MokoCLI/docs/workflows/README.md

[![MokoStandards](https://img.shields.io/badge/MokoStandards-04.06.00-orange)](https://git.mokoconsulting.tech/MokoConsulting/MokoStandards)

# GitHub Workflow Templates Documentation

**Status**: Active | **Version**: 04.00.04 | **Effective**: 2026-01-07

## Overview
> **Important (v2):** All workflows MUST be in `.gitea/workflows/` only. Gitea Actions does not run workflows from `.github/workflows/`. Having files in `.github/workflows/` creates ghost queued runs that block the runner. Releases use stream-based git tags (`stable`, `release-candidate`, `beta`, `alpha`, `development`). See [Release System](./release-system.md) for cascade logic, SHA-256 rules, and auto-detection.

This document provides comprehensive documentation for MokoStandards workflow templates. These templates provide standardized CI/CD configurations that ensure consistency, security, and compliance across all Moko Consulting repositories.

### Workflow Documentation

- [Workflow Architecture](./workflow-architecture.md) - Workflow hierarchy and design patterns
- [Workflow Inventory](./workflow-inventory.md) - Complete inventory of workflows
- [Reusable Workflows](./reusable-workflows.md) - Documentation for reusable GitHub Actions workflows
- [Standards Compliance](./standards-compliance.md) - **NEW**: Comprehensive standards validation workflow
- [Bulk Repository Sync](./bulk-repo-sync.md) - Automated standards deployment across organization repositories
- [Release System](./release-system.md) - Unified release system documentation
- [Changelog Management](./changelog-management.md) - Changelog management workflows and scripts
- [Dev Branch Tracking and Issue Coordination](./dev-branch-tracking.md) - Automated dev branch and PR tracking system
- [Dev Deployment](./dev-deployment.md) - Development deployment workflows
- [Reserve Dolibarr Module ID](./reserve-dolibarr-module-id.md) - Automated Dolibarr module ID reservation workflow

### Workflow Template Locations

MokoStandards provides workflow templates in two locations:

1. **`templates/workflows/`** - **Public workflow templates** for community adoption
   - `build.yml.template` - Universal build workflow with automatic project detection
   - `release-cycle.yml.template` - Automated release management workflow (v2.0 with auto-detect & manual modes)
   - `generic/codeql-analysis.yml` - Security scanning with CodeQL
   - `generic/dependency-review.yml.template` - Dependency vulnerability scanning
   - `standards-compliance.yml.template` - MokoStandards compliance validation
   - `flush-actions-cache.yml.template` - GitHub Actions cache management workflow

2. **`templates/workflows/`** - Platform-specific workflow examples
   - `joomla/` - Joomla extension workflows
   - `dolibarr/` - Dolibarr module workflows
   - `generic/` - Generic project workflows

### Quick Start

To adopt MokoStandards workflows in your repository:

```bash
# Copy universal build workflow
cp templates/workflows/build.yml.template .gitea/workflows/build.yml

# Copy release management workflow
cp templates/workflows/release-cycle.yml.template .gitea/workflows/release.yml

# Copy security scanning workflows
cp templates/workflows/generic/codeql-analysis.yml .gitea/workflows/
cp templates/workflows/generic/dependency-review.yml.template .gitea/workflows/dependency-review.yml

# Copy standards compliance workflow
cp templates/workflows/standards-compliance.yml.template .gitea/workflows/standards-compliance.yml

# Optional: Copy cache management workflow
cp templates/workflows/flush-actions-cache.yml.template .gitea/workflows/flush-actions-cache.yml
```

Then customize the workflows for your project as needed.

## Public Workflow Templates (`templates/workflows/`)

### 1. Build Universal (`build.yml.template`)

**Location**: `templates/workflows/build.yml.template`

Universal build workflow with automatic project type detection and Makefile precedence system.

**Features**:
- **Automatic project detection** - Detects Joomla, Dolibarr, or Generic projects
- **Makefile precedence system** - Repository Makefile → MokoStandards Makefile → Default builds
- **Multi-language support** - PHP, Node.js, and mixed projects
- **Build artifacts** - Automatic artifact upload
- **Customizable** - Extensive inline documentation for customization

**Trigger Patterns**:
```yaml
on:
  push:
    branches: [main, dev/**, rc/**, version/**]
  pull_request:
    branches: [main, dev/**, rc/**]
  workflow_dispatch:
```

**Usage**: Copy to `.gitea/workflows/build.yml` and customize as needed.

See [Build System Documentation](../build-system/README.md) for details on the Makefile precedence system.

