refactor(ci): composite actions instead of reusable workflows (Forgejo 11)
All checks were successful
CI / preflight (push) Successful in 5s
CI / typecheck (push) Successful in 15s
ecosystem-selftest / semantic-release-bumptest (push) Successful in 13s
ecosystem-selftest / eslint-gate (push) Successful in 3s
ecosystem-selftest / yamllint-gate (push) Successful in 3s
pulumi-preview / preview (push) Successful in 16s

Forgejo 11.0.15 does NOT support reusable workflows (job-level `uses:` /
`workflow_call`): the call is silently dropped and no run is scheduled (verified
live — a same-repo and a cross-repo reusable call both produced zero runs, while
an equivalent inline job ran green). The working cross-repo reuse primitive here
is the COMPOSITE ACTION referenced by FULL URL (a short-form
`uses: olsitec/foundation/...@master` resolves against the runner's
DEFAULT_ACTIONS_URL = data.forgejo.org, not the local instance, and 404s; the
full-URL form `uses: https://forge.olsitec.net/olsitec/foundation/actions/<x>@master`
was verified green).

- Replace the four reusable-*.yml with composite actions under actions/:
  node-build, docker-build, lint, semantic-release-version (same logic + inputs).
- actions/README.md documents the pattern, the Forgejo-11 limitation, and the
  999_testing candidate coverage (C2/C3/C4 self-contained; C1/C5 blocked on the
  not-yet-published @olsitec package registry).
- ecosystem-selftest paths filter: actions/** (was reusable-*.yml).

The capabilities that need no external repo (semantic-release bump sequence,
eslint/yamllint gates) keep running green via ecosystem-selftest's inline jobs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Andreas Niemann 2026-07-01 01:14:51 +02:00
parent 67157a0de0
commit 35dc008759
12 changed files with 335 additions and 277 deletions

View file

@ -13,7 +13,7 @@ on:
paths:
- "ci/**"
- ".forgejo/workflows/ecosystem-selftest.yml"
- ".forgejo/workflows/reusable-*.yml"
- "actions/**"
workflow_dispatch:
jobs:

View file

@ -1,67 +0,0 @@
# reusable-docker-build — build a Docker image (999_testing candidates C1/C5).
#
# A REUSABLE workflow (on: workflow_call) downstream repos call:
# jobs:
# image:
# uses: olsitec/foundation/.forgejo/workflows/reusable-docker-build.yml@master
# with: { image: "olsitec/seaspots-homepage:ci", push: false }
#
# Builds against the HOST Docker daemon via the mounted socket (the foundation-ci
# image ships the docker CLI; the runner's valid_volumes allows the mount). NOTE
# (R5): the host socket is root-equivalent on the forge VM — this is acceptable
# ONLY for trusted first-party repos until the runner is fenced to its own VM.
#
# Candidates C1 (seaspots-homepage) and C5 (token-service) depend on @olsitec
# packages from a private registry that is not published yet (Stage-2). Their real
# builds need a registry / npmrc; this workflow proves the docker-build path and
# accepts a `build-args`/`npmrc` hook for when the registry exists.
name: reusable-docker-build
on:
workflow_call:
inputs:
context:
type: string
default: "."
dockerfile:
type: string
default: "Dockerfile"
image:
description: "image ref to tag, e.g. name:tag"
type: string
required: true
build-args:
description: "newline-separated KEY=VALUE docker --build-arg pairs"
type: string
default: ""
push:
description: "push to the foundation registry after build (registry must exist)"
type: boolean
default: false
jobs:
image:
runs-on: docker
container:
image: foundation-ci:latest
volumes:
- /var/run/docker.sock:/var/run/docker.sock
steps:
- uses: actions/checkout@v4
- name: Docker build
run: |
args=""
if [ -n "${{ inputs.build-args }}" ]; then
while IFS= read -r kv; do
[ -z "$kv" ] && continue
args="$args --build-arg $kv"
done <<'EOF'
${{ inputs.build-args }}
EOF
fi
echo "+ docker build -f ${{ inputs.dockerfile }} -t ${{ inputs.image }} $args ${{ inputs.context }}"
docker build -f "${{ inputs.dockerfile }}" -t "${{ inputs.image }}" $args "${{ inputs.context }}"
- name: Push
if: ${{ inputs.push }}
run: docker push "${{ inputs.image }}"

View file

@ -1,63 +0,0 @@
# reusable-lint — eslint + yamllint gate (999_testing "linter testing").
#
# A REUSABLE workflow (on: workflow_call). Either linter finding an error makes
# the job exit non-zero (the acceptance criterion). Prefers the project's own
# pinned eslint (node_modules/.bin) for config/plugin fidelity, falling back to
# the foundation-ci image's global eslint; yamllint comes from the image.
#
# jobs:
# lint:
# uses: olsitec/foundation/.forgejo/workflows/reusable-lint.yml@master
# with: { eslint-paths: ".", yamllint-paths: "." }
name: reusable-lint
on:
workflow_call:
inputs:
eslint:
type: boolean
default: true
yamllint:
type: boolean
default: true
eslint-paths:
type: string
default: "."
yamllint-paths:
type: string
default: "."
package-manager:
description: "bun | npm | none — to install project-local eslint config/plugins"
type: string
default: bun
jobs:
lint:
runs-on: docker
container:
image: foundation-ci:latest
steps:
- uses: actions/checkout@v4
- name: Install dependencies (project-local eslint config/plugins)
if: ${{ inputs.eslint }}
run: |
case "${{ inputs.package-manager }}" in
bun) bun install --frozen-lockfile || bun install || true ;;
npm) npm ci || npm install || true ;;
none) echo "skip install" ;;
esac
- name: eslint
if: ${{ inputs.eslint }}
run: |
if [ -x node_modules/.bin/eslint ]; then
echo "+ project eslint"; node_modules/.bin/eslint ${{ inputs.eslint-paths }}
else
echo "+ image eslint"; eslint ${{ inputs.eslint-paths }}
fi
- name: yamllint
if: ${{ inputs.yamllint }}
run: |
echo "+ yamllint ${{ inputs.yamllint-paths }}"
yamllint ${{ inputs.yamllint-paths }}

View file

@ -1,58 +0,0 @@
# reusable-node-build — build/test an npm- or bun-based project (999_testing).
#
# A REUSABLE workflow (on: workflow_call) downstream repos call:
# jobs:
# build:
# uses: olsitec/foundation/.forgejo/workflows/reusable-node-build.yml@master
# with: { package-manager: bun, build: "bun run build" }
#
# Runs in the baked foundation-ci image (bun + node present). Covers the
# non-Docker candidate shapes: npm package built with npm (olsicrypto), bun
# package built with bun (document-engine), and the no-build / versioned-only
# utility (olsitrack/api) via an empty `build`.
name: reusable-node-build
on:
workflow_call:
inputs:
package-manager:
description: "bun | npm | none (none = skip install)"
type: string
default: bun
build:
description: "build command to run verbatim (empty = skip, e.g. no-artifact repos)"
type: string
default: ""
workdir:
description: "working directory for install + build"
type: string
default: "."
jobs:
build:
runs-on: docker
container:
image: foundation-ci:latest
defaults:
run:
working-directory: ${{ inputs.workdir }}
steps:
- uses: actions/checkout@v4
- name: Install dependencies (${{ inputs.package-manager }})
run: |
case "${{ inputs.package-manager }}" in
bun) bun install --frozen-lockfile || bun install ;;
npm) npm ci || npm install ;;
none) echo "package-manager=none → skipping install" ;;
*) echo "unknown package-manager '${{ inputs.package-manager }}'" >&2; exit 1 ;;
esac
- name: Build
run: |
cmd='${{ inputs.build }}'
if [ -z "$cmd" ]; then
echo "no build command (non-artifact / versioned-only repo) — install-only check passed"
exit 0
fi
echo "+ $cmd"
eval "$cmd"

View file

@ -1,81 +0,0 @@
# reusable-semantic-release — compute the next semver from conventional commits
# (999_testing "semantic-release testing"). Mirrors the canonical GitLab template
# (olsitec/gitlab ci_templates/release-automation/semantic-release.yaml): the
# conventionalcommits preset + Olsitec's releaseRules, run as a `--dry-run --no-ci
# --tag-format '${version}'` version probe. Exposes the computed version as an output.
#
# jobs:
# version:
# uses: olsitec/foundation/.forgejo/workflows/reusable-semantic-release.yml@master
# build:
# needs: version
# runs-on: docker
# steps: [ run: echo "releasing ${{ needs.version.outputs.version }}" ]
#
# NOTE: dry-run only — it computes/prints the next version (the part exercised by
# 999_testing and the GitLab `generate-release-version` job). Actually PUBLISHING a
# release to Forgejo (tag + release + changelog) needs a Forgejo-side publish step
# and a token; that is deferred until the package/release flow is wired (the GitLab
# template publishes via @semantic-release/gitlab, which has no Forgejo analogue yet).
name: reusable-semantic-release
on:
workflow_call:
inputs:
branch:
type: string
default: master
outputs:
version:
description: "next release version (empty if the commits warrant no release)"
value: ${{ jobs.version.outputs.version }}
jobs:
version:
runs-on: docker
container:
image: foundation-ci:latest
outputs:
version: ${{ steps.compute.outputs.version }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # semantic-release needs full history + tags
- name: Write .releaserc.yaml (Olsitec conventionalcommits ruleset)
run: |
cat > .releaserc.yaml <<'EOF'
branches:
- name: ${{ inputs.branch }}
tagFormat: "${version}"
plugins:
- - "@semantic-release/commit-analyzer"
- preset: conventionalcommits
releaseRules:
- { breaking: true, release: major }
- { type: breaking, release: major }
- { type: feature, release: minor }
- { type: feat, release: minor }
- { type: fix, release: patch }
- { type: build, release: patch }
- { type: chore, release: patch }
- { type: ci, release: patch }
- { type: docs, release: patch }
- { type: perf, release: patch }
- { type: refactor, release: patch }
- { type: style, release: patch }
- { type: test, release: patch }
parserOpts:
noteKeywords: [ "BREAKING CHANGE", "BREAKING CHANGES" ]
- "@semantic-release/release-notes-generator"
EOF
- name: Compute next version (dry-run)
id: compute
run: |
out=$(semantic-release --dry-run --no-ci --tag-format '${version}' --branches "${{ inputs.branch }}" 2>&1 || true)
printf '%s\n' "$out"
ver=$(printf '%s\n' "$out" \
| grep -oiE 'next release version is [0-9]+\.[0-9]+\.[0-9]+' \
| grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | tail -1)
echo "computed next version: ${ver:-<none>}"
echo "version=$ver" >> "$GITHUB_OUTPUT"