diff --git a/.gitea/workflows/LOCAL_OVERRIDES.yml b/.gitea/workflows/LOCAL_OVERRIDES.yml
deleted file mode 100644
index 235d535b..00000000
--- a/.gitea/workflows/LOCAL_OVERRIDES.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# LOCAL_OVERRIDES.yml — dérogations locales contrôlées
-overrides:
- - path: ".gitea/workflows/ci.yml"
- reason: "spécificité d’environnement"
- owner: "@maintainer_handle"
- expires: "2025-12-31"
- - path: "scripts/auto-ssh-push.sh"
- reason: "flux particulier temporaire"
- owner: "@maintainer_handle"
- expires: "2025-10-01"
-policy:
- allow_only_listed_paths: true
- require_expiry: true
- audit_in_ci: true
-
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
deleted file mode 100644
index b26ac2dc..00000000
--- a/.gitea/workflows/ci.yml
+++ /dev/null
@@ -1,394 +0,0 @@ -name: CI - 4NK_node - -on: - push: - branches: [ main, develop, docker-support-v2 ] - tags: - - v* - pull_request: - branches: [ main, develop, docker-support-v2 ] - -env: - RUST_VERSION: '1.70' - DOCKER_COMPOSE_VERSION: '2.20.0' - -jobs: - # Job de vérification du code - code-quality: - name: Code Quality - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Setup Rust - uses: actions-rs/toolchain@v1 - with: - toolchain: ${{ env.RUST_VERSION }} - override: true - - - name: Cache Rust dependencies - uses: actions/cache@v3 - with: - path: | - ~/.cargo/registry - ~/.cargo/git - target - key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} - restore-keys: | - ${{ runner.os }}-cargo- - - - name: Run clippy - run: | - cd modules/sdk_relay1 - cargo clippy --all-targets --all-features -- -D warnings - - - name: Run rustfmt - run: | - cd modules/sdk_relay1 - cargo fmt --all -- --check - - - name: Check documentation - run: | - cd modules/sdk_relay1 - cargo doc --no-deps - - - name: Check for TODO/FIXME - run: | - if grep -r "TODO\|FIXME" . --exclude-dir=.git --exclude-dir=target; then - echo "Found TODO/FIXME comments. Please address them." 
- exit 1 - fi - - # Job de tests unitaires - unit-tests: - name: Unit Tests - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Setup Rust - uses: actions-rs/toolchain@v1 - with: - toolchain: ${{ env.RUST_VERSION }} - override: true - - - name: Cache Rust dependencies - uses: actions/cache@v3 - with: - path: | - ~/.cargo/registry - ~/.cargo/git - target - key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} - restore-keys: | - ${{ runner.os }}-cargo- - - - name: Run unit tests - run: | - cd modules/sdk_relay1 - cargo test --lib --bins - - - name: Run integration tests - run: | - cd modules/sdk_relay1 - cargo test --tests - - # Job de tests d'intégration - integration-tests: - name: Integration Tests - runs-on: ubuntu-latest - - services: - docker: - image: docker:24.0.5 - options: >- - --health-cmd "docker info" - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 2375:2375 - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build Docker images - run: | - docker build -t 4nk-node-bitcoin ./modules/bitcoin - docker build -t 4nk-node-blindbit ./modules/blindbit - docker build -t 4nk-node-sdk-relay ./modules/sdk_relay1 .. 
- - - name: Run integration tests - run: | - # Tests de connectivité de base - ./tests/run_connectivity_tests.sh || true - - # Tests d'intégration - ./tests/run_integration_tests.sh || true - - - name: Upload test results - uses: actions/upload-artifact@v3 - if: always() - with: - name: test-results - path: | - tests/logs/ - tests/reports/ - retention-days: 7 - - # Job de tests de sécurité - security-tests: - name: Security Tests - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Setup Rust - uses: actions-rs/toolchain@v1 - with: - toolchain: ${{ env.RUST_VERSION }} - override: true - - - name: Run cargo audit - run: | - cd modules/sdk_relay1 - cargo audit --deny warnings - - - name: Check for secrets - run: | - # Vérifier les secrets potentiels - if grep -r "password\|secret\|key\|token" . --exclude-dir=.git --exclude-dir=target --exclude=*.md; then - echo "Potential secrets found. Please review." - exit 1 - fi - - - name: Check file permissions - run: | - # Vérifier les permissions sensibles - find . 
