fix: post-audit CI and governance cleanup #6

Merged
electron-rare merged 3 commits from fix/post-audit-cleanup into main 2026-05-18 20:23:44 +00:00
3 changed files with 24 additions and 95 deletions
+7 -2
View File
@@ -21,13 +21,18 @@ jobs:
- name: Install
run: npm ci
- name: Typecheck (non-blocking — repo has known debt)
continue-on-error: true
- name: Typecheck
run: npm run typecheck
- name: Build
run: npm run build
- name: Tracking check
run: npm run tracking:check
- name: Image budget
run: npm run image:budget
- name: Notify ntfy on failure
if: failure()
run: |
-83
View File
@@ -1,83 +0,0 @@
name: Deploy to Tower
on:
push:
branches: [main]
workflow_dispatch:
permissions:
contents: read
concurrency:
group: deploy-production
cancel-in-progress: true
jobs:
build-and-deploy:
runs-on: ubuntu-latest
env:
PUBLIC_SITE_URL: https://www.lelectronrare.fr/
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: 22
cache: npm
- name: Install dependencies
run: npm ci
- name: Build site
run: npm run build
- name: Deploy to Tower
uses: appleboy/scp-action@v0.1.7
with:
host: ${{ secrets.TOWER_HOST }}
username: ${{ secrets.TOWER_USER }}
key: ${{ secrets.TOWER_SSH_KEY }}
source: "dist/"
target: "/home/clems/electron-rare-site/"
overwrite: true
rm: true
- name: Restart site container
uses: appleboy/ssh-action@v1.0.3
with:
host: ${{ secrets.TOWER_HOST }}
username: ${{ secrets.TOWER_USER }}
key: ${{ secrets.TOWER_SSH_KEY }}
script: |
cd /home/clems/electron-rare-site
docker rm -f electron-rare-site 2>/dev/null || true
docker run -d \
--name electron-rare-site \
--network mascarade-frontend \
-v /home/clems/electron-rare-site/dist:/app/dist \
-v /home/clems/electron-rare-site/node_modules:/app/node_modules \
-w /app \
-p 4321:4321 \
-e HOST=0.0.0.0 \
-e PORT=4321 \
--restart unless-stopped \
node:22-alpine \
node dist/server/entry.mjs
- name: Verify deployment
uses: appleboy/ssh-action@v1.0.3
with:
host: ${{ secrets.TOWER_HOST }}
username: ${{ secrets.TOWER_USER }}
key: ${{ secrets.TOWER_SSH_KEY }}
script: |
sleep 5
STATUS=$(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:4321/)
if [ "$STATUS" != "200" ]; then
echo "Site returned $STATUS instead of 200"
exit 1
fi
echo "Site is live (HTTP 200)"
@@ -41,14 +41,16 @@ jobs:
fi
done
CHECK_STATE="unknown"
REQUIRED_CHECKS_LIST="(unknown)"
if [ "$PROTECTION_HTTP_CODE" = "200" ]; then
REQ_CHECK_CHECKS=$(echo "$PROTECTION_JSON" | jq -r '.required_status_checks.checks[]?.context // empty' | grep -Fx 'Cross-stack coherence' || true)
REQ_CHECK_CONTEXTS=$(echo "$PROTECTION_JSON" | jq -r '.required_status_checks.contexts[]? // empty' | grep -Fx 'Cross-stack coherence' || true)
if [ -n "$REQ_CHECK_CHECKS" ] || [ -n "$REQ_CHECK_CONTEXTS" ]; then
CHECK_STATE="required"
else
CHECK_STATE="not-required"
REQUIRED_CHECKS_LIST="$(echo "$PROTECTION_JSON" | jq -r '
[
(.required_status_checks.contexts // [])[],
(.required_status_checks.checks // [])[].context
] | unique | .[]
' 2>/dev/null || true)"
if [ -z "$REQUIRED_CHECKS_LIST" ]; then
REQUIRED_CHECKS_LIST="(none)"
fi
fi
@@ -58,10 +60,15 @@ jobs:
echo "Generated: $NOW_UTC"
echo "Repository: $GH_REPO"
copilot-pull-request-reviewer[bot] commented 2026-05-18 20:18:27 +00:00 (Migrated from github.com)
Review

The jq extraction can emit null entries (e.g., when a check object lacks .context), which then get rendered as a bullet like - null. Also, because jq errors are swallowed (2>/dev/null || true), a parse/API shape failure will be reported as “(none)” rather than “(unknown)”, which can make the governance report inaccurate. Consider filtering out null/empty contexts and preserving an explicit “unknown/parse-error” state when jq fails.

The jq extraction can emit `null` entries (e.g., when a check object lacks `.context`), which then get rendered as a bullet like `- null`. Also, because jq errors are swallowed (`2>/dev/null || true`), a parse/API shape failure will be reported as “(none)” rather than “(unknown)”, which can make the governance report inaccurate. Consider filtering out null/empty contexts and preserving an explicit “unknown/parse-error” state when jq fails.
echo
echo "## Branch Protection (main)"
echo "- Cross-stack coherence: $CHECK_STATE"
if [ "$CHECK_STATE" = "unknown" ]; then
echo "## Branch Protection (main) — Required Status Checks"
if [ "$PROTECTION_HTTP_CODE" != "200" ]; then
echo "- Note: branch protection endpoint not readable with current token (HTTP $PROTECTION_HTTP_CODE)."
elif [ "$REQUIRED_CHECKS_LIST" = "(none)" ]; then
echo "- No required status checks configured."
else
echo "$REQUIRED_CHECKS_LIST" | while IFS= read -r ctx; do
[ -n "$ctx" ] && echo "- $ctx"
done
fi
echo
echo "## Expected Labels"