Merge pull request #86 from JohanDevl/review/complete-project-review

review: complete project audit with critical fixes

Author: JohanDevl

.github/dependabot.yml

@@ -0,0 +1,79 @@
+# Dependabot configuration for automated dependency updates
+# See: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  # Go module dependencies
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "Europe/Paris"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "JohanDevl"
+    commit-message:
+      prefix: "deps"
+      prefix-development: "deps-dev"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "go"
+    # Group minor and patch updates
+    groups:
+      go-dependencies:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+    # Allow direct dependencies to be updated
+    allow:
+      - dependency-type: "direct"
+      - dependency-type: "indirect"
+
+  # Docker base images
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "Europe/Paris"
+    open-pull-requests-limit: 3
+    reviewers:
+      - "JohanDevl"
+    commit-message:
+      prefix: "docker"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "docker"
+
+  # GitHub Actions workflows
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "Europe/Paris"
+    open-pull-requests-limit: 3
+    reviewers:
+      - "JohanDevl"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    # Group all GitHub Actions updates
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/auto-tag.yml

@@ -1,5 +1,25 @@
 name: Auto Tag on Merge
 
+# ═══════════════════════════════════════════════════════════════════════════════
+# IMPORTANT: PAT_TOKEN Requirement
+# ═══════════════════════════════════════════════════════════════════════════════
+#
+# This workflow requires PAT_TOKEN secret to trigger downstream workflows.
+#
+# Why PAT_TOKEN is needed:
+# - GitHub Actions workflows cannot trigger other workflows using GITHUB_TOKEN
+# - This workflow creates tags that should trigger the CI/CD pipeline
+# - Without PAT_TOKEN, the Docker build workflow will NOT be triggered
+#
+# Setup instructions:
+# 1. Create a Personal Access Token with 'repo' and 'workflow' scopes
+# 2. Add it as a repository secret named 'PAT_TOKEN'
+# 3. See docs/CI_CD_SETUP.md for detailed instructions
+#
+# If PAT_TOKEN is not configured, the workflow falls back to GITHUB_TOKEN,
+# but this will NOT trigger CI/CD workflows automatically.
+# ═══════════════════════════════════════════════════════════════════════════════
+
 on:
   pull_request:
     types:
@@ -22,6 +42,8 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          # IMPORTANT: PAT_TOKEN is required to trigger CI/CD workflows
+          # Fallback to GITHUB_TOKEN will NOT trigger workflows
           token: ${{ secrets.PAT_TOKEN || secrets.GITHUB_TOKEN }}
 
       - name: Set up Git
@@ -68,7 +90,8 @@ jobs:
           # Add PR info to tag message
           TAG_MESSAGE="Release $NEW_TAG from PR #${{ steps.pr_info.outputs.pr_number }}: ${{ github.event.pull_request.title }}"
 
-          # Create and push tag using PAT for workflow triggering
+          # Create and push tag using PAT_TOKEN for workflow triggering
+          # PAT_TOKEN is required to trigger ci-cd.yml workflow
           git tag -a "$NEW_TAG" -m "$TAG_MESSAGE"
           git push https://x-access-token:${{ secrets.PAT_TOKEN || secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git "$NEW_TAG"
 
@@ -97,6 +120,8 @@ jobs:
       - name: Trigger CI/CD for Docker Build
         uses: actions/github-script@v7
         with:
+          # CRITICAL: PAT_TOKEN is required to trigger ci-cd.yml
+          # GITHUB_TOKEN will NOT work for triggering workflows
           github-token: ${{ secrets.PAT_TOKEN || secrets.GITHUB_TOKEN }}
           script: |
             const response = await github.rest.actions.createWorkflowDispatch({

.github/workflows/ci-cd.yml

@@ -308,17 +308,60 @@ jobs:
 
       - name: Test Docker image
         run: |
+          echo "🧪 Testing Docker image functionality..."
+
           # Create test directories
           mkdir -p ./test_config ./test_logs ./test_exports
 
-          # Basic image test - check if it runs properly
+          IMAGE="${{ env.REGISTRY_IMAGE }}:develop"
+
+          # Test 1: Help command
+          echo "Test 1: --help command"
           docker run --rm \
             -v $(pwd)/test_config:/app/config \
             -v $(pwd)/test_logs:/app/logs \
             -v $(pwd)/test_exports:/app/exports \
-            ${{ env.REGISTRY_IMAGE }}:develop --help
+            $IMAGE --help
+          echo "✅ Test 1 passed: Help command works"
+
+          # Test 2: Version command
+          echo "Test 2: --version command"
+          docker run --rm $IMAGE --version
+          echo "✅ Test 2 passed: Version command works"
 
