2026-04-15 02:35:30 +00:00
<!--
Copyright (C) 2026 Moko Consulting <hello@mokoconsulting .tech>
SPDX-License-Identifier: GPL-3.0-or-later
# FILE INFORMATION
DEFGROUP: MokoStandards.Documentation
INGROUP: MokoStandards.Workflows
2026-04-16 22:21:59 -05:00
REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
2026-04-15 02:35:30 +00:00
PATH: /docs/workflows/workflow-inventory.md
VERSION: 04.06.00
BRIEF: Complete inventory of GitHub Actions workflows for migration planning
-->
2026-04-16 22:21:59 -05:00
[](https://git.mokoconsulting.tech/MokoConsulting/MokoStandards)
2026-04-15 02:35:30 +00:00
# GitHub Actions Workflow Inventory
## Overview
This document provides a complete inventory of all GitHub Actions workflows in the MokoStandards repository, prepared for migration to `.github-private` repository.
### Repository Architecture
Moko Consulting maintains a dual-repository strategy:
- **`MokoStandards` ** - **Public Central Repository**
- Public standards, templates, and documentation
- Community-accessible workflow templates
- Open-source best practices
- **`.github-private` ** - **Private and Secure Centralization**
- Proprietary workflow implementations
- Organization-specific CI/CD pipelines
- Sensitive automation and deployment logic
This inventory identifies which workflows stay in the public `MokoStandards` repository and which migrate to the private `.github-private` repository for secure centralization.
## Workflow Summary
| # | Workflow | LOC | Complexity | Secrets Used | Migration Decision |
|---|----------|-----|------------|--------------|-------------------|
| 1 | php_quality.yml | TBD | Medium | Org Secrets | **Centralize to .github-private** |
| 2 | release_pipeline.yml | TBD | High | Org Secrets | **Centralize to .github-private** |
| 3 | deploy_staging.yml | TBD | High | Org Secrets | **Centralize to .github-private** |
| 4 | joomla_testing.yml | TBD | Medium | Org Secrets | **Centralize to .github-private** |
| 5 | ci.yml | 98 | Low | None | **Keep Local** |
| 6 | repo_health.yml | 651 | High | GH_PAT | **Keep Local** |
| 7 | version_branch.yml | TBD | Medium | GH_PAT | **Keep Local** |
| 8 | codeql-analysis.yml | 93 | Low | None | Keep Local (security) |
| 9 | changelog_update.yml | 76 | Medium | GH_PAT | Evaluate |
| 10 | version_release.yml | 169 | High | GH_PAT | Evaluate |
| 11 | rebuild_docs_indexes.yml | 92 | Medium | GH_PAT | Evaluate |
| 12 | setup_project_v2.yml | 72 | Medium | GH_PAT | Evaluate |
| 13 | sync_docs_to_project.yml | 225 | High | GH_PAT | Evaluate |
**Decision Summary:**
- **Centralize (4):** php_quality.yml, release_pipeline.yml, deploy_staging.yml, joomla_testing.yml
- **Keep Local (3):** ci.yml, repo_health.yml, version_branch.yml
- **Other (7):** Existing workflows to evaluate separately
## Shared Scripts
The following Python scripts will be shared across repositories via `.github-private` :
| Script | Purpose | Current Location | Target Location |
|--------|---------|------------------|-----------------|
| `extension_utils.py` | Joomla extension utilities | Repository-specific | `.github-private/scripts/` |
| `common.py` | Common helper functions | Repository-specific | `.github-private/scripts/` |
These scripts will be:
- Versioned and maintained centrally
- Imported via GitHub Actions checkout from `.github-private`
- Available to all workflows with organization access
- Documented with clear API contracts
## Secret Configuration
All secrets are configured at **organization level** with inheritance:
| Secret Type | Scope | Usage |
|-------------|-------|-------|
| Deployment Keys | Organization | All deployment workflows |
| API Tokens | Organization | Release and quality workflows |
| Registry Credentials | Organization | Docker/package publishing |
| Service Accounts | Organization | External integrations |
**Inheritance Pattern:**
```yaml
jobs :
deploy :
2026-04-26 19:30:30 -05:00
uses : mokoconsulting-tech/.github-private/.gitea/workflows/reusable/deploy-staging.yml@main
2026-04-15 02:35:30 +00:00
secrets : inherit # All org secrets automatically available
```
## Detailed Workflow Analysis
### Workflows to Centralize to .github-private
### 1. php_quality.yml - PHP Code Quality Analysis
**Purpose:** Automated PHP code quality checks including linting, static analysis, and coding standards validation
**Current Status:** To be migrated to `.github-private`
**Triggers:**
- `push` to main and development branches (`dev/**` , `rc/**` )
- `pull_request` to main branch
- `workflow_dispatch` for manual execution
**Jobs:**
1. **syntax-check**
- Validates PHP syntax across all PHP files
- Runs `php -l` (lint) on changed files
- Fails fast if syntax errors found
2. **phpcs** (PHP_CodeSniffer)
- Checks coding standards compliance
- Standard: PSR-12 (configurable)
- Reports: Summary with error count, detailed report artifact
- Error threshold: 0 errors, 10 warnings maximum
3. **phpstan** (Static Analysis)
- Type checking and bug detection
- Level: 6 (out of 9)
- Memory limit: 1GB
- Cache enabled for faster subsequent runs
4. **psalm** (Static Analysis)
- Additional type checking with different heuristics
- Error level: 3
- Shows info about inferred types
- Integrates with PHPUnit for test assertions
5. **phpmd** (Mess Detector)
- Code complexity and design analysis
- Rules: codesize, controversial, design, naming, unusedcode
- Cyclomatic complexity threshold: 10
- NPath complexity threshold: 200
**Matrix Strategy:**
```yaml
strategy :
matrix :
php : [ '7.4' , '8.0' , '8.1' , '8.2' ]
