ci: no external checkout; no apt; bash + node dns harden

2026-01-22 17:42:36 +01:00
parent 7cee744208
commit 0888d6b424
1 changed files with 59 additions and 7 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -2,25 +2,77 @@ name: CI

 on:
  push:
-    branches: ["**"]
  pull_request:
    branches: ["master"]

+env:
+  NODE_OPTIONS: --dns-result-order=ipv4first
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
  build-and-anchors:
    runs-on: ubuntu-latest
    container:
-      image: node:20-bookworm-slim
+      image: mcr.microsoft.com/devcontainers/javascript-node:20-bookworm

    steps:
-      - name: Install git (needed by checkout)
+      - name: Tools sanity
        run: |
-          apt-get update
-          apt-get install -y --no-install-recommends git ca-certificates
+          set -euo pipefail
          git --version
+          node --version
+          npm --version
+          npm ping --registry=https://registry.npmjs.org

-      - name: Checkout
-        uses: actions/checkout@v4
+      # Checkout SANS action externe (pas de github.com)
+      - name: Checkout (from Gitea, no external actions)
+        run: |
+          set -euo pipefail
+
+          echo "GITEA_SERVER_URL=${GITEA_SERVER_URL:-}"
+          echo "GITEA_REPOSITORY=${GITEA_REPOSITORY:-}"
+          echo "GITEA_SHA=${GITEA_SHA:-}"
+          echo "GITEA_REF=${GITEA_REF:-}"
+
+          # On nettoie l'espace de travail (au cas où)
+          rm -rf .git || true
+
+          # URL du repo
+          REPO_URL="${GITEA_SERVER_URL}/${GITEA_REPOSITORY}.git"
+
+          # Auth via token si présent (Gitea fournit généralement GITEA_TOKEN)
+          if [ -n "${GITEA_TOKEN:-}" ]; then
+            AUTH_URL="$(echo "$REPO_URL" | sed "s#^https://#https://oauth2:${GITEA_TOKEN}@#")"
+          else
+            AUTH_URL="$REPO_URL"
+          fi
+
+          git init .
+          git remote add origin "$AUTH_URL"
+
+          # On récupère exactement le commit du run
+          if [ -n "${GITEA_SHA:-}" ]; then
+            git fetch --depth=1 origin "$GITEA_SHA"
+            git checkout -q FETCH_HEAD
+          else
+            # fallback si SHA absent
+            git fetch --depth=1 origin "${GITEA_REF:-master}"
+            git checkout -q FETCH_HEAD
+          fi
+
+          git log -1 --oneline
+
+      - name: NPM harden
+        run: |
+          set -euo pipefail
+          npm config set fetch-retries 5
+          npm config set fetch-retry-mintimeout 20000
+          npm config set fetch-retry-maxtimeout 120000
+          npm config set registry https://registry.npmjs.org
+          npm config get registry

      - name: Install deps
        run: npm ci