Set up linting

.github/workflows/lint.yml

@@ -0,0 +1,44 @@
+name: Lint
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: "npm"
+          cache-dependency-path: |
+            frontend/package.json
+            backend/package.json
+            filebrowser/package.json
+
+      - name: Install NPM packages
+        run: |
+          cd frontend
+          npm ci
+          cd ../backend
+          npm ci
+          cd ../filebrowser
+          npm ci
+
+      - name: Install Tools
+        uses: jdx/mise-action@v3
+        with:
+          version: 2026.1.4
+          install: true
+          mise_toml: |
+            [tools]
+            hadolint = "2.14.0"
+            golangci-lint = "2.8.0"
+
+      - name: Lint
+        run: ./.github/workflows/lint/lint.sh

.github/workflows/lint/lint.sh

@@ -0,0 +1,74 @@
+#!/bin/bash
+set -uo pipefail
+
+CURRENT_DIR=$(dirname "$0")
+PROJECT_ROOT="$PWD/$CURRENT_DIR/../../../"
+
+cd "$PROJECT_ROOT" || exit 1
+
+ERROR=0
+
+check_error() {
+  if [ $? -ne 0 ]; then
+    echo "Command exited with an error"
+    ERROR=1
+  else
+    echo "Success"
+  fi
+}
+
+# Shellcheck: shell scripts
+printf "\n======================================\nRunning Shellcheck\n======================================\n"
+find . -name "*.sh" -and -not -wholename '**node_modules**' -and -not -wholename '**.husky**' -exec shellcheck {} +
+check_error
+
+# Hadolint: Dockerfiles
+printf "\n======================================\nRunning Hadolint\n======================================\n"
+find . -name "*Dockerfile" -exec hadolint {} +
+check_error
+
+# golangci-lint: Go files
+printf "\n======================================\nRunning golangci-lint (log-shipper)\n======================================\n"
+cd "$PROJECT_ROOT/log-shipper" || exit 1
+golangci-lint run ./...
+check_error
+
+printf "\n======================================\nRunning golangci-lint (regclient-napi)\n======================================\n"
+cd "$PROJECT_ROOT/backend/regclient-napi" || exit 1
+npx node-gyp configure
+
+NAPI_HEADER_DIR=$(node -p 'require("node-addon-api").include' | cut -d\" -f 2 -)
+NODE_HEADER_DIR="$(grep nodedir build/config.gypi | cut -d\" -f 4 -)/include/node"
+cd src || exit 1
+
+go build -o ../gobuild/main.a -buildmode=c-archive main.go
+export CGO_CXXFLAGS="-I../gobuild -I$NODE_HEADER_DIR -I$NAPI_HEADER_DIR"
+
+golangci-lint run ./...
+
+check_error
+
+# ESLint: TypeScript files
+cd "$PROJECT_ROOT/openapi" || exit 1
+npm ci
+npm run generate
+
+cd "$PROJECT_ROOT/backend" || exit 1
+DATABASE_URL=placeholder npx prisma generate
+
+printf "\n======================================\nRunning eslint (frontend)\n======================================\n"
+cd "$PROJECT_ROOT/frontend" || exit 1
+npm run lint
+check_error
+
+printf "\n======================================\nRunning eslint (backend)\n======================================\n"
+cd "$PROJECT_ROOT/backend" || exit 1
+npm run lint
+check_error
+
+printf "\n======================================\nRunning eslint (filebrowser)\n======================================\n"
+cd "$PROJECT_ROOT/filebrowser" || exit 1
+npm run lint
+check_error
+
+exit $ERROR

.github/workflows/release.yml

@@ -1,3 +1,5 @@
+name: Release
+
 on:
   workflow_dispatch:
     inputs:
@@ -16,6 +18,7 @@ on:
 
 jobs:
   release:
+    name: Release
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -46,7 +49,7 @@ jobs:
           docker buildx inspect --bootstrap
 
       - name: Release
-        run: ./.github/workflows/scripts/release-${{ inputs.environment }}.sh "${{ inputs.version }}"
+        run: ./.github/workflows/release/release-${{ inputs.environment }}.sh "${{ inputs.version }}"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/scripts/release-production.sh → .github/workflows/release/release-production.sh

@@ -12,15 +12,15 @@ if [ -z "$1" ]; then
 fi
 
 if [ ! -v CI ]; then
-  read -p "Script isn't being called from CI; are you sure you want to create a new GitHub release and push to the production registry namespace? (y/n): " response
+  read -pr "Script isn't being called from CI; are you sure you want to create a new GitHub release and push to the production registry namespace? (y/n): " response
 
   if [ "$response" != "y" ]; then
     exit 0
   fi
 fi
 
 if [ "$BRANCH" != "main" ]; then
-  read -p "Current branch isn't main; are you sure you want to create a new GitHub release and push to the production registry namespace? (y/n): " response
+  read -pr "Current branch isn't main; are you sure you want to create a new GitHub release and push to the production registry namespace? (y/n): " response
 
   if [ "$response" != "y" ]; then
     exit 0
@@ -32,4 +32,4 @@ export HELM_ARTIFACT_TAG="oci://registry.anvil.rcac.purdue.edu/anvilops/chart"
 export GENERATE_GITHUB_RELEASE="1"
 