tools : [ 'phpcs' , 'phpstan' , 'psalm' , 'phpmd' ]
fail-fast : false
```
**Dependencies:**
- PHP 7.4-8.2 (multi-version testing)
- Composer for dependency management
- Quality tools installed via composer:
- `squizlabs/php_codesniffer:^3.7`
- `phpstan/phpstan:^1.10`
- `vimeo/psalm:^5.0`
- `phpmd/phpmd:^2.13`
- `extension_utils.py` for Joomla-specific validation
- `common.py` for reporting utilities
**Environment Variables:**
```yaml
env :
COMPOSER_AUTH : ${{ secrets.COMPOSER_AUTH }} # For private packages
PHPSTAN_MEMORY_LIMIT : 1G
PHPCS_COLORS : 1
```
**Outputs:**
- Quality scores (per tool, aggregated)
- Error/warning counts
- Detailed reports as artifacts
- PR comments with summary
**Migration Type:** Convert to reusable workflow in `.github-private`
2026-04-26 19:30:30 -05:00
**Proposed Location:** `.github-private/.gitea/workflows/reusable/php-quality.yml`
2026-04-15 02:35:30 +00:00
**Migration Complexity:** ⭐⭐⭐ Medium
- Requires PHP tool setup and configuration
- Matrix testing adds complexity
- Integration with `extension_utils.py` needs testing
- Multiple output formats to support
**Estimated LOC:** ~250 lines (including all jobs and steps)
**Secrets Required:**
```yaml
secrets :
COMPOSER_AUTH : # Organization-level, for private Packagist/Composer repos
CODECOV_TOKEN : # Organization-level, optional for coverage upload
SONAR_TOKEN : # Organization-level, optional for SonarQube integration
```
**Shared Scripts Used:**
- `extension_utils.py` - Joomla manifest validation, custom rule checks
- `common.py` - Report formatting, PR comment generation
**Reusable Workflow Interface:**
```yaml
on :
workflow_call :
inputs :
php-versions :
description : 'JSON array of PHP versions to test'
required : false
type : string
default : '["7.4", "8.0", "8.1", "8.2"]'
tools :
description : 'Quality tools to run'
required : false
type : string
default : '["phpcs", "phpstan", "psalm", "phpmd"]'
phpcs-standard :
description : 'PHP_CodeSniffer standard'
required : false
type : string
default : 'PSR12'
phpstan-level :
description : 'PHPStan analysis level (0-9)'
required : false
type : string
default : '6'
working-directory :
description : 'Working directory for checks'
required : false
type : string
default : '.'
fail-on-error :
description : 'Fail workflow if errors found'
required : false
type : boolean
default : true
upload-artifacts :
description : 'Upload detailed reports as artifacts'
required : false
type : boolean
default : true
outputs :
quality-score :
description : 'Overall quality score (0-100)'
value : ${{ jobs.aggregate.outputs.score }}
error-count :
description : 'Total number of errors found'
value : ${{ jobs.aggregate.outputs.errors }}
secrets :
COMPOSER_AUTH :
required : false
CODECOV_TOKEN :
required : false
SONAR_TOKEN :
required : false
```
**Success Criteria:**
- All syntax checks pass
- PHPCS: 0 errors, ≤10 warnings
- PHPStan: Level 6 with 0 errors
- Psalm: Error level 3 with 0 errors
- PHPMD: No violations of critical rules
**Performance Optimizations:**
- Cache Composer dependencies (saves ~30 seconds)
- Cache PHPStan result cache (saves ~15 seconds)
- Parallel tool execution where possible
- Skip tools for unchanged file types
**Known Issues:**
- PHPStan can be memory-intensive on large codebases (1GB limit set)
- PHPCS can be slow on monorepos (use path filters)
- Psalm may have false positives with complex types (configure baseline)
**Example Usage After Migration:**
```yaml
name : PHP Quality
on :
push :
branches : [ main, dev/**]
pull_request :
branches : [ main]
jobs :
quality :
2026-04-26 19:30:30 -05:00
uses : mokoconsulting-tech/.github-private/.gitea/workflows/reusable/php-quality.yml@main
2026-04-15 02:35:30 +00:00
with :
php-versions : '["7.4", "8.0", "8.1", "8.2"]'
tools : '["phpcs", "phpstan", "psalm"]'
phpcs-standard : 'PSR12'
phpstan-level : '6'
secrets : inherit
```
---
### 2. release_pipeline.yml - Automated Release Management
**Purpose:** Complete release automation including building, testing, packaging, and publishing to GitHub Releases and external marketplaces
**Current Status:** To be migrated to `.github-private`
**Triggers:**
- `workflow_dispatch` with manual inputs:
- `version` (required): Semver version string (e.g., "1.2.3")
- `platform` (required): Target platform (joomla, dolibarr, generic)
- `publish-to-marketplace` (optional): Whether to publish to JED/Dolistore
- `pre-release` (optional): Mark as pre-release
- `push` with tag matching pattern `v*.*.*`
**Jobs:**
1. **validate-version**
- Validates semver format (X.Y.Z)
- Checks version doesn't already exist
- Verifies version is newer than latest release
- Validates CHANGELOG.md has entry for version
- Duration: ~30 seconds
2. **build-joomla** (conditional: platform == 'joomla')
- Builds Joomla extension package
- Steps:
- Install PHP dependencies (Composer)
- Install JS dependencies (npm/yarn)
- Compile SCSS to CSS
- Minify JavaScript
- Run webpack/build scripts
- Copy files to staging directory
- Update manifest XML with version
- Create ZIP package
- Uses: `extension_utils.py` for manifest updates
- Artifacts: `{extension-name}-{version}.zip`
- Duration: ~2-3 minutes
3. **build-dolibarr** (conditional: platform == 'dolibarr')
- Builds Dolibarr module package
- Similar to Joomla but different structure
- Updates module descriptor
- Creates module archive
- Duration: ~2 minutes
4. **build-generic** (conditional: platform == 'generic')
- Generic build process
- Configurable build command
