YACS-RCOS · RichtXO · May 1, 2021 · Apr 14, 2021 · Apr 15, 2021 · Apr 15, 2021
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -4,6 +4,7 @@ on:
   push:
   workflow_dispatch:
 
+
 jobs:
   backend-unit-tests:
     name: Run backend unit tests
@@ -51,19 +52,43 @@ jobs:
         run: |
           bash scripts/test.sh
 
-  test-build:
+  lighthouse:
+    name: Lighthouse CI
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: Build production
+      - name: Setup Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: 15.x
+
+      - name: Build and Run Production
         run: |
           docker-compose \
             -f docker-compose.yml \
             -f docker-compose.production.yml \
-            build
+            up -d &&
+          sleep 5
+
+      - name: Seed test data
+        working-directory: rpi_data
+        run: |
+          curl --insecure -X POST -H "Content-Type: multipart/form-data" \
+          -F "isPubliclyVisible=on" -F "file=@$FILE_NAME" $AUTH_ARGS $API_ENDPOINT
+        env:
+          FILE_NAME: fall-2021.csv
+          AUTH_ARGS: ${{ secrets.AUTH_ARGS }}
+          API_ENDPOINT: https://localhost/api/bulkCourseUpload
+
+      - name: run Lighthouse CI
+        run: |
+          npm install -g @lhci/cli@0.7.x &&
+          lhci autorun
+        env:
+          LHCI_GITHUB_APP_TOKEN: ${{secrets.LHCI_GITHUB_APP_TOKEN}}
 
   publish-action-status:
-    needs: [backend-unit-tests, test-build]
+    needs: [backend-unit-tests, lighthouse]
     if: always()
     runs-on: ubuntu-latest
 
@@ -74,4 +99,4 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           name: CI
-          conclusion: ${{ env.WORKFLOW_CONCLUSION }}
+          conclusion: ${{ env.WORKFLOW_CONCLUSION }}
diff --git a/.github/workflows/pr-cd.yaml b/.github/workflows/pr-cd.yaml
@@ -6,8 +6,39 @@ on:
   workflow_dispatch:
 
 jobs:
+  wait-checks:
+    runs-on: ubuntu-latest
+
+    steps:
+      # action doesn't support multiple checks yet so
+      #  use a step for each check
+      - name: Wait for ci to complete
+        uses: fountainhead/action-wait-for-check@v1.0.0
+        id: wait-for-ci
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          checkName: CI
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Check if ci was successful
+        if: steps.wait-for-ci.outputs.conclusion != 'success'
+        run: exit 1
+
+      - name: Wait for codefactor to complete
+        uses: fountainhead/action-wait-for-check@v1.0.0
+        id: wait-for-codefactor
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          checkName: CodeFactor
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Check if codefactor was successful
+        if: steps.wait-for-codefactor.outputs.conclusion != 'success'
+        run: exit 1
+
   temp_deploy:
     runs-on: ubuntu-latest
+    needs: wait-checks
     steps:
       - uses: actions/checkout@v2
       - name: Use Node.js 13.x
@@ -37,10 +68,10 @@ jobs:
         id: provision
 
       - name: Share Link on PR
-        uses: vinodsai-a/actions-comment-pull-request@master
+        uses: thollander/actions-comment-pull-request@master
         with:
           message: |
             Deploy Link: ${{ steps.provision.outputs.link }}/
             Branch and Build Info: ${{ steps.provision.outputs.link }}:3000/info.txt
             Expected Time Ready: ${{ steps.info.outputs.datetime_ready }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/lighthouserc.js b/lighthouserc.js
@@ -0,0 +1,30 @@
+module.exports = {
+    ci: {
+        collect: {
+            url: ['https://localhost'],
+            settings: {
+                chromeFlags: ['--ignore-certificate-errors'],
+                // --- comment the formFactor and screenEmulation to test for mobile ---
+                formFactor: 'desktop',      
+                screenEmulation: {
+                    mobile: false,
+                    width: 1920,
+                    height: 1080,
+                    deviceScaleFactor: 1,
+                    disabled: false,
+                }
+            }
+        },
+        assert:{
+            assertions: {
+                'categories:performance': ['warn', { 'minScore': 0.8 }],
+                'categories:accessibility': ['warn', { 'minScore': 0.8 }],
+                'categories:best-practices': ['error', { 'minScore': 1.0 }],
+                'categories:seo': ['warn', { 'minScore': 1.0 }],
+            }
+        },
+        upload: {
+            target: 'temporary-public-storage'
+        }
+    }
+}
diff --git a/rpi_data/fall-2021.csv b/rpi_data/fall-2021.csv
diff --git a/rpi_data/summer-2021.csv b/rpi_data/summer-2021.csv
diff --git a/src/web/Dockerfile b/src/web/Dockerfile
@@ -17,6 +17,6 @@ COPY cert/ /etc/nginx/cert
 RUN \
   apt-get update --no-install-recommends && \
   apt-get install openssl --no-install-recommends -y && \
-  rm /var/lib/apt/lists/* || true
+  rm -rf /var/lib/apt/lists/* || true
 
-CMD ["/usr/local/bin/entrypoint.sh"]
+CMD ["/usr/local/bin/entrypoint.sh"]
diff --git a/src/web/nginx.conf b/src/web/nginx.conf
@@ -13,16 +13,14 @@ http {
   default_type application/octet-stream;
   keepalive_timeout  65;
 
-# Expires map
+  # Expires map
   map $sent_http_content_type $expires {
-      default                    off;
-      text/html                  epoch;
-      text/css                   max;
-      application/javascript     max;
-      ~image/                    max;
+      text/css                   30d;
+      application/javascript     30d;
+      application/json           60m;
   }
 
-
+  proxy_cache_path /tmp/micro_cache levels=1:2 keys_zone=micro_cache:100m max_size=100m inactive=3600s;
 
   server{
     listen 80;
@@ -43,8 +41,10 @@ http {
     gzip_proxied  any;
     gzip_vary on;
     gzip_comp_level 6;
-    gzip_buffers 16 8k; 
-
+    gzip_buffers 16 8k;
+    gzip_min_length 600;
+    gzip_types image/jpeg image/bmp image/svg+xml text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon;
+
     ssl_certificate      /etc/nginx/cert/${HOST}.crt;
     ssl_certificate_key  /etc/nginx/cert/${HOST}.key;
 
@@ -54,31 +54,33 @@ http {
     ssl_protocols       TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers   on;
     ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
-    # disabling unwanted http methods
+
+    # Disabling unwanted http methods
     if ($request_method !~ ^(DELETE|GET|POST)$ ){
       return 405;
     }
-    # prevent clickjack attacks
-    add_header X-Frame-Options "SAMEORIGIN";
-    # prevent XSS attacks
-    add_header X-XSS-Protection "1; mode=block";
-    # Configuring HSTS
-    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
+
+    # Headers
+    add_header X-Frame-Options "SAMEORIGIN";                                                      # prevent clickjack attacks
+    add_header X-XSS-Protection "1; mode=block";                                                  # prevent XSS attacks
+    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;   # Configuring HSTS
+    add_header CC-X-Request-ID $request_id;
+    add_header X-Cache_Status $upstream_cache_status;
+
     # Secure Diffie-Hellman for TLS
     ssl_dhparam /etc/nginx/cert/${HOST}.pem;
 
     ssl_session_cache shared:TLS:10m;
     ssl_session_timeout 10m;
-    ssl_buffer_size 4k;
-
-    # Set HSTS to 365 days
-    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
+
+    # Enable session tickets
+    ssl_session_tickets on;
 
     # OCSP stapling
     ssl_stapling on;
     ssl_stapling_verify on;
-    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
-
+    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;       # Google and Cisco
+    resolver_timeout 2s;
 
     # simple secure admin panel, will change later
     location ~* ^/admin {
@@ -96,6 +98,16 @@ http {
 
     # Serve API routes
     location /api {
+      # Micro Cache
+      proxy_cache micro_cache;
+      proxy_cache_valid 200 1s;
+      proxy_cache_use_stale updating;
+      proxy_cache_background_update on;
+      proxy_cache_lock on;
+
+      proxy_cache_revalidate on;
+      proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
+
       proxy_pass http://yacs_api:5000;
       client_max_body_size 3M;
     }