Refactor release build process: Updated README.md to clarify branch usage and workflow for development and production. Enhanced Gitea and GitHub workflows to automate merging from dev to main, ensuring consistent obfuscation and asset management during releases. Improved commit messages and streamlined the build process for better clarity and efficiency.

Enhance obfuscation workflow and asset processing: Updated the Gitea workflow to skip CI for specific commit messages, improving efficiency. Refactored the obfuscation script to include better asset handling, validation, and cleanup processes, ensuring only valid files are processed. Introduced temporary directories for intermediate files during obfuscation, enhancing reliability and reducing errors.
2026-06-02 08:28:43 +00:00 · 2026-05-28 17:42:06 +02:00 · 2026-05-28 17:32:21 +02:00
5 changed files with 238 additions and 58 deletions
--- a/.gitea/workflows/obfuscate-main.yml
+++ b/.gitea/workflows/obfuscate-main.yml
@@ -1,9 +1,9 @@
-name: Obfuscate Main Build
+name: Release Build (dev → main)

 on:
  push:
    branches:
-      - main
+      - dev
  workflow_dispatch:

 env:
@@ -11,18 +11,34 @@ env:
  REPO_PATH: smueller/HexaHost-Frontend

 jobs:
-  obfuscate:
-    # Kein erneuter Lauf nach dem Bot-Commit
+  release-build:
    if: ${{ !contains(github.event.head_commit.message, '[skip ci]') }}
    runs-on: ubuntu-latest

    steps:
-      - name: Checkout
+      - name: Checkout (volle History)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          # Gitea liefert intern oft eine IP; Zertifikat gilt für git.hexahost.dev
          repository-url: https://git.hexahost.dev/smueller/HexaHost-Frontend
+          ref: dev
+
+      - name: Merge dev in CI-Workspace (Basis main)
+        env:
+          GITEA_TOKEN: ${{ github.token }}
+        run: |
+          git config user.name "gitea-actions"
+          git config user.email "actions@local"
+          git remote set-url origin "https://oauth2:${GITEA_TOKEN}@${GITEA_HOST}/${REPO_PATH}.git"
+          git fetch origin main dev
+
+          if git show-ref --verify --quiet refs/remotes/origin/main; then
+            git checkout -B main origin/main
+            git merge origin/dev -X theirs --no-edit -m "ci: merge dev for release build"
+          else
+            echo "main branch missing, initializing from dev"
+            git checkout -B main origin/dev
+          fi

      - name: Setup Python
        uses: actions/setup-python@v5
@@ -37,7 +53,7 @@ jobs:
      - name: Run release obfuscation
        run: python scripts/obfuscate_release.py --root . --hash-assets

-      - name: Commit obfuscated build
+      - name: Publish release to main
        env:
          GITEA_TOKEN: ${{ github.token }}
        run: |
@@ -46,8 +62,8 @@ jobs:
          git remote set-url origin "https://oauth2:${GITEA_TOKEN}@${GITEA_HOST}/${REPO_PATH}.git"
          git add -A
          if git diff --cached --quiet; then
-            echo "No build changes to commit."
+            echo "No release changes to publish."
            exit 0
          fi
          git commit -m "chore(release): obfuscate and hash production assets [skip ci]"
-          git push origin HEAD:main
+          git push origin main
--- a/.github/workflows/obfuscate-main.yml
+++ b/.github/workflows/obfuscate-main.yml
@@ -1,44 +1,70 @@
-name: Obfuscate Main Build
+# Hinweis: Gitea nutzt .gitea/workflows/obfuscate-main.yml (identischer Ablauf).
+name: Release Build (dev → main)

 on:
  push:
    branches:
-      - main
+      - dev
  workflow_dispatch:

-permissions:
-  contents: write
+env:
+  GITEA_HOST: git.hexahost.dev
+  REPO_PATH: smueller/HexaHost-Frontend

 jobs:
-  obfuscate:
-    if: github.actor != 'github-actions[bot]'
+  release-build:
+    if: ${{ !contains(github.event.head_commit.message, '[skip ci]') }}
    runs-on: ubuntu-latest

    steps:
-      - name: Checkout
+      - name: Checkout (volle History)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
+          repository-url: https://git.hexahost.dev/smueller/HexaHost-Frontend
+          ref: dev
+
+      - name: Merge dev in CI-Workspace (Basis main)
+        env:
+          GITEA_TOKEN: ${{ github.token }}
+        run: |
+          git config user.name "gitea-actions"
+          git config user.email "actions@local"
+          git remote set-url origin "https://oauth2:${GITEA_TOKEN}@${GITEA_HOST}/${REPO_PATH}.git"
+          git fetch origin main dev
+
+          if git show-ref --verify --quiet refs/remotes/origin/main; then
+            git checkout -B main origin/main
+            git merge origin/dev -X theirs --no-edit -m "ci: merge dev for release build"
+          else
+            echo "main branch missing, initializing from dev"
+            git checkout -B main origin/dev
+          fi

