Skip to content

fix(deploy): hardening + doc corrections from 2026-07-04 quality report#158

Open
Anuraj-dev wants to merge 6 commits into
mainfrom
fix/deploy-docs-hardening
Open

fix(deploy): hardening + doc corrections from 2026-07-04 quality report#158
Anuraj-dev wants to merge 6 commits into
mainfrom
fix/deploy-docs-hardening

Conversation

@Anuraj-dev

Copy link
Copy Markdown
Owner

Deploy/docs items from the 2026-07-04 quality report.

Deploy hardening

  • Automated rollback in deploy-backend.yml: the running image ref is recorded before each release; if (and only if) the post-deploy health check fails, the workflow SSHes back, checks out the prior SHA, redeploys the last-good immutable tag, and re-verifies health. The job still ends red so the existing alarm path notifies a human.
  • Compose: healthcheck on the server container (/api/health via node fetch — slim image has no curl) + mem/cpu limits.
  • nginx: HSTS + X-Content-Type-Options at the TLS edge with always (covers nginx-generated 301/404), stripping helmet's upstream duplicates; explicit proxy_read_timeout 3600s on the Socket.io path.

Doc corrections

  • README: mediasoup UDP range 10000–59999 → 40000–40100 (matches .env.example, env.ts, e2e constants — the old range provisions a wrong ~50k-port security group); Meeting model → Room; added the missing cp client/.env.example client/.env setup step.
  • CONTRIBUTING: VideoTile.test.jsx.tsx; server-image CI trigger paths synced with actual workflow YAML.
  • server/.env.example: documented LOG_LEVEL / AWS_REGION.
  • engines.node on all package.json files (root/server ≥22.13, client/shared/e2e ≥20.19).

Validated: docker compose config clean; workflow YAML parses; no application source touched.

- Correct security-group UDP RTC range 10000-59999 -> 40000-40100 to match
  .env.example, server config defaults, and e2e constants
- Fix project-structure diagram: models are User/Room, not a Meeting model
- Add the missing 'cp client/.env.example client/.env' step; client Socket.io
  has no VITE_SERVER_URL fallback so fresh clones fail to signal without it
- Container healthcheck hits /api/health (the endpoint the deploy workflow
  already polls) via node's global fetch; no curl/wget in the slim runtime
- mem_limit/mem_reservation/cpus ceilings so a runaway process can't starve
  the box; sized for a small single node and tunable per instance
- Emit HSTS and X-Content-Type-Options once at the TLS edge (with 'always' so
  the port-80 redirect and catch-all 404 are covered too)
- Strip helmet's duplicate copies on proxied /api and /socket.io responses
- Add explicit proxy_read_timeout on /socket.io/ so long-lived, mostly-idle
  WebSocket upgrades aren't dropped at nginx's default 60s
- Record the running container's image before switching (.rollback-image)
- If the post-deploy health check fails, redeploy that prior immutable :<sha>
  tag and re-verify health on the box
- Gate strictly on the health step failing (not a failed pull/start, where the
  old container is still up), and let the job still end red so the existing
  alarm path notifies a human
- VideoTile test is now .tsx, not .jsx
- Correct the Server image smoke trigger paths to match the workflow YAML
  (add shared/**, package.json, package-lock.json; .dockerignore is at root)
- typecheck workflow header no longer calls the codebase 'mostly JavaScript'
- engines.node floors: root+server >=22.13 (mediasoup >=22, eslint 10 on the
  22.x branch needs >=22.13); client/shared/e2e >=20.19 (vite 8 + eslint 10)
- server/.env.example now documents LOG_LEVEL and AWS_REGION
@vercel

vercel Bot commented Jul 5, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
a-meet Ready Ready Preview, Comment Jul 5, 2026 10:01pm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant