wgtechlabs · warengonzaga · Jun 22, 2025 · Jun 21, 2025 · Jun 21, 2025 · Jun 21, 2025
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,67 @@
+# Include any files or directories that you don't want to be copied to your
+# container here (e.g., local build artifacts, temporary files, etc.).
+#
+# For more help, visit the .dockerignore file reference guide at
+# https://docs.docker.com/go/build-context-dockerignore/
+
+# Version control
+**/.git
+**/.gitignore
+
+# Environment files
+**/.env
+**/.env.local
+**/.env.development
+**/.env.production
+
+# IDE and editor files
+**/.classpath
+**/.project
+**/.settings
+**/.toolstarget
+**/.vs
+**/.vscode
+
+# Build artifacts and cache
+**/node_modules
+**/dist
+**/build
+**/coverage
+**/.nyc_output
+**/.next
+**/.cache
+
+# Logs
+**/*.log
+**/npm-debug.log
+
+# Docker related files
+**/.dockerignore
+**/docker-compose*
+**/compose.y*ml
+**/Dockerfile*
+
+# SBOM and security artifacts
+**/sbom
+
+# Documentation and metadata (already in image via COPY commands if needed)
+README.md
+LICENSE
+CONTRIBUTING.md
+CODE_OF_CONDUCT.md
+SECURITY.md
+
+# Test files
+**/*.test.ts
+**/*.spec.ts
+
+# Development configurations
+**/secrets.dev.yaml
+**/values.dev.yaml
+
+# Miscellaneous
+**/*.*proj.user
+**/*.dbmdl
+**/*.jfm
+**/charts
+**/obj
diff --git a/.env.example b/.env.example
@@ -1,10 +1,33 @@
+# =============================================================================
+# UNTHREAD TELEGRAM BOT - ENVIRONMENT CONFIGURATION
+# =============================================================================
+# Copy this file to .env and fill in your actual values
+# =============================================================================
+
+# ======= Bot Configuration =======
 TELEGRAM_BOT_TOKEN=your_telegram_bot_token_here
 UNTHREAD_API_KEY=your_unthread_api_key_here
-UNTHREAD_CHANNEL_ID=your_unthread_channel_id_here
+UNTHREAD_SLACK_CHANNEL_ID=your_unthread_slack_channel_id_here
 UNTHREAD_WEBHOOK_SECRET=your_unthread_webhook_secret_here
-PLATFORM_REDIS_URL=your_platform_redis_url_here
-WEBHOOK_REDIS_URL=your_webhook_redis_url_here
-POSTGRES_URL=postgresql://username:password@localhost:5432/unthread_bot
-WEBHOOK_POLL_INTERVAL=1000
+
+# ======= Infrastructure =======
+# Database Credentials (CHANGE THESE IN PRODUCTION!)
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD=your_secure_password_here
+
+# Local: redis://localhost:6379, redis://localhost:6380
+# Docker: redis://redis-platform:6379, redis://redis-webhook:6379
+PLATFORM_REDIS_URL=redis://localhost:6379
+WEBHOOK_REDIS_URL=redis://localhost:6380
+
+# Local: postgresql://postgres:postgres@localhost:5432/unthread_telegram_bot
+# Docker: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres-platform:5432/unthread_telegram_bot
+POSTGRES_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@localhost:5432/unthread_telegram_bot
+
+# ======= Application Settings =======
 NODE_ENV=development
-COMPANY_NAME=Unthread
+WEBHOOK_POLL_INTERVAL=1000
+COMPANY_NAME=Unthread
+
+# SSL Configuration (true=secure default, false=local Docker only)
+DATABASE_SSL_VALIDATE=true
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,77 @@
+name: Build
+
+on:
+  push:
+    branches: [dev]
+
+env:
+  REGISTRY_DOCKERHUB: wgtechlabs/unthread-telegram-bot
+  REGISTRY_GHCR: ghcr.io/wgtechlabs/unthread-telegram-bot
+
+jobs:
+  build-dev:
+    name: Build Development Images
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        run: |
+          echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
+          echo "build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+
+      - name: Build and push development images
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64
+          tags: |
+            ${{ env.REGISTRY_DOCKERHUB }}:dev
+            ${{ env.REGISTRY_DOCKERHUB }}:dev-${{ steps.meta.outputs.short_sha }}
+            ${{ env.REGISTRY_GHCR }}:dev
+            ${{ env.REGISTRY_GHCR }}:dev-${{ steps.meta.outputs.short_sha }}
+          labels: |
+            org.opencontainers.image.title=Unthread Telegram Bot
+            org.opencontainers.image.description=Turn private Telegram groups into real-time support ticket hubs — powered by Unthread.io.
+            org.opencontainers.image.version=dev-${{ steps.meta.outputs.short_sha }}
+            org.opencontainers.image.created=${{ steps.meta.outputs.build_date }}
+            org.opencontainers.image.revision=${{ github.sha }}            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.licenses=GPL-3.0
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          # Generate SBOM and attestations for supply chain security
+          sbom: true
+          provenance: mode=max
+
+      - name: Development build summary
+        run: |
+          echo "## 🔨 Development Build Complete" >> $GITHUB_STEP_SUMMARY
+          echo "**Images built and pushed:**" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:dev\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:dev-${{ steps.meta.outputs.short_sha }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:dev\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:dev-${{ steps.meta.outputs.short_sha }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "**Test the dev image:**" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
+          echo "docker pull ${{ env.REGISTRY_DOCKERHUB }}:dev" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,141 @@
+name: Release
+
+on:
+  release:
+    types: [published]
+
+env:
+  REGISTRY_DOCKERHUB: wgtechlabs/unthread-telegram-bot
+  REGISTRY_GHCR: ghcr.io/wgtechlabs/unthread-telegram-bot
+
+jobs:
+  build-production:
+    name: Build Production Images
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      contents: read
+      packages: write
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: cloud
+          endpoint: "wgtechlabs/unthread-bot-builder"
+          install: true
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract version from package.json
+        id: version
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "major=$(echo $VERSION | cut -d. -f1)" >> $GITHUB_OUTPUT
+          echo "minor=$(echo $VERSION | cut -d. -f1-2)" >> $GITHUB_OUTPUT
+          echo "patch=$(echo $VERSION | cut -d. -f1-3)" >> $GITHUB_OUTPUT
+          echo "build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+
+      - name: Generate Docker tags
+        id: tags
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          MAJOR="${{ steps.version.outputs.major }}"
+          MINOR="${{ steps.version.outputs.minor }}"
+          PATCH="${{ steps.version.outputs.patch }}"
+
+          # Docker Hub tags (no 'v' prefix)
+          DOCKERHUB_TAGS="${{ env.REGISTRY_DOCKERHUB }}:latest"
+          DOCKERHUB_TAGS="$DOCKERHUB_TAGS,${{ env.REGISTRY_DOCKERHUB }}:$VERSION"
+          DOCKERHUB_TAGS="$DOCKERHUB_TAGS,${{ env.REGISTRY_DOCKERHUB }}:$PATCH"
+          DOCKERHUB_TAGS="$DOCKERHUB_TAGS,${{ env.REGISTRY_DOCKERHUB }}:$MINOR"
+          DOCKERHUB_TAGS="$DOCKERHUB_TAGS,${{ env.REGISTRY_DOCKERHUB }}:$MAJOR"
+
+          # GitHub Container Registry tags (with 'v' prefix)
+          GHCR_TAGS="${{ env.REGISTRY_GHCR }}:latest"
+          GHCR_TAGS="$GHCR_TAGS,${{ env.REGISTRY_GHCR }}:v$VERSION"
+          GHCR_TAGS="$GHCR_TAGS,${{ env.REGISTRY_GHCR }}:v$PATCH"
+          GHCR_TAGS="$GHCR_TAGS,${{ env.REGISTRY_GHCR }}:v$MINOR"
+          GHCR_TAGS="$GHCR_TAGS,${{ env.REGISTRY_GHCR }}:v$MAJOR"
+
+          # Combine all tags
+          ALL_TAGS="$DOCKERHUB_TAGS,$GHCR_TAGS"          
+          echo "tags=$ALL_TAGS" >> $GITHUB_OUTPUT
+
+      - name: Build and push production images
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.tags.outputs.tags }}
+          labels: |
+            org.opencontainers.image.title=Unthread Telegram Bot
+            org.opencontainers.image.description=Turn private Telegram groups into real-time support ticket hubs — powered by Unthread.io.
+            org.opencontainers.image.version=${{ steps.version.outputs.version }}
+            org.opencontainers.image.created=${{ steps.version.outputs.build_date }}
+            org.opencontainers.image.revision=${{ github.sha }}            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.licenses=GPL-3.0
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          # Generate SBOM and attestations for supply chain security
+          sbom: true
+          provenance: mode=max
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        continue-on-error: true
+        with:
+          image-ref: ${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.version }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always() && hashFiles('trivy-results.sarif') != ''
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Production release summary
+        run: |
+          echo "## 🚀 Production Release Complete" >> $GITHUB_STEP_SUMMARY
+          echo "**Version:** \`${{ steps.version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "**Release:** \`${{ github.event.release.tag_name }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Docker Hub Images:**" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:latest\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.patch }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.minor }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_DOCKERHUB }}:${{ steps.version.outputs.major }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**GitHub Container Registry Images:**" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:latest\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:v${{ steps.version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:v${{ steps.version.outputs.patch }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:v${{ steps.version.outputs.minor }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- \`${{ env.REGISTRY_GHCR }}:v${{ steps.version.outputs.major }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Deploy with:**" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
+          echo "docker pull ${{ env.REGISTRY_DOCKERHUB }}:latest" >> $GITHUB_STEP_SUMMARY
+          echo "# OR" >> $GITHUB_STEP_SUMMARY
+          echo "docker pull ${{ env.REGISTRY_GHCR }}:latest" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -0,0 +1,37 @@
+name: Validate
+
+on:
+  pull_request:
+    branches: [dev, main]
+
+jobs:
+  validate:
+    name: Validate Changes
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'yarn'
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Type checking
+        run: yarn type-check
+
+      - name: Build TypeScript
+        run: yarn build
+
+      - name: Test Docker build (no push)
+        run: |
+          echo "Testing Docker build..."
+          docker build -t test-build .
+          echo "Build successful, cleaning up..."
+          docker image rm test-build
+          echo "✅ Docker build test completed"