- Creates distributable artifacts
- Duration: varies
5. **generate-checksums**
- Generates SHA256 checksums for all artifacts
- Creates CHECKSUMS.txt file
- Signs checksums with GPG (optional)
- Duration: ~10 seconds
6. **run-tests**
- Runs test suite on built packages
- Installs package in test environment
- Runs smoke tests
- Validates package integrity
- Duration: ~5 minutes
7. **create-github-release**
- Creates GitHub Release via API
- Release notes from CHANGELOG.md
- Uploads all artifacts
- Tags commit with version
- Duration: ~30 seconds
8. **publish-to-jed** (conditional: platform == 'joomla' && publish-to-marketplace)
- Publishes to Joomla Extensions Directory
- Uses JED API
- Updates extension listing
- Duration: ~1 minute
9. **publish-to-dolistore** (conditional: platform == 'dolibarr' && publish-to-marketplace)
- Publishes to Dolibarr Store
- Uses Dolistore API
- Updates module listing
- Duration: ~1 minute
10. **notify**
- Sends notifications (Slack, email)
- Updates project management tools
- Triggers documentation rebuild
- Duration: ~20 seconds
**Workflow Orchestration:**
```yaml
jobs :
validate-version :
runs-on : ubuntu-latest
build :
needs : validate-version
strategy :
matrix :
include :
- platform : joomla
artifact : extension
- platform : dolibarr
artifact : module
checksums :
needs : build
test :
needs : checksums
release :
needs : test
if : success()
publish :
needs : release
if : inputs.publish-to-marketplace
notify :
needs : [ release, publish]
if : always()
```
**Dependencies:**
- PHP 7.4+ for Joomla/Dolibarr
- Node.js 18+ for frontend builds
- zip/tar utilities
- GitHub CLI (`gh` )
- `extension_utils.py` for package creation
- `common.py` for notification utilities
**Environment Variables:**
```yaml
env :
VERSION : ${{ inputs.version }}
PLATFORM : ${{ inputs.platform }}
BUILD_DIR : build/
DIST_DIR : dist/
```
**Secrets Required:**
```yaml
secrets :
GH_PAT : # GitHub Personal Access Token for release creation
MARKETPLACE_TOKEN : # JED API token
JED_API_KEY : # Joomla Extensions Directory API key
DOLISTORE_API_KEY : # Dolibarr Store API key
RELEASE_SIGNING_KEY : # GPG key for signing (optional)
SLACK_WEBHOOK : # Notification webhook
COMPOSER_AUTH : # For private dependencies (optional)
```
**Outputs:**
```yaml
outputs :
release-url :
description : 'URL of created GitHub Release'
artifact-urls :
description : 'JSON array of artifact download URLs'
marketplace-url :
description : 'URL of marketplace listing'
```
**Migration Type:** Convert to reusable workflow in `.github-private`
2026-04-26 19:30:30 -05:00
**Proposed Location:** `.github-private/.gitea/workflows/reusable/release-pipeline.yml`
2026-04-15 02:35:30 +00:00
**Migration Complexity:** ⭐⭐⭐⭐⭐ Very High
- Complex multi-stage process
- Multiple platform support
- External API integrations
- Rollback complexity
- Error handling critical
**Estimated LOC:** ~450 lines (all jobs, error handling, rollback)
**Shared Scripts Used:**
- `extension_utils.py` - Package creation, manifest updates, ZIP generation
- `common.py` - API client utilities, notification sending, error handling
**Reusable Workflow Interface:**
```yaml
on :
workflow_call :
inputs :
version :
description : 'Release version (semver format)'
required : true
type : string
platform :
description : 'Target platform'
required : true
type: string # enum : joomla, dolibarr, generic
publish-to-marketplace :
description : 'Publish to external marketplace'
required : false
type : boolean
default : false
create-github-release :
description : 'Create GitHub release'
required : false
type : boolean
default : true
pre-release :
description : 'Mark as pre-release'
required : false
type : boolean
default : false
draft :
description : 'Create as draft release'
required : false
type : boolean
default : false
run-tests :
description : 'Run tests before release'
required : false
type : boolean
default : true
outputs :
release-url :
description : 'GitHub Release URL'
value : ${{ jobs.release.outputs.url }}
artifact-urls :
description : 'Artifact download URLs (JSON array)'
value : ${{ jobs.release.outputs.artifacts }}
```
**Rollback Strategy:**
```yaml
- name : Rollback on failure
if : failure()
run : |
# Delete GitHub release if created
gh release delete ${{ inputs.version }} --yes || true
# Delete Git tag
git push --delete origin v${{ inputs.version }} || true
# Unpublish from marketplace (if published)
if [ "${{ inputs.publish-to-marketplace }}" = "true" ]; then
curl -X DELETE "$JED_API_URL/extensions/$EXTENSION_ID/versions/$VERSION" \
-H "Authorization: Bearer ${{ secrets.JED_API_KEY }}"
fi
# Notify team of rollback
curl -X POST ${{ secrets.SLACK_WEBHOOK }} \
-d '{"text":"Release ${{ inputs.version }} rolled back due to failure"}'
```
**Success Criteria:**
- Version validation passes
- All builds succeed
- Tests pass on built artifacts
- GitHub Release created
- Marketplace publishing succeeds (if enabled)
- Notifications sent
**Performance Optimizations:**
- Cache build dependencies (Composer, npm)
- Parallel builds for multiple platforms
- Reuse test environments between runs
**Known Issues:**
- JED API can be rate-limited (implement retry with exponential backoff)
- Large extension ZIPs can timeout on upload (increase timeout to 30 min)
- Dolistore API occasionally returns 500 (implement retry logic)
**Example Usage After Migration:**
```yaml
name : Release
on :
workflow_dispatch :
inputs :
version :
required : true
publish :
type : boolean
default : false
jobs :
release :