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
-          python-version: '3.12'
+          python-version: "3.12"

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
-          node-version: '20'
+          node-version: "20"

      - name: Run release obfuscation
        run: python scripts/obfuscate_release.py --root . --hash-assets

-      - name: Commit obfuscated build
+      - name: Publish release to main
+        env:
+          GITEA_TOKEN: ${{ github.token }}
        run: |
+          git config user.name "gitea-actions"
+          git config user.email "actions@local"
+          git remote set-url origin "https://oauth2:${GITEA_TOKEN}@${GITEA_HOST}/${REPO_PATH}.git"
          git add -A
          if git diff --cached --quiet; then
-            echo "No build changes to commit."
+            echo "No release changes to publish."
            exit 0
          fi
          git commit -m "chore(release): obfuscate and hash production assets [skip ci]"
-          git push
+          git push origin main
--- a/README.md
+++ b/README.md
@@ -166,9 +166,21 @@ Für den Produktivbetrieb `public/` als Webroot konfigurieren.

 ### Production-Build & Veröffentlichung

-Der Quellcode bleibt auf `dev`, der veröffentlichte Stand liegt auf `main`.
+| Branch | Zweck |
+|--------|--------|
+| **`dev`** | Entwicklung (lesbarer Code, Kommentare) |
+| **`main`** | Release/Produktion (obfuskiert, gehashte Assets) |

-Bei jedem Push/Merge auf `main` läuft die GitHub Action `.github/workflows/obfuscate-main.yml` automatisch und führt aus:
+**Workflow:** Nur auf `dev` entwickeln und pushen — **nicht** `dev` manuell nach `main` mergen.
+
+Bei jedem Push auf `dev` startet `.gitea/workflows/obfuscate-main.yml`:
+
+1. Checkout in temporärem Runner-Workspace
+2. `dev` in CI mit `main` mergen (`-X theirs`, dev-Inhalte bei Konflikten)
+3. Obfuscation-Build (`scripts/obfuscate_release.py --hash-assets`)
+4. Ergebnis nach `main` pushen (Bot-Commit mit `[skip ci]`)
+
+Der Build führt aus:

 - Entfernen von Kommentaren (inkl. Block-Kommentaren) in PHP/JS/CSS
 - Minify + Obfuscate für JavaScript
@@ -176,7 +188,7 @@ Bei jedem Push/Merge auf `main` läuft die GitHub Action `.github/workflows/obfu
 - Kein Source-Map-Output
 - Hashing von JS/CSS-Dateinamen + automatische Referenz-Anpassung

