# Per ADR-0015 (CI/CD on Gitea Actions). # Thin YAML — orchestration lives in package.json scripts (ci:check, # ci:audit, ci:commits, ci:perf) and Nx targets. Any change to gate # behaviour belongs in those scripts, not in this file. name: CI on: pull_request: branches: [main] push: branches: [main] jobs: check: runs-on: [self-hosted, on-prem] steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - uses: nrwl/nx-set-shas@v4 - uses: pnpm/action-setup@v3 - uses: actions/setup-node@v4 with: node-version-file: '.nvmrc' cache: 'pnpm' - run: pnpm install --frozen-lockfile - run: pnpm ci:check scan: runs-on: [self-hosted, on-prem] steps: - uses: actions/checkout@v4 - uses: pnpm/action-setup@v3 - uses: actions/setup-node@v4 with: node-version-file: '.nvmrc' cache: 'pnpm' - run: pnpm install --frozen-lockfile - run: pnpm ci:audit # Dependency vulnerability scan (binary tool, invoked via official # action — Trivy is a Go binary, not an npm package, so it cannot # live in package.json scripts as cleanly as audit/lint do). - uses: aquasecurity/trivy-action@master with: scan-type: fs ignore-unfixed: true skip-dirs: node_modules exit-code: '1' severity: 'CRITICAL,HIGH' # Secret scan, same reasoning (gitleaks is a Go binary). - uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} commits: if: github.event_name == 'pull_request' runs-on: [self-hosted, on-prem] steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - uses: pnpm/action-setup@v3 - uses: actions/setup-node@v4 with: node-version-file: '.nvmrc' cache: 'pnpm' - run: pnpm install --frozen-lockfile - run: COMMIT_LINT_FROM=origin/main pnpm ci:commits perf: runs-on: [self-hosted, on-prem] steps: - uses: actions/checkout@v4 - uses: pnpm/action-setup@v3 - uses: actions/setup-node@v4 with: node-version-file: '.nvmrc' cache: 'pnpm' - run: pnpm install --frozen-lockfile - run: pnpm ci:perf - uses: actions/upload-artifact@v4 if: always() with: name: lighthouseci-report path: .lighthouseci/ retention-days: 30 a11y: runs-on: [self-hosted, on-prem] steps: - uses: actions/checkout@v4 - uses: pnpm/action-setup@v3 - uses: actions/setup-node@v4 with: node-version-file: '.nvmrc' cache: 'pnpm' - run: pnpm install --frozen-lockfile # Placeholder until the e2e a11y suite (axe-core via Playwright, # per ADR-0016) is wired with the first real screens. The job # exists so branch protection can require it from day one - it # currently no-ops with a clear message. - run: echo "a11y gate placeholder - axe-core via Playwright wires up with the first real screens (ADR-0016)."