name: CI # CI Wakdo - Forgejo Actions (runner stark-wakdo, label `docker`). # Strategie solo dev : PR obligatoire + auto-merge sur CI verte (voir SECURITY.md). # # Etat des jobs selon la phase projet : # - secret-scan : fonctionnel des maintenant (gitleaks scanne tout le depot) # - php-lint : fonctionnel sur les fichiers PHP presents (stubs P1, code P2+) # - static-tests: PHPStan + PHPUnit GARDES - s'activent quand P2 ajoute # composer.json / phpstan.neon / tests + phpunit.xml on: pull_request: branches: [dev, main] # `labeled` : permet au job auto-merge de s'evaluer quand on pose le label. types: [opened, synchronize, reopened, labeled] push: # dev/main : porte de merge. feat|fix|ci|refactor : feedback avant la PR. branches: [dev, main, 'feat/**', 'fix/**', 'ci/**', 'refactor/**'] jobs: secret-scan: runs-on: docker steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Install tools run: | apt-get update -qq apt-get install -y -qq curl ca-certificates tar >/dev/null - name: Install gitleaks run: | VER=8.21.2 curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${VER}/gitleaks_${VER}_linux_x64.tar.gz" -o /tmp/gl.tgz tar -xzf /tmp/gl.tgz -C /usr/local/bin gitleaks gitleaks version - name: Scan for secrets run: gitleaks detect --config .gitleaks.toml --redact --no-banner --verbose php-lint: runs-on: docker steps: - uses: actions/checkout@v4 - name: Install PHP CLI run: | apt-get update -qq apt-get install -y -qq php-cli >/dev/null php --version - name: Lint all PHP files run: | set -eu files=$(find . -path ./node_modules -prune -o -name '*.php' -print) if [ -z "$files" ]; then echo "No PHP files yet - skip"; exit 0; fi echo "$files" | while IFS= read -r f; do [ -z "$f" ] && continue php -l "$f" done static-tests: runs-on: docker steps: - uses: actions/checkout@v4 - name: PHPStan (guarded) run: | if [ -f composer.json ] && [ -f phpstan.neon ]; then echo "phpstan config detected - running" apt-get update -qq && apt-get install -y -qq php-cli unzip git >/dev/null curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer composer install --no-interaction --no-progress vendor/bin/phpstan analyse --no-progress else echo "PHPStan skipped: no composer.json/phpstan.neon yet (activates in P2)" fi - name: PHPUnit (guarded) run: | if [ -d tests ] && [ -f phpunit.xml ]; then echo "phpunit config detected - running" apt-get update -qq && apt-get install -y -qq php-cli >/dev/null if [ -f vendor/bin/phpunit ]; then vendor/bin/phpunit; \ elif [ -f phpunit.phar ]; then php phpunit.phar; \ else echo "phpunit binary missing despite config" && exit 1; fi else echo "PHPUnit skipped: no tests/ + phpunit.xml yet (activates in P2)" fi auto-merge: # Fusion automatique OPT-IN : poser le label `auto-merge` sur la PR. # Ne s'execute que si les 3 checks passent (needs) ET si le label est present. # Plus fiable que le merge_when_checks_succeed natif de Forgejo (qui ne se # declenche pas toujours au passage au vert). Fusionne via l'API REST. needs: [secret-scan, php-lint, static-tests] if: github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'auto-merge') runs-on: docker steps: - name: Install curl run: apt-get update -qq && apt-get install -y -qq curl ca-certificates >/dev/null - name: Merge PR (squash) once CI is green run: | API="${{ github.server_url }}/api/v1/repos/${{ github.repository }}" PR="${{ github.event.pull_request.number }}" code=$(curl -s -o /tmp/resp -w "%{http_code}" -X POST \ -H "Authorization: token ${{ secrets.FORGEJO_TOKEN }}" \ -H "Content-Type: application/json" \ -d '{"Do":"squash","delete_branch_after_merge":true}' \ "$API/pulls/$PR/merge") echo "merge HTTP $code"; cat /tmp/resp || true; echo [ "$code" = "200" ] || { echo "auto-merge failed (HTTP $code)"; exit 1; } echo "PR #$PR merged."