Compare commits

..

42 Commits

Author SHA1 Message Date
jmiller 81d065b9bb feat: MokoGIT branding -- mokoconsulting.tech reskin, Font Awesome, toggle, a11y menu, PWA
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
Universal: PR Check / Validate PR (pull_request) Successful in 9s
Generic: Project CI / Lint & Validate (pull_request) Successful in 32s
Generic: Standards Compliance / Secret Scanning (push) Failing after 9s
Universal: PR Check / Secret Scan (pull_request) Successful in 51s
Generic: Standards Compliance / License Header Validation (push) Successful in 9s
Generic: Standards Compliance / Repository Structure Validation (push) Successful in 8s
Generic: Standards Compliance / Coding Standards Check (push) Successful in 10s
Generic: Standards Compliance / Workflow Configuration Check (push) Failing after 9s
Generic: Standards Compliance / Documentation Quality Check (push) Successful in 8s
Generic: Standards Compliance / README Completeness Check (push) Failing after 7s
Generic: Standards Compliance / Version Consistency Check (push) Successful in 1m2s
Generic: Standards Compliance / Script Integrity Validation (push) Successful in 26s
Generic: Standards Compliance / Git Repository Hygiene (push) Successful in 1m5s
Generic: Standards Compliance / File Naming Standards (push) Successful in 10s
Generic: Standards Compliance / Line Length Check (push) Successful in 23s
Generic: Standards Compliance / Insecure Code Pattern Detection (push) Successful in 10s
Generic: Standards Compliance / Code Complexity Analysis (push) Successful in 1m2s
Generic: Standards Compliance / Code Duplication Detection (push) Successful in 1m8s
Generic: Standards Compliance / Dead Code Detection (push) Successful in 16s
Generic: Standards Compliance / File Size Limits (push) Successful in 16s
Generic: Standards Compliance / TODO/FIXME Tracking (push) Successful in 14s
Generic: Standards Compliance / Dependency Vulnerability Scanning (push) Successful in 1m3s
Deploy (Prod) / Build & Deploy to Prod (push) Successful in 5m9s
Generic: Standards Compliance / Broken Link Detection (push) Successful in 12s
Generic: Standards Compliance / API Documentation Coverage (push) Successful in 7s
Generic: Standards Compliance / Accessibility Check (push) Successful in 7s
Generic: Standards Compliance / Performance Metrics (push) Successful in 8s
Generic: Standards Compliance / Binary File Detection (push) Successful in 2m12s
Generic: Standards Compliance / Unused Dependencies Check (push) Successful in 55s
Generic: Standards Compliance / Terraform Configuration Validation (push) Successful in 12s
Generic: Standards Compliance / Enterprise Readiness Check (push) Successful in 55s
Generic: Standards Compliance / Repository Health Check (push) Successful in 54s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Generic: Standards Compliance / Compliance Summary (push) Has been cancelled
Comprehensive MokoGIT theme/branding built from the authoritative mokoconsulting.tech
design tokens (MokoOnyx *.custom.css):

- Theme: replace gitea themes entirely with theme-mokogit-{light,dark,auto} (default
  mokogit-auto); brand tokens (primary #010156 / accent #3f8ff0, navy nav+footer #112855,
  semantic palette); mokogit-brand.css component reskin; runtime custom-stylesheet override
  hook (templates/custom/header.tmpl -> mokogit-custom.css, re-skin live with no rebuild).
- Font Awesome 7 Free 7.1.0: vendored unmodified (CSS headers intact + webfonts + verbatim
  LICENSE.txt), license-compliant for distribution/white-label (Icons CC BY 4.0, Fonts SIL
  OFL 1.1, Code MIT); attributed in THIRD-PARTY-NOTICES.md, README, and wiki.
- Light/dark toggle: navbar sun/moon control, server-persisted via the existing
  /user/settings/appearance/theme endpoint (anonymous falls back to localStorage).
- Accessibility menu: 6 options (text resize, color invert, high contrast, link highlight,
  readable font, pause animations); localStorage-persisted, applied on <html>, ARIA/keyboard.
- PWA: service worker (network-first navigation + cached offline fallback) + branded offline
  page + enhanced manifest (display standalone, navy theme_color, app shortcuts); manifest
  icon sourced from the site-admin branding icon if set, else the bundled MokoGIT logo.

Verified: `go build ./...` and `vite build` both green; only mokogit themes emit.
2026-07-16 14:31:52 -05:00
jmiller c5b15a8ea9 fix(build): report the xx.xx.xx VERSION in Docker builds (not git describe)
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Generic: Project CI / Lint & Validate (pull_request) Successful in 40s
Universal: PR Check / Validate PR (pull_request) Successful in 11s
Universal: PR Check / Secret Scan (pull_request) Successful in 58s
Generic: Standards Compliance / Secret Scanning (push) Failing after 12s
Generic: Standards Compliance / License Header Validation (push) Successful in 11s
Generic: Standards Compliance / Repository Structure Validation (push) Successful in 11s
Generic: Standards Compliance / Coding Standards Check (push) Successful in 15s
Generic: Standards Compliance / Workflow Configuration Check (push) Failing after 11s
Generic: Standards Compliance / Documentation Quality Check (push) Successful in 11s
Generic: Standards Compliance / README Completeness Check (push) Failing after 14s
Generic: Standards Compliance / Script Integrity Validation (push) Has been cancelled
Generic: Standards Compliance / Line Length Check (push) Has been cancelled
Generic: Standards Compliance / File Naming Standards (push) Has been cancelled
Generic: Standards Compliance / Insecure Code Pattern Detection (push) Has been cancelled
Generic: Standards Compliance / Code Complexity Analysis (push) Has been cancelled
Generic: Standards Compliance / Code Duplication Detection (push) Has been cancelled
Generic: Standards Compliance / Dead Code Detection (push) Has been cancelled
Generic: Standards Compliance / File Size Limits (push) Has been cancelled
Generic: Standards Compliance / Binary File Detection (push) Has been cancelled
Generic: Standards Compliance / TODO/FIXME Tracking (push) Has been cancelled
Generic: Standards Compliance / Dependency Vulnerability Scanning (push) Has been cancelled
Generic: Standards Compliance / Unused Dependencies Check (push) Has been cancelled
Generic: Standards Compliance / Broken Link Detection (push) Has been cancelled
Generic: Standards Compliance / API Documentation Coverage (push) Has been cancelled
Generic: Standards Compliance / Accessibility Check (push) Has been cancelled
Generic: Standards Compliance / Performance Metrics (push) Has been cancelled
Generic: Standards Compliance / Enterprise Readiness Check (push) Has been cancelled
Generic: Standards Compliance / Repository Health Check (push) Has been cancelled
Generic: Standards Compliance / Terraform Configuration Validation (push) Has been cancelled
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Generic: Standards Compliance / Compliance Summary (push) Has been cancelled
Generic: Standards Compliance / Version Consistency Check (push) Successful in 1m28s
Generic: Standards Compliance / Git Repository Hygiene (push) Successful in 1m17s
Deploy (Prod) / Build & Deploy to Prod (push) Successful in 6m21s
The Dockerfile bind-mounts .git for `make backend` ("required for version data"),
so the Makefile computed the binary version via `git describe` — the leaked upstream
Gitea version (e.g. 1.26.1+moko...-967-gHASH) — even though a VERSION file (01.00.00)
is committed. The Makefile's STORED_VERSION (VERSION file) takes precedence over
`git describe`, but .dockerignore excluded `/VERSION`, so the build never saw it.

Stop excluding VERSION from the Docker build context. STORED_VERSION=01.00.00 now
wins and the built binary reports the MokoOrgStandards xx.xx.xx version. (Upstream
excludes VERSION because it's normally a generated release-tarball artifact; MokoGIT
commits it intentionally as the version source.)

Verify after deploy: the footer and /api/v1/version report 01.00.00, not a git-describe
string. Completes the versioning adoption whose repo-side pieces (VERSION file,
update-checker default off) were already in place.
2026-07-16 13:44:58 -05:00
jmiller 3267fa42b1 chore: sync issue-branch.yml from Template-Go [skip ci] 2026-07-16 18:37:20 +00:00
jmiller 8684ce0e3e chore: sync branch-cleanup.yml from Template-Go [skip ci] 2026-07-16 18:36:43 +00:00
jmiller dbcbff79ee merge(main): promote dev to production
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 11s
Generic: Project CI / Lint & Validate (pull_request) Successful in 33s
Generic: Standards Compliance / Secret Scanning (push) Failing after 10s
Generic: Standards Compliance / License Header Validation (push) Successful in 8s
Universal: PR Check / Secret Scan (pull_request) Successful in 50s
Generic: Standards Compliance / Repository Structure Validation (push) Successful in 9s
Generic: Standards Compliance / Coding Standards Check (push) Successful in 11s
Generic: Standards Compliance / Workflow Configuration Check (push) Failing after 10s
Generic: Standards Compliance / Documentation Quality Check (push) Successful in 10s
Generic: Standards Compliance / README Completeness Check (push) Failing after 10s
Generic: Standards Compliance / Version Consistency Check (push) Successful in 1m22s
Generic: Standards Compliance / Git Repository Hygiene (push) Successful in 55s
Generic: Standards Compliance / Script Integrity Validation (push) Successful in 13s
Generic: Standards Compliance / File Naming Standards (push) Successful in 8s
Generic: Standards Compliance / Line Length Check (push) Successful in 23s
Generic: Standards Compliance / Insecure Code Pattern Detection (push) Successful in 9s
Generic: Standards Compliance / Code Duplication Detection (push) Successful in 1m24s
Generic: Standards Compliance / Code Complexity Analysis (push) Successful in 1m27s
Generic: Standards Compliance / File Size Limits (push) Successful in 13s
Generic: Standards Compliance / Dead Code Detection (push) Successful in 15s
Generic: Standards Compliance / TODO/FIXME Tracking (push) Successful in 9s
Deploy (Prod) / Build & Deploy to Prod (push) Successful in 5m8s
Generic: Standards Compliance / Dependency Vulnerability Scanning (push) Successful in 53s
Generic: Standards Compliance / Broken Link Detection (push) Successful in 11s
Generic: Standards Compliance / API Documentation Coverage (push) Successful in 7s
Generic: Standards Compliance / Accessibility Check (push) Successful in 7s
Generic: Standards Compliance / Performance Metrics (push) Successful in 7s
Generic: Standards Compliance / Unused Dependencies Check (push) Successful in 53s
Generic: Standards Compliance / Binary File Detection (push) Successful in 1m46s
Generic: Standards Compliance / Terraform Configuration Validation (push) Successful in 12s
Generic: Standards Compliance / Enterprise Readiness Check (push) Successful in 54s
Generic: Standards Compliance / Repository Health Check (push) Successful in 57s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Generic: Standards Compliance / Compliance Summary (push) Has been cancelled
Session work: #798 WorkflowDirs (detect .mokogit/workflows, retire .mokogitea),
org internal-wiki merge, issue custom-status dropdown visibility fix, MokoOrgStandards
xx.xx.xx versioning + .vault deploy staging, and restored .mokogit/workflows from
Template-Go.

Conflict resolution: main had dropped .mokogit/workflows/* (4885f3c1 "drop orphaned
dupes"); kept dev's restored set. main's rebrand + prod hotfixes (#793/#794/#795,
.mokogitea config-dir removal) are preserved. CHANGELOG updated.
2026-07-16 13:04:35 -05:00
jmiller 42ea214a64 chore(ci): restore .mokogit/workflows from Template-Go (sync was broken)
Universal: Auto Version Bump / Version Bump (push) Successful in 15s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 1m26s
Deploy (Dev) / Build & Deploy to Dev (push) Successful in 4m30s
The MokoGIT repo's dev/main branches had lost all .mokogit/workflows/ files
(0 present in any workflows dir), which — compounded with the #798 workflow-
discovery break — left the repo with no CI/deploy. The workflow-sync (Template-Go
-> repo .mokogit/workflows) appears to have stopped; since the sync trigger lives
in .mokogit/workflows itself, broken discovery prevented it from self-healing.

Restore the full canonical set from Template-Go (deploy-{dev,rc,prod}, pr-check,
standards-compliance, auto-release, pre-release, auto-bump, cascade-dev,
version-set, repo-health, custom/workflow-sync-trigger, etc.). deploy-* are the
portable Go image-build workflows (Dockerfile build -> registry -> recreate).
2026-07-16 12:50:33 -05:00
jmiller d16b417a24 fix(issues): make custom-status select render its options (visibility bug)
The issue-view "status" control was a native <select> carrying the fomantic
"ui compact dropdown" class. Fomantic enhanced it into an overlay menu that
rendered mispositioned and stacked BEHIND .issue-content, so the status options
were present in the DOM but invisible (a raised z-index did not rescue it — the
menu was trapped in an ancestor stacking context). Nothing in web_src/js depends
on it being a fomantic dropdown.

Drop the fomantic class so it stays a plain native <select> (the browser renders
its option list, so the options always show), and move the element's inline
style= into a new stylesheet web_src/css/repo/issue-status.css (imported from
index.css), per the "no inline styles" standard.
2026-07-16 12:28:57 -05:00
jmiller fdde590491 fix(actions): detect .mokogit/workflows; retire .mokogitea/workflows (#798)
The deployed binary's WorkflowDirs scanned only .mokogitea/workflows (the
temporary cutover name) plus .gitea/.github, but every repo moved its CI to
the rebranded .mokogit/workflows — so those workflows were never indexed, no
runs were created on push, and workflow_dispatch 404'd. Org-wide CI/deploys
were down, surviving only via a temporary .gitea/workflows bridge.

Set the default WorkflowDirs to [.mokogit/workflows, .gitea/workflows,
.github/workflows] and drop .mokogitea/workflows entirely (fully retired).
Runtime override remains available via [actions] WORKFLOW_DIRS.

Once deployed, the .gitea/workflows deploy bridge can be retired.

Updated Test_WorkflowDirs default expectation.
2026-07-16 11:56:23 -05:00
jmiller 2708f61a53 merge(dev): org internal-wiki (Overview renders wiki, drop Wiki tab) 2026-07-16 11:56:18 -05:00
jmiller 55639a6453 merge(dev): .vault deploy staging + xx.xx.xx versioning (feat/vault-align-versioning) 2026-07-16 11:56:14 -05:00
jmiller afc3fc6f16 feat(org): merge profile into internal wiki — Overview renders wiki, drop Wiki tab
Streamlines the org WebUI now that the profile and wiki share the same
.mokogit / .mokogit-private repos:

- Org Overview renders the internal wiki's landing page (resolution order
  home -> index -> readme -> profile) from the .mokogit (public) /
  .mokogit-private (members-only) repo wiki, respecting the existing
  public/members view split. Safe fallback: if the wiki or a landing page is
  absent or errors, it falls back to the legacy root README.md (never 500s).
- Hide the per-repo Wiki tab for .mokogit / .mokogit-private, since their wiki
  is now surfaced as the org Overview.
- Relabel the existing org-settings "Internal wiki" control from .profile ->
  .mokogit / .mokogit-private (backed by the existing WikiMode field/handler).

go build ./... green.
2026-07-16 11:45:08 -05:00
jmiller 0cb94ef37d chore(deploy): stage .vault git-stack compose + adopt xx.xx.xx versioning
Repo-only prep to align MokoGIT with the .vault single-source-of-truth structure and the
MokoOrgStandards xx.xx.xx version scheme. No server/.vault changes; relocation coordinated later.

Versioning (replaces leaked Gitea 1.24.0+dev-N-ghash):
- VERSION = 01.00.00 (Makefile STORED_VERSION uses it verbatim on branch builds -> strips the
  git-describe Gitea base; tag builds use the xx.xx.xx tag name).
- VERSIONING.md documents the scheme + how the binary/image version resolves.
- Default the upstream update-checker OFF (modules/setting/setting.go) so the fork never compares
  AppVer against Gitea's release feed.

Staged git-stack compose (target .vault/stacks/git/{prod,rc,dev}):
- deploy/git/{prod,rc,dev}/ each: docker-compose.yml (image mokoconsulting/mokogit per tier tag env
  MOKOGIT[_RC|_DEV]_TAG, containers mokogit/-rc/-dev, /opt/mokogit/{prod,rc,dev} data, host-MySQL
  db mokogit[_rc|_dev], /api/healthz healthcheck), VERSION (01.00.00), .env.example.
- deploy/git/VERSION (per-stack) + README.md (ownership split, reconcile-before-drop, restructure paused).
- Every host/secret value is ${VAR}; modeled on documented live config, marked RECONCILE (diff vs
  the live /opt/mokogitea/docker-compose.yml before dropping into .vault).

Secrets externalized:
- .gitignore now ignores real .env / *.env but keeps *.env.example. No real tokens committed.

Verified: go build ./modules/setting/ ok; .env.example tracked, real .env ignored.
2026-07-16 10:43:18 -05:00
jmiller 6f482e7fdb Merge pull request 'fix: remove stale .mokogitea from dev (MOKOGIT migration)' (#797) from fix/remove-mokogitea-dev into dev 2026-07-16 14:09:43 +00:00
jmiller 1be5a89286 fix: remove stale .mokogitea/workflows/version-set.yml 2026-07-16 14:09:31 +00:00
jmiller 675a14615a fix: remove stale .mokogitea/workflows/standards-compliance.yml 2026-07-16 14:09:19 +00:00
jmiller 2d14619461 fix: remove stale .mokogitea/workflows/repo-health.yml 2026-07-16 14:09:03 +00:00
jmiller ca37d9728e fix: remove stale .mokogitea/workflows/rc-revert.yml 2026-07-16 14:08:49 +00:00
jmiller 232e7bcf83 fix: remove stale .mokogitea/workflows/pre-release.yml 2026-07-16 14:08:33 +00:00
jmiller 5de6ace021 fix: remove stale .mokogitea/workflows/pr-check.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 4s
2026-07-16 14:08:20 +00:00
jmiller dd864c2268 fix: remove stale .mokogitea/workflows/notify.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 5s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 9s
Universal: PR Check / Secret Scan (pull_request) Successful in 44s
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:08:07 +00:00
jmiller 245a74024b fix: remove stale .mokogitea/workflows/issue-branch.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 4s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 9s
Universal: PR Check / Secret Scan (pull_request) Successful in 49s
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:07:52 +00:00
jmiller ec913d7993 fix: remove stale .mokogitea/workflows/gitleaks.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 5s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 12s
Universal: PR Check / Secret Scan (pull_request) Successful in 52s
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:07:38 +00:00
jmiller 8ff637684a fix: remove stale .mokogitea/workflows/deploy-rc.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 4s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 10s
Universal: PR Check / Secret Scan (pull_request) Successful in 54s
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:07:24 +00:00
jmiller d0e39c027b fix: remove stale .mokogitea/workflows/deploy-prod.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 5s
2026-07-16 14:07:09 +00:00
jmiller acefbe6e44 fix: remove stale .mokogitea/workflows/deploy-dev.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 7s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 11s
Universal: PR Check / Secret Scan (pull_request) Successful in 56s
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:06:55 +00:00
jmiller f430a4c10d fix: remove stale .mokogitea/workflows/custom/upstream-bug-sync.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 4s
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
Universal: PR Check / Validate PR (pull_request) Successful in 11s
Universal: PR Check / Secret Scan (pull_request) Successful in 57s
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:06:39 +00:00
jmiller db1d97072a fix: remove stale .mokogitea/workflows/custom/test-mokogitea.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 4s
Universal: PR Check / Branch Policy (pull_request) Successful in 3s
Universal: PR Check / Validate PR (pull_request) Successful in 10s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m0s
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:06:25 +00:00
jmiller d37da15aa7 fix: remove stale .mokogitea/workflows/custom/pr-rc-release.yml 2026-07-16 14:05:06 +00:00
jmiller f31a60cf53 fix: remove stale .mokogitea/workflows/custom/cascade-dev.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 5s
PR RC Release / Build RC Release (pull_request) Successful in 2s
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
Universal: PR Check / Validate PR (pull_request) Successful in 11s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m0s
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:04:51 +00:00
jmiller 871ede1450 fix: remove stale .mokogitea/workflows/cleanup.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 5s
PR RC Release / Build RC Release (pull_request) Successful in 2s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 11s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m1s
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:04:38 +00:00
jmiller e16ea6f934 fix: remove stale .mokogitea/workflows/ci-issue-reporter.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 4s
PR RC Release / Build RC Release (pull_request) Successful in 3s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 9s
Universal: PR Check / Secret Scan (pull_request) Successful in 56s
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:04:22 +00:00
jmiller c610c2388d fix: remove stale .mokogitea/workflows/ci-generic.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 5s
PR RC Release / Build RC Release (pull_request) Successful in 2s
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
Universal: PR Check / Validate PR (pull_request) Successful in 9s
Universal: PR Check / Secret Scan (pull_request) Successful in 53s
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:04:08 +00:00
jmiller cb2ff768e5 fix: remove stale .mokogitea/workflows/cascade-dev.yml
PR RC Release / Build RC Release (pull_request) Successful in 3s
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
Generic: Project CI / Lint & Validate (pull_request) Successful in 29s
Universal: PR Check / Validate PR (pull_request) Successful in 9s
Universal: PR Check / Secret Scan (pull_request) Successful in 51s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:03:53 +00:00
jmiller 78f1d8fe15 fix: remove stale .mokogitea/workflows/branch-cleanup.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 5s
PR RC Release / Build RC Release (pull_request) Successful in 4s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Generic: Project CI / Lint & Validate (pull_request) Successful in 30s
Universal: PR Check / Validate PR (pull_request) Successful in 11s
Universal: PR Check / Secret Scan (pull_request) Successful in 59s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:03:40 +00:00
jmiller 8c121c08c1 fix: remove stale .mokogitea/workflows/auto-release.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 5s
PR RC Release / Build RC Release (pull_request) Successful in 3s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Generic: Project CI / Lint & Validate (pull_request) Successful in 30s
Universal: PR Check / Validate PR (pull_request) Successful in 12s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m3s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:03:30 +00:00
jmiller 423c3c0f83 fix: remove stale .mokogitea/workflows/auto-bump.yml
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 3s
PR RC Release / Build RC Release (pull_request) Successful in 2s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 11s
Generic: Project CI / Lint & Validate (pull_request) Successful in 38s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m5s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-16 14:03:19 +00:00
jmiller 411bed0d05 Merge pull request 'fix: remove stale .mokogitea config dir (superseded by .mokogit)' (#795) from fix/migrate-mokogitea-to-mokogit into main 2026-07-16 13:39:30 +00:00
jmiller 7a71ebd0b1 fix: remove stale .mokogitea config dir (superseded by .mokogit) 2026-07-16 07:34:27 -05:00
jmiller 6dd0f1fb6d Merge pull request 'fix(repo): case-sensitive system-repo name normalization' (#794) from rc into main
Generic: Standards Compliance / Secret Scanning (push) Failing after 15s
Generic: Standards Compliance / License Header Validation (push) Successful in 12s
Generic: Standards Compliance / Repository Structure Validation (push) Successful in 10s
Generic: Standards Compliance / Coding Standards Check (push) Successful in 12s
Generic: Standards Compliance / Version Consistency Check (push) Successful in 1m28s
Generic: Standards Compliance / Workflow Configuration Check (push) Failing after 12s
Generic: Standards Compliance / Documentation Quality Check (push) Successful in 13s
Generic: Standards Compliance / README Completeness Check (push) Failing after 22s
Generic: Standards Compliance / Script Integrity Validation (push) Has been cancelled
Generic: Standards Compliance / Line Length Check (push) Has been cancelled
Generic: Standards Compliance / File Naming Standards (push) Has been cancelled
Generic: Standards Compliance / Insecure Code Pattern Detection (push) Has been cancelled
Generic: Standards Compliance / Code Complexity Analysis (push) Has been cancelled
Generic: Standards Compliance / Code Duplication Detection (push) Has been cancelled
Generic: Standards Compliance / Dead Code Detection (push) Has been cancelled
Generic: Standards Compliance / File Size Limits (push) Has been cancelled
Generic: Standards Compliance / Binary File Detection (push) Has been cancelled
Generic: Standards Compliance / TODO/FIXME Tracking (push) Has been cancelled
Generic: Standards Compliance / Dependency Vulnerability Scanning (push) Has been cancelled
Generic: Standards Compliance / Unused Dependencies Check (push) Has been cancelled
Generic: Standards Compliance / Broken Link Detection (push) Has been cancelled
Generic: Standards Compliance / API Documentation Coverage (push) Has been cancelled
Generic: Standards Compliance / Accessibility Check (push) Has been cancelled
Generic: Standards Compliance / Performance Metrics (push) Has been cancelled
Generic: Standards Compliance / Enterprise Readiness Check (push) Has been cancelled
Generic: Standards Compliance / Repository Health Check (push) Has been cancelled
Generic: Standards Compliance / Terraform Configuration Validation (push) Has been cancelled
Generic: Standards Compliance / Compliance Summary (push) Has been cancelled
Generic: Standards Compliance / Git Repository Hygiene (push) Successful in 2m16s
Deploy (Prod) / Build & Deploy to Prod (push) Successful in 7m2s
2026-07-15 15:21:21 +00:00
jmiller 1f73a14cb0 Merge pull request 'feat: MokoGitea -> MokoGIT rebrand (validated on dev + rc)' (#793) from rc into main
Generic: Standards Compliance / Secret Scanning (push) Failing after 8s
Generic: Standards Compliance / License Header Validation (push) Successful in 9s
Generic: Standards Compliance / Repository Structure Validation (push) Successful in 10s
Generic: Standards Compliance / Coding Standards Check (push) Successful in 11s
Generic: Standards Compliance / Version Consistency Check (push) Successful in 1m15s
Generic: Standards Compliance / Workflow Configuration Check (push) Failing after 10s
Generic: Standards Compliance / Documentation Quality Check (push) Successful in 8s
Generic: Standards Compliance / README Completeness Check (push) Failing after 10s
Generic: Standards Compliance / Git Repository Hygiene (push) Successful in 2m1s
Generic: Standards Compliance / Script Integrity Validation (push) Successful in 24s
Generic: Standards Compliance / Line Length Check (push) Successful in 33s
Generic: Standards Compliance / File Naming Standards (push) Successful in 9s
Generic: Standards Compliance / Insecure Code Pattern Detection (push) Successful in 8s
Deploy (Prod) / Build & Deploy to Prod (push) Successful in 6m15s
Generic: Standards Compliance / Dead Code Detection (push) Successful in 10s
Generic: Standards Compliance / File Size Limits (push) Successful in 8s
Generic: Standards Compliance / Code Complexity Analysis (push) Successful in 1m8s
Generic: Standards Compliance / TODO/FIXME Tracking (push) Successful in 8s
Generic: Standards Compliance / Code Duplication Detection (push) Successful in 55s
Generic: Standards Compliance / Dependency Vulnerability Scanning (push) Successful in 57s
Generic: Standards Compliance / Unused Dependencies Check (push) Successful in 54s
Generic: Standards Compliance / API Documentation Coverage (push) Successful in 8s
Generic: Standards Compliance / Broken Link Detection (push) Successful in 11s
Generic: Standards Compliance / Binary File Detection (push) Successful in 1m45s
Generic: Standards Compliance / Accessibility Check (push) Successful in 8s
Generic: Standards Compliance / Performance Metrics (push) Successful in 8s
Generic: Standards Compliance / Terraform Configuration Validation (push) Successful in 14s
Generic: Standards Compliance / Repository Health Check (push) Successful in 57s
Generic: Standards Compliance / Enterprise Readiness Check (push) Successful in 1m0s
Generic: Standards Compliance / Compliance Summary (push) Has been cancelled
2026-07-15 06:05:54 +00:00
jmiller 2c0d71a27f chore(ci): re-trigger dev deploy for MokoGIT rebrand
Universal: Auto Version Bump / Version Bump (push) Successful in 15s
Deploy (Dev) / Build & Deploy to Dev (push) Successful in 4m56s
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
PR RC Release / Build RC Release (pull_request) Successful in 1s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 3s
Universal: PR Check / Validate PR (pull_request) Successful in 8s
Generic: Project CI / Lint & Validate (pull_request) Successful in 31s
Universal: PR Check / Secret Scan (pull_request) Successful in 42s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
2026-07-15 04:06:18 +00:00
jmiller 584c50a4be Merge pull request 'feat: MokoGitea -> MokoGIT rebrand (module rename, branding, .mokogit, icon)' (#791) from feature/rebrand-mokogit into dev 2026-07-15 03:07:38 +00:00
78 changed files with 7481 additions and 195 deletions
+6 -1
View File
@@ -63,7 +63,12 @@ cpu.out
/public/assets/fonts
/public/assets/img/avatar
/vendor
/VERSION
# MokoGIT: keep the committed VERSION file in the Docker build context. The Makefile
# reads it as STORED_VERSION, which takes precedence over `git describe`, so the built
# binary reports the MokoOrgStandards xx.xx.xx version (e.g. 01.00.00) instead of the
# leaked upstream Gitea `git describe` version. (Upstream excludes it because VERSION is
# normally a generated release-tarball artifact; here it is intentionally committed.)
# /VERSION
/.air
/.go-licenses
/Dockerfile
+7
View File
@@ -115,6 +115,13 @@ prime/
/.github/copilot-instructions.md
/llms.txt
# Real deploy env files -- NEVER commit secrets. Keep the *.env.example templates.
.env
*.env
!*.env.example
!.env.example
deploy/**/.env
# Ignore worktrees when working on multiple branches
.worktrees/
+66
View File
@@ -0,0 +1,66 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: mokocli.Release
# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
# PATH: /.mokogit/workflows/auto-bump.yml
# VERSION: 09.02.00
# BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
name: "Universal: Auto Version Bump"
on:
push:
branches:
- dev
- rc
- 'feature/**'
- 'patch/**'
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
MOKOGIT_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
permissions:
contents: write
jobs:
bump:
name: Version Bump
runs-on: release
if: >-
!contains(github.event.head_commit.message, '[skip ci]') &&
!contains(github.event.head_commit.message, '[skip bump]') &&
!startsWith(github.event.head_commit.message, 'Merge pull request')
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
token: ${{ secrets.MOKOGIT_TOKEN }}
fetch-depth: 1
- name: Setup mokocli tools
run: |
if ! command -v composer &> /dev/null; then
sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
fi
if [ -d "/opt/mokocli/cli" ]; then
echo "MOKO_CLI=/opt/mokocli/cli" >> "$GITHUB_ENV"
else
git clone --depth 1 --branch main --quiet \
"https://x-access-token:${{ secrets.MOKOGIT_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokocli.git" \
/tmp/mokocli
cd /tmp/mokocli && composer install --no-dev --no-interaction --quiet
echo "MOKO_CLI=/tmp/mokocli/cli" >> "$GITHUB_ENV"
fi
- name: Bump version
run: |
php ${MOKO_CLI}/version_auto_bump.php \
--path . --branch "${GITHUB_REF_NAME}" \
--token "${{ secrets.MOKOGIT_TOKEN }}" \
--repo-url "https://x-access-token:${{ secrets.MOKOGIT_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+505
View File
@@ -0,0 +1,505 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: mokocli.Release
# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/mokocli
# PATH: /templates/workflows/universal/auto-release.yml.template
# VERSION: 05.00.00
# BRIEF: Universal build & release detects platform from manifest.xml
#
# +=======================================================================+
# | UNIVERSAL BUILD & RELEASE PIPELINE |
# +=======================================================================+
# | |
# | Reads manifest.xml (joomla|dolibarr|generic) to branch logic. |
# | |
# | Platform-specific: |
# | joomla: XML manifest, type-prefixed packages |
# | dolibarr: mod*.class.php, update.txt, dev version reset |
# | generic: README-only, no update stream |
# | |
# +=======================================================================+
name: "Universal: Build & Release"
on:
pull_request:
types: [opened, synchronize, closed]
branches:
- main
paths-ignore:
- '.mokogit/workflows/**'
- '*.md'
- 'wiki/**'
- '.editorconfig'
- '.gitignore'
- '.gitattributes'
- '.gitmessage'
- 'LICENSE'
workflow_dispatch:
inputs:
action:
description: 'Action to perform'
required: false
type: choice
default: release
options:
- release
- promote-rc
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
MOKOGIT_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
GIT_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
GIT_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
permissions:
contents: write
jobs:
# ── PR Opened → Rename branch to RC and build RC release ─────────────────────────
promote-rc:
name: Promote to RC
runs-on: release
if: >-
(github.event.action == 'opened' && github.event.pull_request.merged != true) ||
(github.event.action == 'synchronize' && github.event.pull_request.merged != true) ||
(github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
token: ${{ secrets.MOKOGIT_TOKEN }}
fetch-depth: 1
- name: Setup mokocli tools
env:
MOKO_CLONE_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
run: |
if [ -f /opt/mokocli/cli/version_bump.php ] && [ -f /opt/mokocli/vendor/autoload.php ]; then
echo Using pre-installed /opt/mokocli
echo MOKO_CLI=/opt/mokocli/cli >> $GITHUB_ENV
else
echo Falling back to fresh clone
if ! command -v composer > /dev/null 2>&1; then
sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
fi
rm -rf /tmp/mokocli
CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokocli.git
git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokocli
cd /tmp/mokocli
composer install --no-dev --no-interaction --quiet
echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
fi
- name: Rename branch to rc
run: |
API_BASE="${MOKOGIT_URL}/api/v1/repos/${GIT_ORG}/${GIT_REPO}"
AUTH="Authorization: token ${{ secrets.MOKOGIT_TOKEN }}"
FROM="${{ github.event.pull_request.head.ref || 'dev' }}"
PR="${{ github.event.pull_request.number }}"
# Resolve the source branch HEAD commit.
SRC_JSON=$(curl -sf -H "$AUTH" "${API_BASE}/branches/${FROM}") \
|| { echo "::error::Source branch ${FROM} not found"; exit 1; }
SRC_SHA=$(printf '%s' "$SRC_JSON" | python3 -c "import sys, json; print(json.load(sys.stdin)['commit']['id'])" 2>/dev/null || true)
[ -n "$SRC_SHA" ] || { echo "::error::Could not resolve HEAD of ${FROM}"; exit 1; }
# Point rc at the source commit via git push. Git's git/refs PATCH API
# returns HTTP 405 on ANY protected branch (force or not, even for a user in
# the force-push allowlist), so it cannot move a protected rc. git push honors
# the push + force-push allowlists and creates rc if it is absent.
PUSH_URL="https://x-access-token:${{ secrets.MOKOGIT_TOKEN }}@${MOKOGIT_URL#https://}/${GIT_ORG}/${GIT_REPO}.git"
git config --global user.name "mokogit-actions[bot]"
git config --global user.email "actions@mokoconsulting.tech"
git fetch --no-tags "$PUSH_URL" "${FROM}"
git push --force "$PUSH_URL" "FETCH_HEAD:refs/heads/rc" \
|| { echo "::error::Failed to point rc at ${FROM} (${SRC_SHA}) via git push"; exit 1; }
echo "rc set to ${FROM} (${SRC_SHA})"
# Repoint the PR at rc, then delete the old source branch (non-fatal).
if [ -n "$PR" ]; then
curl -s -X PATCH -H "$AUTH" -H "Content-Type: application/json" \
"${API_BASE}/pulls/${PR}" -d '{"head":"rc"}' >/dev/null || true
fi
# Never delete permanent branches (dev/main/rc/...); only ephemeral feature branches.
case "$FROM" in
dev|main|master|rc|stable|production|release|develop|staging|beta|alpha)
echo "Keeping permanent branch ${FROM} (not deleting)" ;;
*)
curl -s -X DELETE -H "$AUTH" "${API_BASE}/branches/${FROM}" >/dev/null || true ;;
esac
echo "Renamed ${FROM} -> rc"
- name: Trigger RC deploy
run: |
# Workflow-token pushes do NOT wake downstream workflows; dispatch deploy-rc explicitly.
curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGIT_TOKEN }}" \n -H "Content-Type: application/json" \n "${MOKOGIT_URL}/api/v1/repos/${GIT_ORG}/${GIT_REPO}/actions/workflows/deploy-rc.yml/dispatches" \n -d '{"ref":"rc"}' \n && echo "Dispatched deploy-rc on rc" \n || echo "::warning::deploy-rc dispatch failed (no deploy-rc.yml on rc?)"
- name: Checkout rc and configure git
run: |
git fetch origin rc
git checkout rc
git config --local user.email "mokogit-actions[bot]@mokoconsulting.tech"
git config --local user.name "mokogit-actions[bot]"
git remote set-url origin "https://x-access-token:${{ secrets.MOKOGIT_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
