chore: update actions version and add improvements

.github/workflows/cicd.yml

@@ -20,7 +20,23 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+
+      - name: Read Node.js version
+        id: node_version
+        run: echo "NODE_VER=$(cat .nvmrc)" >> $GITHUB_OUTPUT
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v2
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ steps.node_version.outputs.NODE_VER }}
+          cache: 'pnpm'
+
+      - name: Security Audit
+        run: pnpm audit --audit-level high
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -74,4 +90,4 @@ jobs:
           cd $PROJECT_PATH
           set -euxo pipefail
           git pull
-          ansible-playbook -i inventory/${{ github.ref_name == 'master' && 'production' || 'staging'}} site.yml --tags deploy --extra-vars "services_to_start=['front'] docker_compose_project_github_token=${{ secrets.GITHUB_TOKEN }} docker_compose_project_github_actor=${{ github.actor }}"
+          ansible-playbook -i inventory/${{ github.ref_name == 'master' && 'production' || 'staging'}} site.yml --tags deploy --extra-vars "services_to_start=['front'] docker_compose_project_github_token=${{ secrets.GITHUB_TOKEN }} docker_compose_project_github_actor=${{ github.actor }}"

Dockerfile

@@ -1,12 +1,22 @@
-FROM node:20 AS builder
+FROM node:20-alpine AS dependencies
 
 WORKDIR /app
 
 RUN corepack enable
 
-COPY ./pnpm-lock.yaml ./package.json ./
+COPY package.json pnpm-lock.yaml ./
 
-RUN pnpm install
+RUN pnpm install --frozen-lockfile --ignore-scripts
+
+FROM node:20-alpine AS builder
+
+WORKDIR /app
+
+RUN corepack enable
+
+COPY package.json pnpm-lock.yaml ./
+
+COPY --from=dependencies /app/node_modules ./node_modules
 
 COPY . .
 
@@ -15,15 +25,65 @@ RUN --mount=type=secret,id=env_variables \
 
 RUN pnpm ioc-generate
 
-# Un comment if using graphql instead of REST
-# RUN pnpm graphql
+RUN pnpm graphql
 
 RUN pnpm build
 
-FROM nginx
+FROM nginx:alpine
+
+RUN apk add --no-cache dumb-init
+
+COPY <<EOF /etc/nginx/conf.d/default.conf
+server {
+    listen 80;
+    server_name _;
+    root /usr/share/nginx/html;
+    index index.html;
 
-# delete default nginx static files
-RUN rm -rf /usr/share/nginx/html/*
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml+rss application/javascript application/json;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Cache static assets
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    # SPA fallback
+    location / {
+        try_files \$uri \$uri/ /index.html;
+    }
+
+    # Health check endpoint
+    location /health {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
+    }
+}
+EOF
 
-# copy build files from builder stage
 COPY --from=builder /app/dist /usr/share/nginx/html
+
+RUN chown -R nginx:nginx /usr/share/nginx/html && \
+    chown -R nginx:nginx /var/cache/nginx && \
+    chown -R nginx:nginx /var/log/nginx && \
+    chown -R nginx:nginx /etc/nginx/conf.d && \
+    touch /var/run/nginx.pid && \
+    chown -R nginx:nginx /var/run/nginx.pid
+
+USER nginx
+
+EXPOSE 80
+
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+
+CMD ["nginx", "-g", "daemon off;"]