A small end-to-end demo of a static site on Firebase Hosting calling a serverless REST API (Cloud Functions v2 + Express) that stores comments in Firestore.
This repo is designed to show more than a basic Firebase demo. It demonstrates a small deployed cloud application with live runtime verification, multiple automated API assurance layers, a narrow but real Infrastructure as Code (IaC) slice, and practical security/dependency hygiene.
For reviewers: Start with v1.13.0 – Review Snapshot (stable). The
mainbranch may include ongoing updates. Initial snapshot: v1.0.0.
Reviewer tip: GitHub README links open in the same tab. Use Ctrl+click on Windows or Cmd+click on macOS to open reviewer links in a new tab.
- A deployed end-to-end Firebase application using Hosting, Cloud Functions v2, and Firestore
- API documentation and contract visibility through OpenAPI and Swagger UI
- Multiple automated verification layers including Jest, Pact, Playwright, Newman, and a Go deployed smokecheck
- Basic Infrastructure as Code and CI/CD-oriented project hygiene
- Security-minded practices including CodeQL, Dependency Review, Dependabot, controlled CORS configuration, and failure-only Slack alerts
- Completed a broad Dependabot maintenance pass across runtime dependencies, transitive packages, developer tooling, and GitHub Actions security workflow components
- Updated key production dependencies including
firebase-adminfrom 13.8.0 to 13.10.0 andexpress-rate-limitfrom 8.3.2 to 8.5.2, alongside supporting indirect dependency refreshes forip-address,fast-xml-parser,fast-xml-builder,protobufjs,@protobufjs/utf8, andaxios - Updated test and development tooling including
eslint,@pact-foundation/pact,jest, andfirebase-functions-test, and upgradedactions/dependency-review-actionfrom v4 to v5 - Resolved the remaining reported Dependabot vulnerability through the completed upstream dependency refresh, with the repository security dashboard returning to 0 open security and quality items
- Refreshed the README reviewer path and release summary for
v1.13.0
Previous release highlights
- v1.12.0 – Cleared the open Dependabot vulnerability alerts affecting
/functionsdependencies by merging theaxiosandfollow-redirectsupdates, merged routine dependency maintenance updates forfirebase-functionsandfirebase-admin, re-verified that Dependabot vulnerability alerts showed 0 open after the updates, re-verified recentmainbranch GitHub Actions workflow runs passed, and refreshed the README reviewer path and release summary. - v1.11.0 – Added rate limiting to
POST /commentsand/api/commentsusingexpress-rate-limit, added automated test coverage for429 Too Many Requests, tracked and deployed deny-allfirestore.rulesfor client access, corrected Firebase project mapping toassignment4-54794, merged dependency maintenance updates forfirebase-functions,eslint, andlodash, and re-verified the live site, comment posting flow, and/api/health. - v1.10.2 – Cleared the open Dependabot security alerts affecting
/functionsdependencies, merged dependency maintenance updates forpath-to-regexp,brace-expansion, andpicomatch, re-verified that Dependabot vulnerability alerts show 0 open at release time, re-verified that Dependabot malware alerts show 0 open at release time, re-verified that Code scanning alerts show 0 open at release time, re-verified that Secret scanning alerts show 0 open at release time, and updated the Postman Newman workflow to useactions/checkout@v6andactions/setup-node@v6. - v1.10.1 – Fixed Firebase Hosting custom-domain rewrites for
/apiand/api/*, re-verified the live custom-domain API responses, and refreshed reviewer setup notes for Node.js 22, first-run Playwright, and opening README links in a new tab. - v1.10.0 – Added a custom-domain reviewer path under
firebase.stephendaly.dev, added same-host API routing under/api/*, switched the front-end comments UI to the same-host/apipath, updated the hosted OpenAPI production server, added a front-endLoad morecontrol, removed placeholder copyright text from the footer, and refreshed reviewer links and Postman evidence references. - v1.9.1 – Cleared open Dependabot security alerts, refreshed reviewer documentation, updated operational evidence, and re-verified the deployed API.
- v1.9.0 – Added Cloud Logging and Cloud Monitoring to the Terraform service set, added TFLint to the Terraform workflow, added Terraform outputs for project ID and region, removed unused Terraform variables, tightened Terraform documentation, and kept Terraform intentionally narrow in scope.
- v1.8.1 – Aligned the OpenAPI comment contract, corrected the
POST /commentsresponse, improved the reviewer path, corrected the Terraform default region, and applied a safe dependency refresh. - v1.8.0 – Added OpenAPI 3.0, Swagger UI, Postman collection, Postman environment, and a Newman GitHub Actions workflow.
- v1.7.0 – Hardened the Go smokecheck, added unit tests, enforced
gofmt/go vet/go test, and tightened CORS with an allowlist. - v1.6.1 – Replaced the old Terraform placeholder with real GCP service enablement.
- v1.6.0 – Added Pact consumer and provider contract tests.
- v1.5.0 – Added TypeScript Playwright deployed API automation checks.
- v1.4.0 – Added CodeQL, Dependency Review,
SECURITY.md, and dependency hygiene updates. - v1.3.1 – Improved reviewer path, evidence callout, and local quick start.
- v1.3.0 – Strengthened the review snapshot with better reviewer flow and clearer operational evidence.
- v1.2.0 – Added the deployed API smokecheck workflow and architecture/pipeline diagrams.
- v1.1.1 – Fixed review snapshot wording for consistency.
- v1.1.0 – Added the Terraform scaffold with CI format and validation checks.
- v1.0.0 – Created the initial stable review snapshot for the live Firebase Hosting + Cloud Functions + Firestore demo.
- Open the Live demo and submit a comment to verify the full flow from UI -> API -> Firestore -> UI.
- Open Swagger UI to inspect the live API contract and try the endpoints interactively.
- Open the Go smokecheck workflow to see automated runtime verification of the live deployment.
- Review the Evidence section below for the GitHub Actions smokecheck run and the Slack failure alert.
- Open the OpenAPI YAML directly if you want the raw contract file used by Swagger UI.
- Hit the API health check endpoint and confirm you receive
200 OK. - Review
functions/for API implementation and tests, thentools/smokecheck-go/for the Go runtime check. - Review
automation-tests-ts/for TypeScript API automation checks against the deployed endpoint.
- Website (Firebase Hosting): https://firebase.stephendaly.dev/
- Swagger UI (live): https://firebase.stephendaly.dev/swagger/
- OpenAPI YAML (live): https://firebase.stephendaly.dev/openapi/openapi.yaml
- API health check: https://firebase.stephendaly.dev/api/health
UI note: The front-end is intentionally minimal and acts as a lightweight test harness to demonstrate end-to-end data flow and API operation rather than UI/UX polish. UI note: The comments section now shows the first 5 comments initially and reveals more with a
Load morebutton to keep the page readable. Docs note: Swagger UI and the hosted OpenAPI YAML are included so reviewers can validate the API quickly without needing to inspect the repo first. Custom domain note: the deployed public reviewer path now usesfirebase.stephendaly.dev, with the API served under the same host via/api/*.
- Runtime verification: a scheduled and manual Go deployed smokecheck validates the deployed
/api/healthendpoint (not just unit tests). - Go workflow quality gates: the smokecheck workflow also runs
gofmt,go vet, andgo testbefore executing the deployed runtime check. - Failure visibility: on smokecheck failure, a Slack alert posts to
#ci-alerts(failure-only, no success spam). - CI quality gates: lint + tests run on pushes and pull requests for
functions/.
Screenshots of the live smokecheck workflow and failure-only Slack alert.
| Live smokecheck run | Slack failure alert |
|---|---|
 |
 |
Click either image to open the full-size version.
High-level deployed flow (Hosting -> Functions API -> Firestore):
Dev validation and deployed runtime check overview:
flowchart TD
A[GitHub repo]
B[Functions CI<br/>lint + tests]
C[Docker Functions CI<br/>container parity checks]
D[Postman Newman<br/>API regression / smoke]
E[Terraform workflow<br/>fmt + validate + lint]
F[CodeQL]
G[Deployed API Smokecheck Go<br/>manual + scheduled<br/>GET /api/health]
H[Slack alert to #ci-alerts<br/>failure only]
A --> B
A --> C
A --> D
A --> E
A --> F
A --> G
G -->|on failure| H
Ops note: on smokecheck failure, GitHub Actions posts a Slack alert to
#ci-alerts.
Prerequisites: Node.js 22 + Firebase CLI (firebase-tools)
cd functions
npm ci
npm run lint
npm test
cd ..
firebase emulators:startThis runs the Firebase Emulator Suite locally (Functions + Firestore + Hosting + Emulator UI) using the emulator settings in firebase.json.
Local URLs after startup:
- Hosting:
http://127.0.0.1:5000 - Emulator UI:
http://127.0.0.1:4000
If emulators fail to start: update Firebase CLI to the latest version.
npm install -g firebase-tools@latest
firebase --versionPrerequisites:
- Node.js 18+
- A deployed API base URL (example below)
Note:
DEPLOYED_BASE_URLpoints to a public demo endpoint used only for automated read/write checks.- On a fresh machine, if Playwright browsers are missing, run
npx playwright install.
