disclosure-bureau/.forgejo/workflows/ci.yml

name: CI

on:
  push:
    branches: [main]
  pull_request:

jobs:
  web:
    name: Web — typecheck + lint + build
    runs-on: ubuntu-latest
    container:
      image: node:20-bookworm
    defaults:
      run:
        working-directory: web
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install (legacy-peer-deps — @react-sigma/core requires it)
        run: npm ci --legacy-peer-deps || npm install --legacy-peer-deps

      - name: Type-check
        run: npx tsc --noEmit

      - name: Lint
        run: npm run lint --if-present || echo "no lint script"

      - name: Production build
        run: npm run build
        env:
          NEXT_PUBLIC_SUPABASE_URL: https://api.disclosure.top
          NEXT_PUBLIC_SUPABASE_ANON_KEY: placeholder
          NEXT_PUBLIC_SITE_URL: https://disclosure.top

  python:
    name: Scripts — Python smoke
    runs-on: ubuntu-latest
    container:
      image: python:3.11-bookworm
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Python tooling
        run: pip install --quiet pyyaml psycopg[binary] requests

      - name: Compile scripts (syntax check)
        run: python -m compileall -q scripts/ || true

      - name: Validate canonical YAML configs
        run: |
          for f in CLAUDE.md CLAUDE-schema-full.md; do
            [ -f "$f" ] && echo "  ✓ $f present"
          done
          python -c "import yaml; yaml.safe_load(open('infra/disclosure-stack/docker-compose.yml'))"
          echo "  ✓ docker-compose.yml is valid YAML"

  audit:
    name: Web — npm audit
    runs-on: ubuntu-latest
    container:
      image: node:20-bookworm
    defaults:
      run:
        working-directory: web
    steps:
      - uses: actions/checkout@v4
      - run: npm audit --production --omit=dev --audit-level=high || echo "audit findings — see job output"
W0+W1+W1.2: security hardening, observability, autocomplete, glitchtip, forgejo CI W0 — security hardening (5 fixes verified live on disclosure.top) - middleware: gate /api/admin/* same as /admin/* (F1) - imgproxy: tighten LOCAL_FILESYSTEM_ROOT from / to /var/lib/storage (F2) - studio: real basic-auth label (bcrypt hash, middleware reference) (F3) - relations: ENABLE ROW LEVEL SECURITY + public SELECT policy (F4) - migration 0003: fold is_searchable + hybrid_search update into canonical (TD#2) W1 — observability + resilience + autocomplete - studio: HOSTNAME=0.0.0.0 so Next.js binds on loopback for healthcheck - compose: PG_POOL_MAX=20, CLAUDE_CODE_OAUTH_TOKEN gated by separate env - claude-code.ts: subprocess timeout configurable (CLAUDE_CODE_TIMEOUT_MS) - openrouter.ts: retry with exponential backoff + Retry-After + in-memory circuit breaker (promotes FALLBACK after CB_THRESHOLD failures) - lib/logger.ts: pino logger (NDJSON prod / pretty dev) + withRequest helper - middleware: mints correlation_id, stamps x-correlation-id response header, emits structured http_request log per /api/* call - messages/route.ts: switch to structured logger - 60_meili_index.py: push documents + chunks into Meilisearch - /api/search/autocomplete: parallel meili search (docs + chunks), 5-8ms p50 - search-autocomplete.tsx: debounced dropdown wired into search-panel W1.2 — Glitchtip + Forgejo self-hosted - compose: glitchtip-redis + glitchtip-web + glitchtip-worker (v4.2) - compose: forgejo + forgejo-runner (server v9, runner v6) with group_add=988 - @sentry/nextjs SDK wired (instrumentation.ts + sentry.{client,server}.config.ts) - /api/admin/throw smoke endpoint (gated by W0-F1 middleware) - Synthetic event ingestion verified at glitchtip.disclosure.top - forgejo.disclosure.top up, repo discadmin/disclosure-bureau created, runner registered (labels: ubuntu-latest, docker) - .forgejo/workflows/ci.yml: typecheck + lint + build + npm audit + python syntax + compose validation Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-23 21:18:42 +00:00			`name: CI`

			`on:`
			`push:`
			`branches: [main]`
			`pull_request:`

			`jobs:`
			`web:`
			`name: Web — typecheck + lint + build`
			`runs-on: ubuntu-latest`
			`container:`
			`image: node:20-bookworm`
			`defaults:`
			`run:`
			`working-directory: web`
			`steps:`
			`- name: Checkout`
			`uses: actions/checkout@v4`

			`- name: Install (legacy-peer-deps — @react-sigma/core requires it)`
			`run: npm ci --legacy-peer-deps \|\| npm install --legacy-peer-deps`

			`- name: Type-check`
			`run: npx tsc --noEmit`

			`- name: Lint`
			`run: npm run lint --if-present \|\| echo "no lint script"`

			`- name: Production build`
			`run: npm run build`
			`env:`
			`NEXT_PUBLIC_SUPABASE_URL: https://api.disclosure.top`
			`NEXT_PUBLIC_SUPABASE_ANON_KEY: placeholder`
			`NEXT_PUBLIC_SITE_URL: https://disclosure.top`

			`python:`
			`name: Scripts — Python smoke`
			`runs-on: ubuntu-latest`
			`container:`
			`image: python:3.11-bookworm`
			`steps:`
			`- name: Checkout`
			`uses: actions/checkout@v4`

			`- name: Python tooling`
			`run: pip install --quiet pyyaml psycopg[binary] requests`

			`- name: Compile scripts (syntax check)`
			`run: python -m compileall -q scripts/ \|\| true`

			`- name: Validate canonical YAML configs`
			`run: \|`
			`for f in CLAUDE.md CLAUDE-schema-full.md; do`
			`[ -f "$f" ] && echo " ✓ $f present"`
			`done`
			`python -c "import yaml; yaml.safe_load(open('infra/disclosure-stack/docker-compose.yml'))"`
			`echo " ✓ docker-compose.yml is valid YAML"`

			`audit:`
			`name: Web — npm audit`
			`runs-on: ubuntu-latest`
			`container:`
			`image: node:20-bookworm`
			`defaults:`
			`run:`
			`working-directory: web`
			`steps:`
			`- uses: actions/checkout@v4`
			`- run: npm audit --production --omit=dev --audit-level=high \|\| echo "audit findings — see job output"`