deploy: pin nas-deploy image by digest

deploy: use prebaked nas-deploy image; remove apt-get step
ci: lock deploy workflow to nas-deploy runner
2026-02-28 20:22:17 +01:00 · 2026-02-28 19:49:25 +01:00 · 2026-02-28 17:43:19 +01:00 · 2026-02-28 15:54:48 +01:00 · 2026-02-28 15:50:48 +01:00 · 2026-02-28 15:29:35 +01:00
6 changed files with 24 additions and 60 deletions
--- a/.gitea/workflows/anno-apply-pr.yml
+++ b/.gitea/workflows/anno-apply-pr.yml
@@ -22,7 +22,7 @@ concurrency:

 jobs:
  apply-approved:
-    runs-on: ubuntu-latest
+    runs-on: mac-ci
    container:
      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm

@@ -136,16 +136,8 @@ jobs:
            -H "Accept: application/json" \
            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER")"

-          # ✅ Robust: write JSON to file (avoid argv/stdi n "-" issue)
-          printf '%s' "$ISSUE_JSON" > /tmp/issue.json
-
-          node --input-type=module - /tmp/issue.json >> /tmp/anno.env <<'NODE'
-          import fs from "node:fs";
-
-          const fp = process.argv[2] || "";
-          const raw = fp ? fs.readFileSync(fp, "utf8") : "{}";
-          const issue = JSON.parse(raw || "{}");
-
+          node --input-type=module - <<'NODE' "$ISSUE_JSON" >> /tmp/anno.env
+          const issue = JSON.parse(process.argv[1] || "{}");
          const title = String(issue.title || "");
          const body = String(issue.body || "").replace(/\r\n/g, "\n");

@@ -193,11 +185,12 @@ jobs:
          source /tmp/anno.env || true

          [[ "${SKIP:-0}" == "1" ]] || exit 0
-          [[ "${LABEL_NAME:-}" == "state/approved" || "${LABEL_NAME:-}" == "workflow_dispatch" ]] || exit 0
-          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip comment"; exit 0; }
+          [[ "$LABEL_NAME" == "state/approved" || "$LABEL_NAME" == "workflow_dispatch" ]] || exit 0

+          # message différent si Proposer
          REASON="${SKIP_REASON:-}"
          TYPE="${ISSUE_TYPE:-}"
+          TITLE="${ISSUE_TITLE:-}"

          if [[ "$REASON" == proposer_type:* ]]; then
            MSG="ℹ️ Ticket #${ISSUE_NUMBER} détecté comme **Proposer** (${TYPE}).\n\n- Ce type est **traité manuellement par les editors** (correction/fact-check + cat/*).\n- Le bot n'applique **jamais** Proposer et n'ajoute **jamais** state/approved automatiquement.\n\n✅ Action : traitement éditorial manuel."
@@ -252,7 +245,7 @@ jobs:
          source /tmp/anno.env
          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }

-          npm run build:clean
+          npm run build

          test -f dist/para-index.json || {
            echo "❌ missing dist/para-index.json after build"
@@ -327,8 +320,6 @@ jobs:
            exit 0
          fi

-          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip comment"; exit 0; }
-
          if [[ -f /tmp/apply.log ]]; then
            BODY="$(tail -n 160 /tmp/apply.log | sed 's/\r$//')"
          else
@@ -356,8 +347,6 @@ jobs:
          [[ "${APPLY_RC:-0}" == "0" ]] || exit 0
          [[ "${NOOP:-0}" == "1" ]] || exit 0

-          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip comment"; exit 0; }
-
          MSG="ℹ️ Ticket #${ISSUE_NUMBER} : rien à appliquer (déjà présent / dédupliqué)."
          PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"

@@ -379,10 +368,6 @@ jobs:
          [[ "${APPLY_RC:-0}" == "0" ]] || { echo "ℹ️ apply failed -> skip push"; exit 0; }
          [[ "${NOOP:-0}" == "0" ]] || { echo "ℹ️ no-op -> skip push"; exit 0; }

-          test -d .git || { echo "ℹ️ no git repo -> skip push"; exit 0; }
-          test -n "${BRANCH:-}" || { echo "ℹ️ missing BRANCH -> skip push"; exit 0; }
-          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip push"; exit 0; }
-
          AUTH_URL="$(node --input-type=module -e '
            const [clone, tok] = process.argv.slice(1);
            const u = new URL(clone);
@@ -406,10 +391,6 @@ jobs:
          [[ "${APPLY_RC:-0}" == "0" ]] || { echo "ℹ️ apply failed -> skip PR"; exit 0; }
          [[ "${NOOP:-0}" == "0" ]] || { echo "ℹ️ no-op -> skip PR"; exit 0; }

