Merge branch 'main' into 4730/upgrade-next-to-react19

Author: jaredcwhite

.github/workflows/docker_image_build.yml

@@ -0,0 +1,60 @@
+name: Docker Image Build
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  image_base: ghcr.io/${{ github.repository }}
+
+jobs:
+  build-image:
+    # Builds each image in a separate job in parallel.
+    strategy:
+      matrix:
+        # The docker/build-push-action uses the git repo as the docker build context instead of
+        # cloning the repo to the action runner disk and using the disk context. For the API image
+        # we need to set the context to just the api/ directory which the '{{defaultContext}}:api'
+        # syntax does: https://github.com/docker/build-push-action?tab=readme-ov-file#git-context.
+        include:
+          - container: api
+            docker_context: "{{defaultContext}}:api"
+            dockerfile: Dockerfile
+          - container: partners
+            docker_context: "{{defaultContext}}"
+            dockerfile: Dockerfile.sites.partners
+          - container: public
+            docker_context: "{{defaultContext}}"
+            dockerfile: Dockerfile.sites.public
+    runs-on: ubuntu-latest
+    steps:
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Required to use image layer cache.
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3.11.1
+
+      - name: "Build and push image"
+        uses: docker/build-push-action@v6.18.0
+        with:
+          push: true
+          cache-to: type=registry,mode=max,ref=${{ env.image_base }}/${{ matrix.container }}/container-layer-cache:latest
+          cache-from: type=registry,ref=${{ env.image_base }}/${{ matrix.container }}/container-layer-cache:latest
+          context: ${{ matrix.docker_context }}
+          file: ${{ matrix.dockerfile }}
+          tags: |
+            ${{ env.image_base }}/${{ matrix.container }}:latest
+            ${{ env.image_base }}/${{ matrix.container }}:gitsha-${{ github.sha }}
+          # Connects the image to the repository: https://docs.github.com/en/packages/learn-github-packages/connecting-a-repository-to-a-package.
+          labels: org.opencontainers.image.source=https://github.com/${{ github.repository }}

.gitignore

@@ -99,3 +99,6 @@ dump.rdb
 # Development planning files
 memory-bank/
 .github/copilot-instructions.md
+
+# Terraform providers
+.terraform

Dockerfile.sites.partners

@@ -0,0 +1,25 @@
+# Keep up to date with Active LTS: https://nodejs.org/en/about/previous-releases
+FROM node:22@sha256:23c24e85395992be118734a39903e08c8f7d1abc73978c46b6bda90060091a49
+
+# Create a non-root user to build and run (principle of least privilege).
+WORKDIR /app
+RUN groupadd --gid 2002 next && useradd --gid 2002 --uid 2002 --home /app next
+RUN chown 2002:2002 /app
+USER 2002:2002
+
+# Copy package.json and yarn.lock in a separate layer from the source code and install the
+# dependencies. This allows docker to cache this step if dependencies haven't changed from the last
+# docker build, making build times a lot faster.
+COPY --chown=2002:2002 package.json yarn.lock .
+COPY --chown=2002:2002 shared-helpers ./shared-helpers
+COPY --chown=2002:2002 sites/partners/package.json ./sites/partners/
+WORKDIR /app/sites/partners
+RUN yarn install --frozen-lockfile
+
+# Copy in the source code. `next build` needs the tsconfig.json at repo root for type
+# checking.
+COPY --chown=2002:2002 tsconfig.json /app/tsconfig.json
+COPY --chown=2002:2002 sites/partners .
+
+ENV NEXT_TELEMETRY_DISABLED=1
+CMD [ "/bin/bash", "-c", "yarn build && yarn start" ]

Dockerfile.sites.public

@@ -0,0 +1,25 @@
+# Keep up to date with Active LTS: https://nodejs.org/en/about/previous-releases
+FROM node:22@sha256:23c24e85395992be118734a39903e08c8f7d1abc73978c46b6bda90060091a49
+
+# Create a non-root user to build and run (principle of least privilege).
+WORKDIR /app
+RUN groupadd --gid 2002 next && useradd --gid 2002 --uid 2002 --home /app next
+RUN chown 2002:2002 /app
+USER 2002:2002
+
+# Copy package.json and yarn.lock in a separate layer from the source code and install the
+# dependencies. This allows docker to cache this step if dependencies haven't changed from the last
+# docker build, making build times a lot faster.
+COPY --chown=2002:2002 package.json yarn.lock .
+COPY --chown=2002:2002 shared-helpers ./shared-helpers
+COPY --chown=2002:2002 sites/public/package.json ./sites/public/
+WORKDIR /app/sites/public
+RUN yarn install --frozen-lockfile
+
+# Copy in the source code. `next build` needs the tsconfig.json at repo root for type
+# checking.
+COPY --chown=2002:2002 tsconfig.json /app/tsconfig.json
+COPY --chown=2002:2002 sites/public .
+
+ENV NEXT_TELEMETRY_DISABLED=1
+CMD [ "/bin/bash", "-c", "yarn build && yarn start" ]

README.md

@@ -82,6 +82,10 @@ You can also run each process individually from separate terminals with the foll
 
 We have a number of default users seeded for local development, the most basic of which being (email: `admin@example.com`, password: `abcdef`) which will login to both the public and partners sites, but you can view other default seeded users and their permissions by checking out the user section of the [seed file](https://github.com/bloom-housing/bloom/blob/aed77bf06525be359ef9205044fabbea2ab2576d/api/prisma/seed-staging.ts#L67).
 
+### Running locally in docker
+
+Docker documentation is in [docker.md](./docker.md).
+
 ### Bloom UIC development
 
 Because Bloom's ui-components package is a separate open source repository, developing in Bloom while concurrently iterating in ui-components requires linking the folders with the following steps:

api/.env.template

@@ -44,6 +44,8 @@ LOTTERY_PUBLISH_PROCESSING_CRON_STRING=58 23 * * *
 LOTTERY_PROCESSING_CRON_STRING=0 * * * *
 # how many days till lottery data expires
 LOTTERY_DAYS_TILL_EXPIRY=45
+# how many days until application PII data exists
+APPLICATION_DAYS_TILL_EXPIRY=
 # the list of allowed urls that can make requests to the api (strings must be exact matches)
 CORS_ORIGINS=["http://localhost:3000", "http://localhost:3001"]
 # spill over list of allowed urls that can make requests to the api (strings are turned into regex)

api/Dockerfile

@@ -1,31 +1,56 @@
-
-# Base image
-FROM node:18
-
-# Create working directory
-WORKDIR /usr/src/api
-
-# Copy package.json
-COPY package.json ./
-
-# Copy yarn.lcok
-COPY yarn.lock ./
-
-# run yarn install
-RUN yarn install
-
-# Copy source code into docker image
-COPY . .
-
-# Copy .env
-COPY .env ./
-
-# run build commands
+# Keep up to date with Active LTS: https://nodejs.org/en/about/previous-releases
+#
+# IMPORTANT: keep the 'run' layer below in sync.
+FROM node:22@sha256:23c24e85395992be118734a39903e08c8f7d1abc73978c46b6bda90060091a49 AS build
+
+
+# Create a non-root user to build (principle of least privilege).
+WORKDIR /build
+RUN groupadd --gid 2002 build && useradd --gid 2002 --uid 2002 --home /build build
+RUN chown 2002:2002 /build
+USER 2002:2002
+
+# Install only runtime dependencies into a separate directory. This will be copied into the runner
+# image.
+WORKDIR /build/runtime_dependencies
+COPY --chown=2002:2002 package.json yarn.lock ./
+RUN yarn install --frozen-lockfile --production
+
+# Copy package.json and yarn.lock in a separate layer from the source code and install the
+# dependencies. This allows docker to cache this step if package.json and yarn.lock haven't changed
+# from the last docker build, making build times a lot faster.
+WORKDIR /build
+COPY --chown=2002:2002 package.json yarn.lock ./
+RUN yarn install --frozen-lockfile
+
+# Copy the source code and build.
+COPY --chown=2002:2002 . .
 RUN yarn prisma generate
 RUN yarn build
 
-# Expose port 3100 for api
-EXPOSE 3100
-
-# Start api
-CMD ["yarn", "dev"]
+# Start a new container filesystem and copy in just the runtime dependencies and the built
+# application.
+#
+# IMPORTANT: keep the 'build' layer above in sync.
+FROM node:22@sha256:23c24e85395992be118734a39903e08c8f7d1abc73978c46b6bda90060091a49 AS run
+WORKDIR /run
+
+# Copy over build artifacts.
+COPY --from=build /build/runtime_dependencies/ .
+COPY --from=build /build/dist ./dist
+
+# Need to copy the prisma schema file and generated package from `yarn prisma generate`.
+# TODO: be explicit about where the client package is generated:
+# https://www.prisma.io/docs/orm/prisma-client/setup-and-configuration/generating-prisma-client
+COPY --from=build /build/prisma/schema.prisma ./prisma/schema.prisma
+COPY --from=build /build/prisma/migrations ./prisma/migrations
+COPY --from=build /build/node_modules/.prisma ./node_modules/.prisma
+
+# Create a non-root user to run (priciple of least priviledge).
+WORKDIR /run
+RUN groupadd --gid 2002 run && useradd --gid 2002 --uid 2002 --home /run run
+RUN chown --recursive 2002:2002 /run
+USER 2002:2002
+
+# Run any DB migrations then start the server.
+CMD [ "/bin/bash", "-c", "yarn db:migration:run && yarn start:prod" ]

