33 Commits

Author SHA1 Message Date
Serreau Jovann
d5b08aaae2 Wrap deploy script in bash -c to bypass remote fish shell
Some checks failed
CI / sonarqube (push) Has been cancelled
Deploy to production / deploy (push) Failing after 40s
- .gitea/workflows/deploy.yml: the bot user on the new prod host has
  fish as its login shell, which rejects bash syntax (set -e, VAR=...,
  $(...), trap, process substitution). Wrap the entire deploy script
  in `bash -c '...'` so fish only spawns a bash subprocess and the
  script itself is parsed by bash.
- Forward DEPLOY_PATH alongside VAULT_PASS through appleboy/ssh-action
  envs: so the bash subprocess inherits both, instead of interpolating
  the secret directly into the rendered script (where masking would
  collide with the cd argument).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 18:08:30 +02:00
Serreau Jovann
c6d2c068d3 Pass ansible vault password via env var instead of process substitution
Some checks failed
CI / sonarqube (push) Has been cancelled
- .gitea/workflows/deploy.yml: stop interpolating ANSIBLE_VAULT_PASSWORD
  directly into the remote script (the runner masks the secret with ***
  which broke the <(echo '...') process substitution at runtime)
- inject the password as VAULT_PASS through appleboy/ssh-action's
  envs: forwarding so it never appears in the rendered script
- on the remote, write it to a mktemp file with chmod 600 and remove
  the file via trap on EXIT, then point ansible-playbook
  --vault-password-file at that temp file
- use printf '%s' instead of echo to avoid adding a stray newline to
  the vault password
- add set -e so the script fails fast if any step errors

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 18:04:50 +02:00
Serreau Jovann
5449ab9d4d Migrate deploy workflow to appleboy/ssh-action
Some checks failed
CI / sonarqube (push) Has been cancelled
- .gitea/workflows/deploy.yml: replace manual ssh key setup + raw ssh
  command with the appleboy/ssh-action@v1.0.0 action
- host, user, key and deploy path are now read from Gitea secrets
  (SSH_HOST, SSH_USER, SSH_PRIVATE_KEY, DEPLOY_PATH) instead of being
  hard-coded in the workflow
- ansible-playbook command and vault password file (process substitution
  fed by ANSIBLE_VAULT_PASSWORD) are kept identical, only the transport
  changes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 18:01:58 +02:00
Serreau Jovann
92548920c2 Migrate SonarQube to sn.e-cosplay.fr, rotate badge token, drop OWASP Dependency-Check, update deploy host
Some checks failed
CI / sonarqube (push) Failing after 5m27s
- .env, .env.test, ansible/env.local.j2: point SONARQUBE_URL to https://sn.e-cosplay.fr
- ansible/vault.yml, .env: rotate sonarqube_badge_token to new value
- .gitea/workflows/ci.yml, sonarqube.yml: remove OWASP Dependency-Check steps and force sonar.host.url via CLI args
- sonar-project.properties: drop dependencyCheck report paths
- .gitea/workflows/deploy.yml: switch SSH target from 34.90.187.4 to 152.228.222.133

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 17:44:37 +02:00
Serreau Jovann
3468b1288d Improve mobile/tablet responsiveness, fix structured data, update deploy schedule and fix HTML issues
- Add responsive breakpoints (sm/md) to event_detail.html.twig: adaptive titles, stacked ticket layout on mobile, reduced padding/spacing
- Add responsive breakpoints to order templates (guest, summary, public, payment, success): adaptive typography, padding, and layouts
- Fix BreadcrumbList JSON-LD: escape names with json_encode, remove item URL from last breadcrumb
- Update deploy.yml cron schedule from 3h/13h/19h/23h to 1h/22h
- Add <title> tags to rgpd_deletion.html.twig and rgpd_access.html.twig
- Add scope attributes to all <th> tags in rgpd_access.html.twig
- Replace deprecated width/cellpadding/cellspacing HTML attributes with CSS in scan_force_notification email

