drop SRI + integrity checks, pin assets/styles.css to stable filename, skip Mermaid in minify-dist#2439
Merged
…kip vendored mermaid in minify Agent-Logs-Url: https://github.com/Hack23/riksdagsmonitor/sessions/0222c81a-31f5-4741-89e4-ad791448fa82 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
…inify-dist, simplify deploy Agent-Logs-Url: https://github.com/Hack23/riksdagsmonitor/sessions/42357323-ea71-44ec-861f-027ebcd2c8ab Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
🔍 Lighthouse Performance Audit
📥 Download full Lighthouse report. Budget Compliance: Performance budgets enforced via
🏷️ Automatic Labeling Summary
This PR has been automatically labeled based on the files changed and PR metadata. Applied labels: documentation, dependencies, html-css, javascript, workflow, translation, rtl, ci-cd, deployment, performance, testing, refactor, size-xl, news.
Copilot created this pull request from a session on behalf of pethers, May 12, 2026 21:08.
## Summary

Per user direction: "Need no sha and integrity checks, all code/script/css on s3/cloudfront is trusted" + "Never want strange css filenames, only standard filename. NO strange generated changing suffixes".

This PR removes the `vite-plugin-sri-gen` + `update-sri.ts` integrity-rewrite pipeline end-to-end, pins the main CSS bundle to a canonical, non-hashed filename (`assets/styles.css`), and hardens the deploy-time minify pass against the vendored Mermaid chunk graph.

## Why now

PR #2428 added a deploy-time `purge-css → minify → update-sri` pipeline that mutates CSS / JS bytes after Vite has already content-hashed filenames and stamped SRI integrity into 4 911 HTML pages. Result:

- `assets/styles-<hash>.css` URL → any browser holding HTML in cache (max-age=3600) has stale `integrity="sha384-OLD"` ≠ new bytes → SRI blocks the stylesheet → unstyled page until force-reload.
- `https://riksdagsmonitor.com/assets/styles.css` 404'd for any external consumer (CloudFront fell back to index.html).
- `js/lib/mermaid/` were re-minified by `coderaiser/minify` (their basenames don't carry `.min.`), risking subtle breakage of the carefully-rolled chunk graph.

Per the repo's "trust S3 / CloudFront" platform classification — already documented in `vite.config.js` and `scripts/strip-legacy-chrome-script-tags.ts` — first-party assets do not require browser-side SRI; integrity is enforced by TLS + bucket policy + CloudFront WAF.
## Changes

### Phase A — stable CSS URL & no SRI

- `vite.config.js` — `assetFileNames` pins `styles.css` → `assets/styles.css` (no content hash). `vite-plugin-sri-gen` removed from the plugin chain.
- `scripts/vite-plugin-static-pages.js` — rewrites `href="styles.css"` → `assets/styles.css` (relative-aware), no longer injects `integrity`/`crossorigin` on `<link rel="stylesheet">` tags. Module-script rewrite preserved.
- `scripts/purge-css.ts` — targets `dist/styles.css`, `dist/assets/styles.css` (canonical), and `dist/assets/styles-*.css` (legacy hashed, for back-compat with older fixtures).
- `scripts/deploy-s3.sh` — ships `assets/styles.css` with `cache-control: public, max-age=3600, must-revalidate` (ETag handles updates); legacy `dist/styles.css` fallback preserved when present.

### Phase B — Mermaid hardening

- `scripts/minify-dist.ts` — adds path-based `SKIP_SUBPATHS` (`js/lib/mermaid`) so the Mermaid chunk graph (`chunk-*.mjs`, no `.min.` marker) is never re-minified.

### Phase D — remove update-sri end-to-end

- `scripts/update-sri.ts` — deleted (-393 LOC).
- `.github/workflows/deploy-s3.yml` — `update-sri.ts` step removed; comment updated to point at the new canonical CSS filename.
- `package.json` + `package-lock.json` — `vite-plugin-sri-gen` removed.

## Tests

- `tests/vite-plugin-static-pages.test.ts` — full rewrite. Asserts no `integrity`/`crossorigin` on CSS link, stable `assets/styles.css` rewrite, legacy hashed-bundle back-compat fallback when stable bundle absent. All script-rewrite regression coverage preserved.
- `tests/css-purge-and-minify.test.ts` — covers all 3 purge targets (root + stable + legacy hashed); new `minify-dist` test asserts `js/lib/mermaid/chunk-*.mjs` is byte-identical after the pass; wiring test asserts `update-sri.ts` step is gone in the workflow YAML; entire `update-sri` describe block (5 tests, ~230 LOC) removed.
- `tests/dashboard-bundle-integrity.test.ts` — asserts `href="../assets/styles.css"` (stable) and rejects regression to legacy hashed filename.

## Validation

- `npx vitest run`
- `npx eslint scripts/ tests/ vite.config.js`
- `npx tsc -p tsconfig.scripts.json --noEmit`
- `npm run build`: `dist/assets/styles.css` present, 0 `integrity=` attrs in `dist/index.html`
- `minify-dist.ts` run on `js/lib/mermaid/chunk-FAKE.mjs`

## Note on the original Phase C

The original PR plan included a Phase C (`--size-only` on HTML/metadata sync passes). I deliberately omitted it because mutable HTML can change without size change (translations, retitle, retag), and silently missing same-size content edits is a worse failure mode than re-uploading unchanged HTML. Happy to add if you confirm the trade-off is acceptable.

## Out of scope

`analysis/daily/**/article.md` and `political-intelligence_*.html` files appear in the diff because `npm run build` re-runs prebuild scripts that stamp `generated_at` / `og:updated_time` timestamps. These are timestamp-only churn — no semantic regression — and were committed by the standard `report_progress` flow.