From 842e4af70578fef0b4d9bf2b71ac120c98b6399a Mon Sep 17 00:00:00 2001 From: Daniel Garcia Brito Date: Fri, 26 Dec 2025 10:44:41 +0000 Subject: [PATCH 1/3] chore: update actions version --- .github/workflows/cicd.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index f525092..a3569c0 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -74,4 +74,4 @@ jobs: cd $PROJECT_PATH set -euxo pipefail git pull - ansible-playbook -i inventory/${{ github.ref_name == 'master' && 'production' || 'staging'}} site.yml --tags deploy --extra-vars "services_to_start=['front'] docker_compose_project_github_token=${{ secrets.GITHUB_TOKEN }} docker_compose_project_github_actor=${{ github.actor }}" \ No newline at end of file + ansible-playbook -i inventory/${{ github.ref_name == 'master' && 'production' || 'staging'}} site.yml --tags deploy --extra-vars "services_to_start=['front'] docker_compose_project_github_token=${{ secrets.GITHUB_TOKEN }} docker_compose_project_github_actor=${{ github.actor }}" From baba11697e16893a6fb90c52d0b94a349721b88d Mon Sep 17 00:00:00 2001 From: Daniel Garcia Brito Date: Wed, 31 Dec 2025 11:31:55 +0000 Subject: [PATCH 2/3] chore: add audit for dependencies and improve dockerfile --- .github/workflows/cicd.yml | 16 ++++++++ Dockerfile | 78 +++++++++++++++++++++++++++++++++----- 2 files changed, 85 insertions(+), 9 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index a3569c0..a69578b 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml 
@@ -22,6 +22,22 @@ jobs: - name: Checkout code uses: actions/checkout@v4 + - name: Read Node.js version + id: node_version + run: echo "NODE_VER=$(cat .nvmrc)" >> $GITHUB_OUTPUT + + - name: Install pnpm + uses: pnpm/action-setup@v2 + + - name: Set up Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ steps.node_version.outputs.NODE_VER }} + cache: 'pnpm' + + - name: Security Audit + run: pnpm audit --audit-level high + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 diff --git a/Dockerfile b/Dockerfile index c2d07e2..282e6e0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,22 @@ -FROM node:20 AS builder +FROM node:20-alpine AS dependencies WORKDIR /app RUN corepack enable -COPY ./pnpm-lock.yaml ./package.json ./ +COPY package.json pnpm-lock.yaml ./ -RUN pnpm install +RUN pnpm install --frozen-lockfile --ignore-scripts + +FROM node:20-alpine AS builder + +WORKDIR /app + +RUN corepack enable + +COPY package.json pnpm-lock.yaml ./ + +COPY --from=dependencies /app/node_modules ./node_modules COPY . . @@ -15,15 +25,65 @@ RUN --mount=type=secret,id=env_variables \ RUN pnpm ioc-generate -# Un comment if using graphql instead of REST -# RUN pnpm graphql +RUN pnpm graphql RUN pnpm build -FROM nginx +FROM nginx:alpine + +RUN apk add --no-cache dumb-init + +COPY < Date: Thu, 8 Jan 2026 12:01:19 +0000 Subject: [PATCH 3/3] feat: optimize Docker build and enhance CI/CD pipeline --- .github/workflows/cicd.yml | 2 ++ Dockerfile | 46 +++++--------------------------------- nginx.conf | 35 +++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 40 deletions(-) create mode 100644 nginx.conf diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index a69578b..3cb7519 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml 
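Review bot: The new `Install pnpm` step references a third-party action by a movable tag, `pnpm/action-setup@v2`, in a workflow that elsewhere handles `secrets.ENV_VARIABLES` and `secrets.GITHUB_TOKEN`. Whatever that tag points to at run time executes with the job's permissions, so pin it to a reviewed commit: `uses: pnpm/action-setup@<full-commit-sha> # v2`. In the `Read Node.js version` step the redirect target is unquoted; `run: echo "NODE_VER=$(cat .nvmrc)" >> "$GITHUB_OUTPUT"` is the safer form. A short comment on the `Security Audit` step, such as `# fails the job on high or critical advisories only`, would document the chosen threshold.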
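Review bot: In the new `builder` stage, `COPY . .` runs after `COPY --from=dependencies /app/node_modules ./node_modules`, so a `node_modules` directory in the build context would be merged over the tree installed with `--frozen-lockfile --ignore-scripts`. No `.dockerignore` is visible in this patch; if one does not already exclude `node_modules` and local `.env` files, adding it keeps the lockfile-installed dependencies authoritative and keeps stray credentials out of the layer. The `COPY package.json pnpm-lock.yaml ./` line in `builder` is redundant because `COPY . .` follows it. A comment such as `# node_modules come from the dependencies stage; source is copied last` would state the intent. The `builder` stage continues past the end of this hunk.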
@@ -66,6 +66,8 @@ jobs: labels: ${{ steps.meta_main.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max + build-args: | + NODE_VERSION=${{ steps.node_version.outputs.NODE_VER }} secrets: | "env_variables=${{ secrets.ENV_VARIABLES}}" diff --git a/Dockerfile b/Dockerfile index 282e6e0..018fffb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,5 @@ -FROM node:20-alpine AS dependencies +ARG NODE_VERSION=20 +FROM node:${NODE_VERSION}-alpine AS dependencies WORKDIR /app @@ -8,7 +9,7 @@ COPY package.json pnpm-lock.yaml ./ RUN pnpm install --frozen-lockfile --ignore-scripts -FROM node:20-alpine AS builder +FROM node:${NODE_VERSION}-alpine AS builder WORKDIR /app @@ -33,44 +34,9 @@ FROM nginx:alpine RUN apk add --no-cache dumb-init -COPY <
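Review bot: The added `build-args` entry forwards the raw contents of `.nvmrc` as `NODE_VERSION`, and the Dockerfile hunks in this patch splice it unchecked into `FROM node:${NODE_VERSION}-alpine` for both the `dependencies` and `builder` stages. If `.nvmrc` carries a leading `v` or an alias such as `lts/*` (its contents are not shown here), the resulting tag will not resolve. In any case a repository file now selects the base image. Consider normalising and validating the value in the `Read Node.js version` step before it reaches `build-args`, for example stripping a leading `v` and rejecting anything that does not match `^[0-9]+(\.[0-9]+){0,2}$`.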