feat: initial import

Author: peterpeterparker

.env.development.example

@@ -0,0 +1,6 @@
+GITHUB_CLIENT_ID=your_github_oauth_client_id
+GITHUB_CLIENT_SECRET=your_github_oauth_client_secret
+GITHUB_AUTH_ISSUER=https://your_unique_authentication_issuer
+JWT_PRIVATE_KEY_PATH=./private-key.pem
+JWT_PUBLIC_KEY_PATH=./public-key.pem
+JWT_KEY_ID=your-api-key-1

.env.production.example

@@ -0,0 +1,3 @@
+GITHUB_CLIENT_ID=your_github_oauth_client_id
+GITHUB_CLIENT_SECRET=your_github_oauth_client_secret
+GITHUB_AUTH_ISSUER=https://your_unique_authentication_issuer

.env.test

@@ -0,0 +1,6 @@
+GITHUB_CLIENT_ID=test-client-id
+GITHUB_CLIENT_SECRET=test-client-secret
+GITHUB_AUTH_ISSUER=https://api.juno.build/auth/github
+JWT_PRIVATE_KEY_PATH=./test-private-key.pem
+JWT_PUBLIC_KEY_PATH=./test-public-key.pem
+JWT_KEY_ID=juno-key-1

.github/actions/prepare/action.yml

@@ -0,0 +1,13 @@
+name: Prepare
+
+description: Checkout and install dependencies
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Bun
+      uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
+
+    - name: Install dependencies
+      shell: bash
+      run: bun install --frozen-lockfile

.github/workflows/build.yml

@@ -0,0 +1,70 @@
+name: Build
+
+on:
+  pull_request:
+
+jobs:
+  build-and-test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cache Docker layers
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          load: true
+          tags: juno-api:test
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+      - name: Run container
+        run: |
+          docker run -d --name juno-api-test \
+            -p 3000:3000 \
+            -e GITHUB_CLIENT_ID=test-client-id \
+            -e GITHUB_CLIENT_SECRET=test-client-secret \
+            -e GITHUB_AUTH_ISSUER=https://api.juno.build/auth/github \
+            juno-api:test
+
+      - name: Wait for container to be ready
+        run: |
+          timeout 30 sh -c 'until curl -f http://localhost:3000/v1/auth/certs 2>/dev/null; do sleep 1; done'
+
+      - name: Test JWKS endpoint
+        run: |
+          response=$(curl -s http://localhost:3000/v1/auth/certs)
+          echo "$response" | jq -e '.keys[0].kid' | grep -q "juno-api-"
+          echo "$response" | jq -e '.keys[0].n'
+          echo "$response" | jq -e '.keys[0].e == "AQAB"'
+          echo "✅ JWKS endpoint working"
+
+      - name: Check container logs
+        if: always()
+        run: docker logs juno-api-test
+
+      - name: Cleanup
+        if: always()
+        run: docker rm -f juno-api-test
+
+      # Move cache to avoid unbounded growth
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

.github/workflows/checks.yml

@@ -0,0 +1,72 @@
+name: Checks
+
+on:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Prepare
+        uses: ./.github/actions/prepare
+
+      - name: Build
+        run: bun run build
+
+  format:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Prepare
+        uses: ./.github/actions/prepare
+
+      - name: Format
+        run: bun format:check
+
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Prepare
+        uses: ./.github/actions/prepare
+
+      - name: Lint
+        run: bun lint
+
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Prepare
+        uses: ./.github/actions/prepare
+
+      - name: Test
+        run: bun test
+
+  may-merge:
+    needs: ['format', 'lint', 'test', 'build']
+    runs-on: ubuntu-latest
+    steps:
+      - name: Cleared for merging
+        run: echo OK

.github/workflows/publish.yml

@@ -0,0 +1,43 @@
+name: Publish Docker image
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  push_to_registry:
+    name: Push Docker image to Docker Hub
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - image_name: junobuild/api
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ matrix.image_name }}
+          tags: |
+            type=semver,pattern={{major}}
+            type=semver,pattern={{version}}
+
+      - name: Build and push Docker image for ${{ matrix.image_name }}
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64
+          file: ./Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -0,0 +1,50 @@
+# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
+
+# Various IDEs and Editors
+.vscode/
+.idea/
+**/*~
+
+# Mac OSX temporary files
+.DS_Store
+**/.DS_Store
+
+# dependencies
+/node_modules
+/.pnp
+.pnp.js
+
+# testing
+/coverage
+
+# next.js
+/.next/
+/out/
+
+# production
+/build
+
+# misc
+*.pem
+
+# debug
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# local env files
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+# vercel
+.vercel
+
+**/*.trace
+**/*.zip
+**/*.tar.gz
+**/*.tgz
+**/*.log
+package-lock.json
+**/*.bun

.prettierrc

@@ -0,0 +1,7 @@
+{
+	"useTabs": true,
+	"singleQuote": true,
+	"trailingComma": "none",
+	"printWidth": 100,
+	"plugins": ["prettier-plugin-organize-imports"]
+}

Dockerfile

@@ -0,0 +1,57 @@
+# use the official Bun image
+# see all versions at https://hub.docker.com/r/oven/bun/tags
+FROM oven/bun:1 AS base
+WORKDIR /usr/src/app
+
+# install dependencies into temp directory
+# this will cache them and speed up future builds
+FROM base AS install
+RUN mkdir -p /temp/dev
+COPY package.json bun.lock /temp/dev/
+RUN cd /temp/dev && bun install --frozen-lockfile
+
+# install with --production (exclude devDependencies)
+RUN mkdir -p /temp/prod
+COPY package.json bun.lock /temp/prod/
+RUN cd /temp/prod && bun install --frozen-lockfile --production
+
+# copy node_modules from temp directory
+# then copy all (non-ignored) project files into the image
+FROM base AS prerelease
+COPY --from=install /temp/dev/node_modules node_modules
+
+# copy required resources
+COPY src src
+COPY test test
+COPY biome.json biome.json
+COPY bunfig.toml bunfig.toml
+COPY package.json package.json
+COPY test-setup.ts test-setup.ts
+COPY tsconfig.json tsconfig.json
+
+# tests & build
+ENV NODE_ENV=production
+RUN bun run build
+
+# build final image
+FROM base AS release
+
+RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y \
+    openssl \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=install /temp/prod/node_modules node_modules
+COPY --from=prerelease /usr/src/app/build/server .
+
+# Add entrypoint script
+COPY entrypoint.sh .
+RUN chmod +x entrypoint.sh
+
+# Prepare folder for generating the keys on start
+RUN mkdir -p /usr/src/app/keys && chown -R bun:bun /usr/src/app/keys
+
+# run the app
+USER bun
+EXPOSE 3000/tcp
+
+CMD ["./entrypoint.sh"]