ci: fix anno workflows JSON parsing (node stdin argv) + harden guards

.gitea/workflows/anno-apply-pr.yml

@@ -22,9 +22,7 @@ concurrency:
 
 jobs:
   apply-approved:
-    # ✅ Job ne démarre QUE si state/approved (ou workflow_dispatch)
+    runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'workflow_dispatch' || github.event.label.name == 'state/approved' }}
-    runs-on: mac-ci
     container:
       image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
 
@@ -35,7 +33,6 @@ jobs:
           git --version
           node --version
           npm --version
-          curl --version | head -n 1
 
       - name: Derive context (event.json / workflow_dispatch)
         env:
@@ -98,7 +95,6 @@ jobs:
 
           function sh(s){ return JSON.stringify(String(s)); }
 
-          // ✅ defaults antifragiles (empêchent les steps "always" de faire n'importe quoi)
           process.stdout.write([
             `CLONE_URL=${sh(cloneUrl)}`,
             `OWNER=${sh(owner)}`,
@@ -106,16 +102,24 @@ jobs:
             `DEFAULT_BRANCH=${sh(defaultBranch)}`,
             `ISSUE_NUMBER=${sh(issueNumber)}`,
             `LABEL_NAME=${sh(labelName)}`,
-            `API_BASE=${sh(apiBase)}`,
+            `API_BASE=${sh(apiBase)}`
-            `SKIP=${sh("0")}`,
-            `SKIP_REASON=${sh("")}`,
-            `APPLY_RC=${sh("999")}`,
-            `NOOP=${sh("1")}`
           ].join("\n") + "\n");
           NODE
 
           echo "✅ context:"
-          sed -n '1,160p' /tmp/anno.env
+          sed -n '1,120p' /tmp/anno.env
+
+      - name: Gate on label state/approved
+        run: |
+          set -euo pipefail
+          source /tmp/anno.env
+
+          if [[ "$LABEL_NAME" != "state/approved" && "$LABEL_NAME" != "workflow_dispatch" ]]; then
+            echo "ℹ️ label=$LABEL_NAME => skip"
+            echo "SKIP=1" >> /tmp/anno.env
+            exit 0
+          fi
+          echo "✅ proceed (issue=$ISSUE_NUMBER)"
 
       - name: Fetch issue + gate on Type (skip Proposer)
         env:
@@ -123,19 +127,25 @@ jobs:
         run: |
           set -euo pipefail
           source /tmp/anno.env
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
 
           test -n "${FORGE_TOKEN:-}" || { echo "❌ Missing secret FORGE_TOKEN"; exit 1; }
 
-          # ✅ on écrit le JSON dans un fichier (FINI JSON.parse('-'))
+          ISSUE_JSON="$(curl -fsS \
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Accept: application/json" \
-            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER")"
-            -o /tmp/issue.json
+
+          # ✅ Robust: write JSON to file (avoid argv/stdi n "-" issue)
+          printf '%s' "$ISSUE_JSON" > /tmp/issue.json
 
           node --input-type=module - /tmp/issue.json >> /tmp/anno.env <<'NODE'
           import fs from "node:fs";
-          const issue = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
+
+          const fp = process.argv[2] || "";
+          const raw = fp ? fs.readFileSync(fp, "utf8") : "{}";
+          const issue = JSON.parse(raw || "{}");
+
           const title = String(issue.title || "");
           const body = String(issue.body || "").replace(/\r\n/g, "\n");
 
@@ -183,25 +193,23 @@ jobs:
           source /tmp/anno.env || true
 
           [[ "${SKIP:-0}" == "1" ]] || exit 0
-
+          [[ "${LABEL_NAME:-}" == "state/approved" || "${LABEL_NAME:-}" == "workflow_dispatch" ]] || exit 0
-          test -n "${FORGE_TOKEN:-}" || exit 0
+          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip comment"; exit 0; }
-          test -n "${API_BASE:-}" || exit 0
 
