0c982de7e6
UI8 closes the migration cycle started by UI0. The four legacy global
classes (.surface-card, .surface-muted, .badge, .input-shell) are
removed from web/src/app/globals.css and the CI ratchet now enforces
zero new occurrences across three of the four drift categories.
Changes:
1. Audit regex precision (scripts/ui-drift-audit.sh, scripts/ui-drift-ratchet.sh)
The previous pattern 'className="[^"]*(badge|surface-card|surface-muted|input-shell)'
matched the literal token anywhere inside className, which caused 21
false positives against Tailwind arbitrary values like
'bg-[color:var(--nl-surface-muted)]' where the legacy name appears
inside a 'var(--nl-...)' reference.
New pattern requires the legacy class to be a whole class token —
either at the start of className, or preceded by a space, and
followed by a space or closing quote. Result: 21 false positives
eliminated; the ratchet now reports an honest 0 for the legacy
category.
2. globals.css cleanup (web/src/app/globals.css)
Removed .surface-card, .surface-muted, .badge, .input-shell rules.
Only truly global utilities remain (typography, focus-visible,
sr-only, skip-link, motion preferences, layout grids). A header
comment documents that re-introductions should be solved at the
call-site with a primitive, not by restoring the global rule.
3. Ratchet baseline (scripts/ui-drift-baseline.json)
Final counts after UI5–UI8 across the session:
raw interactive controls 14 (was 38 at start)
legacy global surface classes 0 (was 92 at start)
hardcoded color literals 0 (no change, was already 0)
direct @bytelyst/ui imports 0 (no change, was already 0)
The 14 remaining raw controls are intentional and tracked:
NoteEditor toolbar buttons (10)
ArtifactPanel hidden file input (1)
search/page radio inputs (2)
NoteVersionsPanel disclosure button (1)
4. CI gate (.github/workflows/ci.yml release-guards job)
Documented that the ratchet is the canonical gate post-UI8: because
legacy/colors/imports baselines are 0, any new occurrence in those
three categories now fails CI. The strict-audit script is kept as
a local diagnostic tool but not wired as a gate (would fail on the
14 intentional raw controls).
5. Roadmap (docs/UI_UX_PLATFORM_CORE_ROADMAP.md)
Marked UI5, UI6, UI7, UI8 all complete with per-phase commit hashes
and explicit deliverables.
Cumulative migration impact (from initial baseline):
raw interactive controls 38 → 14 (-24, -63%)
legacy global surface classes 92 → 0 (-92, -100%)
Verified:
- pnpm run verify: backend 380/380, web 96/96, mobile 97/97
- bash scripts/ui-drift-ratchet.sh: all four categories at baseline
- bash scripts/ui-drift-audit.sh: only "Raw interactive controls"
category has matches (intentional, tracked above)
- Live Docker stack at http://localhost:3050 still serves 200,
backend health 200
392 lines
12 KiB
YAML
392 lines
12 KiB
YAML
name: CI — NoteLett
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
release-guards:
|
|
name: Release guards — secrets + token/color drift
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Checkout common-plat guard scripts
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: saravanakumardb1/learning_ai_common_plat
|
|
path: learning_ai_common_plat
|
|
token: ${{ secrets.GH_PAT }}
|
|
|
|
- name: Link common-platform workspace path
|
|
run: |
|
|
ln -sfn "$GITHUB_WORKSPACE/learning_ai_common_plat" ../learning_ai_common_plat
|
|
|
|
- name: Install audit tools
|
|
run: sudo apt-get update && sudo apt-get install -y ripgrep
|
|
|
|
- name: Run release guard audit
|
|
run: COMMON_PLAT="$GITHUB_WORKSPACE/learning_ai_common_plat" bash scripts/release-guard-audit.sh
|
|
|
|
- name: Run UI drift ratchet (one-way gate vs scripts/ui-drift-baseline.json)
