10 changes: 6 additions & 4 deletions .github/workflows/docker-readme-validation.yml
Expand Up @@ -165,9 +165,10 @@ jobs:
id: db_migrations
run: |
set -euo pipefail
if ! docker compose logs app | grep -q "Database migrations applied successfully"; then
logs="$(docker compose logs app)"
if ! grep -q "Database migrations applied successfully" <<<"$logs"; then
echo "❌ Migration success message not found in app logs"
docker compose logs app
printf '%s\n' "$logs"
exit 1
fi
echo "✅ Migrations applied successfully"
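Review bot: with `set -euo pipefail` in effect, the new `logs="$(docker compose logs app)"` assignment aborts the step as soon as `docker compose logs` itself exits non-zero, so the ❌ diagnostic and the log dump are never printed; the old pipeline form ran inside the `if` condition, where errexit is suppressed, and simply took the "not found" branch. Consider `if ! logs="$(docker compose logs app)"; then echo "❌ could not read app logs"; exit 1; fi` ahead of the grep, so a failure to fetch logs is reported separately from a missing migration message. Capturing the logs once and printing that same snapshot on failure is otherwise a real improvement over re-running `docker compose logs`, which could return different output the second time.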
Expand All @@ -176,9 +177,10 @@ jobs:
id: s3_bucket
run: |
set -euo pipefail
if ! docker compose logs app | grep -q 'S3 bucket "reqcore" is ready'; then
logs="$(docker compose logs app)"
if ! grep -q 'S3 bucket "reqcore" is ready' <<<"$logs"; then
echo "❌ S3 bucket ready message not found in app logs"
docker compose logs app
printf '%s\n' "$logs"
exit 1
fi
echo "✅ S3 bucket is ready"
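Review bot: the same errexit concern as in the migrations step applies to `logs="$(docker compose logs app)"` here. Separately, `grep -q 'S3 bucket "reqcore" is ready'` is a regex match; `grep -qF` makes it a fixed-string match so the pattern is not reinterpreted if the message ever gains a metacharacter such as a dot or bracket. Since the two steps are now identical apart from the pattern and the messages, factoring the capture-and-grep into a small shell function or a composite action would keep future fixes in one place.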
30 changes: 18 additions & 12 deletions .github/workflows/e2e-tests.yml
Expand Up @@ -49,7 +49,25 @@ jobs:
S3_FORCE_PATH_STYLE: "true"

steps:
- name: Checkout
uses: actions/checkout@v6

- name: Setup Node.js
uses: actions/setup-node@v6
with:
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/e2e-tests.yml | head -80

Repository: reqcore-inc/reqcore

Length of output: 2807


🌐 Web query:

GitHub Actions security best practices pin actions by SHA persist-credentials false

💡 Result:

To harden your GitHub Actions workflows, implementing both SHA pinning and the persist-credentials: false setting are standard security best practices [1][2][3].

Pinning Actions by SHA

Pinning an action to a full-length commit SHA is considered the most secure way to reference actions [1][2]. Unlike tags or branch names (e.g., v4, main), which are mutable and can be force-updated to point to malicious code by an attacker who compromises the action's repository, a commit SHA is cryptographically immutable [1][4][5].

- Implementation: Reference the action using its 40-character commit hash: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 [4][6].
- Governance: You can enforce this practice across your organization or repository using GitHub Actions policy settings, which allow administrators to mandate SHA pinning [1][7].

Using persist-credentials: false

By default, the actions/checkout action stores the GITHUB_TOKEN in the local .git/config file to enable subsequent git commands [8][6]. This makes the token accessible to any step in your job, increasing the risk of credential theft if a dependency or script in your workflow is compromised [3][9][10].

- Implementation: Explicitly set persist-credentials: false in your checkout step if your workflow does not require git push or authenticated git operations [3][10][6]:

      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
        with:
          persist-credentials: false

- Use Case: If a job needs to perform git operations, evaluate whether you can isolate that task into a separate, restricted job or use a more granular authentication method [10][5]. Always follow the principle of least privilege by setting appropriate permissions at the workflow or job level [11][12][5].

🏁 Script executed:

grep -n "upload\|artifact" .github/workflows/e2e-tests.yml

Repository: reqcore-inc/reqcore

Length of output: 265


Pin GitHub Actions by commit SHA and disable credential persistence in checkout.

Lines 53 and 56 use mutable tags (@v6), and line 52 does not set persist-credentials: false. This weakens supply-chain integrity; the GITHUB_TOKEN persisted in git config is accessible to any workflow step and risks exposure through artifact uploads (lines 111, 119).

Suggested hardening diff
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        with:
+          persist-credentials: false

       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@8f152de45cc393bb48ce5d6f9a02fee1e4b622f4
         with:
           node-version: 22.22
           cache: npm
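Review bot: the two SHAs in this suggested diff must be checked against the v6 tags the workflow currently references before committing; a SHA pin has to be the commit that the targeted v6 release tag resolves to in the action's own repository, otherwise the pin silently changes the action version the job runs (a pin taken from an older release is a downgrade that no tag tells you about). Also append the release as a trailing comment, e.g. `uses: actions/checkout@<sha> # v6.x.y`, so reviewers can read the version and Dependabot/Renovate can keep the pin updated.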
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 52-53: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 53-53: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 56-56: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/e2e-tests.yml around lines 52-57, replace the mutable
version tags in the GitHub Actions with pinned commit SHAs for both the Checkout
action (lines 52-53) and the Setup Node.js action (line 56). For the Checkout
action specifically, add `persist-credentials: false` in the with section to
prevent the GITHUB_TOKEN from being stored in git config, which reduces the risk
of credential exposure through artifact uploads in subsequent workflow steps.

Source: Linters/SAST tools

node-version: 22.22
cache: npm

- name: Install dependencies
timeout-minutes: 20
env:
npm_config_fetch_retries: 5
npm_config_fetch_retry_mintimeout: 20000
npm_config_fetch_retry_maxtimeout: 120000
run: npm ci --no-audit

- name: Start MinIO
timeout-minutes: 2
run: |
docker run -d \
--name minio-ci \
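Review bot: `npm ci --no-audit` drops the advisory output that the plain `npm ci` in the old position produced; if this job was the only place dependency advisories surfaced, state in the PR where that scanning now happens (a dedicated audit job or Dependabot) so it is not lost silently. The `actions/checkout@v6` and `actions/setup-node@v6` references added here are mutable tags and checkout keeps its default credential persistence, as the zizmor findings already flag. The 20-minute step timeout plus the three `npm_config_fetch_*` variables are a reasonable answer to registry flakiness; confirm once with `npm config list` in a debug run that they are picked up as `fetch-retries`, `fetch-retry-mintimeout` and `fetch-retry-maxtimeout`, because a config key npm does not recognise is ignored without any warning.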
Expand All @@ -64,18 +82,6 @@ jobs:
--endpoint-url http://localhost:9000 \
--region us-east-1

- name: Checkout
uses: actions/checkout@v6

- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 22.22
cache: npm

- name: Install dependencies
run: npm ci

- name: Push database schema
run: npx drizzle-kit push

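Review bot: this hunk only removes the checkout, setup-node and install steps that the previous hunk re-adds earlier in the job, so the reordering is consistent and `Push database schema` still runs after `npm ci`. The retained `npx drizzle-kit push` step should be confirmed to resolve `drizzle-kit` from the lockfile-installed `node_modules` (i.e. it is a declared devDependency); otherwise `npx` fetches the latest published version from the registry at run time, bypassing the lockfile that `npm ci` just enforced.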