ci: fix anno workflows JSON parsing (node stdin argv) + harden guards

ci: harden anno-reject (dispatch + conflict guard) and keep deploy concurrency safe
Merge pull request 'ci: anno-apply gate on supported types (skip proposer)' (#149 ) from chore/fix-anno-apply-gate-types into main
2026-02-28 10:33:43 +01:00 · 2026-02-28 09:55:37 +01:00 · 2026-02-27 20:06:57 +01:00 · 2026-02-27 20:03:16 +01:00 · 2026-02-27 15:49:11 +01:00 · 2026-02-27 15:48:28 +01:00
5 changed files with 244 additions and 22 deletions
--- a/.gitea/workflows/anno-apply-pr.yml
+++ b/.gitea/workflows/anno-apply-pr.yml
@@ -16,6 +16,10 @@ defaults:
  run:
    shell: bash

+concurrency:
+  group: anno-apply-${{ github.event.issue.number || inputs.issue || 'manual' }}
+  cancel-in-progress: true
+
 jobs:
  apply-approved:
    runs-on: ubuntu-latest
@@ -29,7 +33,6 @@ jobs:
          git --version
          node --version
          npm --version
-          npm ping --registry=https://registry.npmjs.org

      - name: Derive context (event.json / workflow_dispatch)
        env:
@@ -110,6 +113,7 @@ jobs:
        run: |
          set -euo pipefail
          source /tmp/anno.env
+
          if [[ "$LABEL_NAME" != "state/approved" && "$LABEL_NAME" != "workflow_dispatch" ]]; then
            echo "ℹ️ label=$LABEL_NAME => skip"
            echo "SKIP=1" >> /tmp/anno.env
@@ -117,6 +121,100 @@ jobs:
          fi
          echo "✅ proceed (issue=$ISSUE_NUMBER)"

+      - name: Fetch issue + gate on Type (skip Proposer)
+        env:
+          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
+        run: |
+          set -euo pipefail
+          source /tmp/anno.env
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
+
+          test -n "${FORGE_TOKEN:-}" || { echo "❌ Missing secret FORGE_TOKEN"; exit 1; }
+
+          ISSUE_JSON="$(curl -fsS \
+            -H "Authorization: token $FORGE_TOKEN" \
+            -H "Accept: application/json" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER")"
+
+          # ✅ Robust: write JSON to file (avoid argv/stdi n "-" issue)
+          printf '%s' "$ISSUE_JSON" > /tmp/issue.json
+
+          node --input-type=module - /tmp/issue.json >> /tmp/anno.env <<'NODE'
+          import fs from "node:fs";
+
+          const fp = process.argv[2] || "";
+          const raw = fp ? fs.readFileSync(fp, "utf8") : "{}";
+          const issue = JSON.parse(raw || "{}");
+
+          const title = String(issue.title || "");
+          const body = String(issue.body || "").replace(/\r\n/g, "\n");
+
+          function pickLine(key) {
+            const re = new RegExp(`^\\s*${key}\\s*:\\s*([^\\n\\r]+)`, "mi");
+            const m = body.match(re);
+            return m ? m[1].trim() : "";
+          }
+
+          const typeRaw = pickLine("Type");
+          const type = String(typeRaw || "").trim().toLowerCase();
+
+          const allowed = new Set(["type/media","type/reference","type/comment"]);
+          const proposer = new Set(["type/correction","type/fact-check"]);
+
+          const out = [];
+          out.push(`ISSUE_TITLE=${JSON.stringify(title)}`);
+          out.push(`ISSUE_TYPE=${JSON.stringify(type)}`);
+
+          if (!type) {
+            out.push(`SKIP=1`);
+            out.push(`SKIP_REASON=${JSON.stringify("missing_type")}`);
+          } else if (allowed.has(type)) {
+            // proceed
+          } else if (proposer.has(type)) {
+            out.push(`SKIP=1`);
+            out.push(`SKIP_REASON=${JSON.stringify("proposer_type:"+type)}`);
+          } else {
+            out.push(`SKIP=1`);
+            out.push(`SKIP_REASON=${JSON.stringify("unsupported_type:"+type)}`);
+          }
+
+          process.stdout.write(out.join("\n") + "\n");
+          NODE
+
+          echo "✅ issue type gating:"
+          grep -E '^(ISSUE_TYPE|SKIP|SKIP_REASON)=' /tmp/anno.env || true
+
+      - name: Comment issue if skipped (Proposer / unsupported / missing Type)
+        if: ${{ always() }}
+        env:
+          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
+        run: |
+          set -euo pipefail
+          source /tmp/anno.env || true
+
+          [[ "${SKIP:-0}" == "1" ]] || exit 0
+          [[ "${LABEL_NAME:-}" == "state/approved" || "${LABEL_NAME:-}" == "workflow_dispatch" ]] || exit 0
+          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip comment"; exit 0; }
+
+          REASON="${SKIP_REASON:-}"
+          TYPE="${ISSUE_TYPE:-}"
+
+          if [[ "$REASON" == proposer_type:* ]]; then
+            MSG="ℹ️ Ticket #${ISSUE_NUMBER} détecté comme **Proposer** (${TYPE}).\n\n- Ce type est **traité manuellement par les editors** (correction/fact-check + cat/*).\n- Le bot n'applique **jamais** Proposer et n'ajoute **jamais** state/approved automatiquement.\n\n✅ Action : traitement éditorial manuel."
+          elif [[ "$REASON" == unsupported_type:* ]]; then
+            MSG="ℹ️ Ticket #${ISSUE_NUMBER} ignoré : Type non supporté par le bot (${TYPE}).\n\nTypes supportés : type/media, type/reference, type/comment.\n✅ Action : traitement manuel si nécessaire."
+          else
+            MSG="ℹ️ Ticket #${ISSUE_NUMBER} ignoré : champ 'Type:' manquant ou illisible.\n\n✅ Action : corriger le ticket (ajouter 'Type: type/media|type/reference|type/comment') ou traiter manuellement."
+          fi
+
+          PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
+
+          curl -fsS -X POST \
+            -H "Authorization: token $FORGE_TOKEN" \
+            -H "Content-Type: application/json" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
+            --data-binary "$PAYLOAD"
+
      - name: Checkout default branch
        run: |
          set -euo pipefail
@@ -135,7 +233,7 @@ jobs:
          set -euo pipefail
          source /tmp/anno.env
          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
-          npm ci
+          npm ci --no-audit --no-fund

