fix(ci): fix pipeline #365 — web build-shared + orchestrator secret scan
- Add build-shared step to web.yml so lint/typecheck/test can resolve @mosaic/shared types (same fix previously applied to api.yml)
- Remove compiled .spec.js/.test.js files from orchestrator production image to prevent Trivy secret scanning false positives from test fixtures (fake AWS keys and RSA private keys in secret-scanner tests)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -43,6 +43,16 @@ steps:
depends_on:
- install

build-shared:
image: *node_image
environment:
SKIP_ENV_VALIDATION: "true"
commands:
- *use_deps
- pnpm --filter "@mosaic/shared" build
depends_on:
- install

lint:
image: *node_image
environment:
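Review bot: this `build-shared` step is, per the commit message, a copy of the one already added to api.yml, so the two definitions will drift unless the `image`/`environment`/`commands` block is pulled into a YAML anchor (the file already uses `*node_image` and `*use_deps` that way) or a shared step template. It also silently assumes that later steps see the output of `pnpm --filter "@mosaic/shared" build` in the shared workspace; `depends_on: - install` only orders execution, so a one-line comment stating that assumption would help the next person who reorders steps.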
@@ -51,7 +61,7 @@ steps:
- *use_deps
- pnpm --filter "@mosaic/web" lint
depends_on:
- install
- build-shared

typecheck:
image: *node_image
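Review bot: making `lint` wait on `build-shared` only pays off if the lint config uses type-aware rules that need the compiled `@mosaic/shared` output; if it does not, this dependency just serialises a step that could run in parallel with the build. Either way, a short comment beside `- build-shared` saying why lint needs it would save the next reader the same question.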
@@ -61,7 +71,7 @@ steps:
- *use_deps
- pnpm --filter "@mosaic/web" typecheck
depends_on:
- install
- build-shared

test:
image: *node_image
@@ -71,7 +81,7 @@ steps:
- *use_deps
- pnpm --filter "@mosaic/web" test
depends_on:
- install
- build-shared

# === Build ===

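Review bot: the same `- install` / `- build-shared` pair is now repeated in the `depends_on` lists of lint, typecheck and test; a YAML anchor for that list (the file already anchors `node_image` and `use_deps`) would keep the three in sync when another shared package or prerequisite step is added.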
@@ -83,6 +83,8 @@ COPY --from=builder --chown=nestjs:nodejs /app/packages ./packages

# Copy built orchestrator application
COPY --from=builder --chown=nestjs:nodejs /app/apps/orchestrator/dist ./apps/orchestrator/dist
# Remove compiled test files from production (contain test fixtures that trigger Trivy secret scanning)
RUN find ./apps/orchestrator/dist -name '*.spec.js' -o -name '*.spec.js.map' -o -name '*.test.js' -o -name '*.test.js.map' | xargs rm -f 2>/dev/null || true
COPY --from=builder --chown=nestjs:nodejs /app/apps/orchestrator/package.json ./apps/orchestrator/

# Copy app's node_modules which contains symlinks to root node_modules

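Review bot: the `RUN find ... | xargs rm -f` runs in the final stage after the `COPY --from=builder` of `dist`, so the compiled `.spec.js`/`.test.js` files, and the fake AWS keys and RSA private keys the commit message says they contain, are still present in the COPY layer; the RUN only adds a whiteout on top, and anything that inspects layers individually (`docker history`, `docker save`, layer-wise scanners) still sees the fixtures. Remove them in the builder stage before the COPY, or better, keep them out of `dist` altogether by excluding `**/*.spec.ts` and `**/*.test.ts` in the build tsconfig so there is nothing to delete afterwards. Two smaller points on the command itself: piping `find` output to `xargs rm -f` breaks on paths containing whitespace, and the trailing `2>/dev/null || true` hides real failures (a typo in a pattern would silently ship the fixtures); `find ./apps/orchestrator/dist \( -name '*.spec.js' -o -name '*.spec.js.map' -o -name '*.test.js' -o -name '*.test.js.map' \) -delete` is shorter and fails loudly.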
@@ -53,3 +53,11 @@
| CI-MIT-002 | done | Remove npm from 3 Node.js production images (eliminates 5 npm bundled CVEs) | | apps | develop | | CI-MIT-003 | worker-11 | 2026-02-12T17:10Z | 2026-02-12T17:12Z | 5K | 5K |
| CI-MIT-003 | done | Trim .trivyignore to OpenBao-only (5 CVEs: 4 false positives + 1 upstream Go stdlib) | | ci | develop | CI-MIT-001,CI-MIT-002 | CI-MIT-004 | orch | 2026-02-12T17:13Z | 2026-02-12T17:14Z | 3K | 2K |
| CI-MIT-004 | done | Verification: 11 of 16 CVEs eliminated at source, 5 remaining documented in .trivyignore | | all | develop | CI-MIT-001,CI-MIT-002,CI-MIT-003 | | orch | 2026-02-12T17:14Z | 2026-02-12T17:15Z | 3K | 1K |

## Pipeline #365 Follow-up Fixes

| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used |
| ----------- | ------ | ------------------------------------------------------------------------------------------------- | ----- | ------------ | ------- | ----------------------- | ----------- | --------- | ----------------- | ----------------- | -------- | ---- |
| CI-FIX5-001 | done | Add build-shared step to web.yml (fixes lint/typecheck/test: @mosaic/shared not found) | #364 | ci | develop | | CI-FIX5-003 | worker-12 | 2026-02-12T18:00Z | 2026-02-12T18:02Z | 5K | 3K |
| CI-FIX5-002 | done | Remove compiled test files from orchestrator production image (Trivy secret scan false positives) | #365 | orchestrator | develop | | CI-FIX5-003 | worker-13 | 2026-02-12T18:00Z | 2026-02-12T18:02Z | 5K | 3K |
| CI-FIX5-003 | done | Verification: validate all pipeline #365 fixes | | all | develop | CI-FIX5-001,CI-FIX5-002 | | orch | 2026-02-12T18:03Z | 2026-02-12T18:04Z | 3K | 1K |

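Review bot: CI-FIX5-001 is filed under issue `#364` while the section heading and CI-FIX5-002 both reference `#365`; confirm whether the web.yml fix really tracks a different issue or the column should read `#365`. The CI-FIX5-003 row records that verification happened but not what was checked; a pointer to the pipeline run that went green after CI-FIX5-001 and CI-FIX5-002 would make that row auditable.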