Skip to content

feat: implement high-priority infrastructure improvements#98

Merged
NormB merged 1 commit intomainfrom
fix/high-priority-improvements
Dec 27, 2025
Merged

feat: implement high-priority infrastructure improvements#98
NormB merged 1 commit intomainfrom
fix/high-priority-improvements

Conversation

@NormB
Copy link
Copy Markdown
Owner

@NormB NormB commented Dec 27, 2025

Summary

This PR implements the three high-priority improvements identified during the project analysis.

1. Centralized Docker Image Versions

Problem: Docker image versions were hardcoded throughout docker-compose.yml, making upgrades difficult and error-prone.

Solution:

  • Added new "Docker Image Versions" section to .env.example with all image versions
  • Updated docker-compose.yml to use environment variables with sensible defaults
  • Updated Dockerfiles (pgbouncer, forgejo, vector) to accept version as build args

Images centralized:

Service Variable Default Version
Vault VAULT_VERSION 1.18
PostgreSQL POSTGRES_VERSION 18
MySQL MYSQL_VERSION 8.0.40
MongoDB MONGODB_VERSION 7.0
Redis REDIS_VERSION 7.4-alpine3.21
RabbitMQ RABBITMQ_VERSION 3.13-management-alpine
Prometheus PROMETHEUS_VERSION v2.48.0
Grafana GRAFANA_VERSION 10.2.2
Loki LOKI_VERSION 2.9.3
Vector VECTOR_VERSION 0.50.0-debian
cAdvisor CADVISOR_VERSION v0.47.2
PgBouncer PGBOUNCER_VERSION latest
Forgejo FORGEJO_VERSION 1.21.11-0
Redis Exporter REDIS_EXPORTER_VERSION v1.55.0

2. Actual Vulnerability Scanning

Problem: Security workflow mentioned "consider using Trivy" but didn't actually scan images.

Solution:

  • Install Trivy in the dependency-scan job
  • Parse docker-compose.yml to extract all image references
  • Handle environment variable substitution to get actual image names
  • Scan each image for CRITICAL and HIGH vulnerabilities
  • Report vulnerability counts with actionable summaries

3. Unit Test Execution in CI

Problem: Test workflow only validated configuration but didn't run actual tests.

Solution:

  • Added new unit-tests job that runs tests for Python, Go, and Rust
  • Tests run with continue-on-error since some require running services
  • Clear messaging about which tests require infrastructure
  • Updated test-summary to include unit test status

Test plan

  • CI workflows pass (linting, security, tests)
  • Docker Compose config validates with new variables
  • Unit tests execute (with expected partial failures for service-dependent tests)
  • Vulnerability scanning runs and reports results

@NormB
feat: implement high-priority improvements
7b6c28c 
1. Centralize Docker image versions in .env
   - Add Docker image version variables to .env.example
   - Update docker-compose.yml to use environment variables with defaults
   - Update Dockerfiles (pgbouncer, forgejo, vector) to use build args
   - Enables easy version management and consistent upgrades

2. Add actual vulnerability scanning to security workflow
   - Install and run Trivy on all Docker images
   - Parse environment variable defaults from docker-compose.yml
   - Report CRITICAL vulnerabilities with counts
   - Provide actionable scan summaries

3. Add unit test execution to test workflow
   - New 'unit-tests' job running Python, Go, and Rust tests
   - Tests run with continue-on-error (some require services)
   - Clear messaging about which tests require infrastructure
   - Updated test-summary to include unit test results
@NormB NormB merged commit 4341b9d into main Dec 27, 2025
31 checks passed
@NormB NormB deleted the fix/high-priority-improvements branch December 27, 2025 19:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@NormB