- name: Publish RC release
continue-on-error: true
run: |
php ${MOKO_CLI}/release_publish.php \
--path . --stability rc --bump minor --branch rc \
--token "${{ secrets.MOKOGIT_TOKEN }}"
- name: Update RC release notes from CHANGELOG.md
continue-on-error: true
run: |
API_BASE="${MOKOGIT_URL}/api/v1/repos/${GIT_ORG}/${GIT_REPO}"
TOKEN="${{ secrets.MOKOGIT_TOKEN }}"
# Extract [Unreleased] section from changelog
NOTES=""
if [ -f "CHANGELOG.md" ]; then
NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
fi
[ -z "$NOTES" ] && NOTES="Release candidate"
# Find the RC release and update its body
RELEASE_ID=$(curl -sf -H "Authorization: token ${TOKEN}" \
"${API_BASE}/releases/tags/release-candidate" \
| python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
if [ -n "$RELEASE_ID" ]; then
python3 -c "
import json, urllib.request
body = open('/dev/stdin').read()
payload = json.dumps({'body': body}).encode()
req = urllib.request.Request(
'${API_BASE}/releases/${RELEASE_ID}',
data=payload, method='PATCH',
headers={
'Authorization': 'token ${TOKEN}',
'Content-Type': 'application/json'
})
urllib.request.urlopen(req)
" <<< "$NOTES"
echo "RC release notes updated from CHANGELOG.md"
fi
- name: Summary
if: always()
run: |
echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
echo "Branch renamed to rc, minor bump, RC release built" >> $GITHUB_STEP_SUMMARY
# ── Merged PR → Build & Release (or promote RC to stable) ─────────────────────────
release:
name: Build & Release Pipeline
runs-on: release
if: >-
github.event.pull_request.merged == true ||
(github.event_name == 'workflow_dispatch' && inputs.action != 'promote-rc')
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
token: ${{ secrets.MOKOGIT_TOKEN }}
fetch-depth: 0
- name: Configure git for bot pushes
run: |
git config --local user.email "mokogit-actions[bot]@mokoconsulting.tech"
git config --local user.name "mokogit-actions[bot]"
git remote set-url origin "https://x-access-token:${{ secrets.MOKOGIT_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
- name: Check for merge conflict markers
run: |
CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
if [ -n "$CONFLICTS" ]; then
echo "::error::Merge conflict markers found — aborting release"
echo "## Release Blocked: Conflict Markers" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
exit 1
fi
echo "No conflict markers found"
- name: Setup mokocli tools
env:
MOKO_CLONE_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
run: |
if [ -f /opt/mokocli/cli/version_bump.php ] && [ -f /opt/mokocli/vendor/autoload.php ]; then
echo Using pre-installed /opt/mokocli
echo MOKO_CLI=/opt/mokocli/cli >> $GITHUB_ENV
else
echo Falling back to fresh clone
if ! command -v composer > /dev/null 2>&1; then
sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
fi
rm -rf /tmp/mokocli
CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokocli.git
git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokocli
cd /tmp/mokocli
composer install --no-dev --no-interaction --quiet
echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
fi
- name: "Detect platform"
id: platform
run: |
php ${MOKO_CLI}/platform_detect.php --path . --github-output 2>/dev/null || true
php ${MOKO_CLI}/manifest_read.php --path . --github-output 2>/dev/null || true
- name: "Determine version bump level"
id: bump
run: |
# Fix/patch branches: version was already bumped by pre-release, just strip suffix
# Feature/dev branches: bump minor for the new stable release
HEAD_REF="${{ github.event.pull_request.head.ref || 'dev' }}"
case "$HEAD_REF" in
fix/*|patch/*|hotfix/*|bugfix/*) BUMP="none" ;;
*) BUMP="minor" ;;
esac
echo "level=${BUMP}" >> "$GITHUB_OUTPUT"
echo "Bump level: ${BUMP} (from branch: ${HEAD_REF})"
- name: "Publish stable release"
run: |
BUMP_FLAG=""
if [ "${{ steps.bump.outputs.level }}" != "none" ]; then
BUMP_FLAG="--bump ${{ steps.bump.outputs.level }}"
fi
php ${MOKO_CLI}/release_publish.php \
--path . --stability stable ${BUMP_FLAG} --branch main \
--token "${{ secrets.MOKOGIT_TOKEN }}"
- name: "Read published version"
id: version
run: |
VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "")
VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
[ -z "$VERSION" ] && VERSION="00.00.00" && echo "skip=true" >> "$GITHUB_OUTPUT"
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
PLATFORM="${{ steps.platform.outputs.platform }}"
if [[ "$PLATFORM" == joomla* ]]; then
echo "tag=stable" >> "$GITHUB_OUTPUT"
echo "release_tag=stable" >> "$GITHUB_OUTPUT"
else
echo "tag=v${VERSION}" >> "$GITHUB_OUTPUT"
echo "release_tag=v${VERSION}" >> "$GITHUB_OUTPUT"
fi
echo "branch=main" >> "$GITHUB_OUTPUT"
echo "Published version: ${VERSION}"
- name: "Create semver tag for non-Joomla repos"
id: semver
if: |
steps.version.outputs.skip != 'true' &&
!startsWith(steps.platform.outputs.platform, 'joomla')
run: |
VERSION="${{ steps.version.outputs.version }}"
API_BASE="${MOKOGIT_URL}/api/v1/repos/${GIT_ORG}/${GIT_REPO}"
TOKEN="${{ secrets.MOKOGIT_TOKEN }}"
SEMVER_TAG="v${VERSION}"
echo "Creating semver tag: ${SEMVER_TAG}"
# Create the git tag via API
HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
-X POST -H "Authorization: token ${TOKEN}" \
-H "Content-Type: application/json" \
"${API_BASE}/tags" \
-d "{\"tag_name\":\"${SEMVER_TAG}\",\"target\":\"main\",\"message\":\"Release ${VERSION}\"}" 2>/dev/null || echo "000")
if [ "$HTTP_CODE" = "201" ] || [ "$HTTP_CODE" = "200" ]; then
echo "Created semver tag: ${SEMVER_TAG}"
elif [ "$HTTP_CODE" = "409" ]; then
echo "Semver tag ${SEMVER_TAG} already exists (skipped)"
else
echo "::warning::Failed to create semver tag ${SEMVER_TAG} (HTTP ${HTTP_CODE})"
fi
echo "semver_tag=${SEMVER_TAG}" >> "$GITHUB_OUTPUT"
- name: Update release notes and promote changelog
run: |
API_BASE="${MOKOGIT_URL}/api/v1/repos/${GIT_ORG}/${GIT_REPO}"
TOKEN="${{ secrets.MOKOGIT_TOKEN }}"
# Get the stable release info (version and ID)
RELEASE_JSON=$(curl -sf -H "Authorization: token ${TOKEN}" \
"${API_BASE}/releases/tags/stable" 2>/dev/null || echo '{}')
RELEASE_ID=$(python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" <<< "$RELEASE_JSON" 2>/dev/null || true)
# Extract version from release name (e.g. "06.17.00" or "v06.17.00")
VERSION=$(python3 -c "
import json, sys, re
r = json.load(sys.stdin)
name = r.get('name', '')
m = re.search(r'(\d+\.\d+\.\d+)', name)
print(m.group(1) if m else '')
" <<< "$RELEASE_JSON" 2>/dev/null || true)
# Extract [Unreleased] section from changelog
NOTES=""
if [ -f "CHANGELOG.md" ]; then
NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
fi
[ -z "$NOTES" ] && NOTES="Stable release"
# Update release body via API
if [ -n "$RELEASE_ID" ]; then
python3 -c "
import json, urllib.request
body = open('/dev/stdin').read()
payload = json.dumps({'body': body}).encode()
req = urllib.request.Request(
'${API_BASE}/releases/${RELEASE_ID}',
data=payload, method='PATCH',
headers={
'Authorization': 'token ${TOKEN}',
'Content-Type': 'application/json'
})
urllib.request.urlopen(req)
" <<< "$NOTES"
echo "Release notes updated from CHANGELOG.md"
fi
# Promote [Unreleased] → [version] in CHANGELOG.md and reset
if [ -n "$VERSION" ] && [ -f "CHANGELOG.md" ]; then
DATE=$(date +%Y-%m-%d)
python3 -c "
import sys
version, date = sys.argv[1], sys.argv[2]
content = open('CHANGELOG.md').read()
old = '## [Unreleased]'
new = f'## [Unreleased]\n\n## [{version}] --- {date}'
content = content.replace(old, new, 1)
open('CHANGELOG.md', 'w').write(content)
" "$VERSION" "$DATE"
git add CHANGELOG.md
git commit -m "chore: promote changelog [Unreleased] → [${VERSION}]" || true
git push origin main || true
echo "Changelog promoted: [Unreleased] → [${VERSION}]"
fi
# -- STEP 9: Mirror to GitHub (stable only) --------------------------------
- name: "Step 9: Mirror release to GitHub"
if: >-
steps.version.outputs.skip != 'true' &&
secrets.GH_MIRROR_TOKEN != ''
continue-on-error: true
run: |
VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
API_BASE="${MOKOGIT_URL}/api/v1/repos/${GIT_ORG}/${GIT_REPO}"
php ${MOKO_CLI}/release_mirror.php \
--version "$VERSION" --tag "$RELEASE_TAG" \
--token "${{ secrets.MOKOGIT_TOKEN }}" --api-base "$API_BASE" \
--gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
--branch main 2>&1 || true
echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
# -- STEP 10: Sync main branch to GitHub mirror ----------------------------
- name: "Step 10: Push main to GitHub mirror"
if: >-
steps.version.outputs.skip != 'true' &&
secrets.GH_MIRROR_TOKEN != ''
continue-on-error: true
run: |
GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
git remote add github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
git remote set-url github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
git fetch origin main --depth=1
git push github origin/main:refs/heads/main --force 2>/dev/null \
&& echo "main branch pushed to GitHub mirror" \
|| echo "WARNING: GitHub mirror push failed"
- name: "Step 11: Delete rc branch and recreate dev from main"
if: steps.version.outputs.skip != 'true'
continue-on-error: true
run: |
API_BASE="${MOKOGIT_URL}/api/v1/repos/${GIT_ORG}/${GIT_REPO}"
TOKEN="${{ secrets.MOKOGIT_TOKEN }}"
# Delete rc branch (ephemeral — created by promote-rc)
curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
"${API_BASE}/branches/rc" 2>/dev/null \
&& echo "Deleted rc branch" || echo "rc branch not found"
# Delete dev branch
curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
"${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
# Recreate dev from main (now includes version bump + changelog promotion)
curl -sf -X POST -H "Authorization: token ${TOKEN}" \
-H "Content-Type: application/json" \
"${API_BASE}/branches" \
-d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
echo "Pre-release branches cleaned, dev reset from main" >> $GITHUB_STEP_SUMMARY
- name: "Step 12: Create version branch from main"
if: steps.version.outputs.skip != 'true'
continue-on-error: true
run: |
API_BASE="${MOKOGIT_URL}/api/v1/repos/${GIT_ORG}/${GIT_REPO}"
TOKEN="${{ secrets.MOKOGIT_TOKEN }}"
VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
BRANCH_NAME="version/${VERSION}"
MAIN_SHA=$(git rev-parse HEAD)
# Delete old version branch if it exists (same version re-release)
curl -sf -X DELETE -H "Authorization: token ${TOKEN}" "${API_BASE}/branches/${BRANCH_NAME}" 2>/dev/null && echo "Deleted old ${BRANCH_NAME}"
# Create version/XX.YY.ZZ from main
curl -sf -X POST -H "Authorization: token ${TOKEN}" -H "Content-Type: application/json" "${API_BASE}/branches" -d "{\"new_branch_name\":\"${BRANCH_NAME}\",\"old_branch_name\":\"main\"}" 2>/dev/null && echo "Created ${BRANCH_NAME} from main (${MAIN_SHA})" || echo "WARNING: ${BRANCH_NAME} creation failed"
echo "Version branch created: ${BRANCH_NAME} (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
# -- Dolibarr post-release: Reset dev version -----------------------------
- name: "Post-release: Reset dev version"
if: steps.version.outputs.skip != 'true'
continue-on-error: true
run: |
API_BASE="${MOKOGIT_URL}/api/v1/repos/${GIT_ORG}/${GIT_REPO}"
php ${MOKO_CLI}/version_reset_dev.php \
--token "${{ secrets.MOKOGIT_TOKEN }}" --api-base "${API_BASE}" \
--branch dev --path . 2>&1 || true
# -- Summary --------------------------------------------------------------
- name: Pipeline Summary
if: always()
run: |
VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
PLATFORM="${{ steps.platform.outputs.platform }}"
if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
else
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
echo "| Release | [View](${MOKOGIT_URL}/${GIT_ORG}/${GIT_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
fi
+60
View File
@@ -0,0 +1,60 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: MokoCLI.Universal
# REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-Generic
# PATH: /.mokogit/workflows/branch-cleanup.yml
# VERSION: 01.00.00
# BRIEF: Delete feature branches after PR merge
name: "Branch Cleanup"
on:
pull_request:
types: [closed]
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
cleanup:
name: Delete merged branch
runs-on: ubuntu-latest
if: >-
github.event.pull_request.merged == true &&
github.event.pull_request.head.ref != 'dev' &&
github.event.pull_request.head.ref != 'main'
steps:
- name: Delete source branch
# SECURITY: the PR head ref is attacker-controllable. Pass it (and the
# repo/token) through env so the Actions engine cannot splice it into the
# shell source, and validate it to a safe charset before use.
env:
MOKOGIT_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
REPO: ${{ github.repository }}
API_BASE: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
BRANCH: ${{ github.event.pull_request.head.ref }}
run: |
set -euo pipefail
if ! printf '%s' "${BRANCH}" | grep -Eq '^[A-Za-z0-9._/-]+$'; then
echo "::error::unsafe branch name; refusing to proceed"; exit 1
fi
API="${API_BASE}/api/v1/repos/${REPO}/branches"
# URL-encode the branch name's slashes (no PHP dependency on the runner)
ENCODED=$(printf '%s' "${BRANCH}" | sed 's|/|%2F|g')
STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
-H "Authorization: token ${MOKOGIT_TOKEN}" \
"${API}/${ENCODED}" 2>/dev/null || true)
if [ "$STATUS" = "204" ]; then
echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
elif [ "$STATUS" = "404" ]; then
echo "Branch already deleted: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
else
echo "::warning::Failed to delete branch ${BRANCH} (HTTP ${STATUS})"
fi
+10
View File
@@ -0,0 +1,10 @@
# DISABLED — auto-release Step 11 recreates dev from main after every release.
# Cascade-dev is redundant and causes version conflicts when both main and dev
# have different version numbers in templateDetails.xml / manifest.xml.
name: "Cascade Main → Dev (DISABLED)"
on: workflow_dispatch
jobs:
noop:
runs-on: ubuntu-latest
steps:
- run: echo "Cascade disabled — auto-release handles dev recreation"
+197
View File
@@ -0,0 +1,197 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: MokoStandards.CI
# REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-Generic
# PATH: /.gitea/workflows/ci-generic.yml
# VERSION: 01.00.00
# BRIEF: CI pipeline — lint, validate, and test for generic projects (PHP + Node.js)
name: "Generic: Project CI"
on:
pull_request:
branches:
- main
- dev
- dev/**
- rc/**
workflow_dispatch:
permissions:
contents: read
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
# ── Lint & Validate ───────────────────────────────────────────────────
lint:
name: Lint & Validate
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Detect toolchain
id: detect
run: |
HAS_PHP=false
HAS_NODE=false
[ -f "composer.json" ] && HAS_PHP=true
[ -f "package.json" ] && HAS_NODE=true
echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
echo "Toolchain: PHP=$HAS_PHP Node=$HAS_NODE"
- name: Setup PHP
if: steps.detect.outputs.has_php == 'true'
run: |
if ! command -v php &> /dev/null; then
sudo apt-get update -qq
sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
fi
php -v
- name: Setup Node.js
if: steps.detect.outputs.has_node == 'true'
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install PHP dependencies
if: steps.detect.outputs.has_php == 'true'
run: |
if [ -f "composer.json" ]; then
composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
fi
- name: Install Node.js dependencies
if: steps.detect.outputs.has_node == 'true'
run: |
if [ -f "package.json" ]; then
npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true
fi
- name: PHP syntax check
if: steps.detect.outputs.has_php == 'true'
run: |
ERRORS=0
while IFS= read -r -d '' file; do
if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
echo "::error file=${file}::PHP syntax error"
ERRORS=$((ERRORS + 1))
fi
done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -not -path "./node_modules/*" -print0)
echo "## PHP Lint" >> $GITHUB_STEP_SUMMARY
if [ "$ERRORS" -eq 0 ]; then
echo "All PHP files passed syntax check." >> $GITHUB_STEP_SUMMARY
else
echo "${ERRORS} file(s) with syntax errors." >> $GITHUB_STEP_SUMMARY
exit 1
fi
- name: TypeScript/JavaScript lint
if: steps.detect.outputs.has_node == 'true'
run: |
if [ -f "node_modules/.bin/eslint" ]; then
npx eslint src/ --quiet 2>&1 || { echo "::error::ESLint errors found"; exit 1; }
echo "## ESLint" >> $GITHUB_STEP_SUMMARY
echo "All files passed ESLint." >> $GITHUB_STEP_SUMMARY
elif [ -f ".eslintrc.json" ] || [ -f ".eslintrc.js" ] || [ -f "eslint.config.js" ]; then
echo "::warning::ESLint config found but eslint not installed"
else
echo "No ESLint configured — skipping"
fi
- name: TypeScript compile check
if: steps.detect.outputs.has_node == 'true'
run: |
if [ -f "tsconfig.json" ] && [ -f "node_modules/.bin/tsc" ]; then
npx tsc --noEmit 2>&1 || { echo "::error::TypeScript compilation errors"; exit 1; }
echo "## TypeScript" >> $GITHUB_STEP_SUMMARY
echo "TypeScript compilation passed." >> $GITHUB_STEP_SUMMARY
fi
- name: PHPStan static analysis
if: steps.detect.outputs.has_php == 'true'
run: |
if [ -f "phpstan.neon" ] && [ -f "vendor/bin/phpstan" ]; then
vendor/bin/phpstan analyse --no-progress 2>&1 || { echo "::warning::PHPStan found issues"; }
fi
# ── Tests ─────────────────────────────────────────────────────────────
test:
name: Tests
runs-on: ubuntu-latest
needs: lint
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Detect toolchain
id: detect
run: |
HAS_PHP=false
HAS_NODE=false
[ -f "composer.json" ] && HAS_PHP=true
[ -f "package.json" ] && HAS_NODE=true
echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
- name: Setup PHP
if: steps.detect.outputs.has_php == 'true'
run: |
if ! command -v php &> /dev/null; then
sudo apt-get update -qq
sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
fi
- name: Setup Node.js
if: steps.detect.outputs.has_node == 'true'
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install dependencies
run: |
[ -f "composer.json" ] && composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
[ -f "package.json" ] && { npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true; }
- name: Run PHP tests
if: steps.detect.outputs.has_php == 'true'
run: |
if [ -f "vendor/bin/phpunit" ]; then
vendor/bin/phpunit --testdox 2>&1
echo "## PHPUnit" >> $GITHUB_STEP_SUMMARY
echo "Tests passed." >> $GITHUB_STEP_SUMMARY
elif [ -f "phpunit.xml" ] || [ -f "phpunit.xml.dist" ]; then
echo "::warning::PHPUnit config found but phpunit not installed"
else
echo "No PHPUnit configured — skipping"
fi
- name: Run Node.js tests
if: steps.detect.outputs.has_node == 'true'
run: |
if jq -e '.scripts.test' package.json > /dev/null 2>&1; then
npm test 2>&1
echo "## Node.js Tests" >> $GITHUB_STEP_SUMMARY
echo "Tests passed." >> $GITHUB_STEP_SUMMARY
else
echo "No test script in package.json — skipping"
fi
- name: Build check
run: |
if [ -f "Makefile" ]; then
make build 2>&1 || echo "::warning::Build failed or not configured"
elif [ -f "package.json" ] && jq -e '.scripts.build' package.json > /dev/null 2>&1; then
npm run build 2>&1 || echo "::warning::Build failed"
fi
+68
View File
@@ -0,0 +1,68 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: mokocli.Universal
# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
# PATH: /.mokogit/workflows/ci-issue-reporter.yml
# VERSION: 01.00.00
# BRIEF: Reusable workflow — creates/updates a MokoGIT issue when a CI gate fails.
# Clones MokoCLI and runs cli/ci_issue_reporter.sh.
name: "Universal: CI Issue Reporter"
on:
workflow_call:
inputs:
gate:
description: "CI gate name (e.g. PR Validation, Repository Health)"
required: true
type: string
details:
description: "Human-readable failure description"
required: true
type: string
severity:
description: "error or warning"
required: false
type: string
default: "error"
workflow:
description: "Workflow name for the issue title"
required: false
type: string
default: ""
secrets:
MOKOGIT_TOKEN:
required: true
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
report:
name: "Report: ${{ inputs.gate }}"
runs-on: ubuntu-latest
steps:
- name: Clone MokoCLI
env:
MOKOGIT_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
run: |
MOKOGIT_URL="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}"
git clone --depth 1 --filter=blob:none --sparse "${MOKOGIT_URL}/MokoConsulting/MokoCLI.git" /tmp/mokocli
cd /tmp/mokocli && git sparse-checkout set cli/ci_issue_reporter.sh
- name: Report CI failure
env:
MOKOGIT_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
MOKOGIT_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
run: |
chmod +x /tmp/mokocli/cli/ci_issue_reporter.sh
/tmp/mokocli/cli/ci_issue_reporter.sh \
--gate "${{ inputs.gate }}" \
--details "${{ inputs.details }}" \
--severity "${{ inputs.severity }}" \
--workflow "${{ inputs.workflow }}"
+87
View File
@@ -0,0 +1,87 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: MokoStandards.Maintenance
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
# PATH: /.gitea/workflows/cleanup.yml
# VERSION: 01.00.00
# BRIEF: Scheduled cleanup — delete merged branches and old workflow runs
name: "Universal: Repository Cleanup"
on:
schedule:
- cron: '0 3 * * 0' # Weekly on Sunday at 03:00 UTC
workflow_dispatch:
permissions:
contents: write
env:
MOKOGIT_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
jobs:
cleanup:
name: Clean Merged Branches
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.MOKOGIT_TOKEN }}
- name: Delete merged branches
env:
MOKOGIT_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
