chore: determine formbricks version on release (#4985 )

feat: optional cron jobs check (#4966 )
fix: Harden GitHub Actions (#4982 )
2025-12-24 15:10:36 -06:00 · 2025-03-18 11:49:12 +01:00 · 2025-03-18 10:13:31 +00:00 · 2025-03-18 11:23:10 +01:00
16 changed files with 83 additions and 88 deletions
--- a/.env.example
+++ b/.env.example
@@ -97,6 +97,9 @@ PASSWORD_RESET_DISABLED=1
 # Organization Invite. Disable the ability for invited users to create an account.
 # INVITE_DISABLED=1

+# Docker cron jobs. Disable the supercronic cron jobs in the Docker image (useful for cluster setups).
+# DOCKER_CRON_ENABLED=1
+
 ##########
 # Other  #
 ##########
--- a/.github/workflows/cron-surveyStatusUpdate.yml
+++ b/.github/workflows/cron-surveyStatusUpdate.yml
@@ -19,7 +19,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit

--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -142,7 +142,7 @@ jobs:
          path: playwright-report/
          retention-days: 30

-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
        if: failure()
        with:
          name: app-logs
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -1,67 +0,0 @@
-name: Prepare release
-run-name: Prepare release ${{ inputs.next_version }}
-
-on:
-  workflow_dispatch:
-    inputs:
-      next_version:
-        required: true
-        type: string
-        description: "Version name"
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  prepare_release:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-
-      - uses: ./.github/actions/dangerous-git-checkout
-
-      - name: Configure git
-        run: |
-          git config --local user.email "github-actions@github.com"
-          git config --local user.name "GitHub Actions"
-
-      - name: Setup Node.js 20.x
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
-        with:
-          node-version: 20.x
-
-      - name: Install pnpm
-        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2
-
-      - name: Install dependencies
-        run: pnpm install --config.platform=linux --config.architecture=x64
-
-      - name: Bump version
-        run: |
-          cd apps/web
-          pnpm version ${{ inputs.next_version }} --no-workspaces-update
-
-      - name: Commit changes and create a branch
-        run: |
-          branch_name="release-v${{ inputs.next_version }}"
-          git checkout -b "$branch_name"
-          git add .
-          git commit -m "chore: release v${{ inputs.next_version }}"
-          git push origin "$branch_name"
-
-      - name: Create pull request
-        run: |
-          gh pr create \
-            --base main \
-            --head "release-v${{ inputs.next_version }}" \
-            --title "chore: bump version to v${{ inputs.next_version }}" \
-            --body "This PR contains the changes for the v${{ inputs.next_version }} release."
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/release-docker-github.yml
+++ b/.github/workflows/release-docker-github.yml
@@ -42,6 +42,18 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

+      - name: Get Release Tag
+        id: extract_release_tag
+        run: |
+          TAG=${{ github.ref }}
+          TAG=${TAG#refs/tags/v}
+          echo "RELEASE_TAG=$TAG" >> $GITHUB_ENV
+
+      - name: Update package.json version
+        run: |
+          sed -i "s/\"version\": \"0.0.0\"/\"version\": \"${{ env.RELEASE_TAG }}\"/" ./apps/web/package.json
+          cat ./apps/web/package.json | grep version
+
      - name: Set up Depot CLI
        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0

--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@@ -27,6 +27,18 @@ jobs:
      - name: Checkout Repo
        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0

+      - name: Get Release Tag
+        id: extract_release_tag
+        run: |
+          TAG=${{ github.ref }}
+          TAG=${TAG#refs/tags/v}
+          echo "RELEASE_TAG=$TAG" >> $GITHUB_ENV
+
+      - name: Update package.json version
+        run: |
+          sed -i "s/\"version\": \"0.0.0\"/\"version\": \"${{ env.RELEASE_TAG }}\"/" ./apps/web/package.json
+          cat ./apps/web/package.json | grep version
+
      - name: Log in to Docker Hub
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
@@ -36,13 +48,6 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0

-      - name: Get Release Tag
-        id: extract_release_tag
-        run: |
-          TAG=${{ github.ref }}
-          TAG=${TAG#refs/tags/v}
-          echo "RELEASE_TAG=$TAG" >> $GITHUB_ENV
-
      - name: Build and push Docker image
        uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
        with:
--- a/.github/workflows/release-helm-chart.yml
+++ b/.github/workflows/release-helm-chart.yml
@@ -5,6 +5,9 @@ on:
    types:
      - published

+permissions:
+  contents: read
+
 jobs:
  publish:
    runs-on: ubuntu-latest
@@ -12,14 +15,19 @@ jobs:
      packages: write
      contents: read
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Extract release version
        run: echo "VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV

      - name: Set up Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
        with:
          version: latest

@@ -27,7 +35,7 @@ jobs:
        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io --username ${{ github.actor }} --password-stdin

      - name: Install YQ
-        uses: dcarbone/install-yq-action@v1.3.1
+        uses: dcarbone/install-yq-action@4075b4dca348d74bd83f2bf82d30f25d7c54539b # v1.3.1

      - name: Update Chart.yaml with new version
        run: |
--- a/.github/workflows/terrafrom-plan-and-apply.yml
+++ b/.github/workflows/terrafrom-plan-and-apply.yml
@@ -19,17 +19,22 @@ jobs:
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
          aws-region: "eu-central-1"

      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2

      - name: Terraform Format
        id: fmt
@@ -53,7 +58,7 @@ jobs:
        working-directory: infra/terraform

      - name: Post PR comment
-        uses: borchero/terraform-plan-comment@v2
+        uses: borchero/terraform-plan-comment@3399d8dbae8b05185e815e02361ede2949cd99c4 # v2.4.0
        if: always() && github.ref != 'refs/heads/main' && (steps.validate.outcome == 'success' || steps.validate.outcome == 'failure')
        with:
          token: ${{ github.token }}
--- a/apps/web/Dockerfile
+++ b/apps/web/Dockerfile
@@ -111,7 +111,12 @@ VOLUME /home/nextjs/apps/web/uploads/
 RUN mkdir -p /home/nextjs/apps/web/saml-connection
 VOLUME /home/nextjs/apps/web/saml-connection

-CMD supercronic -quiet /app/docker/cronjobs & \
+CMD if [ "${DOCKER_CRON_ENABLED:-1}" = "1" ]; then \
+      echo "Starting cron jobs..."; \
+      supercronic -quiet /app/docker/cronjobs & \
+    else \
+      echo "Docker cron jobs are disabled via DOCKER_CRON_ENABLED=0"; \
+    fi; \
    (cd packages/database && npm run db:migrate:deploy) && \
    (cd packages/database && npm run db:create-saml-database:deploy) && \
    exec node apps/web/server.js
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@formbricks/web",
-  "version": "3.4.0",
+  "version": "0.0.0",
  "private": true,
  "scripts": {
    "clean": "rimraf .turbo node_modules .next",
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -69,6 +69,9 @@ x-environment: &environment
    # Set the below to your Unsplash API Key for their Survey Backgrounds
    # UNSPLASH_ACCESS_KEY:

+    # Set the below to 0 to disable cron jobs
+    # DOCKER_CRON_ENABLED: 1
+
    ################################################### OPTIONAL (STORAGE) ###################################################

    # Set the below to set a custom Upload Directory
--- a/docs/self-hosting/configuration/environment-variables.mdx
+++ b/docs/self-hosting/configuration/environment-variables.mdx
@@ -59,9 +59,10 @@ These variables are present inside your machine’s docker-compose file. Restart
 | OIDC_ISSUER                  | Issuer URL for Custom OpenID Connect Provider (should have .well-known configured at this)                     | optional (required if OIDC auth is enabled)             |                                                                           |
 | OIDC_SIGNING_ALGORITHM       | Signing Algorithm for Custom OpenID Connect Provider                                                           | optional                                                | RS256                                                                     |
 | OPENTELEMETRY_LISTENER_URL   | URL for OpenTelemetry listener inside Formbricks.                                                              | optional                                                |                                                                           |
-| UNKEY_ROOT_KEY               | Key for the [Unkey](https://www.unkey.com/) service. This is used for Rate Limiting for management API.                                                              | optional                                                |                                                                           |
+| UNKEY_ROOT_KEY               | Key for the [Unkey](https://www.unkey.com/) service. This is used for Rate Limiting for management API.        | optional                                                |                                                                           |
 | CUSTOM_CACHE_DISABLED        | Disables custom cache handler if set to 1 (required for deployment on Vercel)                                  | optional                                                |                                                                           |
 | PROMETHEUS_ENABLED           | Enables Prometheus metrics if set to 1.                                                                        | optional                                                |                                                                           |
-| PROMETHEUS_EXPORTER_PORT     | Port for Prometheus metrics.                                                                                   | optional                                                | 9090                                                                      |                                                                                    | optional                                                |                                                                           |
+| PROMETHEUS_EXPORTER_PORT     | Port for Prometheus metrics.                                                                                   | optional                                                | 9090                                                                      |
+| DOCKER_CRON_ENABLED          | Controls whether cron jobs run in the Docker image. Set to 0 to disable (useful for cluster setups).           | optional                                                | 1                                                                         |