### 2. Release Cycle (`release-cycle.yml.template`)

**Location**: `templates/workflows/release-cycle.yml.template`

**Version 02.00.00** - Merged unified-release and release-cycle workflows with auto-detection and manual dispatch modes

Automated release management workflow implementing the MokoStandards release cycle: main → dev → rc → version → main.

**Features**:
- **Auto-detection** - Detects version changes from CITATION.cff, pyproject.toml, package.json, CHANGELOG.md
- **Manual dispatch** - Full control over release actions
- **Semantic versioning** - Automatic validation of version format
- **Branch management** - Automated branch creation and merging
- **Release actions** - start-release, create-rc, finalize-release, hotfix, simple-release
- **Release notes** - Automated generation from commits
- **GitHub releases** - Automatic creation with artifacts

**Actions**:
- `start-release` - Create development branch and update version
- `create-rc` - Create release candidate from dev branch
- `finalize-release` - Create version branch, merge to main, create release
- `hotfix` - Create hotfix branch for emergency fixes

**Trigger Pattern**:
```yaml
on:
  workflow_dispatch:
    inputs:
      action:
        type: choice
        options: [start-release, create-rc, finalize-release, hotfix]
      version:
        type: string
        required: true
```

**Usage**: Copy to `.gitea/workflows/release.yml` for automated release management.

See [Release Management Documentation](../release-management/README.md) for complete release procedures.

### 3. Dependency Review (`dependency-review.yml.template`)

**Location**: `templates/workflows/generic/dependency-review.yml.template`

Comprehensive dependency vulnerability scanning for pull requests.

**Features**:
- **GitHub Dependency Review** - Scans dependencies in PRs
- **npm audit** - Node.js dependency security checks
- **Composer audit** - PHP dependency security checks
- **Python Safety** - Python dependency vulnerability scanning
- **License compliance** - Validates dependency licenses

**Trigger Pattern**:
```yaml
on:
  pull_request:
    branches: [main, dev/**, rc/**]
```

**Usage**: Copy to `.gitea/workflows/dependency-review.yml` to enable dependency scanning on PRs.

### 4. Standards Compliance (`standards-compliance.yml.template`)

**Location**: `templates/workflows/standards-compliance.yml.template`

MokoStandards compliance validation workflow.

**Features**:
- **Repository structure** - Validates required directories and files
- **Documentation quality** - Checks README, CHANGELOG, and other docs
- **Coding standards** - Tab detection, encoding, line endings
- **License compliance** - SPDX header validation
- **Git hygiene** - .gitignore, large files, etc.
- **Workflow validation** - YAML syntax and required workflows

**Trigger Pattern**:
```yaml
on:
  push:
    branches: [main, dev/**, rc/**]
  pull_request:
    branches: [main, dev/**, rc/**]
  workflow_dispatch:
```

**Usage**: Copy to `.gitea/workflows/standards-compliance.yml` to enable compliance checks.

### 5. Flush Actions Cache (`flush-actions-cache.yml.template`)

**Location**: `templates/workflows/flush-actions-cache.yml.template`

Cache management workflow for flushing GitHub Actions caches on demand.

**Features**:
- **Manual trigger** - Run from Actions tab when needed
- **Filter by branch** - Target specific branch caches
- **Filter by key pattern** - Target specific dependency caches (composer, node)
- **Dry-run mode** - Preview deletions before executing
- **Comprehensive reporting** - Shows cache details before deletion
- **Automatic script download** - Downloads latest flush script from MokoStandards

**Trigger Pattern**:
```yaml
on:
  workflow_dispatch:
    inputs:
      branch:
        description: 'Branch to filter caches (leave empty for all branches)'
      key-pattern:
        description: 'Key pattern to filter caches (e.g., composer, node)'
      dry-run:
        description: 'Dry run mode (show what would be deleted without deleting)'
        type: boolean
```

**Common Use Cases**:
- Clear all caches when corrupted
- Clear branch-specific caches after branch deletion
- Clear dependency caches after major updates (Composer, npm)
- Preview cache usage with dry-run mode

**Usage**: Copy to `.gitea/workflows/flush-actions-cache.yml` to enable cache management.

See [flush_actions_cache.py documentation](/docs/api/maintenance/flush-actions-cache-py.md) for detailed script usage.

