You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* chore: migrate from yarn to pnpm
KK-1539
- Pin pnpm@11.5.0 via packageManager field + engines.pnpm
- Convert yarn.lock to pnpm-lock.yaml via pnpm import
- Translate yarn resolutions to pnpm overrides in pnpm-workspace.yaml
- Add supply-chain guardrail: minimumReleaseAge 10080
- Allow native build scripts: esbuild, full-icu, @ffmpeg-installer
- Declare formerly-phantom deps that yarn's flat node_modules
hoisted (lodash, react-query, react-hook-form, react-router,
react-router-dom, ra-core, ra-i18n-polyglot, @mui/styled-engine),
deduped to the versions react-admin already resolves
- Drop stale v5 @types/react-router* (code uses v6, ships own types)
- Remove CRA-leftover src/react-app-env.d.ts (imported react-scripts)
- Update Dockerfile to install pnpm via corepack (ubi9/Node 20)
- CI to City-of-Helsinki/.github ci-pnpm-node.yml reusable workflow
- Replace yarn with pnpm in husky hooks, lint-staged, README, scripts
- Add yarn.lock, .yarn/, .yarnrc.yml to .gitignore
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* feat: runtime env config, Node 24 and Helsinki base images
KK-1539
Phase 2 of the pnpm migration: adopt the runtime environment
configuration approach from kukkuu-ui (PR #757) and move onto the
shared Helsinki base images on Node 24.
- Add envUtils getEnvValue(key): window._env_ -> process.env ->
import.meta.env fallback (src/common/utils/envUtils.ts)
- Generate public/env-config.js via scripts/update-runtime-env.ts,
load it in index.html; add src/types/env.d.ts and tsx devDep
- Prefix start/build scripts with update-runtime-env
- Migrate all import.meta.env.VITE_* reads to getEnvValue
- Bump to Node 24 (.nvmrc, engines.node, @types/node, CI)
- Dockerfile: ubi9/nodejs-24-pnpm-builder-base builder +
ubi10/nginx-126-spa-standard production with runtime env.sh
injection; COPY .env.example as .env; drop build-time VITE_ args
(kept VITE_CSP_REPORT_URI for the index.html CSP)
- Remove the custom .prod/nginx.conf.template (base image provides
nginx and the /readiness endpoint)
- Ignore generated env-config.js in eslint/prettier
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix: restrict runtime env-config.js to VITE_ keys (no secret leakage)
KK-1539
env-config.js is served publicly, so anything in window._env_ is
world-readable. Harden the runtime env injection so it cannot expose
secrets, restoring the secure-by-default boundary that Vite's envPrefix
gave the old import.meta.env model.
- update-runtime-env.ts: emit only VITE_-prefixed keys (plus NODE_ENV)
into env-config.js, mirroring Vite's envPrefix. Secrets such as
BROWSER_TESTS_JWT_SIGN_SECRET can no longer leak into the browser
bundle even if present in the build/runtime environment.
- .env.example: drop BROWSER_TESTS_* keys. This file is also copied
into the production image as the env-config.js key template;
browser-test settings (incl. secrets) belong in .env.test.local
(see .env.test.local.example).
Recommended hardening for other City-of-Helsinki SPAs using the same
runtime env-config.js pattern.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* build: temporaly ref to review pipeline
* chore: sync pnpm lockfile with main's vite 8 / vitest 4 bumps
* fix: parse boolean env vars correctly, fix OIDC scope error label
Address bot review findings on PR #394:
- Add getEnvBoolean() helper. getEnvValue() returns env values as strings,
so Boolean(value) treated "false"/"0" as true. This broke
IS_TEST_ENVIRONMENT (".env.example"/".env.test" set it to 0, so it was
always true) and made VITE_OIDC_AUTOMATIC_SILENT_RENEW_ENABLED impossible
to disable. The helper recognizes true/1 and false/0 (case-insensitive).
- Fix trailing-comma typo in the VITE_OIDC_SCOPE getEnvOrError label.
- Add regression tests for IS_TEST_ENVIRONMENT parsing.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* build: trim Docker build context via .dockerignore
Address review feedback (mikkojamG) on the broad `COPY . ./` in the
build stage. The final production image is already lean (only /build
is copied into the nginx stage), but the shared appbase/staticbuilder
layers and the build context pulled in everything. Exclude paths
outside the production build graph (tsconfig "include" is ["src"]):
tests, browser-tests, docs, pipelines, .github, and the
codegen/lint/release tooling and quality reports.
Also:
- exclude *.local env files so local secrets (e.g. the browser-test
JWT secret in .env.test.local) are never baked into an image layer.
- fix a stale entry: LICENSE -> LICENSE.md (old pattern never matched).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* build: copy only build-needed files in Dockerfile
Replace the broad `COPY . ./` in the build stage with explicit copies,
matching the pattern used in other City-of-Helsinki UI repos (e.g.
kerrokantasi-ui). Per stage:
- copy scripts/, public/ and .env* before running update-runtime-env;
- copy the build configs (Vite, .babelrc for @vitejs/plugin-react, and
the eslint/prettier configs run by @nabla/vite-plugin-eslint) plus
src/ for the `tsc && vite build`.
Editing src/ no longer invalidates the install/update-runtime-env
layers, and only the production build graph enters the image.
Verified locally: staticbuilder, production and development targets all
build successfully (tsc + vite build pass, assets emitted).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix: sanitize env before copying to container
* fix: set dev OIDC config for review env browser tests
The browser-test harness mints its login-bypass session for the
dev OIDC client (kukkuu-admin-ui-dev) and uses the dev API, but the
deployed review app read its client id from env-config.js, which
fell back to the test default (kukkuu-admin-ui-test) from
.env.example. oidc-client-ts keys the stored session as
oidc.user:{authority}:{client_id}, so the mismatch meant the app
never found the injected session and every test was stuck on the
login page.
Override the dev VITE_OIDC_* / VITE_API_URI values in the review
pipeline's configMap so the runtime env-config.js matches what the
harness expects. The kukkuu-pipelines template ref (pnpm_KK-1539)
currently omits these; this override can be dropped once that ref
is reverted to default.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* build: removed temporal ref
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Tero Virtanen <tero.tapio.virtanen@gmail.com>
0 commit comments