From 1117d7fb895560d642db1c53b0750cd9eb3919c1 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Mon, 4 May 2026 13:22:21 +0200 Subject: [PATCH 1/3] fix(ci): post-runner-image cleanup Three follow-up fixes uncovered by the first end-to-end CI run on the self-hosted act_runner image: - Replace `nrwl/nx-set-shas@v4` with a manual shell step. The action queries the GitHub API to discover the last successful workflow run and returns 404 on Gitea. The replacement derives NX_BASE/NX_HEAD from local git history (merge-base with the target branch on pull_request, HEAD~1 on push to main). - Pin the `perf` job to `catthehacker/ubuntu:full-22.04` so Lighthouse CI finds a real Chrome. The default act image (act-22.04) is the minimal variant and ships without browsers. - Declare `pnpm.onlyBuiltDependencies` to silence the "Ignored build scripts" warning and approve only the packages whose post-install hooks we actually rely on (Nx, Prisma, esbuild, swc, native watchers/resolvers). --- .gitea/workflows/ci.yml | 23 ++++++++++++++++++++++- package.json | 16 ++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 8b5c25e..139f51a 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -18,7 +18,22 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: nrwl/nx-set-shas@v4 + # Derive NX_BASE / NX_HEAD for `nx affected`. Replaces + # nrwl/nx-set-shas@v4, which is GitHub-only (it queries the GitHub + # API to find the last successful workflow run, returning 404 on + # Gitea). HEAD~1 is a reasonable approximation for push events on + # a squash-merge trunk; pull_request uses the merge-base with the + # target branch. + - name: Derive Nx affected base and head + shell: bash + run: | + if [ "${{ github.event_name }}" = "pull_request" ]; then + git fetch origin "${{ github.base_ref }}" --depth=0 + echo "NX_BASE=$(git merge-base HEAD origin/${{ github.base_ref }})" >> "$GITHUB_ENV" + else + echo "NX_BASE=HEAD~1" >> "$GITHUB_ENV" + fi + echo "NX_HEAD=HEAD" >> "$GITHUB_ENV" - uses: pnpm/action-setup@v3 - uses: actions/setup-node@v4 with: @@ -70,6 +85,12 @@ jobs: perf: runs-on: [self-hosted, on-prem] + # Lighthouse CI drives a real Chrome instance; the default act runner + # image (catthehacker/ubuntu:act-22.04) ships without one. The :full + # variant adds Chrome, Firefox, and the GUI-test toolchain — pinned + # to the same Ubuntu 22.04 base as the default labels for parity. + container: + image: catthehacker/ubuntu:full-22.04 steps: - uses: actions/checkout@v4 - uses: pnpm/action-setup@v3 diff --git a/package.json b/package.json index 2265fb8..3be8b8f 100644 --- a/package.json +++ b/package.json @@ -16,6 +16,22 @@ "prettier --write" ] }, + "pnpm": { + "onlyBuiltDependencies": [ + "@nestjs/core", + "@parcel/watcher", + "@prisma/client", + "@prisma/engines", + "@swc/core", + "esbuild", + "less", + "lmdb", + "msgpackr-extract", + "nx", + "prisma", + "unrs-resolver" + ] + }, "devDependencies": { "@analogjs/vite-plugin-angular": "~2.1.2", "@analogjs/vitest-angular": "~2.1.2", -- 2.30.2 From e59d3a010b529013cca899e64ad39e4c57e9b5f0 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Mon, 4 May 2026 13:28:19 +0200 Subject: [PATCH 2/3] fix(ci): drop invalid `git fetch --depth=0` in Nx base resolution MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `actions/checkout@v4` already runs with `fetch-depth: 0`, which pulls every branch and tag — origin/ is therefore present locally and the explicit fetch is redundant. The flag value `--depth=0` is itself invalid (git requires a positive integer), so the step failed with `fatal: depth 0 is not a positive number` on every PR run. --- .gitea/workflows/ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 139f51a..80db345 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -27,8 +27,11 @@ jobs: - name: Derive Nx affected base and head shell: bash run: | + # `actions/checkout@v4` with fetch-depth: 0 already pulls every + # branch and tag, so origin/ is present locally — no + # extra `git fetch` is needed (and `--depth=0` is invalid: git + # requires a positive integer). if [ "${{ github.event_name }}" = "pull_request" ]; then - git fetch origin "${{ github.base_ref }}" --depth=0 echo "NX_BASE=$(git merge-base HEAD origin/${{ github.base_ref }})" >> "$GITHUB_ENV" else echo "NX_BASE=HEAD~1" >> "$GITHUB_ENV" -- 2.30.2 From 0ceb7fea687646c8ad13d7827e7d495b2636edad Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Mon, 4 May 2026 14:25:28 +0200 Subject: [PATCH 3/3] fix(ci): pass --no-sandbox to Chrome in Lighthouse CI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Chrome's user-namespace sandbox is unusable inside the act runner container — the host kernel's AppArmor profile (Ubuntu 23.10+) blocks unprivileged user namespaces, so Chrome aborts at the zygote stage with `No usable sandbox`. Lighthouse never connects to the browser and the perf gate fails. `--no-sandbox` is the standard workaround documented by Lighthouse, Puppeteer, and Playwright for containerised CI. The residual risk is acceptable: the browser only loads our own freshly built bundle from http://localhost:4200/ inside an ephemeral self-hosted runner — no untrusted content reaches the renderer. --- lighthouserc.js | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/lighthouserc.js b/lighthouserc.js index 9d44732..d8a2575 100644 --- a/lighthouserc.js +++ b/lighthouserc.js @@ -23,6 +23,16 @@ module.exports = { // Slow-4G profile so scores are stable across CI runners and // comparable to industry public benchmarks. preset: 'desktop', + // Chrome's user-namespace sandbox is disabled inside the act + // runner container (AppArmor restriction on the host kernel), + // so Chrome fails to launch with a "No usable sandbox" zygote + // error. `--no-sandbox` is the standard Lighthouse / Puppeteer + // / Playwright workaround for containerised CI: the residual + // risk is acceptable because Chrome only loads our own freshly + // built bundle from http://localhost:4200/ inside an ephemeral + // self-hosted runner container — no untrusted content reaches + // the browser process. + chromeFlags: '--no-sandbox', }, }, assert: { -- 2.30.2