HSLdevcom · ahjyrkia · Feb 11, 2026 · Feb 11, 2026
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,37 @@
+name: "Code analysis"
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '0 8 * * *' # 8 am
+jobs:
+  analyze:
+    name: Analyze code
+    runs-on: 'ubuntu-latest'
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: Javascript
+          build-mode: none
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependecy-scan.yml b/.github/workflows/dependecy-scan.yml
@@ -0,0 +1,14 @@
+name: 'Dependency scan'
+on: [pull_request]
+permissions:
+  contents: read
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: critical
diff --git a/Dockerfile b/Dockerfile
@@ -1,16 +1,17 @@
 FROM node:20-bookworm-slim
 
-# This installs the necessary libs to make the bundled version of Chromium that Pupppeteer installs work
-RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -yq wget curl gnupg pdftk fontconfig fonts-liberation ca-certificates --no-install-recommends \
-    # This installs the necessary libs to make the bundled version of Chromium that Puppeteer installs work
-    && wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \
-    && sh -c 'echo "deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list' \
-    && apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -yq google-chrome-stable libxss1 --no-install-recommends \
-  && wget -O azcopy_v10.tar.gz https://aka.ms/downloadazcopy-v10-linux && tar -xf azcopy_v10.tar.gz --strip-components=1 && rm azcopy_v10.tar.gz \
-  && mv ./azcopy /usr/bin/ \
-  && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+  apt-get update; \
+  DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+    ca-certificates curl gnupg wget pdftk fontconfig fonts-liberation supervisor; \
+  install -d -m 0755 /etc/apt/keyrings; \
+  curl -fsSL https://dl.google.com/linux/linux_signing_key.pub | gpg --dearmor -o /etc/apt/keyrings/google-chrome.gpg; \
+  chmod a+r /etc/apt/keyrings/google-chrome.gpg; \
+  echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google-chrome.gpg] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list; \
+  apt-get update; \
+  DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends google-chrome-stable libxss1; \
+  rm -rf /var/lib/apt/lists/*
+
 
 ENV WORK=/opt/publisher
 # ENV NODE_ENV production # Cannot use until devdependency list is fixed in package.json
@@ -28,18 +29,13 @@ COPY . ${WORK}
 
 ARG BUILD_ENV=prod
 COPY .env.${BUILD_ENV} ${WORK}/.env
+COPY docker/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 
 ARG DIGITRANSIT_APIKEY
 ENV DIGITRANSIT_APIKEY=${DIGITRANSIT_APIKEY}
 RUN yarn build
 
 EXPOSE 4000
 
-CMD \
-  ./fonts.sh && \
-  fc-cache -f -v && \
-  yarn run forever start -c "yarn serve" dist/ && \
-  yarn run forever start -c "yarn server" ./ && \
-  yarn run forever start -c "yarn worker" ./ && \
-  sleep 3 && \
-  yarn run forever -f logs 1
+CMD ./fonts.sh && fc-cache -f -v && exec supervisord -c /etc/supervisor/conf.d/supervisord.conf
+
diff --git a/docker/supervisord.conf b/docker/supervisord.conf
@@ -0,0 +1,34 @@
+[supervisord]
+nodaemon=true
+logfile=/dev/null
+pidfile=/tmp/supervisord.pid
+
+[program:serve]
+directory=/opt/publisher
+command=yarn serve
+autostart=true
+autorestart=true
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/fd/2
+stderr_logfile_maxbytes=0
+
+[program:server]
+directory=/opt/publisher
+command=yarn server
+autostart=true
+autorestart=true
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/fd/2
+stderr_logfile_maxbytes=0
+
+[program:worker]
+directory=/opt/publisher
+command=yarn worker
+autostart=true
+autorestart=true
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/fd/2
+stderr_logfile_maxbytes=0
diff --git a/package.json b/package.json
@@ -79,7 +79,6 @@
     "apollo-link-http": "^1.2.0",
     "bullmq": "^1.86.2",
     "dotenv": "^8.0.0",
-    "forever": "^4.0.3",
     "fs-extra": "^8.1.0",
     "graphql": "^0.11.7",
     "graphql-tag": "^2.5.0",