npm - @smi-digital/create-smi-app - Versions diffs - 2.6.0 → 2.7.1 - Mend

@smi-digital/create-smi-app 2.6.0 → 2.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.js CHANGED Viewed

@@ -667,6 +667,33 @@ async function initializeGitRepository(projectRoot) {
     );
   }
 }
+async function activateVaultFilter(projectRoot) {
+  try {
+    await access2(join6(projectRoot, ".vault-password"));
+  } catch {
+    return;
+  }
+  const setFilter = async (key, value) => runCommandQuiet2(
+    "git",
+    ["config", `filter.ansible-vault.${key}`, value],
+    projectRoot
+  );
+  try {
+    await setFilter(
+      "clean",
+      "ansible-vault encrypt --vault-password-file .vault-password --output=- -"
+    );
+    await setFilter(
+      "smudge",
+      "ansible-vault decrypt --vault-password-file .vault-password --output=- -"
+    );
+    await setFilter("required", "true");
+  } catch {
+    console.warn(
+      "Could not configure the Ansible-Vault git filter automatically. Run `npm run setup:vault` before committing."
+    );
+  }
+}
 async function createScaffold(options, targetDir, templatesDir) {
   const projectName = options.projectName.trim();
   if (!projectName) {
@@ -694,6 +721,12 @@ async function createScaffold(options, targetDir, templatesDir) {
   }
   await createApps(projectRoot, getAppTargets(options));
   await createIntegrations(options, projectRoot, templatesDir);
+  if (options.configureCd) {
+    await runStep(
+      "Activating Ansible-Vault git filter",
+      async () => activateVaultFilter(projectRoot)
+    );
+  }
   if (options.tools.includes("basic")) {
     await runStep(
       "Installing root dependencies",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@smi-digital/create-smi-app",
-  "version": "2.6.0",
+  "version": "2.7.1",
   "description": "",
   "main": "dist/index.js",
   "bin": {

package/templates/.husky/pre-commit CHANGED Viewed

@@ -1,2 +1,15 @@
 #!/usr/bin/env sh
-npx lint-staged
+npx lint-staged
+# Safety net: never let an unencrypted production env file reach a commit.
+# The Ansible-Vault git filter normally encrypts these as they are staged; this
+# guard inspects the *staged* blob and aborts if the filter was inactive (e.g.
+# on a fresh clone where `npm run setup:vault` was not re-run) and a plaintext
+# secret slipped through. No-op for projects without production.*.env files.
+staged_envs=$(git diff --cached --name-only --diff-filter=ACM | grep -E '^production\..*\.env$' || true)
+for f in $staged_envs; do
+  if ! git show ":$f" | head -n 1 | grep -q 'ANSIBLE_VAULT'; then
+    echo "✖ $f is staged UNENCRYPTED. Run 'npm run setup:vault', re-stage the file, then commit." >&2
+    exit 1
+  fi
+done

package/templates/integrations/strapi-astro/.github/workflows/deploy.yml.template CHANGED Viewed

@@ -13,7 +13,6 @@ jobs:
       project_domain: __PROJECT_DOMAIN__
       backend_domain: __BACKEND_DOMAIN__
       app_name: __APP_NAME__
-      image_tag: latest
     secrets:
       # These secrets must be configured at the Organization or Repository level:
       SERVER_SSH_KEY: ${{ secrets.SERVER_SSH_KEY }}

package/templates/integrations/strapi-astro/Dockerfile.backend.template CHANGED Viewed

@@ -4,7 +4,7 @@
 # ========================================================
 # Stage 1: Builder
-FROM node:24-alpine as builder
+FROM node:24-alpine AS builder
 # Installing libvips-dev for sharp Compatibility
 RUN apk update && apk add --no-cache build-base gcc autoconf automake zlib-dev libpng-dev vips-dev curl > /dev/null 2>&1
@@ -20,7 +20,7 @@ RUN npm run build
 # Stage 2: Production
 FROM node:24-alpine
-RUN apk update && apk add --no-cache vips-dev curl > /dev/null 2>&1
+RUN apk update && apk add --no-cache vips-dev > /dev/null 2>&1
 ARG NODE_ENV=production
 ENV NODE_ENV=${NODE_ENV}

package/templates/integrations/strapi-astro/Dockerfile.frontend.ssr.template CHANGED Viewed

