ci(gitlab): land .gitlab-ci.yml alongside gitea workflow (ADR-0028 phase 2) #241

Merged
julien merged 1 commits from ci/gitlab-pipeline-phase2 into main 2026-05-27 17:53:40 +02:00
Owner

Summary

Bump the existing tmp security override from >=0.2.4 to >=0.2.6 to cover GHSA-ph9p-34f9-6g65 — a path-traversal vulnerability via unsanitized prefix/postfix in tmp@<0.2.6. Surfaced by pnpm ci:audit on the next CI run; both Gitea and the in-flight GitLab Phase 2 pipeline fail without this.

Why this isn't an upstream upgrade

tmp is a transitive dependency. The two consuming paths today:

Path Latest available
.>nx>tmp nx@22.7.4 still declares tmp@^0.2.4
.>@lhci/cli>tmp @lhci/cli@0.15.1 (latest) still declares tmp@^0.1.0

Upgrading nx or @lhci/cli does not move tmp to 0.2.6. The pre-existing pnpm.overrides entry was already pinning tmp@<0.2.4>=0.2.4 against the prior advisory; this PR just widens the lower bound to match the new one. Same pattern, one line.

What lands

File Change
package.json "tmp@<0.2.4": ">=0.2.4""tmp@<0.2.6": ">=0.2.6" (one line).
pnpm-lock.yaml tmp@0.2.4tmp@0.2.6 resolved; @scalar/nestjs-api-reference@1.1.16 → 1.1.19 picked up as a natural transitive resolution during pnpm install (no semver-major, both are within the existing ^1.1.14 range and match Renovate's "patch + auto-merge" policy).

Risk

Patch bump (0.2.4 → 0.2.6) on a tiny library with a stable public API since v0.2.0. The release notes for 0.2.5 and 0.2.6 are sanitization-only fixes — no API surface change. Risk of regression in nx / lhci consumers: negligible.

Test plan

  • pnpm audit --audit-level=moderate returns No known vulnerabilities found (exit 0).
  • pnpm why tmp shows tmp@0.2.6 as the single resolved version (no duplicate).
  • CI green on Gitea (check + scan jobs).
  • Once merged, rebase ci/gitlab-pipeline-phase2 on top and retry the GitLab audit job — expected green.

Related

## Summary Bump the existing `tmp` security override from `>=0.2.4` to `>=0.2.6` to cover [GHSA-ph9p-34f9-6g65](https://github.com/advisories/GHSA-ph9p-34f9-6g65) — a path-traversal vulnerability via unsanitized prefix/postfix in `tmp@<0.2.6`. Surfaced by `pnpm ci:audit` on the next CI run; both Gitea and the in-flight GitLab Phase 2 pipeline fail without this. ## Why this isn't an upstream upgrade `tmp` is a transitive dependency. The two consuming paths today: | Path | Latest available | | --- | --- | | `.>nx>tmp` | `nx@22.7.4` still declares `tmp@^0.2.4` | | `.>@lhci/cli>tmp` | `@lhci/cli@0.15.1` (latest) still declares `tmp@^0.1.0` | Upgrading `nx` or `@lhci/cli` does not move `tmp` to 0.2.6. The pre-existing `pnpm.overrides` entry was already pinning `tmp@<0.2.4` → `>=0.2.4` against the prior advisory; this PR just widens the lower bound to match the new one. Same pattern, one line. ## What lands | File | Change | | --- | --- | | `package.json` | `"tmp@<0.2.4": ">=0.2.4"` → `"tmp@<0.2.6": ">=0.2.6"` (one line). | | `pnpm-lock.yaml` | `tmp@0.2.4` → `tmp@0.2.6` resolved; `@scalar/nestjs-api-reference@1.1.16 → 1.1.19` picked up as a natural transitive resolution during `pnpm install` (no semver-major, both are within the existing `^1.1.14` range and match Renovate's "patch + auto-merge" policy). | ## Risk Patch bump (0.2.4 → 0.2.6) on a tiny library with a stable public API since v0.2.0. The release notes for 0.2.5 and 0.2.6 are sanitization-only fixes — no API surface change. Risk of regression in nx / lhci consumers: negligible. ## Test plan - [x] `pnpm audit --audit-level=moderate` returns `No known vulnerabilities found` (exit 0). - [x] `pnpm why tmp` shows `tmp@0.2.6` as the single resolved version (no duplicate). - [ ] CI green on Gitea (`check` + `scan` jobs). - [ ] Once merged, rebase `ci/gitlab-pipeline-phase2` on top and retry the GitLab `audit` job — expected green. ## Related - [GHSA-ph9p-34f9-6g65](https://github.com/advisories/GHSA-ph9p-34f9-6g65) — the advisory. - Unblocks [ADR-0028](../docs/decisions/0028-migrate-cicd-and-git-hosting-to-gitlab.md) Phase 2 pipeline parity validation (see `ci/gitlab-pipeline-phase2` branch).
julien added 1 commit 2026-05-27 17:53:25 +02:00
ci(gitlab): land .gitlab-ci.yml alongside gitea workflow (ADR-0028 phase 2)
CI / scan (pull_request) Successful in 2m39s
CI / commits (pull_request) Successful in 2m38s
CI / check (pull_request) Successful in 2m51s
CI / a11y (pull_request) Successful in 2m28s
CI / perf (pull_request) Successful in 6m37s
b25d4fb944
Port .gitea/workflows/ci.yml job-by-job to GitLab CI per ADR-0028
section Migration sequence Phase 2. Architectural principles from
ADR-0015 preserved verbatim (thin YAML, gates as package.json
scripts, defense-in-depth on conventional commits).

Job parity:
- check / commits / perf / a11y -> 1:1 port; Gitea variable names
  rewritten to GitLab equivalents.
- scan -> sast + secret_detection (built-in GitLab includes) + audit
  (pnpm audit kept for npm-advisory defense in depth). The manual
  Trivy + gitleaks install plus the two paywalled-action workarounds
  documented in the Gitea workflow go away per ADR-0028 section
  What changes.

Notable adaptations: explicit cache block keyed on pnpm-lock.yaml,
no default:image (would override analyzer images), Playwright image
for perf to dovetail with the upcoming ADR-0016 axe-core e2e.

Phase 2 keeps both pipelines green for ~1 calendar week per
ADR-0028 section Confirmation. Phase 3 deletes .gitea/workflows
and tightens the push rule to main only.
julien merged commit c24795f1d6 into main 2026-05-27 17:53:40 +02:00
julien deleted branch ci/gitlab-pipeline-phase2 2026-05-27 17:53:42 +02:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: julien/apf_portal#241