📦 new: add workflows and update env

Author: warengonzaga

.env.example

@@ -11,14 +11,18 @@ UNTHREAD_SLACK_CHANNEL_ID=your_unthread_slack_channel_id_here
 UNTHREAD_WEBHOOK_SECRET=your_unthread_webhook_secret_here
 
 # ======= Infrastructure =======
+# Database Credentials (CHANGE THESE IN PRODUCTION!)
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD=your_secure_password_here
+
 # Local: redis://localhost:6379, redis://localhost:6380
 # Docker: redis://redis-platform:6379, redis://redis-webhook:6379
 PLATFORM_REDIS_URL=redis://localhost:6379
 WEBHOOK_REDIS_URL=redis://localhost:6380
 
 # Local: postgresql://postgres:postgres@localhost:5432/unthread_telegram_bot
-# Docker: postgresql://postgres:postgres@postgres-platform:5432/unthread_telegram_bot
-POSTGRES_URL=postgresql://postgres:postgres@localhost:5432/unthread_telegram_bot
+# Docker: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres-platform:5432/unthread_telegram_bot
+POSTGRES_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@localhost:5432/unthread_telegram_bot
 
 # ======= Application Settings =======
 NODE_ENV=development

.github/workflows/build.yml

@@ -0,0 +1,75 @@
+name: Build
+
+on:
+  push:
+    branches: [dev]
+
+env:
+  REGISTRY_DOCKERHUB: wgtechlabs/unthread-telegram-bot
+  REGISTRY_GHCR: ghcr.io/wgtechlabs/unthread-telegram-bot
+
+jobs:
+  build-dev:
+    name: Build Development Images
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          
+      - name: Extract metadata
+        id: meta
+        run: |
+          echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
+          echo "build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          
+      - name: Build and push development images
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64
+          tags: |
+            ${{ env.REGISTRY_DOCKERHUB }}:dev
+            ${{ env.REGISTRY_DOCKERHUB }}:dev-${{ steps.meta.outputs.short_sha }}
+            ${{ env.REGISTRY_GHCR }}:dev
+            ${{ env.REGISTRY_GHCR }}:dev-${{ steps.meta.outputs.short_sha }}
+          labels: |
+            org.opencontainers.image.title=Unthread Telegram Bot
+            org.opencontainers.image.description=Turn private Telegram groups into real-time support ticket hubs — powered by Unthread.io.
+            org.opencontainers.image.version=dev-${{ steps.meta.outputs.short_sha }}
+            org.opencontainers.image.created=${{ steps.meta.outputs.build_date }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.licenses=GPL-3.0
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          
+      - name: Development build summary
+        run: |
+          echo "## 🔨 Development Build Complete" >> $GITHUB_STEP_SUMMARY
+          echo "**Images built and pushed:**" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:dev\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:dev-${{ steps.meta.outputs.short_sha }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:dev\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:dev-${{ steps.meta.outputs.short_sha }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "**Test the dev image:**" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
+          echo "docker pull ${{ env.REGISTRY_DOCKERHUB }}:dev" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY

.github/workflows/release.yml

@@ -0,0 +1,139 @@
+name: Release
+
+on:
+  release:
+    types: [published]
+
+env:
+  REGISTRY_DOCKERHUB: wgtechlabs/unthread-telegram-bot
+  REGISTRY_GHCR: ghcr.io/wgtechlabs/unthread-telegram-bot
+
+jobs:
+  build-production:
+    name: Build Production Images
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      contents: read
+      packages: write
+      security-events: write
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: cloud
+          endpoint: "wgtechlabs/unthread-bot-builder"
+          install: true
+          
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          
+      - name: Extract version from package.json
+        id: version
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "major=$(echo $VERSION | cut -d. -f1)" >> $GITHUB_OUTPUT
+          echo "minor=$(echo $VERSION | cut -d. -f1-2)" >> $GITHUB_OUTPUT
+          echo "patch=$(echo $VERSION | cut -d. -f1-3)" >> $GITHUB_OUTPUT
+          echo "build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          
+      - name: Generate Docker tags
+        id: tags
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          MAJOR="${{ steps.version.outputs.major }}"
+          MINOR="${{ steps.version.outputs.minor }}"
+          PATCH="${{ steps.version.outputs.patch }}"
+          
+          # Docker Hub tags (no 'v' prefix)
+          DOCKERHUB_TAGS="${{ env.REGISTRY_DOCKERHUB }}:latest"
+          DOCKERHUB_TAGS="$DOCKERHUB_TAGS,${{ env.REGISTRY_DOCKERHUB }}:$VERSION"
+          DOCKERHUB_TAGS="$DOCKERHUB_TAGS,${{ env.REGISTRY_DOCKERHUB }}:$PATCH"
+          DOCKERHUB_TAGS="$DOCKERHUB_TAGS,${{ env.REGISTRY_DOCKERHUB }}:$MINOR"
+          DOCKERHUB_TAGS="$DOCKERHUB_TAGS,${{ env.REGISTRY_DOCKERHUB }}:$MAJOR"
+          
+          # GitHub Container Registry tags (with 'v' prefix)
+          GHCR_TAGS="${{ env.REGISTRY_GHCR }}:latest"
+          GHCR_TAGS="$GHCR_TAGS,${{ env.REGISTRY_GHCR }}:v$VERSION"
+          GHCR_TAGS="$GHCR_TAGS,${{ env.REGISTRY_GHCR }}:v$PATCH"
+          GHCR_TAGS="$GHCR_TAGS,${{ env.REGISTRY_GHCR }}:v$MINOR"
+          GHCR_TAGS="$GHCR_TAGS,${{ env.REGISTRY_GHCR }}:v$MAJOR"
+          
+          # Combine all tags
+          ALL_TAGS="$DOCKERHUB_TAGS,$GHCR_TAGS"          
+          echo "tags=$ALL_TAGS" >> $GITHUB_OUTPUT
+          
+      - name: Build and push production images
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.tags.outputs.tags }}
+          labels: |
+            org.opencontainers.image.title=Unthread Telegram Bot
+            org.opencontainers.image.description=Turn private Telegram groups into real-time support ticket hubs — powered by Unthread.io.
+            org.opencontainers.image.version=${{ steps.version.outputs.version }}
+            org.opencontainers.image.created=${{ steps.version.outputs.build_date }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.licenses=GPL-3.0
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        continue-on-error: true
+        with:
+          image-ref: ${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.version }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always() && hashFiles('trivy-results.sarif') != ''
+        with:
+          sarif_file: 'trivy-results.sarif'
+          
+      - name: Production release summary
+        run: |
+          echo "## 🚀 Production Release Complete" >> $GITHUB_STEP_SUMMARY
+          echo "**Version:** \`${{ steps.version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "**Release:** \`${{ github.event.release.tag_name }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Docker Hub Images:**" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:latest\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.patch }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.minor }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.major }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**GitHub Container Registry Images:**" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:latest\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:v${{ steps.version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:v${{ steps.version.outputs.patch }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:v${{ steps.version.outputs.minor }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:v${{ steps.version.outputs.major }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Deploy with:**" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
+          echo "docker pull ${{ env.REGISTRY_DOCKERHUB }}:latest" >> $GITHUB_STEP_SUMMARY
+          echo "# OR" >> $GITHUB_STEP_SUMMARY
+          echo "docker pull ${{ env.REGISTRY_GHCR }}:latest" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY

.github/workflows/validate.yml

@@ -0,0 +1,37 @@
+name: Validate
+
+on:
+  pull_request:
+    branches: [dev, main]
+
+jobs:
+  validate:
+    name: Validate Changes
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'yarn'
+          
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+        
+      - name: Type checking
+        run: yarn type-check
+        
+      - name: Build TypeScript
+        run: yarn build
+        
+      - name: Test Docker build (no push)
+        run: |
+          echo "Testing Docker build..."
+          docker build -t test-build .
+          echo "Build successful, cleaning up..."
+          docker image rm test-build
+          echo "✅ Docker build test completed"

docker-compose.yaml

@@ -75,14 +75,14 @@ services:
     restart: always
     environment:
       POSTGRES_DB: unthread_telegram_bot    # Database name
-      POSTGRES_USER: postgres               # Username
-      POSTGRES_PASSWORD: postgres           # Password (change in production!)
+      POSTGRES_USER: ${POSTGRES_USER}       # Username from .env file
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}  # Password from .env file (secure!)
     ports:
       - "5432:5432"  # Expose for external connections (optional)
     volumes:
       - postgres_data:/var/lib/postgresql/data  # Persistent data storage
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
       interval: 10s
       timeout: 5s
       retries: 5

package.json

@@ -1,7 +1,7 @@
 {
   "name": "unthread-telegram-bot",
   "version": "1.0.0-beta.2",
-  "description": "A Telegram bot integrated with Unthread API featuring enhanced logging with @wgtechlabs/log-engine",
+  "description": "Turn private Telegram groups into real-time support ticket hubs — powered by Unthread.io.",
   "keywords": [
     "telegram",
     "bot"
@@ -22,6 +22,7 @@
     "preinstall": "npx only-allow yarn",
     "clean": "rm -rf dist",
     "build": "tsc",
+    "type-check": "tsc --noEmit",
     "start": "node dist/index.js",
     "dev": "nodemon --exec \"yarn build && yarn start\" src/index.ts",
     "dev:watch": "concurrently \"tsc --watch\" \"nodemon dist/index.js\"",