zcube
diff --git a/‎.dockerignore‎
Lines changed: 86 additions & 0 deletions b/‎.dockerignore‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎.env.example‎
Lines changed: 15 additions & 0 deletions b/‎.env.example‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎.gitattributes‎
Lines changed: 37 additions & 0 deletions b/‎.gitattributes‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎.github/workflows/docker.yml‎
Lines changed: 257 additions & 0 deletions b/‎.github/workflows/docker.yml‎
Lines changed: 257 additions & 0 deletions
@@ -0,0 +1,86 @@
+# Dependencies
+node_modules
+npm-debug.log
+yarn-debug.log*
+yarn-error.log*
+# package-lock.json is needed for npm ci in Docker
+
+# Build output
+dist
+*.tsbuildinfo
+
+# Environment files
+.env
+.env.local
+.env.*.local
+.env.example
+
+# IDE / Editor
+.vscode
+.idea
+*.swp
+*.swo
+*~
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Git files
+.git
+.gitignore
+.gitattributes
+.github
+
+# Git hooks
+lefthook.yml
+.husky
+
+# Documentation (include only necessary docs)
+*.md
+!README.md
+CONTRIBUTING.md
+TESTING.md
+EXAMPLES.md
+VISUAL_PROPERTIES_EXAMPLES.md
+
+# Logs
+logs
+*.log
+
+# Test files
+test-*.ts
+check-*.ts
+*.test.ts
+*.spec.ts
+coverage
+.nyc_output
+
+# Docker files (avoid nested docker builds)
+Dockerfile*
+docker-compose*.yml
+.dockerignore
+
+# CI/CD
+.github
+.gitlab-ci.yml
+.travis.yml
+.circleci
+
+# Development tools
+.editorconfig
+.prettierrc*
+.eslintrc*
+.eslintignore
+# tsconfig.json is needed for Docker build
+
+# MCP configuration (contains sensitive tokens)
+.mcp.json
+
+# NPM package files
+.npmignore
+
+# Temporary files
+*.tmp
+.cache
+tmp
@@ -0,0 +1,15 @@
+# Penpot API Configuration
+PENPOT_API_URL=https://design.penpot.app
+PENPOT_ACCESS_TOKEN=your-access-token-here
+
+# Transport Mode (stdio or http)
+TRANSPORT=stdio
+
+# HTTP Mode Configuration (only used when TRANSPORT=http)
+HTTP_PORT=3000
+HTTP_HOST=0.0.0.0
+
+# Security Options (optional, for HTTP mode)
+ALLOWED_ORIGINS=https://example.com,https://app.example.com
+ALLOWED_HOSTS=localhost,example.com
+ENABLE_DNS_REBINDING_PROTECTION=false
@@ -0,0 +1,37 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+# Source code
+*.ts text eol=lf
+*.js text eol=lf
+*.json text eol=lf
+*.md text eol=lf
+*.yml text eol=lf
+*.yaml text eol=lf
+
+# Shell scripts
+*.sh text eol=lf
+
+# Docker
+Dockerfile text eol=lf
+docker-compose.yml text eol=lf
+
+# Configuration files
+.env.example text eol=lf
+.gitignore text eol=lf
+.gitattributes text eol=lf
+.npmignore text eol=lf
+tsconfig.json text eol=lf
+package.json text eol=lf
+package-lock.json text eol=lf linguist-generated=true
+
+# Binary files
+*.png binary
+*.jpg binary
+*.jpeg binary
+*.gif binary
+*.ico binary
+*.pdf binary
+*.zip binary
+*.tar binary
+*.gz binary
@@ -0,0 +1,257 @@
+name: Docker Build and Test
+
+on:
+  push:
+    branches: [ main, develop ]
+    tags: [ 'v*' ]
+  pull_request:
+    branches: [ main, develop ]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  # Check which features should be enabled based on secrets/repository
+  check-config:
+    runs-on: ubuntu-latest
+    outputs:
+      should-push-docker: ${{ steps.check.outputs.should-push-docker }}
+      should-publish-npm: ${{ steps.check.outputs.should-publish-npm }}
+    steps:
+      - id: check
+        env:
+          DOCKER_ENABLED: ${{ secrets.DOCKER_PUSH_ENABLED }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          # Check if Docker push should be enabled
+          if [ "${{ github.repository }}" == "zcube/penpot-mcp-server" ] || [ "$DOCKER_ENABLED" == "true" ]; then
+            echo "should-push-docker=true" >> $GITHUB_OUTPUT
+          else
+            echo "should-push-docker=false" >> $GITHUB_OUTPUT
+          fi
+
+          # Check if NPM publish should be enabled
+          if [ "${{ github.repository }}" == "zcube/penpot-mcp-server" ] || [ -n "$NPM_TOKEN" ]; then
+            echo "should-publish-npm=true" >> $GITHUB_OUTPUT
+          else
+            echo "should-publish-npm=false" >> $GITHUB_OUTPUT
+          fi
+
+  # Build and test the Docker image
+  build-and-test:
+    runs-on: ubuntu-latest
+    needs: check-config
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        # Only login if: not a PR AND push is enabled
+        if: |
+          github.event_name != 'pull_request' &&
+          needs.check-config.outputs.should-push-docker == 'true'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            # Production tags (for version tags like v1.0.0)
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=semver,pattern=latest
+            # Development tag (for main branch only)
+            type=ref,event=branch,suffix=-dev
+
+      - name: Build builder stage (host platform only, for caching)
