From 45328f7af35a7e5574b16dc1afff68c8e54a463f Mon Sep 17 00:00:00 2001
From: Kaiohz
Date: Thu, 12 Mar 2026 06:55:52 +0100
Subject: [PATCH 1/3] feat: Add CI workflow and Trivy scanning capabilities
---
 .github/workflows/ci.yaml | 32 ++++++++++++++++++++++++++++++++
 .trivyignore | 3 +++
 Makefile | 28 ++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 .github/workflows/ci.yaml
 create mode 100644 .trivyignore
 create mode 100644 Makefile
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..c13f782
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,32 @@
+name: CI
+
+on:
+ pull_request:
+ branches: [main]
+
+jobs:
+ trivy:
+ name: Trivy FS Scan
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Trivy FS Scan (report)
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'table'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+ exit-code: '0'
+ trivy-config: trivy.yaml
+
+ - name: Trivy FS Scan (CRITICAL gate)
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'table'
+ severity: 'CRITICAL'
+ exit-code: '1'
+ trivy-config: trivy.yaml
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..f2a600c
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+# .trivyignore - Known false positives and accepted risks
+# Format: CVE-YYYY-NNNNN
+# Add a comment above each entry explaining why it is ignored.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..100a03e
--- /dev/null
+++ b/Makefile
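Review bot: Both Trivy steps reference `aquasecurity/trivy-action@master`, a mutable branch ref, so the action code executed on every pull request can change without any change to this repository; pin it to a release tag or, better, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>` (placeholder — pick the current release), and consider the same SHA pinning for `actions/checkout@v4`. The workflow also has no top-level `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scopes; a scan-only job needs nothing beyond `permissions:` / `  contents: read`. Both steps additionally pass `trivy-config: trivy.yaml`, but no `trivy.yaml` is created anywhere in this three-patch series (the diffstat lists only ci.yaml, .trivyignore and Makefile), so unless it already exists in the repository Trivy is likely to error on the missing config file; either add the file or drop the option. The same `@master` reference appears in the cd.yaml context lines of patch 3/3.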
@@ -0,0 +1,28 @@
+PROJECT_NAME := unispace-landing
+IMAGE_TAG := $(PROJECT_NAME):local-scan
+
+.PHONY: trivy-fs trivy-image trivy-fs-critical trivy-image-critical trivy-all trivy-help
+
+trivy-fs:
+ trivy fs --severity CRITICAL,HIGH,MEDIUM --exit-code 0 --format table .
+
+trivy-image:
+ docker build -t $(IMAGE_TAG) -f Dockerfile .
+ trivy image --severity CRITICAL,HIGH,MEDIUM --exit-code 0 --format table $(IMAGE_TAG)
+
+trivy-fs-critical:
+ trivy fs --severity CRITICAL --exit-code 1 --format table .
+
+trivy-image-critical:
+ docker build -t $(IMAGE_TAG) -f Dockerfile .
+ trivy image --severity CRITICAL --exit-code 1 --format table $(IMAGE_TAG)
+
+trivy-all: trivy-fs trivy-image
+
+trivy-help:
+ @echo "Available Trivy scanning targets:"
+ @echo " make trivy-fs - Scan filesystem dependencies (report only)"
+ @echo " make trivy-image - Build and scan Docker image (report only)"
+ @echo " make trivy-fs-critical - Scan filesystem - fail on CRITICAL"
+ @echo " make trivy-image-critical - Build and scan image - fail on CRITICAL"
+ @echo " make trivy-all - Run both fs and image scans"
From dd55f42fb7f4b753448e6a9b37e2bca87e0deb82 Mon Sep 17 00:00:00 2001
From: Kaiohz
Date: Thu, 12 Mar 2026 07:09:00 +0100
Subject: [PATCH 2/3] chore: Update package dependencies for improved stability and features
---
 package.json | 6 ++---
 pnpm-lock.yaml | 60 ++++++++++++++++++++++++++++++++++----------------
 2 files changed, 44 insertions(+), 22 deletions(-)
diff --git a/package.json b/package.json
index ceb2cf9..d42ffa9 100644
--- a/package.json
+++ b/package.json
@@ -17,7 +17,7 @@
 "@astrojs/mdx": "4.3.12",
 "@astrojs/netlify": "6.6.3",
 "@astrojs/react": "4.4.2",
- "@astrojs/rss": "4.0.14",
+ "@astrojs/rss": "4.0.17",
 "@astrojs/sitemap": "3.6.0",
 "@fontsource-variable/inter": "5.2.8",
 "@keystatic/astro": "5.0.6",
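Review bot: The local targets and the CI workflow do not run the same scan: `trivy-fs` and `trivy-fs-critical` invoke `trivy fs` with no config file, while ci.yaml in patch 1/3 passes `trivy-config: trivy.yaml` to both of its steps, so a developer who runs `make trivy-fs-critical` can get a clean result that the PR gate then rejects (or the reverse). If trivy.yaml is meant to be the shared policy, add `--config trivy.yaml` to the four `trivy fs` / `trivy image` recipe lines so local and CI findings match. The `.trivyignore` file created in the same patch is picked up from the scan root by default, so that part already agrees between the two. Recipe lines must begin with a tab and the collapsed view here cannot show whether they do, so a quick `make -n trivy-help` before merging is worth it.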
@@ -35,7 +35,7 @@
 "motion-on-scroll": "^1.0.0",
 "react": "19.2.0",
 "react-dom": "19.2.0",
- "swiper": "12.0.3",
+ "swiper": "^12.1.2",
 "tailwind-merge": "3.4.0",
 "tailwind-variants": "3.2.2",
 "tailwindcss": "4.1.17",
@@ -43,7 +43,7 @@
 },
 "devDependencies": {
 "@eslint/js": "^9.36.0",
- "@playform/compress": "0.2.0",
+ "@playform/compress": "^0.2.0",
 "eslint": "^9.36.0",
 "eslint-plugin-astro": "^1.3.1",
 "eslint-plugin-jsx-a11y": "^6.10.2",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index ee31fc9..7ad9bdb 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -18,8 +18,8 @@ importers: specifier: 4.4.2 version: 4.4.2(@types/node@24.10.1)(@types/react-dom@19.2.3(@types/react@19.2.7))(@types/react@19.2.7)(jiti@2.6.1)(lightningcss@1.30.2)(react-dom@19.2.0(react@19.2.0))(react@19.2.0)(terser@5.42.0)(yaml@2.8.2) '@astrojs/rss': - specifier: 4.0.14 - version: 4.0.14 + specifier: 4.0.17 + version: 4.0.17 '@astrojs/sitemap': specifier: 3.6.0 version: 3.6.0
@@ -72,8 +72,8 @@ importers: specifier: 19.2.0 version: 19.2.0(react@19.2.0) swiper: - specifier: 12.0.3 - version: 12.0.3 + specifier: ^12.1.2 + version: 12.1.2 tailwind-merge: specifier: 3.4.0 version: 3.4.0
@@ -91,7 +91,7 @@ importers: specifier: ^9.36.0 version: 9.39.1 '@playform/compress': - specifier: 0.2.0 + specifier: ^0.2.0 version: 0.2.0(@netlify/blobs@10.4.1)(@types/node@24.10.1)(idb-keyval@6.2.2)(jiti@2.6.1)(rollup@4.53.3)(typescript@5.9.3)(yaml@2.8.2) eslint: specifier: ^9.36.0
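Review bot: The `swiper` and `@playform/compress` entries switch from exact versions to caret ranges (`"^12.1.2"`, `"^0.2.0"`) while every neighbouring dependency in these two hunks stays exactly pinned, and the `@astrojs/rss` bump in the earlier hunk keeps an exact pin, so the manifest now mixes two pinning policies. pnpm-lock.yaml still resolves both to exact versions, so installs from the lockfile are unaffected, but a later `pnpm update` or a lockfile-less install can pull a release the Trivy gate added in patch 1/3 never scanned. If the project's policy is exact pins, use `"swiper": "12.1.2",` and `"@playform/compress": "0.2.0",`; if ranges are intended for these two, the commit message should say why.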
@@ -188,8 +188,8 @@ packages: react: ^17.0.2 || ^18.0.0 || ^19.0.0 react-dom: ^17.0.2 || ^18.0.0 || ^19.0.0 - '@astrojs/rss@4.0.14': - resolution: {integrity: sha512-KCe1imDcADKOOuO/wtKOMDO/umsBD6DWF+94r5auna1jKl5fmlK9vzf+sjA3EyveXA/FoB3khtQ/u/tQgETmTw==} + '@astrojs/rss@4.0.17': + resolution: {integrity: sha512-eV+wdMbeVKC9+sPaV0LN8JL1LGo9YAh3GKl4Ou4nzMNLmXM/aswYpSGxVEAuHilgBZ6/++/Pv08ICmuOqX107w==} '@astrojs/sitemap@3.6.0': resolution: {integrity: sha512-4aHkvcOZBWJigRmMIAJwRQXBS+ayoP5z40OklTXYXhUDhwusz+DyDl+nSshY6y9DvkVEavwNcFO8FD81iGhXjg==} @@ -3521,8 +3521,11 @@ packages: fast-uri@3.1.0: resolution: {integrity: sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==} - fast-xml-parser@5.3.2: - resolution: {integrity: sha512-n8v8b6p4Z1sMgqRmqLJm3awW4NX7NkaKPfb3uJIBTSH7Pdvufi3PQ3/lJLQrvxcMYl7JI2jnDO90siPEpD8JBA==} + fast-xml-builder@1.1.2: + resolution: {integrity: sha512-NJAmiuVaJEjVa7TjLZKlYd7RqmzOC91EtPFXHvlTcqBVo50Qh7XV5IwvXi1c7NRz2Q/majGX9YLcwJtWgHjtkA==} + + fast-xml-parser@5.4.1: + resolution: {integrity: sha512-BQ30U1mKkvXQXXkAGcuyUA/GA26oEB7NzOtsxCDtyu62sjGw5QraKFhx2Em3WQNjPw9PG6MQ9yuIIgkSDfGu5A==} hasBin: true fastq@1.19.1: @@ -4996,6 +4999,10 @@ packages: resolution: {integrity: sha512-RjhtfwJOxzcFmNOi6ltcbcu4Iu+FL3zEj83dk4kAS+fVpTxXLO1b38RvJgT/0QwvV/L3aY9TAnyv0EOqW4GoMQ==} engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0} + path-expression-matcher@1.1.3: + resolution: {integrity: sha512-qdVgY8KXmVdJZRSS1JdEPOKPdTiEK/pi0RkcT2sw1RhXxohdujUlJFPuS1TSkevZ9vzd3ZlL7ULl1MHGTApKzQ==} + engines: {node: '>=14.0.0'} + path-key@3.1.1: resolution: {integrity: sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==} engines: {node: '>=8'} 
@@ -5642,8 +5649,8 @@ packages: resolution: {integrity: sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==} engines: {node: '>=8'} - strnum@2.1.1: - resolution: {integrity: sha512-7ZvoFTiCnGxBtDqJ//Cu6fWtZtc7Y3x+QOirG15wztbdngGSkht27o2pyGWrVy0b4WAy3jbKmnoK6g5VlVNUUw==} + strnum@2.2.0: + resolution: {integrity: sha512-Y7Bj8XyJxnPAORMZj/xltsfo55uOiyHcU2tnAVzHUnSJR/KsEX+9RoDeXEnsXtl/CX4fAcrt64gZ13aGaWPeBg==} style-to-js@1.1.21: resolution: {integrity: sha512-RjQetxJrrUJLQPHbLku6U/ocGtzyjbJMP9lCNK7Ag0CNh690nSH8woqWH9u16nMjYBAok+i7JO1NP2pOy8IsPQ==} @@ -5679,8 +5686,8 @@ packages: engines: {node: '>=16'} hasBin: true - swiper@12.0.3: - resolution: {integrity: sha512-BHd6U1VPEIksrXlyXjMmRWO0onmdNPaTAFduzqR3pgjvi7KfmUCAm/0cj49u2D7B0zNjMw02TSeXfinC1hDCXg==} + swiper@12.1.2: + resolution: {integrity: sha512-4gILrI3vXZqoZh71I1PALqukCFgk+gpOwe1tOvz5uE9kHtl2gTDzmYflYCwWvR4LOvCrJi6UEEU+gnuW5BtkgQ==} engines: {node: '>= 4.7.0'} synckit@0.11.11: @@ -5720,6 +5727,7 @@ packages: tar@7.5.2: resolution: {integrity: sha512-7NyxrTE4Anh8km8iEy7o0QYPs+0JKBTj5ZaqHg6B39erLg0qYXN3BijtShwbsNSvQ+LN75+KV+C4QR/f6Gwnpg==} engines: {node: '>=18'} + deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me terser@5.42.0: resolution: {integrity: sha512-UYCvU9YQW2f/Vwl+P0GfhxJxbUGLwd+5QrrGgLajzWAtC/23AX0vcise32kkP7Eu0Wu9VlzzHAXkLObgjQfFlQ==} 
@@ -6201,6 +6209,7 @@ packages: whatwg-encoding@3.1.1: resolution: {integrity: sha512-6qN4hJdMwfYBtE3YBTTHhoeuUrDBPZmbQaxWAqSALV/MeEnR5z1xd8UKud2RAkFoPkmB+hli1TZSnyi84xz1vQ==} engines: {node: '>=18'} + deprecated: Use @exodus/bytes instead for a more spec-conformant and faster implementation whatwg-mimetype@4.0.0: resolution: {integrity: sha512-QaKxh0eNIi2mE9p2vEdzfagOKHCcj1pJ56EEHGQOVxp8r9/iszLUUV7v89x9O1p/T+NlTM5W7jW6+cz4Fq1YVg==} @@ -6379,6 +6388,9 @@ packages: zod@3.25.76: resolution: {integrity: sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==} + zod@4.3.6: + resolution: {integrity: sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==} + zwitch@2.0.4: resolution: {integrity: sha512-bXE4cR/kVZhKZX/RjPEflHaKVhUVl85noU3v6b8apfQEc1x4A+zBxjZ4lN8LqGd6WZ3dl98pY4o717VFmoPp+A==} @@ -6559,10 +6571,11 @@ snapshots: - tsx - yaml - '@astrojs/rss@4.0.14': + '@astrojs/rss@4.0.17': dependencies: - fast-xml-parser: 5.3.2 + fast-xml-parser: 5.4.1 piccolore: 0.1.3 + zod: 4.3.6 '@astrojs/sitemap@3.6.0': dependencies: @@ -11034,9 +11047,14 @@ snapshots: fast-uri@3.1.0: {} - fast-xml-parser@5.3.2: + fast-xml-builder@1.1.2: dependencies: - strnum: 2.1.1 + path-expression-matcher: 1.1.3 + + fast-xml-parser@5.4.1: + dependencies: + fast-xml-builder: 1.1.2 + strnum: 2.2.0 fastq@1.19.1: dependencies: @@ -12830,6 +12848,8 @@ snapshots: path-exists@5.0.0: {} + path-expression-matcher@1.1.3: {} + path-key@3.1.1: {} path-key@4.0.0: {} @@ -13654,7 +13674,7 @@ snapshots: strip-json-comments@3.1.1: {} - strnum@2.1.1: {} + strnum@2.2.0: {} style-to-js@1.1.21: dependencies: @@ -13698,7 +13718,7 @@ snapshots: picocolors: 1.1.1 sax: 1.4.3 - swiper@12.0.3: {} + swiper@12.1.2: {} synckit@0.11.11: dependencies: @@ -14384,4 +14404,6 @@ snapshots: zod@3.25.76: {} + zod@4.3.6: {} + zwitch@2.0.4: {} From e2968f3f772b0d8d286fac9462e80535541c6a08 Mon Sep 17 00:00:00 2001 
From: Kaiohz
Date: Thu, 12 Mar 2026 07:43:29 +0100
Subject: [PATCH 3/3] fix: Update image tags from 'unispace' to 'pickpro' in CI/CD workflow
---
 .github/workflows/cd.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
index 52a42d5..d41bb63 100644
--- a/.github/workflows/cd.yaml
+++ b/.github/workflows/cd.yaml
@@ -65,14 +65,14 @@ jobs: file: ./Dockerfile load: true platforms: linux/amd64 - tags: kaiohz/unispace:unispace-landing-scan + tags: kaiohz/pickpro:unispace-landing-scan cache-from: type=gha cache-to: type=gha,mode=max - name: Trivy Image Scan (report) uses: aquasecurity/trivy-action@master with: - image-ref: "kaiohz/unispace:unispace-landing-scan" + image-ref: "kaiohz/pickpro:unispace-landing-scan" format: "table" severity: "CRITICAL,HIGH,MEDIUM" exit-code: "0"
@@ -81,7 +81,7 @@ jobs:
 - name: Trivy Image Scan (CRITICAL gate)
 uses: aquasecurity/trivy-action@master
 with:
- image-ref: "kaiohz/unispace:unispace-landing-scan"
+ image-ref: "kaiohz/pickpro:unispace-landing-scan"
 format: "table"
 severity: "CRITICAL"
 exit-code: "1"
@@ -95,8 +95,8 @@ jobs: push: true platforms: linux/amd64,linux/arm64 tags: | - kaiohz/unispace:unispace-landing-${{ steps.sha.outputs.result }} - kaiohz/unispace:unispace-landing-latest + kaiohz/pickpro:unispace-landing-${{ steps.sha.outputs.result }} + kaiohz/pickpro:unispace-landing-latest cache-from: type=gha cache-to: type=gha,mode=max
@@ -108,7 +108,7 @@ jobs:
 run: |
 DEPLOYMENT_FILE="flux-repo/dev/unispace/unispace-landing/deployment.yaml"
 if [ -f "$DEPLOYMENT_FILE" ]; then
- sed -i 's|image: kaiohz/unispace:unispace-landing-.*|image: kaiohz/unispace:unispace-landing-${{ steps.sha.outputs.result }}|g' "$DEPLOYMENT_FILE"
+ sed -i 's|image: kaiohz/pickpro:unispace-landing-.*|image: kaiohz/pickpro:unispace-landing-${{ steps.sha.outputs.result }}|g' "$DEPLOYMENT_FILE"
 else
 echo "Error: Deployment file not found at $DEPLOYMENT_FILE"
 exit 1
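Review bot: The `sed -i` in the @@ -108 hunk now only matches `image: kaiohz/pickpro:unispace-landing-...`, so if the Flux deployment manifest still carries the old `kaiohz/unispace:` image line the substitution silently matches nothing, sed exits 0, and the step reports success while the cluster keeps running the previous image. Add a post-condition after the sed, e.g. `grep -q "image: kaiohz/pickpro:unispace-landing-${{ steps.sha.outputs.result }}" "$DEPLOYMENT_FILE" || { echo "Error: image line not updated in $DEPLOYMENT_FILE"; exit 1; }`, or migrate the manifest in the Flux repository in the same change. The `${{ steps.sha.outputs.result }}` expression is interpolated straight into the shell script; it is presumably a commit SHA under the workflow's own control, but passing it through an `env:` entry and referencing `"$IMAGE_SHA"` in the script removes the expression-in-`run:` pattern entirely. The step that owns this `run:` block starts before the hunk and the script's closing `fi` is presumably after it.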