merge develop

Author: VKronmar

.github/workflows/deploy.yml

@@ -5,6 +5,7 @@ on:
     branches:
       - main
       - develop
+      - feature/vapor-env-updates
   workflow_dispatch:
     inputs:
       environment:
@@ -60,11 +61,14 @@ jobs:
           if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
             echo "VAPOR_ENV=${{ github.event.inputs.environment }}" >> "$GITHUB_ENV"
             echo "TEST_MODE=${{ github.event.inputs.test_mode }}" >> "$GITHUB_ENV"
+          elif [[ "${{ github.ref_name }}" == "main" ]]; then
+            echo "VAPOR_ENV=production" >> "$GITHUB_ENV"
+            echo "TEST_MODE=false" >> "$GITHUB_ENV"
           elif [[ "${{ github.ref_name }}" == "develop" ]]; then
             echo "VAPOR_ENV=staging" >> "$GITHUB_ENV"
             echo "TEST_MODE=false" >> "$GITHUB_ENV"
           else
-            echo "VAPOR_ENV=production" >> "$GITHUB_ENV"
+            echo "VAPOR_ENV=staging" >> "$GITHUB_ENV"
             echo "TEST_MODE=false" >> "$GITHUB_ENV"
           fi
 
@@ -73,6 +77,21 @@ jobs:
           echo "🚀 Deploying to Vapor environment: ${{ env.VAPOR_ENV }}"
           echo "🧪 Test mode: ${{ env.TEST_MODE }}"
 
+      - name: Configure AWS Credentials
+        if: env.TEST_MODE != 'true'
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ID }}
+          aws-region: eu-west-1
+
+      - name: Download Encrypted Environment File from S3
+        if: env.TEST_MODE != 'true'
+        working-directory: ./backend
+        run: |
+          aws s3 cp s3://hi.events-env-secrets/.env.${{ env.VAPOR_ENV }}.encrypted .env.${{ env.VAPOR_ENV }}.encrypted
+          echo "✅ Downloaded .env.${{ env.VAPOR_ENV }}.encrypted from S3"
+
       - name: Validate Deployment Configuration
         working-directory: ./backend
         run: |
@@ -83,6 +102,7 @@ jobs:
           fi
 
       - name: Deploy to Vapor
+        if: env.TEST_MODE != 'true'
         working-directory: ./backend
         run: vapor deploy ${{ env.VAPOR_ENV }}
         env:
@@ -105,11 +125,14 @@ jobs:
               echo "DO_APP_ID=${{ secrets.DIGITALOCEAN_PRODUCTION_APP_ID }}" >> "$GITHUB_ENV"
             fi
             echo "TEST_MODE=${{ github.event.inputs.test_mode }}" >> "$GITHUB_ENV"
+          elif [[ "${{ github.ref_name }}" == "main" ]]; then
+            echo "DO_APP_ID=${{ secrets.DIGITALOCEAN_PRODUCTION_APP_ID }}" >> "$GITHUB_ENV"
+            echo "TEST_MODE=false" >> "$GITHUB_ENV"
           elif [[ "${{ github.ref_name }}" == "develop" ]]; then
             echo "DO_APP_ID=${{ secrets.DIGITALOCEAN_STAGING_APP_ID }}" >> "$GITHUB_ENV"
             echo "TEST_MODE=false" >> "$GITHUB_ENV"
           else
-            echo "DO_APP_ID=${{ secrets.DIGITALOCEAN_PRODUCTION_APP_ID }}" >> "$GITHUB_ENV"
+            echo "DO_APP_ID=${{ secrets.DIGITALOCEAN_STAGING_APP_ID }}" >> "$GITHUB_ENV"
             echo "TEST_MODE=false" >> "$GITHUB_ENV"
           fi
 

.github/workflows/post-release-push-images.yml

@@ -9,6 +9,7 @@ jobs:
   push_to_registry:
     name: Push Docker images to Docker Hub
     runs-on: ubuntu-latest
+
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
@@ -28,6 +29,9 @@ jobs:
         uses: docker/metadata-action@v3
         with:
           images: daveearley/hi.events-all-in-one
+          tags: |
+            type=ref,event=tag
+            type=raw,value=latest,enable=${{ github.event.release.prerelease == false }}
 
       - name: Build and push All-in-one Docker image
         uses: docker/build-push-action@v3
@@ -44,6 +48,9 @@ jobs:
         uses: docker/metadata-action@v3
         with:
           images: daveearley/hi.events-backend
+          tags: |
+            type=ref,event=tag
+            type=raw,value=latest,enable=${{ github.event.release.prerelease == false }}
 
       - name: Build and push Backend Docker image
         uses: docker/build-push-action@v3
@@ -60,6 +67,9 @@ jobs:
         uses: docker/metadata-action@v3
         with:
           images: daveearley/hi.events-frontend
+          tags: |
+            type=ref,event=tag
+            type=raw,value=latest,enable=${{ github.event.release.prerelease == false }}
 
       - name: Build and push Frontend Docker image
         uses: docker/build-push-action@v3

