# Ecosystem CI — reusable composite actions

These are the shared CI building blocks for Olsitec projects on the foundation forge (`documentation/999_testing.md`). Downstream repos reference them at **step level** with a **full URL**:

```yaml
# .forgejo/workflows/ci.yml in any project repo
name: ci
on: [push]
jobs:
  build:
    runs-on: docker
    container: { image: foundation-ci:latest }
    steps:
      - uses: actions/checkout@v4
      - uses: https://forge.olsitec.net/olsitec/foundation/actions/node-build@master
        with: { package-manager: bun, build: "bun run build" }
```

## Why composite actions, not reusable workflows

The original plan was **reusable workflows** (`uses: olsitec/foundation/.forgejo/workflows/x.yml@master`, `on: workflow_call`). **Forgejo 11.0.15 does not support reusable workflows** — a job-level `uses:` (or `workflow_call`) is silently dropped and **no run is scheduled** (verified live: a same-repo and cross-repo reusable call both produced zero runs, while an equivalent inline job ran green).

The working cross-repo reuse primitive on this Forgejo is the **composite action**, referenced by **full URL** (a short-form `uses: olsitec/foundation/...@master` resolves against the runner's `DEFAULT_ACTIONS_URL` = `data.forgejo.org`, not the local instance, and 404s).

If the forge is later upgraded to a Forgejo with reusable-workflow support, these can be re-expressed as `workflow_call` workflows; until then, composite actions are the contract.

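
A pre-merge check for the failure modes described above, as an added example that is not part of the foundation repo: it flags job-level `uses:` and `workflow_call`, which this Forgejo drops without scheduling a run, and short-form `uses:` under the local owner, which resolves against `DEFAULT_ACTIONS_URL`. The `olsitec/` owner prefix, the rule names and the indentation-based parsing (no YAML library) are assumptions of this example.

```python
import re

LOCAL_OWNER = "olsitec/"  # assumption: short-form refs under this owner target the local forge
USES = re.compile(r"^(-\s+)?uses\s*:\s*['\"]?([^'\"\s]+)")

def lint_workflow(text):
    """Return [(line_no, rule)] for reuse patterns that fail on Forgejo 11.0.15."""
    findings, in_jobs, job_indent, key_indent = [], False, None, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()           # drop trailing comments
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if re.search(r"\bworkflow_call\b", body):
            findings.append((no, "workflow-call"))      # reusable-workflow trigger
        if indent == 0:
            in_jobs, job_indent, key_indent = body == "jobs:", None, None
            continue
        if not in_jobs:
            continue
        job_indent = indent if job_indent is None else job_indent
        if indent == job_indent:                        # a new job id starts here
            key_indent = None
            continue
        if key_indent is None:
            key_indent = indent                         # column of this job's own keys
        m = USES.match(body)
        if m and indent == key_indent and m.group(1) is None:
            findings.append((no, "job-level-uses"))     # dropped: no run is scheduled
        elif m and m.group(2).startswith(LOCAL_OWNER):
            findings.append((no, "short-form-local"))   # resolved via DEFAULT_ACTIONS_URL
    return findings

# Constructed sample: both reference patterns the README reports as failing.
BAD = """\
jobs:
  build:
    uses: olsitec/foundation/.forgejo/workflows/x.yml@master
  lint:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
      - uses: olsitec/foundation/actions/lint@master
"""

if __name__ == "__main__":
    for no, rule in lint_workflow(BAD):
        print(f"line {no}: {rule}")
```

Because a dropped job produces no run at all, a check like this has to run somewhere other than the workflow it inspects, for example in a separate inline job or a pre-commit hook.
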
## Actions

| Action | Purpose | Key inputs |
|--------|---------|------------|
| `node-build` | install + build an npm/bun/none project | `package-manager`, `build`, `workdir` |
| `docker-build` | `docker build` via the host socket (caller mounts it) | `image`, `dockerfile`, `context`, `build-args`, `push` |
| `lint` | eslint + yamllint gate (error → non-zero) | `eslint-paths`, `yamllint-paths`, `package-manager` |
| `semantic-release-version` | dry-run next-version probe (conventionalcommits) | `branch` → output `version` |

All run in the baked `foundation-ci:latest` image (the caller sets `container.image`). The caller must `actions/checkout@v4` first; `docker-build` callers must also mount `/var/run/docker.sock`; `semantic-release-version` callers must checkout with `fetch-depth: 0`.

## Candidate coverage (999_testing)

| Candidate | Shape | Action | Status |
|-----------|-------|--------|--------|
| olsicrypto | npm package (tsc) | `node-build` (npm) | self-contained ✓ |
| document-engine | bun package (tsc) | `node-build` (bun) | self-contained ✓ |
| olsitrack/api | no-artifact / versioned | `node-build` (empty build) | self-contained ✓ |
| seaspots-homepage | docker, dep `@olsitec/svelte-common` | `docker-build` | blocked on the package registry (Stage-2) |
| token-service | docker, dep `@olsitec/olsicrypto` | `docker-build` | blocked on the package registry (Stage-2) |

The semantic-release bump sequence and the eslint/yamllint gates are continuously proven by `.forgejo/workflows/ecosystem-selftest.yml` on the foundation's own runner.