2026-04-26 19:30:30 -05:00
uses : mokoconsulting-tech/.github-private/.gitea/workflows/reusable/release-pipeline.yml@main
2026-04-15 02:35:30 +00:00
with :
version : ${{ inputs.version }}
platform : 'joomla'
publish-to-marketplace : ${{ inputs.publish }}
pre-release : false
secrets : inherit
```
**Additional Notes:**
- Integrates with version_release.yml for version bumping
- Can trigger deploy workflows after successful release
- Supports multi-package releases (component + modules + plugins)
- Maintains release history in RELEASES.md
---
### 3. deploy_staging.yml - Staging Environment Deployment
**Purpose:** Automated deployment to staging environments for testing before production release
**Current Status:** To be migrated to `.github-private`
**Triggers:**
- `push` to develop branch
- `workflow_dispatch` for manual deployment with inputs:
- `environment` (default: 'staging'): Target environment
- `version` (optional): Specific version to deploy
- `skip-tests` (optional): Skip smoke tests
- Successful completion of `php_quality.yml` workflow
**Jobs:**
1. **pre-deploy-checks**
- Validates deployment configuration
- Checks target environment health
- Verifies required secrets are available
- Confirms no ongoing deployments
- Duration: ~30 seconds
2. **build-deployment-package**
- Creates deployment artifact
- Includes only necessary files
- Excludes development files (.git, tests, etc.)
- Compresses package
- Duration: ~1-2 minutes
3. **backup-current**
- Creates backup of current staging environment
- Backs up database
- Backs up files
- Stores backup with timestamp
- Duration: ~2-3 minutes
4. **deploy-to-staging**
- SSHs to staging server
- Uploads deployment package
- Extracts files to correct location
- Sets proper permissions
- Runs database migrations
- Clears caches
- Duration: ~3-5 minutes
5. **smoke-tests**
- Waits for application to stabilize (30 seconds)
- Runs HTTP health checks
- Validates critical endpoints
- Checks database connectivity
- Verifies file permissions
- Duration: ~2 minutes
6. **integration-tests** (optional)
- Runs Selenium/Playwright tests
- Tests critical user flows
- Validates API endpoints
- Duration: ~5-10 minutes
7. **notify-success**
- Sends deployment success notification
- Updates deployment tracking system
- Posts to Slack/Teams
- Duration: ~10 seconds
8. **rollback** (on failure)
- Automatically triggered if any step fails
- Restores from backup
- Rolls back database
- Restores files
- Clears caches
- Notifies team of rollback
- Duration: ~3-5 minutes
**Workflow Orchestration:**
```yaml
jobs :
pre-deploy-checks :
runs-on : ubuntu-latest
backup :
needs : pre-deploy-checks
runs-on : ubuntu-latest
deploy :
needs : backup
runs-on : ubuntu-latest
environment :
name : staging
url : https://staging.example.com
smoke-tests :
needs : deploy
runs-on : ubuntu-latest
integration-tests :
needs : smoke-tests
if : inputs.skip-tests == false
runs-on : ubuntu-latest
notify :
needs : [ deploy, smoke-tests, integration-tests]
if : always()
runs-on : ubuntu-latest
```
**Dependencies:**
- SSH client
- rsync for file transfer
- MySQL client for database operations
- curl for HTTP checks
- `common.py` for deployment utilities
**Environment Variables:**
```yaml
env :
STAGING_HOST : ${{ secrets.STAGING_HOST }}
STAGING_USER : ${{ secrets.STAGING_USER }}
STAGING_PATH : /var/www/staging
BACKUP_PATH : /var/backups/staging
DATABASE_NAME : staging_db
```
**Secrets Required:**
```yaml
secrets :
STAGING_SSH_KEY : # SSH private key for staging server access
STAGING_HOST : # Staging server hostname/IP
STAGING_USER : # SSH username
STAGING_DB_PASSWORD : # Database password for migrations
SLACK_WEBHOOK : # Notification webhook
HEALTH_CHECK_TOKEN : # Token for health check endpoints (optional)
```
**Outputs:**
```yaml
outputs :
deployment-url :
description : 'URL of deployed application'
deployment-time :
description : 'Deployment timestamp'
backup-id :
description : 'Backup identifier for rollback'
```
**Migration Type:** Convert to reusable workflow in `.github-private`
2026-04-26 19:30:30 -05:00
**Proposed Location:** `.github-private/.gitea/workflows/reusable/deploy-staging.yml`
2026-04-15 02:35:30 +00:00
**Migration Complexity:** ⭐⭐⭐⭐ High
- Requires secure credential handling
- Complex deployment logic with rollback
- Environment-specific configurations
- Critical failure handling needed
**Estimated LOC:** ~350 lines (including rollback logic)
**Shared Scripts Used:**
- `common.py` - SSH utilities, health checks, notification sending
**Reusable Workflow Interface:**
```yaml
on :
workflow_call :
inputs :
environment :
description : 'Target environment (staging, qa, demo)'
required : false
type : string
default : 'staging'
version :
description: 'Version to deploy (default : latest)'
required : false
type : string
skip-tests :
description : 'Skip smoke and integration tests'
required : false
type : boolean
default : false
health-check-url :
description : 'URL for health check'
required : true
type : string
rollback-on-failure :
description : 'Automatically rollback on failure'
required : false
type : boolean
default : true
outputs :
deployment-url :
description : 'Deployed application URL'
value : ${{ jobs.deploy.outputs.url }}
backup-id :
description : 'Backup ID (for manual rollback)'
value : ${{ jobs.backup.outputs.backup-id }}
```
**Rollback Strategy:**
```yaml
- name : Automatic Rollback
if : failure() && inputs.rollback-on-failure
run : |
echo "Deployment failed, rolling back to previous version..."
