
npm: add basic example from sample-nodejs-app#3

Open

derasdf wants to merge 2 commits into hermetoproject:npm-basic from derasdf:npm-basic

Conversation


@derasdf derasdf commented Feb 5, 2026

Migrate the basic npm sample from cachito-testing/sample-nodejs-app to doc-examples and adapt it to use Hermeto for npm dependencies.

@gemini-code-assist

Summary of Changes

Hello @derasdf, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a comprehensive example demonstrating the integration of Hermeto with a Node.js application using npm for dependency management. The primary goal is to illustrate how to achieve reproducible and offline builds by leveraging Hermeto's capabilities to manage and inject dependencies, ensuring that the application can be built within a container without external network access for package resolution. This addition enhances the documentation with a practical, runnable scenario for npm users.

Highlights

  • New npm example: A new basic npm example has been added, demonstrating how to manage Node.js dependencies with Hermeto.
  • Migration from existing sample: The example was migrated from the cachito-testing/sample-nodejs-app repository and adapted for doc-examples.
  • Hermeto integration: The example showcases the use of Hermeto for pre-fetching npm dependencies, generating environment variables, and injecting project files to enable offline builds.
  • Containerization setup: A Containerfile and .dockerignore have been added to facilitate building and running the Node.js application within a container, ensuring network-less dependency resolution during the build process.
  • Updated documentation: The README.md file has been extensively updated with step-by-step instructions for setting up, building, and running the example using Hermeto and Podman.


Changelog
  • .dockerignore
    • Added a new .dockerignore file to exclude .git and node_modules directories from the Docker build context.
  • Containerfile
    • Added a new Containerfile to define the Docker image for the Node.js application, using node:18 as the base image, setting up a working directory, copying files, running npm install, exposing port 9000, and defining the startup command.
  • README.md
    • Completely rewrote the README.md to provide detailed instructions for the npm example, including commands for hermeto fetch-deps, hermeto generate-env, hermeto inject-files, and podman build/run.
  • index.js
    • Added a new index.js file containing a basic Express.js application that listens on port 9000 and responds with 'Hello Dude!'.
  • package-lock.json
    • Added a new package-lock.json file, generated by npm, detailing the exact versions and dependencies for the express package.
  • package.json
    • Added a new package.json file, defining the basic Node.js project with express as a dependency.
Activity
  • No human activity (comments, reviews) has been recorded on this pull request yet.

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request adds a basic npm example. The changes are generally good, but I've identified several areas for improvement regarding Docker best practices, documentation clarity, and Node.js project conventions. My comments include suggestions to optimize the Docker build, enhance security by running as a non-root user, correct the example's usage instructions, fix a typo, and add a standard start script.

RUN npm install --verbose

EXPOSE 9000
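Review bot: `RUN npm install --verbose` should be `RUN npm ci --verbose` in this hunk, because the PR adds a package-lock.json and the README builds with `--network none`: `npm ci` installs exactly what the lockfile records and fails if package.json and the lockfile disagree, whereas `npm install` may re-resolve and rewrite the lockfile, which undercuts the reproducible, offline build this example exists to demonstrate.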


high

For security, it's a best practice to run containers with a non-root user. The official node images include a node user for this purpose. You can switch to this user here before the CMD instruction.

USER node

Comment on lines +5 to +7
COPY . .

RUN npm install --verbose


medium

To optimize Docker build times, you should leverage layer caching for dependencies. The current setup copies all files before running npm install, which means any code change will invalidate the cache for the npm install layer.

A better approach is to copy only the package.json and package-lock.json files, install dependencies, and then copy the rest of the application code.

I'd suggest changing this part of the Containerfile to:

COPY package*.json ./
RUN npm install --verbose
COPY . .

Comment on lines +52 to +57
podman build . \
--volume "$(realpath ./hermeto-output)":/tmp/hermeto-output:Z \
--volume "$(realpath ./hermeto.env)":/tmp/hermeto.env:Z \
--network none \
--tag npm-basic-example
```
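Review bot: the README should state what `--network none` buys the reader at this point: with no network, every package has to come from the mounted `/tmp/hermeto-output`, so an `npm install` failure during `podman build` is the signal that a dependency was not prefetched by `hermeto fetch-deps`, not something to work around by dropping the flag. A one-line note that the `:Z` volume suffix is the SELinux relabel and is harmless on hosts without SELinux would also save readers a question.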


medium

The podman build command mounts hermeto.env, but the Containerfile doesn't use it. The RUN npm install step won't pick up any environment variables from that file.

To make this example work as intended (especially if hermeto.env contains variables in the future), the Containerfile should be modified to source this file. For example:

RUN . /tmp/hermeto.env && npm install --verbose

Since the README states that this file might be used in the future, the example should demonstrate its correct usage.

index.js Outdated

app.get("/", (req, res) => res.send("Hello Dude!"));

app.listen(port, () => console.log(`App started o port ${port}...`)); No newline at end of file


medium

There's a typo in the log message ('o' should be 'on'). Also, it's a common convention to end files with a newline character.

Suggested change
app.listen(port, () => console.log(`App started o port ${port}...`));
app.listen(port, () => console.log(`App started on port ${port}...`));

"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"


medium

It's a good practice to add a start script to define how to run the application. This is idiomatic in Node.js projects and makes it easier for others to run the app. You could then change the CMD in your Containerfile to CMD ["npm", "start"].

    "start": "node index.js",
    "test": "echo \"Error: no test specified\" && exit 1"
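A Containerfile that applies the review points above together (dependency layer before the application code, `hermeto.env` sourced in the same shell as the install, non-root `node` user, `npm start`), written here as an added illustration rather than the PR's own file. It assumes the README's `podman build --volume` mounts at `/tmp/hermeto.env` and `/tmp/hermeto-output`, that `hermeto.env` is sourceable by a POSIX shell (this page does not show its contents), and that package.json gains the suggested `start` script.

```dockerfile
FROM node:18

WORKDIR /app

# Manifest and lockfile first, so the install layer stays cached until they change.
COPY package*.json ./

# Source the Hermeto env file in the same shell as the install so its variables
# actually reach npm; `npm ci` installs the lockfile as-is and fails instead of
# re-resolving, which is what an offline (--network none) build needs.
# Assumption: /tmp/hermeto.env is mounted by `podman build --volume` as in the README.
RUN . /tmp/hermeto.env && npm ci --verbose

# Application code last; .dockerignore keeps .git and node_modules out of the context.
COPY . .

EXPOSE 9000

# Drop root before the process starts; the official node image ships this user.
USER node

# Relies on the `start` script suggested for package.json ("node index.js").
CMD ["npm", "start"]
```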


@a-ovchinnikov a-ovchinnikov left a comment


LGTM: migration comes first, cleanup after that (a typo in a message is safe to fix now though).

Migrate the basic npm sample from cachito-testing/sample-nodejs-app to doc-examples and adapt it to use Hermeto for npm dependencies.

Signed-off-by: Vladimir Aleksandrov <valeksan@redhat.com>
Signed-off-by: Vladimir Aleksandrov <valeksan@redhat.com>