@tomei/sso 0.64.1 → 0.65.1-test.1

package/.commitlintrc.json

@@ -1,22 +1,22 @@
-{
-  "extends": [
-    "@commitlint/config-conventional"
-  ],
-  "rules": {
-    "header-max-length": [ 2, "always", 120 ],
-    "type-enum": [
-      2,
-      "always",
-      [
-        "breaking",
-        "feat",
-        "fix",
-        "refactor",
-        "config",
-        "test",
-        "docs",
-        "chore"
-      ]
-    ]
-  }
-}
+{
+  "extends": [
+    "@commitlint/config-conventional"
+  ],
+  "rules": {
+    "header-max-length": [ 2, "always", 120 ],
+    "type-enum": [
+      2,
+      "always",
+      [
+        "breaking",
+        "feat",
+        "fix",
+        "refactor",
+        "config",
+        "test",
+        "docs",
+        "chore"
+      ]
+    ]
+  }
+}

package/.gitlab-ci.yml

@@ -1,16 +1,237 @@
-variables:
-  SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
-  GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
-sonarcloud-check:
-  image:
-    name: sonarsource/sonar-scanner-cli:latest
-    entrypoint: [""]
-  cache:
-    key: "${CI_JOB_NAME}"
-    paths:
-      - .sonar/cache
-  script:
-    - sonar-scanner
-  only:
-    - merge_requests
-    - main
+# ============================================================
+# .gitlab-ci.yml — npm package with trusted publishing (OIDC)
+#
+# Project path: all-tomei-projects/tomei-package/General/<package-name>
+#
+# Tag patterns:
+#   test-vX.Y.Z-rc.N     → npm publish --tag test    (RC for test env)
+#   staging-vX.Y.Z-rc.N  → npm publish --tag staging (RC for staging env)
+#   prod-vX.Y.Z          → npm publish --tag latest  (production, manual gate)
+#   prod-vX.Y.Z-hotfix.N → npm publish --tag latest  (hotfix, manual gate)
+#
+# No NPM_TOKEN secret needed — OIDC trusted publishing only.
+#
+# Required CI/CD variables (Settings → CI/CD → Variables):
+#   DISCORD_WEBHOOK  — Discord incoming webhook URL (masked)
+#
+# npm side setup required (npmjs.com):
+#   1. package.json → publishConfig.provenance: true
+#   2. npmjs.com → package Settings → Publishing Access
+#      → Enable OIDC publishing for GitLab project:
+#        all-tomei-projects/tomei-package/General/<package-name>
+# ============================================================
+default:
+  image: node:20-alpine
+  tags:
+    - shared
+
+stages:
+  - validate
+  - build
+  - publish
+  - notify
+
+# ────────────────────────────────────────────────────────────
+# STAGE: validate
+# Runs lint and unit tests before publish
+# Skipped on prod tags — code already validated on test + staging
+# ────────────────────────────────────────────────────────────
+lint:
+  stage: validate
+  cache:
+    key: node-$CI_COMMIT_REF_SLUG
+    paths: [node_modules/]
+  script:
+    - npm ci
+    - npm run lint
+  rules:
+    - if: '$CI_COMMIT_TAG =~ /^test-v/'
+    - if: '$CI_COMMIT_TAG =~ /^staging-v/'
+
+unit-test:
+  stage: validate
+  cache:
+    key: node-$CI_COMMIT_REF_SLUG
+    paths: [node_modules/]
+  script:
+    - npm ci
+    - npm test
+  coverage: '/Lines\s*:\s*(\d+\.?\d*)%/'
+  artifacts:
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: coverage/cobertura-coverage.xml
+    expire_in: 7 days
+  rules:
+    - if: '$CI_COMMIT_TAG =~ /^test-v/'
+    - if: '$CI_COMMIT_TAG =~ /^staging-v/'
+
+# ────────────────────────────────────────────────────────────
+# STAGE: build
+# Compiles the package (tsc / rollup / whatever your build uses)
+# Artifacts passed to publish jobs
+# Runs on all tag patterns
+# ────────────────────────────────────────────────────────────
+build:
+  stage: build
+  cache:
+    key: node-$CI_COMMIT_REF_SLUG
+    paths: [node_modules/]
+  script:
+    - npm ci
+    - npm run build
+  artifacts:
+    paths:
+      - dist/
+    expire_in: 1 hour
+  rules:
+    - if: '$CI_COMMIT_TAG =~ /^test-v/'
+    - if: '$CI_COMMIT_TAG =~ /^staging-v/'
+    - if: '$CI_COMMIT_TAG =~ /^prod-v/'
+
+# ────────────────────────────────────────────────────────────
+# STAGE: publish — test RC
+# Triggered by: test-vX.Y.Z-rc.N tag
+# Publishes with dist-tag "test"
+# Consumers must opt in: npm install @tomei/pkg@test
+# Version stamped: test-v1.24.0-rc.1 → 1.24.0-rc.1
+# ────────────────────────────────────────────────────────────
+publish-test:
+  stage: publish
+  needs: [build]
+  rules:
+    - if: '$CI_COMMIT_TAG =~ /^test-v/'
+  script:
+    - echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
+    - cat ~/.npmrc  # verify .npmrc content
+    - |
+      RC_VERSION=$(echo "$CI_COMMIT_TAG" | sed 's/^test-v\([0-9.]*\)-rc\.\([0-9]*\)$/\1-test.\2/')
+      echo "Publishing version $RC_VERSION with dist-tag: test"
+      npm version "$RC_VERSION" --no-git-tag-version --ignore-scripts --force
+      npm publish --tag test --access public
+      echo "Published: @$(node -p "require('./package.json').name")@$RC_VERSION [test]"
+
+# ────────────────────────────────────────────────────────────
+# STAGE: publish — staging RC
+# Triggered by: staging-vX.Y.Z-rc.N tag
+# Publishes with dist-tag "staging"
+# Consumers must opt in: npm install @tomei/pkg@staging
+# Version stamped: staging-v1.24.0-rc.1 → 1.24.0-rc.1
+# ────────────────────────────────────────────────────────────
+publish-staging:
+  stage: publish
+  needs: [build]
+  rules:
+    - if: '$CI_COMMIT_TAG =~ /^staging-v/'
+  script:
+    - echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
+    - |
+      RC_VERSION=$(echo "$CI_COMMIT_TAG" | sed 's/^staging-v\([0-9.]*\)-rc\.\([0-9]*\)$/\1-staging.\2/')
+      echo "Publishing version $RC_VERSION with dist-tag: staging"
+      npm version "$RC_VERSION" --no-git-tag-version --ignore-scripts --force
+      npm publish --tag staging --access public
+      echo "Published: @$(node -p "require('./package.json').name")@$RC_VERSION [staging]"
+
+# ────────────────────────────────────────────────────────────
+# STAGE: publish — production
+# Triggered by: prod-vX.Y.Z or prod-vX.Y.Z-hotfix.N tag (from main only)
+# Publishes with dist-tag "latest" — becomes the default install version
+# Manual gate — human must click Play in GitLab pipeline UI
+# Version stamped: prod-v2.2.0 → 2.2.0 | prod-v2.2.0-hotfix.1 → 2.2.0-hotfix.1
+# ────────────────────────────────────────────────────────────
+publish-prod:
+  stage: publish
+  needs: [build]
+  rules:
+    - if: '$CI_COMMIT_TAG =~ /^prod-v/'
+      when: manual
+      allow_failure: false
+  script:
+    - echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
