Commit Graph

9 Commits

Author SHA1 Message Date
APF Portal Bot 412bb5e008 chore(deps): update dependency gitleaks/gitleaks to v8.30.1
CI / commits (pull_request) Has been skipped
CI / perf (pull_request) Has been skipped
CI / check (pull_request) Successful in 1m2s
CI / scan (pull_request) Successful in 1m10s
CI / a11y (pull_request) Successful in 59s
2026-05-10 02:52:56 +00:00
julien 4473b1d4a4 chore(ci): track trivy and gitleaks binary versions via renovate custom manager (#78)
CI / check (push) Successful in 1m28s
CI / commits (push) Has been skipped
CI / scan (push) Successful in 56s
CI / a11y (push) Successful in 56s
CI / perf (push) Successful in 2m18s
## Summary

Until now the Trivy and gitleaks pins in `.gitea/workflows/*.yml` were manual — Renovate's built-in managers only see package-manager-tracked deps (npm, docker-compose images, GitHub Actions, etc.) and ignore plain env vars. The comment in each workflow telling the next contributor to "bump manually from the releases page" is the kind of friction that gets forgotten between two security advisories.

Add a **custom regex manager** that picks up `# renovate: datasource=… depName=…` annotations immediately followed by an env-var assignment of the form `<NAME>_VERSION: '<version>'`. The 4 pins (`TRIVY_VERSION` + `GITLEAKS_VERSION` in both `ci.yml` and `security-scheduled.yml`) get annotated with the `github-releases` datasource and the upstream `owner/repo` depName.

`extractVersionTemplate: ^v?(?<version>.+)$` strips the `v` prefix used by both projects' release tags, so the version substituted into the env var (which our shell script consumes without `v`) stays correct.

## What lands

- **`renovate.json`** — new `customManagers` block. The dashboard triage header is updated to reflect the new tracking (was "not Renovate-tracked yet").
- **`.gitea/workflows/ci.yml`** — annotate the Trivy and gitleaks env vars; remove the dead "manual bump" comments.
- **`.gitea/workflows/security-scheduled.yml`** — same.

## Verified

Node-side dry-run of the regex against both workflow files:

```
ci.yml                       → trivy 0.70.0, gitleaks 8.21.0
security-scheduled.yml       → trivy 0.70.0, gitleaks 8.21.0
```

All 4 expected matches with the right `datasource` / `depName` / `currentValue` captures.

## Test plan

- [ ] CI green on this PR.
- [ ] After merge, the next Renovate run picks up Trivy and gitleaks as detected dependencies in the dashboard. New patch / minor releases should now produce normal Renovate PRs (auto-merging on patches per #74).
- [ ] No manual "bump from the releases page" reminders left in the workflow YAML.

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #78
2026-05-10 04:07:06 +02:00
julien a0e8e095d0 fix(ci): run scanners before pnpm install to avoid node_modules false positives (#51)
CI / check (push) Successful in 2m26s
CI / commits (push) Has been skipped
CI / scan (push) Successful in 2m48s
CI / a11y (push) Successful in 1m32s
CI / perf (push) Successful in 3m51s
## Summary
First successful gitleaks run flagged **381 "leaks"** — all inside `node_modules/` and `.pnpm-store/`, populated by the `pnpm install --frozen-lockfile` step that ran earlier in the job. Upstream npm packages routinely embed demo RSA keys / fake API tokens in their READMEs and test fixtures, and gitleaks correctly (by its rules) flags them.

Same class of false-positive Trivy hit in #49 — solved there by `--scanners vuln`. Here, the cleanest solution is **reordering**: run the scanners *before* `pnpm install`, so the working tree contains only our committed source.

- **Trivy** scans `pnpm-lock.yaml` (committed) — doesn't need install.
- **Gitleaks** scans the working tree (`--no-git --source .` in ci.yml) — doesn't need install.
- **pnpm audit** reads `pnpm-lock.yaml` against the advisory DB — also doesn't need install. The install before audit remains for the workspace-integrity sanity check.

The ordering rationale is committed as a comment at the top of each job's `steps:` block, so a future contributor doesn't innocently shuffle the steps and re-flood the gate with FPs.

Same reordering applied to `.gitea/workflows/security-scheduled.yml` for consistency, even though its deep-history gitleaks scan doesn't suffer this issue (`node_modules` is `.gitignore`d from day one — never in history).

## Test plan
- [ ] `scan` job goes green end-to-end on this PR — gitleaks reports 0 leaks (or only real ones from our source, none expected).
- [ ] On `push` to main post-merge, scan stays green.
- [ ] Trigger `security-scheduled` manually before next Monday's cron to verify the same ordering doesn't break the deep scan.

## After this PR
With #43 (TS/ESLint reverts), #45 (Trivy install), #49 (Trivy `--scanners vuln`), #50 (gitleaks install), and now this — every gate of the CI pipeline should be green end-to-end. Phase-1 CI bring-up is then complete and we can move to **A — local infra recipe** (Postgres + Redis + OTel Collector).

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #51
2026-05-08 00:18:56 +02:00
julien 0d27f835c3 fix(ci): replace gitleaks-action with manual install (#50)
CI / commits (push) Has been skipped
CI / check (push) Successful in 1m59s
CI / scan (push) Failing after 2m37s
CI / a11y (push) Successful in 1m24s
CI / perf (push) Successful in 3m34s
## Summary
`gitleaks/gitleaks-action@v2` is now paywalled for organisations — the action requires a `GITLEAKS_LICENSE` secret from gitleaks.io (commercial) or it errors out:

​```
🛑 missing gitleaks license. Go grab one at gitleaks.io and store it as a GitHub Secret named GITLEAKS_LICENSE.
​```

Worse, on Gitea it cannot reliably detect personal-vs-org accounts (different API contract), so it defaults to license enforcement and the scan always fails. The **gitleaks binary itself stays MIT-licensed and free** — only the wrapper went commercial.

Mirror the pattern from #45 (Trivy): drop the wrapper, install the binary directly via curl + tar, run the CLI.

## Scope of the PR
The same two broken integrations existed in `.gitea/workflows/security-scheduled.yml` and would have failed silently at next Monday's cron. Fix both files in one PR for consistency.

- **`ci.yml`** — gitleaks step replaced. Per-PR scan uses `--no-git --source .` (working tree only — the scan job uses a shallow checkout anyway).
- **`security-scheduled.yml`** — both gitleaks AND trivy steps replaced; `fetch-depth: 0` added so gitleaks can do its **deep history scan** here (the value-add of the scheduled job over the per-PR gate); `cache: 'pnpm'` dropped from `actions/setup-node` (consistency with #8 — the act_runner cache server is unreachable from job containers).
- `--redact` on both gitleaks invocations so any matched secret is masked in the CI log itself (avoids re-leaking via log artefacts).

## Trade-off
Like Trivy, gitleaks version is now manually pinned. Same comment in the workflow points to releases for bumps.

## Test plan
- [ ] `scan` job goes green end-to-end on this PR (audit ✓, Trivy ✓, gitleaks ✓).
- [ ] `gitleaks version` line in the install step's logs shows `8.21.0`.
- [ ] On `push` to main post-merge, scan stays green.
- [ ] Trigger `security-scheduled` manually (Actions → Run workflow) to verify the deep-history scan path before next Monday's cron fires.

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #50
2026-05-08 00:05:16 +02:00
APF Portal Bot 3e4c580519 chore(deps): update pnpm/action-setup action to v6 (#37)
CI / commits (push) Has been skipped
CI / check (push) Successful in 1m37s
CI / scan (push) Failing after 1m37s
CI / a11y (push) Successful in 1m22s
CI / perf (push) Failing after 2m3s
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [pnpm/action-setup](https://github.com/pnpm/action-setup) | action | major | `v3` -> `v6` |

---

### Release Notes

<details>
<summary>pnpm/action-setup (pnpm/action-setup)</summary>

### [`v6`](https://github.com/pnpm/action-setup/compare/v5...v6)

[Compare Source](https://github.com/pnpm/action-setup/compare/v5...v6)

### [`v5`](https://github.com/pnpm/action-setup/compare/v4...v5)

[Compare Source](https://github.com/pnpm/action-setup/compare/v4...v5)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Reviewed-on: #37
Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
2026-05-06 01:23:13 +02:00
APF Portal Bot 9fbf37c2ef chore(deps): update actions/upload-artifact action to v7 (#28)
CI / check (push) Successful in 1m14s
CI / commits (push) Has been skipped
CI / scan (push) Failing after 1m17s
CI / a11y (push) Successful in 1m59s
CI / perf (push) Successful in 4m3s
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | action | major | `v4` -> `v7` |

---

### Release Notes

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

### [`v7`](https://github.com/actions/upload-artifact/compare/v6...v7)

[Compare Source](https://github.com/actions/upload-artifact/compare/v6...v7)

### [`v6`](https://github.com/actions/upload-artifact/compare/v5...v6)

[Compare Source](https://github.com/actions/upload-artifact/compare/v5...v6)

### [`v5`](https://github.com/actions/upload-artifact/compare/v4...v5)

[Compare Source](https://github.com/actions/upload-artifact/compare/v4...v5)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Reviewed-on: #28
Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
2026-05-05 23:26:09 +02:00
APF Portal Bot 4244f63831 chore(deps): update actions/setup-node action to v6 (#27)
CI / check (push) Successful in 1m0s
CI / commits (push) Has been skipped
CI / scan (push) Failing after 2m13s
CI / a11y (push) Successful in 1m58s
CI / perf (push) Successful in 3m21s
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://github.com/actions/setup-node) | action | major | `v4` -> `v6` |

