Merge pull request #174 from ShipSecAI/betterclever/prod-image-setup

feat: Easy self-hosting with just prod start-latest

Author: betterclever

.github/workflows/release.yml

@@ -118,6 +118,8 @@ jobs:
           tags: ${{ steps.tags.outputs.backend_tags }}
           build-args: |
             VITE_GIT_SHA=${{ steps.git_sha.outputs.sha }}
+            POSTHOG_API_KEY=${{ secrets.POSTHOG_API_KEY }}
+            POSTHOG_HOST=${{ secrets.POSTHOG_HOST }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -131,6 +133,8 @@ jobs:
           tags: ${{ steps.tags.outputs.worker_tags }}
           build-args: |
             VITE_GIT_SHA=${{ steps.git_sha.outputs.sha }}
+            POSTHOG_API_KEY=${{ secrets.POSTHOG_API_KEY }}
+            POSTHOG_HOST=${{ secrets.POSTHOG_HOST }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -146,6 +150,8 @@ jobs:
             VITE_GIT_SHA=${{ steps.git_sha.outputs.sha }}
             VITE_PUBLIC_POSTHOG_KEY=${{ secrets.POSTHOG_API_KEY }}
             VITE_PUBLIC_POSTHOG_HOST=${{ secrets.POSTHOG_HOST }}
+            POSTHOG_API_KEY=${{ secrets.POSTHOG_API_KEY }}
+            POSTHOG_HOST=${{ secrets.POSTHOG_HOST }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 

Dockerfile

@@ -40,6 +40,12 @@ FROM base AS backend
 # Switch to user
 USER shipsec
 
+# PostHog analytics (optional)
+ARG POSTHOG_API_KEY=""
+ARG POSTHOG_HOST=""
+ENV POSTHOG_API_KEY=${POSTHOG_API_KEY}
+ENV POSTHOG_HOST=${POSTHOG_HOST}
+
 # Set working directory for backend
 WORKDIR /app/backend
 
@@ -57,6 +63,12 @@ FROM base AS worker
 # Switch to user
 USER shipsec
 
+# PostHog analytics (optional)
+ARG POSTHOG_API_KEY=""
+ARG POSTHOG_HOST=""
+ENV POSTHOG_API_KEY=${POSTHOG_API_KEY}
+ENV POSTHOG_HOST=${POSTHOG_HOST}
+
 # Set working directory for worker
 WORKDIR /app/worker
 

README.md

@@ -61,15 +61,54 @@ Get started with ShipSec Studio in minutes:
 3. **Run a scan** with pre-built components like Subfinder, Nuclei, or HTTPx
 4. **View results** in real-time as the workflow executes
 
-### Option 2: Run Locally
+### Option 2: Self-Host with Docker (Recommended)
+
+The easiest way to run ShipSec Studio on your own infrastructure:
+
+#### Prerequisites
+
+- **[docker](https://www.docker.com/)** - For running the application and security components
+- **[just](https://github.com/casey/just)** - Command runner for simplified workflows
+- **curl** and **jq** - For fetching release information
+
+#### Quick Start
+
+```bash
+# Clone the repository
+git clone https://github.com/ShipSecAI/studio.git
+cd studio
+
+# Download the latest release and start
+just prod start-latest
+
+# Visit http://localhost:8090 to access ShipSec Studio
+```
+
+This command automatically:
+- Fetches the latest release version from GitHub
+- Pulls pre-built Docker images from GHCR
+- Starts the full stack (frontend, backend, worker, and infrastructure)
+
+#### Other Commands
+
+```bash
+just prod stop      # Stop the environment
+just prod logs      # View logs
+just prod status    # Check status
+just prod clean     # Remove all data
+```
+
+### Option 3: Development Setup
+
+For contributors who want to modify the source code:
 
 #### Prerequisites
 
 - **[bun.sh](https://bun.sh)** - Fast JavaScript runtime and package manager
 - **[docker](https://www.docker.com/)** - For running security components in isolated containers
 - **[just](https://github.com/casey/just)** - Command runner for simplified development workflows
 