.gitignore

@@ -5,6 +5,7 @@
 /.idea/**
 frontend/.env
 backend/.env
+docker/all-in-one/.env
 todo.md
 CLAUDE.md
 /prompts/**

Dockerfile.all-in-one

@@ -1,4 +1,4 @@
-FROM node:alpine AS node-frontend
+FROM node:22-alpine AS node-frontend
 
 WORKDIR /app/frontend
 

backend/.gitignore

@@ -7,6 +7,8 @@
 /vendor
 .env
 .env.backup
+.env.production.*
+.env.staging.*
 .env.production
 .env.staging
 .phpunit.result.cache

backend/Dockerfile

@@ -9,7 +9,7 @@ RUN echo "" >> /usr/local/etc/php-fpm.d/docker-php-serversideup-pool.conf && \
     echo "user = www-data" >> /usr/local/etc/php-fpm.d/docker-php-serversideup-pool.conf && \
     echo "group = www-data" >> /usr/local/etc/php-fpm.d/docker-php-serversideup-pool.conf
 
-RUN install-php-extensions intl
+RUN install-php-extensions intl imagick
 
 COPY --chown=www-data:www-data . .
 

backend/Dockerfile.dev

@@ -12,7 +12,7 @@ COPY --chown=www-data:www-data . /var/www/html
 
 # Switch to root user to install PHP extensions
 USER root
-RUN install-php-extensions intl
+RUN install-php-extensions intl imagick
 USER www-data
 
 RUN chmod -R 755 /var/www/html/storage \

backend/app/Console/Commands/AssignSuperAdminCommand.php

@@ -0,0 +1,102 @@
+<?php
+
+namespace HiEvents\Console\Commands;
+
+use Exception;
+use HiEvents\DomainObjects\Enums\Role;
+use HiEvents\Repository\Interfaces\AccountUserRepositoryInterface;
+use HiEvents\Repository\Interfaces\UserRepositoryInterface;
+use Illuminate\Console\Command;
+use Psr\Log\LoggerInterface;
+
+class AssignSuperAdminCommand extends Command
+{
+    protected $signature = 'user:make-superadmin {userId : The ID of the user to make a superadmin}';
+
+    protected $description = 'Assign SUPERADMIN role to a user. WARNING: This grants complete system access.';
+
+    public function __construct(
+        private readonly UserRepositoryInterface        $userRepository,
+        private readonly AccountUserRepositoryInterface $accountUserRepository,
+        private readonly LoggerInterface                $logger,
+    )
+    {
+        parent::__construct();
+    }
+
+    public function handle(): int
+    {
+        $userId = $this->argument('userId');
+
+        $this->warn('⚠️  WARNING: This command will grant COMPLETE SYSTEM ACCESS to the user.');
+        $this->warn('⚠️  SUPERADMIN users have unrestricted access to all accounts and data.');
+        $this->newLine();
+
+        if (!$this->confirm('Are you sure you want to proceed?', false)) {
+            $this->info('Operation cancelled.');
+            return self::FAILURE;
+        }
+
+        try {
+            $user = $this->userRepository->findById((int)$userId);
+        } catch (Exception $exception) {
+            $this->error("Error finding user with ID: $userId" . " Message: " . $exception->getMessage());
+            return self::FAILURE;
+        }
+
+        $this->info("Found user: {$user->getFullName()} ({$user->getEmail()})");
+        $this->newLine();
+
+        if (!$this->confirm('Confirm assigning SUPERADMIN role to this user?', false)) {
+            $this->info('Operation cancelled.');
+            return self::FAILURE;
+        }
+
+        $accountUsers = $this->accountUserRepository->findWhere([
+            'user_id' => $userId,
+        ]);
+
+        if ($accountUsers->isEmpty()) {
+            $this->error('User is not associated with any accounts.');
+            return self::FAILURE;
+        }
+
+        $updatedCount = 0;
+        foreach ($accountUsers as $accountUser) {
+            if ($accountUser->getRole() === Role::SUPERADMIN->name) {
+                $this->comment("User already has SUPERADMIN role for account ID: {$accountUser->getAccountId()}");
+                continue;
+            }
+
+            $this->accountUserRepository->updateWhere(
+                attributes: [
+                    'role' => Role::SUPERADMIN->name,
+                ],
+                where: [
+                    'id' => $accountUser->getId(),
+                ]
+            );
+
+            $updatedCount++;
+
+            $this->logger->critical('SUPERADMIN role assigned via console command', [
+                'user_id' => $userId,
+                'user_email' => $user->getEmail(),
+                'account_id' => $accountUser->getAccountId(),
+                'previous_role' => $accountUser->getRole(),
+                'command' => $this->signature,
+            ]);
+        }
+
+        $this->newLine();
+        $this->info("✓ Successfully assigned SUPERADMIN role to user across $updatedCount account(s).");
+        $this->warn("⚠️  User {$user->getFullName()} now has COMPLETE SYSTEM ACCESS.");
+
+        $this->logger->critical('SUPERADMIN role assignment completed', [
+            'user_id' => $userId,
+            'accounts_updated' => $updatedCount,
+        ]);
+
+        return self::SUCCESS;
+    }
+}