-type f -perm /0111 -name "*.conf" -o -name "*.key" -o -name "*.pem" | while read file; do - if [[ $(stat -c %a "$file") != "600" ]]; then - echo "Warning: $file has insecure permissions" - fi - done - - # Job de build et test Docker - docker-build: - name: Docker Build & Test - runs-on: ubuntu-latest - - services: - docker: - image: docker:24.0.5 - options: >- - --health-cmd "docker info" - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 2375:2375 - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build and test Bitcoin Core - run: | - docker build -t 4nk-node-bitcoin:test ./modules/bitcoin - docker run --rm 4nk-node-bitcoin:test bitcoin-cli --version - - - name: Build and test Blindbit - run: | - docker build -t 4nk-node-blindbit:test ./modules/blindbit - docker run --rm 4nk-node-blindbit:test --version || true - - - name: Build and test SDK Relay - run: | - docker build -t 4nk-node-sdk-relay:test ./modules/sdk_relay1 .. - docker run --rm 4nk-node-sdk-relay:test --version || true - - - name: Test Docker Compose - run: | - docker-compose config - docker-compose build --no-cache - - # Job de tests de documentation - documentation-tests: - name: Documentation Tests - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Check markdown links - run: | - # Vérification basique des liens markdown - find . -name "*.md" -exec grep -l "\[.*\](" {} \; | while read file; do - echo "Checking links in $file" - done - - - name: Check documentation structure - run: | - # Vérifier la présence des fichiers de documentation essentiels - required_files=( - "README.md" - "LICENSE" - "CONTRIBUTING.md" - "CHANGELOG.md" - "CODE_OF_CONDUCT.md" - "SECURITY.md" - "README_4NK_NODE.md" - "ARCHITECTURE_CORRECTION.md" - "BRANCHES_DOCKER_SUPPORT_V2.md" - ) - - for file in "${required_files[@]}"; do - if [[ ! 
-f "$file" ]]; then - echo "Missing required documentation file: $file" - exit 1 - fi - done - - - name: Validate documentation - run: | - # Vérifier la cohérence de la documentation - if ! grep -q "4NK_node" README.md; then - echo "README.md should mention '4NK_node'" - exit 1 - fi - - security-audit: - name: Security Audit - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v3 - - name: Ensure scripts executable - run: | - chmod +x scripts/security/audit.sh || true - - name: Run template security audit - run: | - if [ -f scripts/security/audit.sh ]; then - ./scripts/security/audit.sh - else - echo "No security audit script (ok)" - fi - - # Job de release guard (cohérence release) - release-guard: - name: Release Guard - runs-on: ubuntu-latest - needs: [code-quality, unit-tests, documentation-tests, security-audit] - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Ensure guard scripts are executable - run: | - chmod +x scripts/release/guard.sh || true - chmod +x scripts/checks/version_alignment.sh || true - - - name: Version alignment check - run: | - if [ -f scripts/checks/version_alignment.sh ]; then - ./scripts/checks/version_alignment.sh - else - echo "No version alignment script (ok)" - fi - - - name: Release guard (CI verify) - env: - RELEASE_TYPE: ci-verify - run: | - if [ -f scripts/release/guard.sh ]; then - ./scripts/release/guard.sh - else - echo "No guard script (ok)" - fi - - # Job de tests de performance - performance-tests: - name: Performance Tests - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Setup Rust - uses: actions-rs/toolchain@v1 - with: - toolchain: ${{ env.RUST_VERSION }} - override: true - - - name: Run performance tests - run: | - cd modules/sdk_relay1 - cargo test --release --test performance_tests || true - - - name: Check memory usage - run: | - # Tests de base de consommation mémoire - echo "Performance tests completed" - - # 