 Note: If you want to configure something that is not possible via above, please open an issue on our GitHub repo here or reach out to us on Github Discussions and we’ll try our best to work out a solution with you.
--- a/docs/self-hosting/setup/cluster-setup.mdx
+++ b/docs/self-hosting/setup/cluster-setup.mdx
@@ -160,6 +160,19 @@ When using S3 in a cluster setup, ensure that:
 - The bucket has appropriate CORS settings configured
 - IAM roles/users have sufficient permissions for read/write operations

+## Disabling Docker Cron Jobs
+
+When running Formbricks in a cluster setup, you should disable the built-in cron jobs in the Docker image to prevent them from running on multiple instances simultaneously. Instead, you should set up cron jobs in your orchestration system (like Kubernetes) to run on a single instance or as separate jobs.
+
+To disable the Docker cron jobs, set the following environment variable:
+
+```sh env
+# Disable Docker cron jobs (0 = disabled, 1 = enabled)
+DOCKER_CRON_ENABLED=0
+```
+
+This will prevent the cron jobs from starting in the Docker container while still allowing all other Formbricks functionality to work normally.
+
 ## Kubernetes Setup

 Formbricks provides an official Helm chart for deploying the entire cluster stack on Kubernetes. The Helm chart is available in the [Formbricks GitHub repository](https://github.com/formbricks/formbricks/tree/main/helm-chart).
@@ -167,6 +180,7 @@ Formbricks provides an official Helm chart for deploying the entire cluster stac
 ### Features of the Helm Chart

 The Helm chart provides a complete deployment solution that includes:
+
 - Formbricks application with configurable replicas
 - PostgreSQL database (with optional HA configuration)
 - Redis cluster for caching
@@ -176,12 +190,14 @@ The Helm chart provides a complete deployment solution that includes:
 ### Installation Steps

 1. Add the Formbricks Helm repository:
+
 ```sh
 helm repo add formbricks https://raw.githubusercontent.com/formbricks/formbricks/main/helm-chart
 helm repo update
 ```

 2. Install the chart:
+
 ```sh
 helm install formbricks formbricks/formbricks
 ```
@@ -189,6 +205,7 @@ helm install formbricks formbricks/formbricks
 ### Configuration Options

 The Helm chart can be customized using a `values.yaml` file to configure:
+
 - Number of Formbricks replicas
 - Resource limits and requests
 - Database configuration
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -296,4 +296,4 @@ postgresql:
    containerSecurityContext:
      enabled: true
      runAsUser: 1001
-      readOnlyRootFilesystem: false
+      readOnlyRootFilesystem: false
--- a/packages/lib/env.ts
+++ b/packages/lib/env.ts
@@ -22,6 +22,7 @@ export const env = createEnv({
    BREVO_LIST_ID: z.string().optional(),
    DATABASE_URL: z.string().url(),
    DEBUG: z.enum(["1", "0"]).optional(),
+    DOCKER_CRON_ENABLED: z.enum(["1", "0"]).optional(),
    DEFAULT_ORGANIZATION_ID: z.string().optional(),
    DEFAULT_ORGANIZATION_ROLE: z.enum(["owner", "manager", "member", "billing"]).optional(),
    E2E_TESTING: z.enum(["1", "0"]).optional(),
@@ -153,6 +154,7 @@ export const env = createEnv({
    DEBUG: process.env.DEBUG,
    DEFAULT_ORGANIZATION_ID: process.env.DEFAULT_ORGANIZATION_ID,
    DEFAULT_ORGANIZATION_ROLE: process.env.DEFAULT_ORGANIZATION_ROLE,
+    DOCKER_CRON_ENABLED: process.env.DOCKER_CRON_ENABLED,
    E2E_TESTING: process.env.E2E_TESTING,
    EMAIL_AUTH_DISABLED: process.env.EMAIL_AUTH_DISABLED,
    EMAIL_VERIFICATION_DISABLED: process.env.EMAIL_VERIFICATION_DISABLED,
--- a/turbo.json
+++ b/turbo.json
@@ -94,6 +94,7 @@
        "BREVO_LIST_ID",
        "DEFAULT_ORGANIZATION_ID",
        "DEFAULT_ORGANIZATION_ROLE",
+        "DOCKER_CRON_ENABLED",
        "CRON_SECRET",
        "CUSTOM_CACHE_DISABLED",
        "DATABASE_URL",
Author	SHA1	Message	Date
Matti Nannt	ca5ea315d6	chore: determine formbricks version on release (#4985 )	2025-03-18 11:49:12 +01:00
Piyush Gupta	646fe9c67f	feat: optional cron jobs check (#4966 )	2025-03-18 10:13:31 +00:00
StepSecurity Bot	6a123a2399	fix: Harden GitHub Actions (#4982 ) Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>	2025-03-18 11:23:10 +01:00