gitleaks/gitleaks-action@v2 has a license-key check that fails on some
Gitea runners. Switch to downloading and running the gitleaks binary
directly — same scan, no action wrapper, no license dependency.

Runtime config (src/lib/config.ts, src/api/client.ts, src/lib/ws.ts,
index.html, Dockerfile, nginx.conf, docker/):
- New typed getConfig() helper reads window.__APP_CONFIG__ at runtime
with import.meta.env.VITE_API_URL as a dev-only fallback.
- index.html loads <script src="/config.js"> synchronously before the
bundle. /config.js is rendered at container start via envsubst on
docker/config.js.template, populated from the API_URL env var
(docker/40-render-config.sh runs as part of the official nginx:alpine
/docker-entrypoint.d sequence).
- Dockerfile drops the VITE_API_URL build arg — one image works across
all environments now.
- nginx.conf adds Cache-Control: no-store on /config.js so browsers and
CDNs don't pin stale config.

Pipeline (.gitea/workflows/ci.yml):
- lint, typecheck, gitleaks, semgrep, Trivy fs+image scans, buildx
build with gha cache, Harbor push gated on `main` or v* tags
- Image tags via metadata-action: :latest (main only), :sha-<full>,
semver-derived :1.2.3 / :1.2 / :1 from v* tags
- Secrets: HARBOR_HOST, MOVIELOOP_USERNAME, MOVIELOOP_PASSWORD

Versioning (package.json, .versionrc.json):
- Bumped to 1.0.0 baseline
- Added commit-and-tag-version devDep + release scripts. Conventional
Commits drive bumps; CHANGELOG hides chore/ci/etc.

Scan configs:
- .gitleaks.toml allows .env.example
- .semgrepignore excludes node_modules/, dist/, coverage/, public/
- .trivyignore placeholder with format docs

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
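Added example, not code from this commit or from the project: a runtime-config reader in the shape the message describes (a typed getConfig() that reads window.__APP_CONFIG__, with a dev-only fallback), plus the validation a reviewer would want before trusting a value that arrives via an env var rendered into /config.js at container start. Only `__APP_CONFIG__` and `getConfig` come from the commit; `AppConfig`, `ConfigError`, `parseApiUrl`, `tryParseApiUrl`, `resolveConfig`, the `isDev`/`devFallback` parameters and the Vite variable names mentioned in comments are assumptions for illustration.

```typescript
// Added example (not the project's code). Assumed names: AppConfig,
// ConfigError, parseApiUrl, tryParseApiUrl, resolveConfig, isDev/devFallback.

export interface AppConfig {
  /** Absolute http(s) URL with any trailing slash removed. */
  apiUrl: string;
}

export class ConfigError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ConfigError";
  }
}

/**
 * Validate and normalise an API URL that came from outside the bundle
 * (an operator-supplied env var written into /config.js).
 */
export function parseApiUrl(raw: unknown): string {
  if (typeof raw !== "string" || raw.trim() === "") {
    throw new ConfigError("apiUrl is missing or empty");
  }
  let url: URL;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch {
    throw new ConfigError(`apiUrl is not an absolute URL: ${raw}`);
  }
  // `new URL` accepts javascript:, data:, file: etc.; only http(s) is sane here.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new ConfigError(`apiUrl must use http or https: ${raw}`);
  }
  // Embedded credentials would ride along on every request and end up in logs.
  if (url.username !== "" || url.password !== "") {
    throw new ConfigError("apiUrl must not embed credentials");
  }
  // A base URL should be a clean origin + path; query/fragment are a config error.
  if (url.search !== "" || url.hash !== "") {
    throw new ConfigError("apiUrl must not carry a query string or fragment");
  }
  return url.href.replace(/\/+$/, "");
}

/** Same check, but returns null instead of throwing (handy for tests and UIs). */
export function tryParseApiUrl(raw: unknown): string | null {
  try {
    return parseApiUrl(raw);
  } catch (e) {
    if (e instanceof Error && e.name === "ConfigError") return null;
    throw e;
  }
}

/**
 * Pure resolution: the runtime object (window.__APP_CONFIG__) wins; the
 * build-time fallback is honoured only in dev, so a production image that
 * forgot to render /config.js fails loudly instead of silently using a baked-in URL.
 */
export function resolveConfig(
  runtime: unknown,
  devFallback: string | undefined,
  isDev: boolean,
): AppConfig {
  const fromRuntime =
    runtime !== null && typeof runtime === "object"
      ? (runtime as Record<string, unknown>).apiUrl
      : undefined;
  if (fromRuntime !== undefined) {
    return { apiUrl: parseApiUrl(fromRuntime) };
  }
  if (isDev && devFallback !== undefined) {
    return { apiUrl: parseApiUrl(devFallback) };
  }
  throw new ConfigError(
    "window.__APP_CONFIG__ is not set; /config.js did not load before the bundle",
  );
}

let cached: AppConfig | undefined;

/**
 * Browser entry point. In a Vite app the caller would pass
 * import.meta.env.VITE_API_URL and import.meta.env.DEV (assumed names) here;
 * they are parameters so this module has no build-tool dependency.
 */
export function getConfig(devFallback?: string, isDev = false): AppConfig {
  if (cached) return cached;
  const g = globalThis as unknown as { __APP_CONFIG__?: unknown };
  cached = resolveConfig(g.__APP_CONFIG__, devFallback, isDev);
  return cached;
}
```

The scheme and credential checks matter because /config.js is a plain script tag: whatever API_URL holds is executed as JavaScript and then handed to every fetch and WebSocket call, so the render step (envsubst into docker/config.js.template) and the reader should both refuse anything that is not an absolute http(s) URL rather than trusting the environment.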