      - name: Check apply script exists
        run: |
@@ -220,7 +318,7 @@ jobs:
          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
        run: |
          set -euo pipefail
-          source /tmp/anno.env
+          source /tmp/anno.env || true
          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }

          RC="${APPLY_RC:-0}"
@@ -229,9 +327,15 @@ jobs:
            exit 0
          fi

-          BODY="$(tail -n 160 /tmp/apply.log | sed 's/\r$//')"
-          MSG="❌ apply-annotation-ticket a échoué (rc=${RC}).\n\n\`\`\`\n${BODY}\n\`\`\`\n"
+          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip comment"; exit 0; }

+          if [[ -f /tmp/apply.log ]]; then
+            BODY="$(tail -n 160 /tmp/apply.log | sed 's/\r$//')"
+          else
+            BODY="(no apply log found)"
+          fi
+
+          MSG="❌ apply-annotation-ticket a échoué (rc=${RC}).\n\n\`\`\`\n${BODY}\n\`\`\`\n"
          PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"

          curl -fsS -X POST \
@@ -246,12 +350,14 @@ jobs:
          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
        run: |
          set -euo pipefail
-          source /tmp/anno.env
+          source /tmp/anno.env || true
          [[ "${SKIP:-0}" != "1" ]] || exit 0

          [[ "${APPLY_RC:-0}" == "0" ]] || exit 0
          [[ "${NOOP:-0}" == "1" ]] || exit 0

+          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip comment"; exit 0; }
+
          MSG="ℹ️ Ticket #${ISSUE_NUMBER} : rien à appliquer (déjà présent / dédupliqué)."
          PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"

@@ -267,12 +373,16 @@ jobs:
          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
        run: |
          set -euo pipefail
-          source /tmp/anno.env
+          source /tmp/anno.env || true
          [[ "${SKIP:-0}" != "1" ]] || exit 0

          [[ "${APPLY_RC:-0}" == "0" ]] || { echo "ℹ️ apply failed -> skip push"; exit 0; }
          [[ "${NOOP:-0}" == "0" ]] || { echo "ℹ️ no-op -> skip push"; exit 0; }

+          test -d .git || { echo "ℹ️ no git repo -> skip push"; exit 0; }
+          test -n "${BRANCH:-}" || { echo "ℹ️ missing BRANCH -> skip push"; exit 0; }
+          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip push"; exit 0; }
+
          AUTH_URL="$(node --input-type=module -e '
            const [clone, tok] = process.argv.slice(1);
            const u = new URL(clone);
@@ -290,12 +400,16 @@ jobs:
          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
        run: |
          set -euo pipefail
-          source /tmp/anno.env
+          source /tmp/anno.env || true
          [[ "${SKIP:-0}" != "1" ]] || exit 0

