Refresh CI lab runtimes and workflow wiring

darestack · darestack · commit cf83072a8c4b · 2026-05-07T11:32:34.000+01:00
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
@@ -7,7 +7,7 @@ on:
     branches: [main]
 
 env:
-  NODE_VERSION: "18.x"
+  NODE_VERSION: "24.x"
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
@@ -19,26 +19,18 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [18.x, 20.x]
+        node-version: [22.x, 24.x]
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: "npm"
 
-      - name: Cache Node modules
-        uses: actions/cache@v3
-        with:
-          path: ~/.npm
-          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-node-
-
       - name: Install dependencies
         run: npm ci
 
@@ -52,9 +44,9 @@ jobs:
         run: npm run test:coverage
 
       - name: Upload coverage reports
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v5
         with:
-          file: ./coverage/lcov.info
+          files: ./coverage/lcov.info
           flags: unittests
           name: codecov-umbrella
           fail_ci_if_error: false
@@ -76,7 +68,7 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: "npm"
@@ -110,7 +102,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@v0.35.0
         with:
           scan-type: "fs"
           scan-ref: "."
@@ -126,28 +118,28 @@ jobs:
   build:
     name: Build Application
     runs-on: ubuntu-latest
-    needs: [test, code-quality]
+    needs: [test, code-quality, security]
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     permissions:
       contents: read
       packages: write
 
     outputs:
       image-digest: ${{ steps.build.outputs.digest }}
-      image-url: ${{ steps.build.outputs.image-url }}
+      image-tags: ${{ steps.meta.outputs.tags }}
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: "npm"
 
       - name: Install dependencies
-        run: npm ci --only=production
+        run: npm ci --omit=dev
 
       - name: Create production build
         run: |
@@ -197,13 +189,16 @@ jobs:
     environment:
       name: staging
       url: ${{ steps.deploy.outputs.url }}
+    outputs:
+      url: ${{ steps.deploy.outputs.url }}
 
     steps:
       - name: Deploy to staging environment
         id: deploy
         run: |
-          echo "🚀 Deploying to staging environment..."
-          echo "Image: ${{ needs.build.outputs.image-url }}"
+          echo "Simulating staging deployment"
+          echo "Image tags:"
+          echo "${{ needs.build.outputs.image-tags }}"
           echo "This would typically deploy to a staging server"
           echo "url=https://staging.your-app.com" >> $GITHUB_OUTPUT
 
@@ -223,12 +218,12 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ env.NODE_VERSION }}
 
       - name: Install test dependencies
-        run: npm install --only=dev
+        run: npm ci
 
       - name: Run integration tests against staging
         run: |
@@ -244,13 +239,16 @@ jobs:
     environment:
       name: production
       url: ${{ steps.deploy.outputs.url }}
+    outputs:
+      url: ${{ steps.deploy.outputs.url }}
 
     steps:
       - name: Deploy to production environment
         id: deploy
         run: |
-          echo "🚀 Deploying to production environment..."
-          echo "Image: ${{ needs.build.outputs.image-url }}"
+          echo "Simulating production deployment"
+          echo "Image tags:"
+          echo "${{ needs.build.outputs.image-tags }}"
           echo "This would typically deploy to production servers"
           echo "url=https://your-app.com" >> $GITHUB_OUTPUT
 
@@ -279,7 +277,7 @@ jobs:
   notify:
     name: Deployment Notification
     runs-on: ubuntu-latest
-    needs: [smoke-tests]
+    needs: [smoke-tests, deploy-production]
     if: always() && github.ref == 'refs/heads/main'
 
     steps:
@@ -291,4 +289,4 @@ jobs:
           else
             echo "❌ Deployment failed or was cancelled"
             echo "🔍 Check the workflow logs for details"
-          fi
+          fi
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Multi-stage build for production optimization
-FROM node:18-alpine AS builder
+FROM node:24-alpine AS builder
 
 # Set working directory
 WORKDIR /app
@@ -17,7 +17,7 @@ COPY src/ ./src/
 RUN mkdir -p dist && cp -r src/* dist/
 
 # Production stage
-FROM node:18-alpine AS production
+FROM node:24-alpine AS production
 
 # Create app directory
 WORKDIR /app
@@ -30,7 +30,7 @@ RUN addgroup -g 1001 -S nodejs && \
 COPY package*.json ./
 
 # Install only production dependencies
-RUN npm ci --only=production && npm cache clean --force
+RUN npm ci --omit=dev && npm cache clean --force
 
 # Copy built application from builder stage
 COPY --from=builder /app/dist ./src/
@@ -47,4 +47,4 @@ HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
     CMD node -e "require('http').get('http://localhost:3000/health', (res) => { process.exit(res.statusCode === 200 ? 0 : 1) })"
 
 # Start the application
-CMD ["node", "src/app.js"]
+CMD ["node", "src/app.js"]
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # github-actions-cicd-demo
 
-> Node.js CI/CD lab demonstrating matrix tests, linting, Trivy SARIF upload, Docker Buildx, GHCR publishing, and simulated staged deploys with GitHub Actions.
+> Node.js CI/CD lab demonstrating supported Node.js matrix tests, linting, Trivy SARIF upload, Docker Buildx, GHCR publishing, and simulated staged deploys with GitHub Actions.
 
 **Context:** This is the pipeline implementation from [devops-labs Module-3 Mini-Project 9](https://github.com/darestack/devops-labs/tree/main/Module-3/mini-project-09). Full implementation notes live there.
 
@@ -10,7 +10,7 @@
 
 | Stage | What It Does | Key Detail |
 |---|---|---|
-| `test` | Unit tests across multiple Node.js versions | Build matrix: Node 18 and 20 with npm dependency caching. This job also runs the hard lint gate. |
+| `test` | Unit tests across supported Node.js versions | Build matrix: Node 22 and 24 with npm dependency caching. This job also runs the hard lint gate. |
 | `code-quality` | ESLint SARIF upload | Publishes lint annotations to GitHub Code Scanning. The hard lint gate lives in the `test` job. |
 | `security` | Trivy vulnerability scan | Results uploaded as SARIF to GitHub Code Scanning |
 | `build` | Docker image creation | Pushes to GHCR tagged with both `branch-name` and `commit-SHA` |
@@ -23,7 +23,7 @@
 ```
 Push to main / PR opened
   │
-  ├── test (matrix: Node 18, 20)
+  ├── test (matrix: Node 22, 24)
   │     └── npm ci (cached) → npm run lint → npm test → coverage report
   │
   ├── code-quality
@@ -45,14 +45,18 @@ Push to main / PR opened
 
 ## Key Implementation Decisions
 
-**GHCR image tagging:** Each image is tagged with both `latest` and the commit SHA — enabling rollback to any previous build without relying on the `latest` tag alone.
+**Supported Node versions:** The workflow uses Node 22 and 24 rather than EOL runtime lines. The Docker image uses Node 24 Alpine for the build and runtime stages.
+
+**GHCR image tagging:** Each image is tagged with branch and commit-SHA-derived tags, and `latest` is emitted only for the default branch. That makes rollback easier than relying on `latest` alone.
 
 **ESLint as a hard gate:** The matrix `test` job runs `npm run lint` before tests. The separate `code-quality` job keeps `continue-on-error` for SARIF upload so annotations can still be published for review.
 
 **Trivy SARIF upload:** Required adding `security-events: write` to the job-level permissions block. Without this, the upload fails silently.
 
 **Docker Buildx:** The default GitHub Actions Docker driver does not support cache export. Fixed by adding `docker/setup-buildx-action@v3` before the build step.
 
+**Security scan before build:** The Docker build waits for tests, code-quality SARIF upload, and Trivy filesystem scanning.
+
 **GHCR push permissions:** `GITHUB_TOKEN` requires explicit `packages: write` in the build job permissions to create new container packages.
 
 ---
@@ -73,7 +77,7 @@ Push to `main` or open a PR to trigger the full pipeline.
 
 ## Current Boundary
 
-The staging and production deploy jobs are intentionally simulated in this lab. They show environment flow and dependency ordering, but they do not deploy to a real target yet. To make this a production deployment project, replace the `echo` deployment steps with a real target such as EC2, ECS, Kubernetes, or a PaaS and add deployment logs.
+The staging and production deploy jobs are intentionally simulated in this lab. They show environment flow, dependency ordering, image handoff, environment URLs, and notification wiring, but they do not deploy to a real target yet. To make this a production deployment project, replace the `echo` deployment steps with a real target such as EC2, ECS, Kubernetes, or a PaaS and add deployment logs.
 
 ---
 
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "github-actions-cicd-demo",
   "version": "1.0.0",
-  "description": "Continuous Integration demo with GitHub Actions",
+  "description": "Node.js CI/CD lab with GitHub Actions, Docker Buildx, GHCR, ESLint SARIF, and Trivy scanning",
   "main": "src/app.js",
   "scripts": {
     "start": "node src/app.js",
@@ -16,10 +16,13 @@
     "ci",
     "cd",
     "github-actions",
-    "node.js",
+    "nodejs",
+    "docker",
+    "ghcr",
+    "trivy",
     "testing"
   ],
-  "author": "Your Name",
+  "author": "Adeleke Dare",
   "license": "MIT",
   "dependencies": {
     "express": "^5.1.0"
