From 04d3618b3332c1dfebab848e30111664b086b5fd Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 28 Apr 2026 13:28:06 +0300 Subject: [PATCH 01/25] feat(HII-13198): add security vulnerabilities check --- .../nodejs-generic-api/test-unit/action.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index e41f799a..90753faa 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -93,6 +93,14 @@ runs: shell: bash run: npm run test:cov + - name: Vulnerability scan + uses: extenda/actions/trivy-scan@v0 + with: + image: eu.gcr.io/extenda/security:${{ github.sha }} + service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} + fail-on-vulnerabilities: true + notify-slack-on-vulnerabilities: false + - name: Analyze with SonarCloud uses: extenda/actions/sonar-scanner@v0 with: From d2182199434ccad3011a3d18026e3db9f93f696c Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 28 Apr 2026 13:36:25 +0300 Subject: [PATCH 02/25] fix(HII-13198): fix copilot review --- composite-actions/nodejs-generic-api/test-unit/action.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 90753faa..52741dde 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -7,6 +7,10 @@ inputs: GCLOUD_AUTH: description: "GCP Auth (staging)" required: false + vulnerability-scan-image: + description: "Container image to scan for vulnerabilities" + required: false + default: eu.gcr.io/extenda/security:${{ github.sha }} slack-channel: description: Name of the channel to notify failing action required: false @@ -96,7 +100,7 @@ runs: - name: Vulnerability scan uses: extenda/actions/trivy-scan@v0 with: - image: eu.gcr.io/extenda/security:${{ github.sha }} + image: ${{ inputs.vulnerability-scan-image }} service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} fail-on-vulnerabilities: true notify-slack-on-vulnerabilities: false From c583beecf410ccef89b888076d2e39a956c84d12 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 28 Apr 2026 13:50:29 +0300 Subject: [PATCH 03/25] test(HII-13198): test new check in pipeline --- .../nodejs-generic-api/test-unit/action.yaml | 21 ++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 52741dde..2d8f1b88 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -10,7 +10,6 @@ inputs: vulnerability-scan-image: description: "Container image to scan for vulnerabilities" required: false - default: eu.gcr.io/extenda/security:${{ github.sha }} slack-channel: description: Name of the channel to notify failing action required: false @@ -45,7 +44,7 @@ runs: - uses: extenda/actions/setup-gcloud@v0 id: gcloud with: - service-account-key: ${{ inputs.GCLOUD_AUTH }} + service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} - name: GCloud configure-docker shell: bash @@ -97,10 +96,26 @@ runs: shell: bash run: npm run test:cov + - name: Resolve vulnerability scan image + id: scan-image + shell: bash + run: | + if [ -n "${{ inputs.vulnerability-scan-image }}" ]; then + echo "image=${{ inputs.vulnerability-scan-image }}" >> "$GITHUB_OUTPUT" + elif [ -n "${IMAGE_NAME:-}" ]; then + echo "image=${IMAGE_NAME}:${GITHUB_SHA}" >> "$GITHUB_OUTPUT" + elif [ -n "${GITHUB_REPOSITORY#*/}" ]; then + echo "image=eu.gcr.io/extenda/${GITHUB_REPOSITORY#*/}:${GITHUB_SHA}" >> "$GITHUB_OUTPUT" + else + echo "Unable to resolve vulnerability scan image." + echo "Provide inputs.vulnerability-scan-image or set IMAGE_NAME in the caller workflow." + exit 1 + fi + - name: Vulnerability scan uses: extenda/actions/trivy-scan@v0 with: - image: ${{ inputs.vulnerability-scan-image }} + image: ${{ steps.scan-image.outputs.image }} service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} fail-on-vulnerabilities: true notify-slack-on-vulnerabilities: false From e79fb7d91b187f23e7633949fe3ca56fc0d79070 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 28 Apr 2026 13:59:02 +0300 Subject: [PATCH 04/25] test(HII-13198): test new check in pipeline --- .../nodejs-generic-api/test-unit/README.md | 11 +++++ .../nodejs-generic-api/test-unit/action.yaml | 42 +++++++++++++++---- 2 files changed, 44 insertions(+), 9 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/README.md b/composite-actions/nodejs-generic-api/test-unit/README.md index d8302dba..536c6711 100644 --- a/composite-actions/nodejs-generic-api/test-unit/README.md +++ b/composite-actions/nodejs-generic-api/test-unit/README.md @@ -6,9 +6,13 @@ This is typical action, to run tests in nodejs api application. ```yaml - uses: extenda/shared-workflows/composite-actions/nodejs-generic-api/test-unit@master + env: + IMAGE_NAME: eu.gcr.io/extenda/att-api with: GCLOUD_AUTH: ${{ secrets.GCLOUD_AUTH_STAGING }} SECRET_AUTH: ${{ secrets.SECRET_AUTH }} + # Optional override if your image naming differs + # vulnerability-scan-image: eu.gcr.io/extenda/att-api:${{ github.sha }} ``` ### Requirements @@ -20,3 +24,10 @@ This is typical action, to run tests in nodejs api application. - You must set Node.js version in `.nvmrc` file. - You should have a ```npm run check-openapi-schema``` script, to test you openapi schema. - You should have a ```npm run ts:check``` script, to check, whether your typescript code is valid. +- Vulnerability scan image resolution order is: + 1) ``vulnerability-scan-image`` + 2) ``${IMAGE_NAME}:${GITHUB_SHA}`` + 3) ``eu.gcr.io/extenda/${GITHUB_REPOSITORY#*/}:${GITHUB_SHA}`` + 4) ``eu.gcr.io/extenda/security:${GITHUB_SHA}`` +- The action checks local Docker first, then tries to pull each candidate from registry. +- If no candidate image can be found, the job fails. diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 2d8f1b88..9f9b6148 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -100,18 +100,42 @@ runs: id: scan-image shell: bash run: | + CANDIDATES=() + if [ -n "${{ inputs.vulnerability-scan-image }}" ]; then - echo "image=${{ inputs.vulnerability-scan-image }}" >> "$GITHUB_OUTPUT" - elif [ -n "${IMAGE_NAME:-}" ]; then - echo "image=${IMAGE_NAME}:${GITHUB_SHA}" >> "$GITHUB_OUTPUT" - elif [ -n "${GITHUB_REPOSITORY#*/}" ]; then - echo "image=eu.gcr.io/extenda/${GITHUB_REPOSITORY#*/}:${GITHUB_SHA}" >> "$GITHUB_OUTPUT" - else - echo "Unable to resolve vulnerability scan image." - echo "Provide inputs.vulnerability-scan-image or set IMAGE_NAME in the caller workflow." - exit 1 + CANDIDATES+=("${{ inputs.vulnerability-scan-image }}") + fi + + if [ -n "${IMAGE_NAME:-}" ]; then + CANDIDATES+=("${IMAGE_NAME}:${GITHUB_SHA}") fi + if [ -n "${GITHUB_REPOSITORY#*/}" ]; then + CANDIDATES+=("eu.gcr.io/extenda/${GITHUB_REPOSITORY#*/}:${GITHUB_SHA}") + fi + + # Common shared security image fallback used across projects. + CANDIDATES+=("eu.gcr.io/extenda/security:${GITHUB_SHA}") + + for IMAGE in "${CANDIDATES[@]}"; do + echo "Trying vulnerability scan image: ${IMAGE}" + if docker image inspect "${IMAGE}" >/dev/null 2>&1; then + echo "image=${IMAGE}" >> "$GITHUB_OUTPUT" + exit 0 + fi + if docker pull "${IMAGE}" >/dev/null 2>&1; then + echo "image=${IMAGE}" >> "$GITHUB_OUTPUT" + exit 0 + fi + done + + echo "Unable to locate a vulnerability scan image for ${GITHUB_SHA}." + echo "Tried:" + for IMAGE in "${CANDIDATES[@]}"; do + echo "- ${IMAGE}" + done + exit 1 + - name: Vulnerability scan uses: extenda/actions/trivy-scan@v0 with: From 7d229a9eb307e5f1ed0fc908b405bf56952585ac Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 28 Apr 2026 14:07:24 +0300 Subject: [PATCH 05/25] test(HII-13198): test new check in pipeline --- .../nodejs-generic-api/test-unit/action.yaml | 51 ++++++++----------- 1 file changed, 22 insertions(+), 29 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 9f9b6148..17cff31f 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -96,45 +96,38 @@ runs: shell: bash run: npm run test:cov - - name: Resolve vulnerability scan image + - name: Build vulnerability scan image id: scan-image shell: bash run: | - CANDIDATES=() - + IMAGE="" if [ -n "${{ inputs.vulnerability-scan-image }}" ]; then - CANDIDATES+=("${{ inputs.vulnerability-scan-image }}") + IMAGE="${{ inputs.vulnerability-scan-image }}" + elif [ -n "${IMAGE_NAME:-}" ]; then + IMAGE="${IMAGE_NAME}:${GITHUB_SHA}" + elif [ -n "${GITHUB_REPOSITORY#*/}" ]; then + IMAGE="eu.gcr.io/extenda/${GITHUB_REPOSITORY#*/}:${GITHUB_SHA}" + fi + + if [ -z "${IMAGE}" ]; then + echo "Unable to resolve vulnerability scan image tag." + echo "Provide inputs.vulnerability-scan-image or set IMAGE_NAME in the caller workflow." + exit 1 fi - if [ -n "${IMAGE_NAME:-}" ]; then - CANDIDATES+=("${IMAGE_NAME}:${GITHUB_SHA}") + if [ ! -f Dockerfile ]; then + echo "No Dockerfile found in repository root." + exit 1 fi - if [ -n "${GITHUB_REPOSITORY#*/}" ]; then - CANDIDATES+=("eu.gcr.io/extenda/${GITHUB_REPOSITORY#*/}:${GITHUB_SHA}") + echo "Building local image for vulnerability scan: ${IMAGE}" + docker build -t "${IMAGE}" . + if ! docker image inspect "${IMAGE}" >/dev/null 2>&1; then + echo "Failed to build image ${IMAGE}." + exit 1 fi - # Common shared security image fallback used across projects. - CANDIDATES+=("eu.gcr.io/extenda/security:${GITHUB_SHA}") - - for IMAGE in "${CANDIDATES[@]}"; do - echo "Trying vulnerability scan image: ${IMAGE}" - if docker image inspect "${IMAGE}" >/dev/null 2>&1; then - echo "image=${IMAGE}" >> "$GITHUB_OUTPUT" - exit 0 - fi - if docker pull "${IMAGE}" >/dev/null 2>&1; then - echo "image=${IMAGE}" >> "$GITHUB_OUTPUT" - exit 0 - fi - done - - echo "Unable to locate a vulnerability scan image for ${GITHUB_SHA}." - echo "Tried:" - for IMAGE in "${CANDIDATES[@]}"; do - echo "- ${IMAGE}" - done - exit 1 + echo "image=${IMAGE}" >> "$GITHUB_OUTPUT" - name: Vulnerability scan uses: extenda/actions/trivy-scan@v0 From 763b061f4f53a5f2c3f5dc608ecc1dc9d6975552 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 28 Apr 2026 14:21:02 +0300 Subject: [PATCH 06/25] test(HII-13198): test new check in pipeline --- .../nodejs-generic-api/test-unit/action.yaml | 29 ++++++------------- 1 file changed, 9 insertions(+), 20 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 17cff31f..86e11ac7 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -7,9 +7,6 @@ inputs: GCLOUD_AUTH: description: "GCP Auth (staging)" required: false - vulnerability-scan-image: - description: "Container image to scan for vulnerabilities" - required: false slack-channel: description: Name of the channel to notify failing action required: false @@ -59,7 +56,7 @@ runs: env: cache-name: cache-sonar-binary with: - path: /home/runner/.sonar/native-sonar-scanner + path: /home/runner/.sonar/cache key: ${{ runner.os }}-cache-sonar-binary restore-keys: | ${{ runner.os }}-build-${{ env.cache-name }} @@ -100,34 +97,26 @@ runs: id: scan-image shell: bash run: | - IMAGE="" - if [ -n "${{ inputs.vulnerability-scan-image }}" ]; then - IMAGE="${{ inputs.vulnerability-scan-image }}" - elif [ -n "${IMAGE_NAME:-}" ]; then - IMAGE="${IMAGE_NAME}:${GITHUB_SHA}" - elif [ -n "${GITHUB_REPOSITORY#*/}" ]; then - IMAGE="eu.gcr.io/extenda/${GITHUB_REPOSITORY#*/}:${GITHUB_SHA}" - fi + IMAGE="${IMAGE_NAME:+${IMAGE_NAME}:${GITHUB_SHA}}" - if [ -z "${IMAGE}" ]; then + if [ -z "$IMAGE" ]; then echo "Unable to resolve vulnerability scan image tag." - echo "Provide inputs.vulnerability-scan-image or set IMAGE_NAME in the caller workflow." + echo "Set IMAGE_NAME in the caller workflow." exit 1 fi - if [ ! -f Dockerfile ]; then + if [ ! -f "Dockerfile" ]; then echo "No Dockerfile found in repository root." exit 1 fi - echo "Building local image for vulnerability scan: ${IMAGE}" - docker build -t "${IMAGE}" . - if ! docker image inspect "${IMAGE}" >/dev/null 2>&1; then - echo "Failed to build image ${IMAGE}." + echo "Building local image for vulnerability scan: $IMAGE" + if ! docker build --quiet -t "$IMAGE" .; then + echo "Failed to build image $IMAGE." exit 1 fi - echo "image=${IMAGE}" >> "$GITHUB_OUTPUT" + echo "image=$IMAGE" >> "$GITHUB_OUTPUT" - name: Vulnerability scan uses: extenda/actions/trivy-scan@v0 From d063f1aa91ca1f89630e9ab12a8508adfe90cb55 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 28 Apr 2026 14:35:09 +0300 Subject: [PATCH 07/25] test(HII-13198): test new check in pipeline --- .../nodejs-generic-api/test-unit/README.md | 16 +++++++--------- .../nodejs-generic-api/test-unit/action.yaml | 2 +- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/README.md b/composite-actions/nodejs-generic-api/test-unit/README.md index 536c6711..1568b94d 100644 --- a/composite-actions/nodejs-generic-api/test-unit/README.md +++ b/composite-actions/nodejs-generic-api/test-unit/README.md @@ -11,8 +11,9 @@ This is typical action, to run tests in nodejs api application. with: GCLOUD_AUTH: ${{ secrets.GCLOUD_AUTH_STAGING }} SECRET_AUTH: ${{ secrets.SECRET_AUTH }} - # Optional override if your image naming differs - # vulnerability-scan-image: eu.gcr.io/extenda/att-api:${{ github.sha }} + # Optional + # slack-channel: team-ci-alerts + # notify-slack-on-fail: true ``` ### Requirements @@ -24,10 +25,7 @@ This is typical action, to run tests in nodejs api application. - You must set Node.js version in `.nvmrc` file. - You should have a ```npm run check-openapi-schema``` script, to test you openapi schema. - You should have a ```npm run ts:check``` script, to check, whether your typescript code is valid. -- Vulnerability scan image resolution order is: - 1) ``vulnerability-scan-image`` - 2) ``${IMAGE_NAME}:${GITHUB_SHA}`` - 3) ``eu.gcr.io/extenda/${GITHUB_REPOSITORY#*/}:${GITHUB_SHA}`` - 4) ``eu.gcr.io/extenda/security:${GITHUB_SHA}`` -- The action checks local Docker first, then tries to pull each candidate from registry. -- If no candidate image can be found, the job fails. +- Set `IMAGE_NAME` in workflow `env`. +- The action builds one local image in the test job using `docker build --quiet -t "${IMAGE_NAME}:${GITHUB_SHA}" .`. +- Trivy scans this locally built image (`${IMAGE_NAME}:${GITHUB_SHA}`). +- The job fails if `IMAGE_NAME` is missing, `Dockerfile` is missing, or local image build fails. diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 86e11ac7..7f857fd0 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -101,7 +101,7 @@ runs: if [ -z "$IMAGE" ]; then echo "Unable to resolve vulnerability scan image tag." - echo "Set IMAGE_NAME in the caller workflow." + echo "Set IMAGE_NAME in caller workflow." exit 1 fi From 07a6dc2939e3fab76ce35a0095cb574c4895e252 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Wed, 29 Apr 2026 13:37:18 +0300 Subject: [PATCH 08/25] fix(HII-13198): fix security vulnerabilities --- composite-actions/nodejs-generic-api/test-unit/action.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 7f857fd0..d4e3425c 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -41,7 +41,7 @@ runs: - uses: extenda/actions/setup-gcloud@v0 id: gcloud with: - service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} + service-account-key: ${{ inputs.GCLOUD_AUTH }} - name: GCloud configure-docker shell: bash @@ -122,7 +122,7 @@ runs: uses: extenda/actions/trivy-scan@v0 with: image: ${{ steps.scan-image.outputs.image }} - service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} + service-account-key: ${{ inputs.GCLOUD_AUTH }} fail-on-vulnerabilities: true notify-slack-on-vulnerabilities: false From f10e9e6b7a4e05386693635fc247b2eeac02c725 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Thu, 30 Apr 2026 14:23:11 +0300 Subject: [PATCH 09/25] test(HII-13198): test security vulnerabilities --- composite-actions/nodejs-generic-api/test-unit/action.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index d4e3425c..ba6c53cc 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -112,6 +112,8 @@ runs: echo "Building local image for vulnerability scan: $IMAGE" if ! docker build --quiet -t "$IMAGE" .; then + echo "Initial quiet Docker build failed. Retrying with full logs for debugging..." + docker build -t "$IMAGE" . echo "Failed to build image $IMAGE." exit 1 fi From 353fbaca67a5d8d110359e036831051cf553ffb3 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 5 May 2026 15:51:52 +0300 Subject: [PATCH 10/25] test(HII-13198): test security vulnerabilities --- .../nodejs-generic-api/test-unit/action.yaml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index ba6c53cc..c158acfd 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -34,6 +34,7 @@ runs: - name: Copy test .env files shell: bash run: cp test/example.env .env + - name: Copy .env files shell: bash run: find . -type f -name '*example.env' -execdir mv {} .env ';' @@ -70,7 +71,7 @@ runs: shell: bash run: | echo "@hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/" > .npmrc - npm run auth -- --credential-config=./.npmrc + npm run auth -- --credential-config=./.npmrc - name: Install dependencies if: steps.cache-node-modules.outputs.cache-hit != 'true' @@ -110,10 +111,20 @@ runs: exit 1 fi + export DOCKER_BUILDKIT=1 + + BUILD_ARGS=() + if [ -f ".npmrc" ]; then + echo "Detected .npmrc, mounting as BuildKit secret." + BUILD_ARGS+=(--secret id=npmrc,src=.npmrc) + else + echo "No .npmrc found, building without npm secret." + fi + echo "Building local image for vulnerability scan: $IMAGE" - if ! docker build --quiet -t "$IMAGE" .; then + if ! docker build "${BUILD_ARGS[@]}" --quiet -t "$IMAGE" .; then echo "Initial quiet Docker build failed. Retrying with full logs for debugging..." - docker build -t "$IMAGE" . + docker build "${BUILD_ARGS[@]}" -t "$IMAGE" . echo "Failed to build image $IMAGE." exit 1 fi @@ -143,4 +154,4 @@ runs: *Unit test failed for ${{ github.repository }}: ${{ github.workflow }}* :heavy_exclamation_mark: Test failed on ${{ github.event_name }} event. Workflow: ${{ github.workflow }}. Job: ${{github.job}}. Run id: channel: ${{ inputs.slack-channel }} - service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} + service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} \ No newline at end of file From 7e0eb69cadd6e37566b7c585d7e90f5dd21b0b78 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 5 May 2026 16:16:04 +0300 Subject: [PATCH 11/25] test(HII-13198): test security vulnerabilities --- .../nodejs-generic-api/test-unit/action.yaml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index c158acfd..a1f02e81 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -70,8 +70,13 @@ runs: - name: Run NPM auth script shell: bash run: | - echo "@hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/" > .npmrc - npm run auth -- --credential-config=./.npmrc + cat > .npmrc <<'EOF' + @hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/ + //europe-west1-npm.pkg.dev/extenda/npm/:always-auth=true + EOF + + npx --yes google-artifactregistry-auth --repo-config=.npmrc --credential-config=.npmrc + rg "_authToken|_auth=" .npmrc >/dev/null || (echo "No npm credentials written to .npmrc" && exit 1) - name: Install dependencies if: steps.cache-node-modules.outputs.cache-hit != 'true' @@ -111,6 +116,11 @@ runs: exit 1 fi + rg "_authToken|_auth=" .npmrc >/dev/null || { + echo ".npmrc does not contain auth token entries required for private npm packages." + exit 1 + } + export DOCKER_BUILDKIT=1 BUILD_ARGS=() @@ -154,4 +164,4 @@ runs: *Unit test failed for ${{ github.repository }}: ${{ github.workflow }}* :heavy_exclamation_mark: Test failed on ${{ github.event_name }} event. Workflow: ${{ github.workflow }}. Job: ${{github.job}}. Run id: channel: ${{ inputs.slack-channel }} - service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} \ No newline at end of file + service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} From 5016cc35a158077a2dd7bba5295dbd3fcbfd1bfe Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 5 May 2026 16:20:58 +0300 Subject: [PATCH 12/25] test(HII-13198): test security vulnerabilities --- .../nodejs-generic-api/test-unit/action.yaml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index a1f02e81..347b0e9a 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -72,11 +72,14 @@ runs: run: | cat > .npmrc <<'EOF' @hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/ - //europe-west1-npm.pkg.dev/extenda/npm/:always-auth=true EOF npx --yes google-artifactregistry-auth --repo-config=.npmrc --credential-config=.npmrc - rg "_authToken|_auth=" .npmrc >/dev/null || (echo "No npm credentials written to .npmrc" && exit 1) + + if ! grep -Eq "_authToken|_auth=" .npmrc; then + echo "No npm credentials written to .npmrc" + exit 1 + fi - name: Install dependencies if: steps.cache-node-modules.outputs.cache-hit != 'true' @@ -116,10 +119,10 @@ runs: exit 1 fi - rg "_authToken|_auth=" .npmrc >/dev/null || { + if ! grep -Eq "_authToken|_auth=" .npmrc; then echo ".npmrc does not contain auth token entries required for private npm packages." exit 1 - } + fi export DOCKER_BUILDKIT=1 @@ -164,4 +167,4 @@ runs: *Unit test failed for ${{ github.repository }}: ${{ github.workflow }}* :heavy_exclamation_mark: Test failed on ${{ github.event_name }} event. Workflow: ${{ github.workflow }}. Job: ${{github.job}}. Run id: channel: ${{ inputs.slack-channel }} - service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} + service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} \ No newline at end of file From 08196f2e92afcc759d7b3a2823616d938b045038 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 5 May 2026 16:31:21 +0300 Subject: [PATCH 13/25] test(HII-13198): test security vulnerabilities --- .../nodejs-generic-api/test-unit/action.yaml | 28 +++++++++---------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 347b0e9a..a65a3222 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -70,14 +70,20 @@ runs: - name: Run NPM auth script shell: bash run: | + # Repo .npmrc: registry mapping only cat > .npmrc <<'EOF' @hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/ EOF - npx --yes google-artifactregistry-auth --repo-config=.npmrc --credential-config=.npmrc + # Write credentials to HOME npmrc (reliable location in CI) + npx --yes google-artifactregistry-auth --repo-config=.npmrc --credential-config="$HOME/.npmrc" - if ! grep -Eq "_authToken|_auth=" .npmrc; then - echo "No npm credentials written to .npmrc" + if grep -Eq "_authToken|_auth=" "$HOME/.npmrc"; then + echo "NPMRC_SECRET_FILE=$HOME/.npmrc" >> "$GITHUB_ENV" + elif grep -Eq "_authToken|_auth=" .npmrc; then + echo "NPMRC_SECRET_FILE=.npmrc" >> "$GITHUB_ENV" + else + echo "No npm credentials written to either \$HOME/.npmrc or ./.npmrc" exit 1 fi @@ -119,25 +125,17 @@ runs: exit 1 fi - if ! grep -Eq "_authToken|_auth=" .npmrc; then - echo ".npmrc does not contain auth token entries required for private npm packages." + if [ -z "${NPMRC_SECRET_FILE:-}" ] || [ ! -f "${NPMRC_SECRET_FILE}" ]; then + echo "NPMRC secret file is missing. Expected file: ${NPMRC_SECRET_FILE:-}" exit 1 fi export DOCKER_BUILDKIT=1 - BUILD_ARGS=() - if [ -f ".npmrc" ]; then - echo "Detected .npmrc, mounting as BuildKit secret." - BUILD_ARGS+=(--secret id=npmrc,src=.npmrc) - else - echo "No .npmrc found, building without npm secret." - fi - echo "Building local image for vulnerability scan: $IMAGE" - if ! docker build "${BUILD_ARGS[@]}" --quiet -t "$IMAGE" .; then + if ! docker build --secret id=npmrc,src="${NPMRC_SECRET_FILE}" --quiet -t "$IMAGE" .; then echo "Initial quiet Docker build failed. Retrying with full logs for debugging..." - docker build "${BUILD_ARGS[@]}" -t "$IMAGE" . + docker build --secret id=npmrc,src="${NPMRC_SECRET_FILE}" -t "$IMAGE" . echo "Failed to build image $IMAGE." exit 1 fi From 4b836c3daaa99e7888dd9703c6078b036a3dd203 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 5 May 2026 17:09:19 +0300 Subject: [PATCH 14/25] test(HII-13198): test security vulnerabilities --- .../nodejs-generic-api/test-unit/action.yaml | 25 ++++++------------- 1 file changed, 7 insertions(+), 18 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index a65a3222..40415a83 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -70,22 +70,16 @@ runs: - name: Run NPM auth script shell: bash run: | - # Repo .npmrc: registry mapping only + # Runtime .npmrc for this workspace (not committed) cat > .npmrc <<'EOF' @hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/ EOF - # Write credentials to HOME npmrc (reliable location in CI) - npx --yes google-artifactregistry-auth --repo-config=.npmrc --credential-config="$HOME/.npmrc" + # Write token into workspace .npmrc (backward-compatible for repos that COPY . .) + npx --yes google-artifactregistry-auth --repo-config=.npmrc --credential-config=.npmrc - if grep -Eq "_authToken|_auth=" "$HOME/.npmrc"; then - echo "NPMRC_SECRET_FILE=$HOME/.npmrc" >> "$GITHUB_ENV" - elif grep -Eq "_authToken|_auth=" .npmrc; then - echo "NPMRC_SECRET_FILE=.npmrc" >> "$GITHUB_ENV" - else - echo "No npm credentials written to either \$HOME/.npmrc or ./.npmrc" - exit 1 - fi + # Also mirror to HOME for tools that read ~/.npmrc + cp .npmrc "$HOME/.npmrc" - name: Install dependencies if: steps.cache-node-modules.outputs.cache-hit != 'true' @@ -125,17 +119,12 @@ runs: exit 1 fi - if [ -z "${NPMRC_SECRET_FILE:-}" ] || [ ! -f "${NPMRC_SECRET_FILE}" ]; then - echo "NPMRC secret file is missing. Expected file: ${NPMRC_SECRET_FILE:-}" - exit 1 - fi - export DOCKER_BUILDKIT=1 echo "Building local image for vulnerability scan: $IMAGE" - if ! docker build --secret id=npmrc,src="${NPMRC_SECRET_FILE}" --quiet -t "$IMAGE" .; then + if ! docker build --secret id=npmrc,src=.npmrc --quiet -t "$IMAGE" .; then echo "Initial quiet Docker build failed. Retrying with full logs for debugging..." - docker build --secret id=npmrc,src="${NPMRC_SECRET_FILE}" -t "$IMAGE" . + docker build --secret id=npmrc,src=.npmrc -t "$IMAGE" . echo "Failed to build image $IMAGE." exit 1 fi From faba3df98a3bc2ebe952ec6f00621b169a008657 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 5 May 2026 17:32:30 +0300 Subject: [PATCH 15/25] test(HII-13198): test security vulnerabilities --- composite-actions/nodejs-generic-api/test-unit/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 40415a83..63dedf44 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -70,7 +70,7 @@ runs: - name: Run NPM auth script shell: bash run: | - # Runtime .npmrc for this workspace (not committed) + # Runtime .npmrc for this workspace cat > .npmrc <<'EOF' @hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/ EOF From 30b5f4bdad130c788fc2018bd22995f0e6fca228 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 5 May 2026 17:39:16 +0300 Subject: [PATCH 16/25] fix(HII-13198): fixed copilot issue --- composite-actions/nodejs-generic-api/test-unit/action.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 63dedf44..46fe3842 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -70,7 +70,10 @@ runs: - name: Run NPM auth script shell: bash run: | - # Runtime .npmrc for this workspace + # Restrict permissions for credential files created in this step. + umask 077 + + # Runtime .npmrc for this workspace cat > .npmrc <<'EOF' @hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/ EOF @@ -79,7 +82,7 @@ runs: npx --yes google-artifactregistry-auth --repo-config=.npmrc --credential-config=.npmrc # Also mirror to HOME for tools that read ~/.npmrc - cp .npmrc "$HOME/.npmrc" + install -m 600 .npmrc "$HOME/.npmrc" - name: Install dependencies if: steps.cache-node-modules.outputs.cache-hit != 'true' From f4f7c1915557a0387b9e37cb81c97fe2094a703d Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Tue, 5 May 2026 17:43:56 +0300 Subject: [PATCH 17/25] fix(HII-13198): fixed copilot issue --- composite-actions/nodejs-generic-api/test-unit/action.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 46fe3842..6534f6ec 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -81,8 +81,10 @@ runs: # Write token into workspace .npmrc (backward-compatible for repos that COPY . .) npx --yes google-artifactregistry-auth --repo-config=.npmrc --credential-config=.npmrc - # Also mirror to HOME for tools that read ~/.npmrc - install -m 600 .npmrc "$HOME/.npmrc" + # Use dedicated npm user config without overwriting existing HOME config. + NPM_USERCONFIG="$RUNNER_TEMP/.npmrc" + install -m 600 .npmrc "$NPM_USERCONFIG" + echo "NPM_CONFIG_USERCONFIG=$NPM_USERCONFIG" >> "$GITHUB_ENV" - name: Install dependencies if: steps.cache-node-modules.outputs.cache-hit != 'true' From e4ec433760d606dfb87abaf95c25ce2d4dd1a33d Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Wed, 6 May 2026 11:30:02 +0300 Subject: [PATCH 18/25] test(HII-13198): test security vulnerabilities --- .../nodejs-generic-api/test-unit/action.yaml | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 6534f6ec..19fbb1d8 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -73,18 +73,15 @@ runs: # Restrict permissions for credential files created in this