 CURRENT_DIR=$(dirname "$0")
-$CURRENT_DIR/release.sh "$1"
+"$CURRENT_DIR"/release.sh "$1"

.github/workflows/scripts/release-staging.sh → .github/workflows/release/release-staging.sh

@@ -11,4 +11,4 @@ COMMIT="$(git rev-parse HEAD)"
 VERSION="0.0.0-staging.$(date +%s)-${COMMIT:0:10}"
 
 CURRENT_DIR=$(dirname "$0")
-$CURRENT_DIR/release.sh "$VERSION"
+"$CURRENT_DIR"/release.sh "$VERSION"

.github/workflows/scripts/release.sh → .github/workflows/release/release.sh

@@ -58,15 +58,15 @@ build_and_push() {
     -t "$IMAGE_TAG" \
     --cache-from="type=registry,ref=$CACHE_TAG" \
     --cache-to="type=registry,ref=$CACHE_TAG,mode=max" \
-    --build-arg BUILD_DATE=$(date -uIseconds) \
+    --build-arg BUILD_DATE="$(date -uIseconds)" \
     "$BUILD_CONTEXT"
 
   IMAGE_ID=$(cat "$IIDFILE") # looks like "sha256:32975dcafd44d8c6f921d2276e2a39f42f268e8c9584d6c4d4c88f5a073b7b1d"
   rm "$IIDFILE"
 
   IMAGE_REF="$IMAGE_TAG@$IMAGE_ID"
   echo "Built image: $IMAGE_REF"
-  echo "- \`$IMAGE_REF\`" >> $NOTES_FILE
+  echo "- \`$IMAGE_REF\`" >> "$NOTES_FILE"
 
   set_value "$VALUES_FILE" "$CHART_KEY" "$IMAGE_REF"
 }
@@ -94,10 +94,10 @@ copy_image() {
 
   IMAGE_REF="$DEST@$IMAGE_ID"
   set_value "$VALUES_FILE" "$KEY" "$IMAGE_REF"
-  echo "- \`$IMAGE_REF\`" >> $NOTES_FILE
+  echo "- \`$IMAGE_REF\`" >> "$NOTES_FILE"
 }
 
-RAILPACK_VERSION=$(cat "$PROJECT_ROOT/builders/railpack/Dockerfile" | grep "RAILPACK_VERSION=" | cut -d= -f 2)
+RAILPACK_VERSION=$(grep "RAILPACK_VERSION=" "$PROJECT_ROOT/builders/railpack/Dockerfile" | cut -d= -f 2)
 RAILPACK_RELEASE_SHA=$(gh api "repos/railwayapp/railpack/commits/v$RAILPACK_VERSION" --jq '.sha')
 
 get_railpack_image_tag() {
@@ -122,7 +122,7 @@ get_railpack_image_tag() {
 }
 
 build_images() {
-  echo "### Container Images" >> $NOTES_FILE
+  echo "### Container Images" >> "$NOTES_FILE"
 
   build_and_push "Dockerfile" "" ".anvilops.image" "$REGISTRY_BASE/anvilops"
   build_and_push "backend/prisma/Dockerfile" "backend" ".anvilops.dbMigrateImage" "$REGISTRY_BASE/migrate-db"
@@ -151,12 +151,12 @@ publish_chart() {
   CHART_PACKAGE_DIR=$(mktemp -d)
 
   helm package --destination "$CHART_PACKAGE_DIR" "$CHART_DIR"
-  CHART_PACKAGE_FILE="$CHART_PACKAGE_DIR/$(ls $CHART_PACKAGE_DIR)"
+  CHART_PACKAGE_FILE="$CHART_PACKAGE_DIR/$(ls "$CHART_PACKAGE_DIR")"
 
   helm push "$CHART_PACKAGE_FILE" "$HELM_ARTIFACT_TAG"
   rm -rf "$CHART_PACKAGE_DIR"
 
-  cat << EOF >> $NOTES_FILE
+  cat << EOF >> "$NOTES_FILE"
 
 ### Install with Helm
 \`\`\`sh

.github/workflows/security-scan.yml

@@ -0,0 +1,26 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  security-scan:
+    name: Run Trivy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v6
+
+      - name: Install Tools
+        uses: jdx/mise-action@v3
+        with:
+          version: 2026.1.4
+          install: true
+          mise_toml: |
+            [tools]
+            trivy = "0.68.2"
+
+      - name: Run Trivy
+        run: trivy repository --exit-code 1 .

