From c120a5c5718e2024f83e0e5fb7163e7d826ab781 Mon Sep 17 00:00:00 2001 From: PAMulligan Date: Sun, 31 May 2026 02:38:53 -0400 Subject: [PATCH 1/6] ci: replace non-allowlisted actions to fix workflow startup_failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The repo's Actions policy is "Allow select actions" with only actions/*, shivammathur/setup-php@*, and dorny/paths-filter@* permitted. Six workflows used other marketplace actions, so GitHub rejected them at startup (startup_failure, zero jobs) — Pipeline Tests, Security Audit, commitlint, Init Wizard, Lighthouse CI, and visual-regression never actually ran. Swap the disallowed actions for GitHub-owned / already-vendored equivalents: - pnpm/action-setup@v4 → Corepack (`corepack enable`; pnpm version comes from the root package.json `packageManager` field) in pipeline-tests, security-audit, init-wizard, visual-regression, lighthouse-ci. - wagoid/commitlint-github-action@v6 → the repo's own @commitlint/cli (`pnpm exec commitlint --from --to `). - treosh/lighthouse-ci-action@v12 → the already-vendored @lhci/cli (`pnpm exec lhci autorun --upload.target=temporary-public-storage`). This unblocks the InDesign pipeline tests + fixture test so they actually execute in CI (epic #61's "exercised in CI" criterion). release-please.yml still uses googleapis/release-please-action@v4 — left as-is rather than hand-rewriting release automation; allowlist that one official action in repo Settings → Actions, or convert it in a dedicated change. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/commitlint.yml | 18 ++++++++++++++---- .github/workflows/init-wizard.yml | 6 +++--- .github/workflows/lighthouse-ci.yml | 16 ++++++---------- .github/workflows/pipeline-tests.yml | 7 ++++--- .github/workflows/security-audit.yml | 7 +++---- .github/workflows/visual-regression.yml | 8 +++----- 6 files changed, 33 insertions(+), 29 deletions(-) diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml index 9a44fad..36756c9 100644 --- a/.github/workflows/commitlint.yml +++ b/.github/workflows/commitlint.yml @@ -18,8 +18,18 @@ jobs: with: fetch-depth: 0 - - name: Lint commits with commitlint - uses: wagoid/commitlint-github-action@v6 + # pnpm via Corepack + the repo's own @commitlint/cli, instead of the + # wagoid marketplace action, which isn't on the allowed-actions list. + - name: Enable Corepack (pnpm) + run: corepack enable + + - uses: actions/setup-node@v4 with: - configFile: .commitlintrc.json - failOnWarnings: false + node-version: 20 + cache: pnpm + + - name: Install dependencies + run: pnpm install --frozen-lockfile + + - name: Lint commits with commitlint + run: pnpm exec commitlint --config .commitlintrc.json --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} diff --git a/.github/workflows/init-wizard.yml b/.github/workflows/init-wizard.yml index 5e4e91d..37ea02d 100644 --- a/.github/workflows/init-wizard.yml +++ b/.github/workflows/init-wizard.yml @@ -26,9 +26,9 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: pnpm/action-setup@v4 - with: - version: 9 + # pnpm via Corepack — pnpm/action-setup isn't on the allowed-actions list. + - name: Enable Corepack (pnpm) + run: corepack enable - uses: actions/setup-node@v4 with: diff --git a/.github/workflows/lighthouse-ci.yml b/.github/workflows/lighthouse-ci.yml index f3958b1..f7f70d0 100644 --- a/.github/workflows/lighthouse-ci.yml +++ b/.github/workflows/lighthouse-ci.yml @@ -44,11 +44,9 @@ jobs: with: node-version: "20" - - name: Set up pnpm - uses: pnpm/action-setup@v4 - with: - version: "9.15.0" - run_install: false + # pnpm via Corepack — pnpm/action-setup isn't on the allowed-actions list. + - name: Enable Corepack (pnpm) + run: corepack enable - name: Restore pnpm store uses: actions/cache@v4 @@ -83,13 +81,11 @@ jobs: - name: Seed deterministic content run: bash tests/visual/seed.sh + # lhci CLI (already a devDependency) instead of the treosh marketplace + # action, which