Skip to content

fix(ci): commit package-lock.json so CI can install npm deps#5

Merged
jansroka merged 3 commits into
mainfrom
fix-ci-lockfile
Jul 8, 2026
Merged

fix(ci): commit package-lock.json so CI can install npm deps#5
jansroka merged 3 commits into
mainfrom
fix-ci-lockfile

Conversation

@jansroka

@jansroka jansroka commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Fixes the CI failure introduced in #4.

Root cause: the CI job failed at actions/setup-node with Dependencies lock file is not found. package-lock.json is matched by a global gitignore rule (~/.gitignore_global), so it was never committed to the repo. Both the cache: npm setting and npm ci require a committed lockfile.

Fix: force-add package-lock.json. Verified locally that npm ci installs cleanly against it (12 packages, lockfile in sync with package.json).

Once this merges, CI on subsequent PRs should get past the Node setup step and actually run the build + html-proofer + rubocop + prettier checks.

🤖 Generated with Claude Code

jansroka and others added 2 commits July 8, 2026 20:31
The CI workflow failed on `actions/setup-node` with "Dependencies lock file
is not found" because package-lock.json is matched by a global gitignore and
was never committed. Both `cache: npm` and `npm ci` require a committed
lockfile. Force-add it (verified `npm ci` installs cleanly against it).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Implements three modernization recommendations. The three changes were
developed in parallel by separate subagents against non-overlapping files;
shared files (package.json, ci.yml, _config.yml, lockfile) were integrated
here.

Security headers + security.txt (rec #5):
- Add a strict Content-Security-Policy and Referrer-Policy via <meta> tags in
  head.html (GitHub Pages cannot set HTTP headers). Policy is default-src
  'self' with same-origin CSS/img/font, object-src 'none', frame-ancestors
  'none'. style-src keeps 'unsafe-inline' because several Webflow-exported
  pages use inline style= attributes; a CSP that breaks styling is worse than
  none. X-Content-Type-Options / X-Frame-Options are intentionally NOT emitted
  as meta tags (header-only directives) — documented inline.
- Add /.well-known/security.txt (RFC 9116). Requires the .well-known dir in
  the _config.yml include list, since Jekyll excludes dot-dirs by default
  (verified against Jekyll 4.4.1 EntryFilter source).

PurgeCSS (rec #1):
- Add purgecss.config.js + scripts/purge-css.js and a "Purge unused CSS" CI
  step that runs after the Jekyll build and rewrites only the CSS in _site/
  (source assets/css/ is untouched). Conservative safelist covers Webflow
  runtime/state classes and the checkbox-toggled mobile nav. Fixture test
  showed the 127 KB inog-website.webflow.css dropping sharply; real per-page
  reduction will be validated by the first CI run.

Accessibility audit (rec #4):
- Add .pa11yci.json (WCAG2AA, axe + htmlcs runners) and a test-a11y script
  that serves _site via http-server and runs pa11y-ci over all 8 pages.
- The CI step is NON-BLOCKING (continue-on-error) for now: a real run against
  the built site showed 0/8 pages passing, with pre-existing errors including
  missing <title>/<html lang> on some Webflow-exported pages, an image-only
  link missing alt text, and untested iframes. Gating on these would make CI
  red on merge. The check reports the debt on every PR; remove
  continue-on-error once the baseline is fixed in a follow-up.

Verification: prettier, YAML, JSON, and JS-config parsing all pass locally.
The Jekyll build, PurgeCSS, and pa11y runs were exercised against real built
output during development; a full local build is not possible in the commit
environment (offline), so the build itself is confirmed by CI on this PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add CSP + security.txt, PurgeCSS, and accessibility CI audit
@jansroka jansroka merged commit b791e11 into main Jul 8, 2026
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant