e389567a3c4909f6b058816a8ae96099d701d21b
3 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
04675b1b59 |
fix(ci): perf job — point Lighthouse at /fr/ and /en/, drop spa fallback (#92)
## Summary The previous PR (#91) enabled `--localize` on the production build, so the output layout became `dist/apps/portal-shell/browser/{en,fr}/` with **no top-level `index.html`**. The `perf` CI job broke in two places downstream: 1. **`nx run portal-shell:serve-static`** had `spa: true`. The `@nx/web:file-server` executor reads that as "copy `<staticFilePath>/index.html` to `404.html` for SPA fallback". The source file no longer exists, so the executor crashed with `ENOENT … copyfile … index.html` before opening the port. lhci then failed its healthcheck and exited 1. 2. **`lighthouserc.js`** was hitting `http://localhost:4200/`, which now lands on `http-server`'s directory listing (no index.html at that path). Even if the server had started, the audit would have measured the wrong page. ## What changes - **Drop `spa: true`** from the `serve-static` target in [`apps/portal-shell/project.json`](apps/portal-shell/project.json). Deep-link fallback in production is the reverse proxy's job (it routes `/{en,fr}/anything` to the matching `index.html`); `nx serve-static` is only used here for the perf gate and for local prod-build inspection of entry points. For deep-link testing in dev, `nx serve` is the right tool. - **Update [`lighthouserc.js`](lighthouserc.js)** `url` list to `['http://localhost:4200/fr/', 'http://localhost:4200/en/']`, matching the directive in ADR-0019 that both locales clear the same performance bar. ## Verification Local repro (against the merged plumbing PR's build): ``` $ pnpm exec nx run portal-shell:serve-static $ curl -s -o /dev/null -w '%{http_code}\n' http://localhost:4200/en/ # 200 $ curl -s -o /dev/null -w '%{http_code}\n' http://localhost:4200/fr/ # 200 ``` Served files have the right metadata per locale: ``` /tmp/probe-en.html: lang="en" <base href="/en/"> /tmp/probe-fr.html: lang="fr" <base href="/fr/"> ``` ## Side-effect to call out - `/en/deep/route` and `/fr/deep/route` now return 404 from `nx serve-static`. That's by design — Lighthouse only audits the root locale URLs, and the reverse proxy owns deep-link routing in production. - `http://localhost:4200/` returns http-server's directory listing under the new layout. Lighthouse doesn't hit it, so the perf gate is unaffected. We could disable the listing if it becomes a footgun. ## Test plan - [x] `pnpm exec nx run-many -t lint test build --projects=portal-shell` — green. - [x] Local `nx serve-static` + curl against `/en/` and `/fr/` returns the expected per-locale `index.html`. - [ ] CI: `pnpm ci:perf` runs through `serve-static` start → Lighthouse autorun (×3 per locale, ×2 locales = 6 audits) → assertions hold ≥ 90 on Performance for both. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #92 |
||
|
|
b7adf2e308 |
fix(ci): post-runner-image cleanup (#7)
## Summary Three follow-up fixes uncovered by the first end-to-end CI run on the self-hosted act_runner image (smoke-test PR). - **`check` job** — replace `nrwl/nx-set-shas@v4` (GitHub-API only, 404 on Gitea) with a manual shell step that derives `NX_BASE`/`NX_HEAD` from local git history (merge-base on `pull_request`, `HEAD~1` on `push`). - **`perf` job** — pin to `catthehacker/ubuntu:full-22.04` so Lighthouse CI finds a real Chrome. The default act image (`act-22.04`) is the minimal variant, ships without browsers. - **`package.json`** — declare `pnpm.onlyBuiltDependencies` to silence the "Ignored build scripts" warning and approve only the post-install hooks we actually rely on (Nx, Prisma, esbuild, swc, native watchers/resolvers). No ADR change — these are purely operational adjustments. ## Test plan - [ ] CI run on this PR: `check` and `perf` jobs both green. - [ ] No "Ignored build scripts" warning in `pnpm install` step output. - [ ] After merge, `push` event on `main` re-runs `check`, `scan`, `perf`, `a11y` cleanly (no `nx-set-shas` 404). --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #7 |
||
|
|
be7187d5f2 |
chore: scaffold Gitea Actions pipelines per ADR-0015 / ADR-0017
Wire the CI/CD pipeline scaffolding. Implements the level-2 (Gitea
Actions) part of ADR-0015 with the thin-YAML pattern, plus the perf
gate from ADR-0017. The level-1 decisions (gates list, branch model,
secrets policy) are unchanged.
Files:
- .nvmrc pins Node 24 (latest LTS major) for actions/setup-node.
- package.json gains four ci:* scripts that the workflows call:
- ci:check - 'nx affected -t format:check lint test build'
- ci:audit - 'pnpm audit --audit-level=moderate'
- ci:commits- 'commitlint --from $COMMIT_LINT_FROM --to HEAD'
- ci:perf - 'nx build portal-shell --configuration=production
&& lhci autorun --config=./lighthouserc.js'
All four runnable locally; CI workflows are thin wrappers.
- @lhci/cli added as a dev dependency for ci:perf.
- lighthouserc.js encodes the Core Web Vitals thresholds from
ADR-0017 (LCP <= 2500ms, CLS <= 0.1, TBT <= 200ms, server
response <= 800ms, Performance >= 0.9). v1 measures only the
static-served portal-shell bundle (Nx Welcome placeholder); the
critical-routes list expands as real screens land.
- .gitea/workflows/ci.yml runs five jobs on PR + push to main:
check, scan (audit + Trivy + gitleaks), commits (PR-only), perf,
a11y. The a11y job is a placeholder that no-ops with a clear
message; it wires up for real with the first Playwright e2e suite
(ADR-0016). All gates are blocking - branch protection on main
will require all five jobs green.
- .gitea/workflows/security-scheduled.yml runs weekly (Mon 04:00
UTC) for full-tree Trivy + gitleaks (no severity filter, no
skip-dirs - broader than per-PR) plus a Lighthouse run against
the prod URL when vars.LHCI_PROD_URL is set.
Slight deviation from ADR-0015 §'Level 2': Trivy and gitleaks are
binaries (Go) and don't have clean npm wrappers, so they are
invoked through their official Gitea-Actions-compatible actions
inside the YAML rather than via 'pnpm ci:scan'. The high-level
decision (gates: audit + secret-scan + dep-scan) is unchanged; the
script/action boundary is shifted by one tool. Documented here for
traceability; no ADR amendment needed.
Operational TODOs (not blocking the scaffold):
- pnpm audit currently reports 6 moderate transitive vulnerabilities
(ajv, brace-expansion, yaml, @hono/node-server, follow-redirects,
uuid) in deep deps of Nx/Angular plugins. CI will fail on this
gate until upstream updates land or Renovate bumps; expected and
documented.
- act_runner self-hosted instances are not yet registered against
the Gitea organisation; the workflows reference [self-hosted,
on-prem] runner labels per ADR-0015. CI will not actually execute
until the runners are up - that's an infra task.
- Branch protection rules on main (require all five jobs green) are
configured in Gitea UI, not in this commit.
- Lighthouse-prod scheduled job runs only when vars.LHCI_PROD_URL
is set - skipped silently otherwise. To be configured once a prod
environment exists.
|