diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 000000000..0cc300b00
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,38 @@
+# CODEOWNERS - Defines code ownership for PR review requirements
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# =============================================================================
+# Staging & Production Configuration
+# =============================================================================
+# These files control production/staging deployments and require team lead review
+# to prevent accidental configuration regressions (like HTTP vs HTTPS URLs)
+
+docker-compose.staging.yml @wuesteon
+docker-compose.production.yml @wuesteon
+docker/caddy/Caddyfile.staging @wuesteon
+docker/caddy/Caddyfile.production @wuesteon
+
+# =============================================================================
+# CI/CD Workflows
+# =============================================================================
+# Changes to deployment pipelines require review
+
+.github/workflows/cd-*.yml @wuesteon
+.github/workflows/ci.yml @wuesteon
+
+# =============================================================================
+# Core Infrastructure
+# =============================================================================
+# Shared packages and services that affect all apps
+
+services/mana-core-auth/ @wuesteon
+packages/shared-nestjs-auth/ @wuesteon
+packages/shared-auth/ @wuesteon
+
+# =============================================================================
+# Workspace Configuration
+# =============================================================================
+# Root configuration files that affect the entire monorepo
+
+pnpm-workspace.yaml @wuesteon
+turbo.json @wuesteon
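Review bot: The new check workflow `.github/workflows/staging-config-check.yml` and this CODEOWNERS file itself match none of the listed patterns (`cd-*.yml`, `ci.yml`), so a PR can weaken or delete the staging URL check, or the ownership rules, without the team-lead review the header comment promises. Adding `.github/CODEOWNERS @wuesteon` and `.github/workflows/staging-config-check.yml @wuesteon` under the CI/CD section closes that gap. Note also that CODEOWNERS only requests reviewers; the "require team lead review" wording holds only if branch protection has "Require review from Code Owners" enabled, which this file cannot enforce on its own, so the header comment should say that the rules depend on that branch-protection setting.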
diff --git a/.github/workflows/staging-config-check.yml b/.github/workflows/staging-config-check.yml
new file mode 100644
index 000000000..cfd9aef20
--- /dev/null
+++ b/.github/workflows/staging-config-check.yml
@@ -0,0 +1,103 @@ +name: Staging Config Check + +on: + pull_request: + paths: + - 'docker-compose.staging.yml' + - 'docker/caddy/Caddyfile.staging' + +jobs: + check-staging-urls: + name: Validate Staging URLs + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Check for HTTP IP addresses in _CLIENT URLs + run: | + echo "Checking docker-compose.staging.yml for HTTP IP addresses..." + + # Check that no _CLIENT URLs use HTTP IP addresses + if grep -E '_CLIENT:.*http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' docker-compose.staging.yml; then + echo "" + echo "::error::Found HTTP IP addresses in _CLIENT URLs!" + echo "All _CLIENT URLs must use HTTPS staging domains (e.g., https://auth.staging.manacore.ai)" + exit 1 + fi + + echo "No HTTP IP addresses found in _CLIENT URLs" + + - name: Check for non-HTTPS external URLs + run: | + echo "Checking for non-HTTPS external URLs in _CLIENT variables..." + + # Check that _CLIENT URLs use HTTPS (excluding localhost for dev) + VIOLATIONS=$(grep -E '_CLIENT:.*http://' docker-compose.staging.yml | grep -v localhost || true) + + if [ -n "$VIOLATIONS" ]; then + echo "" + echo "::error::Found non-HTTPS URLs in _CLIENT variables!" + echo "$VIOLATIONS" + echo "" + echo "All _CLIENT URLs must use HTTPS for staging domains." + exit 1 + fi + + echo "All _CLIENT URLs use HTTPS" + + - name: Verify required HTTPS domains + run: | + echo "Verifying required HTTPS staging domains are configured..." + + REQUIRED_DOMAINS=( + "https://auth.staging.manacore.ai" + "https://staging.manacore.ai" + ) + + MISSING=0 + for domain in "${REQUIRED_DOMAINS[@]}"; do + if ! grep -q "$domain" docker-compose.staging.yml; then + echo "::warning::Missing required domain: $domain" + MISSING=1 + fi + done + + if [ $MISSING -eq 1 ]; then + echo "" + echo "::warning::Some required staging domains are not configured. Please verify this is intentional." 
+ fi + + echo "Domain verification complete" + + - name: Check CORS origins include HTTPS + run: | + echo "Checking CORS_ORIGINS for HTTPS staging domains..." + + # Extract CORS_ORIGINS lines and check they include staging domains + CORS_LINES=$(grep "CORS_ORIGINS:" docker-compose.staging.yml || true) + + if [ -n "$CORS_LINES" ]; then + # Check if any CORS line has HTTP staging domains (not localhost) + HTTP_CORS=$(echo "$CORS_LINES" | grep -E 'http://[a-z]+\.staging\.manacore\.ai' || true) + + if [ -n "$HTTP_CORS" ]; then + echo "" + echo "::error::Found HTTP (non-HTTPS) staging domains in CORS_ORIGINS!" + echo "$HTTP_CORS" + exit 1 + fi + fi + + echo "CORS origins are correctly configured" + + - name: Summary + run: | + echo "" + echo "======================================" + echo "Staging Configuration Check: PASSED" + echo "======================================" + echo "" + echo "All checks passed:" + echo " - No HTTP IP addresses in _CLIENT URLs" + echo " - All external _CLIENT URLs use HTTPS" + echo " - CORS origins correctly configured" diff --git a/docs/GIT_WORKFLOW.md b/docs/GIT_WORKFLOW.md index 4790adcb6..cdb6be794 100644 --- a/docs/GIT_WORKFLOW.md +++ b/docs/GIT_WORKFLOW.md 
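Review bot: The "Verify required HTTPS domains" step only emits `::warning::` when a required staging domain is absent, so a PR that deletes or renames the HTTPS `_CLIENT` URLs passes the job and the Summary step still prints "All checks passed", which undermines the guard the workflow is meant to provide. Replacing the final warning with `echo "::error::Required staging domains are missing from docker-compose.staging.yml"` followed by `exit 1` turns it into a real gate. The workflow also triggers on `docker/caddy/Caddyfile.staging`, but no step reads that file, so a Caddyfile-only PR gets a passing summary with nothing checked; either drop that path from the trigger or add a step that inspects it. Since the job only needs to read the checkout, declaring `permissions: contents: read` at the top of the workflow keeps the GITHUB_TOKEN at least privilege regardless of the repository default.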
@@ -224,6 +224,58 @@ git checkout till-dev git reset --hard origin/dev ``` +## Critical Configuration Files + +### Protected Files (CODEOWNERS) + +The following files are protected via `.github/CODEOWNERS` and require team lead review: + +| File | Reason | +|------|--------| +| `docker-compose.staging.yml` | Staging deployment config | +| `docker-compose.production.yml` | Production deployment config | +| `docker/caddy/Caddyfile.*` | Reverse proxy configuration | +| `.github/workflows/cd-*.yml` | Deployment pipelines | + +### Configuration Conflict Prevention + +**Problem:** When rebasing a long-lived branch, configuration files can accidentally overwrite critical settings (e.g., HTTPS URLs reverted to HTTP). + +**Solution:** Always review configuration files carefully during rebase conflicts: + +```bash +# During rebase, if docker-compose.staging.yml has conflicts: +git diff HEAD -- docker-compose.staging.yml # See what changed + +# Key things to verify: +# 1. _CLIENT URLs use HTTPS staging domains (not HTTP IP addresses) +# 2. CORS_ORIGINS include all HTTPS staging domains +# 3. Environment variables haven't regressed +``` + +### Staging URL Rules + +**NEVER** use HTTP IP addresses for `_CLIENT` variables: + +```yaml +# WRONG - HTTP IP address +PUBLIC_MANA_CORE_AUTH_URL_CLIENT: http://46.224.108.214:3001 + +# CORRECT - HTTPS staging domain +PUBLIC_MANA_CORE_AUTH_URL_CLIENT: https://auth.staging.manacore.ai +``` + +**CI Check:** The `staging-config-check.yml` workflow validates this on every PR that touches `docker-compose.staging.yml`. + +### Rebase Checklist for Config Files + +Before completing a rebase that touched configuration files: + +- [ ] `_CLIENT` URLs use `https://*.staging.manacore.ai` format +- [ ] `CORS_ORIGINS` include all HTTPS staging domains +- [ ] No HTTP IP addresses in client-facing URLs +- [ ] Caddy config matches docker-compose port mappings + ## Troubleshooting ### "fatal: no rebase in progress"