Merge branch 'master' into refactor-join-my-room

.github/dependabot.yml

@@ -88,6 +88,7 @@ updates:
       exclude-patterns:
         - "@vuepress/bundler-vite"
         - "eslint-plugin-vitest"
+        - "vite-plugin-checker"
     vue:
       applies-to: version-updates
       patterns:
@@ -161,6 +162,7 @@ updates:
       exclude-patterns:
         - "@vuepress/bundler-vite"
         - "eslint-plugin-vitest"
+        - "vite-plugin-checker"
     vue:
       applies-to: version-updates
       patterns:
@@ -234,6 +236,7 @@ updates:
       exclude-patterns:
         - "@vuepress/bundler-vite"
         - "eslint-plugin-vitest"
+        - "vite-plugin-checker"
     vue:
       applies-to: version-updates
       patterns:

.github/workflows/admin.deploy.chromatic.yml

@@ -10,10 +10,10 @@ jobs:
     env:
       CHROMATIC_PROJECT_TOKEN: ${{ secrets.CHROMATIC_PROJECT_TOKEN_ADMIN }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace # v4.0.3
         with:
           node-version-file: './.tool-versions'
       - name: Admin | Build

.github/workflows/admin.yml

@@ -9,56 +9,37 @@ jobs:
     outputs:
       admin: ${{ steps.filter.outputs.admin }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@v3.0.2
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: filter
         with:
           filters: |
             admin:
               - '.github/workflows/**/*'
               - 'admin/**/*'
+
   build:
     if: needs.files-changed.outputs.admin == 'true'
     name: Build - Admin
     needs: files-changed
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
+      - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace # v4.0.3
         with:
           node-version-file: './.tool-versions'
       - name: Admin | Build
         run: npm install && npm run build
         working-directory: ./admin
 
-  docker-production:
-    if: needs.files-changed.outputs.admin == 'true'
-    name: Build Docker Production - Admin
-    needs: files-changed
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Admin | Build Docker Production
-        run: docker compose -f docker-compose.yml build admin
-
-  docker-development:
-    if: needs.files-changed.outputs.admin == 'true'
-    name: Build Docker Development - Admin
-    needs: files-changed
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Admin | Build Docker Development
-        run: docker compose build admin admin-storybook
-
   storybook:
     if: needs.files-changed.outputs.admin == 'true'
     name: Build Storybook - Admin
     needs: files-changed
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
+      - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace # v4.0.3
         with:
           node-version-file: './.tool-versions'
       - name: Admin | Build Storybook
@@ -71,8 +52,8 @@ jobs:
     needs: files-changed
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
+      - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace # v4.0.3
         with:
           node-version-file: './.tool-versions'
       - name: Admin | Lint
@@ -85,8 +66,8 @@ jobs:
     needs: files-changed
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
+      - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace # v4.0.3
         with:
           node-version-file: './.tool-versions'
       - name: Admin | Unit

.github/workflows/backend.yml

@@ -9,8 +9,8 @@ jobs:
     outputs:
       backend: ${{ steps.filter.outputs.backend }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@v3.0.2
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: filter
         with:
           filters: |
@@ -24,42 +24,22 @@ jobs:
     needs: files-changed
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
+      - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace # v4.0.3
         with:
           node-version-file: './.tool-versions'
       - name: Backend | Build
         run: npm install && npm run build
         working-directory: ./backend
 
-  docker-production:
-    if: needs.files-changed.outputs.backend == 'true'
-    name: Build Docker Production - Backend
-    needs: files-changed
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Backend | Build Docker Production
-        run: docker compose -f docker-compose.yml build backend
-
-  docker-development:
-    if: needs.files-changed.outputs.backend == 'true'
-    name: Build Docker Development - Backend
-    needs: files-changed
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Backend | Build Docker Development
-        run: docker compose build backend
-
   lint:
     if: needs.files-changed.outputs.backend == 'true'
     name: Lint - Backend
     needs: files-changed
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
+      - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace # v4.0.3
         with:
           node-version-file: './.tool-versions'
       - name: Backend | Lint
@@ -74,8 +54,8 @@ jobs:
     env:
       DATABASE_URL: mysql://root:@localhost:3306/dreammall.earth
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
+      - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace # v4.0.3
         with:
           node-version-file: './.tool-versions'
       - name: Backend | docker-compose database

.github/workflows/deploy.docs.yml

@@ -12,12 +12,12 @@ jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
+      - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace # v4.0.3
         with:
           node-version-file: './.tool-versions'
       - name: vuepress-deploy
-        uses: IT4Change/vuepress-build-and-deploy@master
+        uses: IT4Change/vuepress-build-and-deploy@b7244880d4eecbdd2fc984e71b888f7eb5b2ba48 # v1.9.0
         env:
           ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           #TARGET_REPO: username/repo

