Add health check endpoint and update Dockerfiles for non-root user

max-ostapenko · max-ostapenko · commit e61490dea0ea · 2025-08-26T22:42:49.000+02:00
diff --git a/.github/linters/.trivyignore b/.github/linters/.trivyignore
@@ -0,0 +1,3 @@
+# Ignore the dataplexAdmin role issue
+
+AVD-GCP-0007
diff --git a/.github/linters/.zizmor.yml b/.github/linters/.zizmor.yml
@@ -0,0 +1,3 @@
+rules:
+  unpinned-uses:
+    ignore: true
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -24,6 +24,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Lint Code Base
         uses: super-linter/super-linter/slim@v8.1.0
diff --git a/infra/bigquery-export/Dockerfile b/infra/bigquery-export/Dockerfile
@@ -4,6 +4,9 @@ FROM node:22-slim
 # Set the working directory
 WORKDIR /app
 
+# Create a non-root user
+RUN groupadd -r appuser && useradd -r -g appuser appuser
+
 # Copy package files first for better layer caching
 COPY package*.json ./
 
@@ -15,4 +18,13 @@ ENV EXPORT_CONFIG=""
 # Copy source code
 COPY . .
 
+# Change ownership of the app directory to the non-root user
+RUN chown -R appuser:appuser /app
+
+# Switch to non-root user
+USER appuser
+
+# No healthcheck needed for one-time job containers
+HEALTHCHECK NONE
+
 CMD ["node", "index.js"]
diff --git a/infra/dataform-service/Dockerfile b/infra/dataform-service/Dockerfile
@@ -3,6 +3,9 @@ FROM node:22-slim
 # Set the working directory
 WORKDIR /app
 
+# Create a non-root user
+RUN groupadd -r appuser && useradd -r -g appuser appuser
+
 # Copy package files first for better layer caching
 COPY package*.json ./
 
@@ -12,11 +15,21 @@ RUN npm ci --only=production --quiet --no-fund --no-audit && npm cache clean --f
 # Copy source code
 COPY . .
 
+# Change ownership of the app directory to the non-root user
+RUN chown -R appuser:appuser /app
+
+# Switch to non-root user
+USER appuser
+
 # Set default port (Cloud Run will override this)
 ENV PORT=8080
 
 # Expose port for Cloud Run
 EXPOSE 8080
 
+# Add healthcheck
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD node -e "require('http').get('http://localhost:$PORT/health', (res) => { process.exit(res.statusCode === 200 ? 0 : 1) }).on('error', () => { process.exit(1) })" || exit 1
+
 # Start the function
 CMD ["npm", "start"]
diff --git a/infra/dataform-service/index.js b/infra/dataform-service/index.js
@@ -223,14 +223,20 @@ async function mainHandler (req, res) {
 
   console.info(`Received request for path: ${path}`)
 
-  if (path === '/trigger' || path.startsWith('/trigger/')) {
+  if (path === '/health') {
+    // Health check endpoint
+    res.status(200).json({
+      status: 'healthy',
+      timestamp: new Date().toISOString()
+    })
+  } else if (path === '/trigger' || path.startsWith('/trigger/')) {
     await handleTrigger(req, res)
   } else if (path === '/') {
     await handleExport(req, res)
   } else {
     res.status(404).json({
       error: 'Not Found',
-      message: 'Available endpoints: /, /export'
+      message: 'Available endpoints: /, /trigger, /health'
     })
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Ignore the dataplexAdmin role issue`
	`2`	`+`
	`3`	`+AVD-GCP-0007`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+rules:`
	`2`	`+ unpinned-uses:`
	`3`	`+ ignore: true`