Merge branch 'main' of github.com:RMCampos/tasknote

Author: RMCampos

.github/workflows/deploy.yml .github/workflows/cd-main.yml.github/workflows/deploy.yml renamed to .github/workflows/cd-main.yml

@@ -1,4 +1,4 @@
-name: Deploy to prod
+name: Main CD-Deploy to Prod
 
 on:
   workflow_dispatch:
@@ -14,7 +14,7 @@ on:
         required: false
         default: "true"
   workflow_run:
-    workflows: [ "Backend Main", "Frontend Main" ]
+    workflows: [ "Main CI-Backend", "Main CI-Frontend" ]
     types: [ completed ]
 
 jobs:
@@ -135,6 +135,7 @@ jobs:
       && needs.terraform-plan.outputs.no_changes == 'false'
     environment:
       name: production
+      url: https://tasknote.darkroasted.vps-kinghost.net
     permissions:
       contents: read
     steps:

.github/workflows/deploy-stg.yml .github/workflows/cd-pr.yml.github/workflows/deploy-stg.yml renamed to .github/workflows/cd-pr.yml

@@ -1,14 +1,15 @@
-name: Deploy to staging
+name: Pull Request CD-Deploy to Staging
 
 on:
   workflow_dispatch:
   workflow_run:
-    workflows: [ "Backend PR", "Frontend PR" ]
+    workflows: [ "Pull Request CI-Backend", "Pull Request CI-Frontend" ]
     types: [ completed ]
 
 jobs:
   terraform-plan-stg:
     name: Plan changs to staging
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
     outputs:
       no_changes: ${{ steps.check-changes.outputs.no_changes }}
@@ -99,6 +100,7 @@ jobs:
     if: needs.terraform-plan-stg.outputs.no_changes == 'false'
     environment:
       name: staging
+      url: https://tasknote-stg.darkroasted.vps-kinghost.net
     permissions:
       contents: read
     steps:

.github/workflows/main-server.yml .github/workflows/ci-main-backend.yml.github/workflows/main-server.yml renamed to .github/workflows/ci-main-backend.yml

@@ -1,4 +1,4 @@
-name: Backend Main
+name: Main CI-Backend
 
 on:
   workflow_dispatch:
@@ -69,18 +69,29 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build Docker image with Spring Boot
-        working-directory: ./server
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Find PR number
+        id: find_pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          ./mvnw -Pnative -DskipTests spring-boot:build-image \
-            -Dspring-boot.build-image.imageName=ghcr.io/${{ steps.repo.outputs.name }}/api:latest \
-            -Dspring-boot.build-image.builder=paketobuildpacks/builder-jammy-tiny:latest
+          PR_NUMBER=$(gh pr list --search "${{ github.sha }}" --state merged --json number --jq '.[0].number')
+          if [ -z "$PR_NUMBER" ]; then
+            echo "No merged PR found for this commit. Falling back to 'candidate' tag."
+            PR_NUMBER="candidate"
+          else
+            PR_NUMBER="pr-${PR_NUMBER}"
+          fi
+          echo "tag=${PR_NUMBER}" >> $GITHUB_OUTPUT
 
-      - name: Tag and push Docker image
+      - name: Promote Docker image
         run: |
-          docker tag ghcr.io/${{ steps.repo.outputs.name }}/api:latest ghcr.io/${{ steps.repo.outputs.name }}/api:${{ steps.version.outputs.version }}
-          docker push ghcr.io/${{ steps.repo.outputs.name }}/api:latest
-          docker push ghcr.io/${{ steps.repo.outputs.name }}/api:${{ steps.version.outputs.version }}
+          docker buildx imagetools create \
+            --tag ghcr.io/${{ steps.repo.outputs.name }}/api:latest \
+            --tag ghcr.io/${{ steps.repo.outputs.name }}/api:${{ steps.version.outputs.version }} \
+            ghcr.io/${{ steps.repo.outputs.name }}/api:${{ steps.find_pr.outputs.tag }}
 
       - name: Create and push Git tag
         run: |

.github/workflows/main-client.yml .github/workflows/ci-main-frontend.yml.github/workflows/main-client.yml renamed to .github/workflows/ci-main-frontend.yml