           REASON="${SKIP_REASON:-}"
           TYPE="${ISSUE_TYPE:-}"
 
           if [[ "$REASON" == proposer_type:* ]]; then
-            MSG="ℹ️ Ticket #${ISSUE_NUMBER} détecté comme **Proposer** (${TYPE}).\n\n- Ce type est **traité manuellement par les editors** (correction/fact-check + cat/*).\n- Le bot n'applique **jamais** Proposer.\n\n✅ Action : traitement éditorial manuel."
+            MSG="ℹ️ Ticket #${ISSUE_NUMBER} détecté comme **Proposer** (${TYPE}).\n\n- Ce type est **traité manuellement par les editors** (correction/fact-check + cat/*).\n- Le bot n'applique **jamais** Proposer et n'ajoute **jamais** state/approved automatiquement.\n\n✅ Action : traitement éditorial manuel."
           elif [[ "$REASON" == unsupported_type:* ]]; then
             MSG="ℹ️ Ticket #${ISSUE_NUMBER} ignoré : Type non supporté par le bot (${TYPE}).\n\nTypes supportés : type/media, type/reference, type/comment.\n✅ Action : traitement manuel si nécessaire."
           else
-            MSG="ℹ️ Ticket #${ISSUE_NUMBER} ignoré : champ 'Type:' manquant ou illisible.\n\n✅ Action : corriger le ticket (Type: type/media|type/reference|type/comment) ou traiter manuellement."
+            MSG="ℹ️ Ticket #${ISSUE_NUMBER} ignoré : champ 'Type:' manquant ou illisible.\n\n✅ Action : corriger le ticket (ajouter 'Type: type/media|type/reference|type/comment') ou traiter manuellement."
           fi
 
           PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
 
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
+          curl -fsS -X POST \
-            -X POST \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Content-Type: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
@@ -244,7 +252,8 @@ jobs:
           source /tmp/anno.env
           [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
 
-          npm run build
+          npm run build:clean
+
           test -f dist/para-index.json || {
             echo "❌ missing dist/para-index.json after build"
             ls -la dist | sed -n '1,200p' || true
@@ -292,7 +301,7 @@ jobs:
           END_SHA="$(git rev-parse HEAD)"
 
           if [[ "$RC" -ne 0 ]]; then
-            echo "NOOP=1" >> /tmp/anno.env
+            echo "NOOP=0" >> /tmp/anno.env
             exit 0
           fi
 
@@ -310,13 +319,15 @@ jobs:
         run: |
           set -euo pipefail
           source /tmp/anno.env || true
-          [[ "${SKIP:-0}" != "1" ]] || exit 0
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
 
-          RC="${APPLY_RC:-999}"
+          RC="${APPLY_RC:-0}"
-          [[ "$RC" != "0" ]] || { echo "ℹ️ no failure detected"; exit 0; }
+          if [[ "$RC" == "0" ]]; then
+            echo "ℹ️ no failure detected"
+            exit 0
+          fi
 
-          test -n "${FORGE_TOKEN:-}" || exit 0
+          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip comment"; exit 0; }
-          test -n "${API_BASE:-}" || exit 0
 
           if [[ -f /tmp/apply.log ]]; then
             BODY="$(tail -n 160 /tmp/apply.log | sed 's/\r$//')"
@@ -327,8 +338,7 @@ jobs:
           MSG="❌ apply-annotation-ticket a échoué (rc=${RC}).\n\n\`\`\`\n${BODY}\n\`\`\`\n"
           PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
 
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
+          curl -fsS -X POST \
-            -X POST \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Content-Type: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
@@ -343,17 +353,15 @@ jobs:
           source /tmp/anno.env || true
           [[ "${SKIP:-0}" != "1" ]] || exit 0
 
-          [[ "${APPLY_RC:-999}" == "0" ]] || exit 0
+          [[ "${APPLY_RC:-0}" == "0" ]] || exit 0
-          [[ "${NOOP:-1}" == "1" ]] || exit 0
+          [[ "${NOOP:-0}" == "1" ]] || exit 0
 
-          test -n "${FORGE_TOKEN:-}" || exit 0
+          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip comment"; exit 0; }
-          test -n "${API_BASE:-}" || exit 0
 
           MSG="ℹ️ Ticket #${ISSUE_NUMBER} : rien à appliquer (déjà présent / dédupliqué)."
           PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
 
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
+          curl -fsS -X POST \
-            -X POST \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Content-Type: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
@@ -368,9 +376,12 @@ jobs:
           source /tmp/anno.env || true
           [[ "${SKIP:-0}" != "1" ]] || exit 0
 
-          [[ "${APPLY_RC:-999}" == "0" ]] || { echo "ℹ️ apply not ok -> skip push"; exit 0; }
+          [[ "${APPLY_RC:-0}" == "0" ]] || { echo "ℹ️ apply failed -> skip push"; exit 0; }
-          [[ "${NOOP:-1}" == "0" ]] || { echo "ℹ️ no-op -> skip push"; exit 0; }
+          [[ "${NOOP:-0}" == "0" ]] || { echo "ℹ️ no-op -> skip push"; exit 0; }
-          test -n "${BRANCH:-}" || { echo "ℹ️ no BRANCH -> skip push"; exit 0; }
+
+          test -d .git || { echo "ℹ️ no git repo -> skip push"; exit 0; }
+          test -n "${BRANCH:-}" || { echo "ℹ️ missing BRANCH -> skip push"; exit 0; }
+          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip push"; exit 0; }
 
           AUTH_URL="$(node --input-type=module -e '
             const [clone, tok] = process.argv.slice(1);
@@ -392,10 +403,12 @@ jobs:
           source /tmp/anno.env || true
           [[ "${SKIP:-0}" != "1" ]] || exit 0
 
-          [[ "${APPLY_RC:-999}" == "0" ]] || { echo "ℹ️ apply not ok -> skip PR"; exit 0; }
+          [[ "${APPLY_RC:-0}" == "0" ]] || { echo "ℹ️ apply failed -> skip PR"; exit 0; }
-          [[ "${NOOP:-1}" == "0" ]] || { echo "ℹ️ no-op -> skip PR"; exit 0; }
+          [[ "${NOOP:-0}" == "0" ]] || { echo "ℹ️ no-op -> skip PR"; exit 0; }
-          test -n "${BRANCH:-}" || { echo "ℹ️ no BRANCH -> skip PR"; exit 0; }
+
-          test -n "${END_SHA:-}" || { echo "ℹ️ no END_SHA -> skip PR"; exit 0; }
+          test -n "${BRANCH:-}" || { echo "ℹ️ missing BRANCH -> skip PR"; exit 0; }
+          test -n "${END_SHA:-}" || { echo "ℹ️ missing END_SHA -> skip PR"; exit 0; }
+          test -n "${FORGE_TOKEN:-}" || { echo "ℹ️ missing FORGE_TOKEN -> skip PR"; exit 0; }
 
           PR_TITLE="anno: apply ticket #${ISSUE_NUMBER}"
           PR_BODY="PR auto depuis ticket #${ISSUE_NUMBER} (state/approved).\n\n- Branche: ${BRANCH}\n- Commit: ${END_SHA}\n\nMerge si CI OK."
@@ -405,8 +418,7 @@ jobs:
             console.log(JSON.stringify({ title, body, base, head, allow_maintainer_edit: true }));
           ' "$PR_TITLE" "$PR_BODY" "$DEFAULT_BRANCH" "${OWNER}:${BRANCH}")"
 
-          PR_JSON="$(curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
+          PR_JSON="$(curl -fsS -X POST \
-            -X POST \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Content-Type: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/pulls" \
@@ -422,13 +434,14 @@ jobs:
           MSG="✅ PR créée pour ticket #${ISSUE_NUMBER} : ${PR_URL}"
           C_PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
 
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
+          curl -fsS -X POST \
-            -X POST \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Content-Type: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
             --data-binary "$C_PAYLOAD"
 
+          echo "✅ PR: $PR_URL"
+
       - name: Finalize (fail job if apply failed)
         if: ${{ always() }}
         run: |
@@ -437,7 +450,7 @@ jobs:
 
           [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
 
-          RC="${APPLY_RC:-999}"
+          RC="${APPLY_RC:-0}"
           if [[ "$RC" != "0" ]]; then
             echo "❌ apply failed (rc=$RC)"
             exit "$RC"

.gitea/workflows/anno-reject.yml

@@ -22,9 +22,7 @@ concurrency:
 
 jobs:
   reject:
-    # ✅ Job ne démarre QUE si state/rejected (ou workflow_dispatch)
+    runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'workflow_dispatch' || github.event.label.name == 'state/rejected' }}
-    runs-on: mac-ci
     container:
       image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
 
@@ -33,7 +31,6 @@ jobs:
         run: |
           set -euo pipefail
           node --version
-          curl --version | head -n 1
 
       - name: Derive context (event.json / workflow_dispatch)
         env:
@@ -83,9 +80,14 @@ jobs:
             ev?.label ||
             "workflow_dispatch";
 
