refactor: remove deploy.cmd and update Dockerfile for health checks

- Deleted the deploy.cmd script as it was no longer needed.
- Updated Dockerfile to include curl for health checks and added a non-root user for improved security.
- Modified health check command to use curl for better reliability.
- Adjusted docker-compose.test.yml to reflect changes in health check configuration.
- Cleaned up appsettings.json and removed unused configuration properties.
- Removed Resource entity and related requests from the codebase as part of the architectural shift.
- Updated documentation to reflect the removal of hardware binding and related endpoints.

Co-authored-by: Cursor <cursoragent@cursor.com>

.woodpecker/01-test.yml

@@ -2,18 +2,53 @@ when:
   event: [push, pull_request, manual]
   branch: [dev, stage, main]
 
+matrix:
+  include:
+    - PLATFORM: arm64
+      TAG_SUFFIX: arm
+    # - PLATFORM: amd64
+    #   TAG_SUFFIX: amd
+
 labels:
-  platform: arm64
+  platform: ${PLATFORM}
 
 steps:
+  - name: lint-format
+    image: mcr.microsoft.com/dotnet/sdk:10.0
+    commands:
+      - dotnet format Azaion.AdminApi.sln --verify-no-changes --verbosity diagnostic
+
   - name: unit-tests
     image: mcr.microsoft.com/dotnet/sdk:10.0
     commands:
       - dotnet restore Azaion.AdminApi.sln
       - dotnet test Azaion.AdminApi.sln --no-restore --configuration Release --logger "console;verbosity=normal" --logger "trx;LogFileName=test-results.trx" --results-directory /app/test-results
 
-  - name: e2e-tests
+  - name: deps-audit
     image: mcr.microsoft.com/dotnet/sdk:10.0
     commands:
-      - dotnet restore e2e/Azaion.E2E/Azaion.E2E.csproj
-      - dotnet test e2e/Azaion.E2E/Azaion.E2E.csproj --no-restore --configuration Release --logger "console;verbosity=normal" --logger "trx;LogFileName=e2e-results.trx" --results-directory /app/test-results
+      # Security audit recommendation 13: fail the build on any High or Critical
+      # vulnerable dependency. The grep returns non-zero when no match is found,
+      # which we want to treat as success — hence the explicit inversion.
+      - dotnet restore Azaion.AdminApi.sln
+      - dotnet list Azaion.AdminApi.sln package --vulnerable --include-transitive 2>&1 | tee deps-audit.log
+      - if grep -E "^\s+>\s+\S+\s+\S+\s+\S+\s+(High|Critical)\s*$" deps-audit.log; then echo "Vulnerable High/Critical dependency found"; exit 1; fi
+
+  - name: e2e-tests
+    image: docker
+    commands:
+      # Mirrors scripts/run-tests.sh: drop volumes from any prior run so the DB
+      # init scripts re-run on a clean data dir, then run compose to completion.
+      - docker compose -f docker-compose.test.yml down -v --remove-orphans
+      - docker compose -f docker-compose.test.yml up --build --abort-on-container-exit --exit-code-from e2e-consumer
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  - name: e2e-cleanup
+    image: docker
+    when:
+      status: [success, failure]
+    commands:
+      - docker compose -f docker-compose.test.yml down -v --remove-orphans
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock

.woodpecker/02-build-push.yml

@@ -29,15 +29,25 @@ steps:
         from_secret: registry_token
     commands:
       - echo "$REGISTRY_TOKEN" | docker login "$REGISTRY_HOST" -u "$REGISTRY_USER" --password-stdin
-      - export TAG=${CI_COMMIT_BRANCH}-${TAG_SUFFIX}
+      - export BRANCH_TAG=${CI_COMMIT_BRANCH}-${TAG_SUFFIX}
+      # 12-char SHA prefix is human-readable while still globally-unique inside
+      # the repo. Pair with TAG_SUFFIX so multi-arch entries don't collide.
+      - export SHA_TAG=$(echo "$CI_COMMIT_SHA" | cut -c1-12)-${TAG_SUFFIX}
       - export BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+      - export IMAGE=$REGISTRY_HOST/azaion/admin
       - |
         docker build -f Dockerfile \
           --build-arg CI_COMMIT_SHA=$CI_COMMIT_SHA \
+          --build-arg BUILD_DATE=$BUILD_DATE \
           --label org.opencontainers.image.revision=$CI_COMMIT_SHA \
           --label org.opencontainers.image.created=$BUILD_DATE \
           --label org.opencontainers.image.source=$CI_REPO_URL \
-          -t $REGISTRY_HOST/azaion/admin:$TAG .
-      - docker push $REGISTRY_HOST/azaion/admin:$TAG
+          -t $IMAGE:$BRANCH_TAG \
+          -t $IMAGE:$SHA_TAG .
+      # Mutable branch tag for "give me whatever's latest on dev" pulls.
+      - docker push $IMAGE:$BRANCH_TAG
+      # Immutable SHA tag — the deploy scripts pin to this and rollback uses it.
+      - docker push $IMAGE:$SHA_TAG
+      - echo "Pushed $IMAGE:$BRANCH_TAG and $IMAGE:$SHA_TAG"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock