[prod:ecologie:major] release(ecospheres): prod 20260120-1 #1033

release(ecospheres): prod 20260120-1

Author: abulte

.github/workflows/create-deploy-release.yml

@@ -7,10 +7,10 @@ on:
       site:
         description: 'Site to deploy on preprod or prod'
         required: true
-        default: 'ecospheres'
+        default: 'ecologie'
         type: choice
         options: # Can't use vars here because this is a workflow dispatch input
-          - ecospheres
+          - ecologie
           - meteo-france
           - logistique
           - defis
@@ -103,7 +103,7 @@ jobs:
         shell: bash
         run: |
           git clone --quiet --depth 1 -b ${{ env.REPO_CURRENT_BRANCH }} ${{ env.REPO_SSH_URL }}
-          git clone --quiet --depth 1 $SCAFFOLD_REPO_SSH_URL ${{ env.SCAFFOLD_DIR }}
+          git clone --quiet --depth 1 -b pnpm-ufk $SCAFFOLD_REPO_SSH_URL ${{ env.SCAFFOLD_DIR }}
 
       - name: Parse commit message and set deployment variables
         if: (github.event_name == 'push' && startsWith(github.ref, 'refs/heads/') && startsWith(github.event.head_commit.message, '['))

.github/workflows/deploy-review-from-comment.yml

@@ -38,7 +38,7 @@ jobs:
       - name: Get PR branch
         if: steps.parse.outputs.should_deploy == 'true'
         id: get_pr
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
@@ -53,7 +53,7 @@ jobs:
 
       - name: React to comment
         if: steps.parse.outputs.should_deploy == 'true'
-        uses: peter-evans/create-or-update-comment@v4.0.0
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           comment-id: ${{ github.event.comment.id }}
@@ -65,7 +65,7 @@ jobs:
     if: needs.check_comment.outputs.should_deploy == 'true'
     steps:
       - name: Trigger review app workflow
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/review-app.yml

@@ -49,7 +49,7 @@ jobs:
       - name: Check if review app exists
         id: check_app
         continue-on-error: true
-        uses: appleboy/ssh-action@v1.2.2
+        uses: appleboy/ssh-action@823bd89e131d8d508129f9443cad5855e9ba96f0 # v1.2.4
         with:
           host: ${{ secrets.REVIEW_APP_SSH_HOST }}
           username: dokku
@@ -126,13 +126,13 @@ jobs:
 
       - name: Cloning repo
         if: env.SHOULD_DEPLOY == 'true'
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
 
       - name: Start deployment
         if: env.SHOULD_DEPLOY == 'true'
-        uses: chrnorm/deployment-action@v2
+        uses: chrnorm/deployment-action@55729fcebec3d284f60f5bcabbd8376437d696b1 # v2.0.7
         id: deployment
         with:
           token: ${{ github.token }}
@@ -142,7 +142,7 @@ jobs:
 
       - name: Create the review app
         if: env.SHOULD_CREATE == 'true'
-        uses: dokku/github-action@master
+        uses: dokku/github-action@823c08b33e974704528c7c7f3d3d8002426e7634 # v1.9.0
         with:
           command: review-apps:create
           git_remote_url: ${{ secrets.REVIEW_APP_SSH_URL }}
@@ -153,7 +153,7 @@ jobs:
 
       - name: Set site id as build arg
         if: env.SHOULD_DEPLOY == 'true'
-        uses: appleboy/ssh-action@v1.2.2
+        uses: appleboy/ssh-action@823bd89e131d8d508129f9443cad5855e9ba96f0 # v1.2.4
         with:
           host: ${{ secrets.REVIEW_APP_SSH_HOST }}
           username: dokku
@@ -164,7 +164,7 @@ jobs:
 
       - name: Push to dokku
         if: env.SHOULD_DEPLOY == 'true'
-        uses: dokku/github-action@v1.0.0
+        uses: dokku/github-action@823c08b33e974704528c7c7f3d3d8002426e7634 # v1.9.0
         with:
           git_remote_url: ${{ secrets.REVIEW_APP_SSH_URL }}
           review_app_name: deploy-preview-${{ env.PR_NUMBER }}--${{ env.SITE }}
@@ -174,7 +174,7 @@ jobs:
 
       - name: Enable SSL with Let's Encrypt
         if: env.SHOULD_CREATE == 'true'
-        uses: appleboy/ssh-action@v1.2.2
+        uses: appleboy/ssh-action@823bd89e131d8d508129f9443cad5855e9ba96f0 # v1.2.4
         with:
           host: ${{ secrets.REVIEW_APP_SSH_HOST }}
           username: dokku
@@ -185,7 +185,7 @@ jobs:
 
       - name: Destroy the review app
         if: github.event.action == 'closed' && env.SHOULD_DESTROY == 'true'
-        uses: dokku/github-action@master
+        uses: dokku/github-action@823c08b33e974704528c7c7f3d3d8002426e7634 # v1.9.0
         with:
           command: review-apps:destroy
           git_remote_url: ${{ secrets.REVIEW_APP_SSH_URL }}
@@ -194,7 +194,7 @@ jobs:
 
       - name: Update deployment status
         if: env.SHOULD_DEPLOY == 'true'
-        uses: chrnorm/deployment-status@v2
+        uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3
         with:
           token: ${{ github.token }}
           environment-url: https://deploy-preview-${{ env.PR_NUMBER }}--${{ env.SITE }}.sandbox.data.developpement-durable.gouv.fr

.github/workflows/robots.yml

@@ -13,29 +13,33 @@ jobs:
     name: Lint and type check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Install pnpm
+        uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
       - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20.x
-          cache: 'npm'
-      - run: npm ci
-      - run: npm run type-check
-      - run: npm run lint
+          cache: 'pnpm'
+      - run: pnpm install
+      - run: pnpm run type-check
+      - run: pnpm run lint
 
   unit-tests:
     name: Unit tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Install pnpm
+        uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
       - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20.x
-          cache: 'npm'
-      - run: npm ci
-      - run: npm run build --if-present
-      - run: npm run test:single
+          cache: 'pnpm'
+      - run: pnpm install
+      - run: pnpm run build
+      - run: pnpm run test:single
 
   e2e-tests:
     name: End-to-end Tests
@@ -53,12 +57,14 @@ jobs:
             culture
           ]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Install pnpm
+        uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0
       - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20.x
-          cache: 'npm'
-      - run: npm ci
-      - run: VITE_SITE_ID=${{ matrix.site_id }} npm run build --if-present -- --mode test
-      - run: VITE_SITE_ID=${{ matrix.site_id }} npm run test:e2e:for_production_build
+          cache: 'pnpm'
+      - run: pnpm install
+      - run: VITE_SITE_ID=${{ matrix.site_id }} pnpm run build -- --mode test
+      - run: VITE_SITE_ID=${{ matrix.site_id }} pnpm run test:e2e:for_production_build

.github/workflows/tests.yml

@@ -1 +1 @@
-npx lint-staged
+pnpm exec lint-staged

.husky/pre-commit

@@ -0,0 +1,16 @@
+# Cypress compatibility - disable pnpm's side effects cache
+side-effects-cache=false
+
+# Don't fail on peer dependency warnings (common in Vue ecosystem)
+strict-peer-dependencies=false
+
+# Use npm-like flat node_modules structure instead of pnpm's symlinks
+# Required for Vite optimizeDeps and TypeScript to work correctly
+node-linker=hoisted
+
+# Security: Only install packages released at least 4 days ago
+# Protects against supply-chain attacks by giving community time to detect malicious releases
+minimum-release-age=5760
+
+# Enforce pnpm usage - fail if npm or yarn is used
+engine-strict=true

.npmrc

@@ -1,7 +1,16 @@
 FROM node:22 AS builder
 
+# Install pnpm
+RUN corepack enable && corepack prepare pnpm@latest-10 --activate
+
 WORKDIR /app
 
+# Copy package files first for better layer caching
+COPY package.json pnpm-lock.yaml .npmrc ./
+
+RUN pnpm install
+
+# Copy source files
 COPY ./ /app
 
 ENV NODE_OPTIONS=--openssl-legacy-provider
@@ -10,10 +19,9 @@ ARG VITE_SITE_ID
 # only set the environment variable if the build arg was provided
 ENV VITE_SITE_ID=${VITE_SITE_ID:-}
 
-RUN npm ci
 RUN echo "$(date)" && \
     export $(cat /app/*.env | xargs) && \
-    npm run build
+    pnpm run build
 
 FROM nginx:alpine-slim