Merge branch 'master' into integrate-with-frontend-web-app

JonathanLeeWH · JonathanLeeWH · commit 6788910897cb · 2021-07-03T22:25:09.000+08:00
diff --git a/.github/ci/docker-compose-test-ci-db-only.yml b/.github/ci/docker-compose-test-ci-db-only.yml
@@ -0,0 +1,16 @@
+version: '3.8'
+
+services:
+  mongo:
+    image: mongo
+    restart: always
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: root
+      MONGO_INITDB_ROOT_PASSWORD: password
+    volumes:
+      - db-data:/data/db
+    ports:
+      - 27017:27017
+
+volumes:
+  db-data:
diff --git a/.github/workflows/app-test-container-no-docker-cache.yml b/.github/workflows/app-test-container-no-docker-cache.yml
@@ -0,0 +1,65 @@
+name: App Container CI (With docker caching disabled)
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+  # Added in response to recent changes by GitHub on 1 March 2021 involving dependabot pull requests running with read only permissions which resulted in by default GitHub secrets are unable to be read.
+  # References:
+  # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target (Announcement of changes to be made to dependabot pull requests)
+  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ (Recommended security mitigations by GitHub)
+  # https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425 (Ongoing GitHub issues by users in response to the changes)
+  pull_request_target:
+    branches: [master]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    timeout-minutes: 18
+
+    # If the Pull Request is coming from a fork (pull_request_target), ensure it's opened by "dependabot[bot]". Otherwise, clone it normally.
+    # References:
+    # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target
+    # https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425 (dependabot PM recommended solution)
+
+    if:
+      ${{ (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]') ||
+      (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') }}
+
+    steps:
+      - name: checkout
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: actions/checkout@v2.3.4
+
+      - name: checkout Pull Request (dependabot[bot] only)
+        if: ${{ github.event_name == 'pull_request_target' }}
+        uses: actions/checkout@v2.3.4
+        with:
+          # Without ref with pull_request_target, it does not actually build the PR, instead it builds the latest changeset from the target repository which is not the intended behaviour. (Reference: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ [Last example])
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      # Pull the latest image to build, and avoid caching pull-only images.
+      # (docker pull is faster than caching in most cases.)
+      - name: docker-compose pull
+        run: docker-compose pull
+      # - name: docker layer caching
+      #   uses: satackey/action-docker-layer-caching@v0.0.11
+      #   continue-on-error: true
+      - name: Run test in container
+        shell: bash
+        env:
+          FIREBASE_CLIENT_API_KEY: ${{ secrets.FIREBASE_CLIENT_API_KEY }}
+          # Your firebase service account information
+          FIREBASE_ADMIN_SA_TYPE: ${{ secrets.FIREBASE_ADMIN_SA_TYPE }}
+          FIREBASE_ADMIN_SA_PROJECT_ID: ${{ secrets.FIREBASE_ADMIN_SA_PROJECT_ID }}
+          FIREBASE_ADMIN_SA_PRIVATE_KEY_ID: ${{ secrets.FIREBASE_ADMIN_SA_PRIVATE_KEY_ID }}
+          FIREBASE_ADMIN_SA_PRIVATE_KEY: ${{ secrets.FIREBASE_ADMIN_SA_PRIVATE_KEY }}
+          FIREBASE_ADMIN_SA_CLIENT_EMAIL: ${{ secrets.FIREBASE_ADMIN_SA_CLIENT_EMAIL }}
+          FIREBASE_ADMIN_SA_CLIENT_ID: ${{ secrets.FIREBASE_ADMIN_SA_CLIENT_ID }}
+          FIREBASE_ADMIN_SA_AUTH_URI: ${{ secrets.FIREBASE_ADMIN_SA_AUTH_URI }}
+          FIREBASE_ADMIN_SA_TOKEN_URI: ${{ secrets.FIREBASE_ADMIN_SA_TOKEN_URI }}
+          FIREBASE_ADMIN_SA_AUTH_PROVIDER_X509_CERT_URL: ${{ secrets.FIREBASE_ADMIN_SA_AUTH_PROVIDER_X509_CERT_URL}}
+          FIREBASE_ADMIN_SA_CLIENT_X509_CERT_URL: ${{ secrets.FIREBASE_ADMIN_SA_CLIENT_X509_CERT_URL}}
+        run: docker-compose --file ./.github/ci/docker-compose-test-ci.yml up --build --exit-code-from app
diff --git a/.github/workflows/app-test-container.yml b/.github/workflows/app-test-container.yml
@@ -5,23 +5,50 @@ on:
     branches: [master]
   pull_request:
     branches: [master]
+  # Added in response to recent changes by GitHub on 1 March 2021 involving dependabot pull requests running with read only permissions which resulted in by default GitHub secrets are unable to be read.
+  # References:
+  # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target (Announcement of changes to be made to dependabot pull requests)
+  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ (Recommended security mitigations by GitHub)
+  # https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425 (Ongoing GitHub issues by users in response to the changes)
+  pull_request_target:
+    branches: [master]
 
 jobs:
   build:
     runs-on: ubuntu-latest
 
-    timeout-minutes: 8
+    timeout-minutes: 18
+
+    # If the Pull Request is coming from a fork (pull_request_target), ensure it's opened by "dependabot[bot]". Otherwise, clone it normally.
+    # References:
+    # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target
+    # https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425 (dependabot PM recommended solution)
+
+    if:
+      ${{ (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]') ||
+      (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') }}
 
     steps:
       - name: checkout
-        uses: actions/checkout@v2
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: actions/checkout@v2.3.4
+
+      - name: checkout Pull Request (dependabot[bot] only)
+        if: ${{ github.event_name == 'pull_request_target' }}
+        uses: actions/checkout@v2.3.4
+        with:
+          # Without ref with pull_request_target, it does not actually build the PR, instead it builds the latest changeset from the target repository which is not the intended behaviour. (Reference: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ [Last example])
+          ref: ${{ github.event.pull_request.head.sha }}
+
       # Pull the latest image to build, and avoid caching pull-only images.
       # (docker pull is faster than caching in most cases.)
       - name: docker-compose pull
         run: docker-compose pull
+
       - name: docker layer caching
-        uses: satackey/action-docker-layer-caching@v0.0.10
+        uses: satackey/action-docker-layer-caching@v0.0.11
         continue-on-error: true
+
       - name: Run test in container
         shell: bash
         env:
diff --git a/.github/workflows/node.js-with-docker-db.yml b/.github/workflows/node.js-with-docker-db.yml
@@ -0,0 +1,84 @@
+# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node while connecting to a mongodb docker instance
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
+
+name: Node.js with docker db CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+    # Added in response to recent changes by GitHub on 1 March 2021 involving dependabot pull requests running with read only permissions which resulted in by default GitHub secrets are unable to be read.
+  # References:
+  # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target (Announcement of changes to be made to dependabot pull requests)
+  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ (Recommended security mitigations by GitHub)
+  # https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425 (Ongoing GitHub issues by users in response to the changes)
+  pull_request_target:
+    branches: [master]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    timeout-minutes: 18
+
+    strategy:
+      matrix:
+        node-version: [14, 16]
+
+    # If the Pull Request is coming from a fork (pull_request_target), ensure it's opened by "dependabot[bot]". Otherwise, clone it normally.
+    # References:
+    # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target
+    # https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425 (dependabot PM recommended solution)
+
+    if:
+      ${{ (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]') ||
+      (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') }}
+
+    steps:
+      - name: checkout
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: actions/checkout@v2.3.4
+
+      - name: checkout Pull Request (dependabot[bot] only)
+        if: ${{ github.event_name == 'pull_request_target' }}
+        uses: actions/checkout@v2.3.4
+        with:
+          # Without ref with pull_request_target, it does not actually build the PR, instead it builds the latest changeset from the target repository which is not the intended behaviour. (Reference: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ [Last example])
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      # Pull the latest image to build, and avoid caching pull-only images.
+      # (docker pull is faster than caching in most cases.)
+      - name: docker-compose pull
+        run: docker-compose pull
+
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v2.2.0
+        with:
+          node-version: ${{ matrix.node-version }}
+          check-latest: true
+          cache: npm
+      - name: npm ci
+        run: npm ci
+      - name: npm run build
+        run: npm run build --if-present
+      - name: Build and Start mongodb in docker instance
+        shell: bash
+        run: docker-compose --file ./.github/ci/docker-compose-test-ci-db-only.yml up --build --detach
+      - name: Running test cases
+        run: npm run test-ci
+        env:
+          PORT: ${{ secrets.PORT }}
+          TEST_MONGODB_URI: mongodb://root:password@localhost:27017/softwareRepositoryTest?authSource=admin
+          FIREBASE_CLIENT_API_KEY: ${{ secrets.FIREBASE_CLIENT_API_KEY }}
+          # Your firebase service account information
+          FIREBASE_ADMIN_SA_TYPE: ${{ secrets.FIREBASE_ADMIN_SA_TYPE }}
+          FIREBASE_ADMIN_SA_PROJECT_ID: ${{ secrets.FIREBASE_ADMIN_SA_PROJECT_ID }}
+          FIREBASE_ADMIN_SA_PRIVATE_KEY_ID: ${{ secrets.FIREBASE_ADMIN_SA_PRIVATE_KEY_ID }}
+          FIREBASE_ADMIN_SA_PRIVATE_KEY: ${{ secrets.FIREBASE_ADMIN_SA_PRIVATE_KEY }}
+          FIREBASE_ADMIN_SA_CLIENT_EMAIL: ${{ secrets.FIREBASE_ADMIN_SA_CLIENT_EMAIL }}
+          FIREBASE_ADMIN_SA_CLIENT_ID: ${{ secrets.FIREBASE_ADMIN_SA_CLIENT_ID }}
+          FIREBASE_ADMIN_SA_AUTH_URI: ${{ secrets.FIREBASE_ADMIN_SA_AUTH_URI }}
+          FIREBASE_ADMIN_SA_TOKEN_URI: ${{ secrets.FIREBASE_ADMIN_SA_TOKEN_URI }}
+          FIREBASE_ADMIN_SA_AUTH_PROVIDER_X509_CERT_URL: ${{ secrets.FIREBASE_ADMIN_SA_AUTH_PROVIDER_X509_CERT_URL}}
+          FIREBASE_ADMIN_SA_CLIENT_X509_CERT_URL: ${{ secrets.FIREBASE_ADMIN_SA_CLIENT_X509_CERT_URL}}
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
@@ -2,6 +2,12 @@
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
 # Addition of Cache Action
 