---

### Release Notes

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v6`](https://github.com/actions/setup-node/compare/v5...v6)

[Compare Source](https://github.com/actions/setup-node/compare/v5...v6)

### [`v5`](https://github.com/actions/setup-node/compare/v4...v5)

[Compare Source](https://github.com/actions/setup-node/compare/v4...v5)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Reviewed-on: #27
Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
2026-05-05 23:25:41 +02:00
APF Portal Bot adc14c14e0 chore(deps): update actions/checkout action to v6 (#26)
CI / commits (push) Has been skipped
CI / check (push) Successful in 1m16s
CI / scan (push) Failing after 1m25s
CI / a11y (push) Successful in 1m0s
CI / perf (push) Successful in 2m38s
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://github.com/actions/checkout) | action | major | `v4` -> `v6` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

### [`v6`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v602)

[Compare Source](https://github.com/actions/checkout/compare/v5...v6)

- Fix tag handling: preserve annotations and explicit fetch-tags by [@&#8203;ericsciple](https://github.com/ericsciple) in https://github.com/actions/checkout/pull/2356

### [`v5`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v501)

[Compare Source](https://github.com/actions/checkout/compare/v4...v5)

- Port v6 cleanup to v5 by [@&#8203;ericsciple](https://github.com/ericsciple) in https://github.com/actions/checkout/pull/2301

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Reviewed-on: #26
Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
2026-05-05 23:25:10 +02:00
Julien Gautier be7187d5f2 chore: scaffold Gitea Actions pipelines per ADR-0015 / ADR-0017
CI / commits (push) Has been skipped
CI / check (push) Failing after 36s
CI / a11y (push) Failing after 2s
CI / perf (push) Failing after 38s
CI / scan (push) Failing after 2m15s
Wire the CI/CD pipeline scaffolding. Implements the level-2 (Gitea
Actions) part of ADR-0015 with the thin-YAML pattern, plus the perf
gate from ADR-0017. The level-1 decisions (gates list, branch model,
secrets policy) are unchanged.

Files:
- .nvmrc pins Node 24 (latest LTS major) for actions/setup-node.
- package.json gains four ci:* scripts that the workflows call:
  - ci:check  - 'nx affected -t format:check lint test build'
  - ci:audit  - 'pnpm audit --audit-level=moderate'
  - ci:commits- 'commitlint --from $COMMIT_LINT_FROM --to HEAD'
  - ci:perf   - 'nx build portal-shell --configuration=production
                 && lhci autorun --config=./lighthouserc.js'
  All four runnable locally; CI workflows are thin wrappers.
- @lhci/cli added as a dev dependency for ci:perf.
- lighthouserc.js encodes the Core Web Vitals thresholds from
  ADR-0017 (LCP <= 2500ms, CLS <= 0.1, TBT <= 200ms, server
  response <= 800ms, Performance >= 0.9). v1 measures only the
  static-served portal-shell bundle (Nx Welcome placeholder); the
  critical-routes list expands as real screens land.
- .gitea/workflows/ci.yml runs five jobs on PR + push to main:
  check, scan (audit + Trivy + gitleaks), commits (PR-only), perf,
  a11y. The a11y job is a placeholder that no-ops with a clear
  message; it wires up for real with the first Playwright e2e suite
  (ADR-0016). All gates are blocking - branch protection on main
  will require all five jobs green.
- .gitea/workflows/security-scheduled.yml runs weekly (Mon 04:00
  UTC) for full-tree Trivy + gitleaks (no severity filter, no
  skip-dirs - broader than per-PR) plus a Lighthouse run against
  the prod URL when vars.LHCI_PROD_URL is set.

Slight deviation from ADR-0015 §'Level 2': Trivy and gitleaks are
binaries (Go) and don't have clean npm wrappers, so they are
invoked through their official Gitea-Actions-compatible actions
inside the YAML rather than via 'pnpm ci:scan'. The high-level
decision (gates: audit + secret-scan + dep-scan) is unchanged; the
script/action boundary is shifted by one tool. Documented here for
traceability; no ADR amendment needed.

Operational TODOs (not blocking the scaffold):
- pnpm audit currently reports 6 moderate transitive vulnerabilities
  (ajv, brace-expansion, yaml, @hono/node-server, follow-redirects,
  uuid) in deep deps of Nx/Angular plugins. CI will fail on this
  gate until upstream updates land or Renovate bumps; expected and
  documented.
- act_runner self-hosted instances are not yet registered against
  the Gitea organisation; the workflows reference [self-hosted,
  on-prem] runner labels per ADR-0015. CI will not actually execute
  until the runners are up - that's an infra task.
- Branch protection rules on main (require all five jobs green) are
  configured in Gitea UI, not in this commit.
- Lighthouse-prod scheduled job runs only when vars.LHCI_PROD_URL
  is set - skipped silently otherwise. To be configured once a prod
  environment exists.
2026-04-30 19:48:20 +02:00