-          test -n "${BRANCH:-}" || { echo "ℹ️ missing BRANCH -> skip PR"; exit 0; }
-          test -n "${END_SHA:-}" || { echo "ℹ️ missing END_SHA -> skip PR"; exit 0; }
-          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip PR"; exit 0; }
-
          PR_TITLE="anno: apply ticket #${ISSUE_NUMBER}"
          PR_BODY="PR auto depuis ticket #${ISSUE_NUMBER} (state/approved).\n\n- Branche: ${BRANCH}\n- Commit: ${END_SHA}\n\nMerge si CI OK."

--- a/.gitea/workflows/anno-reject.yml
+++ b/.gitea/workflows/anno-reject.yml
@@ -22,7 +22,7 @@ concurrency:

 jobs:
  reject:
-    runs-on: ubuntu-latest
+    runs-on: mac-ci
    container:
      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm

@@ -131,23 +131,12 @@ jobs:
            -H "Accept: application/json" \
            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER")"

-          # ✅ Robust: write JSON to file (avoid argv/stdi n "-" issue)
-          printf '%s' "$ISSUE_JSON" > /tmp/issue.json
-
-          node --input-type=module - /tmp/issue.json > /tmp/reject.flags <<'NODE'
-          import fs from "node:fs";
-
-          const fp = process.argv[2] || "";
-          const raw = fp ? fs.readFileSync(fp, "utf8") : "{}";
-          const issue = JSON.parse(raw || "{}");
-
-          const labels = Array.isArray(issue.labels)
-            ? issue.labels.map(l => String(l.name || "")).filter(Boolean)
-            : [];
-
+          # conflict guard: approved + rejected => do nothing, comment warning
+          node --input-type=module - <<'NODE' "$ISSUE_JSON" > /tmp/reject.flags
+          const issue = JSON.parse(process.argv[1] || "{}");
+          const labels = Array.isArray(issue.labels) ? issue.labels.map(l => String(l.name || "")).filter(Boolean) : [];
          const hasApproved = labels.includes("state/approved");
          const hasRejected = labels.includes("state/rejected");
-
          process.stdout.write(`HAS_APPROVED=${hasApproved ? "1":"0"}\nHAS_REJECTED=${hasRejected ? "1":"0"}\n`);
          NODE

@@ -165,6 +154,7 @@ jobs:
            exit 0
          fi

+          # comment reject
          MSG="❌ Ticket #${ISSUE_NUMBER} refusé (label state/rejected)."
          PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"

@@ -174,6 +164,7 @@ jobs:
            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
            --data-binary "$PAYLOAD"

+          # close issue
          curl -fsS -X PATCH \
            -H "Authorization: token $FORGE_TOKEN" \
            -H "Content-Type: application/json" \
--- a/.gitea/workflows/auto-label-issues.yml
+++ b/.gitea/workflows/auto-label-issues.yml
@@ -6,7 +6,7 @@ on:

 jobs:
  label:
-    runs-on: ubuntu-latest
+    runs-on: mac-ci
    steps:
      - name: Apply labels from Type/State/Category
        env:
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -3,7 +3,7 @@ name: CI
 on:
  push:
  pull_request:
-    branches: [master]
+    branches: [main]
  workflow_dispatch:

 env:
@@ -15,7 +15,7 @@ defaults:

 jobs:
  build-and-anchors:
-    runs-on: ubuntu-latest
+    runs-on: mac-ci
    container:
      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm

--- a/.gitea/workflows/deploy-staging-live.yml
+++ b/.gitea/workflows/deploy-staging-live.yml
@@ -26,9 +26,9 @@ concurrency:

 jobs:
  deploy:
-    runs-on: ubuntu-latest
+    runs-on: nas-deploy
    container:
-      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
+      image: localhost:5000/archicratie/nas-deploy-node22@sha256:fefa8bb307005cebec07796661ab25528dc319c33a8f1e480e1d66f90cd5cff6

    steps:
      - name: Tools sanity
@@ -127,25 +127,17 @@ jobs:
            echo "ℹ️ no annotations/media change -> skip deploy"
          fi

