Merge pull request #10 from fccview/feature/security-improvement

Ehm.. refactored a bunch.. sorry

Author: kiliantyler

.github/workflows/build.yml

@@ -0,0 +1,128 @@
+name: Build
+
+on:
+  workflow_call:
+    inputs:
+      push-to-registry:
+        description: "Whether to push images to the container registry"
+        required: false
+        default: false
+        type: boolean
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            arch: amd64
+            runner: ubuntu-latest
+            test: true
+          - platform: linux/arm64
+            arch: arm64
+            runner: ubuntu-24.04-arm
+            test: true
+          - platform: linux/arm/v7
+            arch: armv7
+            runner: ubuntu-24.04-arm
+            test: false
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to the Container registry
+        if: inputs.push-to-registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        if: inputs.push-to-registry
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build Docker image
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta.outputs.labels }}
+          load: ${{ matrix.test }}
+          tags: hypermind-test:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Run container for testing
+        if: matrix.test
+        run: docker run -d --name hypermind-test -p 3000:3000 hypermind-test:${{ github.sha }}
+
+      - name: Wait for server to be ready
+        if: matrix.test
+        run: |
+          for i in {1..30}; do
+            if curl -sf http://localhost:3000/api/stats; then
+              echo "Server is ready"
+              exit 0
+            fi
+            echo "Waiting for server... ($i/30)"
+            sleep 1
+          done
+          echo "Server failed to start"
+          docker logs hypermind-test
+          exit 1
+
+      - name: Verify API response
+        if: matrix.test
+        run: |
+          response=$(curl -sf http://localhost:3000/api/stats)
+          echo "Response: $response"
+          echo "$response" | jq -e '.count != null and .id != null'
+
+      - name: Cleanup test container
+        if: always() && matrix.test
+        run: docker rm -f hypermind-test || true
+
+      - name: Push by digest
+        if: inputs.push-to-registry
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
+          cache-from: type=gha
+
+      - name: Export digest
+        if: inputs.push-to-registry
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.push.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        if: inputs.push-to-registry
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ matrix.arch }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1

.github/workflows/ci.yml

@@ -0,0 +1,13 @@
+name: CI
+
+on:
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  build:
+    uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+    with:
+      push-to-registry: false

.github/workflows/publish.yml

@@ -1,8 +1,6 @@
 name: Publish Docker Image
 
 on:
-  pull_request:
-    branches: ["main"]
   push:
     branches: ["main"]
   release:
@@ -15,73 +13,16 @@ env:
 
 jobs:
   build:
-    runs-on: ${{ matrix.runner }}
+    uses: ./.github/workflows/build.yml
     permissions:
       contents: read
       packages: write
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-          - platform: linux/arm/v7
-            runner: ubuntu-24.04-arm
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to the Container registry
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-      - name: Build and push by digest
-        id: build
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: ${{ matrix.platform }}
-          labels: ${{ steps.meta.outputs.labels }}
-          outputs: ${{ github.event_name != 'pull_request' && format('type=image,name={0}/{1},push-by-digest=true,name-canonical=true,push=true', env.REGISTRY, env.IMAGE_NAME) || 'type=docker' }}
-
-      - name: Export digest
-        if: github.event_name != 'pull_request'
-        run: |
-          mkdir -p ${{ runner.temp }}/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "${{ runner.temp }}/digests/${digest#sha256:}"
-
-      - name: Upload digest
-        if: github.event_name != 'pull_request'
-        uses: actions/upload-artifact@v4
-        with:
-          name: digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || matrix.platform == 'linux/arm64' && 'arm64' || 'armv7' }}
-          path: ${{ runner.temp }}/digests/*
-          if-no-files-found: error
-          retention-days: 1
+    secrets: inherit
+    with:
+      push-to-registry: true
 
   merge:
     runs-on: ubuntu-latest
-    if: github.event_name != 'pull_request'
     needs: build
     permissions:
       contents: read

Dockerfile

@@ -6,7 +6,9 @@ COPY package*.json ./
 
 RUN npm ci --omit=dev
 
+COPY public/ ./public/
 COPY server.js hypermind2.svg LICENSE ./
+COPY src/ ./src/
 
 ENV PORT=3000
 ENV NODE_ENV=production

README.md

@@ -73,6 +73,13 @@ services:
 
 ```
 
+## Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `PORT` | `3000` | The port the web dashboard listens on. Since `--network host` is used, this port opens directly on the host. |
+| `MAX_PEERS` | `10000` | Maximum number of peers to track in the swarm. Unless you're expecting the entire internet to join, the default is probably fine. |
+
 ## Usage
 
 Open your browser to: `http://localhost:3000`

docker-compose.yml

@@ -6,3 +6,4 @@ services:
     restart: unless-stopped
     environment:
       - PORT=3000
+      - MAX_PEERS=10000

package-lock.json

@@ -26,6 +26,7 @@
   "homepage": "https://github.com/lklynet/hypermind#readme",
   "type": "commonjs",
   "dependencies": {
+    "dotenv": "^17.2.3",
     "express": "^5.2.1",
     "hyperswarm": "^4.16.0"
   }