Commit Graph

11 Commits

Author SHA1 Message Date
Julien Gautier 9b6967d352 fix(ci): restrict Trivy to vulnerability scanner only
CI / commits (pull_request) Successful in 2m20s
CI / check (pull_request) Successful in 2m41s
CI / scan (pull_request) Failing after 2m50s
CI / a11y (pull_request) Successful in 2m52s
CI / perf (pull_request) Successful in 5m31s
The first successful Trivy run (after #45 wired the manual install)
came back red on three "secret" findings, all of them demo RSA
private keys embedded in the README / test fixtures of a
cryptographic npm package, sitting deep in `.pnpm-store/v10/files/`
where pnpm content-addressably caches its packages. They are not
our secrets.

Two observations:

- The job already chains `gitleaks/gitleaks-action@v2` after Trivy
  — running two secret scanners over the same tree is just twice
  the false-positive surface.
- Trivy's own log helpfully suggests `--scanners vuln` when secret
  scanning is not the focus, and ADR-0015 always framed this step
  as "dependency vulnerability scan", singular.

Restrict Trivy to `--scanners vuln` so it only runs the vuln check
(against `pnpm-lock.yaml`, complementing `pnpm audit`'s npm-advisory
view with Trivy's broader source). Gitleaks remains the single
secret-scan source.

No `--skip-dirs` change needed: the vuln scan reads `pnpm-lock.yaml`,
not the unpacked store contents.
2026-05-07 12:42:42 +02:00
julien 57a08c3b71 fix(ci): replace trivy-action with manual curl install (#45)
CI / commits (push) Has been skipped
CI / check (push) Successful in 1m45s
CI / scan (push) Failing after 2m59s
CI / a11y (push) Successful in 1m26s
CI / perf (push) Successful in 3m33s
## Summary
PR #44's `GITHUB_TOKEN` env injection didn't actually authenticate the github.com clone. Root cause: `aquasecurity/trivy-action` wraps `actions/checkout`, whose `with.token` input defaults to `${{ github.token }}` (Gitea's auto-token, useless against github.com), and that wins over our env var. The clone keeps hitting the anonymous rate limit.

Rather than fight the action's internals (`INPUT_TOKEN` overrides, `git config insteadOf` injection, etc.), drop it and install Trivy directly via `curl + tar` from the GitHub release artefact.

## Side benefits
- **Version pinned** (`TRIVY_VERSION=0.70.0`) — no more `@master`. Moving-target tags are exactly what bit us in #43 (the TS6 / ESLint10 / webpack-cli7 mess); not adding a new instance of the same anti-pattern.
- **Predictable** — straight curl + tar, no third-party action indirection to debug.
- `GITHUBCOM_TOKEN` passed as Bearer header on the curl — defensive: release artefact downloads are usually unmetered, but auth is free insurance against rate-limit surprises.

## Trade-off
Trivy version bumps become manual. Renovate can't track this pin out of the box. A custom regex manager in `renovate.json` could be added later if the cadence justifies it; for now, manual review of [Trivy releases](https://github.com/aquasecurity/trivy/releases) every few months is acceptable.

## Test plan
- [ ] `scan` job goes green on this PR — both `Install Trivy` and `Run Trivy` steps succeed.
- [ ] `trivy --version` in the install step's logs reports `0.70.0`.
- [ ] No regression on the `pnpm ci:audit` or `gitleaks` sub-steps of `scan`.
- [ ] On `push` to main post-merge, scan stays green.

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #45
2026-05-07 00:17:13 +02:00
julien 6153c81602 fix(ci): authenticate trivy-action's github.com clone (#44)
CI / check (push) Successful in 54s
CI / commits (push) Has been skipped
CI / perf (push) Successful in 1m54s
CI / a11y (push) Successful in 57s
CI / scan (push) Failing after 6m23s
## Summary
On cache miss, `aquasecurity/trivy-action@master` falls back to `git clone https://github.com/aquasecurity/trivy` to fetch its install script. Our act_runner cache server is currently unreachable from job containers (documented as "Cache server (deferred)" in `infra/README.md`), so every CI run is a cache miss, every run does the clone, and every clone hits github.com's 60 req/h anonymous rate limit:

Pass `GITHUBCOM_TOKEN` (same zero-scope github.com PAT used for Renovate) as `GITHUB_TOKEN` env on the trivy step. The action picks it up automatically and authenticates the clone, lifting the rate limit from 60 → 5 000 req/h.

## Test plan
- [ ] `scan` job goes green on this PR (the trivy step in particular).
- [ ] On `push` to main post-merge, scan stays green.
- [ ] No regression on the audit / gitleaks sub-steps of `scan`.

## Related
- The deeper fix (re-enabling the act_runner cache server so trivy gets a real cache hit and skips the clone entirely) is tracked as "Cache server (deferred)" in `infra/README.md`. Worth doing eventually; this PR is the surgical fix.
- The `@master` pin on the trivy-action is also worth replacing with a tagged version (`renovate.json` will surface bumps once we lift the major-dashboard gate for it). Out of scope for this PR.

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #44
2026-05-06 23:43:19 +02:00
APF Portal Bot 3e4c580519 chore(deps): update pnpm/action-setup action to v6 (#37)
CI / commits (push) Has been skipped
CI / check (push) Successful in 1m37s
CI / scan (push) Failing after 1m37s
CI / a11y (push) Successful in 1m22s
CI / perf (push) Failing after 2m3s
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [pnpm/action-setup](https://github.com/pnpm/action-setup) | action | major | `v3` -> `v6` |

---

### Release Notes

<details>
<summary>pnpm/action-setup (pnpm/action-setup)</summary>

### [`v6`](https://github.com/pnpm/action-setup/compare/v5...v6)

[Compare Source](https://github.com/pnpm/action-setup/compare/v5...v6)

### [`v5`](https://github.com/pnpm/action-setup/compare/v4...v5)

[Compare Source](https://github.com/pnpm/action-setup/compare/v4...v5)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Reviewed-on: #37
Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
2026-05-06 01:23:13 +02:00
APF Portal Bot 9fbf37c2ef chore(deps): update actions/upload-artifact action to v7 (#28)
CI / check (push) Successful in 1m14s
CI / commits (push) Has been skipped
CI / scan (push) Failing after 1m17s
CI / a11y (push) Successful in 1m59s
CI / perf (push) Successful in 4m3s
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | action | major | `v4` -> `v7` |

---

### Release Notes

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

### [`v7`](https://github.com/actions/upload-artifact/compare/v6...v7)

[Compare Source](https://github.com/actions/upload-artifact/compare/v6...v7)

### [`v6`](https://github.com/actions/upload-artifact/compare/v5...v6)

[Compare Source](https://github.com/actions/upload-artifact/compare/v5...v6)

### [`v5`](https://github.com/actions/upload-artifact/compare/v4...v5)

[Compare Source](https://github.com/actions/upload-artifact/compare/v4...v5)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Reviewed-on: #28
Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
2026-05-05 23:26:09 +02:00
APF Portal Bot 4244f63831 chore(deps): update actions/setup-node action to v6 (#27)
CI / check (push) Successful in 1m0s
CI / commits (push) Has been skipped
CI / scan (push) Failing after 2m13s
CI / a11y (push) Successful in 1m58s
CI / perf (push) Successful in 3m21s
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://github.com/actions/setup-node) | action | major | `v4` -> `v6` |

---

### Release Notes

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v6`](https://github.com/actions/setup-node/compare/v5...v6)

[Compare Source](https://github.com/actions/setup-node/compare/v5...v6)

### [`v5`](https://github.com/actions/setup-node/compare/v4...v5)

[Compare Source](https://github.com/actions/setup-node/compare/v4...v5)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Reviewed-on: #27
Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
2026-05-05 23:25:41 +02:00
APF Portal Bot adc14c14e0 chore(deps): update actions/checkout action to v6 (#26)
CI / commits (push) Has been skipped
CI / check (push) Successful in 1m16s
CI / scan (push) Failing after 1m25s
CI / a11y (push) Successful in 1m0s
CI / perf (push) Successful in 2m38s
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://github.com/actions/checkout) | action | major | `v4` -> `v6` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

### [`v6`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v602)

[Compare Source](https://github.com/actions/checkout/compare/v5...v6)

- Fix tag handling: preserve annotations and explicit fetch-tags by [@&#8203;ericsciple](https://github.com/ericsciple) in https://github.com/actions/checkout/pull/2356

### [`v5`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v501)

[Compare Source](https://github.com/actions/checkout/compare/v4...v5)