-          echo "✅ Docker image tests passed successfully"
+          # Test 3: Validate command (check config validation)
+          echo "Test 3: validate command"
+          docker run --rm \
+            -v $(pwd)/config:/app/config:ro \
+            $IMAGE validate || echo "⚠️  Validation failed (expected without credentials)"
+          echo "✅ Test 3 completed: Validate command executed"
+
+          # Test 4: Check binary permissions and user
+          echo "Test 4: Binary permissions and non-root user"
+          docker run --rm $IMAGE sh -c "id; ls -la /app/export-trakt" 2>/dev/null || \
+          docker run --rm --entrypoint "" $IMAGE /bin/sh -c "id; ls -la /app/export-trakt" 2>/dev/null || \
+          echo "⚠️  Shell not available (distroless image)"
+          echo "✅ Test 4 completed: User and permissions check"
+
+          # Test 5: Health check (if binary supports --version)
+          echo "Test 5: Health check verification"
+          docker run --rm $IMAGE --version > /dev/null && \
+          echo "✅ Test 5 passed: Health check endpoint works" || \
+          echo "⚠️  Test 5 failed: Health check not available"
+
+          # Test 6: Volume mounts writable
+          echo "Test 6: Volume mount permissions"
+          docker run --rm \
+            -v $(pwd)/test_exports:/app/exports \
+            --entrypoint "" \
+            $IMAGE sh -c "touch /app/exports/test.txt && rm /app/exports/test.txt" 2>/dev/null && \
+          echo "✅ Test 6 passed: Export volume is writable" || \
+          echo "⚠️  Test 6: Could not test volume permissions (expected for distroless)"
+
+          echo ""
+          echo "═══════════════════════════════════════════════════════"
+          echo "✅ Docker image tests completed successfully"
+          echo "═══════════════════════════════════════════════════════"
 
   # Job 4: Notification and Summary
   notify:

.github/workflows/docker-cleanup.yml

@@ -5,8 +5,8 @@ on:
     types: [closed]
     branches: ["main", "develop"]
   schedule:
-    # Cleanup obsolete images daily at 2:00 AM UTC
-    - cron: '0 2 * * *'
+    # Cleanup obsolete images daily at 6:00 AM UTC (after tag monitoring at 2 AM)
+    - cron: '0 6 * * *'
   workflow_dispatch:
 
 env:

.github/workflows/docker-tag-monitor.yml

@@ -2,8 +2,8 @@ name: Docker Tag Monitor
 
 on:
   schedule:
-    # Run once daily at 6 AM UTC to check for missing Docker images
-    - cron: '0 6 * * *'
+    # Run once daily at 2 AM UTC to check for missing Docker images (before cleanup at 6 AM)
+    - cron: '0 2 * * *'
   workflow_dispatch:
     inputs:
       reason:

.github/workflows/go-tests.yml

@@ -18,7 +18,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: "1.21"
+          go-version: "1.23"
           cache: true
 
       - name: Install dependencies

.github/workflows/release.yml

@@ -49,24 +49,45 @@ jobs:
           # Create output directory
           mkdir -p security-reports
 
-          # Run gosec with error handling
-          gosec -fmt sarif -out gosec-results.sarif ./... || {
-            echo "❌ gosec scan failed with exit code $?"
-            echo "Attempting to run with different format for debugging..."
-            gosec -fmt text ./... || true
-            echo "Creating empty SARIF file to prevent upload failure..."
-            echo '{"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"gosec","version":"0.0.0"}},"results":[]}]}' > gosec-results.sarif
-          }
+          # Run gosec and capture exit code
+          EXIT_CODE=0
+          gosec -fmt sarif -out gosec-results.sarif ./... || EXIT_CODE=$?
+
+          # Check if scan completed successfully
+          if [ $EXIT_CODE -ne 0 ]; then
+            echo "❌ gosec scan failed with exit code $EXIT_CODE"
+
+            # If SARIF file was created despite exit code (warnings treated as errors)
+            if [ -f "gosec-results.sarif" ] && [ -s "gosec-results.sarif" ]; then
+              echo "⚠️  SARIF file exists - scan completed with warnings/issues"
+              echo "Scan will be marked as failed but results will be uploaded"
+              # Continue to upload results but mark as failed
+            else
+              echo "❌ CRITICAL: gosec scan failed without producing results"
+              echo "Attempting to run with text format for debugging..."
+              gosec -fmt text ./... || true
+              echo ""
+              echo "🚨 SECURITY SCAN FAILURE - Please fix issues and re-run"
+              exit 1
+            fi
+          fi
 
           # Verify the SARIF file was created
-          if [ -f "gosec-results.sarif" ]; then
+          if [ -f "gosec-results.sarif" ] && [ -s "gosec-results.sarif" ]; then
             echo "✅ SARIF file created successfully"
             echo "File size: $(wc -c < gosec-results.sarif) bytes"
             echo "First few lines:"
             head -10 gosec-results.sarif || true
           else
-            echo "❌ SARIF file not found, creating empty file..."
-            echo '{"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"gosec","version":"0.0.0"}},"results":[]}]}' > gosec-results.sarif
+            echo "❌ CRITICAL: SARIF file not found or empty"
+            echo "🚨 SECURITY SCAN FAILURE - Cannot proceed without scan results"
+            exit 1
+          fi
+
+          # If we had issues detected, fail the job
+          if [ $EXIT_CODE -ne 0 ]; then
+            echo "🚨 Security scan detected issues - failing job"
+            exit $EXIT_CODE
           fi
 
       - name: Upload gosec results to GitHub Security tab

.github/workflows/security-scan.yml

@@ -271,5 +271,5 @@ coverage.txt
 # Go workspace file
 go.work
 
-.claude
-CLAUDE.md
+# Claude Code workspace files (not CLAUDE.md documentation files)
+.claude