-Lokal ausführbar:
+Lokal testen (nur in Kopie, nicht committen):

 ```bash
 python scripts/obfuscate_release.py --root . --hash-assets
--- a/scripts/pycache/obfuscate_release.cpython-314.pyc
+++ b/scripts/pycache/obfuscate_release.cpython-314.pyc
--- a/scripts/obfuscate_release.py
+++ b/scripts/obfuscate_release.py
@@ -3,15 +3,17 @@ from __future__ import annotations

 import argparse
 import hashlib
-import os
 import re
 import shutil
 import subprocess
 import sys
+import tempfile
+from collections import defaultdict
 from pathlib import Path


 TEXT_EXTENSIONS = {".php", ".html", ".htm", ".xml", ".txt", ".js", ".css"}
+HASH_SUFFIX_RE = re.compile(r"\.[a-f0-9]{12}$", re.I)


 def strip_comments_keep_strings(text: str) -> str:
@@ -174,42 +176,124 @@ def minify_js_fallback(text: str) -> str:
    return text.strip()


-def run_cmd(command: list[str], cwd: Path, input_text: str | None = None) -> str:
+def canonical_asset_base(stem: str) -> str:
+    name = stem
+    while HASH_SUFFIX_RE.search(name):
+        name = HASH_SUFFIX_RE.sub("", name)
+    return name
+
+
+def is_skipped_asset(path: Path) -> bool:
+    lowered = path.as_posix().lower()
+    if ".min." in path.name or ".obf." in path.name or ".deob." in path.name:
+        return True
+    if "deobfuscated" in lowered:
+        return True
+    return False
+
+
+def is_valid_source_content(content: str) -> bool:
+    if "[javascript-obfuscator-cli]" in content:
+        return False
+    return len(content.strip()) >= 20
+
+
+def collect_asset_groups(asset_root: Path) -> dict[tuple[Path, str, str], list[Path]]:
+    groups: dict[tuple[Path, str, str], list[Path]] = defaultdict(list)
+    for ext in (".js", ".css"):
+        for file_path in sorted(asset_root.rglob(f"*{ext}")):
+            if is_skipped_asset(file_path):
+                continue
+            base = canonical_asset_base(file_path.stem)
+            key = (file_path.parent, base, ext)
+            groups[key].append(file_path)
+    return groups
+
+
+def pick_source_file(paths: list[Path], base: str, ext: str) -> Path | None:
+    if not paths:
+        return None
+
+    parent = paths[0].parent
+    plain = parent / f"{base}{ext}"
+    ordered: list[Path] = []
+    if plain in paths:
+        ordered.append(plain)
+    for candidate in sorted(paths, key=lambda p: len(p.name)):
+        if candidate not in ordered:
+            ordered.append(candidate)
+
+    for candidate in ordered:
+        try:
+            content = candidate.read_text(encoding="utf-8")
+        except (OSError, UnicodeDecodeError):
+            continue
+        if is_valid_source_content(content):
+            return candidate
+    return None
+
+
+def cleanup_invalid_siblings(paths: list[Path], source: Path) -> None:
+    for path in paths:
+        if path == source or not path.exists():
+            continue
+        try:
+            content = path.read_text(encoding="utf-8")
+        except (OSError, UnicodeDecodeError):
+            content = ""
+        if not is_valid_source_content(content):
+            path.unlink()
+
+
+def run_cmd(command: list[str], cwd: Path) -> None:
    proc = subprocess.run(
        command,
        cwd=str(cwd),
-        input=input_text,
        text=True,
        capture_output=True,
        check=False,
    )
    if proc.returncode != 0:
-        raise RuntimeError(proc.stderr.strip() or "command failed")
-    return proc.stdout
+        raise RuntimeError(proc.stderr.strip() or proc.stdout.strip() or "command failed")


 def process_js(path: Path, cwd: Path) -> None:
    original = path.read_text(encoding="utf-8")
+    if not is_valid_source_content(original):
+        raise ValueError(
+            f"invalid or corrupted JS source: {path} "
+            f"(restore e.g. 'git checkout dev -- {path.as_posix()}')"
+        )
+
    if shutil.which("npx"):
+        tmpdir = Path(tempfile.mkdtemp())
        try:
-            minified = run_cmd(
+            src = tmpdir / "input.js"
+            out = tmpdir / "output.js"
+            src.write_text(original, encoding="utf-8")
+            run_cmd(
                [
                    "npx",
                    "--yes",
                    "terser",
+                    str(src),
+                    "-o",
+                    str(src),
                    "--compress",
                    "--mangle",
                    "--comments",
                    "false",
                ],
                cwd,
-                input_text=original,
            )
-            obfuscated = run_cmd(
+            run_cmd(
                [
                    "npx",
                    "--yes",
                    "javascript-obfuscator",
+                    str(src),
+                    "--output",
+                    str(out),
                    "--compact",
                    "true",
                    "--control-flow-flattening",
@@ -224,38 +308,51 @@ def process_js(path: Path, cwd: Path) -> None:
                    "browser-no-eval",
                    "--source-map",
                    "false",
-                    "--output",
-                    "stdout",
                ],
                cwd,
-                input_text=minified,
            )
-            path.write_text(obfuscated.strip() + "\n", encoding="utf-8")
+            if not out.exists():
+                raise RuntimeError("obfuscator produced no output file")
+            result = out.read_text(encoding="utf-8")
+            if not is_valid_source_content(result):
+                raise RuntimeError("obfuscator output looks invalid")
+            path.write_text(result.strip() + "\n", encoding="utf-8")
            return
        except Exception:
            pass
+        finally:
+            shutil.rmtree(tmpdir, ignore_errors=True)
