From 1380672c031b74021a361ad09f818540643fc7b5 Mon Sep 17 00:00:00 2001
From: knacky
Date: Fri, 22 May 2026 19:42:23 +0200
Subject: [PATCH] ci(gitea): add CI workflow + transient smoke validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Two workflows under .gitea/workflows/: - ci.yml — runs on push:main and every PR. Two parallel jobs: * backend (python:3.12-slim-bookworm): apt deps for psycopg + WeasyPrint, pip install -e backend[dev], ruff check + ruff format --check + mypy --strict src + pytest tests/unit. Postgres 16 service for any integration-style test, env wired via service hostname. FERNET_KEY_TEST sourced from Gitea repo secret (no plain value in CI). * frontend (node:22-alpine): npm ci, ESLint, TypeScript typecheck, Vitest, Vite build. Runner label: linux (matches gitea-runner registration). Out of scope sprint 0: testcontainers Postgres integration tests (Docker-in-Docker rootless setup deferred to nightly job) and Playwright E2E (deferred to sprint 1+). - smoke.yml — transient. Triggers only on push to this branch (chore/podman-and-ci) and on workflow_dispatch. Validates that the newly registered gitea-runner picks up jobs with the "linux" label. Removed in a follow-up commit on this branch once green.
---
.gitea/workflows/ci.yml | 97 ++++++++++++++++++++++++++++++++++++++
.gitea/workflows/smoke.yml | 22 +++++++++
2 files changed, 119 insertions(+)
create mode 100644 .gitea/workflows/ci.yml
create mode 100644 .gitea/workflows/smoke.yml
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
new file mode 100644
index 0000000..86bbd5e
--- /dev/null
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,97 @@
+name: ci
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ backend:
+ name: backend (lint + typecheck + unit tests)
+ runs-on: linux
+ container:
+ image: python:3.12-slim-bookworm
+ services:
+ postgres:
+ image: postgres:16-alpine
+ env:
+ POSTGRES_DB: mimic_test
+ POSTGRES_USER: mimic_test
+ POSTGRES_PASSWORD: mimic_test_password
+ # Healthcheck so Gitea Actions waits for Postgres readiness.
+ options: >-
+ --health-cmd "pg_isready -U mimic_test -d mimic_test"
+ --health-interval 5s
+ --health-timeout 3s
+ --health-retries 10
+ env:
+ MIMIC_ENV: test
+ MIMIC_DATABASE_URL: postgresql+psycopg://mimic_test:mimic_test_password@postgres:5432/mimic_test
+ MIMIC_DATABASE_AUDIT_URL: postgresql+psycopg://mimic_test:mimic_test_password@postgres:5432/mimic_test
+ MIMIC_SECRET_KEY: ci-not-secret
+ MIMIC_FERNET_KEY: ${{ secrets.FERNET_KEY_TEST }}
+ MIMIC_BLOB_ROOT: /tmp/mimic-blobs
+ MIMIC_EVIDENCE_ROOT: /tmp/mimic-evidence
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: System deps (psycopg + WeasyPrint runtime)
+ run: |
+ apt-get update -qq
+ apt-get install -y --no-install-recommends \
+ build-essential libpq-dev \
+ libpango-1.0-0 libpangoft2-1.0-0 libcairo2 libffi-dev
+ rm -rf /var/lib/apt/lists/*
+
+ - name: Install backend
+ working-directory: backend
+ run: |
+ python -m pip install --upgrade pip
+ pip install -e ".[dev]"
+
+ - name: Ruff lint
+ working-directory: backend
+ run: ruff check src tests
+
+ - name: Ruff format check
+ working-directory: backend
+ run: ruff format --check src tests
+
+ - name: Mypy strict
+ working-directory: backend
+ run: mypy --strict src
+
+ - name: Pytest unit
+ working-directory: backend
+ run: pytest tests/unit -q
+
+ frontend:
+ name: frontend (lint + typecheck + build + unit tests)
+ runs-on: linux
+ container:
+ image: node:22-alpine
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install
+ working-directory: frontend
+ run: npm ci
+
+ - name: ESLint
+ working-directory: frontend
+ run: npm run lint
+
+ - name: TypeScript typecheck
+ working-directory: frontend
+ run: npm run typecheck
+
+ - name: Vitest
+ working-directory: frontend
+ run: npm test
+
+ - name: Vite build
+ working-directory: frontend
+ run: npm run build
diff --git a/.gitea/workflows/smoke.yml b/.gitea/workflows/smoke.yml
new file mode 100644
index 0000000..4d91c86
--- /dev/null
+++ b/.gitea/workflows/smoke.yml
@@ -0,0 +1,22 @@
+name: smoke
+# Trivial workflow to validate the Gitea Actions runner pickup.
+# Removed in a follow-up commit once green on chore/podman-and-ci.
+
+on:
+ push:
+ branches:
+ - chore/podman-and-ci
+ workflow_dispatch:
+
+jobs:
+ hello:
+ runs-on: linux
+ steps:
+ - name: kernel + identity
+ run: |
+ echo "host: $(uname -a)"
+ id
+ cat /etc/os-release | head -3
+ - name: container runtime visible from job
+ run: |
+ which podman || which docker || echo "(no runtime visible — expected for nested rootless DooD)"
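Review bot: The job-level `env:` of `backend` in ci.yml places `MIMIC_FERNET_KEY: ${{ secrets.FERNET_KEY_TEST }}` in the environment of every step, including `pip install -e ".[dev]"`, which runs build and install code from third-party packages, and the workflow also triggers on `pull_request`. Only the test step appears to need the key, so it would be safer to remove it from the job `env:` and set it on the `Pytest unit` step alone, as a step-level `env:` holding `MIMIC_FERNET_KEY: ${{ secrets.FERNET_KEY_TEST }}`. Separately, both jobs use `actions/checkout@v4`, which is a mutable tag. Pinning it to a full commit SHA (`uses: actions/checkout@<full-commit-sha>  # v4`) and pinning the three container images by digest would keep a retagged upstream from changing what executes next to that secret.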
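Review bot: The `kernel + identity` step in smoke.yml writes the full `uname -a` string and the complete `id` output (uid, gid and every group membership) to the job log, which is more than a runner-pickup check needs and stays readable to anyone who can view Actions logs for as long as the run is retained. If the `linux` label maps to a host executor rather than a container, those values describe the runner host and its service account. A narrower line such as `echo "host: $(uname -sr) as $(id -un)"` still proves the pickup. In the second step, `which` is not guaranteed to exist in minimal images; `command -v podman || command -v docker || echo "…"` relies on the shell builtin instead.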