+## TODO: Add mitigations for GitHub Actions dependabot read only changes which resulted in GitHub Secrets cannot be read.
+## References:
+# https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target (Announcement of changes to be made to dependabot pull requests)
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ (Recommended security mitigations by GitHub)
+# https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425 (Ongoing GitHub issues by users in response to the changes)
+
 name: Node.js CI
 
 on:
@@ -16,21 +22,16 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [12.x]
+        node-version: [14.x]
 
     steps:
-      - uses: actions/checkout@v2
-      - name: Cache artifacts such as dependencies and build outputs
-        uses: actions/cache@v2
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-node-
+      - uses: actions/checkout@v2.3.4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v2.1.2
+        uses: actions/setup-node@v2.2.0
         with:
           node-version: ${{ matrix.node-version }}
+          check-latest: true
+          cache: npm
       - run: npm ci
       - run: npm run build --if-present
       - run: npm test
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,7 @@
 # With comments to aid in my learning of docker.
 
 # To use official nodejs base docker image.
-FROM node:12
+FROM node:lts
 
 # The working directory where any subsequent instructions in the Dockerfile will be executed on.
 WORKDIR /app
diff --git a/Dockerfile-ci b/Dockerfile-ci
@@ -2,7 +2,7 @@
 # With comments to aid in my learning of docker.
 
 # To use official nodejs base docker image.
-FROM node:12
+FROM node:lts
 
 # The working directory where any subsequent instructions in the Dockerfile will be executed on.
 WORKDIR /app
diff --git a/README.md b/README.md
@@ -1,8 +1,8 @@
 # Software Repository (API Backend)
 
 [![MIT License](https://img.shields.io/badge/license-MIT-blue)](https://github.com/learnsoftwaredevelopment/SoftwareRepository/blob/master/LICENSE)
-![GitHub Node.js CI](https://github.com/learnsoftwaredevelopment/SoftwareRepository/workflows/Node.js%20CI/badge.svg?branch=master)
-![App Container CI](https://github.com/learnsoftwaredevelopment/SoftwareRepository/workflows/App%20Container%20CI/badge.svg?branch=master)
+[![Node.js with docker db CI](https://github.com/learnsoftwaredevelopment/SoftwareRepository/actions/workflows/node.js-with-docker-db.yml/badge.svg)](https://github.com/learnsoftwaredevelopment/SoftwareRepository/actions/workflows/node.js-with-docker-db.yml)
+![App Container CI](https://github.com/learnsoftwaredevelopment/SoftwareRepository/actions/workflows/app-test-container-no-docker-cache.yml/badge.svg?branch=master)
 
 ## Introduction
 
@@ -169,7 +169,7 @@ A list of the technologies and frameworks used in this project
 
 ### Backend Technologies
 
-- Node.js (Node 12)
+- Node.js (Node.js LTS)
 - MongoDB
 - Firebase Authentication
 
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
