fix: post-audit CI and governance cleanup #6
@@ -21,13 +21,18 @@ jobs:
|
||||
- name: Install
|
||||
run: npm ci
|
||||
|
||||
- name: Typecheck (non-blocking — repo has known debt)
|
||||
continue-on-error: true
|
||||
- name: Typecheck
|
||||
run: npm run typecheck
|
||||
|
||||
- name: Build
|
||||
run: npm run build
|
||||
|
||||
- name: Tracking check
|
||||
run: npm run tracking:check
|
||||
|
||||
- name: Image budget
|
||||
run: npm run image:budget
|
||||
|
||||
- name: Notify ntfy on failure
|
||||
if: failure()
|
||||
run: |
|
||||
|
||||
@@ -1,83 +0,0 @@
|
||||
name: Deploy to Tower
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
concurrency:
|
||||
group: deploy-production
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
build-and-deploy:
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
PUBLIC_SITE_URL: https://www.lelectronrare.fr/
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Setup Node
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 22
|
||||
cache: npm
|
||||
|
||||
- name: Install dependencies
|
||||
run: npm ci
|
||||
|
||||
- name: Build site
|
||||
run: npm run build
|
||||
|
||||
- name: Deploy to Tower
|
||||
uses: appleboy/scp-action@v0.1.7
|
||||
with:
|
||||
host: ${{ secrets.TOWER_HOST }}
|
||||
username: ${{ secrets.TOWER_USER }}
|
||||
key: ${{ secrets.TOWER_SSH_KEY }}
|
||||
source: "dist/"
|
||||
target: "/home/clems/electron-rare-site/"
|
||||
overwrite: true
|
||||
rm: true
|
||||
|
||||
- name: Restart site container
|
||||
uses: appleboy/ssh-action@v1.0.3
|
||||
with:
|
||||
host: ${{ secrets.TOWER_HOST }}
|
||||
username: ${{ secrets.TOWER_USER }}
|
||||
key: ${{ secrets.TOWER_SSH_KEY }}
|
||||
script: |
|
||||
cd /home/clems/electron-rare-site
|
||||
docker rm -f electron-rare-site 2>/dev/null || true
|
||||
docker run -d \
|
||||
--name electron-rare-site \
|
||||
--network mascarade-frontend \
|
||||
-v /home/clems/electron-rare-site/dist:/app/dist \
|
||||
-v /home/clems/electron-rare-site/node_modules:/app/node_modules \
|
||||
-w /app \
|
||||
-p 4321:4321 \
|
||||
-e HOST=0.0.0.0 \
|
||||
-e PORT=4321 \
|
||||
--restart unless-stopped \
|
||||
node:22-alpine \
|
||||
node dist/server/entry.mjs
|
||||
|
||||
- name: Verify deployment
|
||||
uses: appleboy/ssh-action@v1.0.3
|
||||
with:
|
||||
host: ${{ secrets.TOWER_HOST }}
|
||||
username: ${{ secrets.TOWER_USER }}
|
||||
key: ${{ secrets.TOWER_SSH_KEY }}
|
||||
script: |
|
||||
sleep 5
|
||||
STATUS=$(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:4321/)
|
||||
if [ "$STATUS" != "200" ]; then
|
||||
echo "Site returned $STATUS instead of 200"
|
||||
exit 1
|
||||
fi
|
||||
echo "Site is live (HTTP 200)"
|
||||
@@ -41,14 +41,16 @@ jobs:
|
||||
fi
|
||||
done
|
||||
|
||||
CHECK_STATE="unknown"
|
||||
REQUIRED_CHECKS_LIST="(unknown)"
|
||||
if [ "$PROTECTION_HTTP_CODE" = "200" ]; then
|
||||
REQ_CHECK_CHECKS=$(echo "$PROTECTION_JSON" | jq -r '.required_status_checks.checks[]?.context // empty' | grep -Fx 'Cross-stack coherence' || true)
|
||||
REQ_CHECK_CONTEXTS=$(echo "$PROTECTION_JSON" | jq -r '.required_status_checks.contexts[]? // empty' | grep -Fx 'Cross-stack coherence' || true)
|
||||
if [ -n "$REQ_CHECK_CHECKS" ] || [ -n "$REQ_CHECK_CONTEXTS" ]; then
|
||||
CHECK_STATE="required"
|
||||
else
|
||||
CHECK_STATE="not-required"
|
||||
REQUIRED_CHECKS_LIST="$(echo "$PROTECTION_JSON" | jq -r '
|
||||
[
|
||||
(.required_status_checks.contexts // [])[],
|
||||
(.required_status_checks.checks // [])[].context
|
||||
] | unique | .[]
|
||||
' 2>/dev/null || true)"
|
||||
if [ -z "$REQUIRED_CHECKS_LIST" ]; then
|
||||
REQUIRED_CHECKS_LIST="(none)"
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -58,10 +60,15 @@ jobs:
|
||||
echo "Generated: $NOW_UTC"
|
||||
echo "Repository: $GH_REPO"
|
||||
|
|
||||
echo
|
||||
echo "## Branch Protection (main)"
|
||||
echo "- Cross-stack coherence: $CHECK_STATE"
|
||||
if [ "$CHECK_STATE" = "unknown" ]; then
|
||||
echo "## Branch Protection (main) — Required Status Checks"
|
||||
if [ "$PROTECTION_HTTP_CODE" != "200" ]; then
|
||||
echo "- Note: branch protection endpoint not readable with current token (HTTP $PROTECTION_HTTP_CODE)."
|
||||
elif [ "$REQUIRED_CHECKS_LIST" = "(none)" ]; then
|
||||
echo "- No required status checks configured."
|
||||
else
|
||||
echo "$REQUIRED_CHECKS_LIST" | while IFS= read -r ctx; do
|
||||
[ -n "$ctx" ] && echo "- $ctx"
|
||||
done
|
||||
fi
|
||||
echo
|
||||
echo "## Expected Labels"
|
||||
|
||||
Reference in New Issue
Block a user
The jq extraction can emit
nullentries (e.g., when a check object lacks.context), which then get rendered as a bullet like- null. Also, because jq errors are swallowed (2>/dev/null || true), a parse/API shape failure will be reported as “(none)” rather than “(unknown)”, which can make the governance report inaccurate. Consider filtering out null/empty contexts and preserving an explicit “unknown/parse-error” state when jq fails.