Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
90 commits
Select commit Hold shift + click to select a range
2593292
AMP-31141 : Re-enable and redesign CSRF protection for state-changing…
brianbrix Jun 15, 2026
b604a60
AMP-31141 : Failing maven build
brianbrix Jun 15, 2026
afcafc4
AMP-31141 : Re-enable and redesign CSRF protection for state-changing…
brianbrix Jun 15, 2026
c3f64d8
AMP-31141 : Re-enable and redesign CSRF protection for state-changing…
brianbrix Jun 15, 2026
00da6aa
AMP-31141 : Re-enable and redesign CSRF protection for state-changing…
brianbrix Jun 16, 2026
5ecea45
AMP-31141 : Re-enable and redesign CSRF protection for state-changing…
brianbrix Jun 16, 2026
97bb146
AMP-31141 : Activity form not saving due to CSRF
brianbrix Jun 16, 2026
0a70668
AMP-31141 : Activity form not saving due to CSRF
brianbrix Jun 16, 2026
0103f69
AMP-31140 : CSRF protection on REST endpoints
brianbrix Jun 16, 2026
e465941
AMP-31140 : CSRF protection on REST endpoints
brianbrix Jun 16, 2026
e84e47d
AMP-31142 : Modernize authentication handling
brianbrix Jun 16, 2026
e5fa1c7
AMP-31143 : Restore browser hardening headers and document cookie and…
brianbrix Jun 16, 2026
14d4a62
AMP-31141 : Failing to get resources
brianbrix Jun 16, 2026
a21da26
AMP-31141 : Failing to get resources
brianbrix Jun 16, 2026
5b21037
AMP-31144 : Add dependency and CVE scanning for OWASP audit
brianbrix Jun 16, 2026
ffe9285
AMP-31144 : Add dependency and CVE scanning for OWASP audit
brianbrix Jun 16, 2026
d57eff9
AMP-31144 : Add dependency and CVE scanning for OWASP audit
brianbrix Jun 16, 2026
478e2db
AMP-31144 : Add dependency and CVE scanning for OWASP audit
brianbrix Jun 16, 2026
b1f8e11
AMP-31144 : Add dependency and CVE scanning for OWASP audit
brianbrix Jun 16, 2026
2689305
AMP-31144 : Add dependency and CVE scanning for OWASP audit
brianbrix Jun 16, 2026
af575e2
AMP-31144 : Add dependency and CVE scanning for OWASP audit
brianbrix Jun 17, 2026
edab738
AMP-31144 : Add dependency and CVE scanning for OWASP audit
brianbrix Jun 17, 2026
ab2da48
AMP-31144 : Add dependency and CVE scanning for OWASP audit
brianbrix Jun 17, 2026
e316304
Merge branch 'develop' into task/AMP-31140/Priority-changes-before-Tr…
brianbrix Jun 23, 2026
b907ad7
AMP-31140: Add audit evidence docs and operational scripts
brianbrix Jun 23, 2026
0d6c08a
AMP-31140 : Add NVD API Key
brianbrix Jun 24, 2026
2bf2c44
AMP-31140 : Add NVD API Key to actions
brianbrix Jun 24, 2026
3672d1d
AMP-31140 : Failing to upload scan report
brianbrix Jun 24, 2026
e9badfe
AMP-31140 : Failing to upload scan report
brianbrix Jun 24, 2026
ea8d912
AMP-31140 : NVD API Key is forbidden
brianbrix Jun 24, 2026
d922991
AMP-31140 : NVD API Key is forbidden
brianbrix Jun 24, 2026
e613022
AMP-31140 : NVD API Key is forbidden
brianbrix Jun 24, 2026
5fe7b11
AMP-31140 : Change CVE scan dependency for CI
brianbrix Jun 24, 2026
e01943c
AMP-31140 : Change CVE scan dependency for CI
brianbrix Jun 24, 2026
a15860b
AMP-31140 : Failing scan due to invalid code paths
brianbrix Jun 24, 2026
4887189
AMP-31140 : Failing scan due to invalid code paths
brianbrix Jun 24, 2026
cd067e5
AMP-31140 : Failing scan due to invalid code paths
brianbrix Jun 24, 2026
bdccaa3
AMP-31140 : Missing output directory
brianbrix Jun 24, 2026
a1b53e1
AMP-31140 : Missing output directory
brianbrix Jun 24, 2026
cdc50cd
AMP-31140 : Missing output directory
brianbrix Jun 24, 2026
222fe8f
AMP-31140 : Try resolving P1 CVEs
brianbrix Jun 25, 2026
0695bd6
AMP-31140 : Try resolving P1 CVEs
brianbrix Jun 26, 2026
8142a94
AMP-31140 : Try resolving CRITICAL CVEs
brianbrix Jun 26, 2026
caf91c5
AMP-31140 : Try resolving CRITICAL CVEs
brianbrix Jun 26, 2026
bb95bc1
AMP-31140 : Avoid failing on earlier failures
brianbrix Jun 26, 2026
68a3e25
AMP-31140 : Avoid failing on earlier failures
brianbrix Jun 26, 2026
aded411
AMP-31140 : NPM CVEs Critical fixes
brianbrix Jun 26, 2026
33f5208
AMP-31140 : NPM CVEs Critical fixes
brianbrix Jun 26, 2026
656bc36
AMP-31140 : NPM CVEs Critical fixes
brianbrix Jun 26, 2026
2fe6c60
AMP-31140 : Failing build due to CVE fix
brianbrix Jun 27, 2026
7bfb150
AMP-31140 : Failing build due to CVE fix
brianbrix Jun 27, 2026
fe6bae3
AMP-31140 : Failing build due to CVE fix
brianbrix Jun 27, 2026
b82f4a0
AMP-31140 : Failing build due to CVE fix
brianbrix Jun 27, 2026
d2a6264
AMP-31140 : Failing build due to CVE fix
brianbrix Jun 27, 2026
3ba0ec8
AMP-31140 : Failing build due to CVE fix
brianbrix Jun 27, 2026
fe12081
AMP-31140 : Failing build due to CVE fix
brianbrix Jun 27, 2026
dc2cd8d
AMP-31140 : Failing build due to CVE fix
brianbrix Jun 27, 2026
51d2253
AMP-31140 : Failing build due to CVE fix
brianbrix Jun 27, 2026
8dab647
AMP-31140 : Failing build due to CVE fix
brianbrix Jun 27, 2026
a6f4cfd
fix: add missing transitive deps for reampv2 npm workspace (react-ove…
brianbrix Jun 27, 2026
f8bab95
AMP-31140 : Failing build due to CVE fix
brianbrix Jun 28, 2026
a99eba6
fix: add missing transitive deps (memoize-one, @nivo/scales, react-ca…
brianbrix Jun 28, 2026
c954cf7
fix: pin react-fit@1.7.0, add @types/node root dep to fix npm ci sync…
brianbrix Jun 28, 2026
99f3124
fix: add styled-components@5.3.11 (peer dep of react-data-table-compo…
brianbrix Jun 28, 2026
245a224
fix: type initialValues explicitly to match FormikProps generic in Ou…
brianbrix Jun 28, 2026
890ca1d
fix: type initialValues explicitly in OutputModal to match FormikProp…
brianbrix Jun 28, 2026
f7420c2
fix: restore browserify transform configs (brfs for dashboard, browse…
brianbrix Jun 29, 2026
b9b053f
fix: explicitly load leaflet before esri-leaflet in lib-load-hacks (b…
brianbrix Jun 29, 2026
bbff511
AMP-31140 : Failing to open GIS due to missing L
brianbrix Jun 29, 2026
355de59
AMP-31152: Unexpected error on generate report
brianbrix Jun 29, 2026
0c14338
fix: bump amp-filter submodule to cd2ba56 (datepicker fix) and update…
brianbrix Jun 29, 2026
4067234
AMP-31153: explicitly hide #filter-popup on apply/cancel (position:fi…
brianbrix Jun 30, 2026
bf81550
AMP-31152: always assign window.jQuery before i18n to fix datepicker.…
brianbrix Jun 30, 2026
3092694
AMP-31153: fix crash on 3rd filter apply
brianbrix Jun 30, 2026
f5aa91f
AMP-31152: fix datepicker.regional - add require('jquery') to jquery-…
brianbrix Jun 30, 2026
49b5657
Merge branch 'develop' into task/AMP-31140/Priority-changes-before-Tr…
brianbrix Jul 1, 2026
b56ac81
AMP-31140: fix compareActivityVersions CSRF 403 redirect to login
brianbrix Jul 1, 2026
1630349
AMP-31154 : wrong data on activity preview
brianbrix Jul 1, 2026
9932590
AMP-31140: update reamp package-lock.json to pin amp-ui to fix commit
brianbrix Jul 1, 2026
5d31352
ci: free disk space on runner before build
brianbrix Jul 1, 2026
b59bc53
AMP-31154 : wrong data on activity preview
brianbrix Jul 2, 2026
3cbeddc
AMP-31154 : wrong data on activity preview
brianbrix Jul 2, 2026
fb67b6d
AMP-31154 : wrong data on activity preview
brianbrix Jul 3, 2026
e482a6d
AMP-31140 : Error with Activity display
brianbrix Jul 5, 2026
668967b
AMP-31155 Update reamp lock to amp-ui base/target disaggregation fix
brianbrix Jul 5, 2026
c1ebe86
AMP-31155 Prevent npm cache race in Docker frontend stages
brianbrix Jul 5, 2026
0835ca7
AMP-31155 Bump amp-ui lock for M&E preview readability
brianbrix Jul 5, 2026
8b602d4
AMP-31155 Bump amp-ui lock to display revised M&E values
brianbrix Jul 5, 2026
b78c2c9
AMP-31140 : Admin not able to delete activity
brianbrix Jul 5, 2026
d1cef6f
AMP-31140 : Admin not able to delete activity
brianbrix Jul 5, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .github/workflows/deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,21 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 60 # Add timeout to prevent hanging jobs
steps:
# - name: Free disk space
# run: |
# echo "Disk space before cleanup:"
# df -h /
# # Remove large pre-installed tool sets not needed for this build
# sudo rm -rf /usr/local/lib/android
# sudo rm -rf /usr/share/dotnet
# sudo rm -rf /opt/ghc
# sudo rm -rf /usr/local/share/boost
# sudo rm -rf "$AGENT_TOOLSDIRECTORY"
# sudo apt-get clean
# docker system prune -af --volumes 2>/dev/null || true
# echo "Disk space after cleanup:"
# df -h /

