ci: add daily rgaa review (#2874)

gary-van-woerkens · web-flow · commit eed5e493445d · 2026-03-03T12:50:11.000+01:00
diff --git a/.github/workflows/rgaa-audit.yaml b/.github/workflows/rgaa-audit.yaml
@@ -0,0 +1,203 @@
+name: "♿ RGAA Daily Audit"
+
+on:
+  schedule:
+    # Every weekday at 06:00 UTC (08:00 Paris time)
+    - cron: "0 6 * * 1-5"
+  workflow_dispatch:
+    inputs:
+      site_url:
+        description: "URL to audit (leave empty for alpha deployment)"
+        required: false
+        type: string
+
+concurrency:
+  group: rgaa-audit
+  cancel-in-progress: true
+
+jobs:
+  scan:
+    name: "axe-core scan"
+    runs-on: ubuntu-latest
+    outputs:
+      site_url: ${{ steps.url.outputs.site_url }}
+      audit_date: ${{ steps.date.outputs.today }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: alpha
+
+      - name: Get current date
+        id: date
+        run: echo "today=$(date -u +%Y-%m-%d)" >> "$GITHUB_OUTPUT"
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Install Playwright browsers
+        run: pnpm playwright:install
+
+      - name: Compute alpha deployment URL
+        if: ${{ !inputs.site_url }}
+        id: env
+        uses: socialgouv/kontinuous/.github/actions/env@v1
+        with:
+          branch: alpha
+
+      - name: Set site URL
+        id: url
+        env:
+          INPUT_SITE_URL: ${{ inputs.site_url }}
+          SUBDOMAIN: ${{ steps.env.outputs.subdomain }}
+        run: |
+          if [ -n "$INPUT_SITE_URL" ]; then
+            echo "site_url=$INPUT_SITE_URL" >> "$GITHUB_OUTPUT"
+          else
+            echo "site_url=https://${SUBDOMAIN}.ovh.fabrique.social.gouv.fr" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Wait for app to be ready
+        env:
+          SITE_URL: ${{ steps.url.outputs.site_url }}
+        run: |
+          for i in $(seq 1 10); do
+            HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "$SITE_URL" 2>/dev/null || echo "000")
+            if [ "$HTTP_CODE" = "200" ]; then
+              echo "App is ready!"
+              exit 0
+            fi
+            echo "Health check returned $HTTP_CODE (attempt $i/10). Waiting 10s..."
+            sleep 10
+          done
+          echo "::error::App not ready after 100 seconds"
+          exit 1
+
+      - name: Run RGAA audit
+        run: pnpm test:rgaa
+        env:
+          SITE_URL: ${{ steps.url.outputs.site_url }}
+          PLAYWRIGHT_BASE_URL: ${{ steps.url.outputs.site_url }}
+          CI: "true"
+
+      - name: Upload axe-core results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: rgaa-results
+          path: packages/app/rgaa-results.json
+          retention-days: 30
+
+  report:
+    name: "Claude report & wiki publish"
+    needs: scan
+    if: always() && needs.scan.result != 'cancelled'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: alpha
+
+      - name: Download axe-core results
+        uses: actions/download-artifact@v4
+        with:
+          name: rgaa-results
+          path: .
+
+      - name: Run Claude Code — Generate report & publish to wiki
+        id: claude
+        uses: anthropics/claude-code-action@9d86c9b0c946914e9c71ac5ee1c008959cbfa9af # v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          show_full_output: true
+          direct_prompt: |
+            Tu es un expert accessibilité RGAA. Tu dois rédiger un rapport d'audit RGAA à partir des résultats axe-core ci-dessous, puis le publier sur le wiki GitHub.
+
+            ## Données
+
+            - URL auditée : ${{ needs.scan.outputs.site_url }}
+            - Commit : ${{ github.sha }}
+            - Date : ${{ needs.scan.outputs.audit_date }}
+            - Fichier de résultats : `rgaa-results.json` (à la racine du repo)
+
+            ## Instructions
+
+            1. **Lis le fichier `rgaa-results.json`** qui contient les résultats axe-core pour chaque page auditée.