-#### Quick Setup with `just` (Recommended)
+#### Setup
 
 ```bash
 # Clone the repository
@@ -79,7 +118,7 @@ cd studio
 # Initialize (installs dependencies and creates environment files)
 just init
 
-# Start development environment
+# Start development environment with hot-reload
 just dev
 
 # Visit http://localhost:5173 to access ShipSec Studio

docker/docker-compose.full.yml

@@ -167,7 +167,7 @@ services:
     restart: unless-stopped
 
   backend:
-    image: ghcr.io/shipsecai/studio-backend:latest
+    image: ghcr.io/shipsecai/studio-backend:${SHIPSEC_TAG:-latest}
     build:
       context: ..
       dockerfile: Dockerfile
@@ -198,10 +198,8 @@ services:
       - AUTH_PROVIDER=local
       - CLERK_PUBLISHABLE_KEY=
       - CLERK_SECRET_KEY=
-      # PostHog analytics (baked into Docker images)
-      - POSTHOG_API_KEY=${POSTHOG_API_KEY:-}
-      - POSTHOG_HOST=${POSTHOG_HOST:-}
-      - DISABLE_ANALYTICS=${DISABLE_ANALYTICS:-}
+      # Set to 'true' to disable analytics
+      - DISABLE_ANALYTICS=${DISABLE_ANALYTICS:-false}
     ports:
       - "3211:3211"
     depends_on:
@@ -214,9 +212,9 @@ services:
       redis:
         condition: service_healthy
     restart: unless-stopped
-    
+
   frontend:
-    image: ghcr.io/shipsecai/studio-frontend:latest
+    image: ghcr.io/shipsecai/studio-frontend:${SHIPSEC_TAG:-latest}
     build:
       context: ..
       dockerfile: Dockerfile
@@ -237,11 +235,6 @@ services:
       - VITE_AUTH_PROVIDER=clerk
       - VITE_DEFAULT_ORG_ID=local-dev
       - VITE_CLERK_PUBLISHABLE_KEY=
-      # PostHog analytics (optional). Set in your shell or a .env file next to this compose.
-      # If unset, the app disables analytics at runtime.
-      - VITE_PUBLIC_POSTHOG_KEY=${VITE_PUBLIC_POSTHOG_KEY:-}
-      - VITE_PUBLIC_POSTHOG_HOST=${VITE_PUBLIC_POSTHOG_HOST:-}
-      - VITE_DISABLE_ANALYTICS=${VITE_DISABLE_ANALYTICS:-}
     ports:
       - "8090:8080"
     depends_on:
@@ -254,7 +247,7 @@ services:
       retries: 5
 
   worker:
-    image: ghcr.io/shipsecai/studio-worker:latest
+    image: ghcr.io/shipsecai/studio-worker:${SHIPSEC_TAG:-latest}
     build:
       context: ..
       dockerfile: Dockerfile

justfile

@@ -156,8 +156,44 @@ prod action="start":
             docker system prune -f
             echo "✅ Production cleaned"
             ;;
+        start-latest)
+            echo "🔍 Fetching latest release information from GitHub API..."
+            if ! command -v curl &> /dev/null || ! command -v jq &> /dev/null; then
+                echo "❌ curl or jq is not installed. Please install them first."
+                exit 1
+            fi
+            
+            LATEST_TAG=$(curl -s https://api.github.com/repos/ShipSecAI/studio/releases | jq -r '.[0].tag_name')
+            
+            # Strip leading 'v' if present (v0.1-rc2 -> 0.1-rc2)
+            LATEST_TAG="${LATEST_TAG#v}"
+            
+            if [ "$LATEST_TAG" == "null" ] || [ -z "$LATEST_TAG" ]; then
+                echo "❌ Could not find any releases. Please check the repository at https://github.com/ShipSecAI/studio/releases"
+                exit 1
+            fi
+            
+            echo "📦 Found latest release: $LATEST_TAG"
+            
+            echo "📥 Pulling matching images from GHCR..."
+            docker pull ghcr.io/shipsecai/studio-backend:$LATEST_TAG
+            docker pull ghcr.io/shipsecai/studio-frontend:$LATEST_TAG
+            docker pull ghcr.io/shipsecai/studio-worker:$LATEST_TAG
+            
+            echo "🚀 Starting production environment with version $LATEST_TAG..."
+            export SHIPSEC_TAG=$LATEST_TAG
+            docker compose -f docker/docker-compose.full.yml up -d
+            
+            echo ""
+            echo "✅ ShipSec Studio $LATEST_TAG ready"
+            echo "   Frontend:    http://localhost:8090"
+            echo "   Backend:     http://localhost:3211"
+            echo "   Temporal UI: http://localhost:8081"
+            echo ""
+            echo "💡 Note: Using images tagged as $LATEST_TAG"
+            ;;
         *)
-            echo "Usage: just prod [start|stop|build|logs|status|clean]"
+            echo "Usage: just prod [start|start-latest|stop|build|logs|status|clean]"
             ;;
     esac
 
@@ -219,11 +255,15 @@ prod-images action="start":
 
             DOCKER_BUILDKIT=1 docker build \
                 --target backend \
+                --build-arg POSTHOG_API_KEY=$POSTHOG_API_KEY \
+                --build-arg POSTHOG_HOST=$POSTHOG_HOST \
                 -t ghcr.io/shipsecai/studio-backend:latest \
                 .
 
             DOCKER_BUILDKIT=1 docker build \
                 --target worker \
+                --build-arg POSTHOG_API_KEY=$POSTHOG_API_KEY \
+                --build-arg POSTHOG_HOST=$POSTHOG_HOST \
                 -t ghcr.io/shipsecai/studio-worker:latest \
                 .
 
@@ -325,6 +365,7 @@ help:
     @echo "Production (Docker):"
     @echo "  just prod          Start with cached images"
     @echo "  just prod build    Rebuild and start"
+    @echo "  just prod start-latest  Download latest release and start"
     @echo "  just prod stop     Stop production"
     @echo "  just prod logs     View production logs"
     @echo "  just prod status   Check production status"