.eslintignore

@@ -0,0 +1 @@
+.gitignore

.eslintrc.js

@@ -1,10 +1,7 @@
 module.exports = {
-  extends: ['./node_modules/@api3/commons/dist/eslint/universal', './node_modules/@api3/commons/dist/eslint/jest'],
+  extends: ['plugin:@api3/eslint-plugin-commons/universal', 'plugin:@api3/eslint-plugin-commons/jest'],
   parserOptions: {
     project: ['./tsconfig.json', './packages/*/tsconfig.json'],
   },
-  rules: {
-    '@typescript-eslint/prefer-destructuring': 'off', // The commons universal ESLint configuration already uses "prefer-destructuring" and this extended version is not needed.
-    '@typescript-eslint/max-params': 'off', // It is sometimes necessary to have enough arguments. This rule is too strict.
-  },
+  rules: {},
 };

.github/workflows/main.yml

@@ -1,12 +1,26 @@
+########################################################################################
+# The following secrets are required:
+#
+# 1. GH_ACCESS_TOKEN - A "fine-grained personal access token" generated through the
+#    Github UI. It seems like these tokens are scoped to a user, rather than an
+#    organisation.
+#
+#    The following minimum permissions are required:
+#      Read - access to metadata
+#      Read & write - access to actions and code
+# 2. GH_USER_NAME - The name (not username) associated with the Git user. e.g. John Smith
+# 3. GH_USER_EMAIL - The email associated with the Git user
+# 4. NPM_TOKEN - A token for publishing to npm
+# 5. DOCKERHUB_USERNAME - Username for publishing to Docker Hub
+# 6. DOCKERHUB_TOKEN - Docker Hub publishing token
+########################################################################################
 name: Continuous Build
 
 on:
   push:
     branches:
       - main
   pull_request:
-    branches:
-      - main
 
 jobs:
   documentation:
@@ -24,13 +38,11 @@ jobs:
       - name: Clone repo
         uses: actions/checkout@v4
       - name: Install pnpm
-        uses: pnpm/action-setup@v2
-        with:
-          version: 8.x
+        uses: pnpm/action-setup@v4
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: '18.x'
+          node-version: '22.16.0'
           cache: 'pnpm'
       - name: Install Dependencies
         run: pnpm install --frozen-lockfile
@@ -49,13 +61,11 @@ jobs:
       - name: Clone repo
         uses: actions/checkout@v4
       - name: Install pnpm
-        uses: pnpm/action-setup@v2
-        with:
-          version: 8.x
+        uses: pnpm/action-setup@v4
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: '18.x'
+          node-version: '22.16.0'
           cache: 'pnpm'
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -65,6 +75,8 @@ jobs:
         run: pnpm run docker:build
       - name: Copy Airnode feed secrets
         run: cd packages/e2e/src && cp airnode-feed/secrets.example.env airnode-feed/secrets.env
+      - name: Copy Signed API secrets
+        run: cd packages/e2e/src && cp signed-api/secrets.example.env signed-api/secrets.env
       - name: Start services
         # Start the e2e services in the background and wait a small amount of time for them to start.
         run: |
@@ -81,3 +93,90 @@ jobs:
     needs: [documentation, lint-build-test, e2e]
     steps:
       - run: exit 0
+
+  tag-and-release:
+    name: Tag and release
+    runs-on: ubuntu-latest
+    needs: required-checks-passed
+    # Only tag and release on pushes to main
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    strategy:
+      matrix:
+        node-version: [20]
+    permissions:
+      id-token: write
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GH_ACCESS_TOKEN }}
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'pnpm'
+      - name: Configure Git credentials
+        run: |
+          git config --global user.name '${{ secrets.GH_USER_NAME }}'
+          git config --global user.email '${{ secrets.GH_USER_EMAIL }}'
+      - name: Install Dependencies
+        run: pnpm install
+      - name: Build
+        run: pnpm run build
+      - name: Get package.json version
+        id: get-version
+        run: echo "version=$(cat package.json | jq -r '.version' | sed 's/^/v/')" >> $GITHUB_OUTPUT
+      - name: Validate tag
+        id: validate-tag
+        run: test "$(git tag -l '${{ steps.get-version.outputs.version }}' | awk '{print $NF}')" = "${{ steps.get-version.outputs.version }}" || echo "new-tag=true" >> $GITHUB_OUTPUT
+      - name: Tag and release on Github
+        if: ${{ steps.validate-tag.outputs.new-tag }}
+        run: pnpm run release:tag
+        env:
+          GH_ACCESS_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
+      - name: Publish airnode-feed to npm
+        if: ${{ steps.validate-tag.outputs.new-tag }}
+        run: |
+          npm config set "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}"
+          cd packages/airnode-feed && pnpm publish --access public
+        env:
+          NPM_CONFIG_PROVENANCE: true
+      - name: Publish signed-api to npm
+        if: ${{ steps.validate-tag.outputs.new-tag }}
+        run: |
+          npm config set "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}"
+          cd packages/signed-api && pnpm publish --access public
+        env:
+          NPM_CONFIG_PROVENANCE: true
+      - name: Set up Docker Buildx
+        if: ${{ steps.validate-tag.outputs.new-tag }}
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Docker Hub
+        if: ${{ steps.validate-tag.outputs.new-tag }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Build and push airnode-feed Docker image
+        if: ${{ steps.validate-tag.outputs.new-tag }}
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          target: airnode-feed
+          tags: |
+            api3/airnode-feed:latest
+            api3/airnode-feed:${{ steps.get-version.outputs.version }}
+      - name: Build and push signed-api Docker image
+        if: ${{ steps.validate-tag.outputs.new-tag }}
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          target: signed-api
+          tags: |
+            api3/signed-api:latest
+            api3/signed-api:${{ steps.get-version.outputs.version }}