+
+            2. **Rédige un rapport Markdown** avec cette structure :
+
+               ```
+               # Rapport RGAA — Egapro
+
+               > Dernier audit : YYYY-MM-DD | Commit : SHA | URL : ... | Pages : N
+
+               ## Résumé
+
+               | Sévérité | Violations |
+               |----------|-----------|
+               | 🔴 Critique | N |
+               | 🟠 Sérieuse | N |
+               | 🟡 Modérée  | N |
+               | 🔵 Mineure  | N |
+               | **Total** | **N** |
+
+               ## Actions prioritaires
+
+               Liste numérotée des violations les plus impactantes, regroupées quand la même violation apparaît sur plusieurs pages. Pour chaque action :
+               - Sévérité et règle axe-core
+               - Pages concernées
+               - Éléments CSS ciblés
+               - **Suggestion de correction concrète** en utilisant les composants et classes DSFR (utilise le MCP dsfr pour vérifier)
+
+               ## Détail par page
+
+               ### Nom de la page (chemin)
+               ✅ N règles passées | ⚠️ N incomplètes | ❌ N violations
+
+               | Règle | Sévérité | WCAG | Élément | Description | Correction suggérée |
+               |-------|----------|------|---------|-------------|-------------------|
+               ```
+
+            3. Pour le mapping WCAG → RGAA, utilise ces correspondances principales :
+               - WCAG 1.1.1 → RGAA 1 (Images)
+               - WCAG 1.3.x → RGAA 9 (Structure)
+               - WCAG 1.4.x → RGAA 3 (Couleurs) et 10 (Présentation)
+               - WCAG 2.1.x → RGAA 7 (Scripts) et 12 (Navigation)
+               - WCAG 2.4.x → RGAA 12 (Navigation)
+               - WCAG 3.1.x → RGAA 8 (Éléments obligatoires)
+               - WCAG 4.1.x → RGAA 7 (Scripts)
+
+            4. **Utilise le MCP `dsfr`** pour chercher les composants et classes appropriés dans tes suggestions de correction.
+
+            5. **Publie le rapport sur le wiki GitHub** :
+               ```bash
+               git config --global user.name "github-actions[bot]"
+               git config --global user.email "github-actions[bot]@users.noreply.github.com"
+               git clone "https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.wiki.git" /tmp/wiki
+               # Écris le rapport dans /tmp/wiki/RGAA-Audit-Report.md
+               cd /tmp/wiki
+               git add RGAA-Audit-Report.md
+               git diff --cached --quiet || git commit -m "Update RGAA audit report — ${{ needs.scan.outputs.audit_date }}"
+               git push
+               ```
+
+            6. Ta réponse finale doit confirmer la publication et inclure un résumé des violations trouvées.
+          claude_args: >-
+            --max-turns 15
+            --mcp-config '{"mcpServers":{"dsfr":{"command":"npx","args":["-y","dsfr-mcp"]}}}'
+            --allowedTools "Read,Bash(git *),Bash(cat *),mcp__dsfr__list_components,mcp__dsfr__get_component_doc,mcp__dsfr__search_components,mcp__dsfr__search_icons,mcp__dsfr__get_color_tokens"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/package.json b/package.json
@@ -32,6 +32,7 @@
 		"db:push": "pnpm --filter app run db:push",
 		"db:studio": "pnpm --filter app run db:studio",
 		"test:e2e": "PLAYWRIGHT_BASE_URL=${SITE_URL:-http://localhost:3000} pnpm --filter app run test:e2e",
+		"test:rgaa": "PLAYWRIGHT_BASE_URL=${SITE_URL:-http://localhost:3000} pnpm --filter app run test:rgaa",
 		"playwright:install": "pnpm --filter app exec playwright install --with-deps chromium",
 		"test:lighthouse": "pnpm --filter app run test:lighthouse",
 		"release": "semantic-release"
diff --git a/packages/app/package.json b/packages/app/package.json
@@ -24,6 +24,7 @@
 		"test:coverage": "vitest run --coverage",
 		"test:e2e": "playwright test",
 		"test:e2e:ui": "playwright test --ui",
+		"test:rgaa": "playwright test --config playwright.rgaa.config.ts",
 		"test:lighthouse": "lhci collect --url=${LIGHTHOUSE_URL:-http://localhost:3000} && lhci upload && lhci assert",
 		"typecheck": "tsc --noEmit"
 	},
@@ -48,6 +49,7 @@
 		"zod": "^4.3.6"
 	},
 	"devDependencies": {
+		"@axe-core/playwright": "^4.11.1",
 		"@biomejs/biome": "^2.4.2",
 		"@lhci/cli": "^0.15.1",
 		"@playwright/test": "^1.58.2",
diff --git a/packages/app/playwright.rgaa.config.ts b/packages/app/playwright.rgaa.config.ts
@@ -0,0 +1,34 @@
+import { defineConfig, devices } from "@playwright/test";
+
