Port .gitea/workflows/ci.yml job-by-job to GitLab CI per ADR-0028
section Migration sequence Phase 2. Architectural principles from
ADR-0015 preserved verbatim (thin YAML, gates as package.json
scripts, defense-in-depth on conventional commits).
Job parity:
- check / commits / perf / a11y -> 1:1 port; Gitea variable names
rewritten to GitLab equivalents.
- scan -> sast + secret_detection (built-in GitLab includes) + audit
(pnpm audit kept for npm-advisory defense in depth). The manual
Trivy + gitleaks install plus the two paywalled-action workarounds
documented in the Gitea workflow go away per ADR-0028 section
What changes.
Notable adaptations: explicit cache block keyed on pnpm-lock.yaml,
no default:image (would override analyzer images), Playwright image
for perf to dovetail with the upcoming ADR-0016 axe-core e2e.
Phase 2 keeps both pipelines green for ~1 calendar week per
ADR-0028 section Confirmation. Phase 3 deletes .gitea/workflows
and tightens the push rule to main only.