.husky/pre-push

@@ -1,4 +1,2 @@
 #!/bin/sh
-. "$(dirname "$0")/_/husky.sh"
-
 pnpm run prettier:check && pnpm run eslint:check

.prettierignore

@@ -0,0 +1 @@
+.gitignore

Dockerfile

@@ -14,19 +14,26 @@
 # The above commands will allow you to inspect the output of the build stage. You can change the target to debug other
 # stages and verify that the image is correct.
 
-# We use the alpine image because of its small size. The alternative considered was the "slim" image, but it is larger
-# and we already use alpine (without issues) in other projects, so the size reduction seems worth it.
-FROM node:18-alpine AS build
+# Extract the pnpm version from the package.json file and store it in an environment variable.
+FROM node:20-slim AS version-extract
 WORKDIR /app
-RUN npm install -g pnpm
+COPY package.json .
+RUN apt-get update && \
+    apt-get install -y jq && \
+    echo "PNPM_VERSION=$(jq -r .packageManager package.json | sed 's/pnpm@//')" >> /tmp/env-vars
+
+FROM node:20-slim AS build
+WORKDIR /app
+COPY --from=version-extract /tmp/env-vars /tmp/env-vars
+RUN . /tmp/env-vars && npm install -g pnpm@${PNPM_VERSION}
 # Copy just the "pnpm-lock.yaml" file and use "pnpm fetch" to download all dependencies just from the lockfile. This
 # command is specifically designed to improve building a docker image because it only installs the dependencies if the
 # lockfile has changed (otherwise uses the cached value).
 COPY pnpm-lock.yaml /app
 RUN pnpm fetch
 # Copies all of the contents (without files listed in .dockerignore) of the monorepo into the image.
 COPY . /app
-# Ideally, we would use "--offline" option, but it seems pnpm has a bug. Fortunately, the instalation times are similar.
+# Ideally, we would use "--offline" option, but it seems pnpm has a bug. Fortunately, the installation times are similar.
 # See: https://github.com/pnpm/pnpm/issues/6058 for details.
 RUN pnpm install --recursive --prefer-offline
 # Build all packages in the monorepo.
@@ -39,16 +46,18 @@ LABEL application="airnode-feed" description="Airnode feed container"
 FROM build AS deployed-airnode-feed
 
 RUN pnpm --filter=@api3/airnode-feed --prod deploy deployed-airnode-feed
-FROM node:18-alpine as airnode-feed
+FROM node:20-slim as airnode-feed
 WORKDIR /app
-ENV NODE_ENV=production
 
-RUN addgroup -S deployed-airnode-feed && \
-    adduser -h /app -s /bin/false -S -D -H -G deployed-airnode-feed deployed-airnode-feed && \
-    chown -R deployed-airnode-feed /app
-USER deployed-airnode-feed
+# Update package lists and install wget
+RUN apt-get update && \
+    apt-get install --no-install-recommends -y wget ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
 
-COPY --chown=deployed-airnode-feed:deployed-airnode-feed --from=deployed-airnode-feed /app/deployed-airnode-feed .
+RUN chown --recursive node:node /app
+COPY --chown=node:node --from=deployed-airnode-feed /app/deployed-airnode-feed .
+USER node
+ENV NODE_ENV=production
 ENTRYPOINT ["node", "dist/src/index.js"]
 
 # Create a separate stage for signed-api package. We create a temporary stage for deployment and then copy the result
@@ -58,18 +67,23 @@ LABEL application="signed-api" description="Signed API container"
 FROM build AS deployed-signed-api
 
 RUN pnpm --filter=@api3/signed-api --prod deploy deployed-signed-api
-FROM node:18-alpine as signed-api
+FROM node:20-slim as signed-api
 WORKDIR /app
-ENV NODE_ENV=production
 
-# Make sure the non-root user can bind to port 80.
-RUN apk add --no-cache libcap
-RUN setcap 'cap_net_bind_service=+ep' /usr/local/bin/node
+# Update package lists and install wget
+RUN apt-get update && \
+    apt-get install --no-install-recommends -y wget ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
 