- name: Setup SSH agent with build and deploy keys
uses: webfactory/ssh-agent@v0.9.0
with:
Expand Down
288 changes: 288 additions & 0 deletions .github/workflows/security.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,288 @@
name: Security Scan

on:
push:
# Scan the default branch directly on merge; feature branches are covered
# by the pull_request trigger below, avoiding duplicate runs.
branches:
- develop
- main
pull_request:
branches: [ "**" ]
schedule:
# Re-scan every Monday at 06:00 UTC to catch newly published CVEs.
# Runs on the default branch; push/PR triggers cover all other branches.
- cron: '0 6 * * 1'
workflow_dispatch:
inputs:
pr_number:
description: 'PR number to scan (optional — leave blank to scan the branch selected above)'
required: false
type: string
default: ''

permissions:
contents: read

jobs:
# -----------------------------------------------------------------------
# Resolve the exact commit to scan.
# - Automatic triggers (push / PR / schedule): use the triggering SHA.
# - Manual (workflow_dispatch, no pr_number): use the branch selected in
# the "Run workflow" UI — GitHub checks out that branch automatically.
# - Manual (workflow_dispatch + pr_number): fetch the PR head SHA via API.
# -----------------------------------------------------------------------
setup:
name: Resolve target ref
runs-on: ubuntu-latest
outputs:
ref: ${{ steps.resolve.outputs.ref }}
steps:
- name: Resolve checkout ref
id: resolve
run: |
PR="${{ inputs.pr_number }}"
if [ -n "$PR" ]; then
if ! [[ "$PR" =~ ^[0-9]+$ ]]; then
echo "::error::pr_number must be numeric, got: ${PR}"
exit 1
fi
DATA=$(curl -sf \
-H "Authorization: Bearer ${{ github.token }}" \
"https://github.com/ghapi/repos/${{ github.repository }}/pulls/${PR}")
STATE=$(echo "$DATA" | jq -r '.state')
if [ "$STATE" != "open" ]; then
echo "::error::PR #${PR} is not open (state: ${STATE})"
exit 1
fi
HEAD_REF=$(echo "$DATA" | jq -r '.head.ref')
HEAD_SHA=$(echo "$DATA" | jq -r '.head.sha')
echo "Scanning PR #${PR}: branch=${HEAD_REF} sha=${HEAD_SHA}"
echo "ref=${HEAD_SHA}" >> $GITHUB_OUTPUT
else
echo "ref=${{ github.sha }}" >> $GITHUB_OUTPUT
fi

