leanstacks · mwarman · Feb 19, 2026 · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026
diff --git a/.env.example b/.env.example
@@ -1,12 +1,11 @@
-
 ############################################################
 # Example .env file for NestJS Starter
 #
 # Copy this file to `.env` and adjust values as needed.
 #
 # This file defines environment variables used to configure
 # the application at runtime. Variables can be accessed via
-# process.env or configuration libraries.
+# the configuration service.
 ############################################################
 
 # Application Settings

diff --git a/.github/ISSUE_TEMPLATE/bug.md → .github/ISSUE_TEMPLATE/BUG.md b/.github/ISSUE_TEMPLATE/bug.md → .github/ISSUE_TEMPLATE/BUG.md
diff --git a/.github/ISSUE_TEMPLATE/story.md → .github/ISSUE_TEMPLATE/STORY.md b/.github/ISSUE_TEMPLATE/story.md → .github/ISSUE_TEMPLATE/STORY.md
diff --git a/.github/ISSUE_TEMPLATE/task.md → .github/ISSUE_TEMPLATE/TASK.md b/.github/ISSUE_TEMPLATE/task.md → .github/ISSUE_TEMPLATE/TASK.md
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,4 +1,4 @@
-name: Continuous Integration
+name: CI
 
 on:
   pull_request:
@@ -21,10 +21,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: 'npm'
@@ -63,7 +63,7 @@ jobs:
           echo "${{ vars.CDK_ENV_DEV }}" > .env
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: ${{ vars.AWS_ROLE_ARN_DEV }}
           role-session-name: ci-nestjs-starter

diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -9,6 +9,7 @@ on:
     branches: [main]
     paths:
       - 'src/**'
+      - 'infrastructure/**'
       - 'package.json'
       - 'tsconfig.json'
       - '.github/workflows/**'
@@ -21,12 +22,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0 # Full history for better analysis
 
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: 'npm'
@@ -110,7 +111,7 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "## Security Audit" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          npm audit --audit-level=moderate > security-output.txt 2>&1 || true
+          npm audit --audit-level moderate --omit dev > security-output.txt 2>&1 || true
 
           if grep -q "found 0 vulnerabilities" security-output.txt; then
             echo "✅ No security vulnerabilities found" >> $GITHUB_STEP_SUMMARY
@@ -138,6 +139,98 @@ jobs:
             echo "✅ All packages are up to date" >> $GITHUB_STEP_SUMMARY
           fi
 
+      - name: Install infrastructure dependencies
+        working-directory: ./infrastructure
+        run: npm ci
+
+      - name: Run infrastructure tests with detailed coverage
+        working-directory: ./infrastructure
+        run: |
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "## Infrastructure Test Coverage Analysis" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          npm run test:coverage -- --silent --verbose
+
+          # Extract coverage summary
+          if [ -f coverage/coverage-summary.json ]; then
+            echo "### Coverage Summary:" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+
+            # Use Node.js to parse JSON and create a table
+            node -e "
+              const fs = require('fs');
+              const coverage = JSON.parse(fs.readFileSync('coverage/coverage-summary.json', 'utf8'));
+              const total = coverage.total;
+
+              console.log('| Metric | Percentage | Covered/Total |');
+              console.log('|--------|------------|---------------|');
+              console.log(\`| Lines | \${total.lines.pct}% | \${total.lines.covered}/\${total.lines.total} |\`);
+              console.log(\`| Functions | \${total.functions.pct}% | \${total.functions.covered}/\${total.functions.total} |\`);
+              console.log(\`| Branches | \${total.branches.pct}% | \${total.branches.covered}/\${total.branches.total} |\`);
+              console.log(\`| Statements | \${total.statements.pct}% | \${total.statements.covered}/\${total.statements.total} |\`);
+            " >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Infrastructure build check
+        working-directory: ./infrastructure
+        run: |
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "## Infrastructure Build" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          npm run build > infra-tsc-output.txt 2>&1
+          if [ $? -eq 0 ]; then
+            echo "✅ Build successful" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "❌ Build failed:" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            cat infra-tsc-output.txt >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Infrastructure security audit
+        working-directory: ./infrastructure
+        run: |
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "## Infrastructure Security Audit" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          npm audit --audit-level moderate --omit dev > infra-security-output.txt 2>&1 || true
+
+          if grep -q "found 0 vulnerabilities" infra-security-output.txt; then
+            echo "✅ No security vulnerabilities found" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "⚠️ Security vulnerabilities detected:" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            cat infra-security-output.txt >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Infrastructure package analysis
+        working-directory: ./infrastructure
+        run: |
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "## Infrastructure Package Analysis" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          # Check for outdated packages
+          echo "### Outdated Packages:" >> $GITHUB_STEP_SUMMARY
+          npm outdated > infra-outdated-output.txt 2>&1 || true
+          if [ -s infra-outdated-output.txt ]; then
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            cat infra-outdated-output.txt >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+          else
+            echo "✅ All packages are up to date" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Clean up sensitive files
+        if: always()
+        run: |
+          echo "🧹 Cleaning up sensitive files..."
+          rm -f .env
+          rm -f infrastructure/.env
+          rm -rf infrastructure/cdk.out
+          echo "✅ Sensitive files cleaned up"
+
       - name: Archive test results
         if: always()
         uses: actions/upload-artifact@v4
@@ -148,7 +241,9 @@ jobs:
             eslint-output.txt
             prettier-output.txt
             tsc-output.txt
-            infra-tsc-output.txt
             security-output.txt
             outdated-output.txt
+            infra-tsc-output.txt
+            infra-security-output.txt
+            infra-outdated-output.txt
           retention-days: 7
diff --git a/.github/workflows/release-reusable.yml b/.github/workflows/release-reusable.yml
@@ -37,18 +37,18 @@ jobs:
     steps:
       # Step 1: Checkout repository
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       # Step 2: Setup Node.js using .nvmrc
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: 'npm'
 
