@el-j/magic-helix-plugins 4.0.0-beta.2 → 4.0.0-beta.3

package/dist/ci/github-actions.md

@@ -0,0 +1,268 @@
+# GitHub Actions CI/CD Templates
+
+## Node.js/TypeScript Pipeline
+```yaml
+name: Node.js CI/CD
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+      - run: npm ci
+      - run: npm run build
+      - run: npm test
+      - run: npm run lint
+      - name: Upload coverage
+        uses: codecov/codecov-action@v4
+        if: matrix.node-version == '20.x'
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+  docker:
+    needs: test
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: user/app:latest,user/app:${{ github.sha }}
+          cache-from: type=registry,ref=user/app:buildcache
+          cache-to: type=registry,ref=user/app:buildcache,mode=max
+```
+
+## Python Pipeline
+```yaml
+name: Python CI/CD
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ['3.10', '3.11', '3.12']
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+        with:
+          virtualenvs-create: true
+          virtualenvs-in-project: true
+      - name: Load cached venv
+        uses: actions/cache@v4
+        with:
+          path: .venv
+          key: venv-${{ runner.os }}-${{ matrix.python-version }}-${{ hashFiles('**/poetry.lock') }}
+      - name: Install dependencies
+        run: poetry install --no-interaction
+      - name: Run tests
+        run: poetry run pytest --cov --cov-report=xml
+      - name: Run linters
+        run: |
+          poetry run ruff check .
+          poetry run mypy .
+```
+
+## Go Pipeline
+```yaml
+name: Go CI/CD
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+          cache: true
+      - name: Verify dependencies
+        run: go mod verify
+      - name: Build
+        run: go build -v ./...
+      - name: Run tests
+        run: go test -v -race -coverprofile=coverage.txt ./...
+      - name: Lint
+        uses: golangci/golangci-lint-action@v4
+        with:
+          version: latest
+```
+
+## Rust Pipeline
+```yaml
+name: Rust CI/CD
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt, clippy
+      - name: Cache cargo registry
+        uses: actions/cache@v4
+        with:
+          path: ~/.cargo/registry
+          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
+      - name: Cache cargo index
+        uses: actions/cache@v4
+        with:
+          path: ~/.cargo/git
+          key: ${{ runner.os }}-cargo-index-${{ hashFiles('**/Cargo.lock') }}
+      - name: Cache target
+        uses: actions/cache@v4
+        with:
+          path: target
+          key: ${{ runner.os }}-target-${{ hashFiles('**/Cargo.lock') }}
+      - name: Check formatting
+        run: cargo fmt -- --check
+      - name: Run clippy
+        run: cargo clippy -- -D warnings
+      - name: Run tests
+        run: cargo test --verbose
+      - name: Build release
+        run: cargo build --release --verbose
+```
+
+## Java/Maven Pipeline
+```yaml
+name: Java CI/CD
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+          cache: 'maven'
+      - name: Build with Maven
+        run: mvn -B package --file pom.xml
+      - name: Run tests
+        run: mvn test
+      - name: Generate coverage report
+        run: mvn jacoco:report
+```
+
+## Multi-Platform Docker Build
+```yaml
+name: Docker Multi-Arch
+
+on:
+  push:
+    tags: ['v*']
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+```
+
+## Security Scanning
+```yaml
+name: Security Scan
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: '0 0 * * 0'  # Weekly
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+      - name: Upload results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+```
+
+## Best Practices
+1. **Caching**: Use `actions/cache` for dependencies (npm, pip, cargo, maven)
+2. **Matrix Builds**: Test against multiple language versions
+3. **Secrets**: Store credentials in GitHub Secrets, never in code
+4. **Branch Protection**: Require CI to pass before merging
+5. **Parallel Jobs**: Use `needs` to orchestrate job dependencies
+6. **Docker Layer Caching**: Use registry cache or buildx cache backends
+7. **Security Scanning**: Integrate Trivy, Snyk, or CodeQL
+8. **Artifact Storage**: Upload test reports and binaries with `actions/upload-artifact`

