refactor(ci): composite actions instead of reusable workflows (Forgejo 11)

Forgejo 11.0.15 does NOT support reusable workflows (job-level `uses:` /
`workflow_call`): the call is silently dropped and no run is scheduled (verified
live — a same-repo and a cross-repo reusable call both produced zero runs, while
an equivalent inline job ran green). The working cross-repo reuse primitive here
is the COMPOSITE ACTION referenced by FULL URL (a short-form
`uses: olsitec/foundation/...@master` resolves against the runner's
DEFAULT_ACTIONS_URL = data.forgejo.org, not the local instance, and 404s; the
full-URL form `uses: https://forge.olsitec.net/olsitec/foundation/actions/<x>@master`
was verified green).

- Replace the four reusable-*.yml with composite actions under actions/:
  node-build, docker-build, lint, semantic-release-version (same logic + inputs).
- actions/README.md documents the pattern, the Forgejo-11 limitation, and the
  999_testing candidate coverage (C2/C3/C4 self-contained; C1/C5 blocked on the
  not-yet-published @olsitec package registry).
- ecosystem-selftest paths filter: actions/** (was reusable-*.yml).

The capabilities that need no external repo (semantic-release bump sequence,
eslint/yamllint gates) keep running green via ecosystem-selftest's inline jobs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Andreas Niemann 2026-07-01 01:14:51 +02:00
parent 67157a0de0
commit 35dc008759
12 changed files with 335 additions and 277 deletions

actions/README.md Normal file

@ -0,0 +1,61 @@
# Ecosystem CI — reusable composite actions
These are the shared CI building blocks for Olsitec projects on the foundation
forge (`documentation/999_testing.md`). Downstream repos reference them at **step
level** with a **full URL**:
```yaml
# .forgejo/workflows/ci.yml in any project repo
name: ci
on: [push]
jobs:
build:
runs-on: docker
container: { image: foundation-ci:latest }
steps:
- uses: actions/checkout@v4
- uses: https://forge.olsitec.net/olsitec/foundation/actions/node-build@master
with: { package-manager: bun, build: "bun run build" }
```
## Why composite actions, not reusable workflows
The original plan was **reusable workflows** (`uses: olsitec/foundation/.forgejo/
workflows/x.yml@master`, `on: workflow_call`). **Forgejo 11.0.15 does not support
reusable workflows** — a job-level `uses:` (or `workflow_call`) is silently dropped
and **no run is scheduled** (verified live: a same-repo and cross-repo reusable call
both produced zero runs, while an equivalent inline job ran green). The working
cross-repo reuse primitive on this Forgejo is the **composite action**, referenced by
**full URL** (a short-form `uses: olsitec/foundation/...@master` resolves against the
runner's `DEFAULT_ACTIONS_URL` = `data.forgejo.org`, not the local instance, and 404s).
If the forge is later upgraded to a Forgejo with reusable-workflow support, these can
be re-expressed as `workflow_call` workflows; until then, composite actions are the
contract.
## Actions
| Action | Purpose | Key inputs |
|--------|---------|------------|
| `node-build` | install + build an npm/bun/none project | `package-manager`, `build`, `workdir` |
| `docker-build` | `docker build` via the host socket (caller mounts it) | `image`, `dockerfile`, `context`, `build-args`, `push` |
| `lint` | eslint + yamllint gate (error → non-zero) | `eslint-paths`, `yamllint-paths`, `package-manager` |
| `semantic-release-version` | dry-run next-version probe (conventionalcommits) | `branch` → output `version` |
All run in the baked `foundation-ci:latest` image (the caller sets
`container.image`). The caller must `actions/checkout@v4` first; `docker-build`
callers must also mount `/var/run/docker.sock`; `semantic-release-version` callers
must checkout with `fetch-depth: 0`.
## Candidate coverage (999_testing)
| Candidate | Shape | Action | Status |
|-----------|-------|--------|--------|
| olsicrypto | npm package (tsc) | `node-build` (npm) | self-contained ✓ |
| document-engine | bun package (tsc) | `node-build` (bun) | self-contained ✓ |
| olsitrack/api | no-artifact / versioned | `node-build` (empty build) | self-contained ✓ |
| seaspots-homepage | docker, dep `@olsitec/svelte-common` | `docker-build` | blocked on the package registry (Stage-2) |
| token-service | docker, dep `@olsitec/olsicrypto` | `docker-build` | blocked on the package registry (Stage-2) |
The semantic-release bump sequence and the eslint/yamllint gates are continuously
proven by `.forgejo/workflows/ecosystem-selftest.yml` on the foundation's own runner.
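Review bot: the usage example and the full-URL contract pin the cross-repo action to a mutable branch (`uses: https://forge.olsitec.net/olsitec/foundation/actions/node-build@master`), so any push to foundation `master` changes the steps that run inside every downstream repo's CI without a change in that repo. Consider documenting a tag or full commit SHA as the supported ref and using it in the example, with `@master` reserved for the foundation's own self-test. The same applies to `container: { image: foundation-ci:latest }`, where an image digest or versioned tag would make runs reproducible. In the "Actions" section, the requirement that `docker-build` callers mount `/var/run/docker.sock` gives that job control of the host's Docker daemon; the README should state this and say which repos or branches are expected to use it. It would also help to note that the short-form `actions/checkout@v4` in the example resolves against `DEFAULT_ACTIONS_URL` (`data.forgejo.org`, per the paragraph below it), so the documented workflow pulls actions from two different origins.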