run: |
echo "=== Merged Branch Cleanup ==="
API="${MOKOGIT_URL}/api/v1/repos/${{ github.repository }}"
# List branches via API
BRANCHES=$(curl -sS -H "Authorization: token ${MOKOGIT_TOKEN}" \
"${API}/branches?limit=50" | jq -r '.[].name')
DELETED=0
for BRANCH in $BRANCHES; do
# Skip protected branches
case "$BRANCH" in
main|master|develop|release/*|hotfix/*) continue ;;
esac
# Check if branch is merged into main
if git merge-base --is-ancestor "origin/${BRANCH}" origin/main 2>/dev/null; then
echo " Deleting merged branch: ${BRANCH}"
curl -sS -X DELETE -H "Authorization: token ${MOKOGIT_TOKEN}" \
"${API}/branches/${BRANCH}" 2>/dev/null || true
DELETED=$((DELETED + 1))
fi
done
echo "Deleted ${DELETED} merged branch(es)"
- name: Clean old workflow runs
env:
MOKOGIT_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
run: |
echo "=== Workflow Run Cleanup ==="
API="${MOKOGIT_URL}/api/v1/repos/${{ github.repository }}"
CUTOFF=$(date -d "30 days ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-30d +%Y-%m-%dT%H:%M:%SZ)
# Get old completed runs
RUNS=$(curl -sS -H "Authorization: token ${MOKOGIT_TOKEN}" \
"${API}/actions/runs?status=completed&limit=50" | \
jq -r ".workflow_runs[] | select(.created_at < \"${CUTOFF}\") | .id" 2>/dev/null)
DELETED=0
for RUN_ID in $RUNS; do
curl -sS -X DELETE -H "Authorization: token ${MOKOGIT_TOKEN}" \
"${API}/actions/runs/${RUN_ID}" 2>/dev/null || true
DELETED=$((DELETED + 1))
done
echo "Deleted ${DELETED} old workflow run(s)"
@@ -0,0 +1,83 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: mokocli.Universal
# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
# PATH: /.mokogit/workflows/workflow-sync-trigger.yml
# VERSION: 01.01.00
# BRIEF: Trigger workflow sync to live repos when a PR is merged to main
name: "Universal: Workflow Sync Trigger"
on:
workflow_dispatch:
pull_request:
types: [closed]
branches:
- main
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
sync:
name: Sync workflows to live repos
runs-on: ubuntu-latest
if: >-
startsWith(github.event.repository.name, 'Template-') &&
(github.event_name == 'workflow_dispatch' ||
(github.event.pull_request.merged == true &&
!contains(github.event.pull_request.title, '[skip sync]')))
steps:
- name: Determine platform from repo name
id: platform
run: |
REPO="${{ github.event.repository.name }}"
case "$REPO" in
Template-Joomla) PLATFORM="joomla" ;;
Template-Dolibarr) PLATFORM="dolibarr" ;;
Template-Go) PLATFORM="go" ;;
Template-NPM) PLATFORM="npm" ;;
Template-Generic) PLATFORM="" ;;
*) PLATFORM="" ;;
esac
echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
echo "Platform: ${PLATFORM:-all}"
- name: Clone mokocli
env:
MOKOGIT_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
run: |
MOKOGIT_URL="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}"
git clone --depth 1 "${MOKOGIT_URL}/MokoConsulting/mokocli.git" /tmp/mokocli
- name: Install PHP
run: |
if ! command -v php &> /dev/null; then
apt-get update -qq && apt-get install -y -qq php-cli php-json php-curl > /dev/null 2>&1
fi
- name: Install dependencies
run: |
cd /tmp/mokocli
composer install --no-dev --no-interaction --quiet 2>/dev/null || true
- name: Run workflow sync
env:
MOKOGIT_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
run: |
ARGS="--token ${MOKOGIT_TOKEN}"
ARGS="${ARGS} --org ${{ vars.GITEA_ORG || github.repository_owner }}"
ARGS="${ARGS} --phase repos"
ARGS="${ARGS} --delete-orphans"
PLATFORM="${{ steps.platform.outputs.platform }}"
if [ -n "$PLATFORM" ]; then
ARGS="${ARGS} --platform-filter ${PLATFORM}"
fi
php /tmp/mokocli/cli/workflow_sync.php ${ARGS}
+136
View File
@@ -0,0 +1,136 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
# SPDX-License-Identifier: GPL-3.0-or-later
# BRIEF: Build and deploy to the Dev environment on push to the dev branch.
# Portable across Go server repos: ALL deployment config comes from repo
# Actions variables (vars.*) and secrets (secrets.*), nothing hardcoded.
# The dev branch is the ongoing integration branch.
# OWNER: Template-Go (canonical source; syncs to the root workflows dir). See Template-Go#3.
#
# Required repo VARIABLES (all tier-scoped so each environment is independent —
# a repo may host its rc/dev/prod tiers on different machines):
# DEV_SSH_HOST, DEV_SSH_PORT, DEV_SSH_USERNAME - SSH deploy target for the dev tier
# DEV_REGISTRY, DEV_REGISTRY_USER, DEV_IMAGE - container registry + login user + image
# DEV_CONTAINER - compose service/container to recreate
# DEV_COMPOSE_PROJECT - docker compose -p project name
# DEV_COMPOSE_DIR - dir containing docker-compose.yml on host
# DEV_SOURCE_DIR - build source checkout on host
# DEV_TAG_ENV - compose env-var name that pins the image tag
# DEV_HEALTH_URL - external URL to verify after deploy
# Required SECRETS (already configured org-wide; reused, not re-set):
# DEPLOY_SSH_KEY - deploy private key (repo/org secret)
# MOKOGIT_TOKEN - registry/API token (org secret)
name: Deploy (Dev)
on:
push:
branches:
- dev
# Manual trigger for isolated end-to-end tests.
# Runs on the ref it is dispatched from.
workflow_dispatch:
concurrency:
group: deploy-dev
cancel-in-progress: true
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
deploy-dev:
name: "Build & Deploy to Dev"
runs-on: ubuntu-latest
steps:
- name: Checkout source
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Determine version
id: config
run: |
VERSION=$(git describe --tags --always 2>/dev/null || echo "dev-$(git rev-parse --short HEAD)")
echo "tag=${VERSION}-dev" >> $GITHUB_OUTPUT
echo "Version: ${VERSION}-dev"
- name: Write deploy key
env:
DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
run: |
mkdir -p ~/.ssh
echo "$DEPLOY_KEY" > ~/.ssh/deploy_key
chmod 600 ~/.ssh/deploy_key
- name: Build and deploy to RC via SSH
env:
REGISTRY_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
TAG: ${{ steps.config.outputs.tag }}
run: |
# Runner-side values (TAG, REGISTRY_TOKEN) are injected into the remote shell
# via an env prefix; a *quoted* heredoc keeps every $var expanding once, on the
# remote. Repo variables (vars.*) are substituted inline by Actions before ssh.
ssh -i ~/.ssh/deploy_key -p ${{ vars.DEV_SSH_PORT }} \
-o ConnectTimeout=30 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-o ServerAliveInterval=30 -o ServerAliveCountMax=10 \
${{ vars.DEV_SSH_USERNAME }}@${{ vars.DEV_SSH_HOST }} \
"TAG='$TAG' REGISTRY_TOKEN='$REGISTRY_TOKEN' bash -s" <<'DEPLOY_EOF'
set -e
echo 'SSH connected to Dev environment'
if [ -z "$TAG" ]; then
echo 'ERROR: TAG is empty; refusing to build an untagged image' >&2
exit 1
fi
HEALTH_FMT='{{.State.Health.Status}}'
echo 'Cleaning Docker build cache...'
docker builder prune -af 2>/dev/null || true
docker image prune -af 2>/dev/null || true
echo 'Pulling source...'
SOURCE_DIR='${{ vars.DEV_SOURCE_DIR }}'
if [ ! -d "$SOURCE_DIR/.git" ]; then
git clone -b dev https://x-access-token:${REGISTRY_TOKEN}@git.mokoconsulting.tech/${{ github.repository }}.git "$SOURCE_DIR"
fi
cd "$SOURCE_DIR"
git remote set-url origin https://x-access-token:${REGISTRY_TOKEN}@git.mokoconsulting.tech/${{ github.repository }}.git 2>/dev/null || true
git fetch origin dev
git reset --hard origin/dev
echo "Building image: ${{ vars.DEV_REGISTRY }}/${{ vars.DEV_IMAGE }}:$TAG"
docker build --no-cache --build-arg GOFLAGS='-p 1' \
--tag "${{ vars.DEV_REGISTRY }}/${{ vars.DEV_IMAGE }}:$TAG" \
-f Dockerfile .
echo 'Pushing to registry...'
echo "$REGISTRY_TOKEN" | docker login ${{ vars.DEV_REGISTRY }} -u ${{ vars.DEV_REGISTRY_USER }} --password-stdin
docker push "${{ vars.DEV_REGISTRY }}/${{ vars.DEV_IMAGE }}:$TAG"
echo 'Restarting Dev container...'
cd '${{ vars.DEV_COMPOSE_DIR }}'
# Drive the rc service image tag via its compose env-var (no sed on the shared
# file); remove any lingering fixed-name container first, then force-recreate.
docker rm -f '${{ vars.DEV_CONTAINER }}' 2>/dev/null || true
${{ vars.DEV_TAG_ENV }}="$TAG" docker compose -p '${{ vars.DEV_COMPOSE_PROJECT }}' up -d --force-recreate '${{ vars.DEV_CONTAINER }}'
echo 'Health check...'
for i in 1 2 3 4 5 6 7 8; do
sleep 15
if docker inspect --format="$HEALTH_FMT" '${{ vars.DEV_CONTAINER }}' 2>/dev/null | grep -q healthy; then
echo 'Dev container healthy!'
exit 0
fi
echo "Waiting... (attempt $i/8)"
done
echo 'Health check failed'
docker logs '${{ vars.DEV_CONTAINER }}' --tail 20
exit 1
DEPLOY_EOF
- name: Verify Dev instance
continue-on-error: true
run: |
sleep 5
ssh -i ~/.ssh/deploy_key -p ${{ vars.DEV_SSH_PORT }} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ${{ vars.DEV_SSH_USERNAME }}@${{ vars.DEV_SSH_HOST }} "curl -sf '${{ vars.DEV_HEALTH_URL }}'" && echo " Dev API healthy"
+136
View File
@@ -0,0 +1,136 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
# SPDX-License-Identifier: GPL-3.0-or-later
# BRIEF: Build and deploy to the Prod environment on push to the main branch.
# Portable across Go server repos: ALL deployment config comes from repo
# Actions variables (vars.*) and secrets (secrets.*), nothing hardcoded.
# Prod deploys on merge to main (dev -> rc -> main pipeline).
# OWNER: Template-Go (canonical source; syncs to the root workflows dir). See Template-Go#3.
#
# Required repo VARIABLES (all tier-scoped so each environment is independent —
# a repo may host its rc/dev/prod tiers on different machines):
# PROD_SSH_HOST, PROD_SSH_PORT, PROD_SSH_USERNAME - SSH deploy target for the prod tier
# PROD_REGISTRY, PROD_REGISTRY_USER, PROD_IMAGE - container registry + login user + image
# PROD_CONTAINER - compose service/container to recreate
# PROD_COMPOSE_PROJECT - docker compose -p project name
# PROD_COMPOSE_DIR - dir containing docker-compose.yml on host
# PROD_SOURCE_DIR - build source checkout on host
# PROD_TAG_ENV - compose env-var name that pins the image tag
# PROD_HEALTH_URL - external URL to verify after deploy
# Required SECRETS (already configured org-wide; reused, not re-set):
# DEPLOY_SSH_KEY - deploy private key (repo/org secret)
# MOKOGIT_TOKEN - registry/API token (org secret)
name: Deploy (Prod)
on:
push:
branches:
- main
# Manual trigger for a prod re-deploy.
# Runs on the ref it is dispatched from (use main).
workflow_dispatch:
concurrency:
group: deploy-prod
cancel-in-progress: false
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
deploy-prod:
name: "Build & Deploy to Prod"
runs-on: ubuntu-latest
steps:
- name: Checkout source
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Determine version
id: config
run: |
VERSION=$(git describe --tags --always 2>/dev/null || echo "$(git rev-parse --short HEAD)")
echo "tag=${VERSION}" >> $GITHUB_OUTPUT
echo "Version: ${VERSION}"
- name: Write deploy key
env:
DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
run: |
mkdir -p ~/.ssh
echo "$DEPLOY_KEY" > ~/.ssh/deploy_key
chmod 600 ~/.ssh/deploy_key
- name: Build and deploy to RC via SSH
env:
REGISTRY_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
TAG: ${{ steps.config.outputs.tag }}
run: |
# Runner-side values (TAG, REGISTRY_TOKEN) are injected into the remote shell
# via an env prefix; a *quoted* heredoc keeps every $var expanding once, on the
# remote. Repo variables (vars.*) are substituted inline by Actions before ssh.
ssh -i ~/.ssh/deploy_key -p ${{ vars.PROD_SSH_PORT }} \
-o ConnectTimeout=30 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-o ServerAliveInterval=30 -o ServerAliveCountMax=10 \
${{ vars.PROD_SSH_USERNAME }}@${{ vars.PROD_SSH_HOST }} \
"TAG='$TAG' REGISTRY_TOKEN='$REGISTRY_TOKEN' bash -s" <<'DEPLOY_EOF'
set -e
echo 'SSH connected to Prod environment'
if [ -z "$TAG" ]; then
echo 'ERROR: TAG is empty; refusing to build an untagged image' >&2
exit 1
fi
HEALTH_FMT='{{.State.Health.Status}}'
echo 'Cleaning Docker build cache...'
docker builder prune -af 2>/dev/null || true
docker image prune -af 2>/dev/null || true
echo 'Pulling source...'
SOURCE_DIR='${{ vars.PROD_SOURCE_DIR }}'
if [ ! -d "$SOURCE_DIR/.git" ]; then
git clone -b main https://x-access-token:${REGISTRY_TOKEN}@git.mokoconsulting.tech/${{ github.repository }}.git "$SOURCE_DIR"
fi
cd "$SOURCE_DIR"
git remote set-url origin https://x-access-token:${REGISTRY_TOKEN}@git.mokoconsulting.tech/${{ github.repository }}.git 2>/dev/null || true
git fetch origin main
git reset --hard origin/main
echo "Building image: ${{ vars.PROD_REGISTRY }}/${{ vars.PROD_IMAGE }}:$TAG"
docker build --no-cache --build-arg GOFLAGS='-p 1' \
--tag "${{ vars.PROD_REGISTRY }}/${{ vars.PROD_IMAGE }}:$TAG" \
-f Dockerfile .
echo 'Pushing to registry...'
echo "$REGISTRY_TOKEN" | docker login ${{ vars.PROD_REGISTRY }} -u ${{ vars.PROD_REGISTRY_USER }} --password-stdin
docker push "${{ vars.PROD_REGISTRY }}/${{ vars.PROD_IMAGE }}:$TAG"
echo 'Restarting Prod container...'
cd '${{ vars.PROD_COMPOSE_DIR }}'
# Drive the rc service image tag via its compose env-var (no sed on the shared
# file); remove any lingering fixed-name container first, then force-recreate.
docker rm -f '${{ vars.PROD_CONTAINER }}' 2>/dev/null || true
${{ vars.PROD_TAG_ENV }}="$TAG" docker compose -p '${{ vars.PROD_COMPOSE_PROJECT }}' up -d --force-recreate '${{ vars.PROD_CONTAINER }}'
echo 'Health check...'
for i in 1 2 3 4 5 6 7 8; do
sleep 15
if docker inspect --format="$HEALTH_FMT" '${{ vars.PROD_CONTAINER }}' 2>/dev/null | grep -q healthy; then
echo 'Prod container healthy!'
exit 0
fi
echo "Waiting... (attempt $i/8)"
done
echo 'Health check failed'
docker logs '${{ vars.PROD_CONTAINER }}' --tail 20
exit 1
DEPLOY_EOF
- name: Verify Prod instance
continue-on-error: true
run: |
sleep 5
ssh -i ~/.ssh/deploy_key -p ${{ vars.PROD_SSH_PORT }} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ${{ vars.PROD_SSH_USERNAME }}@${{ vars.PROD_SSH_HOST }} "curl -sf '${{ vars.PROD_HEALTH_URL }}'" && echo " Prod API healthy"
+138
View File
@@ -0,0 +1,138 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
# SPDX-License-Identifier: GPL-3.0-or-later
# BRIEF: Build and deploy to the RC environment on push to the rc branch.
# Portable across Go server repos: ALL deployment config comes from repo
# Actions variables (vars.*) and secrets (secrets.*), nothing hardcoded.
# The rc branch is created by promote-rc when a PR to main opens.
# OWNER: Template-Go (canonical source; syncs to the root workflows dir). See Template-Go#3.
#
# Required repo VARIABLES (all tier-scoped so each environment is independent —
# a repo may host its rc/dev/prod tiers on different machines):
# RC_SSH_HOST, RC_SSH_PORT, RC_SSH_USERNAME - SSH deploy target for the rc tier
# RC_REGISTRY, RC_REGISTRY_USER, RC_IMAGE - container registry + login user + image
# RC_CONTAINER - compose service/container to recreate
# RC_COMPOSE_PROJECT - docker compose -p project name
# RC_COMPOSE_DIR - dir containing docker-compose.yml on host
# RC_SOURCE_DIR - build source checkout on host
# RC_TAG_ENV - compose env-var name that pins the image tag
# RC_HEALTH_URL - external URL to verify after deploy
# Required SECRETS (already configured org-wide; reused, not re-set):
# DEPLOY_SSH_KEY - deploy private key (repo/org secret)
# MOKOGIT_TOKEN - registry/API token (org secret)
name: Deploy (RC)
on:
push:
branches:
- rc
# Manual trigger for isolated end-to-end tests without a full RC promotion.
# Runs on the ref it is dispatched from; that ref must carry current source
# (>= the RC database migration version) or the rebuilt image will refuse the
# newer DB. Dispatch from `rc` once `rc` is current.
workflow_dispatch:
concurrency:
group: deploy-rc
cancel-in-progress: true
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
deploy-rc:
name: "Build & Deploy to RC"
runs-on: ubuntu-latest
steps:
- name: Checkout source
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Determine version
id: config
run: |
VERSION=$(git describe --tags --always 2>/dev/null || echo "rc-$(git rev-parse --short HEAD)")
echo "tag=${VERSION}-rc" >> $GITHUB_OUTPUT
echo "Version: ${VERSION}-rc"
- name: Write deploy key
env:
DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
run: |
mkdir -p ~/.ssh
echo "$DEPLOY_KEY" > ~/.ssh/deploy_key
chmod 600 ~/.ssh/deploy_key
- name: Build and deploy to RC via SSH
env:
REGISTRY_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
TAG: ${{ steps.config.outputs.tag }}
run: |
# Runner-side values (TAG, REGISTRY_TOKEN) are injected into the remote shell
# via an env prefix; a *quoted* heredoc keeps every $var expanding once, on the
# remote. Repo variables (vars.*) are substituted inline by Actions before ssh.
ssh -i ~/.ssh/deploy_key -p ${{ vars.RC_SSH_PORT }} \
-o ConnectTimeout=30 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-o ServerAliveInterval=30 -o ServerAliveCountMax=10 \
${{ vars.RC_SSH_USERNAME }}@${{ vars.RC_SSH_HOST }} \
"TAG='$TAG' REGISTRY_TOKEN='$REGISTRY_TOKEN' bash -s" <<'DEPLOY_EOF'
set -e
echo 'SSH connected to RC environment'
if [ -z "$TAG" ]; then
echo 'ERROR: TAG is empty; refusing to build an untagged image' >&2
exit 1
fi
HEALTH_FMT='{{.State.Health.Status}}'
echo 'Cleaning Docker build cache...'
docker builder prune -af 2>/dev/null || true
docker image prune -af 2>/dev/null || true
echo 'Pulling source...'
SOURCE_DIR='${{ vars.RC_SOURCE_DIR }}'
if [ ! -d "$SOURCE_DIR/.git" ]; then
git clone -b rc https://x-access-token:${REGISTRY_TOKEN}@git.mokoconsulting.tech/${{ github.repository }}.git "$SOURCE_DIR"
fi
cd "$SOURCE_DIR"
git remote set-url origin https://x-access-token:${REGISTRY_TOKEN}@git.mokoconsulting.tech/${{ github.repository }}.git 2>/dev/null || true
git fetch origin rc
git reset --hard origin/rc
echo "Building image: ${{ vars.RC_REGISTRY }}/${{ vars.RC_IMAGE }}:$TAG"
docker build --no-cache --build-arg GOFLAGS='-p 1' \
--tag "${{ vars.RC_REGISTRY }}/${{ vars.RC_IMAGE }}:$TAG" \
-f Dockerfile .
echo 'Pushing to registry...'
echo "$REGISTRY_TOKEN" | docker login ${{ vars.RC_REGISTRY }} -u ${{ vars.RC_REGISTRY_USER }} --password-stdin
docker push "${{ vars.RC_REGISTRY }}/${{ vars.RC_IMAGE }}:$TAG"
echo 'Restarting RC container...'
cd '${{ vars.RC_COMPOSE_DIR }}'
# Drive the rc service image tag via its compose env-var (no sed on the shared
# file); remove any lingering fixed-name container first, then force-recreate.
docker rm -f '${{ vars.RC_CONTAINER }}' 2>/dev/null || true
${{ vars.RC_TAG_ENV }}="$TAG" docker compose -p '${{ vars.RC_COMPOSE_PROJECT }}' up -d --force-recreate '${{ vars.RC_CONTAINER }}'
echo 'Health check...'
for i in 1 2 3 4 5 6 7 8; do
sleep 15
if docker inspect --format="$HEALTH_FMT" '${{ vars.RC_CONTAINER }}' 2>/dev/null | grep -q healthy; then
echo 'RC container healthy!'
exit 0
fi
echo "Waiting... (attempt $i/8)"
done
echo 'Health check failed'
docker logs '${{ vars.RC_CONTAINER }}' --tail 20
exit 1
DEPLOY_EOF
- name: Verify RC instance
continue-on-error: true
run: |
sleep 5
ssh -i ~/.ssh/deploy_key -p ${{ vars.RC_SSH_PORT }} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ${{ vars.RC_SSH_USERNAME }}@${{ vars.RC_SSH_HOST }} "curl -sf '${{ vars.RC_HEALTH_URL }}'" && echo " RC API healthy"
+92
View File
@@ -0,0 +1,92 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: MokoStandards.Security
# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
# PATH: /templates/workflows/gitleaks.yml.template
# VERSION: 01.00.00
# BRIEF: Secret scanning — detect leaked credentials, API keys, and tokens
#
# +========================================================================+
# | SECRET SCANNING |
# +========================================================================+
# | |
# | Scans commits for leaked secrets using Gitleaks. |
# | |
# | - PR scan: only new commits in the PR |
# | - Scheduled: full repo scan weekly |
# | - Alerts via ntfy on findings |
# | |
# +========================================================================+
name: "Universal: Secret Scanning"
on:
schedule:
- cron: '0 5 * * 1' # Weekly Monday 05:00 UTC
workflow_dispatch:
permissions:
contents: read
env:
NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'git-security' }}
jobs:
gitleaks:
name: Gitleaks Secret Scan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Gitleaks
run: |
GITLEAKS_VERSION="8.21.2"
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
| tar -xz -C /usr/local/bin gitleaks
gitleaks version
- name: Scan for secrets
id: scan
run: |
echo "### Secret Scanning" >> $GITHUB_STEP_SUMMARY
ARGS="--source . --verbose --report-format json --report-path /tmp/gitleaks-report.json"
if [ "${{ github.event_name }}" = "pull_request" ]; then
# Scan only PR commits
ARGS="$ARGS --log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
echo "Scanning PR commits only" >> $GITHUB_STEP_SUMMARY
else
echo "Full repository scan" >> $GITHUB_STEP_SUMMARY
fi
if gitleaks detect $ARGS 2>&1; then
echo "result=clean" >> "$GITHUB_OUTPUT"
echo "**No secrets detected.**" >> $GITHUB_STEP_SUMMARY
else
echo "result=found" >> "$GITHUB_OUTPUT"
FINDINGS=$(jq length /tmp/gitleaks-report.json 2>/dev/null || echo "unknown")
echo "**${FINDINGS} potential secret(s) detected.**" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Review the findings and rotate any exposed credentials immediately." >> $GITHUB_STEP_SUMMARY
exit 1
fi
- name: Notify on findings
if: failure() && steps.scan.outputs.result == 'found'
run: |
REPO="${{ github.event.repository.name }}"
curl -sS \
-H "Title: ${REPO} — secrets detected in code" \
-H "Tags: rotating_light,key" \
-H "Priority: urgent" \
-d "Gitleaks found potential secrets. Review and rotate credentials immediately." \
"${NTFY_URL}/${NTFY_TOPIC}" || true
+81
View File
