mirror of
https://github.com/tiennm99/loto.git
synced 2026-05-14 08:58:34 +00:00
558d0c75b2
SvelteKit emits one inline bootstrap <script> in build/index.html and the CSP in static/_headers is relaxed to `script-src 'unsafe-inline'` to admit it. If a SvelteKit upgrade adds another inline block, the relaxation no longer matches reality and the new block could ship unhashed. `npm run verify:build` reads build/index.html, counts inline scripts (no `src=`), and fails when count > EXPECTED_INLINE (1). New GH Actions workflow runs test + build + verify on push/PR to main. Mutation-tested locally: setting EXPECTED_INLINE=0 fails as expected, restored to 1 passes.
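An added example, not the repository's own verify script: a Node.js version of the inline-script count the commit message describes, run over constructed HTML. It goes slightly beyond a plain `src=` test by parsing attributes, so `data-src=` is not mistaken for `src`, and by skipping non-executable data blocks; the function names and sample markup are assumptions.

```javascript
// Added example; not the repository's verify script. Names are assumptions.
const EXPECTED_INLINE = 1; // value stated in the commit message
// type values a browser executes; any other type marks a data block
const EXECUTABLE_TYPES = new Set(['', 'module', 'text/javascript', 'application/javascript']);

// Parse one start tag's attribute text into a lower-cased name -> value map.
function parseAttrs(text) {
  const attrs = new Map();
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of text.matchAll(re)) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Bodies of inline, executable <script> elements. HTML comments are not
// stripped, so a commented-out script is counted too: the check fails closed.
function inlineScripts(html) {
  const re = /<script\b((?:"[^"]*"|'[^']*'|[^>"'])*)>([\s\S]*?)<\/script\s*>/gi;
  const found = [];
  for (const m of html.matchAll(re)) {
    const attrs = parseAttrs(m[1]);
    if (attrs.has('src')) continue; // external: the browser ignores the inline body
    const type = (attrs.get('type') || '').trim().toLowerCase();
    if (EXECUTABLE_TYPES.has(type)) found.push(m[2]);
  }
  return found;
}

// Fails (ok: false) when the count exceeds the expected number of inline blocks.
function verifyBuild(html, expected = EXPECTED_INLINE) {
  const count = inlineScripts(html).length;
  return { ok: count <= expected, count };
}

// Constructed sample markup (not the project's real build output).
const SAMPLE_OK = `<!doctype html><html><head>
<script src="/assets/start.js"></script>
<script type="application/ld+json">{"name":"x"}</script>
</head><body>
<script>
  // the text src= inside the body does not make this script external
  startApp();
</script>
</body></html>`;
// Same page plus a second inline block that a substring search for "src=" would miss.
const SAMPLE_EXTRA = SAMPLE_OK.replace('</body>', '<script data-src="x">track()</script></body>');

console.log(verifyBuild(SAMPLE_OK), verifyBuild(SAMPLE_EXTRA));
```

Regex matching only approximates the HTML parser; where it is unsure it over-counts, which makes the build fail rather than pass.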