Merge branch 'main' into dependabot/npm_and_yarn/frontend/eslint-10.1.0

Author: Boyeep

.github/dependency-review-config.yml

@@ -0,0 +1,23 @@
+# Keep the initial policy focused on risky dependency changes first.
+# This allowlist is intentionally based on the licenses already present in the
+# current dependency tree so normal updates do not become noisy immediately.
+fail-on-severity: high
+fail-on-scopes:
+  - runtime
+  - unknown
+license-check: true
+allow-licenses:
+  - Apache-2.0
+  - Apache-2.0 AND LGPL-3.0-or-later
+  - Apache-2.0 OR BSD-2-Clause
+  - BSD-2-Clause
+  - BSD-3-Clause
+  - BlueOak-1.0.0
+  - CC-BY-4.0
+  - CC0-1.0
+  - ISC
+  - MIT
+  - MPL-2.0
+  - PSF-2.0
+  - Python-2.0
+  - 0BSD

.github/labels.json

@@ -0,0 +1,62 @@
+[
+  {
+    "name": "frontend",
+    "color": "0e7490",
+    "description": "Changes focused on the Next.js app or UI flows."
+  },
+  {
+    "name": "ui",
+    "color": "0891b2",
+    "description": "Visual presentation, overlays, or interaction changes."
+  },
+  {
+    "name": "backend",
+    "color": "166534",
+    "description": "Changes focused on the FastAPI service or vision logic."
+  },
+  {
+    "name": "api",
+    "color": "15803d",
+    "description": "OpenAPI contract, schemas, or request-response behavior."
+  },
+  {
+    "name": "ci",
+    "color": "4f46e5",
+    "description": "Continuous integration or workflow changes."
+  },
+  {
+    "name": "release",
+    "color": "7c3aed",
+    "description": "Release automation, packaging, or publish flow changes."
+  },
+  {
+    "name": "infra",
+    "color": "4338ca",
+    "description": "Developer tooling, scripts, or environment setup changes."
+  },
+  {
+    "name": "docs",
+    "color": "ca8a04",
+    "description": "Documentation-only changes."
+  },
+  {
+    "name": "chore",
+    "color": "6b7280",
+    "description": "Maintenance work with little or no product impact."
+  },
+  {
+    "name": "patch",
+    "color": "1d4ed8",
+    "description": "Patch-level release bump."
+  },
+  {
+    "name": "minor",
+    "color": "2563eb",
+    "description": "Minor release bump."
+  },
+  {
+    "name": "major",
+    "color": "b91c1c",
+    "description": "Major release bump."
+  }
+]

