2f41178935
The deferred-since-day-one cache-server gap (documented as
"Cache server (deferred)" in infra/README.md, mentioned every
time we hit a slow CI install). Root cause: act_runner's
built-in cache server binds inside the runner container and
advertises an IP on the compose-defined `apf-portal-act-runners`
bridge — but jobs are spawned via the mounted /var/run/docker.
sock, which puts them on Docker's anonymous default `bridge`
instead. The advertised URL is unreachable from the job, every
cache request burns a ~2 min ETIMEDOUT (restore + save), the
hit rate is zero.
Fix: tell act_runner to attach jobs to the same compose-defined
bridge as the runners, via `container.network` in the shared
runner-config.yaml. The advertised cache URL becomes a normal
internal-network DNS hop, jobs reach the cache server, and
`cache: 'pnpm'` works end-to-end.
The blast-radius trade-off is bounded: every container on the
apf-portal-act-runners network is one of our runner containers
(plus the jobs they spawn), all of which already have full
docker-socket access. Sharing a network does not widen what a
malicious workflow can already do; it just lets jobs reach the
cache server.
Changes:
- infra/runner-config.yaml: add `container.network: apf-portal-
act-runners`. Surface the `cache.enabled: true` default
explicitly so a future contributor knows where the toggle is.
- .gitea/workflows/ci.yml: re-enable `cache: 'pnpm'` on every
actions/setup-node step (5 jobs). Drop the now-stale block
comment that explained the disablement.
- .gitea/workflows/security-scheduled.yml: same on the two
setup-node steps in this workflow.
- infra/README.md "Cache server" section rewritten — was
"(deferred)", now describes the working setup, with the
rationale and blast-radius note. The disable toggle is
documented inline.
- ci.yml's Trivy comment trimmed to drop the cross-reference to
the deferred-cache-server section that no longer exists.
Roll-out on the runner host (manual, post-merge):
cd <repo>/infra
git pull
./ci-runners.sh rotate
`rotate` recreates the containers with the new
runner-config.yaml mount intact. The first CI job after rollout
seeds the cache from cold (~30-60 s install); subsequent jobs
should report `reused N` instead of `downloaded N` in the
`pnpm install --frozen-lockfile` line and finish a few minutes
faster overall.
106 lines
4.2 KiB
YAML
106 lines
4.2 KiB
YAML
# Per ADR-0015 (CI/CD on Gitea Actions). Weekly full-tree security
|
|
# scans plus a Lighthouse run against the production environment when
|
|
# its URL is configured. Complements the per-PR ci.yml workflow with
|
|
# broader / longer-running checks that don't fit the per-PR budget.
|
|
|
|
name: Security and perf — scheduled
|
|
|
|
on:
|
|
schedule:
|
|
# Mondays, 04:00 UTC — outside business hours; before the week starts.
|
|
- cron: '0 4 * * 1'
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
full-tree-scan:
|
|
runs-on: [self-hosted, on-prem]
|
|
# Step ordering mirrors ci.yml: scanners run before `pnpm install`
|
|
# so the working tree is not polluted with node_modules content
|
|
# (READMEs / fixtures of upstream packages contain demo
|
|
# secrets that gitleaks false-positives on by the hundreds).
|
|
# The deep-history gitleaks scan here doesn't strictly need it
|
|
# (history doesn't contain node_modules), but consistency with
|
|
# ci.yml keeps the two workflows reading the same way.
|
|
steps:
|
|
# fetch-depth: 0 → full history. The per-PR gitleaks scan is
|
|
# shallow + working-tree-only; this scheduled job is where we
|
|
# do the deep history scan that catches secrets ever committed
|
|
# (and not just what's currently checked in).
|
|
- uses: actions/checkout@v6
|
|
with:
|
|
fetch-depth: 0
|
|
- uses: pnpm/action-setup@v6
|
|
- uses: actions/setup-node@v6
|
|
with:
|
|
node-version-file: '.nvmrc'
|
|
cache: 'pnpm'
|
|
# Full-tree Trivy (no skip-dirs, no severity filter — the per-PR
|
|
# gate filters by severity for speed; this run wants the full
|
|
# surface for the security feed). Manual install + curl, same
|
|
# pattern as ci.yml — see the rationale there.
|
|
- name: Install Trivy
|
|
env:
|
|
# renovate: datasource=github-releases depName=aquasecurity/trivy
|
|
TRIVY_VERSION: '0.70.0'
|
|
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
|
run: |
|
|
curl -sfL \
|
|
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
|
-o /tmp/trivy.tar.gz \
|
|
"https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
|
|
tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy
|
|
trivy --version
|
|
- name: Run Trivy
|
|
run: |
|
|
trivy fs \
|
|
--scanners vuln \
|
|
--ignore-unfixed \
|
|
.
|
|
# Deep gitleaks scan (full git history). Same install pattern as
|
|
# ci.yml. `--redact` masks any matched secret in the log so we
|
|
# don't leak it via CI logs themselves.
|
|
- name: Install gitleaks
|
|
env:
|
|
# renovate: datasource=github-releases depName=gitleaks/gitleaks
|
|
GITLEAKS_VERSION: '8.30.1'
|
|
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
|
|
run: |
|
|
curl -sfL \
|
|
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
|
-o /tmp/gitleaks.tar.gz \
|
|
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
|
|
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
|
|
gitleaks version
|
|
- name: Run gitleaks (full history)
|
|
run: |
|
|
gitleaks detect \
|
|
--source . \
|
|
--redact \
|
|
--exit-code 1
|
|
# npm-advisory check (against pnpm-lock.yaml). Run last so
|
|
# `pnpm install` does not pollute the working tree before the
|
|
# scanners above.
|
|
- run: pnpm install --frozen-lockfile
|
|
- run: pnpm audit
|
|
|
|
lighthouse-prod:
|
|
# Skipped silently if the prod URL hasn't been configured yet.
|
|
if: vars.LHCI_PROD_URL != ''
|
|
runs-on: [self-hosted, on-prem]
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
- uses: pnpm/action-setup@v6
|
|
- uses: actions/setup-node@v6
|
|
with:
|
|
node-version-file: '.nvmrc'
|
|
cache: 'pnpm'
|
|
- run: pnpm install --frozen-lockfile
|
|
- run: pnpm exec lhci collect --url=${{ vars.LHCI_PROD_URL }} --numberOfRuns=3
|
|
- run: pnpm exec lhci assert --config=./lighthouserc.js
|
|
- uses: actions/upload-artifact@v7
|
|
if: always()
|
|
with:
|
|
name: lighthouseci-prod-report
|
|
path: .lighthouseci/
|
|
retention-days: 90
|