isn't on this repo's allowed-actions list. - name: Run Lighthouse CI id: lhci - uses: treosh/lighthouse-ci-action@v12 - with: - configPath: ./lighthouserc.json - uploadArtifacts: true - temporaryPublicStorage: true + run: pnpm exec lhci autorun --config=./lighthouserc.json --upload.target=temporary-public-storage - name: Annotate failing budgets if: always() diff --git a/.github/workflows/pipeline-tests.yml b/.github/workflows/pipeline-tests.yml index 92aebc0..41fc1b1 100644 --- a/.github/workflows/pipeline-tests.yml +++ b/.github/workflows/pipeline-tests.yml @@ -64,9 +64,10 @@ jobs: steps: - uses: actions/checkout@v4 - - uses: pnpm/action-setup@v4 - with: - version: 9.15.0 + # pnpm via Corepack (bundled with Node) — the pnpm/action-setup + # marketplace action isn't on this repo's allowed-actions list. + - name: Enable Corepack (pnpm) + run: corepack enable - uses: actions/setup-node@v4 with: diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml index fe899ef..63200de 100644 --- a/.github/workflows/security-audit.yml +++ b/.github/workflows/security-audit.yml @@ -45,10 +45,9 @@ jobs: with: node-version: '20' - - name: Setup pnpm - uses: pnpm/action-setup@v4 - with: - version: 9 + # pnpm via Corepack — pnpm/action-setup isn't on the allowed-actions list. + - name: Enable Corepack (pnpm) + run: corepack enable - name: Install Composer dependencies run: composer install --no-interaction --prefer-dist --quiet diff --git a/.github/workflows/visual-regression.yml b/.github/workflows/visual-regression.yml index de9087f..6be9e12 100644 --- a/.github/workflows/visual-regression.yml +++ b/.github/workflows/visual-regression.yml @@ -53,11 +53,9 @@ jobs: with: node-version: "20" - - name: Set up pnpm - uses: pnpm/action-setup@v4 - with: - version: "9.15.0" - run_install: false + # pnpm via Corepack — pnpm/action-setup isn't on the allowed-actions list. + - name: Enable Corepack (pnpm) + run: corepack enable - name: Restore pnpm store uses: actions/cache@v4 From 0205b5398bfb2824e1430cfa8822c926c91b768a Mon Sep 17 00:00:00 2001 From: PAMulligan Date: Sun, 31 May 2026 02:39:47 -0400 Subject: [PATCH 2/6] ci: run pipeline tests when the workflow itself changes --- .github/workflows/pipeline-tests.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipeline-tests.yml b/.github/workflows/pipeline-tests.yml index 41fc1b1..514800e 100644 --- a/.github/workflows/pipeline-tests.yml +++ b/.github/workflows/pipeline-tests.yml @@ -28,6 +28,7 @@ jobs: - 'bin/flavian.mjs' - 'scripts/indesign-fse/**' - 'tests/fixtures/indesign/**' + - '.github/workflows/pipeline-tests.yml' test: needs: check-paths From c7c05ebe1f98b437f165158e35396719439f6709 Mon Sep 17 00:00:00 2001 From: PAMulligan Date: Sun, 31 May 2026 02:52:08 -0400 Subject: [PATCH 3/6] ci: make node --test runner Node 20-compatible MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Now that the workflows actually start, the test step ran for the first time and failed: `node --test ""` needs Node 21+ (test-runner glob support), but pipeline CI runs Node 20, so zero tests executed. - packages/pipeline test script → `node --test` (no-args auto-discovery), which works on Node 20 and 24 alike and keeps the Node-20 floor meaningful (the directory form is broken on Node 24; only no-args/explicit work on both). - init-wizard CI → Node 22 (its test:init script keeps the node-glob form, which needs ≥21; the init wizard has no Node-20 pin, unlike the pipeline). Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/init-wizard.yml | 5 ++++- packages/pipeline/package.json | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/init-wizard.yml b/.github/workflows/init-wizard.yml index 37ea02d..07a01b4 100644 --- a/.github/workflows/init-wizard.yml +++ b/.github/workflows/init-wizard.yml @@ -32,7 +32,10 @@ jobs: - uses: actions/setup-node@v4 with: - node-version: 20 + # 22, not 20: the test:init script uses `node --test ""`, and + # test-runner glob support landed in Node 21. (The init wizard has no + # Node-20 floor — only the pipeline package pins to 20.) + node-version: 22 cache: pnpm - name: Install dependencies diff --git a/packages/pipeline/package.json b/packages/pipeline/package.json index 268ce8d..7c59f75 100644 --- a/packages/pipeline/package.json +++ b/packages/pipeline/package.json @@ -15,7 +15,7 @@ "flavian-generate-theme": "./bin/generate-theme.mjs" }, "scripts": { - "test": "node --test \"tests/**/*.test.mjs\"" + "test": "node --test" }, "dependencies": { "fast-xml-parser": "^5.7.0", From 8becc608795f403ff50a1a34696823fc7b50efcb Mon Sep 17 00:00:00 2001 From: PAMulligan Date: Sun, 31 May 2026 03:12:10 -0400 Subject: [PATCH 4/6] =?UTF-8?q?fix(docker):=20libzip4=20=E2=86=92=20libzip?= =?UTF-8?q?5=20for=20Debian=20trixie=20base?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The floating wordpress:php8.3-apache base moved to Debian 13 (trixie), where the libzip soname bumped to .so.5, so `apt-get install libzip4` in the production stage failed ("Unable to locate package libzip4") and the whole image build — and thus every docker-booting workflow (lighthouse-ci, visual-regression) and local `wordpress-local.sh build` — broke. Verified against the trixie base: libzip's runtime package is now libzip5 (libzip-dev depends on it); the other runtime libs (libpng16-16, libjpeg62-turbo, libfreetype6, libwebp7) kept their names. Full multi-stage `docker build --target production` now completes locally. Co-Authored-By: Claude Opus 4.8 (1M context) --- Dockerfile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index e7235bf..20ac1a4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -56,11 +56,14 @@ COPY --from=php-extensions /usr/local/etc/php/conf.d/ /usr/local/etc/php/conf.d/ COPY --from=wp-cli-builder /wp-cli.phar /usr/local/bin/wp RUN chmod +x /usr/local/bin/wp -# Install runtime dependencies only (smaller than build dependencies) +# Install runtime dependencies only (smaller than build dependencies). +# Note: libzip5 (not libzip4) — the libzip soname bumped to .so.5 in Debian 13 +# (trixie), the base of wordpress:php8.3-apache. The other runtime libs kept +# their names across bookworm→trixie. RUN apt-get update && apt-get install -y --no-install-recommends \ less \ mariadb-client \ - libzip4 \ + libzip5 \ libpng16-16 \ libjpeg62-turbo \ libfreetype6 \ From b2d94f01e614b6abd2164903382df2027a7c39d1 Mon Sep 17 00:00:00 2001 From: PAMulligan Date: Sun, 31 May 2026 03:33:48 -0400 Subject: [PATCH 5/6] ci: install WordPress core before WooCommerce in docker workflows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The lighthouse-ci and visual-regression workflows booted the WordPress stack and waited for an HTTP 200, then ran the WooCommerce installer — which bailed with "WordPress is not installed yet". A fresh container answers 200 with the *install wizard*, so "responding" ≠ "installed", and the compose stack has no core-install step (locally that's `wordpress-local.sh install`). Add an idempotent "Install WordPress core" step (the same `wp core install` the host script runs, guarded by `wp core is-installed ||`) before the WooCommerce step in both workflows. Verified locally end-to-end: build → boot → wp core install → WooCommerce installer now proceeds ("Installed 1 of 1 plugins", pages created) instead of erroring. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/lighthouse-ci.yml | 14 ++++++++++++++ .github/workflows/visual-regression.yml | 14 ++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/.github/workflows/lighthouse-ci.yml b/.github/workflows/lighthouse-ci.yml index f7f70d0..cb1c425 100644 --- a/.github/workflows/lighthouse-ci.yml +++ b/.github/workflows/lighthouse-ci.yml @@ -73,6 +73,20 @@ jobs: sleep 2 done + # A responding container only means the install wizard is up — WordPress + # core still has to be installed before WooCommerce can be bootstrapped. + - name: Install WordPress