Merge pull request #5 from topcoder-platform/develop

[v6 PROD RELEASE] - dev -> master

Author: kkartunov

.circleci/config.yml

@@ -64,6 +64,7 @@ workflows:
           branches:
             only:
               - develop
+              - pm-2539
 
     # Production builds are exectuted only on tagged commits to the
     # master branch.

.github/workflows/trivy.yaml

@@ -0,0 +1,34 @@
+name: Trivy Scanner
+
+permissions:
+  contents: read
+  security-events: write
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+jobs:
+  trivy-scan:
+    name: Use Trivy
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy scanner in repo mode
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: "fs"
+          ignore-unfixed: true
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH,UNKNOWN"
+          scanners: vuln,secret,misconfig,license
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"

src/auth/guards/roles.guard.ts

@@ -48,7 +48,7 @@ export class RolesGuard implements CanActivate {
             .map((s: string) => s.trim())
             .filter(Boolean);
 
-      const scopeOk = fallbackScopes.every((s) => scopes.includes(s));
+      const scopeOk = fallbackScopes.some((s) => scopes.includes(s));
       if (scopeOk) return true;
     }
 

src/auth/guards/scopes.guard.ts

@@ -32,7 +32,7 @@ export class ScopesGuard implements CanActivate {
           .map((s: string) => s.trim())
           .filter(Boolean);
 
-    const ok = required.every((s) => scopes.includes(s));
+    const ok = required.some((s) => scopes.includes(s));
     if (ok) return true;
 
     const fallbackRoles = this.reflector.getAllAndOverride<string[]>(ROLES_KEY, [

src/common/members-lookup.service.ts

@@ -20,7 +20,14 @@ export class MembersLookupService {
       return;
     }
     // Create a dedicated Prisma client targeting the members DB
-    this.client = new PrismaClient({ datasources: { db: { url } } });
+    this.client = new PrismaClient({
+      transactionOptions: {
+        timeout: process.env.BA_SERVICE_PRISMA_TIMEOUT
+          ? parseInt(process.env.BA_SERVICE_PRISMA_TIMEOUT, 10)
+          : 10000,
+      },
+      datasources: { db: { url } }
+    });
     this.initialized = true;
   }
 

src/common/prisma.service.ts

@@ -3,6 +3,16 @@ import { PrismaClient } from "@prisma/client";
 
 @Injectable()
 export class PrismaService extends PrismaClient implements OnModuleInit {
+  constructor() {
+    super({
+      transactionOptions: {
+        timeout: process.env.BA_SERVICE_PRISMA_TIMEOUT
+          ? parseInt(process.env.BA_SERVICE_PRISMA_TIMEOUT, 10)
+          : 10000,
+      },
+    });
+  }
+
   async onModuleInit() {
     await this.$connect();
   }