From 8a5b115ccd326593d8275bdbd1d11acd1b8a0cb6 Mon Sep 17 00:00:00 2001
From: Matthieu
Date: Mon, 22 Jun 2026 09:07:09 +0200
Subject: [PATCH] ci : add pull request quality gate workflow targeting develop
---
.gitea/workflows/pull-request.yml | 115 ++++++++++++++++++++++++++++++
1 file changed, 115 insertions(+)
create mode 100644 .gitea/workflows/pull-request.yml
diff --git a/.gitea/workflows/pull-request.yml b/.gitea/workflows/pull-request.yml
new file mode 100644
index 0000000..f0cba23
--- /dev/null
+++ b/.gitea/workflows/pull-request.yml
@@ -0,0 +1,115 @@
+name: Pull Request — Quality gate
+
+# Lance les tests back + le build front sur chaque PR ciblant develop.
+# Deux jobs en parallele (backend / frontend) pour reduire le temps de feedback.
+# Pas d'E2E ici : la quality gate se limite a "le back passe les tests, le front compile".
+
+on:
+ pull_request:
+ branches:
+ - develop
+
+# Annule les runs obsoletes quand on repush sur la meme PR.
+concurrency:
+ group: pr-${{ gitea.event.pull_request.number }}
+ cancel-in-progress: true
+
+jobs:
+ backend:
+ name: Backend (PHP CS + PHPUnit)
+ runs-on: ubuntu-latest
+
+ services:
+ postgres:
+ image: postgres:16-alpine
+ env:
+ # Doivent matcher la DATABASE_URL ci-dessous. Doctrine ajoute le
+ # suffixe `_test` automatiquement en APP_ENV=test (when@test
+ # dbname_suffix) → la base reellement utilisee est `app_test`.
+ POSTGRES_USER: app
+ POSTGRES_PASSWORD: '!ChangeMe!'
+ POSTGRES_DB: app
+ # Pas de `ports:` host mapping : les jobs Gitea Actions tournent en
+ # container sur un reseau Docker dedie, le service est joignable via
+ # son nom (`postgres`), pas via 127.0.0.1.
+ options: >-
+ --health-cmd "pg_isready -U app"
+ --health-interval 5s
+ --health-timeout 5s
+ --health-retries 10
+
+ env:
+ APP_ENV: test
+ APP_SECRET: ci-secret-not-used
+ APP_DEBUG: 0
+ DEFAULT_URI: http://localhost/
+ DATABASE_URL: postgresql://app:!ChangeMe!@postgres:5432/app?serverVersion=16&charset=utf8
+ JWT_SECRET_KEY: '%kernel.project_dir%/config/jwt/private.pem'
+ JWT_PUBLIC_KEY: '%kernel.project_dir%/config/jwt/public.pem'
+ JWT_PASSPHRASE: ci-passphrase
+ # Cle de chiffrement (sodium) des secrets Mail / Integration / CalDav que
+ # les fixtures persistent (ZimbraConfiguration, tokens...). Valeur de test
+ # alignee sur phpunit.dist.xml.
+ ENCRYPTION_KEY: ccd250183ea853179562d458e645585f3d46ddebb0701743236196f60fc1a0b8
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup PHP 8.4
+ uses: shivammathur/setup-php@v2
+ with:
+ php-version: '8.4'
+ # zip + gd requis par phpoffice/phpspreadsheet (export XLSX), sodium par
+ # le chiffrement des secrets, ctype/iconv par le require de composer.json.
+ extensions: pdo, pdo_pgsql, intl, opcache, zip, mbstring, sodium, gd, ctype, iconv
+ coverage: none
+ tools: composer:v2
+
+ - name: Install PHP dependencies
+ run: composer install --no-interaction --no-progress --prefer-dist
+
+ - name: Generate JWT keypair
+ run: php bin/console lexik:jwt:generate-keypair --skip-if-exists --no-interaction
+
+ - name: PHP CS Fixer (dry-run)
+ run: vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.dist.php --allow-risky=yes --dry-run --diff
+
+ - name: Bootstrap test database
+ # Miroir de la cible `db-reset` du makefile (create + migrate + fixtures),
+ # en --env=test. Les fixtures sement les roles systeme (RbacSeeder) ;
+ # sync-permissions complete le catalogue de permissions comme en install reelle.
+ run: |
+ php bin/console doctrine:database:create --env=test --if-not-exists --no-interaction
+ php bin/console doctrine:migrations:migrate --env=test --no-interaction
+ php bin/console doctrine:fixtures:load --env=test --no-interaction
+ php bin/console app:sync-permissions --env=test --no-interaction
+
+ - name: Run PHPUnit
+ run: php -d memory_limit=512M vendor/bin/phpunit
+
+ frontend:
+ name: Frontend (build)
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: frontend
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Node 24
+ uses: actions/setup-node@v4
+ with:
+ node-version: '24'
+
+ # `npm ci` declenche le postinstall `nuxt prepare` (genere .nuxt/).
+ - name: Install Node dependencies
+ run: npm ci
+
+ # `nuxt build` (et non `build:dist`/`nuxt generate`) : l'app est en SSR off
+ # (SPA), le prerender n'apporte rien a une quality gate — on valide seulement
+ # que le bundle compile.
+ - name: Build production (nuxt build)
+ run: npm run build
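Review bot: Both `Checkout` steps keep the job token in the workspace's git configuration (the `actions/checkout` default) while `composer install` and `npm ci` run scripts the pull request itself controls; the workflow's own comment notes that `npm ci` triggers the `nuxt prepare` postinstall. Neither job pushes or fetches after checkout, so adding `with:` and `persist-credentials: false` under each `uses: actions/checkout@v4` removes that exposure at no cost. The three actions are also referenced by mutable tags (`actions/checkout@v4`, `shivammathur/setup-php@v2`, `actions/setup-node@v4`); pinning each to a full commit SHA, in the form `uses: shivammathur/setup-php@<full-commit-sha>  # v2`, keeps a moved tag from changing what the gate executes. The `ENCRYPTION_KEY` literal is described as a test value aligned with phpunit.dist.xml; I would add a comment line such as `# Test-only key: must never match a key used in a deployed environment.` and confirm that this holds.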