@@ -0,0 +1,81 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: MokoCLI.Automation
# VERSION: 01.00.00
# BRIEF: Auto-create feature branch when an issue is opened
name: "Universal: Issue Branch"
on:
issues:
types: [opened]
permissions:
contents: write
issues: write
env:
MOKOGIT_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
jobs:
create-branch:
name: Create feature branch
runs-on: ubuntu-latest
steps:
- name: Create branch and comment
# SECURITY: never interpolate github.event.* into a run: script — the
# Actions engine splices the raw value into the shell source (command
# injection via a crafted issue title). Pass everything through env so
# the values arrive as ordinary shell variables that are not re-parsed.
env:
MOKOGIT_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
REPO: ${{ github.repository }}
ISSUE_NUM: ${{ github.event.issue.number }}
ISSUE_TITLE: ${{ github.event.issue.title }}
run: |
TOKEN="${MOKOGIT_TOKEN}"
API="${MOKOGIT_URL}/api/v1/repos/${REPO}"
# Build slug from title: lowercase, replace non-alnum with dash, trim.
# printf (not echo) so a title beginning with "-" is not read as flags.
SLUG=$(printf '%s' "${ISSUE_TITLE}" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | sed 's/^-//;s/-$//' | cut -c1-40)
BRANCH="feature/${ISSUE_NUM}-${SLUG}"
# Check dev branch exists
DEV_EXISTS=$(curl -sf -o /dev/null -w '%{http_code}' \
-H "Authorization: token ${TOKEN}" \
"${API}/branches/dev" 2>/dev/null || echo "000")
if [ "${DEV_EXISTS}" != "200" ]; then
echo "No dev branch -- skipping"
exit 0
fi
# Create branch from dev
HTTP=$(curl -sf -o /dev/null -w '%{http_code}' -X POST \
-H "Authorization: token ${TOKEN}" \
-H "Content-Type: application/json" \
"${API}/branches" \
-d "{\"new_branch_name\":\"${BRANCH}\",\"old_branch_name\":\"dev\"}" 2>/dev/null || echo "000")
if [ "${HTTP}" = "201" ]; then
echo "Created branch: ${BRANCH}"
# Comment on issue with branch link
REPO_URL="${MOKOGIT_URL}/${REPO}"
BODY="Branch created: [\`${BRANCH}\`](${REPO_URL}/src/branch/${BRANCH})\n\n\`\`\`bash\ngit fetch origin\ngit checkout ${BRANCH}\n\`\`\`"
curl -sf -X POST \
-H "Authorization: token ${TOKEN}" \
-H "Content-Type: application/json" \
"${API}/issues/${ISSUE_NUM}/comments" \
-d "{\"body\":\"${BODY}\"}" > /dev/null 2>&1
echo "Commented on issue #${ISSUE_NUM}"
else
echo "Failed to create branch (HTTP ${HTTP}) -- may already exist"
fi
+70
View File
@@ -0,0 +1,70 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: MokoStandards.Notifications
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
# PATH: /.gitea/workflows/notify.yml
# VERSION: 01.00.00
# BRIEF: Push notifications via ntfy on release success or workflow failure
name: "Universal: Notifications"
on:
workflow_run:
workflows:
- "Joomla Build & Release"
- "Joomla Extension CI"
- "Deploy"
types:
- completed
permissions:
contents: read
env:
NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'git-releases' }}
jobs:
notify:
name: Send Notification
runs-on: ubuntu-latest
if: >-
github.event.workflow_run.conclusion == 'success' ||
github.event.workflow_run.conclusion == 'failure'
steps:
- name: Notify on success (releases only)
if: >-
github.event.workflow_run.conclusion == 'success' &&
contains(github.event.workflow_run.name, 'Release')
run: |
REPO="${{ github.event.repository.name }}"
WORKFLOW="${{ github.event.workflow_run.name }}"
URL="${{ github.event.workflow_run.html_url }}"
curl -sS \
-H "Title: ${REPO} released" \
-H "Tags: white_check_mark,package" \
-H "Priority: default" \
-H "Click: ${URL}" \
-d "${WORKFLOW} completed successfully." \
"${NTFY_URL}/${NTFY_TOPIC}"
- name: Notify on failure
if: github.event.workflow_run.conclusion == 'failure'
run: |
REPO="${{ github.event.repository.name }}"
WORKFLOW="${{ github.event.workflow_run.name }}"
URL="${{ github.event.workflow_run.html_url }}"
curl -sS \
-H "Title: ${REPO} workflow failed" \
-H "Tags: x,warning" \
-H "Priority: high" \
-H "Click: ${URL}" \
-d "${WORKFLOW} failed. Check the run for details." \
"${NTFY_URL}/${NTFY_TOPIC}"
+522
View File
@@ -0,0 +1,522 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: mokocli.CI
# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/mokocli
# PATH: /templates/workflows/universal/pr-check.yml.template
# VERSION: 09.23.00
# BRIEF: PR gate — branch policy + code validation before merge
name: "Universal: PR Check"
on:
pull_request:
types: [opened, synchronize, reopened, edited]
permissions:
contents: read
pull-requests: write
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
# ── Branch Policy ──────────────────────────────────────────────────────
branch-policy:
name: Branch Policy
runs-on: ubuntu-latest
steps:
- name: Check branch merge target
run: |
HEAD="${{ github.head_ref }}"
BASE="${{ github.base_ref }}"
echo "PR: ${HEAD} → ${BASE}"
ALLOWED=true
REASON=""
case "$HEAD" in
feature/*|feat/*)
if [ "$BASE" != "dev" ]; then
ALLOWED=false
REASON="Feature branches must target 'dev', not '${BASE}'"
fi
;;
fix/*|bugfix/*)
if [ "$BASE" != "dev" ]; then
ALLOWED=false
REASON="Fix branches must target 'dev', not '${BASE}'"
fi
;;
patch/*)
if [ "$BASE" != "dev" ] && [ "$BASE" != "rc" ]; then
ALLOWED=false
REASON="Patch branches must target 'dev' or 'rc', not '${BASE}'"
fi
;;
hotfix/*)
if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
ALLOWED=false
REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
fi
;;
rc)
if [ "$BASE" != "main" ]; then
ALLOWED=false
REASON="RC branch can only merge into 'main', not '${BASE}'"
fi
;;
dev)
if [ "$BASE" != "main" ]; then
ALLOWED=false
REASON="Dev branch can only merge into 'main', not '${BASE}'"
fi
;;
esac
if [ "$ALLOWED" = false ]; then
echo "::error::${REASON}"
echo "## Branch Policy Violation" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "${REASON}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Allowed merge paths:" >> $GITHUB_STEP_SUMMARY
echo "- \`feature/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
echo "- \`fix/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
echo "- \`hotfix/*\` → \`dev\` or \`main\`" >> $GITHUB_STEP_SUMMARY
echo "- \`dev\` → \`main\`" >> $GITHUB_STEP_SUMMARY
echo "- \`rc/*\` → \`main\`" >> $GITHUB_STEP_SUMMARY
exit 1
fi
echo "Branch policy: OK (${HEAD} → ${BASE})"
echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
# ── Secret Scanning ──────────────────────────────────────────────────
gitleaks:
name: Secret Scan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Gitleaks
run: |
GITLEAKS_VERSION="8.21.2"
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
| tar -xz -C /usr/local/bin gitleaks
- name: Scan PR commits for secrets
run: |
if gitleaks detect --source . --verbose \
--log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} 2>&1; then
echo "**No secrets detected.**" >> $GITHUB_STEP_SUMMARY
else
echo "::error::Potential secrets detected in PR commits"
exit 1
fi
# ── Code Validation ────────────────────────────────────────────────────
validate:
name: Validate PR
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Check for merge conflict markers
run: |
CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
if [ -n "$CONFLICTS" ]; then
echo "::error::Merge conflict markers found in source files"
echo "## Conflict Markers Found" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
exit 1
fi
echo "No conflict markers found"
- name: Detect platform
id: platform
run: |
# Platform comes from the MokoGIT metadata API (public GET).
API="${GITHUB_SERVER_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${GITHUB_REPOSITORY}/metadata"
PLATFORM="$(curl -sf "$API" 2>/dev/null | python3 -c "import sys, json; print(json.load(sys.stdin).get('platform') or '')" 2>/dev/null || true)"
[ -z "$PLATFORM" ] && PLATFORM="generic"
echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
echo "Detected platform: $PLATFORM"
- name: Setup PHP
if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
run: |
if ! command -v php &> /dev/null; then
sudo apt-get update -qq
sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
fi
- name: PHP syntax check
if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
run: |
ERRORS=0
while IFS= read -r -d '' file; do
if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
ERRORS=$((ERRORS + 1))
fi
done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -print0)
echo "PHP lint: ${ERRORS} error(s)"
[ "$ERRORS" -eq 0 ] || { echo "::error::PHP syntax errors found"; exit 1; }
- name: Joomla JEXEC guard check
if: steps.platform.outputs.platform == 'joomla'
run: |
ERRORS=0
while IFS= read -r -d '' file; do
# Skip vendor, node_modules, and index.html stub files
case "$file" in ./vendor/*|./node_modules/*) continue ;; esac
# Check first 10 lines for JEXEC or JPATH guard
if ! head -20 "$file" | grep -qE "defined\s*\(\s*['\"](_JEXEC|JPATH_BASE|\\\\JPATH_PLATFORM)['\"]"; then
echo "::error file=${file}::Missing JEXEC guard: ${file}"
ERRORS=$((ERRORS + 1))
fi
done < <(find . -name "*.php" -path "*/src/*" -not -path "./.git/*" -not -path "./vendor/*" -print0)
if [ "$ERRORS" -gt 0 ]; then
echo "::error::${ERRORS} PHP file(s) missing defined('_JEXEC') or die guard"
echo "## JEXEC Guard Check: Failed" >> $GITHUB_STEP_SUMMARY
echo "${ERRORS} file(s) in src/ are missing the Joomla execution guard." >> $GITHUB_STEP_SUMMARY
exit 1
fi
echo "JEXEC guard: OK"
- name: Joomla directory listing protection
if: steps.platform.outputs.platform == 'joomla'
run: |
MISSING=0
SOURCE_DIR="src"
[ ! -d "$SOURCE_DIR" ] && exit 0
while IFS= read -r dir; do
if [ ! -f "${dir}/index.html" ]; then
echo "::warning::Missing index.html in ${dir} (directory listing protection)"
MISSING=$((MISSING + 1))
fi
done < <(find "$SOURCE_DIR" -type d -not -path "./.git/*" -not -path "*/vendor/*" -not -path "*/node_modules/*")
if [ "$MISSING" -gt 0 ]; then
echo "## Directory Protection" >> $GITHUB_STEP_SUMMARY
echo "${MISSING} director(ies) missing index.html" >> $GITHUB_STEP_SUMMARY
fi
echo "Directory protection: ${MISSING} missing (advisory)"
- name: Joomla script file and asset checks
if: steps.platform.outputs.platform == 'joomla'
run: |
ERRORS=0
MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
[ -z "$MANIFEST" ] && exit 0
MANIFEST_DIR=$(dirname "$MANIFEST")
# Check scriptfile exists if declared
SCRIPTFILE=$(sed -n 's/.*<scriptfile>\([^<]*\)<\/scriptfile>.*/\1/p' "$MANIFEST" 2>/dev/null)
if [ -n "$SCRIPTFILE" ]; then
if [ ! -f "${MANIFEST_DIR}/${SCRIPTFILE}" ]; then
echo "::error::Manifest declares <scriptfile>${SCRIPTFILE}</scriptfile> but file not found at ${MANIFEST_DIR}/${SCRIPTFILE}"
ERRORS=$((ERRORS + 1))
else
echo "Script file: ${MANIFEST_DIR}/${SCRIPTFILE} (OK)"
fi
fi
# Require joomla.asset.json and validate it
ASSET_JSON=$(find "$MANIFEST_DIR" -name "joomla.asset.json" -not -path "./.git/*" 2>/dev/null | head -1)
if [ -z "$ASSET_JSON" ]; then
echo "::error::joomla.asset.json not found — Joomla asset system is required"
ERRORS=$((ERRORS + 1))
else
if command -v php &> /dev/null; then
php -r "json_decode(file_get_contents('$ASSET_JSON')); if(json_last_error()!==JSON_ERROR_NONE){echo json_last_error_msg();exit(1);}" 2>&1 || {
echo "::error::joomla.asset.json is not valid JSON"
ERRORS=$((ERRORS + 1))
}
fi
echo "joomla.asset.json: valid"
fi
# Validate all XML files in src/ are well-formed
XML_ERRORS=0
if command -v php &> /dev/null; then
while IFS= read -r -d '' xmlfile; do
if ! php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$xmlfile'); if(!\$x){foreach(libxml_get_errors() as \$e) echo trim(\$e->message) . ' in $xmlfile'; exit(1);}" 2>&1; then
XML_ERRORS=$((XML_ERRORS + 1))
fi
done < <(find "$MANIFEST_DIR" -name "*.xml" -not -path "./.git/*" -print0)
fi
if [ "$XML_ERRORS" -gt 0 ]; then
echo "::error::${XML_ERRORS} XML file(s) are malformed"
ERRORS=$((ERRORS + 1))
else
echo "XML well-formedness: OK"
fi
[ "$ERRORS" -gt 0 ] && exit 1
echo "Joomla asset checks: OK"
- name: Validate platform manifest
run: |
PLATFORM="${{ steps.platform.outputs.platform }}"
case "$PLATFORM" in
joomla)
MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
if [ -z "$MANIFEST" ]; then
echo "::warning::No Joomla manifest found (WaaS site)"
exit 0
fi
echo "Manifest: ${MANIFEST}"
if command -v php &> /dev/null; then
php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$MANIFEST'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::Manifest XML is malformed"; exit 1; }
fi
for ELEMENT in name version description; do
grep -q "<${ELEMENT}>" "$MANIFEST" || { echo "::error::Missing <${ELEMENT}> in manifest"; exit 1; }
done
# Block legacy raw/branch update server URLs on MokoGIT
RAW_URLS=$(grep -n 'raw/branch' "$MANIFEST" | grep -i 'mokoconsulting\|mokogit\|git\.mokoconsulting\.tech' || true)
if [ -n "$RAW_URLS" ]; then
echo "::error::Manifest contains legacy raw/branch update server URL on MokoGIT. Use the MokoGIT Pages URL instead (e.g. /{REPO}/updates.xml not /{REPO}/raw/branch/main/updates.xml)"
echo "$RAW_URLS"
exit 1
fi
echo "Joomla manifest valid"
;;
dolibarr)
MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1)
if [ -z "$MOD_FILE" ]; then
echo "::error::No mod*.class.php found"
exit 1
fi
echo "Dolibarr module: ${MOD_FILE}"
;;
*)
echo "Generic platform — no manifest validation"
;;
esac
- name: Check update stream format
run: |
PLATFORM="${{ steps.platform.outputs.platform }}"
case "$PLATFORM" in
joomla)
if [ -f "updates.xml" ]; then
if command -v php &> /dev/null; then
php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('updates.xml'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::updates.xml is malformed"; exit 1; }
fi
echo "updates.xml valid"
fi
;;
dolibarr)
[ -f "update.txt" ] && echo "update.txt present" || echo "::warning::No update.txt"
;;
esac
- name: Validate Joomla language files
if: steps.platform.outputs.platform == 'joomla'
run: |
ERRORS=0
WARNINGS=0
# Require both en-GB and en-US language directories
LANG_ROOT=$(find . -path "*/language" -type d -not -path "./.git/*" 2>/dev/null | head -1)
if [ -z "$LANG_ROOT" ]; then
echo "No language/ directory found — skipping"
exit 0
fi
if [ ! -d "$LANG_ROOT/en-GB" ]; then
echo "::error::Missing en-GB language directory (${LANG_ROOT}/en-GB)"
ERRORS=$((ERRORS + 1))
fi
if [ ! -d "$LANG_ROOT/en-US" ]; then
echo "::error::Missing en-US language directory (${LANG_ROOT}/en-US)"
ERRORS=$((ERRORS + 1))
fi
# Check that en-GB and en-US have matching .ini files
if [ -d "$LANG_ROOT/en-GB" ] && [ -d "$LANG_ROOT/en-US" ]; then
for GB_INI in "$LANG_ROOT/en-GB"/*.ini; do
[ ! -f "$GB_INI" ] && continue
US_INI="$LANG_ROOT/en-US/$(basename "$GB_INI")"
if [ ! -f "$US_INI" ]; then
echo "::error::$(basename "$GB_INI") exists in en-GB but missing from en-US"
ERRORS=$((ERRORS + 1))
fi
done
for US_INI in "$LANG_ROOT/en-US"/*.ini; do
[ ! -f "$US_INI" ] && continue
GB_INI="$LANG_ROOT/en-GB/$(basename "$US_INI")"
if [ ! -f "$GB_INI" ]; then
echo "::error::$(basename "$US_INI") exists in en-US but missing from en-GB"
ERRORS=$((ERRORS + 1))
fi
done
fi
# Find all .ini language files
INI_FILES=$(find . -path "*/language/*/*.ini" -not -path "./.git/*" 2>/dev/null)
if [ -z "$INI_FILES" ]; then
echo "No .ini language files found"
[ "$ERRORS" -gt 0 ] && exit 1
exit 0
fi
echo "Found $(echo "$INI_FILES" | wc -l) language file(s)"
for FILE in $INI_FILES; do
FNAME=$(basename "$FILE")
LINENUM=0
SEEN_KEYS=""
while IFS= read -r line || [ -n "$line" ]; do
LINENUM=$((LINENUM + 1))
# Skip empty lines and comments
[ -z "$line" ] && continue
echo "$line" | grep -qE '^\s*;' && continue
echo "$line" | grep -qE '^\s*$' && continue
# Must match KEY="VALUE" format
if ! echo "$line" | grep -qE '^[A-Z_][A-Z0-9_]*=".*"$'; then
echo "::error file=${FILE},line=${LINENUM}::Malformed line: ${line}"
ERRORS=$((ERRORS + 1))
continue
fi
# Extract key and check for duplicates
KEY=$(echo "$line" | sed 's/=.*//')
if echo "$SEEN_KEYS" | grep -qx "$KEY"; then
echo "::error file=${FILE},line=${LINENUM}::Duplicate key: ${KEY}"
ERRORS=$((ERRORS + 1))
fi
SEEN_KEYS="${SEEN_KEYS}
${KEY}"
done < "$FILE"
echo " ${FILE}: checked ${LINENUM} lines"
done
# Cross-check en-GB vs en-US key consistency
GB_DIR=$(find . -path "*/language/en-GB" -type d -not -path "./.git/*" 2>/dev/null | head -1)
US_DIR=$(find . -path "*/language/en-US" -type d -not -path "./.git/*" 2>/dev/null | head -1)
if [ -n "$GB_DIR" ] && [ -n "$US_DIR" ]; then
for GB_FILE in "$GB_DIR"/*.ini; do
[ ! -f "$GB_FILE" ] && continue
FNAME=$(basename "$GB_FILE")
US_FILE="$US_DIR/$FNAME"
[ ! -f "$US_FILE" ] && continue
GB_KEYS=$(grep -oP '^[A-Z_][A-Z0-9_]*(?==)' "$GB_FILE" 2>/dev/null | sort)
US_KEYS=$(grep -oP '^[A-Z_][A-Z0-9_]*(?==)' "$US_FILE" 2>/dev/null | sort)
# Keys in en-GB but not en-US
MISSING_US=$(comm -23 <(echo "$GB_KEYS") <(echo "$US_KEYS"))
if [ -n "$MISSING_US" ]; then
echo "::warning::Keys in en-GB/$FNAME but missing from en-US/$FNAME:"
echo "$MISSING_US" | while read -r k; do echo " - $k"; done
WARNINGS=$((WARNINGS + 1))
fi
# Keys in en-US but not en-GB
MISSING_GB=$(comm -13 <(echo "$GB_KEYS") <(echo "$US_KEYS"))
if [ -n "$MISSING_GB" ]; then
echo "::warning::Keys in en-US/$FNAME but missing from en-GB/$FNAME:"
echo "$MISSING_GB" | while read -r k; do echo " - $k"; done
WARNINGS=$((WARNINGS + 1))
fi
done
fi
{
echo "### Language File Validation"
echo "| Metric | Count |"
echo "|---|---|"
echo "| Files checked | $(echo "$INI_FILES" | wc -l) |"
echo "| Errors | ${ERRORS} |"
echo "| Warnings | ${WARNINGS} |"
} >> $GITHUB_STEP_SUMMARY
if [ "$ERRORS" -gt 0 ]; then
echo "::error::Language validation failed with ${ERRORS} error(s)"
exit 1
fi
echo "Language files: OK (${WARNINGS} warning(s))"
- name: Check changelog has unreleased entry
run: |
if [ ! -f "CHANGELOG.md" ]; then
echo "::warning::No CHANGELOG.md found"
exit 0
fi
# Check for content under [Unreleased] section
if ! grep -q "## \[Unreleased\]" CHANGELOG.md; then
echo "::error::CHANGELOG.md missing [Unreleased] section"
exit 1
fi
# Check there's at least one entry (Added/Changed/Fixed/Removed) under Unreleased
UNRELEASED_CONTENT=$(sed -n '/## \[Unreleased\]/,/## \[/p' CHANGELOG.md | grep -cE '^\s*-\s' || true)
if [ "$UNRELEASED_CONTENT" -eq 0 ]; then
echo "::error::CHANGELOG.md [Unreleased] section has no entries. Add a changelog entry describing your changes."
echo "## Changelog Check: Failed" >> $GITHUB_STEP_SUMMARY
echo "The \`[Unreleased]\` section in CHANGELOG.md has no entries." >> $GITHUB_STEP_SUMMARY
echo "Add a line like \`- Description of your change\` under a heading (\`### Added\`, \`### Changed\`, \`### Fixed\`, etc.)" >> $GITHUB_STEP_SUMMARY
exit 1
fi
echo "Changelog: ${UNRELEASED_CONTENT} entry/entries in [Unreleased]"
- name: Verify package source
run: |
SOURCE_DIR="src"
[ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
if [ ! -d "$SOURCE_DIR" ]; then
echo "::warning::No src/ or htdocs/ directory"
exit 0
fi
FILE_COUNT=$(find "$SOURCE_DIR" -type f | wc -l)
echo "Source: ${FILE_COUNT} files"
[ "$FILE_COUNT" -gt 0 ] || { echo "::error::Source directory is empty"; exit 1; }
# ── Pre-Release RC Build ─────────────────────────────────────────────────
pre-release:
name: Build RC Package
runs-on: ubuntu-latest
needs: [branch-policy, validate]
steps:
- name: Trigger RC pre-release
env:
MOKOGIT_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
REPO: ${{ github.repository }}
BRANCH: ${{ github.head_ref }}
MOKOGIT_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
run: |
curl -s -X POST "${MOKOGIT_URL}/api/v1/repos/${REPO}/actions/workflows/pre-release.yml/dispatches" -H "Authorization: token ${MOKOGIT_TOKEN}" -H "Content-Type: application/json" -d "{\"ref\":\"${BRANCH}\",\"inputs\":{\"stability\":\"release-candidate\"}}"
echo "### Pre-Release" >> $GITHUB_STEP_SUMMARY
echo "Triggered RC build on branch \`${BRANCH}\`" >> $GITHUB_STEP_SUMMARY
# ── Issue Reporter ──────────────────────────────────────────────────────
report-issues:
name: Report Issues
needs: [branch-policy, validate]
if: >-
always() &&
needs.validate.result == 'failure'
uses: ./.mokogit/workflows/ci-issue-reporter.yml
with:
gate: "PR Validation"
workflow: "PR Check"
severity: error
details: "PR validation failed (syntax, manifest, changelog, or source checks). See the CI run for the specific check that failed."
secrets: inherit
+273
View File
@@ -0,0 +1,273 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: mokocli.Release
# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
# PATH: /templates/workflows/universal/pre-release.yml.template
# VERSION: 05.02.00
# BRIEF: Auto pre-release on push to dev/alpha/beta/rc branches
name: "Universal: Pre-Release"
on:
push:
branches:
- dev
- 'fix/**'
- 'patch/**'
- 'hotfix/**'
- 'bugfix/**'
- 'chore/**'
- alpha
- beta
- rc
workflow_dispatch:
inputs:
stability:
description: 'Pre-release channel'
required: true
type: choice
options:
- development
- alpha
- beta
- release-candidate
permissions:
contents: write
env:
GIT_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
GIT_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
GIT_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
jobs:
build:
name: "Build Pre-Release (${{ inputs.stability || github.ref_name }})"
runs-on: release
if: >-
github.event_name == 'workflow_dispatch' ||
github.event_name == 'push'
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.MOKOGIT_TOKEN }}
ref: ${{ github.ref_name }}
submodules: recursive
- name: Update submodules to main
run: |
git submodule foreach --quiet 'git checkout main && git pull --quiet origin main' 2>/dev/null || true
- name: Setup mokocli tools
env:
MOKO_CLONE_TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
run: |
# Use pre-installed /opt/mokocli if available (updated by cron every 6h)
if [ -f /opt/mokocli/cli/version_bump.php ] && [ -f /opt/mokocli/cli/manifest_element.php ] && [ -f /opt/mokocli/vendor/autoload.php ]; then
echo Using pre-installed /opt/mokocli
echo MOKO_CLI=/opt/mokocli/cli >> $GITHUB_ENV
else
echo Falling back to fresh clone
if ! command -v composer > /dev/null 2>&1; then
sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
fi
rm -rf /tmp/mokocli
CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokocli.git
git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokocli
cd /tmp/mokocli && composer install --no-dev --no-interaction --quiet
echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
fi
- name: Detect platform
id: platform
run: |
# Auto-detect and update platform if not set in manifest
php ${MOKO_CLI}/platform_detect.php --path . --github-output 2>/dev/null || true
php ${MOKO_CLI}/manifest_read.php --path . --github-output
- name: Check platform eligibility (Joomla only)
id: eligibility
run: |
PLATFORM="${{ steps.platform.outputs.platform }}"
if [[ "$PLATFORM" == joomla* ]] || [[ "$PLATFORM" == "joomla" ]]; then
echo "proceed=true" >> "$GITHUB_OUTPUT"
else
echo "proceed=false" >> "$GITHUB_OUTPUT"
echo "::notice::Platform '$PLATFORM' — non-Joomla, skipping pre-release auto-bump"
fi
- name: Resolve metadata and bump version
id: meta
if: steps.eligibility.outputs.proceed == 'true'
run: |
# Auto-detect stability from branch name on push, or use input on dispatch
if [ "${{ github.event_name }}" = "push" ]; then
case "${{ github.ref_name }}" in
rc) STABILITY="release-candidate" ;;
alpha) STABILITY="alpha" ;;
beta) STABILITY="beta" ;;
*) STABILITY="development" ;;
esac
else
STABILITY="${{ inputs.stability || 'development' }}"
fi
case "$STABILITY" in
development) SUFFIX="-dev"; TAG="development" ;;
alpha) SUFFIX="-alpha"; TAG="alpha" ;;
beta) SUFFIX="-beta"; TAG="beta" ;;
release-candidate) SUFFIX="-rc"; TAG="release-candidate" ;;
esac
# Bump version via CLI: patch for dev/alpha/beta, minor for RC
case "$STABILITY" in
release-candidate) BUMP="minor" ;;
*) BUMP="patch" ;;
esac
php ${MOKO_CLI}/version_bump.php --path . $([ "$BUMP" = "minor" ] && echo "--minor") 2>/dev/null || true
# Set stability suffix and verify consistency
VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "00.00.01")
VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
php ${MOKO_CLI}/version_set_platform.php \
--path . --version "$VERSION" --branch "${{ github.ref_name }}" --stability "$STABILITY" 2>/dev/null || true
php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
# Ensure licensing tags (updateservers, dlid) if enabled in manifest.xml
php ${MOKO_CLI}/manifest_licensing.php --path . --fix 2>/dev/null || true
# Append suffix for output
if [ -n "$SUFFIX" ]; then
VERSION="${VERSION}${SUFFIX}"
fi
# Commit version bump
git config --local user.email "mokogit-actions[bot]@mokoconsulting.tech"
git config --local user.name "mokogit-actions[bot]"
git remote set-url origin "https://x-access-token:${{ secrets.MOKOGIT_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
git add -A
git diff --cached --quiet || {
git commit -m "chore(version): pre-release bump to ${VERSION} [skip ci]"
git push origin HEAD 2>&1
}
# Auto-detect element via manifest_element.php
php ${MOKO_CLI}/manifest_element.php \
--path . --version "$VERSION" --stability "$STABILITY" \
--repo "${GIT_REPO}" --github-output
# Read back element outputs
EXT_ELEMENT=$(grep '^ext_element=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
ZIP_NAME=$(grep '^zip_name=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
[ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GIT_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
[ -z "$ZIP_NAME" ] && ZIP_NAME="${EXT_ELEMENT}-${VERSION}.zip"
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION}${SUFFIX} ==="
- name: Create release
id: release
if: steps.eligibility.outputs.proceed == 'true'
run: |
TAG="${{ steps.meta.outputs.tag }}"
VERSION="${{ steps.meta.outputs.version }}"
API_BASE="${GIT_URL}/api/v1/repos/${GIT_ORG}/${GIT_REPO}"
php ${MOKO_CLI}/release_create.php \
--path . --version "$VERSION" --tag "$TAG" \
--token "${{ secrets.MOKOGIT_TOKEN }}" --api-base "$API_BASE" \
--repo "${GIT_REPO}" --branch "${{ github.ref_name }}" --prerelease
- name: Update release notes from CHANGELOG.md
if: steps.eligibility.outputs.proceed == 'true'
run: |
TAG="${{ steps.meta.outputs.tag }}"
VERSION="${{ steps.meta.outputs.version }}"
API_BASE="${GIT_URL}/api/v1/repos/${GIT_ORG}/${GIT_REPO}"
# Extract [Unreleased] section from changelog (everything between [Unreleased] and next ## heading)
if [ -f "CHANGELOG.md" ]; then
NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
[ -z "$NOTES" ] && NOTES="Release ${VERSION}"
else
NOTES="Release ${VERSION}"
fi
# Update release body via API
RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGIT_TOKEN }}" \
"${API_BASE}/releases/tags/${TAG}" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
if [ -n "$RELEASE_ID" ]; then
python3 -c "
import json, urllib.request
body = open('/dev/stdin').read()
payload = json.dumps({'body': body}).encode()
req = urllib.request.Request(
'${API_BASE}/releases/${RELEASE_ID}',
data=payload, method='PATCH',
headers={
'Authorization': 'token ${{ secrets.MOKOGIT_TOKEN }}',
'Content-Type': 'application/json'
})
urllib.request.urlopen(req)
" <<< "$NOTES"
echo "Release notes updated from CHANGELOG.md"
fi
- name: Build package and upload
id: package
if: steps.eligibility.outputs.proceed == 'true'
run: |
VERSION="${{ steps.meta.outputs.version }}"
TAG="${{ steps.meta.outputs.tag }}"
API_BASE="${GIT_URL}/api/v1/repos/${GIT_ORG}/${GIT_REPO}"
php ${MOKO_CLI}/release_package.php \
--path . --version "$VERSION" --tag "$TAG" \
--token "${{ secrets.MOKOGIT_TOKEN }}" --api-base "$API_BASE" \
--repo "${GIT_REPO}" --output /tmp || true
# updates.xml is generated dynamically by MokoGIT license server
# No need to build, commit, or sync updates.xml from workflows
- name: "Delete lesser pre-release channels (cascade)"
if: steps.eligibility.outputs.proceed == 'true'
continue-on-error: true
run: |
API_BASE="${GIT_URL}/api/v1/repos/${GIT_ORG}/${GIT_REPO}"
TOKEN="${{ secrets.MOKOGIT_TOKEN }}"
php ${MOKO_CLI}/release_cascade.php \
--stability "${{ steps.meta.outputs.stability }}" \
--token "${TOKEN}" \
--api-base "${API_BASE}"
- name: Summary
if: always()
run: |
VERSION="${{ steps.meta.outputs.version }}"
STABILITY="${{ steps.meta.outputs.stability }}"
ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
SHA256="${{ steps.package.outputs.sha256_zip }}"
echo "## Pre-Release Complete" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
echo "| Channel | ${STABILITY} |" >> $GITHUB_STEP_SUMMARY
echo "| Package | \`${ZIP_NAME}\` |" >> $GITHUB_STEP_SUMMARY
echo "| SHA-256 | \`${SHA256:-n/a}\` |" >> $GITHUB_STEP_SUMMARY
+71
View File
@@ -0,0 +1,71 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: mokocli.Universal
# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
# PATH: /.mokogit/workflows/rc-revert.yml
# VERSION: 09.23.00
# BRIEF: Rename rc/ branch back to dev/ when PR is closed without merge
name: "RC Revert"
on:
pull_request:
types: [closed]
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
revert:
name: Rename rc/ back to dev/
runs-on: ubuntu-latest
if: >-
github.event.pull_request.merged == false &&
startsWith(github.event.pull_request.head.ref, 'rc/')
steps:
- name: Rename branch
env:
BRANCH: ${{ github.event.pull_request.head.ref }}
REPO: ${{ github.repository }}
GIT_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
TOKEN: ${{ secrets.MOKOGIT_TOKEN }}
run: |
set -euo pipefail
# BRANCH is attacker-controlled (PR head ref). Strict allowlist before ANY use.
if ! printf '%s' "$BRANCH" | grep -Eq '^rc/[A-Za-z0-9._/-]+$'; then
echo "::error::Refusing unsafe branch name: $BRANCH"; exit 1
fi
SUFFIX="${BRANCH#rc/}"
DEV_BRANCH="dev/${SUFFIX}"
API="${GIT_URL}/api/v1/repos/${REPO}/branches"
# Create dev/ branch from rc/ branch
STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X POST \
-H "Authorization: token ${TOKEN}" \
-H "Content-Type: application/json" \
-d "{\"new_branch_name\": \"${DEV_BRANCH}\", \"old_branch_name\": \"${BRANCH}\"}" \
"${API}" 2>/dev/null || true)
if [ "$STATUS" = "201" ]; then
echo "Created branch: ${DEV_BRANCH}" >> "$GITHUB_STEP_SUMMARY"
else
echo "::error::Failed to create ${DEV_BRANCH} from ${BRANCH} (HTTP ${STATUS})"; exit 1
fi
# Read BRANCH from the environment inside PHP (getenv, no string interpolation -> no PHP injection)
ENCODED=$(php -r 'echo rawurlencode(getenv("BRANCH"));')
STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
-H "Authorization: token ${TOKEN}" \
"${API}/${ENCODED}" 2>/dev/null || true)
if [ "$STATUS" = "204" ]; then
echo "Deleted branch: ${BRANCH}" >> "$GITHUB_STEP_SUMMARY"
else
echo "::warning::Failed to delete ${BRANCH} (HTTP ${STATUS})"
fi
echo "### RC Reverted" >> "$GITHUB_STEP_SUMMARY"
echo "${BRANCH} → ${DEV_BRANCH}" >> "$GITHUB_STEP_SUMMARY"
+700
View File
@@ -0,0 +1,700 @@
# ============================================================================
# Copyright (C) 2025 Moko Consulting <hello@mokoconsulting.tech>
#
# This file is part of a Moko Consulting project.
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow
# INGROUP: mokocli.Validation
# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/mokocli
# PATH: /templates/workflows/joomla/repo_health.yml.template
# VERSION: 09.23.00
# BRIEF: Enforces repository guardrails by validating scripts governance, tooling availability, and core repository health artifacts.
# ============================================================================
name: "Generic: Repo Health"
defaults:
run:
shell: bash
on:
workflow_dispatch:
inputs:
profile:
description: 'Validation profile: all, scripts, or repo'
required: true
default: all
type: choice
options:
- all
- scripts
- repo
pull_request:
branches:
- main
permissions:
contents: read
env:
# Scripts governance policy
SCRIPTS_REQUIRED_DIRS:
SCRIPTS_ALLOWED_DIRS: scripts,scripts/fix,scripts/lib,scripts/release,scripts/run,scripts/validate
# Repo health policy
REPO_REQUIRED_ARTIFACTS: README.md,LICENSE,CHANGELOG.md,CONTRIBUTING.md,CODE_OF_CONDUCT.md,.mokogit/workflows/
REPO_OPTIONAL_FILES: SECURITY.md,GOVERNANCE.md,.editorconfig,.gitattributes,.gitignore,README.md,docs/
REPO_DISALLOWED_DIRS:
REPO_DISALLOWED_FILES: TODO.md,todo.md
# Extended checks toggles
EXTENDED_CHECKS: "true"
# File / directory variables
DOCS_INDEX: docs/docs-index.md
SCRIPT_DIR: scripts
WORKFLOWS_DIR: .mokogit/workflows
SHELLCHECK_PATTERN: '*.sh'
SPDX_FILE_GLOBS: '*.sh,*.php,*.js,*.ts,*.css,*.xml,*.yml,*.yaml'
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
access_check:
name: Access control
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: read
outputs:
allowed: ${{ steps.perm.outputs.allowed }}
permission: ${{ steps.perm.outputs.permission }}
steps:
- name: Check actor permission (admin only)
id: perm
env:
TOKEN: ${{ secrets.MOKOGIT_TOKEN || github.token }}
REPO: ${{ github.repository }}
ACTOR: ${{ github.actor }}
run: |
set -euo pipefail
ALLOWED=false
PERMISSION=unknown
METHOD=""
# Hardcoded authorized users — always allowed
case "$ACTOR" in
jmiller|mokogit-actions[bot])
ALLOWED=true
PERMISSION=admin
METHOD="hardcoded allowlist"
;;
*)
# Detect platform and check permissions via API
API_BASE="${GITHUB_API_URL:-${GIT_API_URL:-https://api.github.com}}"
RESP=$(curl -sf -H "Authorization: token ${TOKEN}" \
"${API_BASE}/repos/${REPO}/collaborators/${ACTOR}/permission" 2>/dev/null || echo '{}')
PERMISSION=$(echo "$RESP" | grep -oP '"permission"\s*:\s*"\K[^"]+' || echo "unknown")
if [ "$PERMISSION" = "admin" ] || [ "$PERMISSION" = "maintain" ] || [ "$PERMISSION" = "owner" ]; then
ALLOWED=true
fi
METHOD="collaborator API"
;;
esac
echo "permission=${PERMISSION}" >> "$GITHUB_OUTPUT"
echo "allowed=${ALLOWED}" >> "$GITHUB_OUTPUT"
{
echo "## Access Authorization"
echo ""
echo "| Field | Value |"
echo "|-------|-------|"
echo "| **Actor** | \`${ACTOR}\` |"
echo "| **Repository** | \`${REPO}\` |"
echo "| **Permission** | \`${PERMISSION}\` |"
echo "| **Method** | ${METHOD} |"
echo "| **Authorized** | ${ALLOWED} |"
echo ""
if [ "$ALLOWED" = "true" ]; then
echo "${ACTOR} authorized (${METHOD})"
else
echo "${ACTOR} is NOT authorized. Requires admin or maintain role."
fi
} >> "${GITHUB_STEP_SUMMARY}"
- name: Deny execution when not permitted
if: ${{ steps.perm.outputs.allowed != 'true' }}
run: |
set -euo pipefail
printf '%s\n' 'ERROR: Access denied. Admin permission required.' >> "${GITHUB_STEP_SUMMARY}"
exit 1
scripts_governance:
name: Scripts governance
needs: access_check
if: ${{ needs.access_check.outputs.allowed == 'true' }}
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
- name: Scripts folder checks
env:
PROFILE_RAW: ${{ github.event.inputs.profile }}
run: |
set -euo pipefail
profile="${PROFILE_RAW:-all}"
case "${profile}" in
all|scripts|repo) ;;
*)
printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
exit 1
;;
esac
if [ "${profile}" = 'repo' ]; then
{
printf '%s\n' '### Scripts governance'
printf '%s\n' "Profile: ${profile}"
printf '%s\n' 'Status: SKIPPED'
printf '%s\n' 'Reason: profile excludes scripts governance'
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
exit 0
fi
if [ ! -d "${SCRIPT_DIR}" ]; then
{
printf '%s\n' '### Scripts governance'
printf '%s\n' 'Status: OK (advisory)'
printf '%s\n' 'scripts/ directory not present. No scripts governance enforced.'
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
exit 0
fi
if [ -n "${SCRIPTS_REQUIRED_DIRS:-}" ]; then IFS=',' read -r -a required_dirs <<< "${SCRIPTS_REQUIRED_DIRS}"; else required_dirs=(); fi
IFS=',' read -r -a allowed_dirs <<< "${SCRIPTS_ALLOWED_DIRS}"
missing_dirs=()
unapproved_dirs=()
for d in "${required_dirs[@]}"; do
req="${d%/}"
[ ! -d "${req}" ] && missing_dirs+=("${req}/")
done
while IFS= read -r d; do
allowed=false
for a in "${allowed_dirs[@]}"; do
a_norm="${a%/}"
[ "${d%/}" = "${a_norm}" ] && allowed=true
done
[ "${allowed}" = false ] && unapproved_dirs+=("${d%/}/")
done < <(find "${SCRIPT_DIR}" -maxdepth 1 -mindepth 1 -type d 2>/dev/null | sed 's#^\./##')
{
printf '%s\n' '### Scripts governance'
printf '%s\n' "Profile: ${profile}"
printf '%s\n' '| Area | Status | Notes |'
printf '%s\n' '|---|---|---|'
if [ "${#missing_dirs[@]}" -gt 0 ]; then
printf '%s\n' '| Required directories | Warning | Missing required subfolders |'
else
printf '%s\n' '| Required directories | OK | All required subfolders present |'
fi
if [ "${#unapproved_dirs[@]}" -gt 0 ]; then
printf '%s\n' '| Directory policy | Warning | Unapproved directories detected |'
else
printf '%s\n' '| Directory policy | OK | No unapproved directories |'
fi
printf '%s\n' '| Enforcement mode | Advisory | scripts folder is optional |'
printf '\n'
if [ "${#missing_dirs[@]}" -gt 0 ]; then
printf '%s\n' 'Missing required script directories:'
for m in "${missing_dirs[@]}"; do printf '%s\n' "- ${m}"; done
printf '\n'
else
printf '%s\n' 'Missing required script directories: none.'
printf '\n'
fi
if [ "${#unapproved_dirs[@]}" -gt 0 ]; then
printf '%s\n' 'Unapproved script directories detected:'
for m in "${unapproved_dirs[@]}"; do printf '%s\n' "- ${m}"; done
printf '\n'
else
printf '%s\n' 'Unapproved script directories detected: none.'
printf '\n'
fi
printf '%s\n' 'Scripts governance completed in advisory mode.'
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
repo_health:
name: Repository health
needs: access_check
if: ${{ needs.access_check.outputs.allowed == 'true' }}
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
- name: Repository health checks
env:
PROFILE_RAW: ${{ github.event.inputs.profile }}
run: |
set -euo pipefail
profile="${PROFILE_RAW:-all}"
case "${profile}" in
all|scripts|repo) ;;
*)
printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
exit 1
;;
esac
if [ "${profile}" = 'scripts' ]; then
{
printf '%s\n' '### Repository health'
printf '%s\n' "Profile: ${profile}"
printf '%s\n' 'Status: SKIPPED'
printf '%s\n' 'Reason: profile excludes repository health'
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
exit 0
fi
IFS=',' read -r -a required_artifacts <<< "${REPO_REQUIRED_ARTIFACTS}"
IFS=',' read -r -a optional_files <<< "${REPO_OPTIONAL_FILES}"
if [ -n "${REPO_DISALLOWED_DIRS:-}" ]; then IFS=',' read -r -a disallowed_dirs <<< "${REPO_DISALLOWED_DIRS}"; else disallowed_dirs=(); fi
IFS=',' read -r -a disallowed_files <<< "${REPO_DISALLOWED_FILES:-}"
missing_required=()
missing_optional=()
# Source directory: src/ or htdocs/ (either is valid for extension repos)
SOURCE_DIR=""
if [ -d "src" ]; then
SOURCE_DIR="src"
elif [ -d "htdocs" ]; then
SOURCE_DIR="htdocs"
elif [ -d "deploy" ] || [ -d "cli" ] || [ -d "monitoring" ]; then
# Platform/tooling repos don't need src/
SOURCE_DIR=""
else
missing_required+=("src/ or htdocs/ (source directory required)")
fi
for item in "${required_artifacts[@]}"; do
if printf '%s' "${item}" | grep -q '/$'; then
d="${item%/}"
[ ! -d "${d}" ] && missing_required+=("${item}")
else
[ ! -f "${item}" ] && missing_required+=("${item}")
fi
done
for f in "${optional_files[@]}"; do
if printf '%s' "${f}" | grep -q '/$'; then
d="${f%/}"
[ ! -d "${d}" ] && missing_optional+=("${f}")
else
[ ! -f "${f}" ] && missing_optional+=("${f}")
fi
done
for d in "${disallowed_dirs[@]}"; do
d_norm="${d%/}"
[ -d "${d_norm}" ] && missing_required+=("${d_norm}/ (disallowed)")
done
for f in "${disallowed_files[@]}"; do
[ -f "${f}" ] && missing_required+=("${f} (disallowed)")
done
git fetch origin --prune
dev_paths=()
dev_branches=()
while IFS= read -r b; do
name="${b#origin/}"
if [ "${name}" = 'dev' ]; then
dev_branches+=("${name}")
else
dev_paths+=("${name}")
fi
done < <(git branch -r --list 'origin/dev*' | sed 's/^ *//')
if [ "${#dev_paths[@]}" -eq 0 ] && [ "${#dev_branches[@]}" -eq 0 ]; then
missing_required+=("dev or dev/* branch")
fi
content_warnings=()
if [ -f 'CHANGELOG.md' ] && ! grep -Eq '^# Changelog' CHANGELOG.md; then
content_warnings+=("CHANGELOG.md missing '# Changelog' header")
fi
if [ -f 'CHANGELOG.md' ] && grep -Eq '^[# ]*Unreleased' CHANGELOG.md; then
content_warnings+=("CHANGELOG.md contains Unreleased section (review release readiness)")
fi
if [ -f 'LICENSE' ] && ! grep -qiE 'GNU GENERAL PUBLIC LICENSE|GPL' LICENSE; then
content_warnings+=("LICENSE does not look like a GPL text")
fi
if [ -f 'README.md' ] && ! grep -qiE 'moko|Moko' README.md; then
content_warnings+=("README.md missing expected brand keyword")
fi
export PROFILE_RAW="${profile}"
export MISSING_REQUIRED="$(printf '%s\n' "${missing_required[@]:-}")"
export MISSING_OPTIONAL="$(printf '%s\n' "${missing_optional[@]:-}")"
export CONTENT_WARNINGS="$(printf '%s\n' "${content_warnings[@]:-}")"
report_json=$(printf '{"profile":"%s","missing_required":%d,"missing_optional":%d,"content_warnings":%d}' "$profile" "${#missing_required[@]}" "${#missing_optional[@]}" "${#content_warnings[@]}")
{
printf '%s\n' '### Repository health'
printf '%s\n' "Profile: ${profile}"
printf '%s\n' '| Metric | Value |'
printf '%s\n' '|---|---|'
printf '%s\n' "| Missing required | ${#missing_required[@]} |"
printf '%s\n' "| Missing optional | ${#missing_optional[@]} |"
printf '%s\n' "| Content warnings | ${#content_warnings[@]} |"
printf '\n'
printf '%s\n' '### Guardrails report (JSON)'
printf '%s\n' '```json'
printf '%s\n' "${report_json}"
printf '%s\n' '```'
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
if [ "${#missing_required[@]}" -gt 0 ]; then
{
printf '%s\n' '### Missing required repo artifacts'
for m in "${missing_required[@]}"; do printf '%s\n' "- ${m}"; done
printf '%s\n' 'ERROR: Guardrails failed. Missing required repository artifacts.'
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
exit 1
fi
if [ "${#missing_optional[@]}" -gt 0 ]; then
{
printf '%s\n' '### Missing optional repo artifacts'
for m in "${missing_optional[@]}"; do printf '%s\n' "- ${m}"; done
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
fi
if [ "${#content_warnings[@]}" -gt 0 ]; then
{
printf '%s\n' '### Repo content warnings'
for m in "${content_warnings[@]}"; do printf '%s\n' "- ${m}"; done
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
fi
# -- Joomla-specific checks --
joomla_findings=()
MANIFEST="$(find . -maxdepth 2 -name '*.xml' -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)"
if [ -z "${MANIFEST}" ]; then
joomla_findings+=("Joomla XML manifest not found (no *.xml with <extension> tag)")
else
if ! grep -qP '<version>' "${MANIFEST}"; then
joomla_findings+=("XML manifest: <version> tag missing")
fi
if ! grep -qP 'type="(component|module|plugin|library|package|template|language)"' "${MANIFEST}"; then
joomla_findings+=("XML manifest: type attribute missing or invalid")
fi
if ! grep -qP '<name>' "${MANIFEST}"; then
joomla_findings+=("XML manifest: <name> tag missing")
fi
if ! grep -qP '<author>' "${MANIFEST}"; then
joomla_findings+=("XML manifest: <author> tag missing")
fi
if ! grep -qP '<namespace' "${MANIFEST}"; then
joomla_findings+=("XML manifest: <namespace> missing (required for Joomla 5+)")
fi
fi
INI_COUNT="$(find . -name '*.ini' -type f 2>/dev/null | wc -l)"
if [ "${INI_COUNT}" -eq 0 ]; then
joomla_findings+=("No .ini language files found")
fi
if [ ! -f 'updates.xml' ]; then
joomla_findings+=("updates.xml missing in root (required for Joomla update server)")
fi
if [ -n "${SOURCE_DIR}" ]; then
INDEX_DIRS=("${SOURCE_DIR}" "${SOURCE_DIR}/admin" "${SOURCE_DIR}/site")
for dir in "${INDEX_DIRS[@]}"; do
if [ -d "${dir}" ] && [ ! -f "${dir}/index.html" ]; then
joomla_findings+=("${dir}/index.html missing (directory listing protection)")
fi
done
fi
if [ "${#joomla_findings[@]}" -gt 0 ]; then
{
printf '%s\n' '### Joomla extension checks'
printf '%s\n' '| Check | Status |'
printf '%s\n' '|---|---|'
for f in "${joomla_findings[@]}"; do
printf '%s\n' "| ${f} | Warning |"
done
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
else
{
printf '%s\n' '### Joomla extension checks'
printf '%s\n' 'All Joomla-specific checks passed.'
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
fi
extended_enabled="${EXTENDED_CHECKS:-true}"
extended_findings=()
if [ "${extended_enabled}" = 'true' ]; then
if [ -f '.github/CODEOWNERS' ] || [ -f 'CODEOWNERS' ] || [ -f 'docs/CODEOWNERS' ]; then
:
else
extended_findings+=("CODEOWNERS not found (.github/CODEOWNERS preferred)")
fi
if ls "${WORKFLOWS_DIR}"/*.yml >/dev/null 2>&1 || ls "${WORKFLOWS_DIR}"/*.yaml >/dev/null 2>&1; then
bad_refs="$(grep -RIn --include='*.yml' --include='*.yaml' -E '^[[:space:]]*uses:[[:space:]]*[^#]+@(main|master)\b' "${WORKFLOWS_DIR}" 2>/dev/null || true)"
if [ -n "${bad_refs}" ]; then
extended_findings+=("Workflows reference actions @main/@master (pin versions): see log excerpt")
{
printf '%s\n' '### Workflow pinning advisory'
printf '%s\n' 'Found uses: entries pinned to main/master:'
printf '%s\n' '```'
printf '%s\n' "${bad_refs}"
printf '%s\n' '```'
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
fi
fi
if [ -f "${DOCS_INDEX}" ]; then
missing_links=""
while IFS= read -r docline; do
for link in $(echo "$docline" | grep -oE '\]\([^)]+\)' | sed 's/\](//' | sed 's/)$//' || true); do
case "$link" in http://*|https://*|"#"*|mailto:*) continue ;; esac
linkpath="${link%%#*}"
linkpath="${linkpath%%\?*}"
[ -z "$linkpath" ] && continue
if [ "${linkpath:0:1}" = "/" ]; then
testpath="${linkpath#/}"
else
testpath="$(dirname "${DOCS_INDEX}")/${linkpath}"
fi
[ ! -e "$testpath" ] && missing_links="${missing_links}${testpath} "
done
done < "${DOCS_INDEX}"
if [ -n "${missing_links}" ]; then
extended_findings+=("docs/docs-index.md contains broken relative links")
{
printf '%s\n' '### Docs index link integrity'
printf '%s\n' 'Broken relative links:'
for bl in ${missing_links}; do
printf '%s\n' "- ${bl}"
done
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
fi
fi
if [ -d "${SCRIPT_DIR}" ]; then
if ! command -v shellcheck >/dev/null 2>&1; then
sudo apt-get update -qq
sudo apt-get install -y shellcheck >/dev/null
fi
sc_out=''
while IFS= read -r shf; do
[ -z "${shf}" ] && continue
out_one="$(shellcheck -S warning -x "${shf}" 2>/dev/null || true)"
if [ -n "${out_one}" ]; then
sc_out="${sc_out}${out_one}\n"
fi
done < <(find "${SCRIPT_DIR}" -type f -name "${SHELLCHECK_PATTERN}" 2>/dev/null | sort)
if [ -n "${sc_out}" ]; then
extended_findings+=("ShellCheck warnings detected (advisory)")
sc_head="$(printf '%s' "${sc_out}" | head -n 200)"
{
printf '%s\n' '### ShellCheck (advisory)'
printf '%s\n' '```'
printf '%s\n' "${sc_head}"
printf '%s\n' '```'
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
fi
fi
spdx_missing=()
IFS=',' read -r -a spdx_globs <<< "${SPDX_FILE_GLOBS}"
spdx_args=()
for g in "${spdx_globs[@]}"; do spdx_args+=("${g}"); done
while IFS= read -r f; do
[ -z "${f}" ] && continue
if ! head -n 40 "${f}" | grep -q 'SPDX-License-Identifier:'; then
spdx_missing+=("${f}")
fi
done < <(git ls-files "${spdx_args[@]}" 2>/dev/null || true)
if [ "${#spdx_missing[@]}" -gt 0 ]; then
extended_findings+=("SPDX header missing in some tracked files (advisory)")
{
printf '%s\n' '### SPDX header advisory'
printf '%s\n' 'Files missing SPDX-License-Identifier (first 40 lines scan):'
for f in "${spdx_missing[@]}"; do printf '%s\n' "- ${f}"; done
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
fi
stale_cutoff_days=180
stale_branches="$(git for-each-ref --format='%(refname:short) %(committerdate:unix)' refs/remotes/origin 2>/dev/null | awk -v now="$(date +%s)" -v days="${stale_cutoff_days}" '{if (now-$2 > days*86400) print $1}' | head -50)"
if [ -n "${stale_branches}" ]; then
extended_findings+=("Stale remote branches detected (advisory)")
{
printf '%s\n' '### Git hygiene advisory'
printf '%s\n' "Branches with last commit older than ${stale_cutoff_days} days (sample up to 50):"
while IFS= read -r b; do [ -n "${b}" ] && printf '%s\n' "- ${b}"; done <<< "${stale_branches}"
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
fi
fi
{
printf '%s\n' '### Guardrails coverage matrix'
printf '%s\n' '| Domain | Status | Notes |'
printf '%s\n' '|---|---|---|'
printf '%s\n' '| Access control | OK | Admin-only execution gate |'
printf '%s\n' '| Release policy | N/A | Releases handled by MokoGIT |'
printf '%s\n' '| Scripts governance | OK | Directory policy and advisory reporting |'
printf '%s\n' '| Repo required artifacts | OK | Required, optional, disallowed enforcement |'
printf '%s\n' '| Repo content heuristics | OK | Brand, license, changelog structure |'
if [ "${extended_enabled}" = 'true' ]; then
if [ "${#extended_findings[@]}" -gt 0 ]; then
printf '%s\n' '| Extended checks | Warning | See extended findings below |'
else
printf '%s\n' '| Extended checks | OK | No findings |'
fi
else
printf '%s\n' '| Extended checks | SKIPPED | EXTENDED_CHECKS disabled |'
fi
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
if [ "${extended_enabled}" = 'true' ] && [ "${#extended_findings[@]}" -gt 0 ]; then
{
printf '%s\n' '### Extended findings (advisory)'
for f in "${extended_findings[@]}"; do printf '%s\n' "- ${f}"; done
printf '\n'
} >> "${GITHUB_STEP_SUMMARY}"
fi
printf '%s\n' 'Repository health guardrails passed.' >> "${GITHUB_STEP_SUMMARY}"
site-health:
name: Site Health
runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch'
steps:
- uses: actions/checkout@v4
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: '8.3'
- name: Uptime check
if: env.URLS != ''
run: |
echo "$URLS" > /tmp/urls.txt
php monitoring/uptime-probe.php --urls /tmp/urls.txt --timeout 15 || echo "::warning::Some sites are down"
rm -f /tmp/urls.txt
env:
URLS: ${{ vars.MONITORED_URLS }}
- name: SSL certificate check
if: env.DOMAINS != ''
run: |
echo "$DOMAINS" > /tmp/domains.txt
php monitoring/ssl-check.php --domains /tmp/domains.txt --warn-days 30 || echo "::warning::SSL certificates expiring soon"
rm -f /tmp/domains.txt
env:
DOMAINS: ${{ vars.MONITORED_DOMAINS }}
- name: Summary
if: always()
run: |
echo "### Site Health" >> $GITHUB_STEP_SUMMARY
echo "Uptime and SSL checks completed." >> $GITHUB_STEP_SUMMARY
# ═══════════════════════════════════════════════════════════════════════
# Issue Reporter — file issues for failed gates
# ═══════════════════════════════════════════════════════════════════════
report-scripts:
name: "Report: Scripts Governance"
needs: [access_check, scripts_governance]
if: >-
always() &&
needs.scripts_governance.result == 'failure'
uses: ./.mokogit/workflows/ci-issue-reporter.yml
with:
gate: "Scripts Governance"
workflow: "Repo Health"
severity: error
details: "Scripts directory policy violations detected. Review required and allowed directories."
secrets: inherit
report-health:
name: "Report: Repository Health"
needs: [access_check, repo_health]
if: >-
always() &&
needs.repo_health.result == 'failure'
uses: ./.mokogit/workflows/ci-issue-reporter.yml
with:
gate: "Repository Health"
workflow: "Repo Health"
severity: error
details: "Repository health checks failed — missing required artifacts, disallowed files, or content warnings. Check the CI run summary."
secrets: inherit
File diff suppressed because it is too large Load Diff
+130
View File
@@ -0,0 +1,130 @@
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
#
# SPDX-License-Identifier: GPL-3.0-or-later
#
# FILE INFORMATION
# DEFGROUP: MokoGIT.Workflow.Template
# INGROUP: MokoStandards.CI
# REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-Joomla
# PATH: /.mokogit/workflows/version-set.yml
# VERSION: 01.00.00
# BRIEF: Set or reset the extension version across all version-bearing files
name: "Joomla: Set Version"
on:
workflow_dispatch:
inputs:
version:
description: "Version number (e.g. 01.00.00)"
required: true
type: string
branch:
description: "Branch to update (default: current)"
required: false
type: string
permissions:
contents: write
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
set-version:
name: Set Version to ${{ inputs.version }}
runs-on: ubuntu-latest
steps:
- name: Validate version format
run: |
VERSION="${{ inputs.version }}"
if ! echo "$VERSION" | grep -qP '^\d{2}\.\d{2}\.\d{2}$'; then
echo "::error::Invalid version format '${VERSION}' — expected XX.YY.ZZ (e.g. 01.00.00)"
exit 1
fi
echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
- name: Checkout
uses: actions/checkout@v4
with:
token: ${{ secrets.MOKOGIT_TOKEN || github.token }}
ref: ${{ inputs.branch || github.ref }}
fetch-depth: 1
- name: Update manifest version
run: |
MANIFEST=""
for XML_FILE in $(find . -maxdepth 3 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
MANIFEST="$XML_FILE"
break
fi
done
if [ -z "$MANIFEST" ]; then
echo "::warning::No Joomla extension manifest found — skipping manifest update"
else
OLD_VER=$(grep -oP '<version>\K[^<]+' "$MANIFEST" | head -1)
sed -i "s|<version>${OLD_VER}</version>|<version>${VERSION}</version>|" "$MANIFEST"
echo "Manifest: ${OLD_VER} → ${VERSION} (${MANIFEST})"
fi
- name: Update README.md version
run: |
if [ -f "README.md" ]; then
if grep -qP '^\s*VERSION:\s*\d' README.md; then
sed -i -E "s/(VERSION:\s*)[0-9]{2}\.[0-9]{2}\.[0-9]{2}/\1${VERSION}/" README.md
echo "README.md version updated to ${VERSION}"
else
echo "::warning::No VERSION line found in README.md — skipping"
fi
fi
- name: Update CHANGELOG.md
run: |
if [ -f "CHANGELOG.md" ]; then
DATE=$(date +%Y-%m-%d)
# Check if this version already has an entry
if grep -q "^\#\# \[${VERSION}\]" CHANGELOG.md; then
echo "CHANGELOG.md already has entry for ${VERSION} — skipping"
else
# Insert new version entry after [Unreleased] or at the top after header
if grep -q '^\#\# \[Unreleased\]' CHANGELOG.md; then
sed -i "/^\#\# \[Unreleased\]/a\\\\n## [${VERSION}] --- ${DATE}" CHANGELOG.md
else
sed -i "/^\# Changelog/a\\\\n## [Unreleased]\n\n## [${VERSION}] --- ${DATE}" CHANGELOG.md
fi
echo "CHANGELOG.md: added entry for ${VERSION}"
fi
else
echo "::warning::No CHANGELOG.md found — skipping"
fi
- name: Update FILE INFORMATION blocks
run: |
# Update VERSION in file header blocks (# VERSION: XX.YY.ZZ)
find . -maxdepth 1 -type f \( -name "*.yml" -o -name "*.yaml" -o -name "*.php" -o -name "*.md" \) \
-not -path "./.git/*" -not -path "./vendor/*" -print0 2>/dev/null | \
while IFS= read -r -d '' FILE; do
if head -20 "$FILE" | grep -qP '^\s*#?\s*VERSION:\s*\d{2}\.\d{2}\.\d{2}'; then
sed -i -E "s/(#?\s*VERSION:\s*)[0-9]{2}\.[0-9]{2}\.[0-9]{2}/\1${VERSION}/" "$FILE"
echo "Updated FILE INFORMATION VERSION in ${FILE}"
fi
done
- name: Commit and push
run: |
git config user.name "Moko Consulting [bot]"
git config user.email "hello@mokoconsulting.tech"
git add -A
if git diff --cached --quiet; then
echo "No version changes detected — nothing to commit"
else
git commit -m "chore: set version to ${VERSION} [skip bump]
Authored-by: Moko Consulting"
git push
echo "### Version Set" >> $GITHUB_STEP_SUMMARY
echo "Version updated to \`${VERSION}\` on branch \`${GITHUB_REF_NAME}\`" >> $GITHUB_STEP_SUMMARY
fi
+8
View File
@@ -2,10 +2,18 @@
## [Unreleased]
### Fixed
- **Actions: `.mokogit/workflows` custom-path detection restored** — `WorkflowDirs` now scans `.mokogit/workflows`; the legacy `.mokogitea/workflows` is fully retired. Workflow indexing, push-triggered CI/deploys, and `workflow_dispatch` work again (#798)
- **Issue custom-status dropdown shows its options again** — the status `<select>` carried the `ui compact dropdown` class, so fomantic turned it into an overlay menu that painted behind the page content (options were present in the DOM but invisible); it is now a plain native `<select>` with its inline styles moved to a stylesheet (`web_src/css/repo/issue-status.css`)
- Restored the repo's `.mokogit/workflows/` (deploy + org CI, ~20 workflows) from Template-Go after the workflow sync had dropped them
### Changed
- Adopt MokoOrgStandards `xx.xx.xx` versioning: the app version now comes from a committed `VERSION` file (`01.00.00`), so the binary reports the MokoGIT version instead of the leaked upstream Gitea `1.24.0+dev-N-ghash`; the upstream update-checker is disabled by default
- **Rebrand: MokoGitea → MokoGIT (complete retirement of the MokoGitea name).** Go module path `code.mokoconsulting.tech/MokoConsulting/MokoGitea``.../MokoGIT` (all imports + `go.mod`); default app name `MokoGitea``MokoGIT`; the in-repo config directory and the special org profile/wiki repo names `.mokogitea` / `.mokogitea-private``.mokogit` / `.mokogit-private`; the Actions system user `mokogitea-actions``mokogit-actions` (DB migration #369); Docker image, ntfy topic, mail tags, and remaining lowercase `mokogitea` references → `mokogit`; bundled the Moko `favicon.svg` as the app icon and PWA manifest icon. Shared `MOKOGITEA_*` CI/compose env-var and org-secret names are renamed in the coordinated server cutover (not in this repo change) to avoid breaking cross-repo CI mid-transition.
### Added
- **Org internal wiki merge** — the organization Overview renders the org's internal wiki landing page (from the `.mokogit` public / `.mokogit-private` members-only repo wiki, resolved `home``index``readme``profile`) instead of a separate profile README, with a safe fallback to the legacy README; the per-repo Wiki tab is hidden for the `.mokogit` / `.mokogit-private` profile repos since their wiki now surfaces as the Overview; the org-settings "Internal wiki" control is relabeled to `.mokogit` / `.mokogit-private`
- Staged `.vault` git-stack deploy compose under `deploy/git/{prod,rc,dev}/` (per-tier `docker-compose.yml` + `VERSION` + `.env.example`; every secret externalized as `${VAR}`), ready to drop into the `.vault` hub
- Metadata platform options are now **admin-configurable** instead of hardcoded: a new **Admin → Metadata** page edits the allowed `platform` values (persisted to `app.ini` `[metadata] PLATFORM_OPTIONS`, default `joomla,dolibarr,go,npm,generic`), and the repo Settings → Metadata platform dropdown reads from it. Changing the taxonomy no longer needs a code change/redeploy. A repo's existing platform value stays selectable even if later removed from the list (#777)
- Org branch protection: repositories now show the inherited organization rules read-only in their Branch Protection settings, with an expandable detail (direct push, force-push, branch deletion, merge restrictions, required approvals, status checks, protected files, and whitelisted teams) — like GitHub surfaces org rulesets in a repo (#727)
- Org branch protection: org-level rules can now also protect against branch deletion (`enable_delete` + delete allowlist teams), mirroring the per-repo delete allowlist (#727)
+11
View File
@@ -37,6 +37,17 @@ See the [org wiki](https://git.mokoconsulting.tech/MokoConsulting/.mokogit/wiki/
This project is licensed under the GNU General Public License v3.0 or later -- see the [LICENSE](LICENSE) file.
## Third-Party & Vendored Assets
MokoGIT bundles third-party assets under their own licenses. Full attribution and
license texts are in [THIRD-PARTY-NOTICES.md](THIRD-PARTY-NOTICES.md) and travel with
every distribution and white-labeled build.
- **[Font Awesome Free 7.1.0](https://fontawesome.com)** -- (c) 2025 Fonticons, Inc.
Icons under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/), fonts under
[SIL OFL 1.1](https://scripts.sil.org/OFL), code under [MIT](https://opensource.org/licenses/MIT).
Vendored unmodified at `web_src/css/vendor/fontawesome/` (see its `LICENSE.txt`).
---
*[Moko Consulting](https://mokoconsulting.tech)*
+40
View File
@@ -0,0 +1,40 @@
<!--
SPDX-License-Identifier: MIT
This file lists third-party assets vendored into MokoGIT and the attribution
required by their licenses. It is intended to travel with every distribution and
white-labeled build. Do not remove third-party attribution when rebranding.
-->
# Third-Party Notices
MokoGIT bundles the third-party assets listed below. Each is redistributed under
its own license; the required attribution and license texts are retained here and
alongside the vendored files. Rebranding / white-labeling MokoGIT does **not**
remove these obligations — this file (and the referenced license files) must be
distributed with the product.
## Font Awesome Free 7.1.0
- **Project:** Font Awesome Free
- **Version:** 7.1.0
- **Author / Copyright:** © 2025 Fonticons, Inc. — https://fontawesome.com
- **Homepage / License:** https://fontawesome.com/license/free
- **Vendored at:** `web_src/css/vendor/fontawesome/` (CSS + webfonts, unmodified)
- **Full license text:** `web_src/css/vendor/fontawesome/LICENSE.txt`
Font Awesome Free is multi-licensed by file type:
| Component | License | Notes |
| --- | --- | --- |
| Icons (SVG/JS glyph designs) | **CC BY 4.0** (https://creativecommons.org/licenses/by/4.0/) | Attribution to Fonticons, Inc. required. Satisfied by this notice + the retained CSS header. |
| Fonts (`.woff2` webfonts) | **SIL OFL 1.1** (https://scripts.sil.org/OFL) | Distributed with the OFL text (in `LICENSE.txt`). Font files are shipped **unmodified**; the reserved font name "Font Awesome" is retained. |
| Code (CSS) | **MIT** (https://opensource.org/licenses/MIT) | Copyright header retained in `all.min.css`. |
**Compliance notes for distribution / white-labeling:**
- The vendored `.woff2` font files are byte-for-byte unmodified. Do not subset,
re-generate, or rename them — doing so triggers the SIL OFL Reserved Font Name
restriction.
- The license header comment in `all.min.css` must be preserved.
- Attribution may live in this notices file and the licenses page rather than in
the visible (white-labeled) UI; it must remain accessible to end users.
+1
View File
@@ -0,0 +1 @@
01.00.00
+42
View File
@@ -0,0 +1,42 @@
<!-- SPDX-License-Identifier: GPL-3.0-or-later -->
# MokoGIT Versioning
MokoGIT follows the **MokoOrgStandards `xx.xx.xx`** scheme: `MAJOR.MINOR.PATCH`, **two digits
per segment** (e.g. `01.00.00`, `01.04.12`). This is MokoGIT's own version line — it deliberately
**replaces the inherited upstream Gitea version** (which previously leaked through as
`1.24.0+dev-<N>-g<hash>`).
## Where the version comes from
The binary version is injected at build time into `main.Version``setting.AppVer` (drives the
footer, `/api/v1/version`, and the PWA manifest). The Makefile resolves it in this order:
| Build type | Source | Result |
| --- | --- | --- |
| **Release (git tag)** | the tag name (`$GITHUB_REF_NAME`, `v` stripped) | e.g. tag `01.00.00``01.00.00` |
| **Branch / dev** | the repo-root **`VERSION`** file (`STORED_VERSION`) | `01.00.00` |
| _(fallback only if `VERSION` is absent)_ | `git describe --tags` | would leak the Gitea base — avoided by shipping `VERSION` |
The committed `VERSION` file (currently `01.00.00`) is what strips the Gitea base on ordinary
branch builds. **Do not delete it.**
## Release tagging — MUST use `xx.xx.xx`
Release/tag automation MUST create tags in the `xx.xx.xx` form (e.g. `01.00.00`). Because the
deploy workflows derive the container image tag from `git describe --tags`, tagging with
`01.00.00` makes the deployed image report MokoGIT's version rather than Gitea's. Tiers append a
suffix: dev → `-dev`, rc → `-rc`.
## Update checker
The upstream update-checker defaults to **disabled** (`modules/setting/setting.go`) — a fork must
not compare its `AppVer` against Gitea's release feed. Re-enable only against a MokoGIT endpoint.
## Scope of a bump
- **PATCH** — fixes, no behavior change.
- **MINOR** — backward-compatible features (default bump for feature/dev → stable releases).
- **MAJOR** — breaking changes.
Per-stack and per-tier `VERSION` files also live under `deploy/git/` for the `.vault` git stack.
+49
View File
@@ -0,0 +1,49 @@
<!-- SPDX-License-Identifier: GPL-3.0-or-later -->
# MokoGIT git stack (staged for `.vault`)
This directory is the **staged server compose** for the MokoGIT git service, laid out to match the
target `.vault/stacks/git/{prod,rc,dev}/` structure so it can be dropped into `.vault` when the
restructure resumes.
## Ownership split
- **This repo** (the Gitea fork) builds + pushes the **image** (`mokoconsulting/mokogit`, tiers
`mokogit` / `-rc` / `-dev`) via its own CI.
- **`.vault`** (`MokoConsulting/.vault`, `/opt/.vault` on the Beelink) owns the **server compose +
config** that RUNS those containers. `.vault` is the single source of truth for the box.
## Layout
```
deploy/git/
VERSION # per-stack version (xx.xx.xx)
prod/ { docker-compose.yml, VERSION, .env.example } -> container mokogit, /opt/mokogit/prod, db mokogit
rc/ { docker-compose.yml, VERSION, .env.example } -> container mokogit-rc, /opt/mokogit/rc, db mokogit_rc
dev/ { docker-compose.yml, VERSION, .env.example } -> container mokogit-dev, /opt/mokogit/dev, db mokogit_dev
```
Versioning follows MokoOrgStandards `xx.xx.xx` (see repo-root `VERSIONING.md`). Each tier and the
stack carry a `VERSION` file.
## ⚠️ Not yet live — reconcile first
These composes are **modeled on the documented live config**, not copied from the running box, so
