Commit Graph

6 Commits

Author SHA1 Message Date
Dmitry Gusev
df3d3d32b8 fix(security): GitLeaks allowlist + Dockerfile DL4006 + npm audit в CI
Some checks failed
deploy / deploy (push) Has been cancelled
security / security (push) Has been cancelled
GitLeaks: 8 false-positives на vgrf_ru (IndexNow public key + legacy
WP plugin code) — добавлен .gitleaks.toml с allowlist:
- public/<32hex>.txt + корневой <32hex>.txt (IndexNow validation files)
- wp-content/** (legacy WordPress plugin code, не настоящие секреты)
- const KEY = '<32hex>' паттерн

Hadolint DL4006: добавлен SHELL pipefail в начале каждой stage.

npm audit: убран из Dockerfile (там кэшировался Docker layer'ом и
по факту не запускался при unchanged package-lock.json). Вынесен в
.gitea/workflows/security.yml как отдельный job — каждый push, реально.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 18:54:02 +03:00
Dmitry Gusev
6005ec32f7 fix(security): nativе binaries вместо docker run (Gitea fix)
Some checks failed
deploy / deploy (push) Has been cancelled
security / security (push) Has been cancelled
Gitea act_runner не имеет docker внутри workflow-контейнера —
"docker not found" маскировался через `|| true`, Layer C по факту
не работал. Заменено на:
- Hadolint v2.12.0 binary (curl + chmod)
- GitLeaks v8.21.2 (tarball)
- Semgrep через python3 venv + pip

Все три по-прежнему warning-only, но теперь реально сканируют.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 17:49:20 +03:00
Dmitry Gusev
7f891c4759 feat(security): Hadolint + GitLeaks + Semgrep workflow (Layer C)
Some checks failed
deploy / deploy (push) Has been cancelled
security / security (push) Has been cancelled
Новый workflow .gitea/workflows/security.yml — параллельно с deploy.yml,
запускается на push в main + на PR. Все три инструмента warning-only:

- Hadolint: bad practices в Dockerfile
- GitLeaks: поиск секретов в истории (полный clone fetch-depth: 0)
- Semgrep: SAST с конфигами p/javascript + p/react + p/typescript + p/security-audit

Не блокируют deploy — findings собираются в логи job'а.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 16:51:01 +03:00
bd6ab03b2e feat(seo): discoverability + Schema.org + IndexNow + Trivy (#1)
All checks were successful
deploy / deploy (push) Successful in 3m7s
2026-05-21 14:25:12 +03:00
8cab51d590 ci: workflow по стандартному шаблону Gitea Actions
All checks were successful
deploy / deploy (push) Successful in 46s
Workflow приведён к шаблону из memory/reference_gitea_actions.md:
- runs-on: ubuntu-latest (act_runner на str-u-01 даёт node:20-bookworm)
- apt-get install openssh-client (нет в node:20 by default)
- secrets: SSH_DEPLOY_KEY (raw private key, не base64) + SSH_KNOWN_HOSTS
- ssh ... bash -s <<'REMOTE' с git clone/pull, docker compose build+up,
  health-check curl, docker image prune retention 7d
2026-05-21 02:53:52 +03:00
db0d27cf4e build: Dockerfile + nginx.conf + docker-compose + Gitea CI + 404 page
Some checks failed
Deploy to web.hhivp.com / deploy (push) Failing after 3s
- Dockerfile multi-stage: node:22-alpine builds Astro → nginx:1.29-alpine
  отдаёт dist/. healthcheck wget --spider /
- nginx.conf: gzip с подходящими типами (RSS/JSON/SVG/woff2), кэш /_astro/
  immutable 1y, кэш css/js/img 30d, MIME application/rss+xml для feed,
  text/plain для robots/ai/llms/sitemap, кастомная 404
- docker-compose: контейнер anotherreflections-ru-v2 на 127.0.0.1:4084
  (старый WP на :4080 остаётся для отката)
- .gitea/workflows/deploy.yml: push в main → SSH-деплой на web,
  git fetch+reset → docker compose build → up -d → docker image prune
  (retention 7d по правилу проекта). Verify-шаг curl на :4084
- src/pages/404.astro — тематическая страница «не найдено» с навигацией
2026-05-21 02:37:46 +03:00