-          const apiBase = (process.env.FORGE_API && String(process.env.FORGE_API).trim())
+          let apiBase = "";
-            ? String(process.env.FORGE_API).trim().replace(/\/+$/,"")
+          if (process.env.FORGE_API && String(process.env.FORGE_API).trim()) {
-            : (cloneUrl ? new URL(cloneUrl).origin : "");
+            apiBase = String(process.env.FORGE_API).trim().replace(/\/+$/,"");
+          } else if (cloneUrl) {
+            apiBase = new URL(cloneUrl).origin;
+          } else {
+            apiBase = "";
+          }
 
           function sh(s){ return JSON.stringify(String(s)); }
 
@@ -101,29 +103,51 @@ jobs:
           echo "✅ context:"
           sed -n '1,120p' /tmp/reject.env
 
+      - name: Gate on label state/rejected only
+        run: |
+          set -euo pipefail
+          source /tmp/reject.env
+
+          if [[ "$LABEL_NAME" != "state/rejected" && "$LABEL_NAME" != "workflow_dispatch" ]]; then
+            echo "ℹ️ label=$LABEL_NAME => skip"
+            echo "SKIP=1" >> /tmp/reject.env
+            exit 0
+          fi
+          echo "✅ proceed (issue=$ISSUE_NUMBER)"
+
       - name: Comment + close (only if not conflicting with state/approved)
         env:
           FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
         run: |
           set -euo pipefail
           source /tmp/reject.env
+          [[ "${SKIP:-0}" != "1" ]] || { echo "ℹ️ skipped"; exit 0; }
 
           test -n "${FORGE_TOKEN:-}" || { echo "❌ Missing secret FORGE_TOKEN"; exit 1; }
           test -n "${API_BASE:-}" || { echo "❌ Missing API_BASE"; exit 1; }
 
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
+          ISSUE_JSON="$(curl -fsS \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Accept: application/json" \
-            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER" \
+            "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER")"
-            -o /tmp/reject.issue.json
 
-          # conflict guard: approved + rejected => do nothing, comment warning
+          # ✅ Robust: write JSON to file (avoid argv/stdi n "-" issue)
-          node --input-type=module - /tmp/reject.issue.json > /tmp/reject.flags <<'NODE'
+          printf '%s' "$ISSUE_JSON" > /tmp/issue.json
+
+          node --input-type=module - /tmp/issue.json > /tmp/reject.flags <<'NODE'
           import fs from "node:fs";
-          const issue = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
+
-          const labels = Array.isArray(issue.labels) ? issue.labels.map(l => String(l.name || "")).filter(Boolean) : [];
+          const fp = process.argv[2] || "";
+          const raw = fp ? fs.readFileSync(fp, "utf8") : "{}";
+          const issue = JSON.parse(raw || "{}");
+
+          const labels = Array.isArray(issue.labels)
+            ? issue.labels.map(l => String(l.name || "")).filter(Boolean)
+            : [];
+
           const hasApproved = labels.includes("state/approved");
           const hasRejected = labels.includes("state/rejected");
+
           process.stdout.write(`HAS_APPROVED=${hasApproved ? "1":"0"}\nHAS_REJECTED=${hasRejected ? "1":"0"}\n`);
           NODE
 
@@ -132,8 +156,7 @@ jobs:
           if [[ "${HAS_APPROVED:-0}" == "1" && "${HAS_REJECTED:-0}" == "1" ]]; then
             MSG="⚠️ Conflit d'état sur le ticket #${ISSUE_NUMBER} : labels **state/approved** et **state/rejected** présents.\n\n➡️ Action manuelle requise : retirer l'un des deux labels avant relance."
             PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
-            curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
+            curl -fsS -X POST \
-              -X POST \
               -H "Authorization: token $FORGE_TOKEN" \
               -H "Content-Type: application/json" \
               "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
@@ -142,20 +165,16 @@ jobs:
             exit 0
           fi
 
-          # comment reject
           MSG="❌ Ticket #${ISSUE_NUMBER} refusé (label state/rejected)."
           PAYLOAD="$(node --input-type=module -e 'console.log(JSON.stringify({body: process.argv[1]||""}))' "$MSG")"
 
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
+          curl -fsS -X POST \
-            -X POST \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Content-Type: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER/comments" \
             --data-binary "$PAYLOAD"
 
-          # close issue
+          curl -fsS -X PATCH \
-          curl -fsS --retry 3 --retry-delay 2 --retry-all-errors --max-time 30 \
-            -X PATCH \
             -H "Authorization: token $FORGE_TOKEN" \
             -H "Content-Type: application/json" \
             "$API_BASE/api/v1/repos/$OWNER/$REPO/issues/$ISSUE_NUMBER" \

