blocked 4

.gitea/workflows/console-ci.yml

@@ -0,0 +1,83 @@
+name: Console CI
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - 'src/UI/**'
+      - '.gitea/workflows/console-ci.yml'
+      - 'docs/modules/devops/console-ci-contract.md'
+  pull_request:
+    branches: [ main, develop ]
+    paths:
+      - 'src/UI/**'
+      - '.gitea/workflows/console-ci.yml'
+      - 'docs/modules/devops/console-ci-contract.md'
+
+jobs:
+  console-ci:
+    runs-on: ubuntu-22.04
+    env:
+      PNPM_HOME: ~/.pnpm
+      PLAYWRIGHT_BROWSERS_PATH: ./.playwright
+      SOURCE_DATE_EPOCH: ${{ github.run_id }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Node.js 20
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Enable pnpm
+        run: |
+          corepack enable
+          corepack prepare pnpm@9 --activate
+
+      - name: Cache pnpm store & node_modules
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.pnpm-store
+            node_modules
+            ./.pnpm-store
+            ./.playwright
+          key: console-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}
+
+      - name: Install dependencies (offline-first)
+        env:
+          PNPM_FETCH_RETRIES: 0
+          PNPM_OFFLINE: 1
+        run: |
+          pnpm install --frozen-lockfile || PNPM_OFFLINE=0 pnpm install --frozen-lockfile --prefer-offline
+
+      - name: Lint / Types
+        run: pnpm lint && pnpm format:check && pnpm typecheck
+
+      - name: Unit tests
+        run: pnpm test -- --runInBand --reporter=junit --outputFile=.artifacts/junit.xml
+
+      - name: Storybook a11y
+        run: |
+          pnpm storybook:build
+          pnpm storybook:a11y --ci --output .artifacts/storybook-a11y.json
+
+      - name: Playwright smoke
+        run: pnpm playwright test --config=playwright.config.ci.ts --reporter=list,junit=.artifacts/playwright.xml
+
+      - name: Lighthouse (CI budgets)
+        run: |
+          pnpm serve --port 4173 &
+          pnpm lhci autorun --config=lighthouserc.ci.js --upload.target=filesystem --upload.outputDir=.artifacts/lhci
+
+      - name: SBOM
+        run: pnpm exec syft packages dir:dist --output=spdx-json=.artifacts/console.spdx.json
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: console-ci-artifacts
+          path: .artifacts

.gitea/workflows/mirror-sign.yml

@@ -0,0 +1,44 @@
+name: Mirror Thin Bundle Sign & Verify
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 6 * * *'
+
+jobs:
+  mirror-sign:
+    runs-on: ubuntu-22.04
+    env:
+      MIRROR_SIGN_KEY_B64: ${{ secrets.MIRROR_SIGN_KEY_B64 }}
+      REQUIRE_PROD_SIGNING: 1
+      OCI: 1
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.100-rc.1.25451.107
+          include-prerelease: true
+
+      - name: Run mirror signing
+        run: |
+          set -euo pipefail
+          scripts/mirror/check_signing_prereqs.sh
+          scripts/mirror/ci-sign.sh
+
+      - name: Upload signed artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: mirror-thin-v1-signed
+          path: |
+            out/mirror/thin/mirror-thin-v1.tar.gz
+            out/mirror/thin/mirror-thin-v1.manifest.json
+            out/mirror/thin/mirror-thin-v1.manifest.dsse.json
+            out/mirror/thin/tuf/
+            out/mirror/thin/oci/
+          if-no-files-found: error
+          retention-days: 14