- Port v6 cleanup to v5 by [@&#8203;ericsciple](https://github.com/ericsciple) in https://github.com/actions/checkout/pull/2301

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Reviewed-on: #26
Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
2026-05-05 23:25:10 +02:00
julien f9ed3cf82a chore(ci): skip perf and commits gates on Renovate-authored PRs (#23)
CI / commits (push) Has been skipped
CI / check (push) Successful in 2m20s
CI / scan (push) Failing after 2m34s
CI / a11y (push) Successful in 1m7s
CI / perf (push) Successful in 3m43s
## Summary
Renovate's dep-bump PRs run the full pipeline today (`check`, `scan`, `commits`, `perf`, `a11y`). Two of those gates have near-zero signal on a typical bump and dominate the wall-clock cost:

- **`perf`** — Lighthouse build + 3-iteration median across the critical-routes list. 3-5 min per PR for a metric that is essentially zero on a patch/minor dep bump (the SPA today serves the static placeholder; even with real routes a typical bump stays inside the median noise floor).
- **`commits`** — re-validates commit messages that Renovate generates from a Conventional-Commits-conformant template. Tautological.

Skip both when the PR author is the `apf-portal-bot` Gitea user. The `push` event on `main` still runs the full pipeline post-merge, so any regression caught by `perf` is detected seconds after merge — fast enough to revert.

Net result: Renovate PRs run `check + scan + a11y` only, ≈ 4-5 min faster per PR.

## ADR amendment

ADR-0017 is amended in the same change:
- "Where Lighthouse CI runs" table now distinguishes human PR / bot PR / push to main / scheduled / local.
- New "Pre-merge gating policy: human PRs vs bot PRs" subsection records the rationale and the human-takeover edge case.
- §Confirmation entry for `perf` is reworded to reflect the conditional gate.

## Test plan
- [ ] After merge, the next Renovate-triggered PR (auto-rebase or new bump) shows only `check`, `scan`, `a11y` queued — no `perf`, no `commits`.
- [ ] A human-opened PR (e.g. this one) still queues all 5 gates.
- [ ] On `push` to `main` post-merge, the full pipeline runs including `perf`.

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #23
2026-05-05 16:12:19 +02:00
julien f2440fbf24 fix(ci): disable broken pnpm cache on actions/setup-node (#8)
CI / a11y (push) Successful in 45s
CI / perf (push) Successful in 2m40s
CI / commits (push) Failing after 12m17s
CI / scan (push) Failing after 12m18s
CI / check (push) Failing after 12m19s
## Summary
`act_runner`'s built-in GitHub-Actions-cache server binds inside the runner container on the compose-defined `apf-portal-act-runners` bridge. Jobs spawned via the mounted Docker socket land on Docker's default `bridge` network and can't reach it. Every job opting into `cache: 'pnpm'` ate ~2 min `ETIMEDOUT` on restore + another ~2 min on save — across the 5 jobs, ~20 min wasted per CI run for zero cache hits.

Drop `cache: 'pnpm'` everywhere. `pnpm install --frozen-lockfile` is fast on the warm store inside the job container, so removing the cache layer is a net gain today.

The proper fix (cross-container networking / fixed-port cache binding) is documented in `infra/README.md` → "Cache server (deferred)" so it can be picked up as an isolated infra spike later.

## Test plan
- [ ] CI run on this PR: every job's `Set up Node.js` step finishes in seconds (no ETIMEDOUT warning).
- [ ] `Complete job` step also finishes promptly (no `reserveCache failed` warning).
- [ ] Total wall-clock time for the run should drop by ~15-20 min vs. previous runs.

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #8
2026-05-04 15:33:04 +02:00
julien b7adf2e308 fix(ci): post-runner-image cleanup (#7)
CI / commits (push) Has been skipped
CI / scan (push) Failing after 6m19s
CI / check (push) Successful in 11m43s
CI / perf (push) Successful in 12m0s
CI / a11y (push) Successful in 10m8s
## Summary
Three follow-up fixes uncovered by the first end-to-end CI run on the self-hosted act_runner image (smoke-test PR).