+    - |
+      PROD_VERSION=$(echo "$CI_COMMIT_TAG" | sed 's/^prod-v//')
+      echo "Publishing version $PROD_VERSION with dist-tag: latest"
+      npm version "$PROD_VERSION" --no-git-tag-version --ignore-scripts --force
+      npm publish --tag latest --access public
+      echo "Published: @$(node -p "require('./package.json').name")@$PROD_VERSION [latest]"
+      echo "Pipeline: $CI_PIPELINE_URL"
+
+# ────────────────────────────────────────────────────────────
+# STAGE: notify — success
+# ────────────────────────────────────────────────────────────
+notify-success:
+  stage: notify
+  image: curlimages/curl:latest
+  needs:
+    - job: publish-test
+      optional: true
+    - job: publish-staging
+      optional: true
+    - job: publish-prod
+      optional: true
+  rules:
+    - if: '$CI_COMMIT_TAG =~ /^test-v/'
+      when: on_success
+    - if: '$CI_COMMIT_TAG =~ /^staging-v/'
+      when: on_success
+    - if: '$CI_COMMIT_TAG =~ /^prod-v/'
+      when: on_success
+  script:
+    - |
+      if echo "$CI_COMMIT_TAG" | grep -q "^test-v"; then
+        DIST_TAG="test"
+        COLOR=3066993
+      elif echo "$CI_COMMIT_TAG" | grep -q "^staging-v"; then
+        DIST_TAG="staging"
+        COLOR=16776960
+      elif echo "$CI_COMMIT_TAG" | grep -q "^prod-v"; then
+        DIST_TAG="latest"
+        COLOR=3066993
+      fi
+
+      curl -s -X POST "$DISCORD_WEBHOOK" \
+        -H "Content-Type: application/json" \
+        -d '{
+          "embeds": [{
+            "title": "Package published successfully",
+            "color": '"$COLOR"',
+            "fields": [
+              {"name": "Package",      "value": "'"$CI_PROJECT_NAME"'",  "inline": true},
+              {"name": "Tag",          "value": "'"$CI_COMMIT_TAG"'",    "inline": true},
+              {"name": "Dist-tag",     "value": "'"$DIST_TAG"'",         "inline": true},
+              {"name": "Published by", "value": "'"$GITLAB_USER_NAME"'", "inline": true},
+              {"name": "Pipeline",     "value": "'"$CI_PIPELINE_URL"'",  "inline": false}
+            ]
+          }]
+        }'
+
+# ────────────────────────────────────────────────────────────
+# STAGE: notify — failure
+# ────────────────────────────────────────────────────────────
+notify-failure:
+  stage: notify
+  image: curlimages/curl:latest
+  rules:
+    - if: '$CI_COMMIT_TAG =~ /^test-v/'
+      when: on_failure
+    - if: '$CI_COMMIT_TAG =~ /^staging-v/'
+      when: on_failure
+    - if: '$CI_COMMIT_TAG =~ /^prod-v/'
+      when: on_failure
+  script:
+    - |
+      curl -s -X POST "$DISCORD_WEBHOOK" \
+        -H "Content-Type: application/json" \
+        -d '{
+          "embeds": [{
+            "title": "Package publish FAILED",
+            "color": 15158332,
+            "fields": [
+              {"name": "Package",    "value": "'"$CI_PROJECT_NAME"'",  "inline": true},
+              {"name": "Tag",        "value": "'"$CI_COMMIT_TAG"'",    "inline": true},
+              {"name": "Failed by",  "value": "'"$GITLAB_USER_NAME"'", "inline": true},
+              {"name": "Pipeline",   "value": "'"$CI_PIPELINE_URL"'",  "inline": false}
+            ]
+          }]
+        }'

