docs(session): correct ecosystem-CI architecture to reusable workflows
The composite-action pivot was based on a false negative — reusable workflows DO work on Forgejo 11 (caller needs `runs-on`; short cross-repo ref). Correct the SESSION_002 + HANDOVER ecosystem-CI sections, the next-steps Forgejo-upgrade note, and point the required-reads at .forgejo/workflows/README.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parent
290f48ba18
commit
786e1d2e53
2 changed files with 24 additions and 21 deletions
@ -45,24 +45,23 @@ real hardening for when UNTRUSTED workflows run.
|
|||
semantic-release@24.2.3 with the **conventionalcommits preset** + `@semantic-release/
|
||||
git`+`changelog` (the plugin set Olsitec's GitLab release template uses). Pinned in
|
||||
VERSIONS (NOT in preflight's up-gating set — job tools, not deploy tools).
|
||||
- **ARCHITECTURE PIVOT — Forgejo 11.0.15 does NOT support reusable workflows.** A
|
||||
job-level `uses:`/`workflow_call` is silently dropped → **zero runs** (verified live,
|
||||
both same-repo and cross-repo; an equivalent inline job ran green). The working
|
||||
cross-repo reuse primitive is the **COMPOSITE ACTION referenced by FULL URL**:
|
||||
`uses: https://forge.olsitec.net/olsitec/foundation/actions/<x>@master` (short-form
|
||||
resolves against the runner's `DEFAULT_ACTIONS_URL`=data.forgejo.org and 404s).
|
||||
Replaced the (dead) `reusable-*.yml` with composite actions.
|
||||
- **`actions/`** (composite, + README): `node-build` (npm/bun/none install+build),
|
||||
`docker-build` (host-socket build; caller mounts the socket), `lint` (eslint+yamllint
|
||||
gate), `semantic-release-version` (conventionalcommits dry-run version probe).
|
||||
- **Reuse architecture: reusable workflows (`on: workflow_call`).** `.forgejo/workflows/
|
||||
reusable-{node-build,docker-build,lint,semantic-release}.yml`, called as
|
||||
`uses: olsitec/foundation/.forgejo/workflows/<x>.yml@master`. **Forgejo-11 quirk
|
||||
(verified live):** the pre-v15 "limited" reusable-workflow impl REQUIRES `runs-on` on
|
||||
the *calling* job — omit it (standard GitHub syntax) and Forgejo silently schedules
|
||||
**zero runs** (this was an initial false-negative that briefly sent me to composite
|
||||
actions; reverted). Cross-repo refs use the **short** form (full URL fails — that is
|
||||
the composite-*action* form). A future Forgejo **v15** upgrade removes both quirks
|
||||
(omit `runs-on` → workflow expansion). Documented in `.forgejo/workflows/README.md`.
|
||||
- **`.forgejo/workflows/ecosystem-selftest.yml`** + `ci/semantic-release-bumptest.sh`:
|
||||
self-contained proof on the runner of the 999 criteria that need no external repo —
|
||||
the **semantic-release bump sequence** `1.0.0→1.1.0→1.1.1→2.0.0→3.0.0` (Olsitec's exact
|
||||
releaseRules; `--dry-run --no-ci --tag-format '${version}'` + grep, like the GitLab
|
||||
`generate-release-version` job) and the **eslint/yamllint non-zero-exit gates**. **All GREEN.**
|
||||
- **Candidate validation:** `node-build` ran **green on the runner** against a real bun
|
||||
build (throwaway `citest-node`, since deleted). Real candidate code built in the
|
||||
foundation-ci image: **C2 olsicrypto** (npm/tsc → dist) and **C3 document-engine**
|
||||
- **Candidate validation:** `reusable-node-build` ran **green on the runner** (short
|
||||
cross-repo ref + `runs-on`) against a real bun build (throwaway `citest-node`, since
|
||||
deleted). Real candidate code built in the foundation-ci image: **C2 olsicrypto** (npm/tsc → dist) and **C3 document-engine**
|
||||
(bun/tsc → dist). **C4 olsitrack/api** is no-build (install-only path). **C1
|
||||
seaspots-homepage** and **C5 token-service** are blocked on the not-yet-published
|
||||
`@olsitec` package registry (svelte-common / olsicrypto) — Stage-2; documented.
|
||||
|
|
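Review bot: The new reuse bullet documents the caller contract as `uses: olsitec/foundation/.forgejo/workflows/<x>.yml@master`, a mutable branch ref, while the Hardening item later in this file asks to pin floating refs. State here whether `@master` is a deliberate interim choice, or document a tag or commit SHA as the ref callers should use and add the workflow refs to the Hardening item. Second, the replaced text recorded that a short-form ref resolves against the runner's `DEFAULT_ACTIONS_URL` (data.forgejo.org); the new text says the short form works for workflows but no longer says which host it resolves against, so one sentence on that would explain why the two ref forms behave differently. Minor: the rewritten Candidate validation bullet now has one line ending `**C3 document-engine**` that runs well past the wrap width used by the rest of the file.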
@ -71,7 +70,8 @@ real hardening for when UNTRUSTED workflows run.
|
|||
- Repo `~/work/olsitec-foundation/foundation`, branch `master`, origin = Forgejo,
|
||||
working tree clean. Commits this session (pushed): `fix(ci-image): pulumi 3.243`,
|
||||
`feat(ci): T14 pipelines`, `feat(ci-image): ecosystem toolchain`, `feat(ci): reusable
|
||||
workflows + selftest`, `refactor(ci): composite actions (Forgejo 11)` (+ a probe commit).
|
||||
workflows + selftest`, `refactor(ci): composite actions` → `revert(ci): reusable
|
||||
workflows after all` (the composite pivot was a false-negative, reverted; + a probe commit).
|
||||
- Foundation's own CI green on master (preflight, typecheck, preview, semantic-release-
|
||||
bumptest, eslint-gate, yamllint-gate). `pulumi-preview` + `backup-verify` green.
|
||||
- `cd bootstrap && ./run.sh up` idempotent; it now also publishes state to RustFS.
|
||||
|
|
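Review bot: In the commit list, the subject previously recorded as `refactor(ci): composite actions (Forgejo 11)` now reads `refactor(ci): composite actions`, so the quoted subject no longer matches what this file said was pushed. If the list is meant to mirror `git log`, keep each subject verbatim and leave the explanation to the parenthetical that follows. Adding the short hashes of the refactor and revert commits would let a reader confirm the pair without searching by subject.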
@ -85,8 +85,9 @@ real hardening for when UNTRUSTED workflows run.
|
|||
Forgejo package registry populated (publish `olsicrypto`, `svelte-common`, …). Then
|
||||
`docker-build` for seaspots-homepage / token-service can be validated end-to-end
|
||||
(npmrc via `build-args`).
|
||||
- **Forgejo upgrade** — reusable workflows need a newer Forgejo; until then composite
|
||||
actions are the contract (`actions/README.md`).
|
||||
- **Forgejo upgrade (v15)** — reusable workflows already work on v11 with the caller
|
||||
`runs-on` + short-ref quirks; a v15 upgrade (LTS, Apr 2026) removes both (omit `runs-on`
|
||||
→ workflow expansion + separate logs). See `.forgejo/workflows/README.md`.
|
||||
- **T15** — `index.ts` phase marker still `T10-runner`; Gate A/B comments;
|
||||
`docs/DAY-ZERO-TIMELINE.md`.
|
||||
- **Hardening** — pin floating refs (`IMAGE_REGISTRY` PIN_DIGEST, `IMAGE_RUSTFS` latest,
|
||||
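Review bot: The rewritten Forgejo upgrade bullet states `(LTS, Apr 2026)` with no source, and describes the v15 behaviour as `workflow expansion + separate logs`, while the reuse bullet earlier in this file says only `workflow expansion`. Either cite where the release claim comes from or leave it to `.forgejo/workflows/README.md`, and make the two descriptions of the v15 behaviour agree so the session notes and the README cannot drift apart.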