          [[ "${APPLY_RC:-0}" == "0" ]] || { echo "ℹ️ apply failed -> skip PR"; exit 0; }
          [[ "${NOOP:-0}" == "0" ]] || { echo "ℹ️ no-op -> skip PR"; exit 0; }

+          test -n "${BRANCH:-}" || { echo "ℹ️ missing BRANCH -> skip PR"; exit 0; }
+          test -n "${END_SHA:-}" || { echo "ℹ️ missing END_SHA -> skip PR"; exit 0; }
+          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip PR"; exit 0; }
+
          PR_TITLE="anno: apply ticket #${ISSUE_NUMBER}"
          PR_BODY="PR auto depuis ticket #${ISSUE_NUMBER} (state/approved).\n\n- Branche: ${BRANCH}\n- Commit: ${END_SHA}\n\nMerge si CI OK."

@@ -333,6 +447,7 @@ jobs:
        run: |
          set -euo pipefail
          source /tmp/anno.env || true
+
          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }

          RC="${APPLY_RC:-0}"
--- a/.gitea/workflows/anno-reject.yml
+++ b/.gitea/workflows/anno-reject.yml
@@ -1,8 +1,13 @@
-name: Anno Reject
+name: Anno Reject (close issue)

 on:
  issues:
    types: [labeled]
+  workflow_dispatch:
+    inputs:
+      issue:
+        description: "Issue number to reject/close"
+        required: true

 env:
  NODE_OPTIONS: --dns-result-order=ipv4first
@@ -11,6 +16,10 @@ defaults:
  run:
    shell: bash

+concurrency:
+  group: anno-reject-${{ github.event.issue.number || inputs.issue || 'manual' }}
+  cancel-in-progress: true
+
 jobs:
  reject:
    runs-on: ubuntu-latest
@@ -18,7 +27,15 @@ jobs:
      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm

    steps:
-      - name: Derive context
+      - name: Tools sanity
+        run: |
+          set -euo pipefail
+          node --version
+
+      - name: Derive context (event.json / workflow_dispatch)
+        env:
+          INPUT_ISSUE: ${{ inputs.issue }}
+          FORGE_API: ${{ vars.FORGE_API || vars.FORGE_BASE }}
        run: |
          set -euo pipefail
          export EVENT_JSON="/var/run/act/workflow/event.json"
@@ -29,58 +46,124 @@ jobs:

          const ev = JSON.parse(fs.readFileSync(process.env.EVENT_JSON, "utf8"));
          const repoObj = ev?.repository || {};
+
          const cloneUrl =
            repoObj?.clone_url ||
            (repoObj?.html_url ? (repoObj.html_url.replace(/\/$/,"") + ".git") : "");
-          if (!cloneUrl) throw new Error("No repository url");

          let owner =
            repoObj?.owner?.login ||
            repoObj?.owner?.username ||
            (repoObj?.full_name ? repoObj.full_name.split("/")[0] : "");
+
          let repo =
            repoObj?.name ||
            (repoObj?.full_name ? repoObj.full_name.split("/")[1] : "");

-          if (!owner || !repo) {
+          if ((!owner || !repo) && cloneUrl) {
            const m = cloneUrl.match(/[:/](?<o>[^/]+)\/(?<r>[^/]+?)(?:\.git)?$/);
            if (m?.groups) { owner = owner || m.groups.o; repo = repo || m.groups.r; }
          }
          if (!owner || !repo) throw new Error("Cannot infer owner/repo");

-          const issueNumber = ev?.issue?.number || ev?.issue?.index;
-          if (!issueNumber) throw new Error("No issue number");
+          const issueNumber =
+            ev?.issue?.number ||
+            ev?.issue?.index ||
+            (process.env.INPUT_ISSUE ? Number(process.env.INPUT_ISSUE) : 0);