+
    path.write_text(minify_js_fallback(original) + "\n", encoding="utf-8")


 def process_css(path: Path, cwd: Path) -> None:
    original = path.read_text(encoding="utf-8")
    if shutil.which("npx"):
+        tmpdir = Path(tempfile.mkdtemp())
        try:
-            minified = run_cmd(
+            src = tmpdir / "input.css"
+            out = tmpdir / "output.css"
+            src.write_text(original, encoding="utf-8")
+            run_cmd(
                [
                    "npx",
                    "--yes",
                    "clean-css-cli",
+                    str(src),
+                    "-o",
+                    str(out),
                    "--skip-rebase",
                    "-O2",
                ],
                cwd,
-                input_text=original,
            )
-            path.write_text(minified.strip() + "\n", encoding="utf-8")
+            path.write_text(out.read_text(encoding="utf-8").strip() + "\n", encoding="utf-8")
            return
        except Exception:
            pass
+        finally:
+            shutil.rmtree(tmpdir, ignore_errors=True)
    path.write_text(minify_css_fallback(original) + "\n", encoding="utf-8")


@@ -266,8 +363,7 @@ def process_php(path: Path) -> None:


 def hash_file(path: Path) -> str:
-    digest = hashlib.sha256(path.read_bytes()).hexdigest()[:12]
-    return digest
+    return hashlib.sha256(path.read_bytes()).hexdigest()[:12]


 def replace_references(root: Path, mapping: dict[str, str]) -> None:
@@ -279,7 +375,7 @@ def replace_references(root: Path, mapping: dict[str, str]) -> None:
        except UnicodeDecodeError:
            continue
        updated = content
-        for src, dst in mapping.items():
+        for src, dst in sorted(mapping.items(), key=lambda item: len(item[0]), reverse=True):
            updated = updated.replace(src, dst)
            updated = updated.replace("/" + src, "/" + dst)
        if updated != content:
@@ -289,17 +385,32 @@ def replace_references(root: Path, mapping: dict[str, str]) -> None:
 def build_hash_mapping(public_root: Path) -> dict[str, str]:
    mapping: dict[str, str] = {}
    asset_root = public_root / "assets"
-    for ext in (".js", ".css"):
-        for file_path in sorted(asset_root.rglob(f"*{ext}")):
-            if ".min." in file_path.name or ".obf." in file_path.name:
-                continue
-            digest = hash_file(file_path)
-            new_name = f"{file_path.stem}.{digest}{file_path.suffix}"
-            new_path = file_path.with_name(new_name)
-            file_path.rename(new_path)
-            rel_old = file_path.relative_to(public_root).as_posix()
-            rel_new = new_path.relative_to(public_root).as_posix()
-            mapping[rel_old] = rel_new
+    if not asset_root.exists():
+        return mapping
+
+    groups = collect_asset_groups(asset_root)
+    for (parent, base, ext), paths in groups.items():
+        source = pick_source_file(paths, base, ext)
+        if source is None:
+            continue
+        digest = hash_file(source)
+        target = parent / f"{base}.{digest}{ext}"
+        rel_new = target.relative_to(public_root).as_posix()
+
+        for old in paths:
+            rel_old = old.relative_to(public_root).as_posix()
+            if rel_old != rel_new:
+                mapping[rel_old] = rel_new
+
+        if source != target:
+            if target.exists():
+                target.unlink()
+            source.replace(target)
+
+        for old in paths:
+            if old != target and old.exists():
+                old.unlink()
+
    return mapping


@@ -316,11 +427,26 @@ def main() -> int:
        print("public directory not found", file=sys.stderr)
        return 1

-    for js in sorted(public_root.rglob("*.js")):
-        process_js(js, repo_root)
-    for css in sorted(public_root.rglob("*.css")):
-        process_css(css, repo_root)
-    for php in sorted((repo_root / "public").rglob("*.php")):
+    asset_root = public_root / "assets"
+    if asset_root.exists():
+        groups = collect_asset_groups(asset_root)
+        for (parent, base, ext), paths in sorted(groups.items()):
+            source = pick_source_file(paths, base, ext)
+            if source is None:
+                rel = (parent / f"{base}{ext}").relative_to(public_root)
+                print(
+                    f"ERROR: No valid source for {rel}. "
+                    f"Restore from dev, e.g.: git checkout dev -- {rel}",
+                    file=sys.stderr,
+                )
+                return 1
+            cleanup_invalid_siblings(paths, source)
+            if ext == ".js":
+                process_js(source, repo_root)
+            else:
+                process_css(source, repo_root)
+
+    for php in sorted(public_root.rglob("*.php")):
        process_php(php)
    for php in sorted((repo_root / "backend").rglob("*.php")):
        process_php(php)
Author	SHA1	Message	Date
smueller	e9d5b55459	Refactor release build process: Updated README.md to clarify branch usage and workflow for development and production. Enhanced Gitea and GitHub workflows to automate merging from `dev` to `main`, ensuring consistent obfuscation and asset management during releases. Improved commit messages and streamlined the build process for better clarity and efficiency.	2026-05-28 17:42:06 +02:00
smueller	8f985da61f	Enhance obfuscation workflow and asset processing: Updated the Gitea workflow to skip CI for specific commit messages, improving efficiency. Refactored the obfuscation script to include better asset handling, validation, and cleanup processes, ensuring only valid files are processed. Introduced temporary directories for intermediate files during obfuscation, enhancing reliability and reducing errors.	2026-05-28 17:32:21 +02:00