# -----------------------------------------------------------------------
# Job 1: OWASP Dependency-Check (Java / Maven) + sequential npm audit
# OWASP covers Java/Maven artifacts and static JS files (via RetireJS).
# NodeAudit and NodePackage analyzers are disabled — npm coverage is
# handled entirely by the sequential 'npm audit' steps below, which
# avoid the npm registry rate limit (429) that OWASP's NodeAudit
# analyzer triggers and also eliminate false-negative warnings about
# missing node_modules from the NodePackage analyzer.
# -----------------------------------------------------------------------
owasp-maven:
name: OWASP Dependency-Check (Maven + npm)
runs-on: ubuntu-latest
timeout-minutes: 60
needs: setup

steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ needs.setup.outputs.ref }}

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20'

- name: Create report output directory
run: mkdir -p amp/target/dependency-check-report

- name: Run OWASP Dependency-Check
uses: dependency-check/Dependency-Check_Action@main
id: owasp
continue-on-error: true
with:
project: 'amp'
path: 'amp'
format: 'ALL'
out: 'amp/target/dependency-check-report'
args: >
--nvdApiKey ${{ secrets.NVD_API_KEY }}
--nvdApiDelay 10000
--failOnCVSS 7
--suppression /github/workspace/security/owasp-suppressions.xml
--scan /github/workspace/amp/ckeditor_4.4.6
--disableNodeAudit
--enableExperimental

- name: Upload HTML report
if: always()
uses: actions/upload-artifact@v4
with:
name: owasp-dependency-check-report
path: amp/target/dependency-check-report/
retention-days: 30
if-no-files-found: warn

- name: Show report directory (debug)
if: always()
run: |
echo "=== Dependency-Check output ==="
find . -path "*/dependency-check*" -print 2>/dev/null || true

- name: Fail if OWASP found CVEs
if: steps.owasp.outcome == 'failure'
run: exit 1