-RUN addgroup -S deployed-signed-api && \
-    adduser -h /app -s /bin/false -S -D -H -G deployed-signed-api deployed-signed-api && \
-    chown -R deployed-signed-api /app
-USER deployed-signed-api
+# Update package lists and install libcap
+RUN apt-get update && \
+    apt-get install --no-install-recommends -y libcap2-bin && \
+    rm -rf /var/lib/apt/lists/*
+# Set capabilities to allow Node.js to bind to well-known ports (<1024) as a non-root user
+RUN setcap 'cap_net_bind_service=+ep' /usr/local/bin/node
 
-COPY --chown=deployed-signed-api:deployed-signed-api --from=deployed-signed-api /app/deployed-signed-api .
+RUN chown --recursive node:node /app
+COPY --chown=node:node --from=deployed-signed-api /app/deployed-signed-api .
+USER node
+ENV NODE_ENV=production
 ENTRYPOINT ["node", "dist/src/index.js"]

README.md

@@ -2,8 +2,8 @@
 
 A monorepo for managing signed data. Consists of:
 
-- [api](./packages/signed-api/README.md) - A service for storing and accessing signed data. It provides endpoints to
-  handle signed data for a specific airnode.
+- [signed-api](./packages/signed-api/README.md) - A service for storing and accessing signed data. It provides endpoints
+  to handle signed data for a specific airnode.
 - [airnode-feed](./packages/airnode-feed/README.md) - A service for pushing data provider signed data.
 - [e2e](./packages/e2e/README.md) - End to end test utilizing Mock API, Airnode feed and signed API.
 - [performance-test](./packages/performance-test/README.md) - Configurations and scripts to allow running performance
@@ -27,7 +27,7 @@ and to build the packages:
 pnpm run build
 ```
 
-Note, that everytime you make a change to a workspace that is used as a dependency of another, you need to rebuild the
+Note, that every time you make a change to a workspace that is used as a dependency of another, you need to rebuild the
 changed package (otherwise you might get weird JS/TS errors).
 
 ## Versioning and release
@@ -39,13 +39,10 @@ There is a script that automates the process of creating new NPM packages and Do
 
 1. `pnpm run create-release:npm [major|minor|patch]` - The script ensures publishing happens from up-to-date `main`
    branch. It updates the package versions for `airnode-feed` and `signed-api`, updates fixtures and example files, does
-   basic checks to ensure the changes are valid and creates a version commit with a git tag. The command intentionally
-   does not do the publishing so that the changes can be reviewed before publishing.
+   basic checks to ensure the changes are valid and creates a version commit. The command intentionally does not do the
+   publishing so that the changes can be reviewed before pushing.
 2. `git show` - To inspect the changes of the version commit.
 3. Run the e2e tests locally. This is not automated due to implementation complexity.
-4. `pnpm run publish:airnode-feed && pnpm run publish:signed-api` - To publish Airnode feed and Signed API package to
-   NPM.
-5. `git push --follow-tags` - Push the tagged version commit upstream.
-6. `pnpm run create-release:docker` - To build the Docker images and tag them correctly. The script uses the current
-   package.json version so it expects the NPM release is done first.
-7. The command outputs the publish instructions to push the images.
+4. `git push` - Push the version commit upstream. This will trigger the `tag-and-release` GitHub Actions job and result
+   in 1) the commit being tagged with the new version, 2) the release being created on GitHub, 3) both packages being
+   released on npm, and 4) both Docker images being built and pushed to Docker Hub.

funding.json

@@ -0,0 +1,5 @@
+{
+  "opRetro": {
+    "projectId": "0x2725d5ff44dd7e375ac3a54baa024ec90eafe91185cdc6d1b3c84256c14ff92a"
+  }
+}

jest.config.js

@@ -1,6 +1,7 @@
-const { join } = require('path');
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { join } = require('node:path');
 
-/*
+/**
  * For a detailed explanation regarding each configuration property and type check, visit:
  * https://jestjs.io/docs/configuration
  */
@@ -11,6 +12,7 @@ module.exports = {
   modulePathIgnorePatterns: ['<rootDir>/.build', '<rootDir>/dist/', '<rootDir>/build/'],
   preset: 'ts-jest',
   restoreMocks: true,
+  resetMocks: true,
   setupFiles: [join(__dirname, './jest.setup.js')],
   testEnvironment: 'jest-environment-node',
 };

jest.setup.js

@@ -17,4 +17,4 @@ Object.defineProperty = function (object, name, meta) {
 };
 
 // Disable logger if it is not explicitly set to true.
-process.env.LOGGER_ENABLED = process.env.LOGGER_ENABLED || 'false';
+process.env.LOGGER_ENABLED = process.env.LOGGER_ENABLED ?? 'false';