Merge pull request #1260 from NFDI4Chem/development

Development

Author: NishaSharma14

.env.example

@@ -104,6 +104,10 @@ ORCID_CLIENT_SECRET=
 ORCID_REDIRECT_URL=http://localhost/auth/login/orcid/callback
 ORCID_ENVIRONMENT=sandbox
 
+NFDIAAI_CLIENT_ID=
+NFDIAAI_CLIENT_SECRET=
+NFDIAAI_REDIRECT_URL="${APP_URL}/auth/login/regapp/callback"
+
 TELESCOPE_ENABLED=false
 
 #DATACITE Properties
@@ -117,4 +121,6 @@ NMRKIT_URL=https://nodejs.nmrxiv.org
 CAS_URL=https://commonchemistry.cas.org
 PUBCHEM_URL=https://pubchem.ncbi.nlm.nih.gov
 COMMON_CHEMISTRY_URL=https://commonchemistry.cas.org
-CHEMISTRY_STANDARDIZE_URL=https://api.cheminf.studio/latest/chem/standardize
+CHEMISTRY_STANDARDIZE_URL=https://api.cheminf.studio/latest/chem/standardize
+
+BACKUP_KEEP_DAYS=7

.github/workflows/dev-build.yml

@@ -16,11 +16,23 @@ env:
   REPOSITORY_NAMESPACE: nfdi4chem
 
 jobs:
+  lint-security:
+    name: Lint & Security (reusable)
+    uses: ./.github/workflows/lint-security-check.yml
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      run_php: true
+      run_js: true
+      run_secrets: true
+
   # Build and publish Docker images for the development environment
   setup-build-publish-deploy:
     name: Build & deploy to development
     runs-on: ubuntu-latest
-    # Tip: gate deploys on tests with `needs: php-unit-test` once a tests job exists
+    needs: [lint-security]
+
     # Environment provides secrets and protection rules
     environment:
       name: Dev

.github/workflows/lint-security-check.yml

@@ -0,0 +1,148 @@
+name: Lint and Security Checks
+
+on:
+  workflow_call:
+    inputs:
+      run_php:
+        description: "Run PHP lint & security job"
+        required: false
+        type: boolean
+        default: true
+      run_js:
+        description: "Run JS lint & security job"
+        required: false
+        type: boolean
+        default: true
+      run_secrets:
+        description: "Run secret leakage detection job"
+        required: false
+        type: boolean
+        default: true
+
+permissions:
+  contents: read
+  security-events: write
+
+concurrency:
+  group: lint-security-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # Lints PHP code style (Pint) and audits Composer dependencies for vulnerabilities
+  php:
+    if: ${{ inputs.run_php }}
+    name: PHP Lint & Security
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.3'
+          coverage: none
+          tools: composer
+          extensions: mbstring, intl, pdo, pdo_mysql, pdo_pgsql
+          ini-values: memory_limit=512M
+
+      - name: Cache Composer dependencies
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.composer/cache/files
+            ~/.cache/composer/files
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-composer-
+      - name: Validate composer.json
+        run: composer validate --no-check-publish --strict
+
+      - name: Install PHP dependencies
+        run: composer install --no-interaction --prefer-dist --no-progress
+
+      - name: PHP code style (Pint)
+        run: vendor/bin/pint --test
+
+      - name: Composer security audit
+        run: composer audit --no-interaction --locked
+
+  # Runs JS/Vue linting (ESLint), formatting check (Prettier), and npm security audit
+  js:
+    if: ${{ inputs.run_js }}
+    name: JS Lint & Security
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install Node dependencies
+        run: npm ci
+
+      - name: ESLint
+        run: npx eslint --ext .js,.vue --ignore-path .gitignore resources/js
+
+      - name: Prettier (check)
+        run: npx prettier resources/js --check
+
+      - name: npm audit (high+)
+        run: npm audit --audit-level=high
+
+  # Scans the repository for hard-coded secrets using Gitleaks
+  secrets:
+    if: ${{ inputs.run_secrets }}
+    name: Secret Leakage Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Gitleaks
+        run: |
+          set -e
+          GITLEAKS_VERSION=8.18.4
+          curl -sSL -o gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+          tar -xzf gitleaks.tar.gz gitleaks
+          sudo mv gitleaks /usr/local/bin/gitleaks
+          gitleaks version
+
+      - name: Gitleaks scan
+        id: gitleaks
+        run: |
+          set +e
+          gitleaks detect --source . --no-git --redact --report-format sarif --report-path gitleaks.sarif
+          code=$?
+          echo "$code" > gitleaks-exit-code.txt
+          if [ ! -f gitleaks.sarif ]; then
+            echo "Gitleaks did not produce SARIF file; creating empty stub." >&2
+            printf '%s\n' '{' \
+              '  "version": "2.1.0",' \
+              '  "runs": [' \
+              '    {' \
+              '      "tool": { "driver": { "name": "Gitleaks", "informationUri": "https://github.com/gitleaks/gitleaks" } },' \
+              '      "results": []' \
+              '    }' \
+              '  ]' \
+              '}' > gitleaks.sarif
+          fi
+          # Always succeed here; we fail after uploading SARIF for annotations
+          exit 0
+
+      - name: Upload SARIF (code scanning)
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: gitleaks.sarif
+      - name: Fail if Gitleaks found leaks
+        run: |
+          code=$(cat gitleaks-exit-code.txt || echo 0)
+          if [ "$code" -ne 0 ]; then
+            echo "Gitleaks detected potential secrets (exit code $code). Failing job after SARIF upload." >&2
+            exit 1
+          fi

