Files
apf_portal/.gitea/workflows/ci.yml
T
Julien Gautier 1117d7fb89
CI / check (pull_request) Failing after 8s
CI / scan (pull_request) Failing after 7m23s
CI / commits (pull_request) Successful in 13m50s
CI / a11y (pull_request) Successful in 13m47s
CI / perf (pull_request) Failing after 52m25s
fix(ci): post-runner-image cleanup
Three follow-up fixes uncovered by the first end-to-end CI run on the
self-hosted act_runner image:

- Replace `nrwl/nx-set-shas@v4` with a manual shell step. The action
  queries the GitHub API to discover the last successful workflow run
  and returns 404 on Gitea. The replacement derives NX_BASE/NX_HEAD
  from local git history (merge-base with the target branch on
  pull_request, HEAD~1 on push to main).
- Pin the `perf` job to `catthehacker/ubuntu:full-22.04` so Lighthouse
  CI finds a real Chrome. The default act image (act-22.04) is the
  minimal variant and ships without browsers.
- Declare `pnpm.onlyBuiltDependencies` to silence the "Ignored build
  scripts" warning and approve only the packages whose post-install
  hooks we actually rely on (Nx, Prisma, esbuild, swc, native
  watchers/resolvers).
2026-05-04 13:22:21 +02:00

125 lines
4.2 KiB
YAML

# Per ADR-0015 (CI/CD on Gitea Actions).
# Thin YAML — orchestration lives in package.json scripts (ci:check,
# ci:audit, ci:commits, ci:perf) and Nx targets. Any change to gate
# behaviour belongs in those scripts, not in this file.
name: CI
on:
pull_request:
branches: [main]
push:
branches: [main]
jobs:
check:
runs-on: [self-hosted, on-prem]
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
# Derive NX_BASE / NX_HEAD for `nx affected`. Replaces
# nrwl/nx-set-shas@v4, which is GitHub-only (it queries the GitHub
# API to find the last successful workflow run, returning 404 on
# Gitea). HEAD~1 is a reasonable approximation for push events on
# a squash-merge trunk; pull_request uses the merge-base with the
# target branch.
- name: Derive Nx affected base and head
shell: bash
run: |
if [ "${{ github.event_name }}" = "pull_request" ]; then
git fetch origin "${{ github.base_ref }}" --depth=0
echo "NX_BASE=$(git merge-base HEAD origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
else
echo "NX_BASE=HEAD~1" >> "$GITHUB_ENV"
fi
echo "NX_HEAD=HEAD" >> "$GITHUB_ENV"
- uses: pnpm/action-setup@v3
- uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: pnpm ci:check
scan:
runs-on: [self-hosted, on-prem]
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v3
- uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: pnpm ci:audit
# Dependency vulnerability scan (binary tool, invoked via official
# action — Trivy is a Go binary, not an npm package, so it cannot
# live in package.json scripts as cleanly as audit/lint do).
- uses: aquasecurity/trivy-action@master
with:
scan-type: fs
ignore-unfixed: true
skip-dirs: node_modules
exit-code: '1'
severity: 'CRITICAL,HIGH'
# Secret scan, same reasoning (gitleaks is a Go binary).
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
commits:
if: github.event_name == 'pull_request'
runs-on: [self-hosted, on-prem]
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: pnpm/action-setup@v3
- uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: COMMIT_LINT_FROM=origin/main pnpm ci:commits
perf:
runs-on: [self-hosted, on-prem]
# Lighthouse CI drives a real Chrome instance; the default act runner
# image (catthehacker/ubuntu:act-22.04) ships without one. The :full
# variant adds Chrome, Firefox, and the GUI-test toolchain — pinned
# to the same Ubuntu 22.04 base as the default labels for parity.
container:
image: catthehacker/ubuntu:full-22.04
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v3
- uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
- run: pnpm ci:perf
- uses: actions/upload-artifact@v4
if: always()
with:
name: lighthouseci-report
path: .lighthouseci/
retention-days: 30
a11y:
runs-on: [self-hosted, on-prem]
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v3
- uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
cache: 'pnpm'
- run: pnpm install --frozen-lockfile
# Placeholder until the e2e a11y suite (axe-core via Playwright,
# per ADR-0016) is wired with the first real screens. The job
# exists so branch protection can require it from day one - it
# currently no-ops with a clear message.
- run: echo "a11y gate placeholder - axe-core via Playwright wires up with the first real screens (ADR-0016)."