Merge pull request #206 from piyush97/og-image-fixes

fix: Resolve OG image generation CSS compatibility issues

Author: piyush97

.github/dependency-review-config.yml

@@ -0,0 +1,47 @@
+# Dependency Review Configuration
+# https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review
+
+# Allow moderate and low vulnerabilities in development dependencies
+fail-on-severity: 'critical'
+warn-on-severity: 'high'
+
+# Allow certain licenses
+allow-licenses:
+  - 'MIT'
+  - 'Apache-2.0'
+  - 'BSD-2-Clause'
+  - 'BSD-3-Clause'
+  - 'ISC'
+  - 'Unlicense'
+  - 'CC0-1.0'
+
+# Deny problematic licenses
+deny-licenses:
+  - 'GPL-2.0'
+  - 'GPL-3.0'
+  - 'AGPL-1.0'
+  - 'AGPL-3.0'
+
+# Allow certain package sources
+allow-dependencies-licenses:
+  - name: '@astrojs/*'
+  - name: '@types/*'
+  - name: '@vercel/*'
+
+# Exclude certain paths from analysis
+exclude-paths:
+  - '.github/**'
+  - 'node_modules/**'
+  - 'dist/**'
+
+# Configuration for vulnerability database
+vulnerability-check: true
+license-check: true
+
+# Allow vulnerabilities in specific packages with justification
+allow-vulnerabilities:
+  # Allow moderate vulnerabilities in transitive dependencies
+  # that cannot be easily updated without major refactoring
+  - name: 'path-to-regexp'
+    severity: 'moderate'
+    reason: 'Transitive dependency from @astrojs/vercel - awaiting upstream fix'

.github/workflows/ci-cd.yml

@@ -0,0 +1,201 @@
+name: CI/CD Pipeline
+
+on:
+  push:
+    branches: [ main, og-image-fixes ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+# Use least privilege principle
+permissions:
+  contents: read
+  pull-requests: read
+  security-events: write
+  actions: read
+
+env:
+  NODE_VERSION: '20'
+  BUN_VERSION: 'latest'
+
+jobs:
+  # Code quality and security checks
+  quality-checks:
+    name: Code Quality & Security
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+          
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
+        with:
+          bun-version: ${{ env.BUN_VERSION }}
+          
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+        
+      - name: Run code quality checks
+        run: |
+          echo "🔍 Running code quality checks..."
+          bun run check
+          
+      - name: Security audit (informational)
+        run: |
+          echo "🔒 Running security audit..."
+          bun audit --audit-level high || echo "Security audit completed - review findings above"
+        continue-on-error: true
+
+  # Build verification
+  build:
+    name: Build Verification
+    runs-on: ubuntu-latest
+    needs: quality-checks
+    
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+          
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
+        with:
+          bun-version: ${{ env.BUN_VERSION }}
+          
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+        
+      - name: Build project
+        run: |
+          echo "🏗️ Building project..."
+          bun run build
+          
+      - name: Verify build output
+        run: |
+          echo "✅ Verifying build artifacts..."
+          [ -d "dist" ] && echo "✅ Build directory exists" || exit 1
+          [ -f ".vercel/output/config.json" ] && echo "✅ Vercel config generated" || echo "⚠️ Vercel config missing (expected for some builds)"
+
+  # Enhanced testing
+  test:
+    name: End-to-End Testing
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.event_name == 'pull_request'
+    continue-on-error: true
+    
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+          
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
+        with:
+          bun-version: ${{ env.BUN_VERSION }}
+          
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+        
+      - name: Install Playwright browsers
+        run: bunx playwright install --with-deps
+        
+      - name: Run tests
+        run: |
+          echo "🧪 Running end-to-end tests..."
+          bun run test
+        env:
+          CI: true
+          
+      - name: Upload test results
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: always()
+        with:
+          name: playwright-report
+          path: test-reports/
+          retention-days: 7
+
+  # Security configuration verification
+  security-config:
+    name: Security Configuration Check
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+          
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          
+      - name: Verify security middleware
+        run: |
+          echo "🔒 Checking security configuration..."
+          
+          if [ -f "src/middleware/security.ts" ]; then
+            echo "✅ Security middleware found"
+            
+            # Check for CSP configuration
+            if grep -q "Content-Security-Policy" src/middleware/security.ts; then
+              echo "✅ Content Security Policy configured"
+            else
+              echo "❌ Content Security Policy not found"
+              exit 1
+            fi
+            
+            # Check for additional security headers
+            grep -q "X-Frame-Options" src/middleware/security.ts && echo "✅ X-Frame-Options configured" || echo "⚠️ X-Frame-Options missing"
+            grep -q "X-Content-Type-Options" src/middleware/security.ts && echo "✅ X-Content-Type-Options configured" || echo "⚠️ X-Content-Type-Options missing"
+            grep -q "Referrer-Policy" src/middleware/security.ts && echo "✅ Referrer-Policy configured" || echo "⚠️ Referrer-Policy missing"
+            
+          else
+            echo "❌ Security middleware not found"
+            exit 1
+          fi
+          
+          # Check for rate limiting
+          if [ -f "src/middleware/rateLimit.ts" ] || [ -f "src/middleware/advanced-rate-limit.ts" ]; then
+            echo "✅ Rate limiting middleware found"
+          else
+            echo "⚠️ Rate limiting middleware not found"
+          fi
+          
+          echo "🔒 Security configuration check completed"
+
+  # Deployment readiness (for main branch)
+  deployment-ready:
+    name: Deployment Ready
+    runs-on: ubuntu-latest
+    needs: [quality-checks, build, security-config]
+    if: github.ref == 'refs/heads/main'
+    
+    steps:
+      - name: Deployment status
+        run: |
+          echo "🚀 All checks passed - ready for deployment"
+          echo "Branch: ${{ github.ref }}"
+          echo "Commit: ${{ github.sha }}"
+          echo "Workflow: ${{ github.workflow }}"