diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
new file mode 100644
index 0000000..63f73b2
--- /dev/null
+++ b/.forgejo/workflows/ci.yml
@@ -0,0 +1,82 @@
+name: CI
+# CI Wakdo - Forgejo Actions (runner stark-wakdo, label `docker`).
+# Strategie solo dev : PR obligatoire + auto-merge sur CI verte (voir SECURITY.md).
+#
+# Etat des jobs selon la phase projet :
+# - secret-scan : fonctionnel des maintenant (gitleaks scanne tout le depot)
+# - php-lint : fonctionnel sur les fichiers PHP presents (stubs P1, code P2+)
+# - static-tests: PHPStan + PHPUnit GARDES - s'activent quand P2 ajoute
+# composer.json / phpstan.neon / tests + phpunit.xml
+
+on:
+ pull_request:
+ branches: [dev, main]
+ push:
+ # dev/main : porte de merge. feat|fix|ci|refactor : feedback avant la PR.
+ branches: [dev, main, 'feat/**', 'fix/**', 'ci/**', 'refactor/**']
+
+jobs:
+ secret-scan:
+ runs-on: docker
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Install tools
+ run: |
+ apt-get update -qq
+ apt-get install -y -qq curl ca-certificates tar >/dev/null
+ - name: Install gitleaks
+ run: |
+ VER=8.21.2
+ curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${VER}/gitleaks_${VER}_linux_x64.tar.gz" -o /tmp/gl.tgz
+ tar -xzf /tmp/gl.tgz -C /usr/local/bin gitleaks
+ gitleaks version
+ - name: Scan for secrets
+ run: gitleaks detect --config .gitleaks.toml --redact --no-banner --verbose
+
+ php-lint:
+ runs-on: docker
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install PHP CLI
+ run: |
+ apt-get update -qq
+ apt-get install -y -qq php-cli >/dev/null
+ php --version
+ - name: Lint all PHP files
+ run: |
+ set -eu
+ files=$(find . -path ./node_modules -prune -o -name '*.php' -print)
+ if [ -z "$files" ]; then echo "No PHP files yet - skip"; exit 0; fi
+ echo "$files" | while IFS= read -r f; do
+ [ -z "$f" ] && continue
+ php -l "$f"
+ done
+
+ static-tests:
+ runs-on: docker
+ steps:
+ - uses: actions/checkout@v4
+ - name: PHPStan (guarded)
+ run: |
+ if [ -f composer.json ] && [ -f phpstan.neon ]; then
+ echo "phpstan config detected - running"
+ apt-get update -qq && apt-get install -y -qq php-cli unzip git >/dev/null
+ curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
+ composer install --no-interaction --no-progress
+ vendor/bin/phpstan analyse --no-progress
+ else
+ echo "PHPStan skipped: no composer.json/phpstan.neon yet (activates in P2)"
+ fi
+ - name: PHPUnit (guarded)
+ run: |
+ if [ -d tests ] && [ -f phpunit.xml ]; then
+ echo "phpunit config detected - running"
+ apt-get update -qq && apt-get install -y -qq php-cli >/dev/null
+ if [ -f vendor/bin/phpunit ]; then vendor/bin/phpunit; \
+ elif [ -f phpunit.phar ]; then php phpunit.phar; \
+ else echo "phpunit binary missing despite config" && exit 1; fi
+ else
+ echo "PHPUnit skipped: no tests/ + phpunit.xml yet (activates in P2)"
+ fi
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..211c793
--- /dev/null
+++ b/.gitleaks.toml
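Review bot: The `Install gitleaks` step fetches the release tarball with curl and extracts it straight into `/usr/local/bin` without verifying its hash, so a swapped or tampered release asset would run as the secret scanner on every PR and push; the gitleaks release publishes a `gitleaks_${VER}_checksums.txt`, and pinning the SHA-256 of the `linux_x64` archive next to `VER` and checking it with `sha256sum -c` (coreutils, present on the Debian-style image the `apt-get` calls imply) before `tar` closes that gap — the hash must be copied from that file, not guessed. The same applies to `curl -sS https://getcomposer.org/installer | php` in the PHPStan step, which getcomposer.org documents should be compared against the installer's published SHA-384 before it is executed. `actions/checkout@v4` is a mutable tag; pinning it to a full commit SHA with the version in a trailing comment gives the checkout action the same supply-chain guarantee. All three jobs run as root inside the runner container and `composer install` will execute any scripts declared in `composer.json` of the branch under test, which is acceptable for a solo-dev repo that only merges its own PRs but is worth stating in SECURITY.md if outside contributions are ever accepted.
```yaml
      - name: Install gitleaks
        run: |
          set -eu
          VER=8.21.2
          # SHA-256 of gitleaks_${VER}_linux_x64.tar.gz: copy it from the release's
          # gitleaks_${VER}_checksums.txt and bump it together with VER.
          SHA256='<sha256 from gitleaks_8.21.2_checksums.txt>'
          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${VER}/gitleaks_${VER}_linux_x64.tar.gz" -o /tmp/gl.tgz
          # Fail before anything is extracted if the archive does not match the pinned hash.
          echo "${SHA256}  /tmp/gl.tgz" | sha256sum -c -
          tar -xzf /tmp/gl.tgz -C /usr/local/bin gitleaks
          gitleaks version
```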
@@ -0,0 +1,31 @@
+# Wakdo - configuration gitleaks (secret-scan)
+#
+# Utilise par :
+# - le hook pre-commit local (defense en profondeur)
+# - le job CI Forgejo Actions (.forgejo/workflows/, lot D) sur chaque PR -> dev
+#
+# Principe : etendre le jeu de regles par defaut de gitleaks, puis ne tolerer
+# QUE les faux positifs explicitement justifies ci-dessous (placeholders de doc).
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Faux positifs documentes - placeholders de configuration, jamais des secrets reels"
+
+# Fichiers de template / doc : ne contiennent que des placeholders RFC 2606 / change_me.
+paths = [
+ '''\.env\.example$''',
+ '''\.gitleaks\.toml$''',
+ '''docs/.*\.md$''',
+]
+
+# Valeurs placeholder explicites tolerees ou qu'elles apparaissent.
+regexes = [
+ '''change_me_strong_password''',
+ '''change_me_root_password''',
+ '''example\.com''',
+]
+
+# Note : le vrai .env est gitignore et ne doit jamais etre commite. Ce scan est
+# une defense en profondeur, pas un substitut a l'hygiene .gitignore.
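Review bot: The `paths` allowlist removes `.env.example` and every `docs/*.md` from the scan entirely, so a real credential pasted into either file — the likeliest place for one to slip in — would never be reported, while the placeholders those files contain are already covered by the `regexes` list. I would drop the first and third `paths` entries and keep only `'''\.gitleaks\.toml$'''`, or narrow the docs entry to the specific files that carry placeholders, so the path exclusion is no wider than the false positives the comment documents. The `example\.com` regex is also global: depending on `regexTarget` (gitleaks matches against the captured secret by default, not the whole line) it suppresses any finding whose value contains that string, which is probably intended but deserves a one-line comment such as `# matches the secret value only; a real credential would not contain example.com`. Because CI reads this file from the branch under test (`gitleaks detect --config .gitleaks.toml` in ci.yml) and the project auto-merges on green CI, a PR can widen this allowlist and still pass the scan, so changes to this file should be called out in SECURITY.md as needing a manual look.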