From the repo root:
cd automation-tests-ts
npm ci
$env:DEPLOYED_BASE_URL="https://firebase.stephendaly.dev/api"
npx playwright testcd automation-tests-ts
npm ci
export DEPLOYED_BASE_URL="https://firebase.stephendaly.dev/api"
npx playwright testpublic/— website files (HTML/CSS/JS/images)functions/— API code (Express app deployed as a Cloud Function)functions/__tests__/— Jest + Supertest API route testsautomation-tests-ts/— TypeScript Playwright deployed API automation checkstools/smokecheck-go/— Go tool for deployed/api/healthsmokecheckinfra/terraform/— Terraform for core GCP service enablement (fmt/validate/lint in CI).github/workflows/— CI + ops workflows.github/dependabot.yml— dependency update configurationfirebase.json/.firebaserc— Firebase project configuration
- Functions CI — lint + tests on push and pull requests
- Docker Functions CI — lint + tests in a container for parity checks
- Terraform (fmt, validate & lint) — formatting, validation and lint checks for
infra/terraform - Deployed API Smokecheck (Go) — scheduled and manual deployed
/api/healthverification, withgofmt,go vet, andgo testenforced before the runtime check - Postman Newman — API regression and smoke execution using the Postman collection and environment
These are stored in Repo -> Settings -> Secrets and variables -> Actions.
DEPLOYED_HEALTH_URL— deployed/api/healthendpoint URLSLACK_WEBHOOK_URL— Slack Incoming Webhook for#ci-alerts
Base URL: https://firebase.stephendaly.dev/api
If you open the base URL in a browser, you’ll see a small JSON response (
GET /), which makes manual checks quicker.
Convenience root route for quick browser checks.
Expected response:
{ "ok": true, "message": "Firebase Serverless REST API is running" }Quick check that the API is running.
Expected response:
{ "ok": true, "message": "API is running" }Returns the latest comments (newest first).
Example response
[
{
"id": "c4fdZfsbycWuJMTK4Je2",
"handle": "@stephen",
"text": "Posting from Postman",
"createdAt": "2026-02-07T20:20:25.524Z"
}
]Creates a new comment.
Example request body:
{ "handle": "@trailrunner23", "text": "Great run today!" }After posting a comment, it appears in the Latest comments list (end-to-end check from website -> API -> Firestore -> website).
This repo includes an OpenAPI 3.0 specification and Swagger UI for the deployed API.
- OpenAPI spec:
public/openapi/openapi.yaml - Swagger UI:
public/swagger/index.html - Postman collection:
postman/firebase-serverless-rest-api.postman_collection.json - Postman environment:
postman/firebase-serverless-rest-api.postman_environment.json - Newman workflow:
.github/workflows/postman-newman.yml
- OpenAPI and Swagger: API contract and interactive documentation
- Postman and Newman: reviewer-friendly API regression and smoke checks
- Playwright: deployed endpoint automation
- Pact: consumer and provider contract verification
- Go smokecheck: lightweight live health verification
You can test the API directly (without the website) using Postman.
- Method:
GET - URL:
https://firebase.stephendaly.dev/api/health - Expected:
200 OKwith JSON showing the API is running
- Method:
GET - URL:
https://firebase.stephendaly.dev/api/comments - Expected:
200 OKwith a JSON list (array) of comments
- Method:
POST - URL:
https://firebase.stephendaly.dev/api/comments - Header:
Content-Type: application/json - Body (raw JSON):
{ "handle": "@trailrunner23", "text": "Posting from Postman" }- Expected:
201 Createdwith a JSON response containing a newid
Quick check: run GET /comments again and confirm the new comment appears near the top.
- Requires both
handleandtext - Blocks the handle
hacker(validated on the website and again on the API) - Displays comments as text, not rendered HTML/JavaScript (helps prevent script injection)
- Restricts cross-origin requests to approved deployed, preview, and local front-end origins
- Limits the function to 1 instance (
maxInstances: 1) to control cost and keep debugging simple
The infra/terraform folder contains a deliberately narrow Terraform implementation for this repo.
It manages a small project-level Infrastructure as Code (IaC) slice by enabling core GCP services that support the Firebase serverless application, including Artifact Registry, Cloud Build, Cloud Functions, Firestore, Cloud Logging, Cloud Monitoring, and Cloud Run.
A dedicated GitHub Actions workflow checks this Terraform with:
terraform fmt -check -recursiveterraform init -backend=false -input=falseterraform validate -no-colortflint --format compact
This Terraform does not manage:
- Firebase Hosting deployment
- Cloud Functions code deployment
- Firestore rules or indexes
- secrets management
- full environment provisioning
Those areas remain outside Terraform in this repo by design.
- Firebase Hosting
- Firebase Cloud Functions v2 (Node.js) + Express
- Firestore
- HTML / CSS / JavaScript (minimal UI harness)
- OpenAPI 3.0
- Swagger UI
- Jest + Supertest
- Playwright
- Pact
- Postman + Newman
- Go deployed smokecheck
- Terraform
- TFLint
- GitHub Actions
- Slack failure alerts
- CodeQL
- Dependabot
firebase deploy --only hosting,functionsTo practice building, validating and deploying a small end-to-end cloud application (UI, REST API, database, Firebase Hosting/Cloud Functions).
Also to demonstrate production-minded practices: CI lint/tests, container-based parity checks, Terraform-managed GCP service enablement with fmt, validate and lint checks, deployed runtime smokechecks, and deployed-endpoint API automation checks (Playwright) with clear run instructions.