From 3b12adf8f720f3ed6f86fbf5cd8642f9a12069bc Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Thu, 12 Feb 2026 17:25:49 -0600
Subject: [PATCH] =?UTF-8?q?fix(ci):=20fix=20pipeline=20#365=20=E2=80=94=20?=
 =?UTF-8?q?web=20build-shared=20+=20orchestrator=20secret=20scan?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Add build-shared step to web.yml so lint/typecheck/test can resolve @mosaic/shared types (same fix previously applied to api.yml)
- Remove compiled .spec.js/.test.js files from orchestrator production image to prevent Trivy secret scanning false positives from test fixtures (fake AWS keys and RSA private keys in secret-scanner tests)
Co-Authored-By: Claude Opus 4.6
---
 .woodpecker/web.yml | 16 +++++++++++++---
 apps/orchestrator/Dockerfile | 2 ++
 docs/tasks.md | 8 ++++++++
 3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/.woodpecker/web.yml b/.woodpecker/web.yml
index ac9e2f5..b03a46f 100644
--- a/.woodpecker/web.yml
+++ b/.woodpecker/web.yml
@@ -43,6 +43,16 @@ steps: depends_on: - install + build-shared: image: *node_image environment: SKIP_ENV_VALIDATION: "true" commands: - *use_deps - pnpm --filter "@mosaic/shared" build depends_on: - install + lint: image: *node_image environment:
@@ -51,7 +61,7 @@ steps: - *use_deps - pnpm --filter "@mosaic/web" lint depends_on: - - install + - build-shared typecheck: image: *node_image
@@ -61,7 +71,7 @@ steps: - *use_deps - pnpm --filter "@mosaic/web" typecheck depends_on: - - install + - build-shared test: image: *node_image
@@ -71,7 +81,7 @@ steps: - *use_deps - pnpm --filter "@mosaic/web" test depends_on: - - install + - build-shared # === Build ===
diff --git a/apps/orchestrator/Dockerfile b/apps/orchestrator/Dockerfile
index 33d8bca..506919a 100644
--- a/apps/orchestrator/Dockerfile
+++ b/apps/orchestrator/Dockerfile
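Review bot: The new `build-shared` step in the first web.yml hunk carries no comment saying why `lint`, `typecheck` and `test` (the three later hunks) now wait on it instead of `install`, so the next person to trim the pipeline will not know it exists to emit the `@mosaic/shared` types those steps resolve. Add above the step `# Compile @mosaic/shared first so lint/typecheck/test can resolve its emitted types (same pattern as api.yml)`. The web `build` step under `# === Build ===` starts outside the hunk; it presumably needs the same prerequisite, so confirm it also lists `build-shared` in its `depends_on` rather than only `install`, otherwise the build can still race ahead of the shared package. `SKIP_ENV_VALIDATION: "true"` is correctly quoted so the consumer receives a string rather than a YAML boolean; keep that quoting if the step is copied elsewhere.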
@@ -83,6 +83,8 @@ COPY --from=builder --chown=nestjs:nodejs /app/packages ./packages
 # Copy built orchestrator application
 COPY --from=builder --chown=nestjs:nodejs /app/apps/orchestrator/dist ./apps/orchestrator/dist
+# Remove compiled test files from production (contain test fixtures that trigger Trivy secret scanning)
+RUN find ./apps/orchestrator/dist -name '*.spec.js' -o -name '*.spec.js.map' -o -name '*.test.js' -o -name '*.test.js.map' | xargs rm -f 2>/dev/null || true
 COPY --from=builder --chown=nestjs:nodejs /app/apps/orchestrator/package.json ./apps/orchestrator/
 # Copy app's node_modules which contains symlinks to root node_modules
diff --git a/docs/tasks.md b/docs/tasks.md
index 8ccc1a1..ae361a8 100644
--- a/docs/tasks.md
+++ b/docs/tasks.md
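Review bot: The added `RUN` line swallows every failure (`2>/dev/null || true`), so if the dist path moves or `find` errors the test fixtures with fake AWS keys and RSA private keys stay in the production image while the build step still succeeds, and the secret-scan suppression regresses silently. The `find ... | xargs rm -f` pipeline is also fragile with whitespace in file names; a single grouped expression with `-delete` needs neither `xargs` nor the error suppression and fails loudly when the directory is missing: `RUN find ./apps/orchestrator/dist \( -name '*.spec.js' -o -name '*.spec.js.map' -o -name '*.test.js' -o -name '*.test.js.map' \) -delete`. Note that the deletion runs after the preceding `COPY` layer has already captured the files, so tooling that inspects individual layers rather than the merged filesystem may still find them; the durable fix is to keep test sources out of `dist` at compile time by excluding `**/*.spec.ts` and `**/*.test.ts` in the build tsconfig, so no layer ever contains them.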
@@ -53,3 +53,11 @@
 | CI-MIT-002 | done | Remove npm from 3 Node.js production images (eliminates 5 npm bundled CVEs) | | apps | develop | | CI-MIT-003 | worker-11 | 2026-02-12T17:10Z | 2026-02-12T17:12Z | 5K | 5K |
 | CI-MIT-003 | done | Trim .trivyignore to OpenBao-only (5 CVEs: 4 false positives + 1 upstream Go stdlib) | | ci | develop | CI-MIT-001,CI-MIT-002 | CI-MIT-004 | orch | 2026-02-12T17:13Z | 2026-02-12T17:14Z | 3K | 2K |
 | CI-MIT-004 | done | Verification: 11 of 16 CVEs eliminated at source, 5 remaining documented in .trivyignore | | all | develop | CI-MIT-001,CI-MIT-002,CI-MIT-003 | | orch | 2026-02-12T17:14Z | 2026-02-12T17:15Z | 3K | 1K |
+
+## Pipeline #365 Follow-up Fixes
+
+| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used |
+| ----------- | ------ | ------------------------------------------------------------------------------------------------- | ----- | ------------ | ------- | ----------------------- | ----------- | --------- | ----------------- | ----------------- | -------- | ---- |
+| CI-FIX5-001 | done | Add build-shared step to web.yml (fixes lint/typecheck/test: @mosaic/shared not found) | #364 | ci | develop | | CI-FIX5-003 | worker-12 | 2026-02-12T18:00Z | 2026-02-12T18:02Z | 5K | 3K |
+| CI-FIX5-002 | done | Remove compiled test files from orchestrator production image (Trivy secret scan false positives) | #365 | orchestrator | develop | | CI-FIX5-003 | worker-13 | 2026-02-12T18:00Z | 2026-02-12T18:02Z | 5K | 3K |
+| CI-FIX5-003 | done | Verification: validate all pipeline #365 fixes | | all | develop | CI-FIX5-001,CI-FIX5-002 | | orch | 2026-02-12T18:03Z | 2026-02-12T18:04Z | 3K | 1K |