.github/workflows/pr-lint.yml

@@ -0,0 +1,21 @@
+name: PR Lint & Security
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches:
+      - development
+      - main
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  lint-security:
+    name: Lint & Security (PR)
+    uses: ./.github/workflows/lint-security-check.yml
+    with:
+      run_php: true
+      run_js: true
+      run_secrets: true

.github/workflows/prod-build.yml

@@ -20,10 +20,22 @@ env:
   REPOSITORY_NAMESPACE: nfdi4chem
 
 jobs:
+  lint-security:
+    name: Lint & Security (reusable)
+    uses: ./.github/workflows/lint-security-check.yml
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      run_php: true
+      run_js: true
+      run_secrets: true
+
   # Guard: confirm input and authorize actor
   guard:
     name: Access control and confirmation
     runs-on: ubuntu-latest
+    needs: [lint-security]
     steps:
       - name: Validate actor and confirmation
         shell: bash

.github/workflows/test.yml

@@ -0,0 +1,31 @@
+<?php
+
+namespace App\Console\Commands;
+
+use App\Jobs\CleanupBackupsJob;
+use Illuminate\Console\Command;
+
+class CleanupBackups extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = 'nmrxiv:backup-cleanup';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = 'Cleanup of postgres backups from ceph and retain only last 7 backups.';
+
+    /**
+     * Execute the console command.
+     */
+    public function handle(): void
+    {
+        CleanupBackupsJob::dispatch();
+    }
+}

.phpunit.cache/test-results

@@ -21,13 +21,63 @@ class ApplicationController extends Controller
     public function compounds(Request $request)
     {
         $query = $request->get('query');
-        $limit = $request->get('limit') ? $limit : 24;
+        $limit = $request->get('limit') ? $request->get('limit') : 24;
         $page = $request->query('page');
         $tagType = $request->query('tagType') ? $request->query('tagType') : null;
 
         return Inertia::render('Public/Compounds', compact(['query', 'limit', 'page', 'tagType']));
     }
 
+    /**
+     * Resolve compound by ID and render the appropriate view
+     *
+     * @return Inertia\Inertia
+     */
+    public function resolveCompound(Request $request, $identifier)
+    {
+        $resolvedModel = resolveIdentifier($identifier);
+        $namespace = $resolvedModel['namespace'];
+        $model = $resolvedModel['model'];
+
+        if ($model && $namespace === 'Molecule') {
+            // Redirect to spectra page with compound parameter for now
+            // This maintains the current compound viewing functionality
+            return redirect('/spectra?compound='.substr($identifier, 1));
+        } else {
+            abort(404, 'Compound not found');
+        }
+    }
+
+    /**
+     * Resolve sample by ID and render the appropriate view
+     *
+     * @return Inertia\Inertia
+     */
+    public function resolveSample(Request $request, $identifier)
+    {
+        return $this->resolve($request, $identifier);
+    }
+
+    /**
+     * Resolve project by ID and render the appropriate view
+     *
+     * @return Inertia\Inertia
+     */
+    public function resolveProject(Request $request, $identifier)
+    {
+        return $this->resolve($request, $identifier);
+    }
+
+    /**
+     * Resolve dataset by ID and render the appropriate view
+     *
+     * @return Inertia\Inertia
+     */
+    public function resolveDataset(Request $request, $identifier)
+    {
+        return $this->resolve($request, $identifier);
+    }
+
     /**
      * Resolve the incoming request into right models and render the
      * inertia view

app/Console/Commands/CleanupBackups.php

@@ -63,6 +63,7 @@ public function share(Request $request)
             'twitter' => (env('TWITTER_CLIENT_ID') !== null && env('TWITTER_CLIENT_ID') !== ''),
             'github' => (env('GITHUB_CLIENT_ID') !== null && env('GITHUB_CLIENT_ID') !== ''),
             'orcid' => (env('ORCID_CLIENT_ID') !== null && env('ORCID_CLIENT_ID') !== ''),
+            'nfdiaai' => (env('NFDIAAI_CLIENT_ID') !== null && env('NFDIAAI_CLIENT_ID') !== ''),
             'config.announcements' => Schema::hasTable('announcements') ? Announcement::active() : null,
             'url' => env('APP_URL'),
             'nmriumURL' => env('NMRIUM_URL'),