fix(ci): post-runner-image cleanup (#7)
CI / commits (push) Has been skipped
CI / scan (push) Failing after 6m19s
CI / check (push) Successful in 11m43s
CI / perf (push) Successful in 12m0s
CI / a11y (push) Successful in 10m8s

## Summary
Three follow-up fixes uncovered by the first end-to-end CI run on the self-hosted act_runner image (smoke-test PR).

- **`check` job** — replace `nrwl/nx-set-shas@v4` (GitHub-API only, 404 on Gitea) with a manual shell step that derives `NX_BASE`/`NX_HEAD` from local git history (merge-base on `pull_request`, `HEAD~1` on `push`).
- **`perf` job** — pin to `catthehacker/ubuntu:full-22.04` so Lighthouse CI finds a real Chrome. The default act image (`act-22.04`) is the minimal variant, ships without browsers.
- **`package.json`** — declare `pnpm.onlyBuiltDependencies` to silence the "Ignored build scripts" warning and approve only the post-install hooks we actually rely on (Nx, Prisma, esbuild, swc, native watchers/resolvers).

No ADR change — these are purely operational adjustments.

## Test plan
- [ ] CI run on this PR: `check` and `perf` jobs both green.
- [ ] No "Ignored build scripts" warning in `pnpm install` step output.
- [ ] After merge, `push` event on `main` re-runs `check`, `scan`, `perf`, `a11y` cleanly (no `nx-set-shas` 404).

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #7
This commit was merged in pull request #7.
This commit is contained in:
2026-05-04 14:55:14 +02:00
parent 25093db0b9
commit b7adf2e308
3 changed files with 51 additions and 1 deletions
+10
View File
@@ -23,6 +23,16 @@ module.exports = {
// Slow-4G profile so scores are stable across CI runners and
// comparable to industry public benchmarks.
preset: 'desktop',
// Chrome's user-namespace sandbox is disabled inside the act
// runner container (AppArmor restriction on the host kernel),
// so Chrome fails to launch with a "No usable sandbox" zygote
// error. `--no-sandbox` is the standard Lighthouse / Puppeteer
// / Playwright workaround for containerised CI: the residual
// risk is acceptable because Chrome only loads our own freshly
// built bundle from http://localhost:4200/ inside an ephemeral
// self-hosted runner container — no untrusted content reaches
// the browser process.
chromeFlags: '--no-sandbox',
},
},
assert: {