@@ -1,4 +1,4 @@
-name: Frontend Main
+name: Main CI-Frontend
 
 on:
   workflow_dispatch:
@@ -31,6 +31,10 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Set lowercase repo name
+        id: repo
+        run: echo "name=${GITHUB_REPOSITORY,,}" >> $GITHUB_OUTPUT
+
       - name: Generate version tag
         id: version
         run: |
@@ -49,26 +53,26 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Extract metadata for Docker
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}/app
-          tags: |
-            type=raw,value=${{ steps.version.outputs.tag }}
-            type=raw,value=latest,enable={{is_default_branch}}
+      - name: Find PR number
+        id: find_pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PR_NUMBER=$(gh pr list --search "${{ github.sha }}" --state merged --json number --jq '.[0].number')
+          if [ -z "$PR_NUMBER" ]; then
+            echo "No merged PR found for this commit. Falling back to 'candidate' tag."
+            PR_NUMBER="candidate"
+          else
+            PR_NUMBER="pr-${PR_NUMBER}"
+          fi
+          echo "tag=${PR_NUMBER}" >> $GITHUB_OUTPUT
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
-        with:
-          context: ./client
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          build-args: |
-            VITE_BUILD=v${{ steps.version.outputs.tag }}
+      - name: Promote Docker image
+        run: |
+          docker buildx imagetools create \
+            --tag ghcr.io/${{ steps.repo.outputs.name }}/app:latest \
+            --tag ghcr.io/${{ steps.repo.outputs.name }}/app:${{ steps.version.outputs.tag }} \
+            ghcr.io/${{ steps.repo.outputs.name }}/app:${{ steps.find_pr.outputs.tag }}
 
       - name: Create and push Git tag
         run: |

.github/workflows/server-ci.yml .github/workflows/ci-pr-backend.yml.github/workflows/server-ci.yml renamed to .github/workflows/ci-pr-backend.yml

@@ -1,4 +1,4 @@
-name: Backend PR
+name: Pull Request CI-Backend
 
 on:
   workflow_dispatch:
@@ -51,6 +51,7 @@ jobs:
     needs: ["run-checks"]
     permissions:
       contents: read
+      deployments: write
       packages: write
 
     steps:
@@ -91,10 +92,38 @@ jobs:
         working-directory: ./server
         run: |
           ./mvnw -Pnative -DskipTests spring-boot:build-image \
-            -Dspring-boot.build-image.imageName=ghcr.io/rmcampos/tasknote/api:latest \
+            -Dspring-boot.build-image.imageName=ghcr.io/${{ steps.repo.outputs.name }}/api:latest \
             -Dspring-boot.build-image.builder=paketobuildpacks/builder-jammy-tiny:latest
 
       - name: Tag and push Docker image
         run: |
           docker tag ghcr.io/${{ steps.repo.outputs.name }}/api:latest ghcr.io/${{ steps.repo.outputs.name }}/api:candidate
+          docker tag ghcr.io/${{ steps.repo.outputs.name }}/api:latest ghcr.io/${{ steps.repo.outputs.name }}/api:pr-${{ github.event.pull_request.number }}
           docker push ghcr.io/${{ steps.repo.outputs.name }}/api:candidate
+          docker push ghcr.io/${{ steps.repo.outputs.name }}/api:pr-${{ github.event.pull_request.number }}
+
+      - name: Create GitHub deployment for staging
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const ref = context.payload.pull_request.head.sha;
+            const env = 'staging';
+            const resp = await github.rest.repos.createDeployment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref,
+              required_contexts: [],
+              environment: env,
+              description: `PR #${context.payload.pull_request.number} preview deployment`,
+              transient_environment: true,
+              auto_merge: false
+            });
+            // create a deployment status pointing to the staging URL
+            await github.rest.repos.createDeploymentStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              deployment_id: resp.data.id,
+              state: 'success',
+              environment_url: 'https://tasknote-stg.darkroasted.vps-kinghost.net'
+            });

.github/workflows/client-ci.yml .github/workflows/ci-pr-frontend.yml.github/workflows/client-ci.yml renamed to .github/workflows/ci-pr-frontend.yml

@@ -1,4 +1,4 @@
-name: Frontend PR
+name: Pull Request CI-Frontend
 
 on:
   workflow_dispatch:
@@ -60,6 +60,7 @@ jobs:
     permissions:
       contents: write
       packages: write
+      deployments: write
 
     steps:
       - name: Checkout code
@@ -84,6 +85,7 @@ jobs:
           images: ghcr.io/${{ github.repository }}/app
           tags: |
             type=raw,value=candidate
+            type=raw,value=pr-${{ github.event.pull_request.number }}
 