- **`check` job** — replace `nrwl/nx-set-shas@v4` (GitHub-API only, 404 on Gitea) with a manual shell step that derives `NX_BASE`/`NX_HEAD` from local git history (merge-base on `pull_request`, `HEAD~1` on `push`).
- **`perf` job** — pin to `catthehacker/ubuntu:full-22.04` so Lighthouse CI finds a real Chrome. The default act image (`act-22.04`) is the minimal variant, ships without browsers.
- **`package.json`** — declare `pnpm.onlyBuiltDependencies` to silence the "Ignored build scripts" warning and approve only the post-install hooks we actually rely on (Nx, Prisma, esbuild, swc, native watchers/resolvers).

No ADR change — these are purely operational adjustments.

## Test plan
- [ ] CI run on this PR: `check` and `perf` jobs both green.
- [ ] No "Ignored build scripts" warning in `pnpm install` step output.
- [ ] After merge, `push` event on `main` re-runs `check`, `scan`, `perf`, `a11y` cleanly (no `nx-set-shas` 404).

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #7
2026-05-04 14:55:14 +02:00
Julien Gautier be7187d5f2 chore: scaffold Gitea Actions pipelines per ADR-0015 / ADR-0017
CI / commits (push) Has been skipped
CI / check (push) Failing after 36s
CI / a11y (push) Failing after 2s
CI / perf (push) Failing after 38s
CI / scan (push) Failing after 2m15s
Wire the CI/CD pipeline scaffolding. Implements the level-2 (Gitea
Actions) part of ADR-0015 with the thin-YAML pattern, plus the perf
gate from ADR-0017. The level-1 decisions (gates list, branch model,
secrets policy) are unchanged.

Files:
- .nvmrc pins Node 24 (latest LTS major) for actions/setup-node.
- package.json gains four ci:* scripts that the workflows call:
  - ci:check  - 'nx affected -t format:check lint test build'
  - ci:audit  - 'pnpm audit --audit-level=moderate'
  - ci:commits- 'commitlint --from $COMMIT_LINT_FROM --to HEAD'
  - ci:perf   - 'nx build portal-shell --configuration=production
                 && lhci autorun --config=./lighthouserc.js'
  All four runnable locally; CI workflows are thin wrappers.
- @lhci/cli added as a dev dependency for ci:perf.
- lighthouserc.js encodes the Core Web Vitals thresholds from
  ADR-0017 (LCP <= 2500ms, CLS <= 0.1, TBT <= 200ms, server
  response <= 800ms, Performance >= 0.9). v1 measures only the
  static-served portal-shell bundle (Nx Welcome placeholder); the
  critical-routes list expands as real screens land.
- .gitea/workflows/ci.yml runs five jobs on PR + push to main:
  check, scan (audit + Trivy + gitleaks), commits (PR-only), perf,
  a11y. The a11y job is a placeholder that no-ops with a clear
  message; it wires up for real with the first Playwright e2e suite
  (ADR-0016). All gates are blocking - branch protection on main
  will require all five jobs green.
- .gitea/workflows/security-scheduled.yml runs weekly (Mon 04:00
  UTC) for full-tree Trivy + gitleaks (no severity filter, no
  skip-dirs - broader than per-PR) plus a Lighthouse run against
  the prod URL when vars.LHCI_PROD_URL is set.

Slight deviation from ADR-0015 §'Level 2': Trivy and gitleaks are
binaries (Go) and don't have clean npm wrappers, so they are
invoked through their official Gitea-Actions-compatible actions
inside the YAML rather than via 'pnpm ci:scan'. The high-level
decision (gates: audit + secret-scan + dep-scan) is unchanged; the
script/action boundary is shifted by one tool. Documented here for
traceability; no ADR amendment needed.

Operational TODOs (not blocking the scaffold):
- pnpm audit currently reports 6 moderate transitive vulnerabilities
  (ajv, brace-expansion, yaml, @hono/node-server, follow-redirects,
  uuid) in deep deps of Nx/Angular plugins. CI will fail on this
  gate until upstream updates land or Renovate bumps; expected and
  documented.
- act_runner self-hosted instances are not yet registered against
  the Gitea organisation; the workflows reference [self-hosted,
  on-prem] runner labels per ADR-0015. CI will not actually execute
  until the runners are up - that's an infra task.
- Branch protection rules on main (require all five jobs green) are
  configured in Gitea UI, not in this commit.
- Lighthouse-prod scheduled job runs only when vars.LHCI_PROD_URL
  is set - skipped silently otherwise. To be configured once a prod
  environment exists.
2026-04-30 19:48:20 +02:00