feat: trunkio meta-linter (EddieHubCommunity#71)

gewenyu99 · web-flow · commit d9b5839a3882 · 2024-08-06T09:23:50.000+01:00
* Init Trunk Check * add format command * Disable Telemetry * enable PR annotations * Fix lint comments * Run linter with dependencies installed * Fix invalid yaml * Update lint.yml * Update lint.yml (EddieHubCommunity#2) * Fix linter errors * Fix more linter errors * Add ignore for markdownlint on Changelog.md * Remove duplicate top level yaml in trunk config * Update Dockerfile
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -1,5 +1,5 @@
 name: Deploy to Caprover
-
+permissions: read-all
 on:
   registry_package:
     types: [published]
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -1,4 +1,5 @@
 name: Publish Docker
+permissions: read-all
 on:
   release:
     types: [published]
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -14,5 +14,7 @@ jobs:
           node-version: 22.4
       - name: Install dependencies
         run: npm ci
-      - name: Run linter
-        run: npm run lint
+      - name: Trunk Check
+        uses: trunk-io/trunk-action@v1
+        # with:
+        #   post-annotations: true # only for fork PRs
diff --git a/.trunk/.gitignore b/.trunk/.gitignore
@@ -0,0 +1,9 @@
+*out
+*logs
+*actions
+*notifications
+*tools
+plugins
+user_trunk.yaml
+user.yaml
+tmp
diff --git a/.trunk/configs/.hadolint.yaml b/.trunk/configs/.hadolint.yaml
@@ -0,0 +1,4 @@
+# Following source doesn't work in most setups
+ignored:
+  - SC1090
+  - SC1091
diff --git a/.trunk/configs/.markdownlint.yaml b/.trunk/configs/.markdownlint.yaml
@@ -0,0 +1,5 @@
+# Prettier friendly markdownlint config (all formatting rules disabled)
+extends: markdownlint/style/prettier
+
+# Disable MD024 rule
+MD024: false
diff --git a/.trunk/configs/.yamllint.yaml b/.trunk/configs/.yamllint.yaml
@@ -0,0 +1,7 @@
+rules:
+  quoted-strings:
+    required: only-when-needed
+    extra-allowed: ["{|}"]
+  key-duplicates: {}
+  octal-values:
+    forbid-implicit-octal: true
diff --git a/.trunk/configs/svgo.config.js b/.trunk/configs/svgo.config.js
@@ -0,0 +1,14 @@
+module.exports = {
+  plugins: [
+    {
+      name: "preset-default",
+      params: {
+        overrides: {
+          removeViewBox: false, // https://github.com/svg/svgo/issues/1128
+          sortAttrs: true,
+          removeOffCanvasPaths: true,
+        },
+      },
+    },
+  ],
+};
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
@@ -0,0 +1,54 @@
+# This file controls the behavior of Trunk: https://docs.trunk.io/cli
+# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
+version: 0.1
+cli:
+  version: 1.22.2
+# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
+plugins:
+  sources:
+    - id: trunk
+      ref: v1.6.1
+      uri: https://github.com/trunk-io/plugins
+# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
+runtimes:
+  enabled:
+    - node@18.12.1
+    - python@3.10.8
+# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
+lint:
+  enabled:
+    # Prisma
+    - prisma@5.17.0
+
+    # Security + IaS config
+    - actionlint@1.7.1
+    - checkov@3.2.208
+    - hadolint@2.12.0
+    - trufflehog@3.80.1
+    # These scan dependencies, but require network access. Enable if it fits your project.
+    # - osv-scanner@1.8.2
+    # - trivy@0.53.0
+
+    # Toml, Yaml, Markdown, etc.
+    # - taplo@0.9.2
+    - markdownlint@0.41.0
+    - yamllint@1.35.1
+
+    # Formatters and linters
+    - eslint@8.57.0
+    - git-diff-check
+    - prettier@3.3.3
+
+    # Optimize SVGs and PNGs
+    - svgo@3.3.2
+    - oxipng@9.1.2 # Manually added in case you add PNGs later
+  ignore:
+    - linters: [markdownlint]
+      paths:
+        - CHANGELOG.md
+actions:
+  # Optional githooks that help you run check and format before push.
+  enabled:
+    - trunk-announce
+    - trunk-check-pre-push
+    - trunk-upgrade-available
diff --git a/Dockerfile b/Dockerfile
@@ -8,15 +8,28 @@ RUN npm ci  --omit=dev --ignore-scripts
 
 COPY . .
 
-RUN npx prisma generate
-RUN npm run build
+RUN npx prisma generate && \
+    npm run build
 
 # Production image
 FROM node:${NODE_VERSION} AS production
 WORKDIR /usr/src/app
 
-COPY --from=builder /usr/src/app .
+COPY --from=builder /usr/src/app /usr/src/app
 
-EXPOSE 3000
+# Create a non-root user and group
+RUN groupadd -r appuser && useradd -r -g appuser -d /usr/src/app -s /sbin/nologin appuser
+
+# Copy application files from builder
+COPY --from=builder /usr/src/app /usr/src/app
+
+# Change ownership of the application directory
+RUN chown -R appuser:appuser /usr/src/app
+
+# Switch to the non-root user
+USER appuser
+
+# Added healthcheck to satisfy checkov lint, you should configure this according to your application
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD curl -f http://localhost:3000/health || exit 1
 
 CMD ["npm", "run", "start"]
diff --git a/compose.yaml b/compose.yaml
@@ -29,7 +29,7 @@ services:
     networks:
       - healthcheck
     healthcheck:
-      test: ["CMD", "pg_isready", "-U", "user", "-d", "healthcheck"]
+      test: [CMD, pg_isready, -U, user, -d, healthcheck]
       interval: 10s
       timeout: 5s
       retries: 5
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`name: Publish Docker`
	`2`	`+permissions: read-all`
`2`	`3`	`on:`
`3`	`4`	`release:`
`4`	`5`	`types: [published]`