refactor(ci): composite actions instead of reusable workflows (Forgejo 11)
All checks were successful
CI / preflight (push) Successful in 5s
CI / typecheck (push) Successful in 15s
ecosystem-selftest / semantic-release-bumptest (push) Successful in 13s
ecosystem-selftest / eslint-gate (push) Successful in 3s
ecosystem-selftest / yamllint-gate (push) Successful in 3s
pulumi-preview / preview (push) Successful in 16s

Forgejo 11.0.15 does NOT support reusable workflows (job-level `uses:` /
`workflow_call`): the call is silently dropped and no run is scheduled (verified
live — a same-repo and a cross-repo reusable call both produced zero runs, while
an equivalent inline job ran green). The working cross-repo reuse primitive here
is the COMPOSITE ACTION referenced by FULL URL (a short-form
`uses: olsitec/foundation/...@master` resolves against the runner's
DEFAULT_ACTIONS_URL = data.forgejo.org, not the local instance, and 404s; the
full-URL form `uses: https://forge.olsitec.net/olsitec/foundation/actions/<x>@master`
was verified green).

- Replace the four reusable-*.yml with composite actions under actions/:
  node-build, docker-build, lint, semantic-release-version (same logic + inputs).
- actions/README.md documents the pattern, the Forgejo-11 limitation, and the
  999_testing candidate coverage (C2/C3/C4 self-contained; C1/C5 blocked on the
  not-yet-published @olsitec package registry).
- ecosystem-selftest paths filter: actions/** (was reusable-*.yml).

The capabilities that need no external repo (semantic-release bump sequence,
eslint/yamllint gates) keep running green via ecosystem-selftest's inline jobs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Andreas Niemann 2026-07-01 01:14:51 +02:00
parent 67157a0de0
commit 35dc008759
12 changed files with 335 additions and 277 deletions


@ -13,7 +13,7 @@ on:
paths:
- "ci/**"
- ".forgejo/workflows/ecosystem-selftest.yml"
- ".forgejo/workflows/reusable-*.yml"
- "actions/**"
workflow_dispatch:
jobs:
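Review bot: the filter now fires on `actions/**`, but nothing in this workflow consumes those actions: the commit message says ecosystem-selftest keeps its inline jobs, and the only thing that exercised the full-URL `uses:` path (the `actions/hello` probe) is deleted in this same commit. An edit to any `action.yml` therefore triggers a run that cannot fail because of that edit. Consider adding one job that does `- uses: https://forge.olsitec.net/olsitec/foundation/actions/node-build@master` with `package-manager: none`, so the full-URL resolution and the composite actions themselves stay under test on every push that touches them.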


@ -1,67 +0,0 @@
# reusable-docker-build — build a Docker image (999_testing candidates C1/C5).
#
# A REUSABLE workflow (on: workflow_call) downstream repos call:
# jobs:
# image:
# uses: olsitec/foundation/.forgejo/workflows/reusable-docker-build.yml@master
# with: { image: "olsitec/seaspots-homepage:ci", push: false }
#
# Builds against the HOST Docker daemon via the mounted socket (the foundation-ci
# image ships the docker CLI; the runner's valid_volumes allows the mount). NOTE
# (R5): the host socket is root-equivalent on the forge VM — this is acceptable
# ONLY for trusted first-party repos until the runner is fenced to its own VM.
#
# Candidates C1 (seaspots-homepage) and C5 (token-service) depend on @olsitec
# packages from a private registry that is not published yet (Stage-2). Their real
# builds need a registry / npmrc; this workflow proves the docker-build path and
# accepts a `build-args`/`npmrc` hook for when the registry exists.
name: reusable-docker-build
on:
workflow_call:
inputs:
context:
type: string
default: "."
dockerfile:
type: string
default: "Dockerfile"
image:
description: "image ref to tag, e.g. name:tag"
type: string
required: true
build-args:
description: "newline-separated KEY=VALUE docker --build-arg pairs"
type: string
default: ""
push:
description: "push to the foundation registry after build (registry must exist)"
type: boolean
default: false
jobs:
image:
runs-on: docker
container:
image: foundation-ci:latest
volumes:
- /var/run/docker.sock:/var/run/docker.sock
steps:
- uses: actions/checkout@v4
- name: Docker build
run: |
args=""
if [ -n "${{ inputs.build-args }}" ]; then
while IFS= read -r kv; do
[ -z "$kv" ] && continue
args="$args --build-arg $kv"
done <<'EOF'
${{ inputs.build-args }}
EOF
fi
echo "+ docker build -f ${{ inputs.dockerfile }} -t ${{ inputs.image }} $args ${{ inputs.context }}"
docker build -f "${{ inputs.dockerfile }}" -t "${{ inputs.image }}" $args "${{ inputs.context }}"
- name: Push
if: ${{ inputs.push }}
run: docker push "${{ inputs.image }}"


@ -1,63 +0,0 @@
# reusable-lint — eslint + yamllint gate (999_testing "linter testing").
#
# A REUSABLE workflow (on: workflow_call). Either linter finding an error makes
# the job exit non-zero (the acceptance criterion). Prefers the project's own
# pinned eslint (node_modules/.bin) for config/plugin fidelity, falling back to
# the foundation-ci image's global eslint; yamllint comes from the image.
#
# jobs:
# lint:
# uses: olsitec/foundation/.forgejo/workflows/reusable-lint.yml@master
# with: { eslint-paths: ".", yamllint-paths: "." }
name: reusable-lint
on:
workflow_call:
inputs:
eslint:
type: boolean
default: true
yamllint:
type: boolean
default: true
eslint-paths:
type: string
default: "."
yamllint-paths:
type: string
default: "."
package-manager:
description: "bun | npm | none — to install project-local eslint config/plugins"
type: string
default: bun
jobs:
lint:
runs-on: docker
container:
image: foundation-ci:latest
steps:
- uses: actions/checkout@v4
- name: Install dependencies (project-local eslint config/plugins)
if: ${{ inputs.eslint }}
run: |
case "${{ inputs.package-manager }}" in
bun) bun install --frozen-lockfile || bun install || true ;;
npm) npm ci || npm install || true ;;
none) echo "skip install" ;;
esac
- name: eslint
if: ${{ inputs.eslint }}
run: |
if [ -x node_modules/.bin/eslint ]; then
echo "+ project eslint"; node_modules/.bin/eslint ${{ inputs.eslint-paths }}
else
echo "+ image eslint"; eslint ${{ inputs.eslint-paths }}
fi
- name: yamllint
if: ${{ inputs.yamllint }}
run: |
echo "+ yamllint ${{ inputs.yamllint-paths }}"
yamllint ${{ inputs.yamllint-paths }}


@ -1,58 +0,0 @@
# reusable-node-build — build/test an npm- or bun-based project (999_testing).
#
# A REUSABLE workflow (on: workflow_call) downstream repos call:
# jobs:
# build:
# uses: olsitec/foundation/.forgejo/workflows/reusable-node-build.yml@master
# with: { package-manager: bun, build: "bun run build" }
#
# Runs in the baked foundation-ci image (bun + node present). Covers the
# non-Docker candidate shapes: npm package built with npm (olsicrypto), bun
# package built with bun (document-engine), and the no-build / versioned-only
# utility (olsitrack/api) via an empty `build`.
name: reusable-node-build
on:
workflow_call:
inputs:
package-manager:
description: "bun | npm | none (none = skip install)"
type: string
default: bun
build:
description: "build command to run verbatim (empty = skip, e.g. no-artifact repos)"
type: string
default: ""
workdir:
description: "working directory for install + build"
type: string
default: "."
jobs:
build:
runs-on: docker
container:
image: foundation-ci:latest
defaults:
run:
working-directory: ${{ inputs.workdir }}
steps:
- uses: actions/checkout@v4
- name: Install dependencies (${{ inputs.package-manager }})
run: |
case "${{ inputs.package-manager }}" in
bun) bun install --frozen-lockfile || bun install ;;
npm) npm ci || npm install ;;
none) echo "package-manager=none → skipping install" ;;
*) echo "unknown package-manager '${{ inputs.package-manager }}'" >&2; exit 1 ;;
esac
- name: Build
run: |
cmd='${{ inputs.build }}'
if [ -z "$cmd" ]; then
echo "no build command (non-artifact / versioned-only repo) — install-only check passed"
exit 0
fi
echo "+ $cmd"
eval "$cmd"


@ -1,81 +0,0 @@
# reusable-semantic-release — compute the next semver from conventional commits
# (999_testing "semantic-release testing"). Mirrors the canonical GitLab template
# (olsitec/gitlab ci_templates/release-automation/semantic-release.yaml): the
# conventionalcommits preset + Olsitec's releaseRules, run as a `--dry-run --no-ci
# --tag-format '${version}'` version probe. Exposes the computed version as an output.
#
# jobs:
# version:
# uses: olsitec/foundation/.forgejo/workflows/reusable-semantic-release.yml@master
# build:
# needs: version
# runs-on: docker
# steps: [ run: echo "releasing ${{ needs.version.outputs.version }}" ]
#
# NOTE: dry-run only — it computes/prints the next version (the part exercised by
# 999_testing and the GitLab `generate-release-version` job). Actually PUBLISHING a
# release to Forgejo (tag + release + changelog) needs a Forgejo-side publish step
# and a token; that is deferred until the package/release flow is wired (the GitLab
# template publishes via @semantic-release/gitlab, which has no Forgejo analogue yet).
name: reusable-semantic-release
on:
workflow_call:
inputs:
branch:
type: string
default: master
outputs:
version:
description: "next release version (empty if the commits warrant no release)"
value: ${{ jobs.version.outputs.version }}
jobs:
version:
runs-on: docker
container:
image: foundation-ci:latest
outputs:
version: ${{ steps.compute.outputs.version }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # semantic-release needs full history + tags
- name: Write .releaserc.yaml (Olsitec conventionalcommits ruleset)
run: |
cat > .releaserc.yaml <<'EOF'
branches:
- name: ${{ inputs.branch }}
tagFormat: "${version}"
plugins:
- - "@semantic-release/commit-analyzer"
- preset: conventionalcommits
releaseRules:
- { breaking: true, release: major }
- { type: breaking, release: major }
- { type: feature, release: minor }
- { type: feat, release: minor }
- { type: fix, release: patch }
- { type: build, release: patch }
- { type: chore, release: patch }
- { type: ci, release: patch }
- { type: docs, release: patch }
- { type: perf, release: patch }
- { type: refactor, release: patch }
- { type: style, release: patch }
- { type: test, release: patch }
parserOpts:
noteKeywords: [ "BREAKING CHANGE", "BREAKING CHANGES" ]
- "@semantic-release/release-notes-generator"
EOF
- name: Compute next version (dry-run)
id: compute
run: |
out=$(semantic-release --dry-run --no-ci --tag-format '${version}' --branches "${{ inputs.branch }}" 2>&1 || true)
printf '%s\n' "$out"
ver=$(printf '%s\n' "$out" \
| grep -oiE 'next release version is [0-9]+\.[0-9]+\.[0-9]+' \
| grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | tail -1)
echo "computed next version: ${ver:-<none>}"
echo "version=$ver" >> "$GITHUB_OUTPUT"

actions/README.md Normal file

@ -0,0 +1,61 @@
# Ecosystem CI — reusable composite actions
These are the shared CI building blocks for Olsitec projects on the foundation
forge (`documentation/999_testing.md`). Downstream repos reference them at **step
level** with a **full URL**:
```yaml
# .forgejo/workflows/ci.yml in any project repo
name: ci
on: [push]
jobs:
build:
runs-on: docker
container: { image: foundation-ci:latest }
steps:
- uses: actions/checkout@v4
- uses: https://forge.olsitec.net/olsitec/foundation/actions/node-build@master
with: { package-manager: bun, build: "bun run build" }
```
## Why composite actions, not reusable workflows
The original plan was **reusable workflows** (`uses: olsitec/foundation/.forgejo/
workflows/x.yml@master`, `on: workflow_call`). **Forgejo 11.0.15 does not support
reusable workflows** — a job-level `uses:` (or `workflow_call`) is silently dropped
and **no run is scheduled** (verified live: a same-repo and cross-repo reusable call
both produced zero runs, while an equivalent inline job ran green). The working
cross-repo reuse primitive on this Forgejo is the **composite action**, referenced by
**full URL** (a short-form `uses: olsitec/foundation/...@master` resolves against the
runner's `DEFAULT_ACTIONS_URL` = `data.forgejo.org`, not the local instance, and 404s).
If the forge is later upgraded to a Forgejo with reusable-workflow support, these can
be re-expressed as `workflow_call` workflows; until then, composite actions are the
contract.
## Actions
| Action | Purpose | Key inputs |
|--------|---------|------------|
| `node-build` | install + build an npm/bun/none project | `package-manager`, `build`, `workdir` |
| `docker-build` | `docker build` via the host socket (caller mounts it) | `image`, `dockerfile`, `context`, `build-args`, `push` |
| `lint` | eslint + yamllint gate (error → non-zero) | `eslint-paths`, `yamllint-paths`, `package-manager` |
| `semantic-release-version` | dry-run next-version probe (conventionalcommits) | `branch` → output `version` |
All run in the baked `foundation-ci:latest` image (the caller sets
`container.image`). The caller must `actions/checkout@v4` first; `docker-build`
callers must also mount `/var/run/docker.sock`; `semantic-release-version` callers
must checkout with `fetch-depth: 0`.
## Candidate coverage (999_testing)
| Candidate | Shape | Action | Status |
|-----------|-------|--------|--------|
| olsicrypto | npm package (tsc) | `node-build` (npm) | self-contained ✓ |
| document-engine | bun package (tsc) | `node-build` (bun) | self-contained ✓ |
| olsitrack/api | no-artifact / versioned | `node-build` (empty build) | self-contained ✓ |
| seaspots-homepage | docker, dep `@olsitec/svelte-common` | `docker-build` | blocked on the package registry (Stage-2) |
| token-service | docker, dep `@olsitec/olsicrypto` | `docker-build` | blocked on the package registry (Stage-2) |
The semantic-release bump sequence and the eslint/yamllint gates are continuously
proven by `.forgejo/workflows/ecosystem-selftest.yml` on the foundation's own runner.
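Review bot: every example in this README pins to `@master`, a mutable ref, so each downstream repo executes whatever is on the foundation's master branch at run time; for shared CI code that builds against a root-equivalent Docker socket (the R5 caveat lives only in the header comment of actions/docker-build/action.yml and is not mentioned here), document a tag or commit pin as the recommended form and state who may push to master. The Actions section should also carry the R5 caveat itself next to "caller mounts it", since this file is the contract callers read, and the table row should say that `push: "true"` requires the caller to be logged in to the registry.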


@ -0,0 +1,56 @@
# docker-build — build a Docker image (999_testing candidates C1/C5). Composite
# action (see actions/node-build). Builds against the HOST Docker daemon via the
# mounted socket, so the CALLER's job MUST mount it:
#
# jobs:
# image:
# runs-on: docker
# container:
# image: foundation-ci:latest
# volumes: [ /var/run/docker.sock:/var/run/docker.sock ]
# steps:
# - uses: actions/checkout@v4
# - uses: https://forge.olsitec.net/olsitec/foundation/actions/docker-build@master
# with: { image: "olsitec/token-service:ci" }
#
# R5: the host socket is root-equivalent on the forge VM — trusted first-party repos
# only until the runner is fenced. Candidates C1 (seaspots-homepage) and C5
# (token-service) also need @olsitec packages from a registry that is not published
# yet (Stage-2); their real builds need an npmrc via `build-args` once it exists.
name: docker-build
description: Build (optionally push) a Docker image via the host daemon.
inputs:
context:
default: "."
dockerfile:
default: "Dockerfile"
image:
description: "image ref to tag, e.g. name:tag"
required: true
build-args:
description: "newline-separated KEY=VALUE docker --build-arg pairs"
default: ""
push:
description: "push after build (true/false; registry must exist)"
default: "false"
runs:
using: composite
steps:
- name: Docker build
shell: bash
run: |
args=""
if [ -n "${{ inputs.build-args }}" ]; then
while IFS= read -r kv; do
[ -z "$kv" ] && continue
args="$args --build-arg $kv"
done <<'EOF'
${{ inputs.build-args }}
EOF
fi
echo "+ docker build -f ${{ inputs.dockerfile }} -t ${{ inputs.image }} $args ${{ inputs.context }}"
docker build -f "${{ inputs.dockerfile }}" -t "${{ inputs.image }}" $args "${{ inputs.context }}"
- name: Push
if: ${{ inputs.push == 'true' }}
shell: bash
run: docker push "${{ inputs.image }}"
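Review bot: every input is spliced into the `run:` script at template-expansion time (`${{ inputs.image }}`, `${{ inputs.dockerfile }}`, and `${{ inputs.build-args }}` inside the heredoc), so a value containing a double quote, a backtick or `$(` alters the script rather than the argument, and the quotes around `"${{ inputs.image }}"` do not protect against that. Pass the inputs through `env:` (`IMAGE: ${{ inputs.image }}`, `BUILD_ARGS: ${{ inputs.build-args }}`) and reference `"$IMAGE"` / `"$BUILD_ARGS"` in the script; the `while read` loop can then consume `<<< "$BUILD_ARGS"` instead of a template-filled heredoc. Separately, `$args` is expanded unquoted, so a `KEY=VALUE` whose value contains a space becomes two arguments; collect them in a bash array (`args+=(--build-arg "$kv")`, then `"${args[@]}"`).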


@ -1,7 +0,0 @@
name: hello
description: smoke-test composite action (local-instance reuse probe)
runs:
using: composite
steps:
- shell: bash
run: echo "composite action from olsitec/foundation OK"

actions/lint/action.yml Normal file

@ -0,0 +1,47 @@
# lint — eslint + yamllint gate (999_testing "linter testing"). Composite action
# (see actions/node-build for why composite, not reusable workflow). Either linter
# finding an error makes the step (hence the job) exit non-zero.
#
# steps:
# - uses: actions/checkout@v4
# - uses: https://forge.olsitec.net/olsitec/foundation/actions/lint@master
# with: { eslint-paths: ".", yamllint-paths: "." }
name: lint
description: Run eslint and yamllint; any error fails the job.
inputs:
eslint:
description: "run eslint (true/false)"
default: "true"
yamllint:
description: "run yamllint (true/false)"
default: "true"
eslint-paths:
default: "."
yamllint-paths:
default: "."
package-manager:
description: "bun | npm | none — to install project-local eslint config/plugins"
default: bun
runs:
using: composite
steps:
- name: eslint
if: ${{ inputs.eslint == 'true' }}
shell: bash
run: |
case "${{ inputs.package-manager }}" in
bun) bun install --frozen-lockfile || bun install || true ;;
npm) npm ci || npm install || true ;;
none) echo "skip install" ;;
esac
if [ -x node_modules/.bin/eslint ]; then
echo "+ project eslint"; node_modules/.bin/eslint ${{ inputs.eslint-paths }}
else
echo "+ image eslint"; eslint ${{ inputs.eslint-paths }}
fi
- name: yamllint
if: ${{ inputs.yamllint == 'true' }}
shell: bash
run: |
echo "+ yamllint ${{ inputs.yamllint-paths }}"
yamllint ${{ inputs.yamllint-paths }}
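Review bot: the install `case` in the eslint step has no `*)` arm and every arm ends in `|| true`, so a typo in `package-manager` or a failed `bun install` / `npm ci` is silent and the step falls through to the image's global eslint with none of the project's plugins or config resolution; the gate then reports green for a configuration it never evaluated. Mirror node-build: add `*) echo "unknown package-manager '…'" >&2; exit 1 ;;`, and fail (or at least print a loud warning) when an install was requested but `node_modules/.bin/eslint` is still missing, so that "image eslint" is an explicit choice rather than a fallback that hides a broken install.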


@ -0,0 +1,54 @@
# node-build — install + build an npm/bun project (999_testing).
#
# A COMPOSITE ACTION (not a reusable workflow — Forgejo 11 does not support
# job-level `uses:`/workflow_call; composite actions referenced by full URL are
# the working cross-repo reuse mechanism). Downstream repos call it at STEP level:
#
# jobs:
# build:
# runs-on: docker
# container: { image: foundation-ci:latest }
# steps:
# - uses: actions/checkout@v4
# - uses: https://forge.olsitec.net/olsitec/foundation/actions/node-build@master
# with: { package-manager: bun, build: "bun run build" }
#
# Covers the non-Docker candidate shapes: npm package built with npm (olsicrypto),
# bun package built with bun (document-engine), no-artifact/versioned (olsitrack/api,
# empty `build`). The caller must `actions/checkout` first and run in foundation-ci.
name: node-build
description: Install dependencies and build an npm- or bun-based project.
inputs:
package-manager:
description: "bun | npm | none (none skips install)"
default: bun
build:
description: "build command run verbatim (empty = skip, e.g. no-artifact repos)"
default: ""
workdir:
description: "working directory for install + build"
default: "."
runs:
using: composite
steps:
- name: Install dependencies (${{ inputs.package-manager }})
shell: bash
working-directory: ${{ inputs.workdir }}
run: |
case "${{ inputs.package-manager }}" in
bun) bun install --frozen-lockfile || bun install ;;
npm) npm ci || npm install ;;
none) echo "package-manager=none → skipping install" ;;
*) echo "unknown package-manager '${{ inputs.package-manager }}'" >&2; exit 1 ;;
esac
- name: Build
shell: bash
working-directory: ${{ inputs.workdir }}
run: |
cmd='${{ inputs.build }}'
if [ -z "$cmd" ]; then
echo "no build command (non-artifact / versioned-only repo) — install-only check passed"
exit 0
fi
echo "+ $cmd"
eval "$cmd"
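Review bot: `cmd='${{ inputs.build }}'` interpolates the caller's build string inside single quotes at template time, so any `build:` value that itself contains a single quote (for example a `--define 'X=1'` argument) terminates the quoting and breaks the script before `eval` runs. Pass it via `env: { BUILD_CMD: "${{ inputs.build }}" }` and `eval "$BUILD_CMD"`; evaluating a caller-supplied command is intended here (it is the caller's own repo), but the value should enter the shell as data, not as script text. The same applies to `${{ inputs.package-manager }}` in the `case` and in the error message.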


@ -0,0 +1,71 @@
# semantic-release-version — compute the next semver from conventional commits
# (999_testing "semantic-release testing"). Composite action (see actions/node-build).
# Mirrors the canonical GitLab template (olsitec/gitlab ci_templates/release-automation/
# semantic-release.yaml): conventionalcommits preset + Olsitec's releaseRules, run as a
# `--dry-run --no-ci --tag-format '${version}'` probe. Outputs the computed version.
#
# jobs:
# version:
# runs-on: docker
# container: { image: foundation-ci:latest }
# outputs: { version: "${{ steps.sr.outputs.version }}" }
# steps:
# - uses: actions/checkout@v4
# with: { fetch-depth: 0 } # REQUIRED: full history + tags
# - id: sr
# uses: https://forge.olsitec.net/olsitec/foundation/actions/semantic-release-version@master
#
# NOTE: dry-run version compute only (the part 999_testing checks + the GitLab
# `generate-release-version` job). Publishing a Forgejo release is deferred (no
# @semantic-release/forgejo analogue yet).
name: semantic-release-version
description: Compute the next semantic-release version (dry-run) from conventional commits.
inputs:
branch:
default: master
outputs:
version:
description: "next release version (empty if the commits warrant no release)"
value: ${{ steps.compute.outputs.version }}
runs:
using: composite
steps:
- name: Write .releaserc.yaml (Olsitec conventionalcommits ruleset)
shell: bash
run: |
cat > .releaserc.yaml <<'EOF'
branches:
- name: ${{ inputs.branch }}
tagFormat: "${version}"
plugins:
- - "@semantic-release/commit-analyzer"
- preset: conventionalcommits
releaseRules:
- { breaking: true, release: major }
- { type: breaking, release: major }
- { type: feature, release: minor }
- { type: feat, release: minor }
- { type: fix, release: patch }
- { type: build, release: patch }
- { type: chore, release: patch }
- { type: ci, release: patch }
- { type: docs, release: patch }
- { type: perf, release: patch }
- { type: refactor, release: patch }
- { type: style, release: patch }
- { type: test, release: patch }
parserOpts:
noteKeywords: [ "BREAKING CHANGE", "BREAKING CHANGES" ]
- "@semantic-release/release-notes-generator"
EOF
- name: Compute next version (dry-run)
id: compute
shell: bash
run: |
out=$(semantic-release --dry-run --no-ci --tag-format '${version}' --branches "${{ inputs.branch }}" 2>&1 || true)
printf '%s\n' "$out"
ver=$(printf '%s\n' "$out" \
| grep -oiE 'next release version is [0-9]+\.[0-9]+\.[0-9]+' \
| grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | tail -1)
echo "computed next version: ${ver:-<none>}"
echo "version=$ver" >> "$GITHUB_OUTPUT"
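Review bot: `|| true` on the semantic-release call followed by a grep for "next release version is" makes a crash (missing plugin, unreadable history because the caller omitted `fetch-depth: 0`, a bad `.releaserc.yaml`) indistinguishable from "no release warranted": both yield `version=` and a green step, which contradicts the description on the `outputs:` block. Capture the exit status (`rc=$?`) and fail the step when it is non-zero and the output does not contain the no-release message semantic-release logs; at minimum, fail early when `git rev-parse --is-shallow-repository` prints `true`, since the header comment marks full history as REQUIRED. Also, `cat > .releaserc.yaml` overwrites any `.releaserc.yaml` the caller's repo already has; say so in the description or write the ruleset to a scratch path.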


@ -0,0 +1,45 @@
# Testing the new foundation
In order to verify that the new foundation is working, there are several things we should test.
## CI Testing
### Test candidate 1: A docker container with no dependency to npm packages
Candidate: `/Users/andiolsi/work/seaspots/services/seaspots-homepage`
### Test candidate 2: A npm package built with npm
Candidate: `/Users/andiolsi/work/olsitec-nci/lib/olsicrypto`
### Test candidate 3: A npm package built with bun
Candidate: `/Users/andiolsi/work/olsitec-nci/lib/document-engine`
### Test candidate 4: A non-artifact versioned repo
Candidate: `/Users/andiolsi/work/olsitrack2/api`
### Test candidate 5: A docker container with dependency to npm packages
Candidate: `/Users/andiolsi/work/olsitrack2/services/token-service`
Has an (albeit oudated) dependency on olsicrypto (candidate 2).
## semantic-release testing
Create some test git repo, push it to master/main. Expected outcome: 1.0.0
Pull rebase, commit a feat commit. Expected outcome 1.1.0
Pull rebase, commit a fix/chore commit. Expected outcome 1.1.1
Pull rebase, commit a commit with an `!`, such as `feat!`. Expected outcome 2.0.0
Pull rebase, commit a commit with `BRREAKING CHANGE` or `BRREAKING CHANGES`. Expected outcome 3.0.0
## linter testing
Push something with a eslint error in it. Expected outcome: Job exit non-zero
Push something with a yamllint error in it. Expected outcome: Job exit non-zero
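Review bot: the breaking-change step says `BRREAKING CHANGE` / `BRREAKING CHANGES` (double R), while the ruleset in actions/semantic-release-version/action.yml only matches `BREAKING CHANGE` and `BREAKING CHANGES`, so a tester who follows this text verbatim gets no major bump and a misleading "failed" result. Fix the spelling and state that the keyword belongs in the commit footer, where `noteKeywords` are matched, not in the subject line. Minor: "oudated" should read "outdated", "A npm" should read "An npm", and the candidate paths are one developer's local checkouts (`/Users/andiolsi/...`); name the repos on the forge instead so others can run the plan.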