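# CI-WORKFLOW — snapshot de .gitea/workflows/ci.yml

```yaml
---
name: CI

on:
  push:
  pull_request:
    branches: ["master"]

env:
  NODE_OPTIONS: "--dns-result-order=ipv4first"

defaults:
  run:
    shell: bash

jobs:
  build-and-anchors:
    runs-on: ubuntu-latest
    container:
      image: mcr.microsoft.com/devcontainers/javascript-node:22-bookworm
    steps:
      - name: Tools sanity
        run: |
          set -euo pipefail
          git --version
          node --version
          npm --version
          npm ping --registry=https://registry.npmjs.org

      # Checkout WITHOUT an external action (no github.com)
      - name: Checkout (from event.json, no external actions)
        run: |
          set -euo pipefail
          EVENT_JSON="/var/run/act/workflow/event.json"
          if [ ! -f "$EVENT_JSON" ]; then
            echo "ERROR: missing $EVENT_JSON"
            ls -la /var/run/act/workflow || true
            exit 1
          fi

          # 1) Read the repo URL from event.json
          REPO_URL="$(node -e '
            const fs=require("fs");
            const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8"));
            let url = ev.repository?.clone_url || ev.repository?.html_url || "";
            if (!url) process.exit(2);
            if (!url.endsWith(".git")) url += ".git";
            process.stdout.write(url);
          ' "$EVENT_JSON")"

          # 2) Read the SHA (push -> after, PR -> pull_request.head.sha)
          SHA="$(node -e '
            const fs=require("fs");
            const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8"));
            const sha = ev.after || ev.pull_request?.head?.sha || ev.head_commit?.id || "";
            process.stdout.write(sha);
          ' "$EVENT_JSON")"
          if [ -z "$SHA" ]; then
            echo "ERROR: cannot find SHA in event.json"
            node -e 'const ev=require(process.argv[1]); console.log(Object.keys(ev));' "$EVENT_JSON" || true
            exit 1
          fi

          # Only the plain URL is echoed; AUTH_URL below is never printed.
          echo "Repo URL: $REPO_URL"
          echo "SHA: $SHA"

          # 3) Add the token if available (NEVER print the token)
          AUTH_URL="$REPO_URL"
          if [ -n "${GITHUB_TOKEN:-}" ] && [[ "$REPO_URL" == https://* ]]; then
            AUTH_URL="${REPO_URL/https:\/\//https:\/\/oauth2:${GITHUB_TOKEN}@}"
          elif [ -n "${GITEA_TOKEN:-}" ] && [[ "$REPO_URL" == https://* ]]; then
            AUTH_URL="${REPO_URL/https:\/\//https:\/\/oauth2:${GITEA_TOKEN}@}"
          fi

          # 4) Minimal clone + exact checkout of the SHA
          rm -rf .git || true
          git init .
          # Optional if your Gitea uses a "non-standard" TLS certificate.
          # This disables certificate verification for every git call on the
          # runner; prefer pointing http.sslCAInfo at the CA bundle instead:
          # git config --global http.sslVerify false
          #
          # The remote is registered with the plain URL and the authenticated
          # URL is passed to fetch only, so the token is not written to
          # .git/config where every later step in this workspace (npm ci and
          # its lifecycle scripts, the build) could read it.
          git remote add origin "$REPO_URL"
          GIT_TERMINAL_PROMPT=0 git fetch --depth=1 "$AUTH_URL" "$SHA"
          git checkout -q FETCH_HEAD
          git log -1 --oneline

      - name: Anchor aliases schema
        run: node scripts/check-anchor-aliases.mjs

      - name: NPM harden
        run: |
          set -euo pipefail
          npm config set fetch-retries 5
          npm config set fetch-retry-mintimeout 20000
          npm config set fetch-retry-maxtimeout 120000
          npm config set registry https://registry.npmjs.org
          npm config get registry

      - name: Install deps
        run: npm ci

      - name: Inline scripts syntax check
        run: node scripts/check-inline-js.mjs

      - name: Build
        run: npm run build

      - name: Verify anchor aliases injected
        run: node scripts/verify-anchor-aliases-in-dist.mjs

      - name: Anchors contract
        run: npm run test:anchors
```

_________________________________________________

Dernière mise à jour : 2026-01-29

Ce document complète `CI-BASELINE.md` et décrit l'intention :

- ne pas casser les ancres
- garantir un dist propre
- garder le pipeline simple et déterministe

---

## 1) Principe

Le CI doit exécuter exactement ce que le dev exécute :

- `npm ci`
- `npm test`

Pas de magie, pas de step « inventée ».

---

## 2) Points critiques

### A) Build via npm (pas via astro direct)

Toujours en bash :

    npm run build

pour exécuter `postbuild` :

- injection des aliases
- génération pagefind

### B) Dist « HTML only »

L'audit du dist ignore scripts/styles pour détecter les vrais IDs HTML.

## 3) Runner Synology / réseau

En contexte DSM (Docker), si le runner build des images :

- activer BuildKit si besoin,
- builder en network host (comme en prod NAS).

Voir :

- DEPLOY_PROD_SYNOLOGY_DS220.md
- OPS_COCKPIT.md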