api/Dockerfile.dbseed

@@ -0,0 +1,21 @@
+# Keep up to date with Active LTS: https://nodejs.org/en/about/previous-releases
+FROM node:22 AS build
+
+# Create a non-root user to build (priciple of least priviledge).
+WORKDIR /dbseed
+RUN groupadd --gid 2002 dbseed && useradd --gid 2002 --uid 2002 --home /dbseed dbseed
+RUN chown 2002:2002 /dbseed
+USER 2002:2002
+
+# Copy package.json and yarn.lock in a separate layer from the source code and install the
+# dependencies. This allows docker to cache this step if package.json and yarn.lock haven't changed
+# from the last docker build, making build times a lot faster.
+WORKDIR /build
+COPY --chown=2002:2002 package.json yarn.lock ./
+RUN yarn install --frozen-lockfile
+
+# Copy the source code and generate the prisma client.
+COPY --chown=2002:2002 . .
+RUN yarn prisma generate
+
+CMD [ "yarn", "db:seed:staging" ]

api/package.json

@@ -19,10 +19,10 @@
     "test:cov": "yarn db:resetup && yarn db:migration:run && jest --config ./test/jest-with-coverage.config.js --logHeapUsage",
     "test:cov-ci": "yarn db:migration:run && jest --config ./test/jest-with-coverage.config.js --runInBand --logHeapUsage",
     "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
-    "db:resetup": "psql -c 'DROP DATABASE IF EXISTS bloom_prisma WITH (FORCE);' && psql -c 'CREATE DATABASE bloom_prisma;' && psql -d bloom_prisma -c 'CREATE EXTENSION IF NOT EXISTS \"uuid-ossp\";'",
+    "db:resetup": "psql -c \"DROP DATABASE IF EXISTS bloom_prisma WITH (FORCE);\" && psql -c \"CREATE DATABASE bloom_prisma;\" && psql -d bloom_prisma -c \"CREATE EXTENSION IF NOT EXISTS \\\"uuid-ossp\\\";\"",
     "db:migration:run": "yarn prisma migrate deploy",
     "db:seed:production": "npx prisma db seed -- --environment production",
-    "db:seed:staging": "npx prisma db seed -- --environment staging",
+    "db:seed:staging": "npx prisma db seed -- --environment staging --jurisdictionName Bloomington",
     "db:seed:development": "npx prisma db seed -- --environment development --jurisdictionName Bloomington",
     "generate:client": "ts-node scripts/generate-axios-client.ts && prettier -w ../shared-helpers/src/types/backend-swagger.ts",
     "test:e2e": "yarn db:resetup && yarn db:migration:run && jest --config ./test/jest-e2e.config.js",
@@ -48,7 +48,7 @@
     "@nestjs/schedule": "^4.1.1",
     "@nestjs/swagger": "^7.4.2",
     "@nestjs/throttler": "^5.1.2",
-    "@prisma/client": "^5.0.0",
+    "@prisma/client": "^5.3.0",
     "@sendgrid/helpers": "^8.0.0",
     "@sendgrid/mail": "7.7.0",
     "@turf/boolean-point-in-polygon": "6.5.0",
@@ -66,7 +66,7 @@
     "cookie-parser": "~1.4.6",
     "cron": "^3.1.7",
     "dayjs": "~1.11.9",
-    "dotenv": "^16.4.5",
+    "dotenv": "^17.2.3",
     "exceljs": "^4.4.0",
     "express": "^4.21.1",
     "handlebars": "~4.7.8",
@@ -76,7 +76,7 @@
     "passport": "~0.6.0",
     "passport-jwt": "~4.0.1",
     "passport-local": "~1.0.0",
-    "prisma": "^5.0.0",
+    "prisma": "^5.3.0",
     "qs": "~6.11.2",
     "reflect-metadata": "~0.1.13",
     "rimraf": "^3.0.2",

api/prisma/migrations/35_add_waitlist_lottery_feature_flag/migration.sql

@@ -0,0 +1,2 @@
+-- AlterEnum
+ALTER TYPE "listings_review_order_type_enum" ADD VALUE 'waitlistLottery';