package/dist/ci/gitlab-ci.md

@@ -0,0 +1,330 @@
+# GitLab CI/CD Templates
+
+## Node.js/TypeScript Pipeline
+```yaml
+image: node:20-alpine
+
+stages:
+  - build
+  - test
+  - docker
+  - deploy
+
+cache:
+  key:
+    files:
+      - package-lock.json
+  paths:
+    - node_modules/
+    - .npm/
+
+variables:
+  npm_config_cache: "$CI_PROJECT_DIR/.npm"
+
+build:
+  stage: build
+  script:
+    - npm ci
+    - npm run build
+  artifacts:
+    paths:
+      - dist/
+    expire_in: 1 hour
+
+test:
+  stage: test
+  coverage: '/Lines\s*:\s*(\d+\.\d+)%/'
+  script:
+    - npm ci
+    - npm test -- --coverage
+  artifacts:
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: coverage/cobertura-coverage.xml
+      junit: junit.xml
+
+lint:
+  stage: test
+  script:
+    - npm ci
+    - npm run lint
+
+docker-build:
+  stage: docker
+  image: docker:latest
+  services:
+    - docker:dind
+  before_script:
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+  script:
+    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA .
+    - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA $CI_REGISTRY_IMAGE:latest
+    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
+    - docker push $CI_REGISTRY_IMAGE:latest
+  only:
+    - main
+
+deploy-production:
+  stage: deploy
+  image: alpine/kubectl:latest
+  script:
+    - kubectl config set-cluster k8s --server="$KUBE_URL" --insecure-skip-tls-verify=true
+    - kubectl config set-credentials admin --token="$KUBE_TOKEN"
+    - kubectl config set-context default --cluster=k8s --user=admin
+    - kubectl config use-context default
+    - kubectl set image deployment/app app=$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA -n production
+  environment:
+    name: production
+    url: https://app.example.com
+  only:
+    - main
+```
+
+## Python Pipeline
+```yaml
+image: python:3.12-slim
+
+stages:
+  - test
+  - build
+  - deploy
+
+variables:
+  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
+
+cache:
+  paths:
+    - .cache/pip
+    - .venv/
+
+before_script:
+  - pip install poetry
+  - poetry config virtualenvs.in-project true
+  - poetry install
+
+test:
+  stage: test
+  script:
+    - poetry run pytest --cov --cov-report=xml --cov-report=term
+    - poetry run ruff check .
+    - poetry run mypy .
+  coverage: '/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/'
+  artifacts:
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: coverage.xml
+
+docker:
+  stage: build
+  image: docker:latest
+  services:
+    - docker:dind
+  script:
+    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA .
+    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
+  only:
+    - main
+```
+
+## Go Pipeline
+```yaml
+image: golang:1.21
+
+stages:
+  - test
+  - build
+
+variables:
+  GOPATH: $CI_PROJECT_DIR/.go
+
+cache:
+  paths:
+    - .go/pkg/mod/
+
+before_script:
+  - mkdir -p .go
+  - go mod download
+
+test:
+  stage: test
+  script:
+    - go fmt $(go list ./... | grep -v /vendor/)
+    - go vet $(go list ./... | grep -v /vendor/)
+    - go test -race -coverprofile=coverage.txt -covermode=atomic ./...
+  coverage: '/coverage: \d+\.\d+% of statements/'
+  artifacts:
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: coverage.xml
+
+build:
+  stage: build
+  script:
+    - CGO_ENABLED=0 go build -ldflags="-s -w" -o app
+  artifacts:
+    paths:
+      - app
+```
+
+## Rust Pipeline
+```yaml
+image: rust:1.75
+
+stages:
+  - test
+  - build
+
+variables:
+  CARGO_HOME: $CI_PROJECT_DIR/.cargo
+
+cache:
+  paths:
+    - .cargo/
+    - target/
+
+test:
+  stage: test
+  script:
+    - rustc --version && cargo --version
+    - cargo fmt -- --check
+    - cargo clippy -- -D warnings
+    - cargo test --verbose
+
+build:
+  stage: build
+  script:
+    - cargo build --release
+  artifacts:
+    paths:
+      - target/release/app
+```
+
+## Java/Maven Pipeline
+```yaml
+image: maven:3.9-eclipse-temurin-21
+
+stages:
+  - build
+  - test
+  - package
+
+variables:
+  MAVEN_OPTS: "-Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository"
+
+cache:
+  paths:
+    - .m2/repository
+
+build:
+  stage: build
+  script:
+    - mvn compile
+
+test:
+  stage: test
+  script:
+    - mvn test
+    - mvn jacoco:report
+  coverage: '/Total.*?([0-9]{1,3})%/'
+  artifacts:
+    reports:
+      junit: target/surefire-reports/TEST-*.xml
+
+package:
+  stage: package
+  script:
+    - mvn package -DskipTests
+  artifacts:
+    paths:
+      - target/*.jar
+```
+
+## Multi-Stage with Environments
+```yaml
+stages:
+  - build
+  - test
+  - staging
+  - production
+
+build:
+  stage: build
+  script:
+    - npm ci
+    - npm run build
+  artifacts:
+    paths:
+      - dist/
+
+test:
+  stage: test
+  script:
+    - npm test
+
+deploy-staging:
+  stage: staging
+  script:
+    - echo "Deploying to staging"
+    - kubectl set image deployment/app app=$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA -n staging
+  environment:
+    name: staging
+    url: https://staging.example.com
+  only:
+    - develop
+
+deploy-production:
+  stage: production
+  script:
+    - echo "Deploying to production"
+    - kubectl set image deployment/app app=$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA -n production
+  environment:
+    name: production
+    url: https://app.example.com
+  when: manual
+  only:
+    - main
+```
+
+## Docker with Buildx (Multi-arch)
+```yaml
+docker-multiarch:
+  stage: build
+  image: docker:latest
+  services:
+    - docker:dind
+  before_script:
+    - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+    - docker buildx create --use --name multiarch
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+  script:
+    - docker buildx build --platform linux/amd64,linux/arm64 -t $CI_REGISTRY_IMAGE:latest --push .
+```
+
+## Security Scanning
+```yaml
+include:
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/Dependency-Scanning.gitlab-ci.yml
+  - template: Security/Container-Scanning.gitlab-ci.yml
+
+container_scanning:
+  variables:
+    DOCKER_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
+  dependencies:
+    - docker-build
+```
+
+## Best Practices
+1. **Caching**: Cache dependencies (`node_modules/`, `.m2/`, `.cargo/`)
+2. **Artifacts**: Pass build outputs between stages
+3. **Environments**: Use GitLab environments for deployment tracking
+4. **Manual Gates**: Use `when: manual` for production deployments
+5. **Templates**: Use `include:` to reuse common configurations
+6. **Variables**: Store secrets in GitLab CI/CD Variables (masked & protected)
+7. **Docker Layer Caching**: Use `DOCKER_BUILDKIT=1` for faster builds
+8. **Coverage**: Use `coverage:` regex to display coverage in merge requests
+9. **Resource Groups**: Prevent concurrent deployments to the same environment
+10. **Rules**: Use `rules:` instead of `only:`/`except:` for modern syntax