# Restore files from backup
ssh $STAGING_USER@$STAGING_HOST "cd $BACKUP_PATH && ./restore.sh $BACKUP_ID"
# Restore database
ssh $STAGING_USER@$STAGING_HOST "mysql -u$DB_USER -p$DB_PASS $DATABASE_NAME < $BACKUP_PATH/$BACKUP_ID/database.sql"
# Clear caches
ssh $STAGING_USER@$STAGING_HOST "cd $STAGING_PATH && php artisan cache:clear"
# Verify rollback successful
curl -f ${{ inputs.health-check-url }} || echo "⚠️ Health check failed after rollback"
# Notify team
curl -X POST $SLACK_WEBHOOK \
-d '{"text":"🔴 Staging deployment failed and was rolled back. Backup ID: '"$BACKUP_ID"'"}'
```
**Health Check Implementation:**
```yaml
- name : Run Health Checks
run : |
MAX_RETRIES=10
RETRY_DELAY=5
for i in $(seq 1 $MAX_RETRIES); do
echo "Health check attempt $i/$MAX_RETRIES..."
# Check HTTP 200 response
if curl -f -s -o /dev/null -w "%{http_code}" ${{ inputs.health-check-url }} | grep -q "200"; then
echo "✅ Health check passed"
exit 0
fi
echo "❌ Health check failed, retrying in ${RETRY_DELAY}s..."
sleep $RETRY_DELAY
done
echo "❌ Health check failed after $MAX_RETRIES attempts"
exit 1
```
**Success Criteria:**
- Pre-deploy checks pass
- Backup created successfully
- Files deployed without errors
- Database migrations succeed
- Health checks return 200 OK
- Smoke tests pass
**Performance Optimizations:**
- Use rsync with compression for faster file transfer
- Parallel backup of files and database
- Skip unchanged files during deployment
- Cache SSH connections
**Known Issues:**
- SSH connection can timeout on slow networks (increase timeout to 600s)
- Large database backups can be slow (implement incremental backups)
- Simultaneous deployments can cause conflicts (use deployment locks)
**Example Usage After Migration:**
```yaml
name : Deploy to Staging
on :
push :
branches : [ develop]
jobs :
deploy :
2026-04-26 19:30:30 -05:00
uses : mokoconsulting-tech/.github-private/.gitea/workflows/reusable/deploy-staging.yml@main
2026-04-15 02:35:30 +00:00
with :
environment : staging
health-check-url : 'https://staging.example.com/health'
skip-tests : false
secrets : inherit
```
**Additional Notes:**
- Integrates with monitoring tools (Datadog, New Relic)
- Supports blue-green deployments (future enhancement)
- Can trigger load testing after deployment
- Maintains deployment history and audit logs
---
### 4. joomla_testing.yml - Joomla Extension Testing
**Purpose:** Comprehensive testing for Joomla extensions across multiple PHP and Joomla versions with integration tests
**Current Status:** To be migrated to `.github-private`
**Triggers:**
- `push` to main and development branches
- `pull_request` to main
- `schedule` : Nightly at 2:00 AM UTC
- `workflow_dispatch` with manual inputs:
- `php-versions` (optional): PHP versions to test
- `joomla-versions` (optional): Joomla versions to test
- `coverage` (optional): Enable code coverage
**Jobs:**
1. **unit-tests**
- Runs PHPUnit tests without Joomla
- Fast feedback on core logic
- No database required
- Duration: ~1-2 minutes per PHP version
2. **integration-tests**
- Sets up full Joomla installation
- Installs extension
- Runs integration tests
- Tests database interactions
- Duration: ~5-10 minutes per matrix combination
3. **code-coverage**
- Collects coverage from all test runs
- Generates HTML/XML reports
- Uploads to Codecov/Coveralls
- Enforces minimum coverage threshold (80%)
- Duration: ~2 minutes
4. **compatibility-check**
- Validates extension compatibility
- Checks manifest requirements
- Verifies update server
- Tests installation/uninstallation
- Duration: ~3 minutes
5. **browser-tests** (optional)
- Selenium/Playwright E2E tests
- Tests admin interface
- Tests frontend functionality
- Screenshots on failure
- Duration: ~10-15 minutes
**Matrix Strategy:**
```yaml
strategy :
matrix :
php : [ '7.4' , '8.0' , '8.1' , '8.2' ]
joomla : [ '4.4' , '5.0' , '5.1' ]
include :
# Test PHP 8.3 with latest Joomla only
- php : '8.3'
joomla : '5.1'
exclude :
# Joomla 4.4 doesn't support PHP 8.2+
- php : '8.2'
joomla : '4.4'
- php : '8.3'
joomla : '4.4'
fail-fast : false # Continue testing other combinations
max-parallel : 4 # Limit concurrent jobs
```
**Dependencies:**
- PHP 7.4-8.3 with extensions: `mysqli` , `gd` , `zip` , `xml` , `mbstring`
- MySQL/MariaDB 5.7+
- Joomla CMS 4.4-5.1
- PHPUnit 9.5+
- Composer
- Node.js (for frontend builds)
- `extension_utils.py` for installation testing
**Environment Variables:**
```yaml
env :
JOOMLA_DB_HOST : 127.0.0.1
JOOMLA_DB_USER : root
JOOMLA_DB_PASS : root
JOOMLA_DB_NAME : joomla_test
JOOMLA_ADMIN_USER : admin
JOOMLA_ADMIN_PASS : admin123!