### 6. CodeQL Analysis (`codeql-analysis.yml`)

**Location**: `templates/workflows/generic/codeql-analysis.yml`

Security scanning with GitHub's CodeQL engine (also available in `.gitea/workflows/`).

See section below for complete details.

## Platform-Specific Workflow Templates (`templates/workflows/`)

The following templates are organized by platform in `templates/workflows/`.

### 1. CI Template (`ci.yml`)

**Location**: `.gitea/workflows/ci.yml` (MokoStandards root)

Continuous Integration workflow that enforces repository standards through automated validation.

**Features**:
- **Manifest validation** - Validates project manifests (Joomla XML, Dolibarr descriptors)
- **XML well-formedness** - Ensures all XML files are properly formatted
- **PHP syntax validation** - Checks PHP code across multiple versions
- **CHANGELOG structure** - Validates changelog formatting and completeness
- **License headers** - Verifies SPDX headers in all source files
- **Version alignment** - Ensures version numbers are consistent across files
- **Path separator checks** - Validates file paths
- **Tab detection** - Enforces space-over-tabs policy
- **Secret scanning** - Prevents accidental secret commits

**Trigger Patterns**:
```yaml
on:
  push:
    branches: [main, dev/**, rc/**, version/**]
  pull_request:
    branches: [main, dev/**, rc/**, version/**]
```

**Usage**: Copy from MokoStandards `.gitea/workflows/ci.yml` to your repository.

### 2. CodeQL Analysis Template (`codeql-analysis.yml`)

**Location**: `.gitea/workflows/codeql-analysis.yml` (MokoStandards root)

Security scanning workflow using GitHub's CodeQL engine for vulnerability detection.

**Features**:
- **Multi-language support** - Analyzes Python, JavaScript, PHP, Go, etc.
- **Security-extended queries** - Uses comprehensive security query packs
- **Quality analysis** - Includes code quality checks
- **Scheduled scans** - Weekly automated security scans (Monday 6:00 AM UTC)
- **PR integration** - Scans all pull requests automatically

**Trigger Patterns**:
```yaml
on:
  push:
    branches: [main, dev/**, rc/**]
  pull_request:
    branches: [main, dev/**, rc/**]
  schedule:
    - cron: '0 6 * * 1'  # Weekly Monday 6:00 AM UTC
  workflow_dispatch:
```

**Usage**: Copy from MokoStandards `.gitea/workflows/codeql-analysis.yml` to your repository.

### 3. Dependency Review

**Purpose**: Automated dependency vulnerability scanning

Dependency scanning in MokoStandards repositories is handled through:
- **Dependabot configuration** - `.github/dependabot.yml` (configure for your project)
- **CodeQL analysis** - Includes dependency checks
- **Generic code quality workflow** - `templates/workflows/generic/code-quality.yml`

**Recommended Approach**:
1. Enable Dependabot in repository settings
2. Create `.github/dependabot.yml` configuration
3. Use CodeQL for comprehensive security analysis

### 4. Standards Compliance Template (`repo_health.yml`)

**Location**: `templates/workflows/generic/repo_health.yml`

Repository health and governance validation workflow that enforces MokoStandards compliance.

**Features**:
- **Admin-only execution** - Requires admin permissions
- **Release configuration checks** - Validates SFTP deployment variables
- **SFTP connectivity testing** - Tests remote server access
- **Scripts governance** - Validates script directory structure
- **Repository artifacts** - Checks required files (README, LICENSE, CONTRIBUTING, etc.)
- **Content heuristics** - Validates document content and structure
- **Extended checks** (optional):
  - CODEOWNERS presence
  - Workflow action version pinning
  - Documentation link integrity
  - ShellCheck validation
  - SPDX header compliance
  - Git hygiene (stale branches)

**Profiles**:
- `all` - Run all checks (default)
- `release` - Release configuration only
- `scripts` - Scripts governance only
- `repo` - Repository health only

**Trigger Pattern**:
```yaml
on:
  workflow_dispatch:
    inputs:
      profile:
        type: choice
        options: [all, release, scripts, repo]
```

