0ceb7fea68
Chrome's user-namespace sandbox is unusable inside the act runner container — the host kernel's AppArmor profile (Ubuntu 23.10+) blocks unprivileged user namespaces, so Chrome aborts at the zygote stage with `No usable sandbox`. Lighthouse never connects to the browser and the perf gate fails. `--no-sandbox` is the standard workaround documented by Lighthouse, Puppeteer, and Playwright for containerised CI. The residual risk is acceptable: the browser only loads our own freshly built bundle from http://localhost:4200/ inside an ephemeral self-hosted runner — no untrusted content reaches the renderer.
61 lines
2.6 KiB
JavaScript
61 lines
2.6 KiB
JavaScript
/**
|
|
* Lighthouse CI configuration — per ADR-0017 (Performance budgets).
|
|
*
|
|
* Thresholds match the Google "Good" Core Web Vitals values plus the
|
|
* Lighthouse Performance score floor we set as the project bar.
|
|
*
|
|
* Critical-routes list grows as features land. v1 only checks the
|
|
* static-served portal-shell bundle (which today shows the Nx Welcome
|
|
* placeholder); meaningful per-route assertions land alongside the
|
|
* features that introduce those routes.
|
|
*/
|
|
module.exports = {
|
|
ci: {
|
|
collect: {
|
|
// Serve the production bundle statically (no BFF needed for v1
|
|
// measurements). When real auth / routes exist, the URL list
|
|
// expands to the critical-routes list documented in ADR-0017.
|
|
startServerCommand: 'pnpm nx run portal-shell:serve-static',
|
|
startServerReadyPattern: 'Available on:',
|
|
url: ['http://localhost:4200/'],
|
|
numberOfRuns: 3,
|
|
settings: {
|
|
// Slow-4G profile so scores are stable across CI runners and
|
|
// comparable to industry public benchmarks.
|
|
preset: 'desktop',
|
|
// Chrome's user-namespace sandbox is disabled inside the act
|
|
// runner container (AppArmor restriction on the host kernel),
|
|
// so Chrome fails to launch with a "No usable sandbox" zygote
|
|
// error. `--no-sandbox` is the standard Lighthouse / Puppeteer
|
|
// / Playwright workaround for containerised CI: the residual
|
|
// risk is acceptable because Chrome only loads our own freshly
|
|
// built bundle from http://localhost:4200/ inside an ephemeral
|
|
// self-hosted runner container — no untrusted content reaches
|
|
// the browser process.
|
|
chromeFlags: '--no-sandbox',
|
|
},
|
|
},
|
|
assert: {
|
|
assertions: {
|
|
// Core Web Vitals (Google "Good"), per ADR-0017
|
|
'largest-contentful-paint': ['error', { maxNumericValue: 2500 }],
|
|
'cumulative-layout-shift': ['error', { maxNumericValue: 0.1 }],
|
|
'total-blocking-time': ['error', { maxNumericValue: 200 }],
|
|
'server-response-time': ['error', { maxNumericValue: 800 }],
|
|
// Aggregate score — our gate is "Performance >= 90"
|
|
'categories:performance': ['error', { minScore: 0.9 }],
|
|
// a11y is enforced by the dedicated a11y gate (axe-core,
|
|
// ADR-0016) — keep Lighthouse a11y as a soft signal here.
|
|
'categories:accessibility': ['warn', { minScore: 0.9 }],
|
|
// Best practices and SEO are advisory in this gate.
|
|
'categories:best-practices': ['warn', { minScore: 0.9 }],
|
|
'categories:seo': 'off',
|
|
},
|
|
},
|
|
upload: {
|
|
target: 'filesystem',
|
|
outputDir: './.lighthouseci',
|
|
},
|
|
},
|
|
};
|