From 5ff8f35fe9b871ac0523215c23dab02c342ee554 Mon Sep 17 00:00:00 2001
From: "ivan.kaliuzhnyi" <ivan.kaliuzhnyi@kyivcity.gov.ua>
Date: Wed, 3 Dec 2025 13:56:00 +0000
Subject: [PATCH 1/3] docker-related + nginx

---
 angular-17-client/.dockerignore               | 13 +++++
 angular-17-client/Dockerfile                  | 25 ++++++++
 angular-17-client/nginx.conf                  | 34 +++++++++++
 docker-compose.yml                            | 57 +++++++++++++++++++
 spring-boot-server/.dockerignore              | 10 ++++
 spring-boot-server/Dockerfile                 | 24 ++++++++
 .../controller/TutorialController.java        |  2 +-
 7 files changed, 164 insertions(+), 1 deletion(-)
 create mode 100644 angular-17-client/.dockerignore
 create mode 100644 angular-17-client/Dockerfile
 create mode 100644 angular-17-client/nginx.conf
 create mode 100644 docker-compose.yml
 create mode 100644 spring-boot-server/.dockerignore
 create mode 100644 spring-boot-server/Dockerfile

diff --git a/angular-17-client/.dockerignore b/angular-17-client/.dockerignore
new file mode 100644
index 0000000..f453d7d
--- /dev/null
+++ b/angular-17-client/.dockerignore
@@ -0,0 +1,13 @@
+node_modules
+dist
+.angular
+.vscode
+.git
+.gitignore
+*.md
+npm-debug.log
+yarn-error.log
+coverage
+.editorconfig
+karma.conf.js
+.browserslistrc
diff --git a/angular-17-client/Dockerfile b/angular-17-client/Dockerfile
new file mode 100644
index 0000000..85bc74d
--- /dev/null
+++ b/angular-17-client/Dockerfile
@@ -0,0 +1,25 @@
+# Stage 1: Build 
+FROM node:18-alpine AS build
+
+WORKDIR /app
+
+COPY package*.json ./
+# Install dependencies
+RUN npm ci
+# Copy application source code
+COPY . .
+
+# Build the application 
+RUN npm run build
+
+
+# Stage 2: Runtime
+FROM nginx:alpine
+# Copy nginx.conf (or minimalistic nginx2.conf)
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+# Copy from build stage
+COPY --from=build /app/dist/angular-17-crud/browser /usr/share/nginx/html
+
+EXPOSE 8081
+
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/angular-17-client/nginx.conf b/angular-17-client/nginx.conf
new file mode 100644
index 0000000..fdc103b
--- /dev/null
+++ b/angular-17-client/nginx.conf
@@ -0,0 +1,34 @@
+server {
+    listen 80;
+    server_name localhost;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    location /api/ {
+        proxy_pass http://spring-boot-server:8080;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+}
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..158e08a
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,57 @@
+services:
+  mysql:
+    image: mysql:8.0
+    container_name: mysql-db
+    environment:
+      MYSQL_ROOT_PASSWORD: 12345678
+      MYSQL_DATABASE: testdb
+    ports:
+      - "3306:3306"
+    volumes:
+      - mysql_data:/var/lib/mysql
+    networks:
+      - app-network
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-p12345678"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  spring-boot-server:
+    build:
+      context: ./spring-boot-server
+      dockerfile: Dockerfile
+    container_name: spring-boot-app
+    environment:
+      SPRING_DATASOURCE_URL: jdbc:mysql://mysql:3306/testdb?useSSL=false&allowPublicKeyRetrieval=true
+      SPRING_DATASOURCE_USERNAME: root
+      SPRING_DATASOURCE_PASSWORD: 12345678
+      SPRING_JPA_HIBERNATE_DDL_AUTO: update
+    ports:
+      - "8080:8080"
+    depends_on:
+      mysql:
+        condition: service_healthy
+    networks:
+      - app-network
+    restart: unless-stopped
+
+  angular-client:
+    build:
+      context: ./angular-17-client
+      dockerfile: Dockerfile
+    container_name: angular-app
+    ports:
+      - "4200:80"
+    depends_on:
+      - spring-boot-server
+    networks:
+      - app-network
+    restart: unless-stopped
+
+networks:
+  app-network:
+    driver: bridge
+
+volumes:
+  mysql_data:
\ No newline at end of file
diff --git a/spring-boot-server/.dockerignore b/spring-boot-server/.dockerignore
new file mode 100644
index 0000000..26ef35d
--- /dev/null
+++ b/spring-boot-server/.dockerignore
@@ -0,0 +1,10 @@
+target
+.mvn
+mvnw
+mvnw.cmd
+*.md
+.git
+.gitignore
+.vscode
+.idea
+*.iml
diff --git a/spring-boot-server/Dockerfile b/spring-boot-server/Dockerfile
new file mode 100644
index 0000000..031acd5
--- /dev/null
+++ b/spring-boot-server/Dockerfile
@@ -0,0 +1,24 @@
+# Stage 1: Build 
+FROM maven:3.9-eclipse-temurin-17 AS build
+
+WORKDIR /app
+
+COPY pom.xml .
+RUN mvn dependency:go-offline -B
+
+COPY src ./src
+
+RUN mvn clean package -DskipTests
+
+
+# Stage 2: Run the application
+FROM eclipse-temurin:17-jre-alpine
+
+WORKDIR /app
+
+# Copy the JAR from build stage
+COPY --from=build /app/target/*.jar app.jar
+
+EXPOSE 8080
+# Run the application
+ENTRYPOINT ["java", "-jar", "app.jar"]
diff --git a/spring-boot-server/src/main/java/com/bezkoder/spring/datajpa/controller/TutorialController.java b/spring-boot-server/src/main/java/com/bezkoder/spring/datajpa/controller/TutorialController.java
index c988754..2f79fef 100644
--- a/spring-boot-server/src/main/java/com/bezkoder/spring/datajpa/controller/TutorialController.java
+++ b/spring-boot-server/src/main/java/com/bezkoder/spring/datajpa/controller/TutorialController.java
@@ -21,7 +21,7 @@
 import com.bezkoder.spring.datajpa.model.Tutorial;
 import com.bezkoder.spring.datajpa.repository.TutorialRepository;
 
-@CrossOrigin(origins = "http://localhost:8081")
+@CrossOrigin(origins = "*")
 @RestController
 @RequestMapping("/api")
 public class TutorialController {

From cca5c102eb6b5b126541aa142c5f1cee9a4057c2 Mon Sep 17 00:00:00 2001
From: iviul <iviul@outlook.com>
Date: Wed, 3 Dec 2025 16:44:06 +0200
Subject: [PATCH 2/3] feat: Build and push action

---
 .github/workflows/build-and-push.yml | 75 ++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)
 create mode 100644 .github/workflows/build-and-push.yml

diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
new file mode 100644
index 0000000..fd52ac0
--- /dev/null
+++ b/.github/workflows/build-and-push.yml
@@ -0,0 +1,75 @@
+name: Docker Build and Push
+
+on:
+  push:
+    branches: [ "main", "master" ]
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx with Container Driver
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: docker-container 
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Define image metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha,format=long,prefix=
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=tag
+
+      - name: Lint Dockerfile
+        uses: hadolint/hadolint-action@v3.1.0
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Extract first tag
+        id: first_tag
+        run: |
+          FIRST_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1)
+          echo "tag=$FIRST_TAG" >> $GITHUB_OUTPUT
+
+      - name: Run Trivy vulnerability scanner (fail only on CRITICAL)
+        uses: aquasecurity/trivy-action@master
+        continue-on-error: true
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: table
+          exit-code: 1
+          vuln-type: 'os,library'
+          severity: 'CRITICAL'
\ No newline at end of file

From 069f6754b7156617a77f124bedc7760282213494 Mon Sep 17 00:00:00 2001
From: "ivan.kaliuzhnyi" <ivan.kaliuzhnyi@kyivcity.gov.ua>
Date: Tue, 9 Dec 2025 09:47:06 +0000
Subject: [PATCH 3/3] Adding harbor in the workflow

---
 .github/workflows/build-and-push.yml | 99 +++++++++++++++++++++++-----
 1 file changed, 84 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index fd52ac0..8d96013 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -6,7 +6,9 @@ on:
   workflow_dispatch:
 
 env:
-  REGISTRY: ghcr.io
+  GHCR_REGISTRY: ghcr.io
+  HARBOR_REGISTRY: demo.goharbor.io  
+  HARBOR_PROJECT: angular-17-spring-boot-mysql-example 
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
@@ -15,6 +17,15 @@ jobs:
     permissions:
       contents: read
       packages: write
+    strategy:
+      matrix:
+        include:
+          - service: backend
+            context: ./spring-boot-server
+            dockerfile: ./spring-boot-server/Dockerfile
+          - service: frontend  
+            context: ./angular-17-client
+            dockerfile: ./angular-17-client/Dockerfile
 
     steps:
       - name: Checkout repository
@@ -28,18 +39,35 @@ jobs:
         with:
           driver: docker-container 
 
-      - name: Log in to the Container registry
+      - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
-          registry: ${{ env.REGISTRY }}
+          registry: ${{ env.GHCR_REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Define image metadata
-        id: meta
+      - name: Log in to Harbor Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.HARBOR_REGISTRY }}
+          username: ${{ secrets.HARBOR_USERNAME }}
+          password: ${{ secrets.HARBOR_PASSWORD }}
+
+      - name: Define image metadata for GHCR
+        id: meta-ghcr
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}/${{ matrix.service }}
+          tags: |
+            type=sha,format=long,prefix=
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=tag
+
+      - name: Define image metadata for Harbor
+        id: meta-harbor
         uses: docker/metadata-action@v5
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: ${{ env.HARBOR_REGISTRY }}/${{ env.HARBOR_PROJECT }}/${{ matrix.service }}
           tags: |
             type=sha,format=long,prefix=
             type=raw,value=latest,enable={{is_default_branch}}
@@ -47,28 +75,69 @@ jobs:
 
       - name: Lint Dockerfile
         uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: ${{ matrix.dockerfile }}
+
+      - name: Build and push to GHCR
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ matrix.context }}
+          file: ${{ matrix.dockerfile }}
+          push: true
+          tags: ${{ steps.meta-ghcr.outputs.tags }}
+          labels: ${{ steps.meta-ghcr.outputs.labels }}
+          cache-from: type=gha,scope=${{ matrix.service }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.service }}
 
-      - name: Build and push Docker image
+      - name: Build and push to Harbor
+        id: harbor-build
         uses: docker/build-push-action@v5
         with:
-          context: .
+          context: ${{ matrix.context }}
+          file: ${{ matrix.dockerfile }}
           push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          tags: ${{ steps.meta-harbor.outputs.tags }}
+          labels: ${{ steps.meta-harbor.outputs.labels }}
+          cache-from: type=gha,scope=${{ matrix.service }}
+
+      - name: Extract Harbor image details
+        id: harbor-image
+        run: |
+          FIRST_TAG=$(echo "${{ steps.meta-harbor.outputs.tags }}" | head -n 1)
+          REPO_TAG=$(echo "$FIRST_TAG" | cut -d'/' -f3-)
+          REPO=$(echo "$REPO_TAG" | cut -d':' -f1)
+          TAG=$(echo "$REPO_TAG" | cut -d':' -f2)
+          
+          echo "project=${{ env.HARBOR_PROJECT }}" >> $GITHUB_OUTPUT
+          echo "repo=$REPO" >> $GITHUB_OUTPUT
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          echo "full_image=$FIRST_TAG" >> $GITHUB_OUTPUT
+
+      - name: Wait for Harbor deployment
+        uses: kyberorg/wait_for_harbor@v0.1
+        with:
+          hostname: ${{ env.HARBOR_REGISTRY }}
+          schema: 'https'
+          robot: ${{ secrets.HARBOR_USERNAME }}
+          token: ${{ secrets.HARBOR_PASSWORD }}
+          imageProject: ${{ steps.harbor-image.outputs.project }}
+          imageRepo: ${{ steps.harbor-image.outputs.repo }}
+          imageTag: ${{ steps.harbor-image.outputs.tag }}
+          imageSha: ${{ steps.harbor-build.outputs.digest }}
+          interval: 5
+          timeout: 300  
 
-      - name: Extract first tag
+      - name: Extract first GHCR tag for security scan
         id: first_tag
         run: |
-          FIRST_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n 1)
+          FIRST_TAG=$(echo "${{ steps.meta-ghcr.outputs.tags }}" | head -n 1)
           echo "tag=$FIRST_TAG" >> $GITHUB_OUTPUT
 
       - name: Run Trivy vulnerability scanner (fail only on CRITICAL)
         uses: aquasecurity/trivy-action@master
         continue-on-error: true
         with:
-          image-ref: ${{ steps.meta.outputs.tags }}
+          image-ref: ${{ steps.first_tag.outputs.tag }}
           format: table
           exit-code: 1
           vuln-type: 'os,library'