COVERAGE_THRESHOLD : 80
```
**Services:**
```yaml
services :
mysql :
image : mysql:8.0
env :
MYSQL_ROOT_PASSWORD : root
MYSQL_DATABASE : joomla_test
ports :
- 3306 : 3306
options : >-
--health-cmd="mysqladmin ping"
--health-interval=10s
--health-timeout=5s
--health-retries=3
```
**Secrets Required:**
```yaml
secrets :
CODECOV_TOKEN : # Code coverage service token
TEST_DB_PASSWORD : # Test database password (if different from env)
BROWSERSTACK_KEY : # BrowserStack for cross-browser testing (optional)
```
**Outputs:**
```yaml
outputs :
coverage-percentage :
description : 'Code coverage percentage'
test-results :
description : 'Summary of test results (JSON)'
compatibility-matrix :
description : 'Compatibility matrix results (JSON)'
```
**Migration Type:** Convert to reusable workflow in `.github-private`
2026-04-26 19:30:30 -05:00
**Proposed Location:** `.github-private/.gitea/workflows/reusable/joomla-testing.yml`
2026-04-15 02:35:30 +00:00
**Migration Complexity:** ⭐⭐⭐⭐ High
- Complex test matrix (PHP ×
- Full Joomla setup required
- Database service coordination
- Coverage collection from multiple jobs
**Estimated LOC:** ~500 lines (including matrix, setup, all test types)
**Shared Scripts Used:**
- `extension_utils.py` - Extension installation, manifest validation, update server checks
- `common.py` - Test result aggregation, coverage reporting
**Reusable Workflow Interface:**
```yaml
on :
workflow_call :
inputs :
php-versions :
description : 'PHP versions to test (JSON array)'
required : false
type : string
default : '["7.4", "8.0", "8.1", "8.2"]'
joomla-versions :
description : 'Joomla versions to test (JSON array)'
required : false
type : string
default : '["4.4", "5.0", "5.1"]'
coverage :
description : 'Enable code coverage'
required : false
type : boolean
default : true
browser-tests :
description : 'Run browser-based E2E tests'
required : false
type : boolean
default : false
coverage-threshold :
description : 'Minimum coverage percentage required'
required : false
type : number
default : 80
outputs :
coverage-percentage :
description : 'Overall code coverage'
value : ${{ jobs.coverage.outputs.percentage }}
tests-passed :
description : 'All tests passed (true/false)'
value : ${{ jobs.aggregate.outputs.success }}
```
**Test Setup Steps:**
```yaml
- name : Setup Joomla
run : |
# Download Joomla
wget https://downloads.joomla.org/cms/joomla${{ matrix.joomla }}/Joomla_${{ matrix.joomla }}.0-Stable-Full_Package.zip
# Extract
unzip -q Joomla_${{ matrix.joomla }}.0-Stable-Full_Package.zip -d /var/www/html
# Install Joomla via CLI
php /var/www/html/installation/joomla.php install \
--site-name="Test Site" \
--admin-user="$JOOMLA_ADMIN_USER" \
--admin-password="$JOOMLA_ADMIN_PASS" \
--admin-email="admin@example.com" \
--db-type="mysqli" \
--db-host="$JOOMLA_DB_HOST" \
--db-user="$JOOMLA_DB_USER" \
--db-pass="$JOOMLA_DB_PASS" \
--db-name="$JOOMLA_DB_NAME" \
--db-prefix="jos_"
# Remove installation folder
rm -rf /var/www/html/installation
- name : Install Extension
run : |
# Use extension_utils.py to install
python .github-private/scripts/extension_utils.py install \
--joomla-path /var/www/html \
--package dist/*.zip
```
**Success Criteria:**
- All unit tests pass
- All integration tests pass across matrix
- Code coverage ≥ 80%
- Extension installs successfully
- No PHP errors/warnings in logs
- Browser tests pass (if enabled)
**Performance Optimizations:**
- Cache Joomla downloads (saves ~30 seconds)
- Cache Composer/npm dependencies
- Parallel test execution where possible
- Skip browser tests for draft PRs
**Known Issues:**
- Joomla 5.x requires PHP 8.0+ (matrix excludes invalid combinations)
- MySQL 8.0 authentication issues with PHP 7.4 (use legacy auth)
- Browser tests can be flaky (implement retry logic)
- Large test suites can timeout (split into multiple jobs)
**Example Usage After Migration:**
```yaml
name : Test Joomla Extension
on :
push :
branches : [ main, develop]
pull_request :
branches : [ main]
jobs :
test :
2026-04-26 19:30:30 -05:00
uses : mokoconsulting-tech/.github-private/.gitea/workflows/reusable/joomla-testing.yml@main
2026-04-15 02:35:30 +00:00
with :
php-versions : '["7.4", "8.0", "8.1", "8.2"]'
joomla-versions : '["4.4", "5.0", "5.1"]'
coverage : true
browser-tests : false
coverage-threshold : 80
secrets : inherit
```
**Additional Notes:**
- Supports multiple extension types (component, module, plugin, template)
- Can test against Joomla nightly builds
- Integrates with PHPUnit code coverage
- Generates compatibility badge for README
- Saves test artifacts (logs, screenshots) for debugging
---
### Workflows to Keep Local
### 5. ci.yml - Continuous Integration
**Purpose:** Validate repository standards and run compliance checks
**Triggers:**
- Push to main, dev/**, rc/**, version/** branches
- Pull requests to main, dev/**, rc/**, version/** branches
**Jobs:**
- Repository validation pipeline
- Script executability verification
- Required and optional validations
**Dependencies:**
- Scripts in `api/validate/`
- Python 3.x
- ShellCheck
**Decision:** **Keep Local**
**Rationale:**
- Repository-specific validation rules
- No sensitive proprietary logic in this workflow
- Fast iteration without cross-repo dependencies
- Public transparency for CI process
---
### 6. repo_health.yml - Repository Health & Governance
**Purpose:** Comprehensive repository health checks and governance validation
**Triggers:**
- Manual workflow_dispatch with profile selection
- Push to main (workflows, scripts, docs paths)
- Pull requests to main
**Jobs:**
- Admin-only execution gate
- Scripts governance validation
- Repository artifact validation
- Content heuristics
- Extended health checks
- Audit trail generation
**Dependencies:**
- Python 3.x for JSON processing
- ShellCheck
- Various governance artifacts
**Decision:** **Keep Local**
**Rationale:**
- Repository governance is repo-specific
- Complex proprietary validation logic best maintained locally
- Frequent updates needed for repository-specific rules
- Admin-only execution gate works better locally
**Note:** While this contains proprietary governance logic, keeping it local allows for repository-specific customization and faster iteration.
---
### 7. version_branch.yml - Version Branch Management
**Purpose:** Automated creation and management of version-specific branches
**Triggers:**
- Manual workflow_dispatch with version parameters
- Release creation events
**Jobs:**
- Version branch creation
- Branch protection setup
- Documentation updates
- Changelog initialization
**Dependencies:**
- Git operations
- Branch protection API
- Documentation generator
**Decision:** **Keep Local**
**Rationale:**
- Repository-specific branching strategies
- Different versioning schemes per repository
- Fast iteration on branching logic
- No sensitive deployment credentials
---
### 8. codeql-analysis.yml - Security Code Scanning
**Purpose:** Automated security vulnerability detection using CodeQL
**Triggers:**
- Push to main
- Pull requests to main
- Schedule: Weekly on Mondays
**Jobs:**
- CodeQL analysis for multiple languages
- Security alert generation
**Dependencies:**
- GitHub CodeQL action
- Language detection
**Decision:** **Keep Local** (security best practice)
**Rationale:**
- Standard GitHub security feature
- Public transparency for security scanning
- Best practice to keep in public repositories
- No customization needed
---
### Other Existing Workflows (To Evaluate Separately)
### 9. changelog_update.yml - Changelog Management
**Purpose:** Automated CHANGELOG.md updates and validation
**Triggers:**
- Push to main
- Manual workflow_dispatch
**Jobs:**
- Changelog validation
- Automatic updates
- Commit and push changes
**Dependencies:**
- Python 3.x
- GH_PAT secret
**Decision:** Evaluate - May keep local or integrate with release_pipeline.yml
---
### 10. version_release.yml - Version Management
**Purpose:** Automated version bumping and release creation
**Triggers:**
- Manual workflow_dispatch with version inputs
**Jobs:**
- Version validation
- File updates
- Branch creation
- Changelog updates
- Governance checks
**Dependencies:**
- Python 3.x
- GH_PAT secret
- Multiple governance artifacts
**Decision:** Evaluate - May integrate with release_pipeline.yml or keep local
---
### 11. rebuild_docs_indexes.yml - Documentation Index Generation
**Purpose:** Automatically rebuild documentation index files
**Triggers:**
- Push to main (docs/ and templates/ paths)
- Pull requests to main
- Manual workflow_dispatch
**Jobs:**
- Run Python script to generate indexes
- Commit and push changes
**Dependencies:**
- Python 3.x
- `scripts/docs/rebuild_indexes.py`
- GH_PAT secret
**Decision:** Evaluate - Repository-specific documentation may warrant keeping local
---
### 12. setup_project_v2.yml - GitHub Projects v2 Setup
**Purpose:** Automated GitHub Projects v2 creation and configuration
**Triggers:**
- Manual workflow_dispatch with project parameters
**Jobs:**
- Project creation
- Field configuration
- Item population
**Dependencies:**
- Python 3.x
- GitHub GraphQL API
- GH_PAT secret
- Project setup scripts
**Decision:** Evaluate - Project automation may benefit from centralization
---
### 13. sync_docs_to_project.yml - Documentation Project Sync
**Purpose:** Sync documentation files to GitHub Project items
**Triggers:**
- Push to main (docs/ and templates/ paths)
- Manual workflow_dispatch
**Jobs:**
- Scan documentation files
- Create/update project items
- Set custom fields
- Generate sync report
**Dependencies:**
- Python 3.x
- GitHub GraphQL API
- GH_PAT secret
- `scripts/sync_file_to_project.py`
**Decision:** Evaluate - Project sync may benefit from centralization
---
## Secret Dependencies
### Organization-Level Secrets (Configured)
All secrets are configured at **organization level** with automatic inheritance to workflows:
| Secret Category | Specific Secrets | Used By | Purpose |
|-----------------|------------------|---------|---------|
| **Deployment** | STAGING_SSH_KEY, STAGING_HOST | deploy_staging.yml | Staging deployment |
| **Releases** | MARKETPLACE_TOKEN, JED_API_KEY | release_pipeline.yml | Marketplace publishing |
| **Quality** | CODECOV_TOKEN, SONAR_TOKEN | php_quality.yml, joomla_testing.yml | Code coverage/quality |
| **Testing** | TEST_DB_PASSWORD | joomla_testing.yml | Test database setup |
| **General** | GH_PAT | Various | GitHub API access |
### Inheritance Pattern
Workflows use `secrets: inherit` to access all organization secrets:
```yaml
jobs :
quality :
2026-04-26 19:30:30 -05:00
uses : mokoconsulting-tech/.github-private/.gitea/workflows/reusable/php-quality.yml@main
2026-04-15 02:35:30 +00:00
secrets : inherit # Automatically inherits all org secrets
```
**Benefits:**
- Single source of truth for secrets
- No per-repository secret configuration
- Automatic rotation across all repositories
- Centralized access control
## Script Dependencies
### Shared Scripts (Move to .github-private)
| Script | Used By | Purpose | Target Location |
|--------|---------|---------|-----------------|
| **extension_utils.py** | php_quality.yml, joomla_testing.yml, release_pipeline.yml | Joomla extension operations | `.github-private/scripts/` |
| **common.py** | All centralized workflows | Common utilities | `.github-private/scripts/` |
**Usage Pattern in Workflows:**
```yaml
- name : Checkout shared scripts
uses : actions/checkout@v4
with :
repository : mokoconsulting-tech/.github-private
path : .github-private
token : ${{ secrets.GH_PAT }}
- name : Use shared scripts
run : |
python .github-private/scripts/extension_utils.py
```
### Repository-Specific Scripts (Keep Local)
| Script | Used By | Migration Action |
|--------|---------|------------------|
| `api/validate/*` | ci.yml | Keep in repository (repo-specific) |
| `scripts/docs/rebuild_indexes.py` | rebuild_docs_indexes.yml | Keep in repository |
| `scripts/setup_project_v2.py` | setup_project_v2.yml | Evaluate for centralization |
| `api/automation/sync_file_to_project.py` | sync_docs_to_project.yml | Keep in repository |
## Migration Priority Matrix
### Centralize to .github-private (Priority 1)
1. **php_quality.yml** - PHP code quality analysis with shared scripts
2. **release_pipeline.yml** - Release automation with marketplace integration
3. **deploy_staging.yml** - Staging deployment with sensitive credentials
4. **joomla_testing.yml** - Comprehensive Joomla testing matrix
### Keep Local (Decided)
5. **ci.yml** - Repository-specific validation
6. **repo_health.yml** - Repository governance (proprietary but repo-specific)
7. **version_branch.yml** - Repository-specific branching
8. **codeql-analysis.yml** - Security best practice (keep public)
### Evaluate Later
9. **changelog_update.yml** - May integrate with release_pipeline.yml
10. **version_release.yml** - May integrate with release_pipeline.yml
11. **rebuild_docs_indexes.yml** - Repository-specific documentation
12. **setup_project_v2.yml** - Project automation
13. **sync_docs_to_project.yml** - Project sync
## Reusable Workflow Structure
### Finalized .github-private Layout
```
.github-private/
├── .github/
│ └── workflows/
│ ├── reusable/
│ │ ├── php-quality.yml (php_quality.yml)
│ │ ├── release-pipeline.yml (release_pipeline.yml)
│ │ ├── deploy-staging.yml (deploy_staging.yml)
│ │ └── joomla-testing.yml (joomla_testing.yml)
│ └── templates/
│ ├── php-quality-template.yml
│ ├── release-template.yml
│ ├── deploy-template.yml
│ └── testing-template.yml
├── scripts/
│ ├── extension_utils.py (shared across repos)
│ ├── common.py (shared across repos)
│ └── README.md
└── docs/
├── README.md
├── workflow-usage.md
└── script-api.md
```
## Migration Checklist
### Pre-Migration
- [ ] Create `.github-private` repository
- [ ] Configure repository access
- [ ] Set up organization secrets
- [ ] Document all workflow dependencies
- [ ] Create backup of current workflows
### Per-Workflow Migration
- [ ] Analyze workflow complexity
- [ ] Identify sensitive content
- [ ] Design reusable workflow interface
- [ ] Create reusable workflow in `.github-private`
- [ ] Test reusable workflow in isolation
- [ ] Update caller workflow in public repo
- [ ] Test integration end-to-end
- [ ] Archive old workflow with deprecation notice
- [ ] Update documentation
- [ ] Notify affected teams
### Post-Migration
- [ ] Monitor workflow runs
- [ ] Verify all repositories using new workflows
- [ ] Clean up archived workflows
- [ ] Update repository documentation
- [ ] Conduct team training session
- [ ] Create runbook for common issues
## Risk Assessment
### High Risk
- **Breaking Changes:** Workflow interface changes could break existing implementations
- **Access Issues:** Repository permission problems could block workflow execution
- **Secret Management:** Incorrect secret configuration could expose sensitive data
### Medium Risk
- **Performance:** Additional indirection could slow workflow execution
- **Debugging:** Harder to troubleshoot issues in private repository
- **Maintenance:** Two repositories to manage instead of one
### Low Risk
- **Documentation:** Migration guide reduces knowledge transfer issues
- **Testing:** Comprehensive testing strategy mitigates most risks
- **Rollback:** Clear rollback plan available
## Success Metrics
### Migration Success
- All workflows migrated within 4-week timeline
- Zero downtime or failed runs during migration
- All secrets properly configured
- Complete documentation updated
### Post-Migration Success
- Workflow run success rate > 95%
- Average workflow execution time maintained or improved
- Zero security incidents related to workflow access
- Team satisfaction rating > 4/5
## Metadata
| Field | Value |
|-------|-------|
| Document | Workflow Inventory |
| Path | /.github/WORKFLOW_INVENTORY.md |
| Status | Active |
| Version | 01.00.00 |
| Date | 2026-01-04 |
| Last Updated | 2026-01-04 |
## Revision History
| Date | Change | Author |
|------|--------|--------|
| 2026-01-04 | Initial inventory created for migration planning | DevOps Team |