.gitea/workflows/auto-label-issues.yml

@@ -4,37 +4,22 @@ on:
   issues:
     types: [opened, edited]
 
-concurrency:
-  group: auto-label-${{ github.event.issue.number || github.event.issue.index || 'manual' }}
-  cancel-in-progress: true
-
 jobs:
   label:
-    runs-on: mac-ci
+    runs-on: ubuntu-latest
-    container:
-      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
-
     steps:
       - name: Apply labels from Type/State/Category
         env:
-          # IMPORTANT: préfère FORGE_BASE (LAN) si défini, sinon FORGE_API
+          FORGE_BASE: ${{ vars.FORGE_API || vars.FORGE_BASE }}
-          FORGE_BASE: ${{ vars.FORGE_BASE || vars.FORGE_API || vars.FORGE_API_BASE }}
           FORGE_TOKEN: ${{ secrets.FORGE_TOKEN }}
           REPO_FULL: ${{ gitea.repository }}
           EVENT_PATH: ${{ github.event_path }}
-          NODE_OPTIONS: --dns-result-order=ipv4first
         run: |
           python3 - <<'PY'
-          import json, os, re, time, urllib.request, urllib.error, socket
+          import json, os, re, urllib.request, urllib.error
-
-          forge = (os.environ.get("FORGE_BASE") or "").rstrip("/")
-          if not forge:
-              raise SystemExit("Missing FORGE_BASE/FORGE_API repo variable (e.g. http://192.168.1.20:3000)")
-
-          token = os.environ.get("FORGE_TOKEN") or ""
-          if not token:
-              raise SystemExit("Missing secret FORGE_TOKEN")
 
+          forge = os.environ["FORGE_BASE"].rstrip("/")
+          token = os.environ["FORGE_TOKEN"]
           owner, repo = os.environ["REPO_FULL"].split("/", 1)
           event_path = os.environ["EVENT_PATH"]
 
@@ -61,9 +46,12 @@ jobs:
           print("PARSED:", {"Type": t, "State": s, "Category": c})
 
           # 1) explicite depuis le body
-          if t: desired.add(t)
+          if t:
-          if s: desired.add(s)
+              desired.add(t)
-          if c: desired.add(c)
+          if s:
+              desired.add(s)
+          if c:
+              desired.add(c)
 
           # 2) fallback depuis le titre si Type absent
           if not t:
@@ -88,56 +76,42 @@ jobs:
               "Authorization": f"token {token}",
               "Accept": "application/json",
               "Content-Type": "application/json",
-              "User-Agent": "archicratie-auto-label/1.1",
+              "User-Agent": "archicratie-auto-label/1.0",
           }
 
-          def jreq(method, url, payload=None, timeout=60, retries=4, backoff=2.0):
+          def jreq(method, url, payload=None):
               data = None if payload is None else json.dumps(payload).encode("utf-8")
-              last_err = None
+              req = urllib.request.Request(url, data=data, headers=headers, method=method)
-              for i in range(retries):
+              try:
-                  req = urllib.request.Request(url, data=data, headers=headers, method=method)
+                  with urllib.request.urlopen(req, timeout=20) as r:
-                  try:
+                      b = r.read()
-                      with urllib.request.urlopen(req, timeout=timeout) as r:
+                      return json.loads(b.decode("utf-8")) if b else None
-                          b = r.read()
+              except urllib.error.HTTPError as e:
-                          return json.loads(b.decode("utf-8")) if b else None
+                  b = e.read().decode("utf-8", errors="replace")
-                  except urllib.error.HTTPError as e:
+                  raise RuntimeError(f"HTTP {e.code} {method} {url}\n{b}") from e
-                      b = e.read().decode("utf-8", errors="replace")
-                      raise RuntimeError(f"HTTP {e.code} {method} {url}\n{b}") from e
-                  except (TimeoutError, socket.timeout, urllib.error.URLError) as e:
-                      last_err = e
-                      # retry only on network/timeout
-                      time.sleep(backoff * (i + 1))
-              raise RuntimeError(f"Network/timeout after retries: {method} {url}\n{last_err}")
 
           # labels repo
-          labels = jreq("GET", f"{api}/repos/{owner}/{repo}/labels?limit=1000", timeout=60) or []
+          labels = jreq("GET", f"{api}/repos/{owner}/{repo}/labels?limit=1000") or []
           name_to_id = {x.get("name"): x.get("id") for x in labels}
 
           missing = [x for x in desired if x not in name_to_id]
           if missing:
               raise SystemExit("Missing labels in repo: " + ", ".join(sorted(missing)))
 