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 08:40:28 +02:00
Serreau Jovann
300e7f0be9 Add scheduled auto-deploy at 3h, 13h, 19h, 23h daily
Also rotates SECRET_ANALYTICS at each deploy for dynamic endpoint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 12:27:35 +01:00
Serreau Jovann
ddc49e49a7 Add npm install for OWASP Dependency-Check compatibility
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 13:38:15 +01:00
Serreau Jovann
93d8cb3b0f Add NVD API key to OWASP Dependency-Check via secret
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 13:35:33 +01:00
Serreau Jovann
373fdfd138 aa
2026-03-21 13:24:33 +01:00
Serreau Jovann
a4c048a6eb Remove dependency caching from CI
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 13:23:15 +01:00
Serreau Jovann
c178fb1154 Add Composer and Bun dependency caching to CI
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 13:18:47 +01:00
Serreau Jovann
cddc784c13 Consolidate CI into single sonarqube job with all checks
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 13:17:40 +01:00
Serreau Jovann
259a17c788 Simplify deploy workflow: SSH into server and run Ansible locally
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 13:23:19 +01:00
Serreau Jovann
7cce3a2999 Add OWASP Dependency-Check integration for SonarQube
- Add sonar.dependencyCheck.jsonReportPath and htmlReportPath to sonar-project.properties
- Add Dependency-Check action scanning composer.lock and package.json
- Generate JSON and HTML reports for SonarQube analysis
- Add to ci.yml sonarqube job and sonarqube.yml workflow

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 14:41:25 +01:00
Serreau Jovann
7474ada434 Add ESLint and Hadolint reports for SonarQube analysis
- Add sonar.eslint.reportPaths and sonar.docker.hadolint.reportPaths
- Generate ESLint JSON report in CI frontend and sonarqube jobs
- Generate Hadolint JSON reports for dev and prod Dockerfiles
- Add reports to ci.yml and sonarqube.yml workflows

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 14:40:08 +01:00
Serreau Jovann
8275e65eb9 Add PHPStan report for SonarQube analysis
- Add sonar.php.phpstan.reportPaths to sonar-project.properties
- Generate phpstan-report.json in CI php job, sonarqube job, and sonarqube.yml workflow

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 14:38:29 +01:00
Serreau Jovann
df7680d938 Add admin panel, Meilisearch buyer search, email redesign, and multiple features
Admin panel (/admin, ROLE_ROOT):
- Dashboard with CA HT Global/Commission cards and Meilisearch sync button
- Buyers page with search (Meilisearch), create form, pagination (KnpPaginator)
- Buyer actions: resend verification, force verify, reset password, delete
- Organizers page with tabs (pending/approved), approve/reject with emails
- Neo-brutalist design matching main site theme
- Vite admin entry point with dedicated SCSS
- CSP-compatible confirm dialogs via data-confirm attributes

Meilisearch integration:
- Auto-index buyers on email verification
- Remove from index on buyer deletion
- Manual sync button on dashboard
- Search bar on buyers page
- Add Meilisearch service to CI/SonarQube workflows
- Add MEILISEARCH env vars to .env.test
- Fix MeilisearchMessageHandler infinite loop: use request() directly instead
  of service methods that re-dispatch messages

Email templates:
- Redesign base email template to neo-brutalist style (borders, shadows, yellow footer)
- Add E-Cosplay logo, "E-Ticket solution proposee par e-cosplay.fr"
- Add admin_reset_password, organizer_approved, organizer_rejected templates

Other:
- Install knplabs/knp-paginator-bundle
- Add ^/admin access_control for ROLE_ROOT in security.yaml
- Update site footer with E-Ticket branding
- 18 admin tests, updated MeilisearchMessageHandler tests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 14:07:07 +01:00
Serreau Jovann
9a8255a4ba Add JS test coverage to SonarQube job in CI workflow
- Add Node.js and Bun setup steps to the sonarqube job
- Install JS dependencies and run bun test:coverage before SonarQube scan

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 08:57:32 +01:00
Serreau Jovann
922e8c5e02 Add JS tests, refactor SitemapController, extract JS modules
- Extract mobile-menu.js and tabs.js from app.js
- Add Vitest tests with happy-dom and v8 coverage (100% on modules)
- Add JS test step to CI frontend and SonarQube workflows
- SonarQube: add JS lcov coverage report path
- SitemapController: extract URLSET_TEMPLATE constant, deduplicate methods

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 00:19:34 +01:00
Serreau Jovann
fd918c0323 Add manual SonarQube full scan workflow
- Manual trigger only (workflow_dispatch)
- Full pipeline: bun install, bun build, PHPUnit with coverage
- Force SonarQube to re-analyze all files (forceReloadAll)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 23:15:10 +01:00
Serreau Jovann
6bbfe28c05 Fix CI: downgrade setup-bun to v1, fix test database name
- setup-bun v2 uses node24, downgrade to v1 (node20 compat)
- DB name e_ticket + Symfony _test suffix = e_ticket_test
- Add doctrine:database:create before schema:create

