Figure out how to do semantic versioning

Ideas:

• semantic versioning on PR merge based on branch prefix (Github Action?)
  • fix - patch
  • patch - patch
  • feature/feature - minor
  • build/internal? - minor
  • test - patch
  • ignore/skip-release? - patch (none?)
  • doc - none? (no changes to js files allowed?)
• Use tags? https://github.com/mdomke/git-semver
• auto/semantic-release?
  • https://github.com/semantic-release/semantic-release
  • https://github.com/intuit/auto
    • git-tags: https://github.com/intuit/auto/tree/master/plugins/git-tag
  • hook that runs on merge to master?
    • npm version 'auto version' --no-commit-hooks (see notes)
  • changelog?
    • based on commit messages?
  • --no-git-tag-version to not add git tag on npm version change
  • release github action event
• create release in action: https://github.com/marketplace/actions/create-release
  • create branch (e.g. develop has 1.1-SNAPSHOT, release branch created is 1.1)
  • build artifact?
  • tag?
  • update version in release branch (e.g. to 1.1.1)
  • new builds in branch create artifact with current number (e.g. 1.1.1 and do prev step to become 1.1.2 in branch)
• README: https://hodgkins.io/automating-semantic-versioning

Research graphQL: https://graphql.org/

• https://www.apollographql.com/docs/apollo-server/v1/servers/hapi/
• Look into react integration
• current base/server.js would become restServer.js
  • Hapi server is parameter to the constructors of this and graphQlServer.js class
• Apollo?

IDEA: Basic template HTML pages that fetch data from graphql endpoint

• JavaScript framework/react for UI changes?

Tests for external APIs we use to verify they still behave how expected

• running tests on build complete?
  • should we do same as fend project?
  • difference between tests run that way vs npm run test

• check nvm installed and node correct version
• require node 10+
• npm install?
• db sql scripts/setup?
• sequelize?

• Helper class to connect to external service via REST API
• Use config helper to get service details: https://github.com/devlinjunker/template.node.hapi/blob/master/conf/config.yaml#L41
  • weather?
  • connect to github via public api? (retrieve issues/prs?)
• GET/POST/PUT/DELETE requests
• Trace log the request and responses
• performance logging?

Later:

• oauth/google drive
• private config file containing any hidden/secret keys (or just env.properties -- added to .gitignore)

• Build status/stable version?
• license?
• dependencies (up to date)
• dev-dependencies (up to date)
• documentation link
  • https://github.com/Naereen/badges#read-the-docs-status
  • esdoc badge
• npm version?
• node version?
• tests passing? https://help.github.com/en/actions/configuring-and-managing-workflows/configuring-a-workflow#adding-a-workflow-status-badge-to-your-repository
• Coverage (https://codecov.io/)
• Code Quality? app.codacy.com
• Maintainability? codeclimate.com
• contributors? https://github.com/badges/shields/graphs/contributors
• commits/week? https://github.com/badges/shields
• add engines.node to package.json (lowest node version supported)
  https://shields.io/
• http://app.fossa.com

Other README stuff:

• add link to wiki in README
• Also cleanup todos to other file (notes.md - eventually move all to github issues)
• add gif of command line install/startup and server response

setup config helper class to read from config.yaml (and env.properties?)

• config.yaml contains the structure of configuration and default values
• env.properties file should just be format <name>=<value> for parsing and setting values in config.yaml
• think about simple replacement in these name value pairs so we can have "variables" in config file

e.g. 
var=1
host=domain-name-${var}.com

RESULT host=domain-nomain-1.com

Describe the Improvement:
Use webpack 4+ and updated plugins

Steps:

1. Update plugins
2. Update webpack

Additional Context and Links:
N/A

Testing:
Server still builds and runs after upgrade

• Helper to connect to MongoDB instance (similar to MariaDB Helper that exists, but should be simpler)
• use config to setup connection: https://github.com/devlinjunker/template.node.hapi/blob/master/conf/config.yaml#L17
• create/read/update/delete operations

Next:

• Simple endpoints for rapid development and storage of JSON objects created in the UI components while doing UI development
• CrudDataservice class that can be extended
  • defines name and properties (JOI validation?)
  • create/read/readAll/update/delete methods that can be overwritten and called in child classes

Add menu items next to logo for links to issues and PRs

• Easy: use JavaScript to create a badge with the number of items at the link (from Github API)

  • https://api.github.com/repos/devlinjunker/template.node.hapi/issues
  • issues
  • pull requests

• Dashboard?

  • high priority issues
  • releases?
  • actions log?

• update esdoc extension?

  • extend brand-plugin for github specific: https://www.npmjs.com/package/esdoc-brand-plugin
  • Include Matomo script?
  • healthcheck
  • swagger

https://github.com/devlinjunker/template.node.hapi/actions/new

First:

• Lint/Flow/Build/Test on PR
• Update wiki with pages matching all READMEs: https://github.com/marketplace/actions/wiki-page-creator-action

On PR:

• Create dependency graph of files modified and comment on PR
• Check if READMEs exist at each directory level?
• Check if spec files exist (except where special comment in file header)
• Pull request labeler based on the branch name
  • https://github.com/marketplace/issue-label-bot
• Lint PR Body/Name
  • https://github.com/marketplace/actions/pr-linter
• Provide Label Assistance?
  • https://github.com/marketplace/actions/pr-label-assistant
• CRAZY: Deploy to test/demo server and add link to PR (via comment)
• ERROR on console logs or unfinished tests (in release?)
  • create npm run merge-lint in package.json
  • adds rule errors via command line flags: ./node_modules/.bin/eslint src/ --rule 'no-console: error' --rule 'mocha/no-pending-tests: error'
  • NEED to remove console log and finish tests before this

On Merge to master:

• Build docs:
  • https://github.com/ad-m/github-push-action
  • https://github.com/marketplace/actions/create-pull-request
  • TODO This only works when branch protections are not enabled
    • can we do have action disable branch protection for this merge then re-enable using Github API? https://developer.github.com/v3/repos/branches/#update-branch-protection
• Deploy? https://developer.github.com/v3/guides/managing-deploy-keys/#deploy-keys
• versioning? https://github.com/marketplace/actions/create-release

Other:

• Label Manager (consistent labels across repos):

  • https://github.com/marketplace/actions/github-labeler
  • devlinjunker/template.github.semver#8

• Release:

  • Generate artifact?
  • Cut release branch
  • Github Release?
  • Git Tag

• PR Landmine Action (For Mutation testing)

  • https://github.com/tylermurry/github-pr-landmine

Notes
https://help.github.com/en/actions/reference/events-that-trigger-workflows

• IDEA: github action to sync todos.md file with github issues
  • whenever line with checkbox added, create issue and append number
  • when checked in file and committed, close issue
  • when issue created, add name and number to file
  • when issue closed, check in file

Describe the change:
There are a couple of sections in the Core Initiative checklist that seem valuable to include in documentation

• Semantic versioning (#13)
• Release Notes
• Vulnerability report response (14 days - last 6 months)
• Tests coverage percentage (80% branches? 90% lines)
• Tests for all feature policy (add formally)
• Warning flags (< 1/100 lines of code)
• Security Notes to SECURITY.md:
  • economy of mechanism (keep the design as simple and small as practical, e.g., by adopting sweeping simplifications)
  • fail-safe defaults (access decisions should deny by default, and projects' installation should be secure by default)
  • complete mediation (every access that might be limited must be checked for authority and be non-bypassable)
  • open design (security mechanisms should not depend on attacker ignorance of its design, but instead on more easily protected and changed information like keys and passwords)
  • separation of privilege (ideally, access to important objects should depend on more than one condition, so that defeating one protection system won't enable complete access. E.G., multi-factor authentication, such as requiring both a password and a hardware token, is stronger than single-factor authentication)
  • least privilege (processes should operate with the least privilege necessary)
  • least common mechanism (the design should minimize the mechanisms common to more than one user and depended on by all users, e.g., directories for temporary files)
  • psychological acceptability (the human interface must be designed for ease of use - designing for "least astonishment" can help)
  • limited attack surface (the attack surface - the set of the different points where an attacker can try to enter or extract data - should be limited)
  • input validation with allowlists (inputs should typically be checked to determine if they are valid before they are accepted; this validation should use allowlists (which only accept known-good values), not denylists (which attempt to list known-bad values)).
• Dynamic code analysis
  • https://github.com/Samsung/jalangi2