-          wanted_ids = sorted({int(name_to_id[x]) for x in desired})
+          wanted_ids = [name_to_id[x] for x in desired]
 
           # labels actuels de l'issue
-          current = jreq("GET", f"{api}/repos/{owner}/{repo}/issues/{number}/labels", timeout=60) or []
+          current = jreq("GET", f"{api}/repos/{owner}/{repo}/issues/{number}/labels") or []
-          current_ids = {int(x.get("id")) for x in current if x.get("id") is not None}
+          current_ids = {x.get("id") for x in current if x.get("id") is not None}
 
           final_ids = sorted(current_ids.union(wanted_ids))
 
-          # Replace labels = union (n'enlève rien)
+          # set labels = union (n'enlève rien)
           url = f"{api}/repos/{owner}/{repo}/issues/{number}/labels"
-
+          try:
-          # IMPORTANT: on n'envoie JAMAIS une liste brute ici (ça a causé le 422)
+              jreq("PUT", url, {"labels": final_ids})
-          jreq("PUT", url, {"labels": final_ids}, timeout=90, retries=4)
+          except Exception:
-
+              jreq("PUT", url, final_ids)
-          # vérif post-apply (anti "timeout mais appliqué")
-          post = jreq("GET", f"{api}/repos/{owner}/{repo}/issues/{number}/labels", timeout=60) or []
-          post_ids = {int(x.get("id")) for x in post if x.get("id") is not None}
-
-          missing_ids = [i for i in wanted_ids if i not in post_ids]
-          if missing_ids:
-              raise RuntimeError(f"Labels not applied after PUT (missing ids): {missing_ids}")
 
           print(f"OK labels #{number}: {sorted(desired)}")
           PY

.gitea/workflows/ci.yaml

@@ -3,7 +3,7 @@ name: CI
 on:
   push:
   pull_request:
-    branches: [main]
+    branches: [master]
   workflow_dispatch:
 
 env:
@@ -15,7 +15,7 @@ defaults:
 
 jobs:
   build-and-anchors:
-    runs-on: mac-ci
+    runs-on: ubuntu-latest
     container:
       image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
 

.gitea/workflows/deploy-staging-live.yml

@@ -26,9 +26,9 @@ concurrency:
 
 jobs:
   deploy:
-    runs-on: nas-deploy
+    runs-on: ubuntu-latest
     container:
-      image: localhost:5000/archicratie/nas-deploy-node22@sha256:fefa8bb307005cebec07796661ab25528dc319c33a8f1e480e1d66f90cd5cff6
+      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
 
     steps:
       - name: Tools sanity
@@ -127,17 +127,25 @@ jobs:
             echo "ℹ️ no annotations/media change -> skip deploy"
           fi
 
-      - name: Toolchain sanity + resolve COMPOSE_PROJECT_NAME
+      - name: Install docker client + docker compose plugin (v2) + python yaml
         run: |
           set -euo pipefail
           source /tmp/deploy.env
           [[ "${GO:-0}" == "1" ]] || { echo "ℹ️ skipped"; exit 0; }
 
-          # tools are prebaked in the image
+          apt-get -o Acquire::Retries=5 -o Acquire::ForceIPv4=true update
-          git --version
+          apt-get install -y --no-install-recommends ca-certificates curl docker.io python3 python3-yaml
+          rm -rf /var/lib/apt/lists/*
+
+          mkdir -p /usr/local/lib/docker/cli-plugins
+          curl -fsSL \
+            "https://github.com/docker/compose/releases/download/v${COMPOSE_VERSION}/docker-compose-linux-x86_64" \
+            -o /usr/local/lib/docker/cli-plugins/docker-compose
+          chmod +x /usr/local/lib/docker/cli-plugins/docker-compose
+
           docker version
           docker compose version
-          python3 -c 'import yaml; print("PyYAML OK")'
+          python3 --version
 
           # Reuse existing compose project name if containers already exist
           PROJ="$(docker inspect archicratie-web-blue --format '{{ index .Config.Labels "com.docker.compose.project" }}' 2>/dev/null || true)"

.gitea/workflows/smoke.yml

@@ -3,7 +3,7 @@ on: [push, workflow_dispatch]
 
 jobs:
   smoke:
-    runs-on: mac-ci
+    runs-on: ubuntu-latest
     steps:
       - run: node -v && npm -v
       - run: echo "runner OK"