Feat/monitoring

.github/workflows/ci-deploy.yml

@@ -2,12 +2,19 @@ name: CI and Deploy to Render
 
 on:
   push:
-    branches:
-      - feat/devops-workflow
-      - develop
+    branches: [develop, feat/monitoring]
+    paths: ["apps/backend/**", ".github/workflows/ci-deploy.yml"]
   pull_request:
-    branches:
-      - develop
+    branches: [develop, feat/monitoring]
+    paths: ["apps/backend/**"]
+
+permissions:
+  contents: read
+  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   ci-backend:
@@ -28,6 +35,9 @@ jobs:
           cache: 'pnpm'
           cache-dependency-path: apps/backend/pnpm-lock.yaml
 
+      - name: Install Doppler CLI
+        uses: dopplerhq/cli-action@v1
+
       - name: Install dependencies
         run: |
           cd apps/backend
@@ -39,30 +49,58 @@ jobs:
           cd apps/backend
           pnpm audit --audit-level=high
 
-      - name: Install Doppler CLI
-        uses: dopplerhq/cli-action@v1
+      - name: Lint Backend
+        run: |
+          cd apps/backend
+          pnpm lint
 
-      - name: Install Snyk CLI
-        run: pnpm install -g snyk
+      - name: Generate Prisma Client
+        run: |
+          cd apps/backend
+          pnpm prisma generate
 
-      - name: Snyk Security Scan
+      - name: Run Tests
         continue-on-error: true
         env:
           DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
         run: |
           cd apps/backend
-          doppler run --project example-project --config prd_rwby -- snyk test --severity-threshold=high
+          doppler run --project example-project --config prd_rwby -- pnpm test -- --passWithNoTests
 
-      - name: Lint Backend
+      - name: Trivy Security Scan
+        uses: aquasecurity/trivy-action@master
+        if: always()
+        with:
+          scan-type: 'fs'
+          scan-ref: 'apps/backend'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '0'
+
+      - name: Check Trivy Report exists
+        id: check_trivy
         run: |
-          cd apps/backend
-          pnpm lint
+          if [ -f trivy-results.sarif ]; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Upload Trivy results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v4
+        if: steps.check_trivy.outputs.exists == 'true'
+        with:
+          sarif_file: 'trivy-results.sarif'
 
   deploy:
     needs: ci-backend
-    if: github.event_name == 'push' && (github.ref == 'refs/heads/feat/devops-workflow' || github.ref == 'refs/heads/develop')
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/feat/monitoring')
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
       - name: Install Doppler CLI
         uses: dopplerhq/cli-action@v1
 
@@ -71,4 +109,4 @@ jobs:
           DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
         run: |
           DEPLOY_HOOK=$(doppler secrets get RENDER_DEPLOY_HOOK_URL --project example-project --config prd_rwby --plain)
-          curl -sS "$DEPLOY_HOOK"
+          curl -sS "$DEPLOY_HOOK"

apps/backend/.env.example

@@ -1,2 +1,7 @@
 DATABASE_URL=
-JWT_SECRET=
+JWT_SECRET=
+DIRECT_URL=
+SENTRY_DSN=
+SENTRY_ORG=
+SENTRY_PROJECT=
+SENTRY_AUTH_TOKEN=

apps/backend/Dockerfile

@@ -35,6 +35,10 @@ CMD ["pnpm", "run", "dev"]
 # Production stage
 FROM base AS production
 
+# Argument for Sentry Auth Token (provided by Render during build)
+ARG SENTRY_AUTH_TOKEN
+ENV SENTRY_AUTH_TOKEN=$SENTRY_AUTH_TOKEN
+
 # Install all dependencies to build
 RUN pnpm install --frozen-lockfile
 
@@ -60,6 +64,8 @@ RUN pnpm install --frozen-lockfile --prod
 COPY --from=production /app/dist ./dist
 # Prisma folder is needed for the client
 COPY --from=production /app/prisma ./prisma
+# Copy src folder so swagger-jsdoc can read annotations from .ts files in production
+COPY --from=production /app/src ./src
 
 # Create non-root user
 RUN addgroup -g 1001 -S nodejs && \

apps/backend/package.json

@@ -6,7 +6,7 @@
   "scripts": {
     "start": "node dist/server.js",
     "dev": "nodemon --exec ts-node server.ts",
-    "build": "tsc",
+    "build": "tsc && sentry-cli sourcemaps inject --org rwby --project node ./dist && sentry-cli sourcemaps upload --org rwby --project node ./dist",
     "test": "vitest",
     "test:run": "vitest run",
     "test:ui": "vitest --ui",
@@ -17,6 +17,7 @@
   "dependencies": {
     "@prisma/adapter-pg": "^7.4.0",
     "@prisma/client": "^7.4.0",
+    "@sentry/node": "^8.26.0",
     "@types/swagger-jsdoc": "^6.0.4",
     "@types/swagger-ui-express": "^4.1.8",
     "bcrypt": "^6.0.0",
@@ -34,6 +35,7 @@
   },
   "devDependencies": {
     "@eslint/js": "^10.0.1",
+    "@sentry/cli": "^2.33.1",
     "@types/bcrypt": "^6.0.0",
     "@types/body-parser": "^1.19.6",
     "@types/cors": "^2.8.19",