package/.husky/commit-msg

@@ -1,16 +1,16 @@
-#!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
-
-npx commitlint --edit $1
-message="$(cat $1)"
-echo "$message"
-a=($(echo "$message" | tr ':' '\n'))
-echo "${a[0]}"
-# if [ "${a[0]}" = "feat" ];
-# then
-#     npm version --commit-hooks false --no-git-tag-version minor
-# else
-#     npm version --commit-hooks false --no-git-tag-version patch
-# fi
-git add .
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npx commitlint --edit $1
+message="$(cat $1)"
+echo "$message"
+a=($(echo "$message" | tr ':' '\n'))
+echo "${a[0]}"
+# if [ "${a[0]}" = "feat" ];
+# then
+#     npm version --commit-hooks false --no-git-tag-version minor
+# else
+#     npm version --commit-hooks false --no-git-tag-version patch
+# fi
+git add .
 git commit -m "$message" --no-verify

package/.husky/pre-commit

@@ -1,7 +1,7 @@
-#!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
-
-npm run lint
-npm run format
-npm run build
-git add .
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npm run lint
+npm run format
+npm run build
+git add .

package/.prettierrc

@@ -1,4 +1,4 @@
-{
-  "singleQuote": true,
-  "trailingComma": "all"
-}
+{
+  "singleQuote": true,
+  "trailingComma": "all"
+}

package/Jenkinsfile

@@ -1,57 +1,57 @@
-pipeline {
-    agent {
-        kubernetes {
-            label 'jenkins-agent'
-            namespace 'devops-tools'
-        }
-    }
-    tools {nodejs "node18"}
-    stages {
-        stage('Install') {
-            steps {
-                echo 'Install Dependencies..'
-                sh 'npm install'
-            }
-        }
-        stage('Test') {
-            steps {
-                echo 'Testing..'
-                sh 'npm run test'
-            }
-        }
-        stage('Build') {
-            steps {
-                echo 'Building..'
-                sh 'npm run build'
-            }
-        }
-        stage('Publish') {
-            steps {
-                echo 'Publish..'
-                withCredentials([
-                    usernamePassword(credentialsId: 'npm-auth-token', usernameVariable: 'NPM_USERNAME', passwordVariable: 'AUTH_TOKEN')
-                ]) {
-                sh "npm set //registry.npmjs.org/:_authToken=$AUTH_TOKEN"
-                sh "npm publish"
-            }
-        }
-}
-    }
-
-    post {
-        success {
-            script {
-                def gitAuthor = sh(returnStdout: true, script: 'git log -1 --pretty=format:%an').trim()
-                discordSend description: "Git Commit: ${env.GIT_COMMIT}\nGit Branch: ${env.GIT_BRANCH}\nGit URL: ${env.GIT_URL}\nGit Author: ${gitAuthor}", footer: '', image: '', link: env.BUILD_URL, result: 'SUCCESS', scmWebUrl: '', thumbnail: '', title: "${env.JOB_NAME} Build #${env.BUILD_NUMBER} Success", webhookURL: 'https://discord.com/api/webhooks/1117705705466642434/UWgw32kQerM5HOr-fcCYD2aQxE1koeN_4CSCEzDZz1EAI3vNaysAw0YU7YUrb4TozOw0'
-            }
-        }
-
-        failure {
-            script {
-                def gitAuthor = sh(returnStdout: true, script: 'git log -1 --pretty=format:%an').trim()
-                discordSend description: "Git Commit: ${env.GIT_COMMIT}\nGit Branch: ${env.GIT_BRANCH}\nGit URL: ${env.GIT_URL}\nGit Author: ${gitAuthor}", footer: '', image: '', link: env.BUILD_URL, result: 'FAILURE', scmWebUrl: '', thumbnail: '', title: "${env.JOB_NAME} Build #${env.BUILD_NUMBER} Failed", webhookURL: 'https://discord.com/api/webhooks/1117705705466642434/UWgw32kQerM5HOr-fcCYD2aQxE1koeN_4CSCEzDZz1EAI3vNaysAw0YU7YUrb4TozOw0'
-            }
-        }
-    } 
-
-}
+pipeline {
+    agent {
+        kubernetes {
+            label 'jenkins-agent'
+            namespace 'devops-tools'
+        }
+    }
+    tools {nodejs "node18"}
+    stages {
+        stage('Install') {
+            steps {
+                echo 'Install Dependencies..'
+                sh 'npm install'
+            }
+        }
+        stage('Test') {
+            steps {
+                echo 'Testing..'
+                sh 'npm run test'
+            }
+        }
+        stage('Build') {
+            steps {
+                echo 'Building..'
+                sh 'npm run build'
+            }
+        }
+        stage('Publish') {
+            steps {
+                echo 'Publish..'
+                withCredentials([
+                    usernamePassword(credentialsId: 'npm-auth-token', usernameVariable: 'NPM_USERNAME', passwordVariable: 'AUTH_TOKEN')
+                ]) {
+                sh "npm set //registry.npmjs.org/:_authToken=$AUTH_TOKEN"
+                sh "npm publish"
+            }
+        }
+}
+    }
+
+    post {
+        success {
+            script {
+                def gitAuthor = sh(returnStdout: true, script: 'git log -1 --pretty=format:%an').trim()
+                discordSend description: "Git Commit: ${env.GIT_COMMIT}\nGit Branch: ${env.GIT_BRANCH}\nGit URL: ${env.GIT_URL}\nGit Author: ${gitAuthor}", footer: '', image: '', link: env.BUILD_URL, result: 'SUCCESS', scmWebUrl: '', thumbnail: '', title: "${env.JOB_NAME} Build #${env.BUILD_NUMBER} Success", webhookURL: 'https://discord.com/api/webhooks/1117705705466642434/UWgw32kQerM5HOr-fcCYD2aQxE1koeN_4CSCEzDZz1EAI3vNaysAw0YU7YUrb4TozOw0'
+            }
+        }
+
+        failure {
+            script {
+                def gitAuthor = sh(returnStdout: true, script: 'git log -1 --pretty=format:%an').trim()
+                discordSend description: "Git Commit: ${env.GIT_COMMIT}\nGit Branch: ${env.GIT_BRANCH}\nGit URL: ${env.GIT_URL}\nGit Author: ${gitAuthor}", footer: '', image: '', link: env.BUILD_URL, result: 'FAILURE', scmWebUrl: '', thumbnail: '', title: "${env.JOB_NAME} Build #${env.BUILD_NUMBER} Failed", webhookURL: 'https://discord.com/api/webhooks/1117705705466642434/UWgw32kQerM5HOr-fcCYD2aQxE1koeN_4CSCEzDZz1EAI3vNaysAw0YU7YUrb4TozOw0'
+            }
+        }
+    } 
+
+}

package/README.md

@@ -1,23 +1,23 @@
-## SSO Package
-
-### How to use
-- run `npm i`
-- Make sure you set the environment in .sampledotenv in your project `.env` file
-- run `npm run start:dev`
-
-### How create a new migration
-- Make sure you have `DATABASE_URL` and `SHADOW_DATABASE_URL` in your project `.env` file
-- create a new empty database. dont do migration on it and set the `SHADOW_DATABASE_URL` to it
-- Create a database user 
-- Grant the above user privileges to alter sso tables and shadow database. The user should have access to the sso table and shadow database only. Use `create-sso-user.sql` as an example to create the user and grant privileges
-- Make changes to the `schema.prisma` file 
-- Run `npx prisma migrate dev --name <migration-name> --preview-feature --create-only` to create the migration. The migration will be created in the `migrations` folder.
-- open the newly created migration. review the migration and make changes if necessary.
-
-notes:
-- if you create a new table, after migration has been created, change the default character set to `latin1` from `utf8mb4` and remove COLLATE phrase.please also add it to the `create-sso-user.sql` file for references
-
-### How to run migration
-- run `npx prisma migrate deploy` to run the migration
-- run `npx prisma generate` to generate the prisma client
-
+## SSO Package
+
+### How to use
+- run `npm i`
+- Make sure you set the environment in .sampledotenv in your project `.env` file
+- run `npm run start:dev`
+
+### How create a new migration
+- Make sure you have `DATABASE_URL` and `SHADOW_DATABASE_URL` in your project `.env` file
+- create a new empty database. dont do migration on it and set the `SHADOW_DATABASE_URL` to it
+- Create a database user 
+- Grant the above user privileges to alter sso tables and shadow database. The user should have access to the sso table and shadow database only. Use `create-sso-user.sql` as an example to create the user and grant privileges
+- Make changes to the `schema.prisma` file 
+- Run `npx prisma migrate dev --name <migration-name> --preview-feature --create-only` to create the migration. The migration will be created in the `migrations` folder.
+- open the newly created migration. review the migration and make changes if necessary.
+
+notes:
+- if you create a new table, after migration has been created, change the default character set to `latin1` from `utf8mb4` and remove COLLATE phrase.please also add it to the `create-sso-user.sql` file for references
+
+### How to run migration
+- run `npx prisma migrate deploy` to run the migration
+- run `npx prisma generate` to generate the prisma client
+