Feat/auth

.github/workflows/deploy-auth.yml

@@ -0,0 +1,139 @@
+name: Deploy Auth
+
+on:
+  push:
+    tags:
+      - "auth@*"
+
+concurrency:
+  group: deploy-auth-${{ github.ref }}
+  cancel-in-progress: false
+
+env:
+  IMAGE_NAME: f3-auth
+  STAGING_PROJECT: f3-authentication-staging
+  PROD_PROJECT: f3-authentication
+  AR_REPO: cloud-run-builds
+  REGION: us-east1
+  SERVICE_NAME: f3-auth
+
+jobs:
+  # Wait for CI to pass on the tagged commit
+  ci-gate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Wait for CI checks
+        uses: lewagon/wait-on-check-action@v1.3.4
+        with:
+          ref: ${{ github.sha }}
+          check-regexp: "^(build|lint|typecheck|format-check|test-coverage)$"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          wait-interval: 15
+
+  build:
+    needs: ci-gate
+    runs-on: ubuntu-latest
+    environment: auth-staging
+    permissions:
+      contents: read
+      id-token: write
+    outputs:
+      image: ${{ steps.meta.outputs.image }}
+      version: ${{ steps.meta.outputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Authenticate to GCP (staging project for AR)
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ vars.WIF_PROVIDER }}
+          service_account: ${{ vars.WIF_SA }}
+
+      - uses: google-github-actions/setup-gcloud@v2
+
+      - name: Authorize Docker to Artifact Registry
+        run: gcloud auth configure-docker ${{ env.REGION }}-docker.pkg.dev --quiet
+
+      - name: Extract tag version
+        id: meta
+        run: |
+          TAG="${GITHUB_REF_NAME}"          # e.g. auth@1.2.3
+          VERSION="${TAG#auth@}"            # e.g. 1.2.3
+          IMAGE="${REGION}-docker.pkg.dev/${STAGING_PROJECT}/${AR_REPO}/${IMAGE_NAME}:${VERSION}"
+          echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push Docker image
+        run: |
+          docker build \
+            --file apps/auth/Dockerfile \
+            --tag "${{ steps.meta.outputs.image }}" \
+            .
+          docker push "${{ steps.meta.outputs.image }}"
+
+  deploy-staging:
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: auth-staging
+      url: https://staging.auth.f3nation.com
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Authenticate to GCP (staging)
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ vars.WIF_PROVIDER }}
+          service_account: ${{ vars.WIF_SA }}
+
+      - name: Deploy to Cloud Run (staging)
+        uses: google-github-actions/deploy-cloudrun@v2
+        with:
+          service: ${{ env.SERVICE_NAME }}
+          image: ${{ needs.build.outputs.image }}
+          region: ${{ env.REGION }}
+          project_id: ${{ env.STAGING_PROJECT }}
+
+  deploy-production:
+    needs: [build, deploy-staging]
+    runs-on: ubuntu-latest
+    environment:
+      name: auth-production
+      url: https://auth.f3nation.com
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Authenticate to GCP (staging — pull image from staging AR)
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ vars.WIF_PROVIDER }}
+          service_account: ${{ vars.WIF_SA }}
+
+      - uses: google-github-actions/setup-gcloud@v2
+
+      - name: Promote image to production AR
+        run: |
+          STAGING_IMAGE="${{ needs.build.outputs.image }}"
+          PROD_IMAGE="${REGION}-docker.pkg.dev/${PROD_PROJECT}/${AR_REPO}/${IMAGE_NAME}:${STAGING_IMAGE##*:}"
+          gcloud auth configure-docker ${REGION}-docker.pkg.dev --quiet
+          docker pull "${STAGING_IMAGE}"
+          docker tag "${STAGING_IMAGE}" "${PROD_IMAGE}"
+          docker push "${PROD_IMAGE}"
+          echo "prod_image=${PROD_IMAGE}" >> "$GITHUB_ENV"
+
+      - name: Authenticate to GCP (prod)
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ vars.WIF_PROVIDER }}
+          service_account: ${{ vars.WIF_SA }}
+
+      - name: Deploy to Cloud Run (prod)
+        uses: google-github-actions/deploy-cloudrun@v2
+        with:
+          service: ${{ env.SERVICE_NAME }}
+          image: ${{ env.prod_image }}
+          region: ${{ env.REGION }}
+          project_id: ${{ env.PROD_PROJECT }}