package/dist/containers/docker-multistage.md

@@ -0,0 +1,120 @@
+# Docker Multi-Stage Build Best Practices
+
+## Overview
+Multi-stage builds reduce image size and improve security by separating build-time and runtime dependencies.
+
+## Basic Pattern
+```dockerfile
+# Stage 1: Build
+FROM builder-image AS builder
+WORKDIR /build
+COPY source files
+RUN build commands
+
+# Stage 2: Runtime
+FROM runtime-image
+WORKDIR /app
+COPY --from=builder /build/artifacts .
+CMD ["run", "app"]
+```
+
+## Language-Specific Optimizations
+
+### Go
+```dockerfile
+FROM golang:1.21-alpine AS builder
+WORKDIR /build
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o app
+
+FROM scratch
+COPY --from=builder /build/app /app
+ENTRYPOINT ["/app"]
+```
+
+### Rust
+```dockerfile
+FROM rust:1.75-alpine AS builder
+WORKDIR /build
+RUN apk add --no-cache musl-dev
+COPY Cargo.toml Cargo.lock ./
+RUN mkdir src && echo "fn main() {}" > src/main.rs && cargo build --release && rm -rf src
+COPY src ./src
+RUN touch src/main.rs && cargo build --release
+
+FROM alpine:latest
+RUN apk add --no-cache ca-certificates
+COPY --from=builder /build/target/release/app /app
+CMD ["/app"]
+```
+
+### Node.js
+```dockerfile
+FROM node:20-alpine AS builder
+WORKDIR /build
+COPY package*.json ./
+RUN npm ci --only=production
+
+FROM node:20-alpine
+WORKDIR /app
+COPY --from=builder /build/node_modules ./node_modules
+COPY . .
+CMD ["node", "index.js"]
+```
+
+### Java/Spring Boot
+```dockerfile
+FROM maven:3.9-eclipse-temurin-21 AS builder
+WORKDIR /build
+COPY pom.xml .
+RUN mvn dependency:go-offline
+COPY src ./src
+RUN mvn package -DskipTests
+
+FROM eclipse-temurin:21-jre-alpine
+WORKDIR /app
+COPY --from=builder /build/target/*.jar app.jar
+ENTRYPOINT ["java", "-jar", "app.jar"]
+```
+
+### Python
+```dockerfile
+FROM python:3.12-slim AS builder
+WORKDIR /build
+RUN pip install --no-cache-dir poetry
+COPY pyproject.toml poetry.lock ./
+RUN poetry export -f requirements.txt -o requirements.txt --without-hashes
+RUN pip wheel --no-cache-dir --wheel-dir /wheels -r requirements.txt
+
+FROM python:3.12-slim
+WORKDIR /app
+COPY --from=builder /wheels /wheels
+RUN pip install --no-cache-dir /wheels/*
+COPY . .
+CMD ["python", "main.py"]
+```
+
+## Security Hardening
+- Use specific image tags, not `latest`
+- Run as non-root user: `USER 1000:1000`
+- Scan images: `docker scout cves image:tag`
+- Use distroless or alpine base images
+- Multi-platform builds: `docker buildx build --platform linux/amd64,linux/arm64`
+
+## .dockerignore Template
+```
+node_modules
+.git
+.env
+*.log
+dist
+coverage
+.vscode
+```
+
+## Build Optimization
+- Layer caching: COPY dependency files before source code
+- Parallel builds: `RUN cmd1 & cmd2 & wait`
+- Build contexts: Use `.dockerignore` to exclude unnecessary files