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 23:00:43 +01:00
Serreau Jovann
89f74de702 Add missing templates, add PostgreSQL and Redis services to CI
- Create 13 missing Twig templates (account, security, legal, unsubscribe, pages)
- CI: add PostgreSQL and Redis service containers for php and sonarqube jobs
- CI: create database schema before running tests
- Use null mailer in test environment

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 22:57:38 +01:00
Serreau Jovann
2d90440692 Run SonarQube only after php and frontend jobs succeed
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 22:54:34 +01:00
Serreau Jovann
dc21c6a738 Consolidate CI: merge jobs, add coverage to SonarQube
- Merge lint, quality-php, security, test into single php job
- Merge quality-frontend and build into single frontend job
- SonarQube: generate coverage.xml before scan

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 22:53:47 +01:00
Serreau Jovann
dc3d464b17 Add PHPUnit tests with coverage for all src classes
- 21 test files covering controllers, services, entities, enums, messages
- CI: add test job with Xdebug coverage (clover + text)
- SonarQube: configure coverage report path and test sources

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 22:50:23 +01:00
Serreau Jovann
d13e9b6b80 Downgrade setup-node to v3 for Gitea runner compat (node20)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 22:45:21 +01:00
Serreau Jovann
7a2f54a491 Add Node.js 22 setup in CI for frontend jobs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 22:40:43 +01:00
Serreau Jovann
12344fe33d Add SonarQube scan to CI pipeline
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 22:21:07 +01:00
Serreau Jovann
160369f0f6 Add CI pipeline, Meilisearch service, CacheService and code quality tools
- CI: lint, PHPStan, PHP CS Fixer, ESLint, Stylelint, security audit, build
- MeilisearchService: async via Messenger, sync search
- MeilisearchMessage + handler for async operations
- CacheService with CacheKey enum (TTL per key, remember pattern)
- Meilisearch env vars in .env.local, vault and env.local.j2
- Messenger routing for MeilisearchMessage
- PHPStan level 6, ESLint, Stylelint configs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 22:08:54 +01:00
Serreau Jovann
46a84a9f9a Merge deploy playbooks, add env.local template, update MailerService
- Fuse deploy-caddy.yml and cloudflare.yml into deploy.yml
- Add env.local.j2 template for production secrets
- Vault: add all production secrets
- Workflow: single deploy.yml playbook
- MailerService: rewrite with S/MIME signing, email tracking, unsubscribe
- ngrok-sync: run as root for .env.local write access
- Fix domain references to ticket.e-cosplay.fr

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 21:24:31 +01:00
Serreau Jovann
e3de0da1bf Add Cloudflare automation, ngrok tunnel, fix Dockerfiles
- Ansible cloudflare.yml: DNS, SSL, HSTS, Brotli, bot fight, SEO bots allow
- Vault: add cloudflare_zone_id
- Workflow: run cloudflare config before deploy
- docker-compose-dev: add ngrok tunnel, vault, minio
- Ngrok sync script: writes OUTSIDE_URL to .env.local
- Fix Dockerfiles: remove mbstring/xml (built-in PHP 8.4), fix libfreetype-dev
- Makefile: maintenance_on/off, clear_prod
- Playbook: stop_prod, install_prod, start_prod, migrate, clear steps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 21:06:11 +01:00
Serreau Jovann
507500e20d Update deployment pipeline, Makefile and README
- Makefile: add install_dev, install_prod, migrations, clear_prod, maintenance commands
- Playbook: full deploy flow (maintenance, stop, install, start, migrate, clear, caddy, messenger)
- Supervisor config for 2 messenger instances
- Workflow: SSH key setup with server IP
- hosts.ini: use IP instead of domain, sudo without password
- README: full documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 20:52:01 +01:00
Serreau Jovann
f822a9a069 Add deployment pipeline, maintenance page and project config
- Makefile: install_dev, install_prod, migration/migrate commands
- docker-compose-dev: add Caddy and Bun services
- docker-compose-prod: remove exposed pgbouncer port
- Ansible: Caddy template with maintenance mode (503), vault, deploy playbook
- Gitea workflow: manual deploy to production
- Maintenance page (Neubrutalism style)
- LICENSE: proprietary license

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 20:40:40 +01:00