Job de notification - notify: - name: Notify - runs-on: ubuntu-latest - needs: [code-quality, unit-tests, integration-tests, security-tests, docker-build, documentation-tests] - if: always() - - steps: - - name: Notify success - if: needs.code-quality.result == 'success' && needs.unit-tests.result == 'success' && needs.integration-tests.result == 'success' && needs.security-tests.result == 'success' && needs.docker-build.result == 'success' && needs.documentation-tests.result == 'success' - run: | - echo "✅ All tests passed successfully!" - - - name: Notify failure - if: needs.code-quality.result == 'failure' || needs.unit-tests.result == 'failure' || needs.integration-tests.result == 'failure' || needs.security-tests.result == 'failure' || needs.docker-build.result == 'failure' || needs.documentation-tests.result == 'failure' - run: | - echo "❌ Some tests failed!" - exit 1 - - publish-release: - name: Publish Release - runs-on: ubuntu-latest - needs: [release-guard] - if: startsWith(github.ref, 'refs/tags/') - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Create Gitea release - env: - TOKEN: ${{ secrets.RELEASE_TOKEN }} - TAG_REF: ${{ github.ref }} - API: https://git.4nkweb.com/api/v1/repos/4nk/4NK_node - run: | - set -e - if [ -z "$TOKEN" ]; then - echo "Missing RELEASE_TOKEN secret" >&2 - exit 1 - fi - TAG="${TAG_REF##*/}" - STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token $TOKEN" "$API/releases/tags/$TAG") - if [ "$STATUS" != "200" ]; then - BODY="Release ${TAG} - voir CHANGELOG.md" - curl -s -H "Authorization: token $TOKEN" -H "Content-Type: application/json" \ - -X POST "$API/releases" \ - -d "{\"tag_name\":\"$TAG\",\"target_commitish\":\"main\",\"name\":\"$TAG\",\"body\":\"$BODY\",\"draft\":false,\"prerelease\":false}" - fi - curl -s -H "Authorization: token $TOKEN" "$API/releases/tags/$TAG" >/dev/null 
diff --git a/.gitea/workflows/template-sync.yml b/.gitea/workflows/template-sync.yml
deleted file mode 100644
index ff0e61e0..00000000
--- a/.gitea/workflows/template-sync.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-# .gitea/workflows/template-sync.yml — synchronisation et contrôles d’intégrité
-name: 4NK Template Sync
-on:
- schedule: # planification régulière
- - cron: "0 4 * * 1" # exécution hebdomadaire (UTC)
- workflow_dispatch: {} # déclenchement manuel
-
-jobs:
- check-and-sync:
- runs-on: self-hosted
- steps:
- - name: Lire TEMPLATE_VERSION et .4nk-sync.yml
- # Doit charger ref courant, source_repo et périmètre paths
-
- - name: Récupérer la version publiée du template/4NK_rules
- # Doit comparer TEMPLATE_VERSION avec ref amont
-
- - name: Créer branche de synchronisation si divergence
- # Doit créer chore/template-sync- et préparer un commit
-
- - name: Synchroniser les chemins autoritatifs
- # Doit mettre à jour .cursor/**, .gitea/**, AGENTS.md, scripts/**, docs/SSH_UPDATE.md
-
- - name: Contrôles post-sync (bloquants)
- # 1) Vérifier présence et exécutable des scripts/*.sh
- # 2) Vérifier mise à jour CHANGELOG.md et docs/INDEX.md
- # 3) Vérifier docs/SSH_UPDATE.md si scripts/** a changé
- # 4) Vérifier absence de secrets en clair dans scripts/**
- # 5) Vérifier manifest_checksum si publié
-
- - name: Tests, lint, sécurité statique
- # Doit exiger un état vert
-
- - name: Ouvrir PR de synchronisation
- # Titre: "[template-sync] chore: aligner .cursor/.gitea/AGENTS.md/scripts"
- # Doit inclure résumé des fichiers modifiés et la version appliquée
-
- - name: Mettre à jour TEMPLATE_VERSION (dans PR)
- # Doit remplacer la valeur par la ref appliquée
-