       - name: Generate version tag
         id: version
@@ -104,3 +106,29 @@ jobs:
           cache-to: type=gha,mode=max
           build-args: |
             VITE_BUILD=${{ steps.version.outputs.tag }}
+
+      - name: Create GitHub deployment for staging
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const ref = context.payload.pull_request.head.sha;
+            const env = 'staging';
+            const resp = await github.rest.repos.createDeployment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              ref,
+              required_contexts: [],
+              environment: env,
+              description: `PR #${context.payload.pull_request.number} preview deployment`,
+              transient_environment: true,
+              auto_merge: false
+            });
+            // create a deployment status pointing to the staging URL
+            await github.rest.repos.createDeploymentStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              deployment_id: resp.data.id,
+              state: 'success',
+              environment_url: 'https://tasknote-stg.darkroasted.vps-kinghost.net'
+            });

client/src/__test__/utils/UrlUtils.test.ts

@@ -0,0 +1,35 @@
+import { describe, it, expect } from 'vitest';
+import { isSafeUrl } from '../../utils/UrlUtils';
+
+describe('UrlUtils', () => {
+  it('should allow http:// URLs', () => {
+    expect(isSafeUrl('http://example.com')).toBe(true);
+  });
+
+  it('should allow https:// URLs', () => {
+    expect(isSafeUrl('https://example.com')).toBe(true);
+  });
+
+  it('should allow # URLs', () => {
+    expect(isSafeUrl('#section')).toBe(true);
+  });
+
+  it('should disallow javascript: URLs', () => {
+    expect(isSafeUrl('javascript:alert(1)')).toBe(false);
+  });
+
+  it('should disallow data: URLs', () => {
+    expect(isSafeUrl('data:text/html,<script>alert(1)</script>')).toBe(false);
+  });
+
+  it('should disallow empty or null URLs', () => {
+    expect(isSafeUrl('')).toBe(false);
+    expect(isSafeUrl(null)).toBe(false);
+    expect(isSafeUrl(undefined)).toBe(false);
+  });
+
+  it('should be case insensitive for protocol', () => {
+    expect(isSafeUrl('HTTP://example.com')).toBe(true);
+    expect(isSafeUrl('HTTPS://example.com')).toBe(true);
+  });
+});

client/src/api-service/apiConfig.ts

@@ -1,6 +1,6 @@
 import { env } from '../env';
 
-const server = env.VITE_BACKEND_SERVER;
+const server = env.VITE_BACKEND_SERVER || '/api';
 
 const ApiConfig = {
 

client/src/components/NoteTitle/index.tsx

@@ -1,5 +1,6 @@
 import React from 'react';
 import ExternalLinkIcon from '../../assets/icons8-external-link-30.png';
+import { isSafeUrl } from '../../utils/UrlUtils';
 
 interface Props {
   readonly title: string;
@@ -18,8 +19,8 @@ function NoteTitle(props: React.PropsWithChildren<Props>): React.ReactNode {
     <span className="task-title-icon">
       <span className="poppins-semibold">
         {props.title}
-        {props.noteUrl && props.noteUrl.length > 0 && (
-          <a href={props.noteUrl} target="_blank" rel="noreferrer" className="task-note-external-link">
+        {isSafeUrl(props.noteUrl) && (
+          <a href={props.noteUrl!} target="_blank" rel="noreferrer" className="task-note-external-link">
             <img src={ExternalLinkIcon} width={20} alt="external link" />
           </a>
         )}

client/src/components/TaskTitle/index.tsx

@@ -1,5 +1,6 @@
 import React from 'react';
 import ExternalLinkIcon from '../../assets/icons8-external-link-30.png';
+import { isSafeUrl } from '../../utils/UrlUtils';
 import './style.css';
 
 interface Props {
@@ -24,7 +25,7 @@ function TaskTitle(props: React.PropsWithChildren<Props>): React.ReactNode {
         data-testid={`task-title-text-${props.title}`}
       >
         {props.title}
-        {props.taskUrl && props.taskUrl.length > 0 && (
+        {props.taskUrl && props.taskUrl.length > 0 && isSafeUrl(props.taskUrl[0]) && (
           <a href={props.taskUrl[0]} target="_blank" rel="noreferrer" className="task-note-external-link">
             <img src={ExternalLinkIcon} width={20} alt="external link" />
           </a>