@@ -1,31 +1,31 @@
 # ========================================================
-# EXAMPLE: Dockerfile for Astro SSR (Server-Side Rendering)
+# Dockerfile for Astro SSR (Server-Side Rendering)
 # Place this in your /frontend folder and name it 'Dockerfile'
+#
+# Uses npm + the committed package-lock.json so installs are reproducible,
+# and the @astrojs/node adapter for the runtime (matches `astro add node`).
 # ========================================================
-# Stage 1: Build with Bun
-FROM oven/bun:1 as builder
+# Stage 1: Build
+FROM node:24-alpine AS builder
 WORKDIR /app
 COPY package.json package-lock.json ./
-RUN bun install
+RUN npm ci
 COPY . .
-RUN bun run build
+RUN npm run build
-# Stage 2: Serve dynamic application using Bun
-FROM oven/bun:1-alpine
+# Stage 2: Serve the SSR server bundle
+FROM node:24-alpine
 WORKDIR /app
-# Copy the built SSR server bundle and node_modules
+# Copy the built SSR server bundle and its dependencies
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/dist ./dist
 COPY --from=builder /app/package.json ./
-# Expose port 4321 (Matches the 'frontend_port' logic in Ansible for SSR)
 EXPOSE 4321
-# Default environment variables
 ENV HOST=0.0.0.0
 ENV PORT=4321
-# Start the server (Adjust entrypoint depending on your Astro Node/Bun adapter)
-CMD ["bun", "./dist/server/entry.mjs"]
+# @astrojs/node standalone server entrypoint
+CMD ["node", "./dist/server/entry.mjs"]

package/templates/integrations/strapi-astro/docker-compose.yml.template CHANGED Viewed

@@ -2,7 +2,7 @@ services:
   __APP_NAME__-strapi:
     container_name: __APP_NAME__-strapi
     # The image is built in CI and pushed to Zot
-    image: registry.smi-digital.com/__APP_NAME__-strapi:${IMAGE_TAG:-latest}
+    image: registry.smi-digital.com/__APP_NAME__-strapi:latest
     restart: unless-stopped
     env_file:
       - ./backend.env
@@ -12,7 +12,8 @@ services:
     networks:
       - agency_shared_network
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:1337/admin"]
+      # node-based (no curl dependency): node is always present in the image
+      test: ["CMD", "node", "-e", "fetch('http://localhost:1337/admin').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"]
       interval: 10s
       timeout: 5s
       retries: 15
@@ -30,7 +31,7 @@ services:
   __APP_NAME__-astro:
     container_name: __APP_NAME__-astro
-    image: registry.smi-digital.com/__APP_NAME__-astro:${IMAGE_TAG:-latest}
+    image: registry.smi-digital.com/__APP_NAME__-astro:latest
     restart: unless-stopped
     env_file:
       - ./frontend.env
@@ -40,7 +41,8 @@ services:
       __APP_NAME__-strapi:
         condition: service_healthy
     healthcheck:
-      test: ["CMD", "wget", "-q", "--spider", "http://localhost:4321"]
+      # node-based liveness (image is node:alpine); any HTTP response = server up
+      test: ["CMD", "node", "-e", "fetch('http://localhost:4321/').then(() => process.exit(0)).catch(() => process.exit(1))"]
       interval: 5s
       timeout: 2s
       retries: 5
@@ -59,7 +61,7 @@ services:
     depends_on:
       - __APP_NAME__-astro
     healthcheck:
-      test: ["CMD", "wget", "-q", "--spider", "http://localhost/"]
+      test: ["CMD", "wget", "-q", "-O", "/dev/null", "http://localhost/"]
       interval: 5s
       timeout: 2s
       retries: 5

package/templates/integrations/strapi-astro/production.backend.env.template CHANGED Viewed

@@ -1,9 +1,13 @@
 # ==============================================================================
 # PRODUCTION BACKEND SECRETS (Strapi)
-#
-# 🚨 SECURITY WARNING 🚨
-# This file MUST be encrypted before committing to Git!
-# Run: ansible-vault encrypt production.backend.env --vault-password-file .vault-password
+#
+# 🔒 Encrypted automatically by the Ansible-Vault git filter.
+# Edit in plaintext locally — it is encrypted on commit (GitHub only ever stores
+# ciphertext) and decrypted again on checkout. The deploy decrypts it on the
+# server. Do NOT run `ansible-vault encrypt` by hand; the filter handles it.
+#
+# If `git status` shows this file as plaintext after staging, the filter is not
+# active on this machine — run `npm run setup:vault` before committing.
 # ==============================================================================
 # Strapi System Keys (Automatically generated by create-smi-app)

package/templates/integrations/strapi-astro/production.frontend.env.template CHANGED Viewed

@@ -1,9 +1,13 @@
 # ==============================================================================
 # PRODUCTION FRONTEND SECRETS (Astro SSR)
-#
-# 🚨 SECURITY WARNING 🚨
-# This file MUST be encrypted before committing to Git!
-# Run: ansible-vault encrypt production.frontend.env --vault-password-file .vault-password
+#
+# 🔒 Encrypted automatically by the Ansible-Vault git filter.
+# Edit in plaintext locally — it is encrypted on commit (GitHub only ever stores
+# ciphertext) and decrypted again on checkout. The deploy decrypts it on the
+# server. Do NOT run `ansible-vault encrypt` by hand; the filter handles it.
+#
+# If `git status` shows this file as plaintext after staging, the filter is not
+# active on this machine — run `npm run setup:vault` before committing.
 # ==============================================================================
 # Internal Docker Network routing (Do not change)