Seed from NAS prod snapshot 20260130-190531

2026-01-31 10:51:38 +00:00
commit 60d88939b0
142 changed files with 33443 additions and 0 deletions
--- a/docs/CI-WORKFLOW.md
+++ b/docs/CI-WORKFLOW.md
@@ -0,0 +1,173 @@
+# CI-WORKFLOW — snapshot de .gitea/workflows/ci.yml
+
+name: CI
+
+on:
+  push:
+  pull_request:
+    branches: ["master"]
+
+env:
+  NODE_OPTIONS: --dns-result-order=ipv4first
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build-and-anchors:
+    runs-on: ubuntu-latest
+    container:
+      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
+
+    steps:
+      - name: Tools sanity
+        run: |
+          set -euo pipefail
+          git --version
+          node --version
+          npm --version
+          npm ping --registry=https://registry.npmjs.org
+
+      # Checkout SANS action externe (pas de github.com)
+      - name: Checkout (from event.json, no external actions)
+        run: |
+          set -euo pipefail
+
+          EVENT_JSON="/var/run/act/workflow/event.json"
+          if [ ! -f "$EVENT_JSON" ]; then
+            echo "ERROR: missing $EVENT_JSON"
+            ls -la /var/run/act/workflow || true
+            exit 1
+          fi
+
+          # 1) Récupère l'URL du repo depuis event.json
+          REPO_URL="$(node -e '
+            const fs=require("fs");
+            const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8"));
+            let url = ev.repository?.clone_url || ev.repository?.html_url || "";
+            if (!url) process.exit(2);
+            if (!url.endsWith(".git")) url += ".git";
+            process.stdout.write(url);
+          ' "$EVENT_JSON")"
+
+          # 2) Récupère le SHA (push -> after, PR -> pull_request.head.sha)
+          SHA="$(node -e '
+            const fs=require("fs");
+            const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8"));
+            const sha =
+              ev.after ||
+              ev.pull_request?.head?.sha ||
+              ev.head_commit?.id ||
+              "";
+            process.stdout.write(sha);
+          ' "$EVENT_JSON")"
+
+          if [ -z "$SHA" ]; then
+            echo "ERROR: cannot find SHA in event.json"
+            node -e 'const ev=require(process.argv[1]); console.log(Object.keys(ev));' "$EVENT_JSON" || true
+            exit 1
+          fi
+
+          echo "Repo URL: $REPO_URL"
+          echo "SHA: $SHA"
+
+          # 3) Ajoute token si disponible (NE PAS afficher le token)
+          AUTH_URL="$REPO_URL"
+          if [ -n "${GITHUB_TOKEN:-}" ] && [[ "$REPO_URL" == https://* ]]; then
+            AUTH_URL="${REPO_URL/https:\/\//https:\/\/oauth2:${GITHUB_TOKEN}@}"
+          elif [ -n "${GITEA_TOKEN:-}" ] && [[ "$REPO_URL" == https://* ]]; then
+            AUTH_URL="${REPO_URL/https:\/\//https:\/\/oauth2:${GITEA_TOKEN}@}"
+          fi
+
+          # 4) Clone minimal + checkout exact du SHA
+          rm -rf .git || true
+          git init .
+
+          # Optionnel si ton Gitea a un TLS “non standard” (certificat) :
+          # git config --global http.sslVerify false
+
+          git remote add origin "$AUTH_URL"
+          git fetch --depth=1 origin "$SHA"
+          git checkout -q FETCH_HEAD
+
+          git log -1 --oneline
+      
+      - name: Anchor aliases schema
+        run: node scripts/check-anchor-aliases.mjs
+
+      - name: NPM harden
+        run: |
+          set -euo pipefail
+          npm config set fetch-retries 5
+          npm config set fetch-retry-mintimeout 20000
+          npm config set fetch-retry-maxtimeout 120000
+          npm config set registry https://registry.npmjs.org
+          npm config get registry
+
+      - name: Install deps
+        run: npm ci
+
+      - name: Inline scripts syntax check
+        run: node scripts/check-inline-js.mjs
+
+      - name: Build
+        run: npm run build
+
+      - name: Verify anchor aliases injected
+        run: node scripts/verify-anchor-aliases-in-dist.mjs
+
+      - name: Anchors contract
+        run: npm run test:anchors
+
+_________________________________________________
+
+Dernière mise à jour : 2026-01-29
+
+Ce document complète `CI-BASELINE.md` et décrit l’intention :
+- ne pas casser les ancres
+- garantir un dist propre
+- garder le pipeline simple et déterministe
+
+---
+
+## 1) Principe
+
+Le CI doit exécuter exactement ce que le dev exécute :
+- `npm ci`
+- `npm test`
+
+Pas de magie, pas de step “inventée”.
+
+---
+
+## 2) Points critiques
+
+### A) Build via npm (pas via astro direct)
+Toujours en bash :
+
+npm run build
+
+pour exécuter postbuild :
+
+injection aliases
+
+génération pagefind
+
+### B) Dist “HTML only”
+
+L’audit dist ignore scripts/styles pour détecter les vrais IDs HTML.
+
+## 3) Runner Synology / réseau
+
+En contexte DSM (Docker), si le runner build des images :
+
+activer BuildKit
+
+si besoin, build en network host (comme en prod NAS)
+
+Voir :
+
+DEPLOY_PROD_SYNOLOGY_DS220.md
+
+OPS_COCKPIT.md