# Run npm audit sequentially (one package at a time) to stay within the
# npm registry rate limit. Each package waits for the previous to finish.
#
# KNOWN_UNFIXABLE: amp/TEMPLATE/reamp uses webpack 1 + babel 6, which have
# CVEs with no npm fix (all marked no-auto-fix). These are BUILD-TIME only
# devDependencies, not deployed to production. Fixing requires migrating to
# webpack 5 + babel 7. Tracked as tech debt — audited but excluded from gate.
- name: npm audit (all frontend packages)
id: npm_audit
if: always()
continue-on-error: true
run: |
PACKAGES=(
amp/TEMPLATE/ampTemplate/amp-state
amp/TEMPLATE/ampTemplate/amp-boilerplate
amp/TEMPLATE/ampTemplate/amp-filter
amp/TEMPLATE/ampTemplate/amp-translate
amp/TEMPLATE/ampTemplate/amp-url
amp/TEMPLATE/ampTemplate/amp-settings
amp/TEMPLATE/ampTemplate/gis-layers-manager
amp/TEMPLATE/ampTemplate/dashboard/dev
amp/TEMPLATE/ampTemplate/gisModule/dev
amp/TEMPLATE/reampv2
)
# Packages excluded from the failure gate due to unfixable build-tool CVEs.
# These are still audited and reported, but do not cause CI failure.
EXCLUDED=(
"amp/TEMPLATE/reamp"
)
FAIL=0
mkdir -p amp/target/dependency-check-report/npm-audit
for PKG in "${PACKAGES[@]}" "${EXCLUDED[@]}"; do
if [ ! -f "$PKG/package.json" ]; then
echo "Skipping $PKG (no package.json)"
continue
fi
NAME=$(basename "$PKG")
echo "--- npm audit: $PKG ---"
# Generate lock file if absent (required by npm audit)
if [ ! -f "$PKG/package-lock.json" ]; then
npm install --package-lock-only --ignore-scripts --prefix "$PKG" 2>&1 || true
fi
npm audit \
--prefix "$PKG" \
--audit-level high \
--json > "amp/target/dependency-check-report/npm-audit/${NAME}.json" 2>&1 || true
# Count only CRITICAL vulnerabilities that have a fix available.
# Excludes fix:false (no fix exists anywhere) and isSemVerMajor:true
# (would require a breaking dependency change — tracked as tech debt).
# This avoids false failures from browser-only crypto polyfills
# (cipher-base, sha.js, pbkdf2, elliptic) and abandoned deps like
# amp-translate/jquery (CISA KEV — requires code changes, not a dep bump).
CRIT=$(jq '[.vulnerabilities // {} | to_entries[] |
select(.value.severity == "critical") |
select(
.value.fixAvailable == true or
(.value.fixAvailable | type == "object" and .isSemVerMajor == false)
)] | length' \
"amp/target/dependency-check-report/npm-audit/${NAME}.json" 2>/dev/null || echo 0)
HIGH=$(jq '[.vulnerabilities // {} | to_entries[] |
select(.value.severity == "high") |
select(
.value.fixAvailable == true or
(.value.fixAvailable | type == "object" and .isSemVerMajor == false)
)] | length' \
"amp/target/dependency-check-report/npm-audit/${NAME}.json" 2>/dev/null || echo 0)
CRIT_ALL=$(jq '.metadata.vulnerabilities.critical // 0' \
"amp/target/dependency-check-report/npm-audit/${NAME}.json" 2>/dev/null || echo 0)
HIGH_ALL=$(jq '.metadata.vulnerabilities.high // 0' \
"amp/target/dependency-check-report/npm-audit/${NAME}.json" 2>/dev/null || echo 0)
echo "$NAME: critical=${CRIT_ALL} (${CRIT} actionable) high=${HIGH_ALL} (${HIGH} actionable)"
# Check if this package is excluded from the failure gate
GATED=true
for SKIP in "${EXCLUDED[@]}"; do
if [ "$PKG" = "$SKIP" ]; then GATED=false; break; fi
done
if $GATED && [ "$(( CRIT + HIGH ))" -gt 0 ]; then
echo "::error::$NAME: ${CRIT} critical + ${HIGH} high npm vulnerabilities. Run 'npm audit' in $PKG for details."
FAIL=1
elif ! $GATED && [ "$(( CRIT + HIGH ))" -gt 0 ]; then
echo "::warning::$NAME (excluded from gate): ${CRIT} critical + ${HIGH} high known unfixable CVEs in build tooling (webpack 1 / babel 6). Requires migration to webpack 5 + babel 7."
fi
done
exit $FAIL

- name: Upload npm audit reports
if: always()
uses: actions/upload-artifact@v4
with:
name: npm-audit-reports
path: amp/target/dependency-check-report/npm-audit/
retention-days: 30
if-no-files-found: ignore

- name: Fail if OWASP or npm audit found issues
if: always()
run: |
if [ "${{ steps.owasp.outcome }}" = "failure" ]; then
echo "::error::OWASP Dependency-Check found vulnerabilities above the CVSS threshold."
exit 1
fi
if [ "${{ steps.npm_audit.outcome }}" = "failure" ]; then
echo "::error::npm audit found HIGH or CRITICAL vulnerabilities."
exit 1
fi

# -----------------------------------------------------------------------
# Job 2: Trivy — container image CVE scan (runs on push to main / PRs)
# Catches OS-level CVEs that OWASP cannot see (e.g. base image packages)
# -----------------------------------------------------------------------
trivy-image:
name: Trivy (Container Image)
runs-on: ubuntu-latest
timeout-minutes: 30
needs: setup
# Only scan the image on pushes to main/master or on PRs targeting them,
# to avoid redundant scans on every feature branch push.
if: |
github.event_name == 'pull_request' ||
github.ref == 'refs/heads/main' ||
github.ref == 'refs/heads/master' ||
github.event_name == 'schedule' ||
github.event_name == 'workflow_dispatch'

steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ needs.setup.outputs.ref }}

- name: Build Docker image (no push)
working-directory: amp
run: |
docker build \
--build-arg BUILD_SOURCE=security-scan \
--build-arg AMP_URL=http://localhost/ \
-t amp-security-scan:${{ github.sha }} \
. || echo "::warning::Docker build failed; skipping Trivy image scan"

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@v0.36.0
with:
image-ref: 'amp-security-scan:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'HIGH,CRITICAL'
exit-code: '1'
ignore-unfixed: true
continue-on-error: true

- name: Upload Trivy SARIF artifact
if: always()
uses: actions/upload-artifact@v4
with:
name: trivy-sarif
path: trivy-results.sarif
retention-days: 30
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,6 @@ amp/src/main/java/org/digijava/module/xmlpatcher/jaxb/ConditionType.java
amp/src/main/java/org/digijava/module/xmlpatcher/jaxb/package-info.java
amp/src/main/java/org/digijava/module/xmlpatcher/jaxb/ConditionParam.java
amp/src/main/java/org/digijava/module/help/jaxbi/AmpHelpType.java

# ISO 27001 evidence CSVs and raw DB exports — contain personal data, never commit
audit-evidence/evidence/
20 changes: 12 additions & 8 deletions amp/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ WORKDIR /tmp/amp/TEMPLATE/ampTemplate/node_modules/gis-layers-manager
COPY --from=compile-amp-translate /tmp/amp/TEMPLATE/ampTemplate/node_modules/amp-translate ../amp-translate
# Copy package files for dependency installation
COPY TEMPLATE/ampTemplate/node_modules/gis-layers-manager/package*.json ./
RUN --mount=type=cache,target=/root/.npm \
RUN --mount=type=cache,id=npm-cache-gis-layers-manager,target=/root/.npm,sharing=locked \
npm-install-with-retry.sh
# Copy source code after dependencies are installed
COPY TEMPLATE/ampTemplate/node_modules/gis-layers-manager .
Expand Down Expand Up @@ -127,6 +127,7 @@ RUN cd dev \
&& rm -rf node_modules

FROM node as compile-dashboard
SHELL ["/bin/bash", "-c"]
# Copy npm install helper script
COPY docker/npm-install-with-retry.sh /usr/local/bin/npm-install-with-retry.sh
RUN chmod +x /usr/local/bin/npm-install-with-retry.sh
Expand All @@ -146,11 +147,13 @@ RUN --mount=type=cache,target=/root/.npm \
npm-install-with-retry.sh dev
# Copy source code after dependencies are installed
COPY TEMPLATE/ampTemplate/dashboard .
RUN cd dev \
&& npm run build \
&& rm -rf node_modules
RUN set -euxo pipefail \
&& cd dev \
&& npm ci --no-audit --prefer-offline \
&& npm run build --verbose \
&& rm -rf node_modules

FROM node as compile-reamp
FROM node:16.20.2 as compile-reamp
# Copy npm install helper script
COPY docker/npm-install-with-retry.sh /usr/local/bin/npm-install-with-retry.sh
RUN chmod +x /usr/local/bin/npm-install-with-retry.sh
Expand All @@ -159,15 +162,16 @@ WORKDIR /tmp/amp/TEMPLATE/reamp
COPY --from=compile-amp-boilerplate /tmp/amp/TEMPLATE/ampTemplate/node_modules/amp-boilerplate ../ampTemplate/node_modules/amp-boilerplate
# Copy package files for dependency installation
COPY TEMPLATE/reamp/package*.json ./
RUN --mount=type=cache,target=/root/.npm \
RUN --mount=type=cache,id=npm-cache-reamp,target=/root/.npm,sharing=locked \
--mount=type=ssh \
npm-install-with-retry.sh
NPM_CONFIG_LEGACY_PEER_DEPS=true npm-install-with-retry.sh
# Copy source code after dependencies are installed
COPY TEMPLATE/reamp .
RUN npm run build \
&& node -e "const fs=require('fs'); const source=fs.readFileSync('dependencies-bundle.js','utf8'); const start=source.indexOf('key:\"getFieldDef\"'); const method=start === -1 ? '' : source.slice(start, start + 900); if (start === -1 || /[a-z]\s*\+=\s*2/.test(method)) { console.error('Stale amp-ui FieldsManager.getFieldDef detected in dependencies-bundle.js'); process.exit(1); }" \
&& rm -rf node_modules

FROM node as compile-reampv2
FROM node:20 as compile-reampv2
# Copy npm install helper script
COPY docker/npm-install-with-retry.sh /usr/local/bin/npm-install-with-retry.sh
RUN chmod +x /usr/local/bin/npm-install-with-retry.sh
Expand Down
Loading
Loading