|
|
# As of UI8 the baseline for legacy global classes, hardcoded
|
|
# color literals, and direct @bytelyst/ui imports outside the
|
|
# adapter is ZERO. Any new occurrence in any of those three
|
|
# categories fails the ratchet. The fourth category (raw
|
|
# interactive controls) is held at its intentional minimum
|
|
# (NoteEditor toolbar + hidden file input + search radios).
|
|
run: bash scripts/ui-drift-ratchet.sh
|
|
|
|
- name: Run UI drift audit (report mode, prints current matches)
|
|
# Informational only — does not gate. The ratchet step above
|
|
# is the actual gate.
|
|
run: bash scripts/ui-drift-audit.sh || true
|
|
|
|
backend:
|
|
name: Backend — typecheck + test + build
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Checkout common-plat (for @bytelyst/* packages)
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: saravanakumardb1/learning_ai_common_plat
|
|
path: learning_ai_common_plat
|
|
token: ${{ secrets.GH_PAT }}
|
|
|
|
- name: Link common-platform workspace path
|
|
run: |
|
|
ln -sfn "$GITHUB_WORKSPACE/learning_ai_common_plat" ../learning_ai_common_plat
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: pnpm
|
|
cache-dependency-path: pnpm-lock.yaml
|
|
|
|
- name: Enable pnpm
|
|
run: corepack enable
|
|
|
|
- name: Build @bytelyst/* packages
|
|
working-directory: learning_ai_common_plat
|
|
run: |
|
|
pnpm install --frozen-lockfile
|
|
pnpm build
|
|
|
|
- name: Install workspace dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Backend lint
|
|
run: pnpm --filter @notelett/backend run lint
|
|
|
|
- name: Backend typecheck
|
|
run: pnpm --filter @notelett/backend run typecheck
|
|
|
|
- name: Backend tests
|
|
run: pnpm --filter @notelett/backend run test
|
|
env:
|
|
DB_PROVIDER: memory
|
|
JWT_SECRET: ci-test-secret-at-least-32-characters-long
|
|
|
|
- name: Backend build
|
|
run: pnpm --filter @notelett/backend run build
|
|
|
|
backend-cosmos:
|
|
# Cosmos-emulator smoke — exercises partition-key paths that the
|
|
# in-memory provider cannot detect. Runs only the *.cosmos.test.ts
|
|
# suite via vitest.cosmos.config.ts. See backend/src/cosmos.smoke.cosmos.test.ts
|
|
# for the contract.
|
|
name: Backend — Cosmos emulator smoke (partition keys)
|
|
runs-on: ubuntu-latest
|
|
needs: backend
|
|
services:
|
|
cosmos:
|
|
image: mcr.microsoft.com/cosmosdb/linux/azure-cosmos-emulator:latest
|
|
ports:
|
|
- 8081:8081
|
|
- 10251:10251
|
|
- 10252:10252
|
|
- 10253:10253
|
|
- 10254:10254
|
|
env:
|
|
AZURE_COSMOS_EMULATOR_PARTITION_COUNT: 4
|
|
AZURE_COSMOS_EMULATOR_ENABLE_DATA_PERSISTENCE: false
|
|
options: >-
|
|
--memory 3g
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Checkout common-plat (for @bytelyst/* packages)
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: saravanakumardb1/learning_ai_common_plat
|
|
path: learning_ai_common_plat
|
|
token: ${{ secrets.GH_PAT }}
|
|
|
|
- name: Link common-platform workspace path
|
|
run: |
|
|
ln -sfn "$GITHUB_WORKSPACE/learning_ai_common_plat" ../learning_ai_common_plat
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: pnpm
|
|
cache-dependency-path: pnpm-lock.yaml
|
|
|
|
- name: Enable pnpm
|
|
run: corepack enable
|
|
|
|
- name: Build @bytelyst/* packages
|
|
working-directory: learning_ai_common_plat
|
|
run: |
|
|
pnpm install --frozen-lockfile
|
|
pnpm build
|
|
|
|
- name: Install workspace dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Wait for Cosmos emulator to be ready
|
|
run: |
|
|
for i in {1..60}; do
|
|
if curl -ks --max-time 5 https://localhost:8081/_explorer/emulator.pem >/dev/null 2>&1; then
|
|
echo "Cosmos emulator is ready (after ${i}s)"
|
|
exit 0
|
|
fi
|
|
echo "Waiting for Cosmos emulator... ($i/60)"
|
|
sleep 5
|
|
done
|
|
echo "Cosmos emulator failed to become ready in 5 minutes" >&2
|
|
exit 1
|
|
|
|
- name: Run Cosmos smoke suite
|
|
run: pnpm --filter @notelett/backend run test:cosmos
|
|
env:
|
|
DB_PROVIDER: cosmos
|
|
COSMOS_ENDPOINT: https://localhost:8081
|
|
# Well-known emulator dev key. NOT a secret.
|
|
# https://learn.microsoft.com/en-us/azure/cosmos-db/local-emulator
|
|
COSMOS_KEY: C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==
|
|
COSMOS_DATABASE: notelett_test
|
|
NODE_TLS_REJECT_UNAUTHORIZED: 0
|
|
JWT_SECRET: ci-test-secret-at-least-32-characters-long
|
|
|
|
web:
|
|
name: Web — typecheck + test + build
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Checkout common-plat (for @bytelyst/* packages)
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: saravanakumardb1/learning_ai_common_plat
|
|
path: learning_ai_common_plat
|
|
token: ${{ secrets.GH_PAT }}
|
|
|
|
- name: Link common-platform workspace path
|
|
run: |
|
|
ln -sfn "$GITHUB_WORKSPACE/learning_ai_common_plat" ../learning_ai_common_plat
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: pnpm
|
|
cache-dependency-path: pnpm-lock.yaml
|
|
|
|
- name: Enable pnpm
|
|
run: corepack enable
|
|
|
|
- name: Build @bytelyst/* packages
|
|
working-directory: learning_ai_common_plat
|
|
run: |
|
|
pnpm install --frozen-lockfile
|
|
pnpm build
|
|
|
|
- name: Install workspace dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Web lint
|
|
run: pnpm --filter @notelett/web run lint
|
|
|
|
- name: Web typecheck
|
|
run: pnpm --filter @notelett/web run typecheck
|
|
|
|
- name: Web tests
|
|
run: pnpm --filter @notelett/web run test
|
|
|
|
- name: Web build
|
|
run: pnpm --filter @notelett/web run build
|
|
|
|
web-e2e:
|
|
name: Web E2E — Playwright
|
|
runs-on: ubuntu-latest
|
|
needs: web
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Checkout common-plat (for @bytelyst/* packages)
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: saravanakumardb1/learning_ai_common_plat
|
|
path: learning_ai_common_plat
|
|
token: ${{ secrets.GH_PAT }}
|
|
|
|
- name: Link common-platform workspace path
|
|
run: |
|
|
ln -sfn "$GITHUB_WORKSPACE/learning_ai_common_plat" ../learning_ai_common_plat
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: pnpm
|
|
cache-dependency-path: pnpm-lock.yaml
|
|
|
|
- name: Enable pnpm
|
|
run: corepack enable
|
|
|
|
- name: Build @bytelyst/* packages
|
|
working-directory: learning_ai_common_plat
|
|
run: |
|
|
pnpm install --frozen-lockfile
|
|
pnpm build
|
|
|
|
- name: Install workspace dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Cache Playwright browsers
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: ~/.cache/ms-playwright
|
|
key: ${{ runner.os }}-playwright-${{ hashFiles('pnpm-lock.yaml') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-playwright-
|
|
|
|
- name: Install Playwright Chromium
|
|
run: pnpm --filter @notelett/web exec playwright install --with-deps chromium
|
|
|
|
- name: Web Playwright E2E
|
|
run: pnpm --filter @notelett/web run test:e2e -- --reporter=list
|
|
|
|
- name: Upload Playwright report
|
|
if: always()
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: web-playwright-report
|
|
path: |