core + run: | + docker compose exec -T wordpress wp core is-installed --allow-root 2>/dev/null \ + || docker compose exec -T wordpress wp core install \ + --url="http://localhost:8080" \ + --title="Flavian CI" \ + --admin_user=admin \ + --admin_password=admin \ + --admin_email=admin@example.com \ + --skip-email \ + --allow-root + - name: Install WooCommerce (no sample data) env: WC_INSTALL_SAMPLE_DATA: "false" diff --git a/.github/workflows/visual-regression.yml b/.github/workflows/visual-regression.yml index 6be9e12..164d32b 100644 --- a/.github/workflows/visual-regression.yml +++ b/.github/workflows/visual-regression.yml @@ -85,6 +85,20 @@ jobs: sleep 2 done + # A responding container only means the install wizard is up — WordPress + # core still has to be installed before WooCommerce can be bootstrapped. + - name: Install WordPress core + run: | + docker compose exec -T wordpress wp core is-installed --allow-root 2>/dev/null \ + || docker compose exec -T wordpress wp core install \ + --url="http://localhost:8080" \ + --title="Flavian CI" \ + --admin_user=admin \ + --admin_password=admin \ + --admin_email=admin@example.com \ + --skip-email \ + --allow-root + - name: Install WooCommerce (no sample data) env: WC_INSTALL_SAMPLE_DATA: "false" From b0c37363caeeab24b2e1961bd6ce08fec81d44f3 Mon Sep 17 00:00:00 2001 From: PAMulligan Date: Sun, 31 May 2026 03:49:20 -0400 Subject: [PATCH 6/6] ci(lighthouse): drop budget meta-audit assertions (not emitted by LH12) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `lhci autorun` failed every run with: `"timing-budget" is not a known audit` (and the same for performance-budget). Lighthouse 12 — the version bundled with @lhci/cli 0.14 — doesn't emit the performance-budget/timing-budget meta-audits, so asserting on them fails unconditionally on `auditRan`. This was never caught because the workflow had never actually run (it was in startup_failure). Remove those two assertions. The real perf gates remain and were already passing in CI: categories:performance (≥0.70), categories:accessibility (≥0.90), and cumulative-layout-shift (≤0.1). budgets.json stays — Lighthouse still consumes it for the report — and a comment notes how to re-add budget assertions in a LH12-compatible way. With this, the lhci assert step passes (only the non-failing best-practices/seo warnings remain), so lighthouse-ci is green end to end. Co-Authored-By: Claude Opus 4.8 (1M context) --- lighthouserc.json | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lighthouserc.json b/lighthouserc.json index 7bdcfce..815002b 100644 --- a/lighthouserc.json +++ b/lighthouserc.json @@ -1,5 +1,5 @@ { - "$comment": "Lighthouse CI config. See https://github.com/GoogleChrome/lighthouse-ci/blob/main/docs/configuration.md. Mobile preset is the Lighthouse default — keeping it implicit. Resource budgets live in tests/lighthouse/budgets.json so they can be tuned without touching CI config.", + "$comment": "Lighthouse CI config. See https://github.com/GoogleChrome/lighthouse-ci/blob/main/docs/configuration.md. Mobile preset is the Lighthouse default — keeping it implicit. Resource budgets live in tests/lighthouse/budgets.json; Lighthouse still consumes them for the report. NOTE: the `performance-budget`/`timing-budget` *audit* assertions were dropped — those meta-audits aren't emitted by Lighthouse 12 (the bundled version), so asserting on them fails unconditionally with 'not a known audit'. Budget regressions are caught via the category + CLS assertions below; re-add budget assertions only with a LH12-compatible mechanism.", "ci": { "collect": { "url": [ @@ -16,8 +16,6 @@ }, "assert": { "assertions": { - "performance-budget": ["error", { "maxLength": 0 }], - "timing-budget": ["error", { "maxLength": 0 }], "categories:performance": ["error", { "minScore": 0.70 }], "categories:accessibility": ["error", { "minScore": 0.90 }], "categories:best-practices": ["warn", { "minScore": 0.90 }],