b7adf2e308
## Summary Three follow-up fixes uncovered by the first end-to-end CI run on the self-hosted act_runner image (smoke-test PR). - **`check` job** — replace `nrwl/nx-set-shas@v4` (GitHub-API only, 404 on Gitea) with a manual shell step that derives `NX_BASE`/`NX_HEAD` from local git history (merge-base on `pull_request`, `HEAD~1` on `push`). - **`perf` job** — pin to `catthehacker/ubuntu:full-22.04` so Lighthouse CI finds a real Chrome. The default act image (`act-22.04`) is the minimal variant, ships without browsers. - **`package.json`** — declare `pnpm.onlyBuiltDependencies` to silence the "Ignored build scripts" warning and approve only the post-install hooks we actually rely on (Nx, Prisma, esbuild, swc, native watchers/resolvers). No ADR change — these are purely operational adjustments. ## Test plan - [ ] CI run on this PR: `check` and `perf` jobs both green. - [ ] No "Ignored build scripts" warning in `pnpm install` step output. - [ ] After merge, `push` event on `main` re-runs `check`, `scan`, `perf`, `a11y` cleanly (no `nx-set-shas` 404). --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #7
128 lines
4.4 KiB
YAML
128 lines
4.4 KiB
YAML
# Per ADR-0015 (CI/CD on Gitea Actions).
|
|
# Thin YAML — orchestration lives in package.json scripts (ci:check,
|
|
# ci:audit, ci:commits, ci:perf) and Nx targets. Any change to gate
|
|
# behaviour belongs in those scripts, not in this file.
|
|
|
|
name: CI
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [main]
|
|
push:
|
|
branches: [main]
|
|
|
|
jobs:
|
|
check:
|
|
runs-on: [self-hosted, on-prem]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
# Derive NX_BASE / NX_HEAD for `nx affected`. Replaces
|
|
# nrwl/nx-set-shas@v4, which is GitHub-only (it queries the GitHub
|
|
# API to find the last successful workflow run, returning 404 on
|
|
# Gitea). HEAD~1 is a reasonable approximation for push events on
|
|
# a squash-merge trunk; pull_request uses the merge-base with the
|
|
# target branch.
|
|
- name: Derive Nx affected base and head
|
|
shell: bash
|
|
run: |
|
|
# `actions/checkout@v4` with fetch-depth: 0 already pulls every
|
|
# branch and tag, so origin/<base_ref> is present locally — no
|
|
# extra `git fetch` is needed (and `--depth=0` is invalid: git
|
|
# requires a positive integer).
|
|
if [ "${{ github.event_name }}" = "pull_request" ]; then
|
|
echo "NX_BASE=$(git merge-base HEAD origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
|
|
else
|
|
echo "NX_BASE=HEAD~1" >> "$GITHUB_ENV"
|
|
fi
|
|
echo "NX_HEAD=HEAD" >> "$GITHUB_ENV"
|
|
- uses: pnpm/action-setup@v3
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version-file: '.nvmrc'
|
|
cache: 'pnpm'
|
|
- run: pnpm install --frozen-lockfile
|
|
- run: pnpm ci:check
|
|
|
|
scan:
|
|
runs-on: [self-hosted, on-prem]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: pnpm/action-setup@v3
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version-file: '.nvmrc'
|
|
cache: 'pnpm'
|
|
- run: pnpm install --frozen-lockfile
|
|
- run: pnpm ci:audit
|
|
# Dependency vulnerability scan (binary tool, invoked via official
|
|
# action — Trivy is a Go binary, not an npm package, so it cannot
|
|
# live in package.json scripts as cleanly as audit/lint do).
|
|
- uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: fs
|
|
ignore-unfixed: true
|
|
skip-dirs: node_modules
|
|
exit-code: '1'
|
|
severity: 'CRITICAL,HIGH'
|
|
# Secret scan, same reasoning (gitleaks is a Go binary).
|
|
- uses: gitleaks/gitleaks-action@v2
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
commits:
|
|
if: github.event_name == 'pull_request'
|
|
runs-on: [self-hosted, on-prem]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
- uses: pnpm/action-setup@v3
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version-file: '.nvmrc'
|
|
cache: 'pnpm'
|
|
- run: pnpm install --frozen-lockfile
|
|
- run: COMMIT_LINT_FROM=origin/main pnpm ci:commits
|
|
|
|
perf:
|
|
runs-on: [self-hosted, on-prem]
|
|
# Lighthouse CI drives a real Chrome instance; the default act runner
|
|
# image (catthehacker/ubuntu:act-22.04) ships without one. The :full
|
|
# variant adds Chrome, Firefox, and the GUI-test toolchain — pinned
|
|
# to the same Ubuntu 22.04 base as the default labels for parity.
|
|
container:
|
|
image: catthehacker/ubuntu:full-22.04
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: pnpm/action-setup@v3
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version-file: '.nvmrc'
|
|
cache: 'pnpm'
|
|
- run: pnpm install --frozen-lockfile
|
|
- run: pnpm ci:perf
|
|
- uses: actions/upload-artifact@v4
|
|
if: always()
|
|
with:
|
|
name: lighthouseci-report
|
|
path: .lighthouseci/
|
|
retention-days: 30
|
|
|
|
a11y:
|
|
runs-on: [self-hosted, on-prem]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: pnpm/action-setup@v3
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version-file: '.nvmrc'
|
|
cache: 'pnpm'
|
|
- run: pnpm install --frozen-lockfile
|
|
# Placeholder until the e2e a11y suite (axe-core via Playwright,
|
|
# per ADR-0016) is wired with the first real screens. The job
|
|
# exists so branch protection can require it from day one - it
|
|
# currently no-ops with a clear message.
|
|
- run: echo "a11y gate placeholder - axe-core via Playwright wires up with the first real screens (ADR-0016)."
|