       # Step 3: Configure AWS credentials
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: ${{ inputs.aws_role_arn }}
           role-session-name: release-nestjs-starter-${{ inputs.environment }}

diff --git a/.github/workflows/tag-image.yml b/.github/workflows/tag-image.yml
@@ -37,7 +37,7 @@ jobs:
     steps:
       # Step 1: Configure AWS credentials
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: ${{ inputs.environment == 'dev' && vars.AWS_ROLE_ARN_DEV || inputs.environment == 'qa' && vars.AWS_ROLE_ARN_QA || vars.AWS_ROLE_ARN_PRD }}
           role-session-name: tag-ecr-image-${{ inputs.environment }}

diff --git a/.github/workflows/teardown-manual.yml b/.github/workflows/teardown-manual.yml
@@ -29,18 +29,18 @@ jobs:
     steps:
       # Step 1: Checkout repository
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       # Step 2: Setup Node.js using .nvmrc
       - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: 'npm'
 
       # Step 3: Configure AWS credentials
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: ${{ inputs.environment == 'dev' && vars.AWS_ROLE_ARN_DEV || inputs.environment == 'qa' && vars.AWS_ROLE_ARN_QA || vars.AWS_ROLE_ARN_PRD }}
           role-session-name: teardown-nestjs-starter-${{ inputs.environment }}

diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-24.13.0
+24.13.1
diff --git a/infrastructure/.env.example b/infrastructure/.env.example
@@ -1,5 +1,12 @@
-# Environment configuration for AWS CDK
-# Copy this file to .env and update with your specific values
+############################################################
+# Example .env file for NestJS Starter AWS CDK
+#
+# Copy this file to `.env` and adjust values as needed.
+#
+# This file defines environment variables used to configure
+# the AWS CDK infrastructure at runtime. Variables can be 
+# accessed via the configuration utility.
+############################################################
 
 # AWS Account and Region
 # Optional: If not set, CDK will use the default AWS CLI configured account and region

diff --git a/infrastructure/jest.config.ts b/infrastructure/jest.config.ts
@@ -10,7 +10,7 @@ const config: Config = {
   },
   collectCoverageFrom: ['utils/**/*.ts', 'stacks/**/*.ts'],
   coverageDirectory: 'coverage',
-  coverageReporters: ['text', 'lcov', 'html', 'json'],
+  coverageReporters: ['text', 'lcov', 'html', 'json', 'json-summary'],
   // CDK-specific settings
   testTimeout: 30000, // CDK tests can take longer
   setupFilesAfterEnv: ['<rootDir>/jest.setup.ts'],