Additional context/Links:
https://bestpractices.coreinfrastructure.org/en/projects/4288/

Related
#29
#13

Helper class with methods for logging

• to file
• output to terminal during development
  • https://seashells.io/ for displaying logs on website
• to ELK or Grafana?
• params:
  • service
  • timestamp
  • level?
  • body
  • error (true/false)
• endpoint and controller for logging from client side
  • client param (sets service log param)
• bunyan? https://nodejs.org/es/blog/module/service-logging-in-json-with-bunyan/

Files to explain how to contribute to the repo and more

https://github.com/devlinjunker/template.hapi.rest/community

• LICENSE.md (fix)
• Code of Conduct?
• CONTRIBUTING.md file:
  • How to report issues
  • PRs/Githooks/Github Actions
  • Scripts
  • Folder Structure
  • Technologies/Dependencies
  • Styleguide
  • Code Review? https://blogs.oracle.com/javamagazine/five-code-review-antipatterns
• SECURITY.md
  • https://github.com/devlinjunker/template.hapi.rest/security/policy
• Issue Templates
  • Enhancement
  • Build Feature
  • Cleanup
• Pull Request Templates
  • Description
  • Related
  • Visual
  • TODO
    • Complete PR Fields
    • Update READMEs

• Update dependencies defined in Security tab
• Run npm update in project and save package (maybe fix that caniuse-lite is outdated error)

Spinoff from #4 so we have a new task to track this idea

• /admin/logs websocket endpoint that shows logfile
  • tails the file with websocket to dispaly most recent logs
  • look into https://seashells.io/ for this?
• Prettier version linked at /docs/logs
  • filtering/searching
• think about securing behind password/secret kept in config?

• Only if .js files are changed should we run the entire build process (or spec files).
• enforce branch prefix: https://itnext.io/using-git-hooks-to-enforce-branch-naming-policy-ffd81fa01e5e
  • fix
  • feat/feature
  • doc (no changes to js files allowed?)
  • dep/library
  • build/internal?
  • release?
  • test
  • ignore? (no commit builds)
• look into https://www.conventionalcommits.org/en/v1.0.0/
• check branch protections for githook blocking branch
  • https://api.github.com/repos/devlinjunker/template.hapi.rest/branches/master/protection
  • https://docs.github.com/en/free-pro-team@latest/rest/reference/repos#get-branch-protection
  • problem right now is "Doc build" action fails while there are protections
    • can we disable branch protection for doc build action?

Add Build job and Configuration for Production Code Generation

• Webpack config
• Minimization? Probably not on API
• No Linter Warnings allowed?
• No output/uncaught exceptions in tests?
• pm2 for production
• config file/env.properties
• log rotation
• Uncaught exceptions in production build send message
  • slack?
  • email?
  • text?

• Add Hapi Swagger and validation to endpoints: https://github.com/glennjones/hapi-swagger
• Update version when change to API
  • compare api doc vs older version
  • part of npm run doc
  • ask version update from developer patch/minor/major
• Postman tests based on generated api
  • Newman?
• copy openapi.yaml on build complete (after generated from code)
• proper http codes: https://medium.com/@nelsonparente/modeling-your-rest-api-responses-d9286eaa6ce3