apps/auth/.env.cloud-run.example

@@ -0,0 +1,21 @@
+# .env.cloud-run.<staging|prod>
+# Copy this file and populate with real values:
+#   cp .env.cloud-run.example .env.cloud-run.staging
+#   cp .env.cloud-run.example .env.cloud-run.prod
+
+# ── Secrets (pushed to GCP Secret Manager) ──
+DATABASE_HOST=host
+DATABASE_USER=user
+DATABASE_PASSWORD=pass
+DATABASE_NAME=dbname
+
+AUTH_SECRET=generate-a-random-secret
+AUTH_JWT_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\"
+SENDGRID_API_KEY=SG.xxxx
+API_KEY=f3_xxxx
+
+# ── Per-environment plain env vars ──
+NEXTAUTH_URL=https://auth.f3nation.com
+NEXT_PUBLIC_AUTH_URL=https://auth.f3nation.com
+NEXT_PUBLIC_API_URL=https://api.f3nation.com
+EMAIL_FROM=noreply@f3nation.com

apps/auth/Dockerfile

@@ -0,0 +1,62 @@
+# ---------- Stage 1: Prune monorepo ----------
+FROM node:20-alpine AS builder
+
+ENV TURBO_TELEMETRY_DISABLED=1
+ENV PNPM_HOME="/pnpm"
+ENV PATH="$PNPM_HOME:$PATH"
+RUN apk add --no-cache libc6-compat && apk update
+WORKDIR /app
+
+RUN corepack enable && corepack prepare pnpm@8.15.1 --activate
+RUN pnpm add -g turbo@^1.12.3
+
+COPY . .
+RUN turbo prune f3-auth --docker
+
+# ---------- Stage 2: Install + build ----------
+FROM node:20-alpine AS installer
+
+ENV NEXT_TELEMETRY_DISABLED=1
+ENV TURBO_TELEMETRY_DISABLED=1
+ENV PNPM_HOME="/pnpm"
+ENV PATH="$PNPM_HOME:$PATH"
+RUN apk add --no-cache libc6-compat openssl && apk update
+WORKDIR /app
+
+RUN corepack enable && corepack prepare pnpm@8.15.1 --activate
+RUN pnpm add -g turbo@^1.12.3
+
+# Install dependencies from pruned lockfile
+COPY --from=builder /app/out/json/ .
+COPY --from=builder /app/out/pnpm-lock.yaml ./pnpm-lock.yaml
+RUN pnpm install --frozen-lockfile
+
+# Copy source and build
+COPY --from=builder /app/out/full/ .
+
+ENV NODE_ENV=production
+ENV CI=true
+ENV SKIP_ENV_VALIDATION=true
+
+RUN pnpm turbo build --filter=f3-auth
+
+# ---------- Stage 3: Production runner ----------
+FROM node:20-alpine AS runner
+
+RUN apk add --no-cache libc6-compat openssl && apk update
+WORKDIR /app
+
+RUN addgroup --system --gid 1001 nodejs && \
+    adduser --system --uid 1001 auth
+
+# Copy standalone output
+COPY --from=installer --chown=auth:nodejs /app/apps/auth/.next/standalone ./
+COPY --from=installer --chown=auth:nodejs /app/apps/auth/.next/static ./apps/auth/.next/static
+COPY --from=installer --chown=auth:nodejs /app/apps/auth/public ./apps/auth/public
+
+USER auth
+
+ENV PORT=8080
+EXPOSE 8080
+
+CMD ["node", "apps/auth/server.js"]