From f05c822d8eb7d0e39b27bfd76ac505cb5291a728 Mon Sep 17 00:00:00 2001 From: mpw Date: Wed, 4 Oct 2023 14:31:33 -0300 Subject: [PATCH 1/5] initial cicd workflow test --- .github/workflows/release.yml | 99 +++++++++++++++++++++++++++++++++++ Dockerfile | 20 +++++++ server.js | 2 +- 3 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/release.yml create mode 100644 Dockerfile diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..baae5d3 --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,99 @@ +name: Release Image +on: + push: + branches: + - mpw/cicd + - main + - release + paths-ignore: + - 'README.md' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +env: + SERVICE_NAME: uploads + CACHE_CONFIG: type=s3,region=${{ vars.AWS_REGION }},bucket=${{ vars.AWS_BUCKET }},access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }},secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }} + DOCKERHUB_REPO: ${{ vars.DOCKERHUB_ORG }}/${{ env.SERVICE_NAME }} + +jobs: + build: + strategy: + matrix: + arch: [amd64, arm64] + runs-on: ${{ matrix.arch }} + environment: release + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ vars.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - run: | + docker context create ci + docker context use ci + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + with: + driver-opts: image=moby/buildkit:master + version: v0.11.2 + endpoint: ci + + - uses: aws-actions/configure-aws-credentials@v1 + with: + aws-region: ${{ vars.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Build and push ${{ env.SERVICE_NAME }} + uses: docker/build-push-action@v3 + with: + context: . 
+ file: ./Dockerfile + push: true + provenance: false + platforms: linux/${{ matrix.arch }} + tags: ${{ env.DOCKERHUB_REPO }}:latest-${{ matrix.arch }} + cache-from: ${{ env.CACHE_CONFIG }},prefix=buildx/${{ env.SERVICE_NAME }}/${{ matrix.arch }}/ + cache-to: ${{ env.CACHE_CONFIG }},prefix=buildx/${{ env.SERVICE_NAME }}/${{ matrix.arch }}/,mode=max + + finalize: + needs: build + environment: release + runs-on: ubuntu-latest + steps: + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ vars.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Merge image tags + uses: Noelware/docker-manifest-action@master + with: + inputs: ${{ env.DOCKERHUB_REPO }}:latest,${{ env.DOCKERHUB_REPO }}:${{ github.sha }} + images: ${{ env.DOCKERHUB_REPO }}:latest-amd64,${{ env.DOCKERHUB_REPO }}:latest-arm64 + push: true + + - name: Setup variables + id: vars + run: | + if [[ "${{ github.ref }}" == "refs/heads/release" ]]; then + echo "::set-output name=environment::prod" + else + echo "::set-output name=environment::stage" + fi + + - name: Invoke workflow in hub-kubes repo + uses: benc-uk/workflow-dispatch@v1 + with: + ref: main + token: ${{ secrets.ACTIONS_TOKEN }} + workflow: release.yml + repo: holaplex/hub-kubes + inputs: '{ "service": "${{ env.SERVICE_NAME }}", "environment": "${{ steps.vars.outputs.environment }}", "commit_hash": "${{ github.sha }}"}' diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..a4a3f96 --- /dev/null +++ b/Dockerfile 
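Review bot: `CACHE_CONFIG` in the workflow-level `env:` inlines `secrets.AWS_ACCESS_KEY_ID` and `secrets.AWS_SECRET_ACCESS_KEY`, so both keys are exported into the process environment of every step of both jobs, including the third-party `Noelware/docker-manifest-action@master` and `benc-uk/workflow-dispatch@v1` steps that never need them; only the `Build and push` step consumes the value (via `cache-from`/`cache-to`), so move `CACHE_CONFIG` to that step's `env:` or to `jobs.build.env:`, since log masking does not protect a secret a step can read from its own environment. Separately, `Noelware/docker-manifest-action@master` and `driver-opts: image=moby/buildkit:master` track mutable refs; pin the action to a commit SHA and BuildKit to a release tag so the release pipeline cannot change upstream without a diff here. The workflow declares no `permissions:`, so the default `GITHUB_TOKEN` scope applies; a top-level `permissions:` with `contents: read` covers what the visible steps do. `::set-output` in the `Setup variables` step is deprecated; write `echo "environment=prod" >> "$GITHUB_OUTPUT"` (and the `stage` counterpart) instead.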
@@ -0,0 +1,20 @@ +FROM node:20-alpine AS base +WORKDIR /app +COPY package*.json ./ + +FROM base AS dependencies +RUN npm set progress=false && npm config set depth 0 && \ + npm install --only=production +RUN cp -R node_modules prod_node_modules +RUN npm install + +FROM dependencies AS build +ENV NODE_ENV=production +COPY . . + +# --- Release ---- +FROM base AS release +COPY --from=dependencies /app/prod_node_modules ./node_modules +COPY . . +EXPOSE 3000 +CMD ["npm","start"] diff --git a/server.js b/server.js index 55ed97a..64cc56c 100644 --- a/server.js +++ b/server.js @@ -24,7 +24,7 @@ fastify.post("/uploads", async function handler(request, reply) { // Run the server! try { - await fastify.listen({ port: 3000 }); + await fastify.listen({ port: 3000, host: "0.0.0.0" }); } catch (err) { fastify.log.error(err); process.exit(1); From e1ad7264c1e7073754ba7241bfb714d3c3974c13 Mon Sep 17 00:00:00 2001 From: mpw Date: Wed, 4 Oct 2023 14:34:38 -0300 Subject: [PATCH 2/5] use repo name when possible --- .github/workflows/release.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index baae5d3..f954103 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,7 +2,6 @@ name: Release Image on: push: branches: - - mpw/cicd - main - release paths-ignore: @@ -15,7 +14,7 @@ concurrency: env: SERVICE_NAME: uploads CACHE_CONFIG: type=s3,region=${{ vars.AWS_REGION }},bucket=${{ vars.AWS_BUCKET }},access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }},secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }} - DOCKERHUB_REPO: ${{ vars.DOCKERHUB_ORG }}/${{ env.SERVICE_NAME }} + DOCKERHUB_REPO: ${{ vars.DOCKERHUB_ORG }}/${{ github.event.repository.name }} jobs: build: 
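Review bot: The `release` stage ends with `COPY . .`, and this commit adds no `.dockerignore`, so unless one already exists in the repository everything in the checkout — `.git`, `.github`, a local `node_modules`, any `.env` or credential file — lands in the published image (the `build` stage has the same `COPY . .`). Add a `.dockerignore` excluding at least `.git`, `node_modules` and `*.env`, or copy only the files the server needs. The `build` stage is never referenced by `release` (which copies from `dependencies`), so `ENV NODE_ENV=production` has no effect on the shipped image; either drop the stage or set `NODE_ENV` in `release`. For reproducible dependency resolution, `npm ci --omit=dev` against the committed lockfile is preferable to `npm install --only=production`, and `--only` is deprecated on recent npm releases such as the one bundled with `node:20`.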
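Review bot: The host is now hard-coded to `"0.0.0.0"`, which is what the container needs but also binds every interface whenever the server is started outside Docker; reading it from the environment keeps both cases covered, e.g. `await fastify.listen({ port: Number(process.env.PORT) || 3000, host: process.env.HOST || "0.0.0.0" });`. The enclosing `try` block and the `handler` above it start outside the hunk.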
@@ -50,17 +49,18 @@ jobs: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - name: Build and push ${{ env.SERVICE_NAME }} + - name: Build and push ${{ github.event.repository.name }} uses: docker/build-push-action@v3 with: context: . file: ./Dockerfile + push: true provenance: false platforms: linux/${{ matrix.arch }} tags: ${{ env.DOCKERHUB_REPO }}:latest-${{ matrix.arch }} - cache-from: ${{ env.CACHE_CONFIG }},prefix=buildx/${{ env.SERVICE_NAME }}/${{ matrix.arch }}/ - cache-to: ${{ env.CACHE_CONFIG }},prefix=buildx/${{ env.SERVICE_NAME }}/${{ matrix.arch }}/,mode=max + cache-from: ${{ env.CACHE_CONFIG }},prefix=buildx/hub-ui/${{ matrix.arch }}/ + cache-to: ${{ env.CACHE_CONFIG }},prefix=buildx/hub-ui/${{ matrix.arch }}/,mode=max finalize: needs: build From 7c9ae54c2223f91174f94ec1fd0dfea436f62f7e Mon Sep 17 00:00:00 2001 From: mpw Date: Wed, 4 Oct 2023 14:36:23 -0300 Subject: [PATCH 3/5] add cicd test branch --- .github/workflows/release.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f954103..0382380 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,6 +2,7 @@ name: Release Image on: push: branches: + - mpw/cicd - main - release paths-ignore: @@ -59,8 +60,8 @@ jobs: provenance: false platforms: linux/${{ matrix.arch }} tags: ${{ env.DOCKERHUB_REPO }}:latest-${{ matrix.arch }} - cache-from: ${{ env.CACHE_CONFIG }},prefix=buildx/hub-ui/${{ matrix.arch }}/ - cache-to: ${{ env.CACHE_CONFIG }},prefix=buildx/hub-ui/${{ matrix.arch }}/,mode=max + cache-from: ${{ env.CACHE_CONFIG }},prefix=buildx/${{ github.event.repository.name }}/${{ matrix.arch }}/ + cache-to: ${{ env.CACHE_CONFIG }},prefix=buildx/${{ github.event.repository.name }}/${{ matrix.arch }}/,mode=max finalize: needs: build From 5896a18ec7bec25e2d39d6d299c3d21e4b7e27a3 Mon Sep 17 00:00:00 2001 
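Review bot: The added `push: true` under `with:` of the `Build and push` step appears to duplicate the `push: true` that PATCH 1 already wrote between `file: ./Dockerfile` and `provenance: false`; if both survive, the step's `with:` mapping carries a duplicate key, which most YAML loaders resolve silently to the last value and which GitHub's workflow parser may reject outright. If the earlier line is still present, drop the added one; if it is not, this hunk's context should show it, so it is worth confirming against the file rather than the patch.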
From: mpw Date: Wed, 4 Oct 2023 14:53:36 -0300 Subject: [PATCH 4/5] remove test branch from workflow --- .github/workflows/release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0382380..961d93a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,7 +2,6 @@ name: Release Image on: push: branches: - - mpw/cicd - main - release paths-ignore: From cbba587452804ad766a14587c3daae8854ac2ab0 Mon Sep 17 00:00:00 2001 From: mpw Date: Wed, 4 Oct 2023 15:11:07 -0300 Subject: [PATCH 5/5] dont run as root --- Dockerfile | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index a4a3f96..22a1f35 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,9 @@ FROM node:20-alpine AS base WORKDIR /app -COPY package*.json ./ +RUN addgroup -g 10000 uploader && adduser -u 10000 -G uploader -s /bin/sh -D uploader +RUN chown -R uploader:uploader /app +USER uploader +COPY --chown=uploader:uploader package*.json ./ FROM base AS dependencies RUN npm set progress=false && npm config set depth 0 && \ @@ -10,11 +13,10 @@ RUN npm install FROM dependencies AS build ENV NODE_ENV=production -COPY . . +COPY --chown=uploader:uploader . . -# --- Release ---- FROM base AS release COPY --from=dependencies /app/prod_node_modules ./node_modules -COPY . . +COPY --chown=uploader:uploader . . EXPOSE 3000 CMD ["npm","start"]
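Review bot: The service account is created with `-s /bin/sh`, which gives a non-interactive runtime user a working login shell; `adduser -u 10000 -G uploader -s /sbin/nologin -D uploader` keeps the non-root change while removing a shell the process never needs (BusyBox `adduser` on Alpine accepts `/sbin/nologin`), which narrows what is available if the container is ever compromised. `RUN chown -R uploader:uploader /app` runs while `/app` is still empty (the `COPY` comes after `USER`), so it only changes the directory itself; it is harmless, but a plain `RUN chown uploader:uploader /app` states the intent without the recursive flag. Because `dependencies`, `build` and `release` all derive from `base`, the `npm install` steps now run unprivileged as well, which is the behaviour you want.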
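Review bot: `COPY --from=dependencies /app/prod_node_modules ./node_modules` in the `release` stage is the one copy left without `--chown=uploader:uploader`; the files were produced by npm running as `uploader` in the `dependencies` stage, so they are presumably already owned by uid 10000, but ownership or permission problems in that tree would only surface at `npm start`. Adding `--chown=uploader:uploader` to that line makes the ownership explicit regardless of what the builder preserves across stages. The hunk also drops the `# --- Release ----` marker comment without a replacement; a one-line `# Runtime image: production deps only, runs as uploader` above `FROM base AS release` keeps the stage boundaries readable.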