**Usage**: Copy from `templates/workflows/generic/repo_health.yml` and customize for your project.

### 5. Platform-Specific Workflows

#### Joomla Workflows (`templates/workflows/joomla/`)

**ci.yml** - Joomla extension CI workflow:
- Joomla manifest validation
- Extension structure checks
- PHP 7.4-8.2 compatibility
- XML schema validation

**test.yml** - Comprehensive Joomla testing:
- PHPUnit tests with Joomla framework
- Code quality (PHPCS, PHPStan, Psalm)
- Matrix testing: PHP 7.4-8.2, Joomla 4.4-5.0
- Code coverage with Codecov

**release.yml** - Automated Joomla package creation:
- Version bumping in manifests
- ZIP package creation with proper structure
- Checksum generation (SHA256, MD5)
- GitHub release creation with changelog
- Release artifact upload

#### Dolibarr Workflows (`templates/workflows/dolibarr/`)

**ci.yml** - Dolibarr module CI workflow:
- Module structure validation
- PHP syntax checking (7.4-8.2)
- Dolibarr API usage validation (16.0-18.0)
- Database schema validation
- Security scanning (SQL injection, XSS, credentials)

**test.yml** - Dolibarr module testing:
- PHPUnit tests with Dolibarr environment
- Automatic Dolibarr installation
- MySQL database integration
- Module linking and installation
- Code coverage reporting

#### Generic Workflows (`templates/workflows/generic/`)

**ci.yml** - Multi-language CI with auto-detection:
- Supports: Node.js, Python, PHP, Go, Ruby, Rust
- Automatic language detection
- Parallel testing across language matrices
- Language-specific linting
- Security scanning with Trivy

**test.yml** - Comprehensive testing framework:
- Unit tests with coverage
- Integration tests (PostgreSQL, Redis)
- End-to-end tests with Playwright
- Codecov integration
- Test result summaries

**deploy.yml** - Multi-environment deployment:
- Automatic environment detection
- Multi-language build support
- Staging and production deployment jobs
- Smoke tests after deployment
- Automatic rollback on failure
- Deployment notifications

**code-quality.yml** - Advanced code analysis:
- Multi-language linting (ESLint, Flake8, PHPCS, golangci-lint, clippy)
- Code formatting validation
- Static analysis (CodeQL, PHPStan, Pylint)
- Dependency security (Snyk, npm audit, pip safety)
- Code complexity analysis

## Platform Detection

Workflows use automatic project type detection based on file presence. See [Project Type Detection](../reference/project-types.md) for complete details.

### Quick Reference

- **Joomla**: Detected by `joomla.xml` manifest file
- **Dolibarr**: Detected by `htdocs/` directory or `core/modules/` structure
- **Generic**: Fallback for all other projects

## Usage Instructions

### For New Projects

1. **Choose appropriate templates**:
   - Joomla → `templates/workflows/joomla/`
   - Dolibarr → `templates/workflows/dolibarr/`
   - Other → `templates/workflows/generic/`

2. **Copy workflow files**:
   ```bash
   mkdir -p .github/workflows
   cp /path/to/MokoStandards/templates/workflows/joomla/ci.yml .gitea/workflows/
   ```

3. **Customize for your project**:
   - Update FILE INFORMATION headers with correct paths
   - Adjust branch patterns if needed
   - Configure environment-specific settings
   - Add/remove validation scripts as appropriate

4. **Commit and enable**:
   ```bash
   git add .gitea/workflows/
   git commit -m "Add MokoStandards workflows"
   git push
   ```

### For Existing Projects

1. Review current workflows against templates
2. Identify gaps or outdated patterns
3. Update workflows incrementally
4. Test on feature branch before merging to main

## Required Workflows

All MokoStandards-governed repositories **MUST** implement:

1. **CI workflow** - For build validation and testing
2. **Security scanning** - CodeQL or equivalent

Recommended workflows:
- Repository health workflow
- Platform-specific test workflows
- Automated release workflows (for libraries/extensions)
- Deployment workflows (for applications)
- Code quality workflows

## Workflow Dependencies

### Common Requirements (All Workflows)

- Git repository with proper branching structure
- Python 3.x for validation scripts
- Proper permissions configured in repository settings

### CI Workflows Require

**For Joomla**:
- `api/validate/manifest.sh`
- `api/validate/xml_wellformed.sh`
- Joomla XML manifest file

**For Dolibarr**:
- Module descriptor (`core/modules/modMyModule.class.php`)
- Proper Dolibarr directory structure

**For Generic**:
- Language-specific package managers (npm, pip, composer, etc.)
- Test configurations

### Test Workflows Require

- Test framework configuration (Jest, pytest, PHPUnit, etc.)
- Optional: Database services (configured in workflow)
- Optional: Browser testing tools (Playwright)

### Deployment Workflows Require

- Environment secrets in GitHub repository settings
- Deployment target configuration
- For SFTP deployments: See [SFTP Deployment Guide](../deployment/sftp.md)

## Standards Compliance

All workflows follow MokoStandards requirements:

- ✅ SPDX license headers (GPL-3.0-or-later)
- ✅ Proper error handling and reporting
- ✅ Step summaries for GitHub Actions UI
- ✅ Audit trail generation
- ✅ Secure secret handling
- ✅ Versioned action dependencies

## Best Practices

1. **Pin action versions** - Use `@v4` not `@main`
2. **Test in feature branches** - Never merge untested workflows
3. **Use workflow concurrency** - Prevent duplicate runs
4. **Set appropriate timeouts** - Avoid hanging workflows
5. **Configure secrets properly** - Use GitHub repository secrets
6. **Monitor costs** - Track GitHub Actions minutes usage
7. **Document customizations** - Add comments for deviations
8. **Review step summaries** - Check GitHub Actions UI after runs
9. **Use matrix strategies** - Test across multiple versions
10. **Keep workflows DRY** - Use reusable workflows when possible

## Integration with Health Scoring

These workflows contribute to the [Health Scoring System](../policy/health-scoring.md):

- **CI/CD Status**: 15 points - CI workflow passing
- **Workflows**: 10 points - Required workflows present
- **Security**: 15 points - CodeQL and dependency scanning enabled

## Support and Troubleshooting

### Common Issues

**Workflow fails to find scripts**:
- Ensure scripts exist in expected locations
- Verify script permissions (`chmod +x`)
- Check FILE INFORMATION paths match actual structure

**SFTP connectivity fails**:
- Verify all required secrets are configured
- Test credentials manually
- Check firewall/network access
- See [SFTP Deployment Guide](../deployment/sftp.md)

**CodeQL fails**:
- Ensure language matrix includes project languages
- Remove languages with no code to analyze
- Review CodeQL queries configuration

### Getting Help

1. Review workflow logs in GitHub Actions UI
2. Check step summaries for detailed errors
3. Validate scripts locally before CI
4. Refer to [Project Types Documentation](../reference/project-types.md)
5. Consult [SFTP Deployment Guide](../deployment/sftp.md)

For issues with templates:
- Open issue in MokoStandards repository
- Tag with `workflow-template` label
- Include workflow name and error details

## Metadata

| Field | Value |
|---|---|
| Document | Workflow Templates Documentation |
| Path | /docs/workflows/README.md |
| Repository | https://git.mokoconsulting.tech/MokoConsulting/MokoStandards |
| Owner | Moko Consulting |
| Status | Active |
| Version        | 04.00.04 |
| Effective | 2026-01-07 |

## Version History

| Version | Date | Changes |
|---|---|---|
| 04.00.04 | 2026-02-08 | Consolidated workflow templates: removed duplicate build-universal (use build.yml.template), removed superseded release-cycle-simple (use release-cycle v2.0) |
| 04.00.04 | 2026-01-07 | Added public workflow templates documentation (build-universal, release-cycle, dependency-review, standards-compliance) |
| 01.00.00 | 2026-01-07 | Initial comprehensive workflow documentation |

## See Also

- [Build System Documentation](../build-system/README.md)
- [Release Management Documentation](../release-management/README.md)
- [Health Scoring System](../policy/health-scoring.md)
- [SFTP Deployment Guide](../deployment/sftp.md)
- [Project Type Detection](../reference/project-types.md)
- [Repository Structure Schema](../guide/repository-structure-schema.md)
- [Workflow Templates (Technical)](../../templates/workflows/README.md)
- [Public Workflow Templates](../../templates/workflows/)