+const baseURL = process.env.PLAYWRIGHT_BASE_URL ?? "http://localhost:3000";
+const isRemote = !!process.env.SITE_URL;
+
+export default defineConfig({
+	testDir: "./src/e2e",
+	testMatch: "**/rgaa-audit.spec.ts",
+	fullyParallel: false,
+	forbidOnly: !!process.env.CI,
+	retries: 0,
+	workers: 1,
+	reporter: [["json", { outputFile: "rgaa-results.json" }], ["list"]],
+	use: {
+		baseURL,
+		trace: "off",
+	},
+	projects: [
+		{
+			name: "rgaa-audit",
+			use: { ...devices["Desktop Chrome"] },
+		},
+	],
+	...(isRemote
+		? {}
+		: {
+				webServer: {
+					command: "pnpm dev",
+					url: baseURL,
+					reuseExistingServer: true,
+					timeout: 120_000,
+				},
+			}),
+});
diff --git a/packages/app/src/e2e/helpers/axe-scan.ts b/packages/app/src/e2e/helpers/axe-scan.ts
@@ -0,0 +1,49 @@
+import AxeBuilder from "@axe-core/playwright";
+import type { Page } from "@playwright/test";
+
+/** Axe-core violation result for a single page. */
+export type PageAuditResult = {
+	url: string;
+	label: string;
+	violations: Array<{
+		id: string;
+		impact: string;
+		description: string;
+		helpUrl: string;
+		wcagTags: string[];
+		nodes: Array<{
+			target: string[];
+			failureSummary: string;
+		}>;
+	}>;
+	passesCount: number;
+	incompleteCount: number;
+};
+
+/** Run axe-core WCAG 2.1 AA audit on the current page. */
+export async function scanPage(
+	page: Page,
+	label: string,
+): Promise<PageAuditResult> {
+	const results = await new AxeBuilder({ page })
+		.withTags(["wcag2a", "wcag2aa", "wcag21a", "wcag21aa", "best-practice"])
+		.analyze();
+
+	return {
+		url: page.url(),
+		label,
+		violations: results.violations.map((v) => ({
+			id: v.id,
+			impact: v.impact ?? "unknown",
+			description: v.description,
+			helpUrl: v.helpUrl,
+			wcagTags: v.tags.filter((t) => t.startsWith("wcag")),
+			nodes: v.nodes.map((n) => ({
+				target: n.target.map(String),
+				failureSummary: n.failureSummary ?? "",
+			})),
+		})),
+		passesCount: results.passes.length,
+		incompleteCount: results.incomplete.length,
+	};
+}
diff --git a/packages/app/src/e2e/rgaa-audit.spec.ts b/packages/app/src/e2e/rgaa-audit.spec.ts
@@ -0,0 +1,62 @@
+import { type Page, test } from "@playwright/test";
+
+import { scanPage } from "./helpers/axe-scan";
+import { loginWithProConnect } from "./helpers/login";
+
+/** Scan a page with axe-core and attach results to the test report (no assertion). */
+async function auditPage(page: Page, path: string, label: string) {
+	await page.goto(path);
+	await page.waitForLoadState("networkidle");
+	const result = await scanPage(page, label);
+
+	await test.info().attach("axe-results", {
+		body: JSON.stringify(result, null, 2),
+		contentType: "application/json",
+	});
+}
+
+// -- Public pages --
+
+test.describe("RGAA audit — public pages", () => {
+	test("Accueil (/)", async ({ page }) => {
+		await auditPage(page, "/", "Accueil");
+	});
+
+	test("Connexion (/login)", async ({ page }) => {
+		await auditPage(page, "/login", "Connexion");
+	});
+
+	test("404", async ({ page }) => {
+		await auditPage(page, "/page-inexistante", "404 Not Found");
+	});
+});
+
+// -- Authenticated pages --
+
+test.describe("RGAA audit — authenticated pages", () => {
+	test.beforeEach(async ({ page }) => {
+		await loginWithProConnect(page);
+	});
+
+	test("Déclaration — Introduction", async ({ page }) => {
+		await auditPage(
+			page,
+			"/declaration-remuneration",
+			"Déclaration — Introduction",
+		);
+	});
+
+	for (const step of [1, 2, 3, 4, 5, 6]) {
+		test(`Déclaration — Étape ${step}`, async ({ page }) => {
+			await auditPage(
+				page,
+				`/declaration-remuneration/etape/${step}`,
+				`Déclaration — Étape ${step}`,
+			);
+		});
+	}
+
+	test("Mes entreprises", async ({ page }) => {
+		await auditPage(page, "/mon-espace/mes-entreprises", "Mes entreprises");
+	});
+});
diff --git a/packages/app/vitest.config.ts b/packages/app/vitest.config.ts
@@ -36,14 +36,15 @@ export default defineConfig({
 		globals: true,
 		setupFiles: ["./src/test/setup.ts"],
 		include: ["src/**/*.{test,spec}.{ts,tsx}"],
-		exclude: ["src/**/*.e2e.{ts,tsx}", "node_modules", ".next"],
+		exclude: ["src/**/*.e2e.{ts,tsx}", "src/e2e/**", "node_modules", ".next"],
 		coverage: {
 			provider: "v8",
 			reporter: ["text", "lcov", "html"],
 			exclude: [
 				"node_modules/**",
 				".next/**",
 				"src/test/**",
+				"src/e2e/**",
 				"**/*.config.*",
 				"**/*.d.ts",
 			],
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
