+    level: warning
+    max-spaces-after: 1
+  indentation:
+    level: warning
+    spaces: consistent
+    indent-sequences: true
+    check-multi-line-strings: false
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable

.github/workflows/call-docker-build.yaml

@@ -0,0 +1,54 @@
+---
+# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
+name: Docker Build
+
+on:
+  push:
+    branches:
+      - main
+    # don't rebuild image if someone only edited unrelated files
+    paths-ignore:
+      - 'README.md'
+      - '.github/linters/**'
+  pull_request:
+    # don't rebuild image if someone only edited unrelated files
+    paths-ignore:
+      - 'README.md'
+      - '.github/linters/**'
+
+jobs:
+  call-docker-build:
+
+    name: Call Docker Build
+
+    uses: bretfisher/docker-build-workflow/.github/workflows/reusable-docker-build.yaml@main
+
+    permissions:
+      contents: read
+      packages: write # needed to push docker image to ghcr.io
+      pull-requests: write # needed to create and update comments in PRs
+
+    secrets:
+
+      # Only needed if with:dockerhub-enable is true below
+      dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+
+      # Only needed if with:dockerhub-enable is true below
+      # https://hub.docker.com/settings/security
+      dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
+
+    with:
+
+      ### REQUIRED
+      ### ENABLE ONE OR BOTH REGISTRIES
+      ### tell docker where to push.
+      ### NOTE if Docker Hub is set to true, you must set secrets above and also add account/repo/tags below
+      dockerhub-enable: true
+      ghcr-enable: true
+
+      ### REQUIRED 
+      ### A list of the account/repo names for docker build. List should match what's enabled above
+      ### defaults to:
+      image-names: |
+        ghcr.io/${{ github.repository }}
+        ${{ github.repository }}

.github/workflows/call-super-linter.yaml

@@ -0,0 +1,36 @@
+---
+# template source: https://github.com/bretfisher/super-linter-workflow/blob/main/templates/call-super-linter.yaml
+name: Lint Code Base
+
+on:
+
+  push:
+    branches: [main]
+
+  pull_request:
+
+jobs:
+  call-super-linter:
+
+    name: Call Super-Linter
+
+    permissions:
+      contents: read # clone the repo to lint
+      statuses: write #read/write to repo custom statuses
+
+    ### use Reusable Workflows to call my workflow remotely
+    ### https://docs.github.com/en/actions/learn-github-actions/reusing-workflows
+    ### you can also call workflows from inside the same repo via file path
+
+    uses: bretfisher/super-linter-workflow/.github/workflows/reusable-super-linter.yaml@main
+
+    ### Optional settings examples
+
+    with:
+      ### For a DevOps-focused repository. Prevents some code-language linters from running
+      ### defaults to false
+      devops-only: true
+
+      ### A regex to exclude files from linting
+      ### defaults to empty
+      # filter-regex-exclude: html/.*

Dockerfile

@@ -1,6 +1,7 @@
-# if you're doing anything beyond your local machine, please pin this to a specific version at https://hub.docker.com/_/node/
-# FROM node:12-alpine also works here for a smaller image
-FROM node:12-slim
+# If you're doing anything beyond your local machine, please pin this to a specific version at https://hub.docker.com/_/node/
+# Always use slim. If you need additional packages, add them with apt
+# Alpine variants are not offically supported by Node.js, so we use the default debian variant
+FROM node:18-slim
 
 # set our node environment, either development or production
 # defaults to production, compose overrides this to development on build and run
@@ -16,29 +17,32 @@ EXPOSE $PORT 9229 9230
 # but pin this version for the best stability
 RUN npm i npm@latest -g
 
-# install dependencies first, in a different location for easier app bind mounting for local development
-# due to default /opt permissions we have to create the dir with root and change perms
-RUN mkdir /opt/node_app && chown node:node /opt/node_app
-WORKDIR /opt/node_app
+# remember to put things that don't change much at the top for better caching
+# this entrypoint script will copy any file-based secrets into envs
+COPY docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+
 # the official node image provides an unprivileged user as a security best practice
 # but we have to manually enable it. We put it here so npm installs dependencies as the same
-# user who runs the app. 
+# user who runs the app.
 # https://github.com/nodejs/docker-node/blob/master/docs/BestPractices.md#non-root-user
 USER node
-COPY package.json package-lock.json* ./
-RUN npm install --no-optional && npm cache clean --force
+
+# install dependencies first, in a different location for easier app bind mounting for local development
+# WORKDIR now sets correct permissions if you set USER first
+WORKDIR /opt/node_app
+
+COPY --chown=node:node package.json package-lock.json* ./
+RUN npm ci && npm cache clean --force
 ENV PATH /opt/node_app/node_modules/.bin:$PATH
 
 # check every 30s to ensure this service returns HTTP 200
 HEALTHCHECK --interval=30s CMD node healthcheck.js
 
 # copy in our source code last, as it changes the most
+# copy in as node user, so permissions match what we need
 WORKDIR /opt/node_app/app
-COPY . .
-
-COPY docker-entrypoint.sh /usr/local/bin/
-ENTRYPOINT ["docker-entrypoint.sh"]
-
+COPY --chown=node:node . .
 
 # if you want to use npm start instead, then use `docker run --init in production`
 # so that signals are passed properly. Note the code in index.js is needed to catch Docker signals