step. umask 077 - # Runtime .npmrc for this workspace + # Base npm config for this workspace and job-scoped user config. cat > .npmrc <<'EOF' @hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/ EOF + install -m 600 .npmrc "$RUNNER_TEMP/.npmrc" + echo "NPM_CONFIG_USERCONFIG=$RUNNER_TEMP/.npmrc" >> "$GITHUB_ENV" - # Write token into workspace .npmrc (backward-compatible for repos that COPY . .) - npx --yes google-artifactregistry-auth --repo-config=.npmrc --credential-config=.npmrc - - # Use dedicated npm user config without overwriting existing HOME config. - NPM_USERCONFIG="$RUNNER_TEMP/.npmrc" - install -m 600 .npmrc "$NPM_USERCONFIG" - echo "NPM_CONFIG_USERCONFIG=$NPM_USERCONFIG" >> "$GITHUB_ENV" + # Service-owned auth hook (if present) should populate npm credentials. + NPM_CONFIG_USERCONFIG="$RUNNER_TEMP/.npmrc" npm run auth --if-present - name: Install dependencies if: steps.cache-node-modules.outputs.cache-hit != 'true' @@ -127,9 +124,9 @@ runs: export DOCKER_BUILDKIT=1 echo "Building local image for vulnerability scan: $IMAGE" - if ! docker build --secret id=npmrc,src=.npmrc --quiet -t "$IMAGE" .; then + if ! docker build --secret id=npmrc,src="$RUNNER_TEMP/.npmrc" --quiet -t "$IMAGE" .; then echo "Initial quiet Docker build failed. Retrying with full logs for debugging..." - docker build --secret id=npmrc,src=.npmrc -t "$IMAGE" . + docker build --secret id=npmrc,src="$RUNNER_TEMP/.npmrc" -t "$IMAGE" . echo "Failed to build image $IMAGE." exit 1 fi @@ -140,7 +137,7 @@ runs: uses: extenda/actions/trivy-scan@v0 with: image: ${{ steps.scan-image.outputs.image }} - service-account-key: ${{ inputs.GCLOUD_AUTH }} + service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} fail-on-vulnerabilities: true notify-slack-on-vulnerabilities: false From c1150b4ef7c74dc3e214705b004b7ac1ad5fb603 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Wed, 6 May 2026 11:51:09 +0300 Subject: [PATCH 19/25] test(HII-13198): test security vulnerabilities --- composite-actions/nodejs-generic-api/test-unit/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 19fbb1d8..24b23ee7 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -137,7 +137,7 @@ runs: uses: extenda/actions/trivy-scan@v0 with: image: ${{ steps.scan-image.outputs.image }} - service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} + service-account-key: ${{ inputs.GCLOUD_AUTH }} fail-on-vulnerabilities: true notify-slack-on-vulnerabilities: false From 16e0661badeec6583fb58fa7bb60af75246d5d9a Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Wed, 6 May 2026 11:58:46 +0300 Subject: [PATCH 20/25] test(HII-13198): test security vulnerabilities --- .../nodejs-generic-api/test-unit/action.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 24b23ee7..c501ca4f 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -70,19 +70,18 @@ runs: - name: Run NPM auth script shell: bash run: | - # Restrict permissions for credential files created in this step. umask 077 - - # Base npm config for this workspace and job-scoped user config. - cat > .npmrc <<'EOF' + cat > "$RUNNER_TEMP/.npmrc" <<'EOF' @hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/ EOF - install -m 600 .npmrc "$RUNNER_TEMP/.npmrc" - echo "NPM_CONFIG_USERCONFIG=$RUNNER_TEMP/.npmrc" >> "$GITHUB_ENV" - # Service-owned auth hook (if present) should populate npm credentials. NPM_CONFIG_USERCONFIG="$RUNNER_TEMP/.npmrc" npm run auth --if-present + if ! grep -Eq "_authToken|_auth=" "$RUNNER_TEMP/.npmrc"; then + echo "No npm credentials written to $RUNNER_TEMP/.npmrc" + exit 1 + fi + - name: Install dependencies if: steps.cache-node-modules.outputs.cache-hit != 'true' shell: bash From ae8dfc15cef81cce1622d16819f411e5d32695b5 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Wed, 6 May 2026 12:02:40 +0300 Subject: [PATCH 21/25] test(HII-13198): test security vulnerabilities --- .../nodejs-generic-api/test-unit/action.yaml | 34 +++++++++++++++---- 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index c501ca4f..c9d095b8 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -1,5 +1,6 @@ name: "Run unit tests" description: "Run unit tests for the service" + inputs: SECRET_AUTH: description: "GCP Auth" @@ -15,6 +16,7 @@ inputs: default: false type: boolean required: false + runs: using: "composite" steps: @@ -70,15 +72,30 @@ runs: - name: Run NPM auth script shell: bash run: | + # Restrict permissions for credential files created in this step. umask 077 - cat > "$RUNNER_TEMP/.npmrc" <<'EOF' + + # Base npm config for this workspace. + cat > .npmrc <<'EOF' @hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/ EOF + # Prepare a job-scoped npmrc candidate. + install -m 600 .npmrc "$RUNNER_TEMP/.npmrc" + echo "NPM_CONFIG_USERCONFIG=$RUNNER_TEMP/.npmrc" >> "$GITHUB_ENV" + + # Service-owned auth hook (if present). NPM_CONFIG_USERCONFIG="$RUNNER_TEMP/.npmrc" npm run auth --if-present - if ! grep -Eq "_authToken|_auth=" "$RUNNER_TEMP/.npmrc"; then - echo "No npm credentials written to $RUNNER_TEMP/.npmrc" + # Detect where credentials were actually written. + if grep -Eq "_authToken|_auth=" "$RUNNER_TEMP/.npmrc"; then + echo "NPMRC_SECRET_FILE=$RUNNER_TEMP/.npmrc" >> "$GITHUB_ENV" + elif [ -f "$HOME/.npmrc" ] && grep -Eq "_authToken|_auth=" "$HOME/.npmrc"; then + echo "NPMRC_SECRET_FILE=$HOME/.npmrc" >> "$GITHUB_ENV" + elif grep -Eq "_authToken|_auth=" .npmrc; then + echo "NPMRC_SECRET_FILE=.npmrc" >> "$GITHUB_ENV" + else + echo "No npm credentials found in RUNNER_TEMP, HOME, or workspace .npmrc" exit 1 fi @@ -120,12 +137,17 @@ runs: exit 1 fi + if [ -z "${NPMRC_SECRET_FILE:-}" ] || [ ! -f "${NPMRC_SECRET_FILE}" ]; then + echo "NPMRC secret file is missing. Expected: ${NPMRC_SECRET_FILE:-}" + exit 1 + fi + export DOCKER_BUILDKIT=1 echo "Building local image for vulnerability scan: $IMAGE" - if ! docker build --secret id=npmrc,src="$RUNNER_TEMP/.npmrc" --quiet -t "$IMAGE" .; then + if ! docker build --secret id=npmrc,src="${NPMRC_SECRET_FILE}" --quiet -t "$IMAGE" .; then echo "Initial quiet Docker build failed. Retrying with full logs for debugging..." - docker build --secret id=npmrc,src="$RUNNER_TEMP/.npmrc" -t "$IMAGE" . + docker build --secret id=npmrc,src="${NPMRC_SECRET_FILE}" -t "$IMAGE" . echo "Failed to build image $IMAGE." exit 1 fi @@ -153,6 +175,6 @@ runs: with: text: | *Unit test failed for ${{ github.repository }}: ${{ github.workflow }}* :heavy_exclamation_mark: - Test failed on ${{ github.event_name }} event. Workflow: ${{ github.workflow }}. Job: ${{github.job}}. Run id: + Test failed on ${{ github.event_name }} event. Workflow: ${{ github.workflow }}. Job: ${{ github.job }}. Run id: channel: ${{ inputs.slack-channel }} service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} \ No newline at end of file From 8de12348c13d1703dec3668b9a3c48c18454b216 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Wed, 6 May 2026 12:24:14 +0300 Subject: [PATCH 22/25] test(HII-13198): test security vulnerabilities --- .../nodejs-generic-api/test-unit/action.yaml | 48 ++++++++++++------- 1 file changed, 31 insertions(+), 17 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index c9d095b8..8fd98f78 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -72,33 +72,45 @@ runs: - name: Run NPM auth script shell: bash run: | - # Restrict permissions for credential files created in this step. umask 077 - # Base npm config for this workspace. + # Workspace npm config with private registry mapping. cat > .npmrc <<'EOF' @hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/ EOF - # Prepare a job-scoped npmrc candidate. + # Candidate npmrc for secret mounting. install -m 600 .npmrc "$RUNNER_TEMP/.npmrc" - echo "NPM_CONFIG_USERCONFIG=$RUNNER_TEMP/.npmrc" >> "$GITHUB_ENV" - # Service-owned auth hook (if present). + # Service-owned auth hook. Some repos write token to different npmrc paths. NPM_CONFIG_USERCONFIG="$RUNNER_TEMP/.npmrc" npm run auth --if-present - # Detect where credentials were actually written. + # Resolve where credentials actually ended up. if grep -Eq "_authToken|_auth=" "$RUNNER_TEMP/.npmrc"; then - echo "NPMRC_SECRET_FILE=$RUNNER_TEMP/.npmrc" >> "$GITHUB_ENV" + AUTH_NPMRC="$RUNNER_TEMP/.npmrc" elif [ -f "$HOME/.npmrc" ] && grep -Eq "_authToken|_auth=" "$HOME/.npmrc"; then - echo "NPMRC_SECRET_FILE=$HOME/.npmrc" >> "$GITHUB_ENV" - elif grep -Eq "_authToken|_auth=" .npmrc; then - echo "NPMRC_SECRET_FILE=.npmrc" >> "$GITHUB_ENV" + AUTH_NPMRC="$HOME/.npmrc" + elif grep -Eq "_authToken|_auth=" ".npmrc"; then + AUTH_NPMRC=".npmrc" else echo "No npm credentials found in RUNNER_TEMP, HOME, or workspace .npmrc" exit 1 fi + echo "NPMRC_SECRET_FILE=$AUTH_NPMRC" >> "$GITHUB_ENV" + + # Ensure workspace .npmrc has credentials too (legacy Dockerfiles use COPY . . then npm ci). + if [ "$AUTH_NPMRC" != ".npmrc" ]; then + cat "$AUTH_NPMRC" > .npmrc + fi + + # Extract token for legacy Dockerfile build-arg fallback. + TOKEN_LINE="$(grep -E '//europe-west1-npm\.pkg\.dev/extenda/npm/:(_authToken|_auth)=' "$AUTH_NPMRC" | head -n 1 || true)" + if [ -n "$TOKEN_LINE" ]; then + TOKEN_VALUE="${TOKEN_LINE#*=}" + echo "NPM_TOKEN=$TOKEN_VALUE" >> "$GITHUB_ENV" + fi + - name: Install dependencies if: steps.cache-node-modules.outputs.cache-hit != 'true' shell: bash @@ -137,17 +149,19 @@ runs: exit 1 fi - if [ -z "${NPMRC_SECRET_FILE:-}" ] || [ ! -f "${NPMRC_SECRET_FILE}" ]; then - echo "NPMRC secret file is missing. Expected: ${NPMRC_SECRET_FILE:-}" - exit 1 - fi - export DOCKER_BUILDKIT=1 + BUILD_ARGS=(--secret id=npmrc,src="${NPMRC_SECRET_FILE}") + + # Legacy fallback for Dockerfiles that do plain `RUN npm ci` (no secret mount). + if [ -n "${NPM_TOKEN:-}" ]; then + BUILD_ARGS+=(--build-arg "NPM_TOKEN=${NPM_TOKEN}") + fi + echo "Building local image for vulnerability scan: $IMAGE" - if ! docker build --secret id=npmrc,src="${NPMRC_SECRET_FILE}" --quiet -t "$IMAGE" .; then + if ! docker build "${BUILD_ARGS[@]}" --quiet -t "$IMAGE" .; then echo "Initial quiet Docker build failed. Retrying with full logs for debugging..." - docker build --secret id=npmrc,src="${NPMRC_SECRET_FILE}" -t "$IMAGE" . + docker build "${BUILD_ARGS[@]}" -t "$IMAGE" . echo "Failed to build image $IMAGE." exit 1 fi From 62641294a806a9eacbc6d369b234298acc54f739 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Wed, 6 May 2026 12:57:45 +0300 Subject: [PATCH 23/25] test(HII-13198): test security vulnerabilities --- .../nodejs-generic-api/test-unit/action.yaml | 51 +++++-------------- 1 file changed, 12 insertions(+), 39 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 8fd98f78..c7fd419a 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -74,41 +74,21 @@ runs: run: | umask 077 - # Workspace npm config with private registry mapping. - cat > .npmrc <<'EOF' + # Ensure base registry mapping exists in workspace. + if [ ! -f ".npmrc" ]; then + cat > .npmrc <<'EOF' @hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/ EOF - - # Candidate npmrc for secret mounting. - install -m 600 .npmrc "$RUNNER_TEMP/.npmrc" - - # Service-owned auth hook. Some repos write token to different npmrc paths. - NPM_CONFIG_USERCONFIG="$RUNNER_TEMP/.npmrc" npm run auth --if-present - - # Resolve where credentials actually ended up. - if grep -Eq "_authToken|_auth=" "$RUNNER_TEMP/.npmrc"; then - AUTH_NPMRC="$RUNNER_TEMP/.npmrc" - elif [ -f "$HOME/.npmrc" ] && grep -Eq "_authToken|_auth=" "$HOME/.npmrc"; then - AUTH_NPMRC="$HOME/.npmrc" - elif grep -Eq "_authToken|_auth=" ".npmrc"; then - AUTH_NPMRC=".npmrc" - else - echo "No npm credentials found in RUNNER_TEMP, HOME, or workspace .npmrc" - exit 1 + elif ! grep -q '^@hiiretail:registry=' .npmrc; then + echo '@hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/' >> .npmrc fi - echo "NPMRC_SECRET_FILE=$AUTH_NPMRC" >> "$GITHUB_ENV" - - # Ensure workspace .npmrc has credentials too (legacy Dockerfiles use COPY . . then npm ci). - if [ "$AUTH_NPMRC" != ".npmrc" ]; then - cat "$AUTH_NPMRC" > .npmrc - fi + # Service-owned auth hook (recommended standard). + npm run auth --if-present - # Extract token for legacy Dockerfile build-arg fallback. - TOKEN_LINE="$(grep -E '//europe-west1-npm\.pkg\.dev/extenda/npm/:(_authToken|_auth)=' "$AUTH_NPMRC" | head -n 1 || true)" - if [ -n "$TOKEN_LINE" ]; then - TOKEN_VALUE="${TOKEN_LINE#*=}" - echo "NPM_TOKEN=$TOKEN_VALUE" >> "$GITHUB_ENV" + # If auth ended up in HOME npmrc, mirror it to workspace for legacy Dockerfiles. + if [ -f "$HOME/.npmrc" ] && grep -Eq "_authToken|_auth=" "$HOME/.npmrc" && ! grep -Eq "_authToken|_auth=" ".npmrc"; then + cp "$HOME/.npmrc" .npmrc fi - name: Install dependencies @@ -151,17 +131,10 @@ runs: export DOCKER_BUILDKIT=1 - BUILD_ARGS=(--secret id=npmrc,src="${NPMRC_SECRET_FILE}") - - # Legacy fallback for Dockerfiles that do plain `RUN npm ci` (no secret mount). - if [ -n "${NPM_TOKEN:-}" ]; then - BUILD_ARGS+=(--build-arg "NPM_TOKEN=${NPM_TOKEN}") - fi - echo "Building local image for vulnerability scan: $IMAGE" - if ! docker build "${BUILD_ARGS[@]}" --quiet -t "$IMAGE" .; then + if ! docker build --secret id=npmrc,src=.npmrc --quiet -t "$IMAGE" .; then echo "Initial quiet Docker build failed. Retrying with full logs for debugging..." - docker build "${BUILD_ARGS[@]}" -t "$IMAGE" . + docker build --secret id=npmrc,src=.npmrc -t "$IMAGE" . echo "Failed to build image $IMAGE." exit 1 fi From b7e3481b01f646282ec27942f8ff83de00b712c6 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Wed, 6 May 2026 15:37:36 +0300 Subject: [PATCH 24/25] test(HII-13198): test security vulnerabilities --- .../nodejs-generic-api/test-unit/README.md | 2 ++ .../nodejs-generic-api/test-unit/action.yaml | 19 ++++++------------- 2 files changed, 8 insertions(+), 13 deletions(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/README.md b/composite-actions/nodejs-generic-api/test-unit/README.md index 1568b94d..d89af4c6 100644 --- a/composite-actions/nodejs-generic-api/test-unit/README.md +++ b/composite-actions/nodejs-generic-api/test-unit/README.md @@ -25,6 +25,8 @@ This is typical action, to run tests in nodejs api application. - You must set Node.js version in `.nvmrc` file. - You should have a ```npm run check-openapi-schema``` script, to test you openapi schema. - You should have a ```npm run ts:check``` script, to check, whether your typescript code is valid. +- You must commit `.npmrc` in the repository root. +- You should provide `npm run auth` in `package.json` (the action calls `npm run auth --if-present`). - Set `IMAGE_NAME` in workflow `env`. - The action builds one local image in the test job using `docker build --quiet -t "${IMAGE_NAME}:${GITHUB_SHA}" .`. - Trivy scans this locally built image (`${IMAGE_NAME}:${GITHUB_SHA}`). diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index c7fd419a..5b487d35 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -44,7 +44,7 @@ runs: - uses: extenda/actions/setup-gcloud@v0 id: gcloud with: - service-account-key: ${{ inputs.GCLOUD_AUTH }} + service-account-key: ${{ inputs.GCLOUD_AUTH || inputs.SECRET_AUTH }} - name: GCloud configure-docker shell: bash @@ -74,23 +74,16 @@ runs: run: | umask 077 - # Ensure base registry mapping exists in workspace. + # Use repository-owned npm config only. if [ ! -f ".npmrc" ]; then - cat > .npmrc <<'EOF' - @hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/ - EOF - elif ! grep -q '^@hiiretail:registry=' .npmrc; then - echo '@hiiretail:registry=https://europe-west1-npm.pkg.dev/extenda/npm/' >> .npmrc + echo "Missing .npmrc in repository root." + echo "Please commit .npmrc and provide npm auth script in package.json." + exit 1 fi # Service-owned auth hook (recommended standard). npm run auth --if-present - # If auth ended up in HOME npmrc, mirror it to workspace for legacy Dockerfiles. - if [ -f "$HOME/.npmrc" ] && grep -Eq "_authToken|_auth=" "$HOME/.npmrc" && ! grep -Eq "_authToken|_auth=" ".npmrc"; then - cp "$HOME/.npmrc" .npmrc - fi - - name: Install dependencies if: steps.cache-node-modules.outputs.cache-hit != 'true' shell: bash @@ -145,7 +138,7 @@ runs: uses: extenda/actions/trivy-scan@v0 with: image: ${{ steps.scan-image.outputs.image }} - service-account-key: ${{ inputs.GCLOUD_AUTH }} + service-account-key: ${{ inputs.GCLOUD_AUTH || inputs}} fail-on-vulnerabilities: true notify-slack-on-vulnerabilities: false From e8749a3535e4439af9d667ea1b4ef712276dc3a1 Mon Sep 17 00:00:00 2001 From: Dorin Cujba Date: Wed, 6 May 2026 15:48:55 +0300 Subject: [PATCH 25/25] test(HII-13198): test security vulnerabilities --- composite-actions/nodejs-generic-api/test-unit/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composite-actions/nodejs-generic-api/test-unit/action.yaml b/composite-actions/nodejs-generic-api/test-unit/action.yaml index 5b487d35..c2e20675 100644 --- a/composite-actions/nodejs-generic-api/test-unit/action.yaml +++ b/composite-actions/nodejs-generic-api/test-unit/action.yaml @@ -138,7 +138,7 @@ runs: uses: extenda/actions/trivy-scan@v0 with: image: ${{ steps.scan-image.outputs.image }} - service-account-key: ${{ inputs.GCLOUD_AUTH || inputs}} + service-account-key: ${{ inputs.GCLOUD_AUTH }} fail-on-vulnerabilities: true notify-slack-on-vulnerabilities: false