.github/release-drafter.yml

@@ -0,0 +1,96 @@
+name-template: "v$NEXT_PATCH_VERSION"
+tag-template: "v$NEXT_PATCH_VERSION"
+change-template: "- $TITLE @$AUTHOR (#$NUMBER)"
+template: |
+  ## Changes
+
+  $CHANGES
+
+  ## Docker Images
+
+  Replace `<repo-owner>` with the GitHub user or org that owns the repository.
+
+  - `ghcr.io/<repo-owner>/nextjs-python-computer-vision-kit-backend:$RESOLVED_VERSION`
+  - `ghcr.io/<repo-owner>/nextjs-python-computer-vision-kit-frontend:$RESOLVED_VERSION`
+
+categories:
+  - title: "Frontend"
+    labels:
+      - frontend
+      - ui
+  - title: "Backend"
+    labels:
+      - backend
+      - api
+  - title: "CI/CD"
+    labels:
+      - ci
+      - release
+      - infra
+  - title: "Docs"
+    labels:
+      - docs
+  - title: "Maintenance"
+    labels:
+      - chore
+
+change-title-escapes: '\<*_&'
+
+version-resolver:
+  major:
+    labels:
+      - major
+  minor:
+    labels:
+      - minor
+  patch:
+    labels:
+      - patch
+  default: patch
+
+autolabeler:
+  - label: frontend
+    files:
+      - "frontend/**"
+  - label: ui
+    files:
+      - "frontend/src/**"
+      - "docs/assets/**"
+  - label: backend
+    files:
+      - "backend/**"
+  - label: api
+    files:
+      - "docs/openapi.yaml"
+      - "backend/app/**"
+      - "backend/tests/test_inference_route.py"
+      - "frontend/src/generated/openapi.ts"
+      - "frontend/src/lib/api.ts"
+  - label: ci
+    files:
+      - ".github/workflows/**"
+  - label: release
+    files:
+      - ".github/release-drafter.yml"
+      - ".github/workflows/release-drafter.yml"
+      - ".github/workflows/release.yml"
+      - ".github/workflows/release-smoke.yml"
+      - ".github/workflows/sync-labels.yml"
+      - ".github/labels.json"
+      - "scripts/check-release-smoke.mjs"
+  - label: infra
+    files:
+      - "scripts/**"
+      - "backend/Dockerfile"
+      - "backend/.dockerignore"
+      - "frontend/Dockerfile"
+      - "frontend/.dockerignore"
+      - "docker-compose.yml"
+  - label: docs
+    files:
+      - "README.md"
+      - "CONTRIBUTING.md"
+      - "AGENTS.md"
+      - "SECURITY.md"
+      - "soon.md"
+      - "docs/**"

.github/workflows/codeql.yml

@@ -0,0 +1,48 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  schedule:
+    - cron: "18 3 * * 1"
+  workflow_dispatch:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: javascript-typescript
+            build-mode: none
+          - language: python
+            build-mode: none
+          - language: actions
+            build-mode: none
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/dependency-review.yml

@@ -0,0 +1,21 @@
+name: Dependency Review
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Review dependency changes
+        uses: actions/dependency-review-action@v4
+        with:
+          config-file: ./.github/dependency-review-config.yml

.github/workflows/license-report.yml

@@ -0,0 +1,58 @@
+name: License Report
+
+on:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "36 3 * * 2"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  license-report:
+    name: License Report
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+          cache: npm
+          cache-dependency-path: |
+            package-lock.json
+            frontend/package-lock.json
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+          cache-dependency-path: backend/pyproject.toml
+
+      - name: Install root tooling
+        run: npm ci
+
+      - name: Install frontend dependencies
+        run: npm ci
+        working-directory: frontend
+
+      - name: Install backend dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install -e ./backend[dev]
+
+      - name: Generate license reports
+        run: npm run report:licenses
+
+      - name: Upload license reports
+        uses: actions/upload-artifact@v4
+        with:
+          name: license-reports
+          path: reports/licenses/
+          if-no-files-found: error

.github/workflows/release-drafter.yml

@@ -0,0 +1,27 @@
+name: Release Drafter
+
+on:
+  push:
+    branches:
+      - main
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-release-draft:
+    name: Update Release Draft
+    runs-on: ubuntu-latest
+    steps:
+      - name: Update draft release notes
+        uses: release-drafter/release-drafter@v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release-smoke.yml

@@ -0,0 +1,56 @@
+name: Release Smoke
+
+on:
+  release:
+    types:
+      - published
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Release tag to smoke test, for example v0.1.0"
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  smoke:
+    name: Smoke Test Published Images
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Resolve release tag and owner
+        id: vars
+        shell: bash
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "tag=${{ inputs.tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
+          fi
+          echo "owner=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout repository at release tag
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.vars.outputs.tag }}
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Smoke test published backend and frontend images
+        run: npm run check:release-smoke
+        env:
+          BACKEND_IMAGE: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-backend:${{ steps.vars.outputs.tag }}
+          FRONTEND_IMAGE: ghcr.io/${{ steps.vars.outputs.owner }}/nextjs-python-computer-vision-kit-frontend:${{ steps.vars.outputs.tag }}