-      - name: Install docker client + docker compose plugin (v2) + python yaml
+      - name: Toolchain sanity + resolve COMPOSE_PROJECT_NAME
        run: |
          set -euo pipefail
          source /tmp/deploy.env
          [[ "${GO:-0}" == "1" ]] || { echo "ℹ️ skipped"; exit 0; }

-          apt-get -o Acquire::Retries=5 -o Acquire::ForceIPv4=true update
-          apt-get install -y --no-install-recommends ca-certificates curl docker.io python3 python3-yaml
-          rm -rf /var/lib/apt/lists/*
-
-          mkdir -p /usr/local/lib/docker/cli-plugins
-          curl -fsSL \
-            "https://github.com/docker/compose/releases/download/v${COMPOSE_VERSION}/docker-compose-linux-x86_64" \
-            -o /usr/local/lib/docker/cli-plugins/docker-compose
-          chmod +x /usr/local/lib/docker/cli-plugins/docker-compose
-
+          # tools are prebaked in the image
+          git --version
          docker version
          docker compose version
-          python3 --version
+          python3 -c 'import yaml; print("PyYAML OK")'

          # Reuse existing compose project name if containers already exist
          PROJ="$(docker inspect archicratie-web-blue --format '{{ index .Config.Labels "com.docker.compose.project" }}' 2>/dev/null || true)"
--- a/.gitea/workflows/smoke.yml
+++ b/.gitea/workflows/smoke.yml
@@ -3,7 +3,7 @@ on: [push, workflow_dispatch]

 jobs:
  smoke:
-    runs-on: ubuntu-latest
+    runs-on: mac-ci
    steps:
      - run: node -v && npm -v
      - run: echo "runner OK"
Author	SHA1	Message	Date
Archicratia	43e2862c89	deploy: pin nas-deploy image by digest All checks were successful SMOKE / smoke (push) Successful in 6s Details CI / build-and-anchors (push) Successful in 39s Details CI / build-and-anchors (pull_request) Successful in 37s Details	2026-02-28 20:22:17 +01:00
Archicratia	a81d206aba	deploy: use prebaked nas-deploy image; remove apt-get step All checks were successful SMOKE / smoke (push) Successful in 3s Details CI / build-and-anchors (push) Successful in 39s Details CI / build-and-anchors (pull_request) Successful in 36s Details	2026-02-28 19:49:25 +01:00
Archicratia	c11189fe11	ci: lock deploy workflow to nas-deploy runner All checks were successful SMOKE / smoke (push) Successful in 7s Details CI / build-and-anchors (push) Successful in 44s Details CI / build-and-anchors (pull_request) Successful in 40s Details	2026-02-28 17:43:19 +01:00
Archicratia	b47edb24cf	Merge pull request 'ci: fix YAML newlines after runs-on (mac-ci)' (#156 ) from chore/fix-yaml-runs-on-newlines into main Some checks failed CI / build-and-anchors (push) Successful in 41s Details SMOKE / smoke (push) Successful in 3s Details Deploy staging+live (annotations) / deploy (push) Has been cancelled Details Reviewed-on: #156	2026-02-28 15:54:48 +01:00
Archicratia	be191b09a0	ci: fix YAML newlines after runs-on (mac-ci) All checks were successful SMOKE / smoke (push) Successful in 25s Details CI / build-and-anchors (push) Successful in 1m6s Details CI / build-and-anchors (pull_request) Successful in 37s Details	2026-02-28 15:50:48 +01:00
Archicratia	e06587478d	Merge pull request 'ci: route CI/bots to mac runner; keep deploy on NAS' (#155 ) from chore/route-ci-to-mac-runner into main All checks were successful Deploy staging+live (annotations) / deploy (push) Successful in 1m58s Details Reviewed-on: #155	2026-02-28 15:29:35 +01:00
Archicratia	402ffb04cd	ci: route CI/bots to mac runner; keep deploy on NAS	2026-02-28 15:28:49 +01:00
Archicratia	1cbfc02670	Merge pull request 'ci: harden anno-reject (dispatch + conflict guard) and keep deploy concurrency safe' (#153 ) from chore/fix-anno-reject-close-guard into main All checks were successful CI / build-and-anchors (push) Successful in 2m49s Details Deploy staging+live (annotations) / deploy (push) Successful in 3m7s Details SMOKE / smoke (push) Successful in 19s Details Reviewed-on: #153	2026-02-28 10:05:26 +01:00