fix(ci): post-runner-image cleanup #7

Merged
julien merged 3 commits from fix/ci/post-runner-image-cleanup into main 2026-05-04 14:55:15 +02:00
Owner

Summary

Three follow-up fixes uncovered by the first end-to-end CI run on the self-hosted act_runner image (smoke-test PR).

  • check job — replace nrwl/nx-set-shas@v4 (GitHub-API only, 404 on Gitea) with a manual shell step that derives NX_BASE/NX_HEAD from local git history (merge-base on pull_request, HEAD~1 on push).
  • perf job — pin to catthehacker/ubuntu:full-22.04 so Lighthouse CI finds a real Chrome. The default act image (act-22.04) is the minimal variant, ships without browsers.
  • package.json — declare pnpm.onlyBuiltDependencies to silence the "Ignored build scripts" warning and approve only the post-install hooks we actually rely on (Nx, Prisma, esbuild, swc, native watchers/resolvers).

No ADR change — these are purely operational adjustments.

Test plan

  • CI run on this PR: check and perf jobs both green.
  • No "Ignored build scripts" warning in pnpm install step output.
  • After merge, push event on main re-runs check, scan, perf, a11y cleanly (no nx-set-shas 404).
## Summary Three follow-up fixes uncovered by the first end-to-end CI run on the self-hosted act_runner image (smoke-test PR). - **`check` job** — replace `nrwl/nx-set-shas@v4` (GitHub-API only, 404 on Gitea) with a manual shell step that derives `NX_BASE`/`NX_HEAD` from local git history (merge-base on `pull_request`, `HEAD~1` on `push`). - **`perf` job** — pin to `catthehacker/ubuntu:full-22.04` so Lighthouse CI finds a real Chrome. The default act image (`act-22.04`) is the minimal variant, ships without browsers. - **`package.json`** — declare `pnpm.onlyBuiltDependencies` to silence the "Ignored build scripts" warning and approve only the post-install hooks we actually rely on (Nx, Prisma, esbuild, swc, native watchers/resolvers). No ADR change — these are purely operational adjustments. ## Test plan - [ ] CI run on this PR: `check` and `perf` jobs both green. - [ ] No "Ignored build scripts" warning in `pnpm install` step output. - [ ] After merge, `push` event on `main` re-runs `check`, `scan`, `perf`, `a11y` cleanly (no `nx-set-shas` 404).
julien added 1 commit 2026-05-04 13:24:23 +02:00
fix(ci): post-runner-image cleanup
CI / check (pull_request) Failing after 8s
CI / scan (pull_request) Failing after 7m23s
CI / commits (pull_request) Successful in 13m50s
CI / a11y (pull_request) Successful in 13m47s
CI / perf (pull_request) Failing after 52m25s
1117d7fb89
Three follow-up fixes uncovered by the first end-to-end CI run on the
self-hosted act_runner image:

- Replace `nrwl/nx-set-shas@v4` with a manual shell step. The action
  queries the GitHub API to discover the last successful workflow run
  and returns 404 on Gitea. The replacement derives NX_BASE/NX_HEAD
  from local git history (merge-base with the target branch on
  pull_request, HEAD~1 on push to main).
- Pin the `perf` job to `catthehacker/ubuntu:full-22.04` so Lighthouse
  CI finds a real Chrome. The default act image (act-22.04) is the
  minimal variant and ships without browsers.
- Declare `pnpm.onlyBuiltDependencies` to silence the "Ignored build
  scripts" warning and approve only the packages whose post-install
  hooks we actually rely on (Nx, Prisma, esbuild, swc, native
  watchers/resolvers).
julien added 1 commit 2026-05-04 13:28:49 +02:00
fix(ci): drop invalid git fetch --depth=0 in Nx base resolution
CI / check (pull_request) Successful in 13m40s
CI / scan (pull_request) Failing after 8m16s
CI / commits (pull_request) Successful in 15m29s
CI / perf (pull_request) Failing after 24m22s
CI / a11y (pull_request) Successful in 11m14s
e59d3a010b
`actions/checkout@v4` already runs with `fetch-depth: 0`, which pulls
every branch and tag — origin/<base_ref> is therefore present locally
and the explicit fetch is redundant. The flag value `--depth=0` is
itself invalid (git requires a positive integer), so the step failed
with `fatal: depth 0 is not a positive number` on every PR run.
julien added 1 commit 2026-05-04 14:25:59 +02:00
fix(ci): pass --no-sandbox to Chrome in Lighthouse CI
CI / scan (pull_request) Failing after 6m4s
CI / commits (pull_request) Successful in 11m3s
CI / check (pull_request) Successful in 11m16s
CI / perf (pull_request) Successful in 10m49s
CI / a11y (pull_request) Successful in 10m4s
0ceb7fea68
Chrome's user-namespace sandbox is unusable inside the act runner
container — the host kernel's AppArmor profile (Ubuntu 23.10+) blocks
unprivileged user namespaces, so Chrome aborts at the zygote stage
with `No usable sandbox`. Lighthouse never connects to the browser
and the perf gate fails.

`--no-sandbox` is the standard workaround documented by Lighthouse,
Puppeteer, and Playwright for containerised CI. The residual risk is
acceptable: the browser only loads our own freshly built bundle from
http://localhost:4200/ inside an ephemeral self-hosted runner — no
untrusted content reaches the renderer.
julien merged commit b7adf2e308 into main 2026-05-04 14:55:15 +02:00
julien deleted branch fix/ci/post-runner-image-cleanup 2026-05-04 14:55:15 +02:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: julien/apf_portal#7