.prettierignore

@@ -3,4 +3,11 @@ charts/**/*.yaml
 !charts/**/values.yaml
 templates/extensions/**/*.yaml
 !templates/extensions/**/values.yaml
-# ^ Prettier doesn't know how to interpret Go templates so it thinks we're writing invalid YAML
+# ^ Prettier doesn't know how to interpret Go templates so it thinks we're writing invalid YAML
+
+frontend/dist
+frontend/src/generated
+backend/src/generated
+docs/dist
+docs/.astro
+backend/regclient-napi/dist

.prettierrc

@@ -1 +1,3 @@
-{}
+{
+  "plugins": ["prettier-plugin-tailwindcss"]
+}

.vscode/extensions.json

@@ -5,6 +5,8 @@
     "github.vscode-github-actions",
     "unifiedjs.vscode-mdx",
     "Prisma.prisma",
-    "redhat.vscode-yaml"
+    "redhat.vscode-yaml",
+    "dbaeumer.vscode-eslint",
+    "timonwong.shellcheck"
   ]
 }

.vscode/settings.json

@@ -4,6 +4,7 @@
   "editor.tabSize": 2,
   // Automatically sort imports when saving a file
   "editor.codeActionsOnSave": {
-    "source.organizeImports": "explicit"
+    "source.organizeImports": "explicit",
+    "source.fixAll.eslint": "explicit"
   }
 }

Dockerfile

@@ -52,12 +52,13 @@ RUN npm run prisma:generate
 # BACKEND: compile regclient Node-API bindings
 FROM base AS compile_regclient_bindings
 
+ARG TARGET_ARCH
 # https://docs.docker.com/reference/dockerfile/#example-cache-apt-packages
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     apt-get update && \
-    apt-get install -y --no-install-recommends build-essential golang ca-certificates python3
+    apt-get install -y --no-install-recommends build-essential=12.12 golang=2:1.24~2 ca-certificates=20250419 python3=3.13.5-1
 
 WORKDIR /app
 COPY backend/package*.json .

README.md

@@ -52,7 +52,7 @@ AnvilOps is not designed for public use. Access to AnvilOps should only be share
 #### Applications
 
 - End users' applications are deployed in separate namespaces.
-- ~~By default, [network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) are created that prevent applications from communicating with other pods in the cluster. AnvilOps apps must be allowed to cross-communicate by placing them in the same App Group.~~ (WIP)
+- When enabled, [network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) are created that prevent other pods in the cluster from connecting to AnvilOps applications. AnvilOps apps can be allowed to cross-communicate by placing them in the same App Group.
 - For stronger isolation, consider using something like [Kata Containers](https://katacontainers.io/), which places containers into separate microVMs.
 
 #### Secrets

backend/.env.example

@@ -35,15 +35,14 @@ APP_DOMAIN=http://local
 FIELD_ENCRYPTION_KEY=
 SESSION_SECRET=
 
-DELETE_REPO_HOST=
 DELETE_REPO_USERNAME=
 DELETE_REPO_PASSWORD=
 
 CURRENT_NAMESPACE=anvilops-dev
 
 CHART_PROJECT_NAME=anvilops-chart
-REGISTRY_API_URL=https://registry.anvil.rcac.purdue.edu/api/v2.0
 REGISTRY_HOSTNAME=registry.anvil.rcac.purdue.edu
+REGISTRY_PROTOCOL=https
 
 STORAGE_CLASS_NAME=standard
 STORAGE_ACCESS_MODES=ReadWriteOnce

backend/README.md

@@ -137,7 +137,8 @@ In order to correctly refresh the kubeconfig, set the key `use-cluster-name` in
 
 AnvilOps expects environment variables to be set to credentials of an account with repository delete permissions from your Harbor project:
 
-- `DELETE_REPO_HOST`: the hostname of the registry
+- `REGISTRY_HOSTNAME`: the hostname of the registry
+- `REGISTRY_PROTOCOL`: the protocol registry (`http` or `https`)
 - `DELETE_REPO_USERNAME`: the account's username (if you're using a robot account, which we recommend, make sure to include the `robot$<project name>+` prefix)
 - `DELETE_REPO_PASSWORD`: the account's password (if you're using a robot account, this is referred to as the account's secret in the Harbor UI)
 

backend/eslint.config.js

@@ -0,0 +1,38 @@
+// @ts-check
+
+import js from "@eslint/js";
+import { defineConfig } from "eslint/config";
+import globals from "globals";
+import tseslint from "typescript-eslint";
+
+export default defineConfig({
+  files: ["**/*.{ts,tsx}"],
+  ignores: ["src/generated/**"],
+  languageOptions: {
+    ecmaVersion: 2024,
+    globals: globals.node,
+    parserOptions: {
+      projectService: true,
+    },
+  },
+  linterOptions: {
+    reportUnusedInlineConfigs: "error",
+  },
+  rules: {
+    "array-callback-return": "error",
+    "preserve-caught-error": "warn",
+    "no-await-in-loop": "warn",
+    "no-control-regex": "error",
+    "no-unassigned-vars": "error",
+    "no-useless-assignment": "warn",
+    "no-use-before-define": ["error", { functions: false }],
+    "no-throw-literal": "error",
+    "no-unused-expressions": "warn",
+    "no-warning-comments": "warn",
+    "default-case": "warn",
+    "guard-for-in": "warn",
+    "no-console": "error",
+    "require-await": "warn",
+  },
+  extends: [js.configs.recommended, ...tseslint.configs.recommendedTypeChecked],
+});