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          target: builder
+          push: false
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build test image (host platform only)
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false
+          load: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:test
+          cache-from: type=gha
+
+      - name: Test Docker image
+        run: |
+          docker run --rm \
+            -e PENPOT_API_URL="${{ secrets.PENPOT_API_URL }}" \
+            -e PENPOT_ACCESS_TOKEN="${{ secrets.PENPOT_ACCESS_TOKEN }}" \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:test \
+            node -e "console.log('Container starts successfully')"
+
+      - name: Build and push production image (multi-arch)
+        # Only push if: not a PR AND (main branch OR version tag) AND push is enabled
+        if: |
+          github.event_name != 'pull_request' &&
+          (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) &&
+          needs.check-config.outputs.should-push-docker == 'true'
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+
+  # Run integration tests with npm test against external Penpot instance
+  # Requires penpot-test environment with PENPOT_API_URL and PENPOT_ACCESS_TOKEN secrets
+  # Forks can create this environment to enable integration tests
+  integration-test:
+    runs-on: ubuntu-latest
+    environment: penpot-test
+    needs: build-and-test
+    # Skip on forks without penpot-test environment configured
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+
+    steps:
+      - name: Check for Penpot credentials
+        id: check-secrets
+        env:
+          PENPOT_URL: ${{ secrets.PENPOT_API_URL }}
+          PENPOT_TOKEN: ${{ secrets.PENPOT_ACCESS_TOKEN }}
+        run: |
+          if [ -n "$PENPOT_URL" ] && [ -n "$PENPOT_TOKEN" ]; then
+            echo "has-secrets=true" >> $GITHUB_OUTPUT
+            echo "✅ Penpot credentials found - integration tests will run"
+          else
+            echo "has-secrets=false" >> $GITHUB_OUTPUT
+            echo "⚠️  Penpot credentials not found - skipping integration tests"
+          fi
+
+      - name: Checkout repository
+        if: steps.check-secrets.outputs.has-secrets == 'true'
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        if: steps.check-secrets.outputs.has-secrets == 'true'
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        if: steps.check-secrets.outputs.has-secrets == 'true'
+        run: npm ci
+
+      - name: Build project
+        if: steps.check-secrets.outputs.has-secrets == 'true'
+        run: npm run build
+
+      - name: Run tests
+        if: steps.check-secrets.outputs.has-secrets == 'true'
+        env:
+          PENPOT_API_URL: ${{ secrets.PENPOT_API_URL }}
+          PENPOT_ACCESS_TOKEN: ${{ secrets.PENPOT_ACCESS_TOKEN }}
+        run: npm test
+
+      - name: Upload test results
+        if: always() && steps.check-secrets.outputs.has-secrets == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: integration-test-results
+          path: |
+            logs/
+            test-results/
+
+  # Security scanning - runs when images are pushed
+  # Scans the published Docker image for vulnerabilities
+  security-scan:
+    runs-on: ubuntu-latest
+    needs: [check-config, build-and-test]
+    # Only scan when image is pushed (same condition as image push)
+    if: |
+      github.event_name != 'pull_request' &&
+      (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) &&
+      needs.check-config.outputs.should-push-docker == 'true'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Determine image tag to scan
+        id: image-tag
+        run: |
+          if [[ $GITHUB_REF == refs/tags/v* ]]; then
+            # For version tags, extract version number (v1.0.0 -> 1.0.0)
+            VERSION=${GITHUB_REF#refs/tags/v}
+            echo "tag=$VERSION" >> $GITHUB_OUTPUT
+          else
+            # For main branch, use dev tag
+            echo "tag=main-dev" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.image-tag.outputs.tag }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  # Publish to npm when version tag is pushed
+  # Only publishes from original repo or when NPM_TOKEN is explicitly configured
+  publish-npm:
+    runs-on: ubuntu-latest
+    needs: [check-config, build-and-test]
+    if: |
+      startsWith(github.ref, 'refs/tags/v') &&
+      needs.check-config.outputs.should-publish-npm == 'true'
+    permissions:
+      contents: read
+      id-token: write  # Required for npm provenance
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build project
+        run: npm run build
+
+      - name: Publish to npm
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --provenance --access public