.github/workflows/deployment.yml

@@ -0,0 +1,86 @@
+name: Push/Deploy
+
+on: push
+
+jobs:
+  build-and-push-images:
+    strategy:
+      matrix:
+        folder: [authentik, admin, backend, frontend, presenter]
+    runs-on: ubuntu-latest
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}/${{ matrix.folder }}
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
+      - name: Log in to the Container registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@60a0d343a0d8a18aedee9d34e62251f752153bdb
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=schedule
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha
+      - name: Build and push Docker images
+        id: push
+        uses: docker/build-push-action@a8d35412fb758de9162fd63e3fa3f0942bdedb4d
+        with:
+          context: ${{ matrix.folder }}
+          target: production
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      # This will clutter our packages. I think it's fine to leave that out:
+      # https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
+      #
+      # - name: Generate artifact attestation
+      #   uses: actions/attest-build-provenance@210c1913531870065f03ce1f9440dd87bc0938cd # v1.4.0
+      #   with:
+      #     subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+      #     subject-digest: ${{ steps.push.outputs.digest }}
+      #     push-to-registry: true
+
+  deploy-to-kubernetes:
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/master'
+    needs: build-and-push-images
+    steps:
+      - uses: mdgreenwald/mozilla-sops-action@d9714e521cbaecdae64a89d2fdd576dd2aa97056 # v1.6.0
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
+      - run: |
+          mkdir -p ~/.config/sops/age
+          echo $SOPS_KEY | base64 --decode > ~/.config/sops/age/keys.txt
+        env:
+          SOPS_KEY: ${{ secrets.SOPS_KEY }}
+      - run: |
+          mkdir -p ~/.kube
+          sops decrypt ./infrastructure/helmfile/secrets/kubeconfig > ~/.kube/config
+      - run: echo "IMAGE_TAG=sha-$(echo $GITHUB_SHA | cut -c 1-7)" >> $GITHUB_ENV
+      - uses: helmfile/helmfile-action@314e6f498c8fb72ae64ed6f526e992a6a9a90e32 #v1.9.1
+        with:
+          helmfile-args: apply --environment master
+          helmfile-workdirectory: ./infrastructure/helmfile
+          helm-plugins: >
+            https://github.com/databus23/helm-diff,
+            https://github.com/jkroepke/helm-secrets
+
+

.github/workflows/e2e.run.tests.yml

@@ -7,16 +7,15 @@ jobs:
     name: Run all E2E tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace # v4.0.3
         with:
           node-version-file: './.tool-versions'
 
       - name: E2E | Boot up test system
         run: |
-          docker compose up -d --wait database authentik
-          docker compose exec -T postgresql psql authentik --username authentik < authentik/dump.sql
+          docker compose up -d --wait database authentik authentik-worker
           cd backend
           cp .env.dist .env
           npm install
@@ -25,10 +24,12 @@ jobs:
           npm run start &
           cd ../frontend
           cp .env.dist .env
+          rm .env.production
           npm install
           npm run prod &
           cd  ../presenter
           cp .env.dist .env
+          rm .env.production
           export PORT=3001
           npm install
           npm run prod &
@@ -41,7 +42,7 @@ jobs:
 
       - name: E2E | Run all tests
         id: e2e-run
-        uses: cypress-io/github-action@v6
+        uses: cypress-io/github-action@689551a1df6a10c75be61ae30b642cb84fb8164c # v6.7.2
         with:
           working-directory: tests
 
@@ -54,12 +55,12 @@ jobs:
 
       - name: Get PR number
         if: ${{ failure() && steps.e2e-run.conclusion == 'failure' }}
-        uses: jwalton/gh-find-current-pr@master
+        uses: jwalton/gh-find-current-pr@89ee5799558265a1e0e31fab792ebb4ee91c016b # v1.3.3
         id: pr-number
 
       - name: E2E | if tests failed, upload report
         if: ${{ failure() && steps.e2e-run.conclusion == 'failure' }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: dreammall-e2e-test-report-pr-${{ steps.pr-number.outputs.pr }}
           path: /home/runner/work/dreammall.earth/dreammall.earth/tests/cypress/reports/dreammall-e2e_html_report

.github/workflows/e2e.yml

@@ -9,8 +9,8 @@ jobs:
     outputs:
       e2e: ${{ steps.filter.outputs.e2e }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@v3.0.2
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: filter
         with:
           filters: |
@@ -24,9 +24,9 @@ jobs:
     needs: files-changed
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace # v4.0.3
         with:
           node-version-file: './.tool-versions'
 

.github/workflows/frontend.deploy.chromatic.yml

@@ -10,10 +10,10 @@ jobs:
     env:
       CHROMATIC_PROJECT_TOKEN: ${{ secrets.CHROMATIC_PROJECT_TOKEN_FRONTEND }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v4.1.7
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@26961cf329f22f6837d5f54c3efd76b480300ace # v4.0.3
         with:
           node-version-file: './.tool-versions'
       - name: Frontend | Build