docs(session): correct ecosystem-CI architecture to reusable workflows
All checks were successful
CI / preflight (push) Successful in 5s
CI / typecheck (push) Successful in 13s
pulumi-preview / preview (push) Successful in 17s

The composite-action pivot was based on a false negative — reusable workflows
DO work on Forgejo 11 (caller needs `runs-on`; short cross-repo ref). Correct the
SESSION_002 + HANDOVER ecosystem-CI sections, the next-steps Forgejo-upgrade note,
and point the required-reads at .forgejo/workflows/README.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Andreas Niemann 2026-07-01 01:50:59 +02:00
parent 290f48ba18
commit 786e1d2e53
2 changed files with 24 additions and 21 deletions

View file

@ -45,24 +45,23 @@ real hardening for when UNTRUSTED workflows run.
semantic-release@24.2.3 with the **conventionalcommits preset** + `@semantic-release/
git`+`changelog` (the plugin set Olsitec's GitLab release template uses). Pinned in
VERSIONS (NOT in preflight's up-gating set — job tools, not deploy tools).
- **ARCHITECTURE PIVOT — Forgejo 11.0.15 does NOT support reusable workflows.** A
job-level `uses:`/`workflow_call` is silently dropped → **zero runs** (verified live,
both same-repo and cross-repo; an equivalent inline job ran green). The working
cross-repo reuse primitive is the **COMPOSITE ACTION referenced by FULL URL**:
`uses: https://forge.olsitec.net/olsitec/foundation/actions/<x>@master` (short-form
resolves against the runner's `DEFAULT_ACTIONS_URL`=data.forgejo.org and 404s).
Replaced the (dead) `reusable-*.yml` with composite actions.
- **`actions/`** (composite, + README): `node-build` (npm/bun/none install+build),
`docker-build` (host-socket build; caller mounts the socket), `lint` (eslint+yamllint
gate), `semantic-release-version` (conventionalcommits dry-run version probe).
- **Reuse architecture: reusable workflows (`on: workflow_call`).** `.forgejo/workflows/
reusable-{node-build,docker-build,lint,semantic-release}.yml`, called as
`uses: olsitec/foundation/.forgejo/workflows/<x>.yml@master`. **Forgejo-11 quirk
(verified live):** the pre-v15 "limited" reusable-workflow impl REQUIRES `runs-on` on
the *calling* job — omit it (standard GitHub syntax) and Forgejo silently schedules
**zero runs** (this was an initial false-negative that briefly sent me to composite
actions; reverted). Cross-repo refs use the **short** form (full URL fails — that is
the composite-*action* form). A future Forgejo **v15** upgrade removes both quirks
(omit `runs-on` → workflow expansion). Documented in `.forgejo/workflows/README.md`.
- **`.forgejo/workflows/ecosystem-selftest.yml`** + `ci/semantic-release-bumptest.sh`:
self-contained proof on the runner of the 999 criteria that need no external repo —
the **semantic-release bump sequence** `1.0.0→1.1.0→1.1.1→2.0.0→3.0.0` (Olsitec's exact
releaseRules; `--dry-run --no-ci --tag-format '${version}'` + grep, like the GitLab
`generate-release-version` job) and the **eslint/yamllint non-zero-exit gates**. **All GREEN.**
- **Candidate validation:** `node-build` ran **green on the runner** against a real bun
build (throwaway `citest-node`, since deleted). Real candidate code built in the
foundation-ci image: **C2 olsicrypto** (npm/tsc → dist) and **C3 document-engine**
- **Candidate validation:** `reusable-node-build` ran **green on the runner** (short
cross-repo ref + `runs-on`) against a real bun build (throwaway `citest-node`, since
deleted). Real candidate code built in the foundation-ci image: **C2 olsicrypto** (npm/tsc → dist) and **C3 document-engine**
(bun/tsc → dist). **C4 olsitrack/api** is no-build (install-only path). **C1
seaspots-homepage** and **C5 token-service** are blocked on the not-yet-published
`@olsitec` package registry (svelte-common / olsicrypto) — Stage-2; documented.
@ -71,7 +70,8 @@ real hardening for when UNTRUSTED workflows run.
- Repo `~/work/olsitec-foundation/foundation`, branch `master`, origin = Forgejo,
working tree clean. Commits this session (pushed): `fix(ci-image): pulumi 3.243`,
`feat(ci): T14 pipelines`, `feat(ci-image): ecosystem toolchain`, `feat(ci): reusable
workflows + selftest`, `refactor(ci): composite actions (Forgejo 11)` (+ a probe commit).
workflows + selftest`, `refactor(ci): composite actions` → `revert(ci): reusable
workflows after all` (the composite pivot was a false-negative, reverted; + a probe commit).
- Foundation's own CI green on master (preflight, typecheck, preview, semantic-release-
bumptest, eslint-gate, yamllint-gate). `pulumi-preview` + `backup-verify` green.
- `cd bootstrap && ./run.sh up` idempotent; it now also publishes state to RustFS.
@ -85,8 +85,9 @@ real hardening for when UNTRUSTED workflows run.
Forgejo package registry populated (publish `olsicrypto`, `svelte-common`, …). Then
`docker-build` for seaspots-homepage / token-service can be validated end-to-end
(npmrc via `build-args`).
- **Forgejo upgrade** — reusable workflows need a newer Forgejo; until then composite
actions are the contract (`actions/README.md`).
- **Forgejo upgrade (v15)** — reusable workflows already work on v11 with the caller
`runs-on` + short-ref quirks; a v15 upgrade (LTS, Apr 2026) removes both (omit `runs-on`
→ workflow expansion + separate logs). See `.forgejo/workflows/README.md`.
- **T15**`index.ts` phase marker still `T10-runner`; Gate A/B comments;
`docs/DAY-ZERO-TIMELINE.md`.
- **Hardening** — pin floating refs (`IMAGE_REGISTRY` PIN_DIGEST, `IMAGE_RUSTFS` latest,