Compare commits

..

3 Commits

Author SHA1 Message Date
Julien Gautier b25d4fb944 ci(gitlab): land .gitlab-ci.yml alongside gitea workflow (ADR-0028 phase 2)
CI / scan (pull_request) Successful in 2m39s
CI / commits (pull_request) Successful in 2m38s
CI / check (pull_request) Successful in 2m51s
CI / a11y (pull_request) Successful in 2m28s
CI / perf (pull_request) Successful in 6m37s
Port .gitea/workflows/ci.yml job-by-job to GitLab CI per ADR-0028
section Migration sequence Phase 2. Architectural principles from
ADR-0015 preserved verbatim (thin YAML, gates as package.json
scripts, defense-in-depth on conventional commits).

Job parity:
- check / commits / perf / a11y -> 1:1 port; Gitea variable names
  rewritten to GitLab equivalents.
- scan -> sast + secret_detection (built-in GitLab includes) + audit
  (pnpm audit kept for npm-advisory defense in depth). The manual
  Trivy + gitleaks install plus the two paywalled-action workarounds
  documented in the Gitea workflow go away per ADR-0028 section
  What changes.

Notable adaptations: explicit cache block keyed on pnpm-lock.yaml,
no default:image (would override analyzer images), Playwright image
for perf to dovetail with the upcoming ADR-0016 axe-core e2e.

Phase 2 keeps both pipelines green for ~1 calendar week per
ADR-0028 section Confirmation. Phase 3 deletes .gitea/workflows
and tightens the push rule to main only.
2026-05-27 17:50:56 +02:00
APF Portal Bot a848e0fabd chore(deps): update dependency @swc/helpers to v0.5.23 (#239)
CI / commits (push) Has been skipped
CI / check (push) Successful in 3m25s
CI / scan (push) Successful in 1m54s
CI / a11y (push) Successful in 2m55s
CI / perf (push) Successful in 5m2s
Docs site / build (push) Successful in 4m42s
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [@swc/helpers](https://swc.rs) ([source](https://github.com/swc-project/swc/tree/HEAD/packages/helpers)) | devDependencies | patch | [`0.5.21` -> `0.5.23`](https://renovatebot.com/diffs/npm/@swc%2fhelpers/0.5.21/0.5.23) |

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Reviewed-on: #239
Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
2026-05-27 17:34:46 +02:00
julien e2894afc4a chore(deps): bump tmp override to >=0.2.6 (GHSA-ph9p-34f9-6g65) (#240)
CI / commits (push) Has been skipped
CI / check (push) Successful in 3m39s
CI / scan (push) Successful in 2m21s
CI / a11y (push) Successful in 2m43s
CI / perf (push) Successful in 4m44s
Docs site / build (push) Successful in 4m25s
## Summary

Bump the existing `tmp` security override from `>=0.2.4` to `>=0.2.6` to cover [GHSA-ph9p-34f9-6g65](https://github.com/advisories/GHSA-ph9p-34f9-6g65) — a path-traversal vulnerability via unsanitized prefix/postfix in `tmp@<0.2.6`. Surfaced by `pnpm ci:audit` on the next CI run; both Gitea and the in-flight GitLab Phase 2 pipeline fail without this.

## Why this isn't an upstream upgrade

`tmp` is a transitive dependency. The two consuming paths today:

| Path | Latest available |
| --- | --- |
| `.>nx>tmp` | `nx@22.7.4` still declares `tmp@^0.2.4` |
| `.>@lhci/cli>tmp` | `@lhci/cli@0.15.1` (latest) still declares `tmp@^0.1.0` |

Upgrading `nx` or `@lhci/cli` does not move `tmp` to 0.2.6. The pre-existing `pnpm.overrides` entry was already pinning `tmp@<0.2.4` → `>=0.2.4` against the prior advisory; this PR just widens the lower bound to match the new one. Same pattern, one line.

## What lands

| File | Change |
| --- | --- |
| `package.json` | `"tmp@<0.2.4": ">=0.2.4"` → `"tmp@<0.2.6": ">=0.2.6"` (one line). |
| `pnpm-lock.yaml` | `tmp@0.2.4` → `tmp@0.2.6` resolved; `@scalar/nestjs-api-reference@1.1.16 → 1.1.19` picked up as a natural transitive resolution during `pnpm install` (no semver-major, both are within the existing `^1.1.14` range and match Renovate's "patch + auto-merge" policy). |

## Risk

Patch bump (0.2.4 → 0.2.6) on a tiny library with a stable public API since v0.2.0. The release notes for 0.2.5 and 0.2.6 are sanitization-only fixes — no API surface change. Risk of regression in nx / lhci consumers: negligible.

## Test plan

- [x] `pnpm audit --audit-level=moderate` returns `No known vulnerabilities found` (exit 0).
- [x] `pnpm why tmp` shows `tmp@0.2.6` as the single resolved version (no duplicate).
- [ ] CI green on Gitea (`check` + `scan` jobs).
- [ ] Once merged, rebase `ci/gitlab-pipeline-phase2` on top and retry the GitLab `audit` job — expected green.

## Related

- [GHSA-ph9p-34f9-6g65](https://github.com/advisories/GHSA-ph9p-34f9-6g65) — the advisory.
- Unblocks [ADR-0028](../docs/decisions/0028-migrate-cicd-and-git-hosting-to-gitlab.md) Phase 2 pipeline parity validation (see `ci/gitlab-pipeline-phase2` branch).

---------

Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #240
2026-05-27 17:29:41 +02:00
2 changed files with 211 additions and 217 deletions
+2 -2
View File
@@ -49,7 +49,7 @@
"follow-redirects@<1.16.0": ">=1.16.0", "follow-redirects@<1.16.0": ">=1.16.0",
"ip-address@<10.1.1": ">=10.1.1", "ip-address@<10.1.1": ">=10.1.1",
"protobufjs@<8.0.2": ">=8.0.2", "protobufjs@<8.0.2": ">=8.0.2",
"tmp@<0.2.4": ">=0.2.4", "tmp@<0.2.6": ">=0.2.6",
"uuid@<11.1.1": ">=11.1.1", "uuid@<11.1.1": ">=11.1.1",
"vitepress>vite": ">=6.4.2 <7", "vitepress>vite": ">=6.4.2 <7",
"ws@>=8.0.0 <8.20.1": ">=8.20.1", "ws@>=8.0.0 <8.20.1": ">=8.20.1",
@@ -95,7 +95,7 @@
"@schematics/angular": "~21.2.0", "@schematics/angular": "~21.2.0",
"@swc-node/register": "1.11.1", "@swc-node/register": "1.11.1",
"@swc/core": "1.15.40", "@swc/core": "1.15.40",
"@swc/helpers": "0.5.21", "@swc/helpers": "0.5.23",
"@tailwindcss/postcss": "^4.2.4", "@tailwindcss/postcss": "^4.2.4",
"@types/cookie-parser": "^1.4.10", "@types/cookie-parser": "^1.4.10",
"@types/d3": "^7.4.3", "@types/d3": "^7.4.3",
+209 -215
View File
File diff suppressed because it is too large Load Diff