ci: add Forgejo Actions pipeline + gitleaks secret-scan (#2)

2026-06-15 12:01:31 +02:00 · 2026-06-15 12:01:31 +02:00 · 822fdc1bc4
commit 822fdc1bc4
parent 971ce0c7d0
2 changed files with 115 additions and 0 deletions
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@ -0,0 +1,84 @@
+name: CI
+# CI Wakdo - Forgejo Actions (runner stark-wakdo, label `docker`).
+# Strategie solo dev : PR obligatoire + auto-merge sur CI verte (voir SECURITY.md).
+#
+# Etat des jobs selon la phase projet :
+#   - secret-scan : fonctionnel des maintenant (gitleaks scanne tout le depot)
+#   - php-lint    : fonctionnel sur les fichiers PHP presents (stubs P1, code P2+)
+#   - static-tests: PHPStan + PHPUnit GARDES - s'activent quand P2 ajoute
+#                   composer.json / phpstan.neon / tests + phpunit.xml
+
+on:
+  pull_request:
+    branches: [dev, main]
+  push:
+    # dev/main : porte de merge. feat|fix|ci|refactor : feedback avant la PR.
+    branches: [dev, main, 'feat/**', 'fix/**', 'ci/**', 'refactor/**']
+
+jobs:
+  secret-scan:
+    runs-on: docker
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install tools
+        run: |
+          apt-get update -qq
+          apt-get install -y -qq curl ca-certificates tar >/dev/null
+      - name: Install gitleaks
+        run: |
+          VER=8.21.2
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${VER}/gitleaks_${VER}_linux_x64.tar.gz" -o /tmp/gl.tgz
+          tar -xzf /tmp/gl.tgz -C /usr/local/bin gitleaks
+          gitleaks version
+      - name: Scan for secrets
+        run: gitleaks detect --config .gitleaks.toml --redact --no-banner --verbose
+
+  php-lint:
+    runs-on: docker
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install PHP CLI
+        run: |
+          apt-get update -qq
+          apt-get install -y -qq php-cli >/dev/null
+          php --version
+      - name: Lint all PHP files
+        run: |
+          set -eu
+          files=$(find . -path ./node_modules -prune -o -name '*.php' -print)
+          if [ -z "$files" ]; then echo "No PHP files yet - skip"; exit 0; fi
+          echo "$files" | while IFS= read -r f; do
+            [ -z "$f" ] && continue
+            php -l "$f"
+          done
+
+  static-tests:
+    runs-on: docker
+    steps:
+      - uses: actions/checkout@v4
+      - name: PHPStan (guarded)
+        run: |
+          if [ -f composer.json ] && [ -f phpstan.neon ]; then
+            echo "phpstan config detected - running"
+            apt-get update -qq && apt-get install -y -qq php-cli unzip git >/dev/null
+            curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
+            composer install --no-interaction --no-progress
+            vendor/bin/phpstan analyse --no-progress
+          else
+            echo "PHPStan skipped: no composer.json/phpstan.neon yet (activates in P2)"
+          fi
+      - name: PHPUnit (guarded)
+        run: |
+          if [ -d tests ] && [ -f phpunit.xml ]; then
+            echo "phpunit config detected - running"
+            apt-get update -qq && apt-get install -y -qq php-cli >/dev/null
+            if [ -f vendor/bin/phpunit ]; then vendor/bin/phpunit; \
+            elif [ -f phpunit.phar ]; then php phpunit.phar; \
+            else echo "phpunit binary missing despite config" && exit 1; fi
+          else
+            echo "PHPUnit skipped: no tests/ + phpunit.xml yet (activates in P2)"
+          fi
+
+# (CI pipeline validee le 2026-06-15 - test auto-merge)
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
@ -0,0 +1,31 @@
+# Wakdo - configuration gitleaks (secret-scan)
+#
+# Utilise par :
+#   - le hook pre-commit local (defense en profondeur)
+#   - le job CI Forgejo Actions (.forgejo/workflows/, lot D) sur chaque PR -> dev
+#
+# Principe : etendre le jeu de regles par defaut de gitleaks, puis ne tolerer
+# QUE les faux positifs explicitement justifies ci-dessous (placeholders de doc).
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Faux positifs documentes - placeholders de configuration, jamais des secrets reels"
+
+# Fichiers de template / doc : ne contiennent que des placeholders RFC 2606 / change_me.
+paths = [
+  '''\.env\.example$''',
+  '''\.gitleaks\.toml$''',
+  '''docs/.*\.md$''',
+]
+
+# Valeurs placeholder explicites tolerees ou qu'elles apparaissent.
+regexes = [
+  '''change_me_strong_password''',
+  '''change_me_root_password''',
+  '''example\.com''',
+]
+
+# Note : le vrai .env est gitignore et ne doit jamais etre commite. Ce scan est
+# une defense en profondeur, pas un substitut a l'hygiene .gitignore.