-          const labelName = ev?.label?.name || ev?.label || "";
-          const u = new URL(cloneUrl);
+          if (!issueNumber || !Number.isFinite(Number(issueNumber))) {
+            throw new Error("No issue number in event.json or workflow_dispatch input");
+          }
+
+          const labelName =
+            ev?.label?.name ||
+            ev?.label ||
+            "workflow_dispatch";
+
+          let apiBase = "";
+          if (process.env.FORGE_API && String(process.env.FORGE_API).trim()) {
+            apiBase = String(process.env.FORGE_API).trim().replace(/\/+$/,"");
+          } else if (cloneUrl) {
+            apiBase = new URL(cloneUrl).origin;
+          } else {
+            apiBase = "";
+          }

          function sh(s){ return JSON.stringify(String(s)); }
+
          process.stdout.write([
            `OWNER=${sh(owner)}`,
            `REPO=${sh(repo)}`,
            `ISSUE_NUMBER=${sh(issueNumber)}`,
            `LABEL_NAME=${sh(labelName)}`,
-            `API_BASE=${sh(u.origin)}`
+            `API_BASE=${sh(apiBase)}`
          ].join("\n") + "\n");
          NODE

-      - name: Gate on label state/rejected
+          echo "✅ context:"
+          sed -n '1,120p' /tmp/reject.env
+
+      - name: Gate on label state/rejected only
        run: |
          set -euo pipefail
          source /tmp/reject.env
-          if [[ "$LABEL_NAME" != "state/rejected" ]]; then
+
+          if [[ "$LABEL_NAME" != "state/rejected" && "$LABEL_NAME" != "workflow_dispatch" ]]; then
            echo "ℹ️ label=$LABEL_NAME => skip"
+            echo "SKIP=1" >> /tmp/reject.env
            exit 0
          fi
-          echo "✅ reject issue=$ISSUE_NUMBER"
+          echo "✅ proceed (issue=$ISSUE_NUMBER)"

-      - name: Comment + close issue
+      - name: Comment + close (only if not conflicting with state/approved)
        env:
          FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
        run: |
          set -euo pipefail
          source /tmp/reject.env
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
+
          test -n "${FORGE_TOKEN:-}" || { echo "❌ Missing secret FORGE_TOKEN"; exit 1; }
+          test -n "${API_BASE:-}" || { echo "❌ Missing API_BASE"; exit 1; }
+
+          ISSUE_JSON="$(curl -fsS \
+            -H "Authorization: token $FORGE_TOKEN" \
+            -H "Accept: application/json" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER")"
+
+          # ✅ Robust: write JSON to file (avoid argv/stdi n "-" issue)
+          printf '%s' "$ISSUE_JSON" > /tmp/issue.json
+
+          node --input-type=module - /tmp/issue.json > /tmp/reject.flags <<'NODE'
+          import fs from "node:fs";
+
+          const fp = process.argv[2] || "";
+          const raw = fp ? fs.readFileSync(fp, "utf8") : "{}";
+          const issue = JSON.parse(raw || "{}");
+
+          const labels = Array.isArray(issue.labels)
+            ? issue.labels.map(l => String(l.name || "")).filter(Boolean)
+            : [];
+
+          const hasApproved = labels.includes("state/approved");
+          const hasRejected = labels.includes("state/rejected");
+
+          process.stdout.write(`HAS_APPROVED=${hasApproved ? "1":"0"}\nHAS_REJECTED=${hasRejected ? "1":"0"}\n`);
+          NODE
+
+          source /tmp/reject.flags
+
+          if [[ "${HAS_APPROVED:-0}" == "1" && "${HAS_REJECTED:-0}" == "1" ]]; then
+            MSG="⚠️ Conflit d'état sur le ticket #${ISSUE_NUMBER} : labels **state/approved** et **state/rejected** présents.\n\n➡️ Action manuelle requise : retirer l'un des deux labels avant relance."
+            PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
+            curl -fsS -X POST \
+              -H "Authorization: token $FORGE_TOKEN" \
+              -H "Content-Type: application/json" \
+              "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
+              --data-binary "$PAYLOAD"
+            echo "ℹ️ conflict => stop"
+            exit 0
+          fi

