diff --git a/.gitea/workflows/audit.yml b/.gitea/workflows/audit.yml new file mode 100644 index 0000000..4e73fd0 --- /dev/null +++ b/.gitea/workflows/audit.yml @@ -0,0 +1,27 @@ +name: Security · npm audit + +on: + schedule: + # Each Monday at 07:00 UTC + - cron: '0 7 * * 1' + workflow_dispatch: + +jobs: + audit: + name: npm audit + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + cache: 'npm' + + - name: Install dependencies + run: npm ci + + - name: Run audit (fail on high/critical) + run: npm audit --audit-level=high diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml new file mode 100644 index 0000000..9486d2d --- /dev/null +++ b/.gitea/workflows/ci.yml 
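Review bot: Both `uses:` lines reference a moving tag (`actions/checkout@v4`, `actions/setup-node@v4`), so the runner fetches whatever revision the tag points at when the job runs; pinning each to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4` (placeholder SHA), makes the fetched action immutable. The same two references appear in the ci.yml hunk and should be pinned there too. The `npm ci` step runs every dependency's install lifecycle scripts although this job only needs the dependency tree for `npm audit`; `run: npm ci --ignore-scripts` keeps package code from executing in the audit job. No `permissions:` block is declared; if the Gitea instance honours it, a top-level `permissions: contents: read` limits the job token to what the audit needs.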
@@ -0,0 +1,77 @@ +name: CI · Test & Deploy + +on: + push: + branches: [main] + +jobs: + # ───────────────────────────────────────────── + # JOB 1: Playwright tests + # ───────────────────────────────────────────── + test: + name: Playwright tests + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + cache: 'npm' + + - name: Install dependencies + run: npm ci --omit=dev + + - name: Install Playwright browsers + run: npx playwright install chromium --with-deps + + - name: Start app (static HTTP server) + run: | + npm install --save-dev http-server + npx http-server . -p 9090 & + sleep 2 + + - name: Run Playwright tests + run: npx playwright test --reporter=list + env: + APP_URL: http://localhost:9090 + + # ───────────────────────────────────────────── + # JOB 2: Deploy to VPS (only if tests pass) + # ───────────────────────────────────────────── + deploy: + name: Deploy to VPS + runs-on: ubuntu-latest + needs: test + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup SSH key + run: | + mkdir -p ~/.ssh + echo "${{ secrets.VPS_SSH_KEY }}" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + ssh-keyscan -H 80.225.185.50 >> ~/.ssh/known_hosts + + - name: Upload static files + run: | + scp -i ~/.ssh/id_ed25519 index.html comarca-paths.js \ + ubuntu@80.225.185.50:/srv/docker/data/comarques/public/ + + - name: Upload server files & rebuild + run: | + ssh -i ~/.ssh/id_ed25519 ubuntu@80.225.185.50 "mkdir -p /srv/docker/builds/comarques" + scp -i ~/.ssh/id_ed25519 server.js package.json Dockerfile \ + ubuntu@80.225.185.50:/srv/docker/builds/comarques/ + ssh -i ~/.ssh/id_ed25519 ubuntu@80.225.185.50 \ + "cd /srv/docker/builds/comarques && docker build -t comarques-de-catalunya:latest . 
\ + && cd /srv/docker/compose && docker compose up -d comarques" + + - name: Health check + run: | + sleep 5 + curl -fs https://comarques.jaumegar.work/api/health \ + || (echo "❌ Health check failed after deploy" && exit 1)
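Review bot: The "Setup SSH key" step runs `ssh-keyscan -H 80.225.185.50 >> ~/.ssh/known_hosts` on every deploy, so the host key is trusted from whatever answers at that moment and the known_hosts check cannot detect a substituted host; the host's public key line should come from repository configuration instead, e.g. `echo "$VPS_HOST_KEY" >> ~/.ssh/known_hosts` with the value exported under `env:` from a secret or variable (name is a placeholder). The same step expands `${{ secrets.VPS_SSH_KEY }}` directly into the shell script; passing it through `env:` and writing it with `printf '%s\n' "$VPS_SSH_KEY" > ~/.ssh/id_ed25519` keeps the secret out of the rendered command text. In the test job, `npm ci --omit=dev` followed by `npx playwright test` and `npm install --save-dev http-server` means that, if Playwright and http-server are dev dependencies, they are resolved from the registry at run time outside the lockfile rather than installed from it; dropping `--omit=dev` and adding http-server to the lockfile would keep the test run reproducible.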