ci: fix step order (build before dist alias verification)
@@ -2,6 +2,7 @@ name: CI
|
|||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
|
branches: ["**"]
|
||||||
pull_request:
|
pull_request:
|
||||||
branches: ["master"]
|
branches: ["master"]
|
||||||
|
|
||||||
@@ -27,75 +28,48 @@ jobs:
|
|||||||
npm --version
|
npm --version
|
||||||
npm ping --registry=https://registry.npmjs.org
|
npm ping --registry=https://registry.npmjs.org
|
||||||
|
|
||||||
# Checkout SANS action externe (pas de github.com)
|
|
||||||
- name: Checkout (from event.json, no external actions)
|
- name: Checkout (from event.json, no external actions)
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
EVENT_JSON="/var/run/act/workflow/event.json"
|
EVENT_JSON="/var/run/act/workflow/event.json"
|
||||||
if [ ! -f "$EVENT_JSON" ]; then
|
test -f "$EVENT_JSON" || (echo "❌ Missing $EVENT_JSON" && exit 1)
|
||||||
echo "ERROR: missing $EVENT_JSON"
|
|
||||||
ls -la /var/run/act/workflow || true
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# 1) Récupère l'URL du repo depuis event.json
|
# Extract repo clone url + sha from event payload (push or pull_request)
|
||||||
REPO_URL="$(node -e '
|
eval "$(node - <<'NODE'
|
||||||
const fs=require("fs");
|
import fs from "node:fs";
|
||||||
const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8"));
|
const ev = JSON.parse(fs.readFileSync("/var/run/act/workflow/event.json","utf8"));
|
||||||
let url = ev.repository?.clone_url || ev.repository?.html_url || "";
|
|
||||||
if (!url) process.exit(2);
|
const repo =
|
||||||
if (!url.endsWith(".git")) url += ".git";
|
ev?.repository?.clone_url ||
|
||||||
process.stdout.write(url);
|
(ev?.repository?.html_url ? (ev.repository.html_url.replace(/\/$/,'') + ".git") : "");
|
||||||
' "$EVENT_JSON")"
|
|
||||||
|
|
||||||
# 2) Récupère le SHA (push -> after, PR -> pull_request.head.sha)
|
|
||||||
SHA="$(node -e '
|
|
||||||
const fs=require("fs");
|
|
||||||
const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8"));
|
|
||||||
const sha =
|
const sha =
|
||||||
ev.after ||
|
ev?.after ||
|
||||||
ev.pull_request?.head?.sha ||
|
ev?.pull_request?.head?.sha ||
|
||||||
ev.head_commit?.id ||
|
ev?.head_commit?.id ||
|
||||||
|
ev?.sha ||
|
||||||
"";
|
"";
|
||||||
process.stdout.write(sha);
|
|
||||||
' "$EVENT_JSON")"
|
|
||||||
|
|
||||||
if [ -z "$SHA" ]; then
|
if (!repo) { console.error("No repository.clone_url/html_url in event.json"); process.exit(1); }
|
||||||
echo "ERROR: cannot find SHA in event.json"
|
if (!sha) { console.error("No sha/after/pull_request.head.sha in event.json"); process.exit(1); }
|
||||||
node -e 'const ev=require(process.argv[1]); console.log(Object.keys(ev));' "$EVENT_JSON" || true
|
|
||||||
exit 1
|
// print shell-safe assignments
|
||||||
fi
|
console.log(`REPO_URL=${JSON.stringify(repo)}`);
|
||||||
|
console.log(`SHA=${JSON.stringify(sha)}`);
|
||||||
|
NODE
|
||||||
|
)"
|
||||||
|
|
||||||
echo "Repo URL: $REPO_URL"
|
echo "Repo URL: $REPO_URL"
|
||||||
echo "SHA: $SHA"
|
echo "SHA: $SHA"
|
||||||
|
|
||||||
# 3) Ajoute token si disponible (NE PAS afficher le token)
|
rm -rf .git
|
||||||
AUTH_URL="$REPO_URL"
|
git init
|
||||||
if [ -n "${GITHUB_TOKEN:-}" ] && [[ "$REPO_URL" == https://* ]]; then
|
git remote add origin "$REPO_URL"
|
||||||
AUTH_URL="${REPO_URL/https:\/\//https:\/\/oauth2:${GITHUB_TOKEN}@}"
|
git fetch --depth 1 origin "$SHA"
|
||||||
elif [ -n "${GITEA_TOKEN:-}" ] && [[ "$REPO_URL" == https://* ]]; then
|
|
||||||
AUTH_URL="${REPO_URL/https:\/\//https:\/\/oauth2:${GITEA_TOKEN}@}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# 4) Clone minimal + checkout exact du SHA
|
|
||||||
rm -rf .git || true
|
|
||||||
git init .
|
|
||||||
|
|
||||||
# Optionnel si ton Gitea a un TLS “non standard” (certificat) :
|
|
||||||
# git config --global http.sslVerify false
|
|
||||||
|
|
||||||
git remote add origin "$AUTH_URL"
|
|
||||||
git fetch --depth=1 origin "$SHA"
|
|
||||||
git checkout -q FETCH_HEAD
|
git checkout -q FETCH_HEAD
|
||||||
|
|
||||||
git log -1 --oneline
|
git log -1 --oneline
|
||||||
|
|
||||||
- name: Anchor aliases schema
|
|
||||||
run: node scripts/check-anchor-aliases.mjs
|
|
||||||
- name: Verify anchor aliases injected in dist
|
|
||||||
run: node scripts/verify-anchor-aliases-in-dist.mjs
|
|
||||||
|
|
||||||
- name: NPM harden
|
- name: NPM harden
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
@@ -106,18 +80,31 @@ jobs:
|
|||||||
npm config get registry
|
npm config get registry
|
||||||
|
|
||||||
- name: Install deps
|
- name: Install deps
|
||||||
run: npm ci
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
npm ci
|
||||||
|
|
||||||
- name: Inline scripts syntax check
|
- name: Inline scripts syntax check
|
||||||
run: node scripts/check-inline-js.mjs
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
node scripts/check-inline-js.mjs
|
||||||
|
|
||||||
- name: Build
|
- name: Build (includes postbuild injection + pagefind)
|
||||||
run: npm run build
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
- name: Verify anchor aliases injected
|
npm run build
|
||||||
run: node scripts/verify-anchor-aliases-in-dist.mjs
|
|
||||||
|
|
||||||
- name: Anchors contract
|
- name: Anchors contract
|
||||||
run: npm run test:anchors
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
npm run test:anchors
|
||||||
|
|
||||||
|
- name: Anchor aliases schema
|
||||||
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
node scripts/check-anchor-aliases.mjs
|
||||||
|
|
||||||
|
- name: Verify anchor aliases injected in dist
|
||||||
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
node scripts/verify-anchor-aliases-in-dist.mjs
|
||||||
|
|||||||
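Review bot: The comment `// print shell-safe assignments` in the Checkout step does not hold: `JSON.stringify` emits a double-quoted string, and when that output goes through `eval "$(node - <<'NODE' …)"` the shell still performs command substitution and variable expansion inside the double quotes. `repo` and `sha` are read from event.json, which is external input to this step, so they should be checked before being printed, e.g. `if (!/^[0-9a-f]{40,64}$/i.test(sha)) process.exit(1);` plus a check that `repo` contains no dollar sign, backtick, backslash, quote or whitespace; better still, print the bare values and assign them with `read -r` so nothing is eval'd. Separately, the heredoc uses `import fs from "node:fs"` but is piped to plain `node -`; on Node versions without module-syntax detection for stdin that presumably fails, and `node --input-type=module -` would make it explicit.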