          MSG="❌ Ticket #${ISSUE_NUMBER} refusé (label state/rejected)."
          PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
@@ -95,4 +178,6 @@ jobs:
            -H "Authorization: token $FORGE_TOKEN" \
            -H "Content-Type: application/json" \
            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER" \
-            --data-binary '{"state":"closed"}'
+            --data-binary '{"state":"closed"}'
+
+          echo "✅ rejected+closed"
--- a/public/media/archicrat-ia/chapitre-3/p-0-ace27175/Capture_d_e_cran_2025-05-05_a_19.20.40.png
+++ b/public/media/archicrat-ia/chapitre-3/p-0-ace27175/Capture_d_e_cran_2025-05-05_a_19.20.40.png
--- a/src/annotations/archicrat-ia/chapitre-1/p-0-8d27a7f5.yml
+++ b/src/annotations/archicrat-ia/chapitre-1/p-0-8d27a7f5.yml
@@ -0,0 +1,10 @@
+schema: 1
+page: archicrat-ia/chapitre-1
+paras:
+  p-0-8d27a7f5:
+    refs:
+      - url: https://auth.archicratie.trans-hands.synology.me/authenticated
+        label: Lien web
+        kind: (livre / article / vidéo / site / autre) Site
+        ts: 2026-02-27T12:34:31.704Z
+        fromIssue: 142
--- a/src/annotations/archicrat-ia/chapitre-3/p-0-ace27175.yml
+++ b/src/annotations/archicrat-ia/chapitre-3/p-0-ace27175.yml
@@ -0,0 +1,12 @@
+schema: 1
+page: archicrat-ia/chapitre-3
+paras:
+  p-0-ace27175:
+    media:
+      - type: image
+        src: /media/archicrat-ia/chapitre-3/p-0-ace27175/Capture_d_e_cran_2025-05-05_a_19.20.40.png
+        caption: "[Media] p-0-ace27175 — Chapitre 3 — Philosophies du pouvoir et
+          archicration"
+        credit: ""
+        ts: 2026-02-27T12:43:14.259Z
+        fromIssue: 144
Author	SHA1	Message	Date
Archicratia	6f81f572cd	ci: fix anno workflows JSON parsing (node stdin argv) + harden guards All checks were successful SMOKE / smoke (push) Successful in 40s Details CI / build-and-anchors (push) Successful in 2m13s Details	2026-02-28 10:33:43 +01:00
Archicratia	28d2fbbd2f	ci: harden anno-reject (dispatch + conflict guard) and keep deploy concurrency safe All checks were successful CI / build-and-anchors (push) Successful in 2m21s Details SMOKE / smoke (push) Successful in 19s Details	2026-02-28 09:55:37 +01:00
Archicratia	225368a952	Merge pull request 'ci: anno-apply gate on supported types (skip proposer)' (#149 ) from chore/fix-anno-apply-gate-types into main All checks were successful Deploy staging+live (annotations) / deploy (push) Successful in 2m12s Details CI / build-and-anchors (push) Successful in 1m45s Details SMOKE / smoke (push) Successful in 17s Details Reviewed-on: #149	2026-02-27 20:06:57 +01:00
Archicratia	3574695041	ci: anno-apply gate on supported types (skip proposer) All checks were successful CI / build-and-anchors (push) Successful in 1m52s Details SMOKE / smoke (push) Successful in 15s Details	2026-02-27 20:03:16 +01:00
Archicratia	ea68025a1d	Merge pull request 'anno: apply ticket #144 ' (#148 ) from bot/anno-144-20260227-124313 into main All checks were successful CI / build-and-anchors (push) Successful in 2m5s Details Deploy staging+live (annotations) / deploy (push) Successful in 2m8s Details SMOKE / smoke (push) Successful in 13s Details Reviewed-on: #148	2026-02-27 15:49:11 +01:00
Archicratia	3a08698003	Merge pull request 'anno: apply ticket #143 ' (#147 ) from bot/anno-143-20260227-124037 into main Some checks failed CI / build-and-anchors (push) Has been cancelled Details Deploy staging+live (annotations) / deploy (push) Has been cancelled Details SMOKE / smoke (push) Has been cancelled Details Reviewed-on: #147	2026-02-27 15:48:28 +01:00
Archicratia	3d583608c2	Merge pull request 'anno: apply ticket #142 ' (#146 ) from bot/anno-142-20260227-123430 into main Some checks failed CI / build-and-anchors (push) Has been cancelled Details Deploy staging+live (annotations) / deploy (push) Has been cancelled Details SMOKE / smoke (push) Successful in 21s Details Reviewed-on: #146	2026-02-27 15:47:44 +01:00
archicratie-bot	01ae95ab43	anno: apply ticket #144 (archicrat-ia/chapitre-3#p-0-ace27175 type/media) All checks were successful CI / build-and-anchors (push) Successful in 2m0s Details SMOKE / smoke (push) Successful in 18s Details	2026-02-27 12:43:16 +00:00
archicratie-bot	2bcea39558	anno: apply ticket #142 (archicrat-ia/chapitre-1#p-0-8d27a7f5 type/reference) All checks were successful CI / build-and-anchors (push) Successful in 1m53s Details SMOKE / smoke (push) Successful in 14s Details	2026-02-27 12:34:32 +00:00