Skip to content

chore: fix CI, harden security, rewrite README; hermetic test fixture#2

Merged
oto-macenauer-absa merged 1 commit into
masterfrom
chore/oss-ci-docs-hardening
Jun 30, 2026
Merged

chore: fix CI, harden security, rewrite README; hermetic test fixture#2
oto-macenauer-absa merged 1 commit into
masterfrom
chore/oss-ci-docs-hardening

Conversation

@oto-macenauer-absa

Copy link
Copy Markdown
Collaborator

Follow-up to the merged web-fragment test suite. The prior feat: add CI commit shipped workflows that never ran (triggered on main; default branch is master) and were internally contradictory. This makes CI functional + hermetic, hardens security, and corrects the docs. All changes verified locally (embedded 21/21, standalone 14/14, build hermetic, audit clean).

🔴 QA / CI — ci.yml

  • Trigger on master (was main → CI never ran, incl. on PR test: self-contained web-fragment E2E suite #1).
  • Hermetic build + tests: vendored tests/fixtures/docs-example.dist.tar.gz; apps.json + setup-test-apps.mjs point at it → no GITHUB_TOKEN, network, or sibling repo. Resolves the apps.json (local prebuilt) vs CI (GitHub fetch) contradiction.
  • Run the real web-fragment harness (npm test) + a fixed standalone layer.
  • playwright.config.ci.jstests/fragment-server.mjs (nginx-mirror) instead of astro preview, whose configurePreviewServer rewrite never runs for static output (the /__wf asset route 404'd → the standalone asset test could never pass).
  • Exclude standalone.spec.js from the embedded config (wrong baseURL otherwise); fix stale example slug → user-guide; url-update test now waits on waitForURL (was a networkidle flake).
  • typecheck (astro check) is non-blocking — it OOMs on standard runners (pre-existing); the build job is the hard compile gate.

🟠 Security

  • permissions: contents: read on both workflows; all actions SHA-pinned; npm audit gate (currently 0 prod vulns).
  • .github/dependabot.yml (npm + github-actions); SECURITY.md; .dockerignore (shrinks build context, avoids leaking source/secrets into the image).
  • LICENSE (Apache-2.0), CONTRIBUTING.md.

🟠 validate-doc-app.yml (was fully broken)

  • Fix the ESM heredocs (node --input-type=module) + install ajv transiently — they ran as CommonJS and threw on import.
  • Schema URL mainmaster; SHA-pin actions; add permissions.
  • De-ABSA the token check (--color-kb-500); fix the /apps//knowledge-base/ mount-path message.

🟡 Docs / app

  • Rewrite README to match reality: Node 24, correct /knowledge-base/{slug}/ mount path, real scripts + project tree, the test harness + both Playwright configs, generalized web-fragment embedding (the included tests/host/server.mjs as a reference host), pinned action SHAs, @master.
  • Base.astro: add data-astro-transition-persist to the font link (mirrors transform.js) to reduce #297 head accumulation on the landing page.

Verify locally

npm run build:headless                                  # hermetic, ~4s
npm test                                                # embedded 21/21
npx playwright test --config=playwright.config.ci.js    # standalone 14/14

🤖 Generated with Claude Code

The prior "feat: add CI" commit shipped workflows that never ran and were
internally contradictory. This makes CI functional and hermetic, hardens the
security posture, and corrects the documentation.

CI / QA (.github/workflows/ci.yml):
- Trigger on master (was `main` → default branch is master → CI never ran).
- Vendor the docs-example dist as tests/fixtures/docs-example.dist.tar.gz and
  point apps.json + setup-test-apps.mjs at it, so build + E2E are fully hermetic
  (no GITHUB_TOKEN, network, or sibling repo). Resolves the apps.json (local
  prebuilt) vs CI (GitHub fetch) contradiction.
- Run the real web-fragment harness (npm test) plus a fixed standalone layer.
- Point playwright.config.ci.js at tests/fragment-server.mjs (nginx-mirror)
  instead of `astro preview`, whose configurePreviewServer rewrite never runs
  for static output (the /__wf asset route would 404).
- Add least-privilege permissions, SHA-pin all actions, add an npm audit gate.
- typecheck (astro check) is non-blocking — it OOMs on standard runners; the
  build job is the hard compile gate.
- exclude standalone.spec.js from the embedded config (wrong baseURL otherwise);
  fix stale `example` slug → user-guide and the false astro-preview claims;
  make the URL-update test wait on waitForURL (was a networkidle flake).

Security:
- .github/dependabot.yml (npm + github-actions, weekly).
- SECURITY.md, .dockerignore (shrinks build context, avoids leaking source).
- LICENSE (Apache-2.0), CONTRIBUTING.md.

validate-doc-app.yml:
- Fix the ESM heredocs (node --input-type=module) and install ajv transiently —
  they previously ran as CommonJS and threw on `import`.
- Schema URL main → master; SHA-pin actions; add permissions.
- De-ABSA the token check (--color-kb-500) and fix the /apps/ → /knowledge-base/
  mount-path message.

Docs / app:
- Rewrite README to match reality: Node 24, correct /knowledge-base/{slug}/ mount
  path, real scripts + project tree, the test harness + both Playwright configs,
  generalized web-fragment embedding (the included host server as reference),
  pinned action SHAs, @master.
- Base.astro: add data-astro-transition-persist to the font link (mirrors
  transform.js) to reduce #297 head accumulation on the landing page.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@oto-macenauer-absa oto-macenauer-absa merged commit ef89972 into master Jun 30, 2026
4 checks passed
@oto-macenauer-absa oto-macenauer-absa deleted the chore/oss-ci-docs-hardening branch June 30, 2026 23:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant