fix(deploy): force-upload Mermaid runtime to S3 + add pre/post-deploy guards

[Copilot]

Articles embedding Mermaid diagrams (e.g. 2026-05-22-committee-reports-en.html) render blank with:

mermaid-init.mjs:56 [mermaid-init] Failed to load Mermaid:
TypeError: Failed to fetch dynamically imported module:
  https://riksdagsmonitor.com/js/lib/mermaid/mermaid.esm.min.mjs

Root cause

Browser attributes the failure to the top-level URL, but the actual 4xx is on the entry module's nested static imports:

URL	Status
/js/lib/mermaid/mermaid.esm.min.mjs (entry)	200
/js/lib/mermaid/chunks/mermaid.esm.min/chunk-*.mjs (~80 files)	403

Verified against deploy run 26294355929: copy-vendor-mermaid.ts stages 82 chunks into js/, cp -r js/* dist/js/ copies them into dist/, minify-dist.ts correctly skips js/lib/mermaid — but scripts/deploy-s3.sh's per-type aws s3 sync --include '*.mjs' --size-only pass uploaded zero .mjs files despite the chunks being absent from S3. The subsequent --delete --size-only orphan pass also uploaded nothing. Reproducing the exact sync decision in the sandbox without AWS creds is non-trivial, so the fix is defensive rather than a filter tweak.

Changes

• scripts/deploy-s3.sh — unconditional aws s3 cp --recursive pass for dist/js/lib/mermaid/*.mjs between per-type sync and orphan cleanup. cp doesn't size-compare, so the chunks are guaranteed to upload regardless of what sync decides. Same application/javascript + public, max-age=31536000, immutable headers as the per-type sync, so cache behavior is unchanged.

  aws s3 cp "$SRC/js/lib/mermaid" "$BUCKET/js/lib/mermaid" \
    --recursive --exclude '*' --include '*.mjs' \
    --no-guess-mime-type --content-type 'application/javascript' \
    --cache-control 'public, max-age=31536000, immutable'

• .github/workflows/deploy-s3.yml — two guards so a recurrence fails the workflow instead of silently shipping:

  • Pre-deploy assert (after cp -r js/* dist/js/): entry exists and chunks dir has ≥50 .mjs files.
  • Post-deploy probe (after CloudFront invalidation): HEAD the entry and the first staged chunk against the S3 bucket URL directly (bypasses CloudFront so a stale cache can't mask a real miss); any non-200 fails the run.

Runtime payload (~2.6 MB, 82 chunks) only changes on Mermaid version bumps, so the always-upload cost is negligible vs. the cost of articles silently rendering without diagrams.

[github-actions]

🏷️ Automatic Labeling Summary

This PR has been automatically labeled based on the files changed and PR metadata.

Applied Labels: workflow,ci-cd,deployment,refactor,size-m

Label Categories

• 🗳️ Content: news, dashboard, visualization, intelligence
• 💻 Technology: html-css, javascript, workflow, security
• 📊 Data: cia-data, riksdag-data, data-pipeline, schema
• 🌍 I18n: i18n, translation, rtl
• 🔒 ISMS: isms, iso-27001, nist-csf, cis-controls
• 🏗️ Infrastructure: ci-cd, deployment, performance, monitoring
• 🔄 Quality: testing, accessibility, documentation, refactor
• 🤖 AI: agent, skill, agentic-workflow

For more information, see .github/labeler.yml.

[github-actions]

🔍 Lighthouse Performance Audit

Category	Score	Status
Performance	85/100	🟡
Accessibility	95/100	🟢
Best Practices	90/100	🟢
SEO	95/100	🟢

📥 Download full Lighthouse report

Budget Compliance: Performance budgets enforced via budget.json

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.