|
|
web/playwright-report
|
|
web/test-results
|
|
if-no-files-found: ignore
|
|
|
|
docker-build:
|
|
name: Docker — backend + web images
|
|
runs-on: ubuntu-latest
|
|
needs: [backend, web]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Checkout common-plat (for @bytelyst/* packages)
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: saravanakumardb1/learning_ai_common_plat
|
|
path: learning_ai_common_plat
|
|
token: ${{ secrets.GH_PAT }}
|
|
|
|
- name: Link common-platform workspace path
|
|
run: |
|
|
ln -sfn "$GITHUB_WORKSPACE/learning_ai_common_plat" ../learning_ai_common_plat
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: pnpm
|
|
cache-dependency-path: pnpm-lock.yaml
|
|
|
|
- name: Enable pnpm
|
|
run: corepack enable
|
|
|
|
- name: Install common-platform dependencies
|
|
working-directory: learning_ai_common_plat
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Prepare Docker tarball dependencies
|
|
run: COMMON_PLAT="$GITHUB_WORKSPACE/learning_ai_common_plat" bash scripts/docker-prep.sh
|
|
|
|
- name: Build backend image
|
|
env:
|
|
GITEA_NPM_TOKEN: ${{ secrets.GITEA_NPM_TOKEN }}
|
|
run: |
|
|
printf '%s' "${GITEA_NPM_TOKEN:-}" > /tmp/gitea_npm_token
|
|
DOCKER_BUILDKIT=1 docker build \
|
|
--secret id=gitea_npm_token,src=/tmp/gitea_npm_token \
|
|
-f backend/Dockerfile \
|
|
-t notelett-backend:ci \
|
|
.
|
|
|
|
- name: Build web image
|
|
env:
|
|
GITEA_NPM_TOKEN: ${{ secrets.GITEA_NPM_TOKEN }}
|
|
run: |
|
|
printf '%s' "${GITEA_NPM_TOKEN:-}" > /tmp/gitea_npm_token
|
|
DOCKER_BUILDKIT=1 docker build \
|
|
--secret id=gitea_npm_token,src=/tmp/gitea_npm_token \
|
|
--build-arg NEXT_PUBLIC_NOTES_API_URL=http://localhost:4016/api \
|
|
--build-arg NEXT_PUBLIC_PLATFORM_SERVICE_URL=http://localhost:4003/api \
|
|
-f web/Dockerfile \
|
|
-t notelett-web:ci \
|
|
.
|
|
|
|
- name: Restore Docker prep changes
|
|
if: always()
|
|
run: bash scripts/docker-prep.sh --restore
|
|
|
|
mobile:
|
|
name: Mobile — lint + typecheck + test
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Checkout common-plat (for @bytelyst/* packages)
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: saravanakumardb1/learning_ai_common_plat
|
|
path: learning_ai_common_plat
|
|
token: ${{ secrets.GH_PAT }}
|
|
|
|
- name: Link common-platform workspace path
|
|
run: |
|
|
ln -sfn "$GITHUB_WORKSPACE/learning_ai_common_plat" ../learning_ai_common_plat
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
cache: pnpm
|
|
cache-dependency-path: pnpm-lock.yaml
|
|
|
|
- name: Enable pnpm
|
|
run: corepack enable
|
|
|
|
- name: Build @bytelyst/* packages
|
|
working-directory: learning_ai_common_plat
|
|
run: |
|
|
pnpm install --frozen-lockfile
|
|
pnpm build
|
|
|
|
- name: Install workspace dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Mobile lint
|
|
run: pnpm --filter @notelett/mobile run lint
|
|
|
|
- name: Mobile typecheck
|
|
run: pnpm --filter @notelett/mobile run typecheck
|
|
|
|
- name: Mobile tests
|
|
run: pnpm --filter @notelett/mobile run test
|