they are **NOT guaranteed byte-accurate**. Before dropping into `.vault`:
1. **DIFF against the live** `/opt/mokogitea/docker-compose.yml` (run with `docker compose -p
gitea-dev`). Reconcile every line tagged `RECONCILE` in the compose: exact volume/conf layout
(live app.ini is at `${GIT_DATA_DIR}/conf/app.ini`), host ports, the DB host reachability (DB is
**host MySQL**; app DB user is `mokogitea`), the docker network name, and any `act_runner` /
`depends_on` wiring (note: `depends_on` uses the prod service key — mismatches caused a past
outage).
2. **Secrets stay external** — every host/secret value is `${VAR}`; real values go in a **gitignored
`.env`** or Gitea Actions secrets, never committed. `.env.example` files carry only placeholders.
## Do NOT relocate yet
The `.vault` restructure is **PAUSED** on server drift (partly from the mokogitea→mokogit rebrand
leaving the box tree dirty) and an **open critical secrets-in-git issue** in `.vault` history. Moving
the git compose onto the box now risks breaking the `--ff-only` pull. Relocation happens when the
restructure resumes — coordinate first. Until then git keeps running from `/opt/mokogitea` +
`/opt/gitea-dev` (the old locations).
+1
View File
@@ -0,0 +1 @@
01.00.00
+27
View File
@@ -0,0 +1,27 @@
# MokoGIT git stack -- DEV tier env (EXAMPLE -- copy to .env and fill; .env is gitignored)
# SPDX-License-Identifier: GPL-3.0-or-later
# No real secrets here. RECONCILE all values against the live box before use.
GIT_REGISTRY=git.mokoconsulting.tech
GIT_IMAGE=mokoconsulting/mokogit
MOKOGIT_DEV_TAG=01.00.00-dev # dev image tag. Deploy CI pins this per build.
GIT_UID=1000
GIT_GID=1000
GIT_DOMAIN=dev.git.mokoconsulting.tech
GIT_ROOT_URL=https://dev.git.mokoconsulting.tech/
GIT_SSH_DOMAIN=dev.git.mokoconsulting.tech
GIT_SSH_PUBLIC_PORT=2918
GIT_HTTP_PORT=3002
GIT_SSH_PORT=2224
GIT_DATA_DIR=/opt/mokogit/dev
GIT_DB_HOST=host.docker.internal:3306
GIT_DB_NAME=mokogit_dev
GIT_DB_USER=mokogitea
GIT_DB_PASSWD=__SET_IN_REAL_ENV__
GIT_NETWORK=gitea-dev_default
+1
View File
@@ -0,0 +1 @@
01.00.00
+47
View File
@@ -0,0 +1,47 @@
# MokoGIT git stack -- DEV tier
# SPDX-License-Identifier: GPL-3.0-or-later
#
# STAGED for .vault/stacks/git/dev/ -- see ../README.md. Modeled on the documented live config;
# DIFF against the live /opt/mokogitea/docker-compose.yml before dropping into .vault.
# Every host/secret value is ${VAR} (define real values in a gitignored .env; see .env.example).
services:
git:
image: "${GIT_REGISTRY}/${GIT_IMAGE}:${MOKOGIT_DEV_TAG}"
container_name: mokogit-dev
restart: unless-stopped
environment:
- USER_UID=${GIT_UID}
- USER_GID=${GIT_GID}
- GITEA__server__DOMAIN=${GIT_DOMAIN}
- GITEA__server__ROOT_URL=${GIT_ROOT_URL}
- GITEA__server__SSH_DOMAIN=${GIT_SSH_DOMAIN}
- GITEA__server__SSH_PORT=${GIT_SSH_PUBLIC_PORT}
- GITEA__database__DB_TYPE=mysql
- GITEA__database__HOST=${GIT_DB_HOST}
- GITEA__database__NAME=${GIT_DB_NAME}
- GITEA__database__USER=${GIT_DB_USER}
- GITEA__database__PASSWD=${GIT_DB_PASSWD}
volumes:
# RECONCILE: live app.ini at ${GIT_DATA_DIR}/conf/app.ini (/opt/mokogit/dev/conf).
- "${GIT_DATA_DIR}:/data"
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "${GIT_HTTP_PORT}:3000"
- "${GIT_SSH_PORT}:22"
healthcheck:
test: ["CMD", "curl", "-fsS", "http://localhost:3000/api/healthz"]
interval: 30s
timeout: 10s
retries: 5
start_period: 30s
extra_hosts:
- "host.docker.internal:host-gateway"
networks:
- git
networks:
git:
name: ${GIT_NETWORK}
external: true
+34
View File
@@ -0,0 +1,34 @@
# MokoGIT git stack -- PROD tier env (EXAMPLE -- copy to .env and fill real values; .env is gitignored)
# SPDX-License-Identifier: GPL-3.0-or-later
# No real secrets in this file. RECONCILE all values against the live box before use.
# --- image ---
GIT_REGISTRY=git.mokoconsulting.tech
GIT_IMAGE=mokoconsulting/mokogit
MOKOGIT_TAG=01.00.00 # prod image tag (release xx.xx.xx). Deploy CI pins this per build.
# --- runtime user ---
GIT_UID=1000
GIT_GID=1000
# --- server / URLs ---
GIT_DOMAIN=git.mokoconsulting.tech
GIT_ROOT_URL=https://git.mokoconsulting.tech/
GIT_SSH_DOMAIN=git.mokoconsulting.tech
GIT_SSH_PUBLIC_PORT=2918 # public SSH port advertised to clients
# --- host ports (container 3000/22 mapped to host) ---
GIT_HTTP_PORT=3000
GIT_SSH_PORT=2222
# --- data ---
GIT_DATA_DIR=/opt/mokogit/prod
# --- database (HOST MySQL; app DB user is 'mokogitea') ---
GIT_DB_HOST=host.docker.internal:3306
GIT_DB_NAME=mokogit
GIT_DB_USER=mokogitea
GIT_DB_PASSWD=__SET_IN_REAL_ENV__ # real value ONLY in gitignored .env / Actions secret
# --- docker network (external; RECONCILE actual name) ---
GIT_NETWORK=gitea-dev_default
+1
View File
@@ -0,0 +1 @@
01.00.00
+52
View File
@@ -0,0 +1,52 @@
# MokoGIT git stack -- PROD tier
# SPDX-License-Identifier: GPL-3.0-or-later
#
# STAGED for .vault/stacks/git/prod/ -- see ../README.md. Modeled on the documented live
# config; DIFF against the live /opt/mokogitea/docker-compose.yml before dropping into .vault.
# Ownership: THIS repo builds+pushes the image; .vault runs it. Every host/secret value is ${VAR}
# (define real values in a gitignored .env; see .env.example). Do NOT commit a real .env.
#
# RECONCILE before use: exact volume/conf layout, ports, DB host reachability (host MySQL),
# network name, and any act_runner/depends_on wiring are modeled -- verify against the box.
services:
git:
image: "${GIT_REGISTRY}/${GIT_IMAGE}:${MOKOGIT_TAG}"
container_name: mokogit
restart: unless-stopped
environment:
- USER_UID=${GIT_UID}
- USER_GID=${GIT_GID}
- GITEA__server__DOMAIN=${GIT_DOMAIN}
- GITEA__server__ROOT_URL=${GIT_ROOT_URL}
- GITEA__server__SSH_DOMAIN=${GIT_SSH_DOMAIN}
- GITEA__server__SSH_PORT=${GIT_SSH_PUBLIC_PORT}
# DB is HOST MySQL (RECONCILE host reachability: host-gateway / socket / LAN IP).
- GITEA__database__DB_TYPE=mysql
- GITEA__database__HOST=${GIT_DB_HOST}
- GITEA__database__NAME=${GIT_DB_NAME}
- GITEA__database__USER=${GIT_DB_USER}
- GITEA__database__PASSWD=${GIT_DB_PASSWD}
volumes:
# RECONCILE: live app.ini is at ${GIT_DATA_DIR}/conf/app.ini (/opt/mokogit/prod/conf).
- "${GIT_DATA_DIR}:/data"
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "${GIT_HTTP_PORT}:3000"
- "${GIT_SSH_PORT}:22"
healthcheck:
test: ["CMD", "curl", "-fsS", "http://localhost:3000/api/healthz"]
interval: 30s
timeout: 10s
retries: 5
start_period: 30s
extra_hosts:
- "host.docker.internal:host-gateway"
networks:
- git
networks:
git:
name: ${GIT_NETWORK}
external: true
+27
View File
@@ -0,0 +1,27 @@
# MokoGIT git stack -- RC tier env (EXAMPLE -- copy to .env and fill; .env is gitignored)
# SPDX-License-Identifier: GPL-3.0-or-later
# No real secrets here. RECONCILE all values against the live box before use.
GIT_REGISTRY=git.mokoconsulting.tech
GIT_IMAGE=mokoconsulting/mokogit
MOKOGIT_RC_TAG=01.00.00-rc # rc image tag. Deploy CI pins this per build.
GIT_UID=1000
GIT_GID=1000
GIT_DOMAIN=rc.git.mokoconsulting.tech
GIT_ROOT_URL=https://rc.git.mokoconsulting.tech/
GIT_SSH_DOMAIN=rc.git.mokoconsulting.tech
GIT_SSH_PUBLIC_PORT=2918
GIT_HTTP_PORT=3001
GIT_SSH_PORT=2223
GIT_DATA_DIR=/opt/mokogit/rc
GIT_DB_HOST=host.docker.internal:3306
GIT_DB_NAME=mokogit_rc
GIT_DB_USER=mokogitea
GIT_DB_PASSWD=__SET_IN_REAL_ENV__
GIT_NETWORK=gitea-dev_default
+1
View File
@@ -0,0 +1 @@
01.00.00
+47
View File
@@ -0,0 +1,47 @@
# MokoGIT git stack -- RC tier
# SPDX-License-Identifier: GPL-3.0-or-later
#
# STAGED for .vault/stacks/git/rc/ -- see ../README.md. Modeled on the documented live config;
# DIFF against the live /opt/mokogitea/docker-compose.yml before dropping into .vault.
# Every host/secret value is ${VAR} (define real values in a gitignored .env; see .env.example).
services:
git:
image: "${GIT_REGISTRY}/${GIT_IMAGE}:${MOKOGIT_RC_TAG}"
container_name: mokogit-rc
restart: unless-stopped
environment:
- USER_UID=${GIT_UID}
- USER_GID=${GIT_GID}
- GITEA__server__DOMAIN=${GIT_DOMAIN}
- GITEA__server__ROOT_URL=${GIT_ROOT_URL}
- GITEA__server__SSH_DOMAIN=${GIT_SSH_DOMAIN}
- GITEA__server__SSH_PORT=${GIT_SSH_PUBLIC_PORT}
- GITEA__database__DB_TYPE=mysql
- GITEA__database__HOST=${GIT_DB_HOST}
- GITEA__database__NAME=${GIT_DB_NAME}
- GITEA__database__USER=${GIT_DB_USER}
- GITEA__database__PASSWD=${GIT_DB_PASSWD}
volumes:
# RECONCILE: live app.ini at ${GIT_DATA_DIR}/conf/app.ini (/opt/mokogit/rc/conf).
- "${GIT_DATA_DIR}:/data"
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "${GIT_HTTP_PORT}:3000"
- "${GIT_SSH_PORT}:22"
healthcheck:
test: ["CMD", "curl", "-fsS", "http://localhost:3000/api/healthz"]
interval: 30s
timeout: 10s
retries: 5
start_period: 30s
extra_hosts:
- "host.docker.internal:host-gateway"
networks:
- git
networks:
git:
name: ${GIT_NETWORK}
external: true
+5 -5
View File
@@ -34,11 +34,11 @@ var (
Enabled: true,
DefaultActionsURL: defaultActionsURLGitHub,
SkipWorkflowStrings: []string{"[skip ci]", "[ci skip]", "[no ci]", "[skip actions]", "[actions skip]"},
// TODO(MokoGIT rebrand): workflow discovery is temporarily kept at
// .mokogitea/workflows so the currently-deployed (old) binary can discover
// and run the deploy workflows during the cutover. Once the MokoGIT image is
// live, switch this and the workflow directory to .mokogit/workflows.
WorkflowDirs: []string{".mokogitea/workflows", ".gitea/workflows", ".github/workflows"},
// MokoGIT: custom workflow-discovery path is .mokogit/workflows (the legacy
// .mokogitea/workflows name is fully retired — do not re-add it). Fixes #798,
// where the deployed binary scanned only .mokogitea/workflows so the org's
// .mokogit/workflows CI was invisible. Override via [actions] WORKFLOW_DIRS.
WorkflowDirs: []string{".mokogit/workflows", ".gitea/workflows", ".github/workflows"},
MaxRerunAttempts: defaultMaxRerunAttempts,
}
)
+1 -1
View File
@@ -112,7 +112,7 @@ func Test_WorkflowDirs(t *testing.T) {
{
name: "default",
iniStr: `[actions]`,
wantDirs: []string{".mokogitea/workflows", ".gitea/workflows", ".github/workflows"},
wantDirs: []string{".mokogit/workflows", ".gitea/workflows", ".github/workflows"},
},
{
name: "single dir",
+3 -1
View File
@@ -187,7 +187,9 @@ func loadCommonSettingsFrom(cfg ConfigProvider) error {
func loadUpdateCheckerFrom(cfg ConfigProvider) {
sec := cfg.Section("update_checker")
UpdateChecker.Enabled = sec.Key("ENABLED").MustBool(true)
// MokoGIT is a fork with its own xx.xx.xx version scheme (see repo VERSION / VERSIONING.md);
// default the upstream update-checker OFF so we never compare AppVer against Gitea's release feed.
UpdateChecker.Enabled = sec.Key("ENABLED").MustBool(false)
UpdateChecker.Endpoint = sec.Key("ENDPOINT").MustString(UpdateChecker.Endpoint)
UpdateChecker.Channel = sec.Key("CHANNEL").MustString(UpdateChecker.Channel)
}
+1 -1
View File
@@ -95,7 +95,7 @@ var UI = struct {
CodeCommentLines: 4,
ReactionMaxUserNum: 10,
MaxDisplayFileSize: 8388608,
DefaultTheme: `gitea-auto`,
DefaultTheme: `mokogit-auto`,
FileIconTheme: `material`,
FolderIconTheme: `basic`,
Reactions: []string{`+1`, `-1`, `laugh`, `hooray`, `confused`, `heart`, `rocket`, `eyes`},
+12
View File
@@ -3,6 +3,18 @@
"dashboard": "Dashboard",
"explore_title": "Explore",
"help": "Help",
"mokogit.theme_toggle": "Toggle light / dark theme",
"mokogit.a11y_title": "Accessibility",
"mokogit.a11y_text_size": "Text size",
"mokogit.a11y_decrease": "Decrease text size",
"mokogit.a11y_increase": "Increase text size",
"mokogit.a11y_reset": "Reset",
"mokogit.a11y_invert": "Invert colors",
"mokogit.a11y_contrast": "High contrast",
"mokogit.a11y_links": "Highlight links",
"mokogit.a11y_readable": "Readable font",
"mokogit.a11y_pause": "Pause animations",
"mokogit.a11y_reset_all": "Reset all",
"logo": "Logo",
"sign_in": "Sign In",
"sign_in_with_provider": "Sign in with %s",
+122 -6
View File
@@ -31,20 +31,136 @@ func SiteManifest(w http.ResponseWriter, req *http.Request) {
ctx := req.Context()
absoluteAssetURL := strings.TrimSuffix(httplib.MakeAbsoluteURL(ctx, setting.StaticURLPrefix), "/")
appURL := strings.TrimSuffix(httplib.GuessCurrentAppURL(ctx), "/")
// Icons resolve to admin-uploaded branding (nav-icon writes logo.png, favicon
// upload writes favicon.*) when set, otherwise to the bundled MokoGIT branded
// defaults at the same /assets/img/ paths. See routers/web/admin/branding.go.
manifest := map[string]any{
"name": setting.AppName,
"short_name": setting.AppName,
"start_url": httplib.GuessCurrentAppURL(ctx),
"name": setting.AppName,
"short_name": setting.AppName,
"description": setting.AppName + " — self-hosted Git service",
"id": appURL + "/",
"start_url": appURL + "/",
"scope": appURL + "/",
"display": "standalone",
"display_override": []string{"standalone", "minimal-ui", "browser"},
"orientation": "any",
"theme_color": "#112855", // MokoGIT signature navy
"background_color": "#0e1318",
"categories": []string{"developer", "productivity"},
"icons": []map[string]string{
{"src": absoluteAssetURL + "/assets/img/favicon.svg", "type": "image/svg+xml", "sizes": "any", "purpose": "any"},
{"src": absoluteAssetURL + "/assets/img/favicon.png", "type": "image/png", "sizes": "256x256"},
{"src": absoluteAssetURL + "/assets/img/logo-small.png", "type": "image/png", "sizes": "512x512"},
{"src": absoluteAssetURL + "/assets/img/logo.png", "type": "image/png", "sizes": "512x512"},
{"src": absoluteAssetURL + "/assets/img/favicon.png", "type": "image/png", "sizes": "256x256", "purpose": "any"},
{"src": absoluteAssetURL + "/assets/img/logo-small.png", "type": "image/png", "sizes": "512x512", "purpose": "any"},
{"src": absoluteAssetURL + "/assets/img/logo-small.png", "type": "image/png", "sizes": "512x512", "purpose": "maskable"},
{"src": absoluteAssetURL + "/assets/img/logo.png", "type": "image/png", "sizes": "512x512", "purpose": "any"},
},
"shortcuts": []map[string]any{
{"name": "Dashboard", "url": appURL + "/", "icons": []map[string]string{{"src": absoluteAssetURL + "/assets/img/logo-small.png", "sizes": "512x512"}}},
{"name": "Issues", "url": appURL + "/issues"},
{"name": "Pull Requests", "url": appURL + "/pulls"},
{"name": "Explore", "url": appURL + "/explore/repos"},
},
}
_ = json.NewEncoder(w).Encode(manifest)
}
// serviceWorkerJS is the MokoGIT PWA service worker. Tokens are replaced per
// request so the scope and offline/asset URLs honor AppSubURL. Strategy:
// - navigation requests: network-first, fall back to the cached offline page
// - same-origin static assets under the asset prefix: cache-first
// - everything else: passthrough
const serviceWorkerJS = `
const CACHE = '__CACHE__';
const OFFLINE_URL = '__OFFLINE__';
const ASSET_PREFIX = '__ASSETS__';
self.addEventListener('install', (e) => {
e.waitUntil(caches.open(CACHE).then((c) => c.add(new Request(OFFLINE_URL, {cache: 'reload'}))).then(() => self.skipWaiting()));
});
self.addEventListener('activate', (e) => {
e.waitUntil(caches.keys().then((keys) => Promise.all(keys.filter((k) => k !== CACHE).map((k) => caches.delete(k)))).then(() => self.clients.claim()));
});
self.addEventListener('fetch', (e) => {
const req = e.request;
if (req.method !== 'GET') return;
const url = new URL(req.url);
if (url.origin !== self.location.origin) return;
if (req.mode === 'navigate') {
e.respondWith(fetch(req).catch(() => caches.match(OFFLINE_URL)));
return;
}
if (ASSET_PREFIX && url.pathname.startsWith(ASSET_PREFIX)) {
e.respondWith(caches.match(req).then((cached) => cached || fetch(req).then((resp) => {
if (resp && resp.ok && resp.type === 'basic') { const clone = resp.clone(); caches.open(CACHE).then((c) => c.put(req, clone)); }
return resp;
}).catch(() => cached)));
}
});
`
// ServiceWorker serves the PWA service worker script with a root-scoped
// Service-Worker-Allowed header so it can control navigations under AppSubURL.
func ServiceWorker(w http.ResponseWriter, req *http.Request) {
scope := setting.AppSubURL + "/"
assetPrefix := strings.TrimSuffix(setting.StaticURLPrefix, "/") + "/assets/"
js := serviceWorkerJS
js = strings.ReplaceAll(js, "__CACHE__", "mokogit-pwa-"+setting.AppStartTime.Format("20060102150405"))
js = strings.ReplaceAll(js, "__OFFLINE__", setting.AppSubURL+"/-/offline")
js = strings.ReplaceAll(js, "__ASSETS__", assetPrefix)
w.Header().Set("Content-Type", "application/javascript; charset=utf-8")
w.Header().Set("Service-Worker-Allowed", scope)
if httpcache.HandleGenericETagPublicCache(req, w, "", &setting.AppStartTime) {
return
}
if req.Method == http.MethodHead {
return
}
_, _ = w.Write([]byte(js))
}
// Offline serves a self-contained, branded offline fallback page. It is
// precached by the service worker and shown when a navigation fails offline.
func Offline(w http.ResponseWriter, req *http.Request) {
w.Header().Set("Content-Type", "text/html; charset=utf-8")
if req.Method == http.MethodHead {
return
}
page := strings.ReplaceAll(offlineHTML, "__NAME__", setting.AppName)
page = strings.ReplaceAll(page, "__ICON__", strings.TrimSuffix(setting.StaticURLPrefix, "/")+"/assets/img/logo.png")
_, _ = w.Write([]byte(page))
}
// offlineHTML is a dependency-light offline page (inline styles, MokoGIT navy).
const offlineHTML = `<!DOCTYPE html>
<html lang="en" data-theme="mokogit-auto">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Offline &middot; __NAME__</title>
<style>
:root { color-scheme: light dark; }
html,body { height:100%; margin:0; }
body { display:flex; align-items:center; justify-content:center; font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica Neue',Arial,sans-serif; background:#0e1318; color:#e6ebf1; text-align:center; padding:2rem; }
.card { max-width:28rem; }
img { width:72px; height:72px; object-fit:contain; margin-bottom:1.25rem; }
h1 { font-size:1.5rem; margin:0 0 .5rem; color:#f1f5f9; }
p { color:#c7ccd4; line-height:1.5; margin:0 0 1.5rem; }
button { background:#010156; color:#fff; border:0; border-radius:.25rem; padding:.6rem 1.25rem; font-size:1rem; cursor:pointer; }
button:hover { background:#010149; }
.bar { height:4px; background:#112855; position:fixed; top:0; left:0; right:0; }
</style>
</head>
<body>
<div class="bar"></div>
<div class="card">
<img src="__ICON__" alt="" onerror="this.style.display='none'">
<h1>You're offline</h1>
<p>__NAME__ can't be reached right now. Check your connection and try again &mdash; recently visited pages may still be available.</p>
<button onclick="location.reload()">Retry</button>
</div>
</body>
</html>`
func SSHInfo(rw http.ResponseWriter, req *http.Request) {
if !git.DefaultFeatures().SupportProcReceive {
rw.WriteHeader(http.StatusNotFound)
+60 -2
View File
@@ -14,6 +14,7 @@ import (
"code.mokoconsulting.tech/MokoConsulting/MokoGIT/models/renderhelper"
repo_model "code.mokoconsulting.tech/MokoConsulting/MokoGIT/models/repo"
"code.mokoconsulting.tech/MokoConsulting/MokoGIT/modules/git"
"code.mokoconsulting.tech/MokoConsulting/MokoGIT/modules/gitrepo"
"code.mokoconsulting.tech/MokoConsulting/MokoGIT/modules/log"
"code.mokoconsulting.tech/MokoConsulting/MokoGIT/modules/markup/markdown"
"code.mokoconsulting.tech/MokoConsulting/MokoGIT/modules/setting"
@@ -170,23 +171,37 @@ func prepareOrgProfileReadme(ctx *context.Context, prepareResult *shared_user.Pr
viewAs := ctx.FormString("view_as", util.Iif(ctx.Org.IsMember, "member", "public"))
viewAsMember := viewAs == "member"
// Prefer the repo that exists for the chosen view; the internal wiki landing
// (below) is rendered even when the legacy root README.md has been removed.
var profileRepo *repo_model.Repository
var readmeBlob *git.Blob
if viewAsMember {
if prepareResult.ProfilePrivateReadmeBlob != nil {
if prepareResult.ProfilePrivateRepo != nil {
profileRepo, readmeBlob = prepareResult.ProfilePrivateRepo, prepareResult.ProfilePrivateReadmeBlob
} else {
profileRepo, readmeBlob = prepareResult.ProfilePublicRepo, prepareResult.ProfilePublicReadmeBlob
viewAsMember = false
}
} else {
if prepareResult.ProfilePublicReadmeBlob != nil {
if prepareResult.ProfilePublicRepo != nil {
profileRepo, readmeBlob = prepareResult.ProfilePublicRepo, prepareResult.ProfilePublicReadmeBlob
} else {
profileRepo, readmeBlob = prepareResult.ProfilePrivateRepo, prepareResult.ProfilePrivateReadmeBlob
viewAsMember = true
}
}
if profileRepo == nil {
return false
}
// Merged profile+wiki: render the internal wiki's landing page as the org
// Overview (resolution: home -> index -> readme -> profile). Falls back to the
// legacy root README.md below if the wiki has no landing page or errors.
if renderOrgWikiLanding(ctx, profileRepo) {
ctx.Data["IsViewingOrgAsMember"] = viewAsMember
return true
}
if readmeBlob == nil {
return false
}
@@ -208,3 +223,46 @@ func prepareOrgProfileReadme(ctx *context.Context, prepareResult *shared_user.Pr
ctx.Data["IsViewingOrgAsMember"] = viewAsMember
return true
}
// renderOrgWikiLanding renders the profile repo's internal wiki landing page as
// the org Overview content. It looks for the first existing landing page in the
// order home -> index -> readme -> profile (.md) in the repo's attached wiki and,
// if found, renders it into ctx.Data["ProfileReadmeContent"]. Returns false (with
// no error surfaced) when the wiki or a landing page is absent, so the caller can
// safely fall back to the legacy root README.md.
func renderOrgWikiLanding(ctx *context.Context, profileRepo *repo_model.Repository) bool {
wikiGitRepo, err := gitrepo.RepositoryFromRequestContextOrOpen(ctx, profileRepo.WikiStorageRepo())
if err != nil {
return false
}
branch := profileRepo.DefaultWikiBranch
if branch == "" {
branch = setting.Repository.DefaultBranch
}
commit, err := wikiGitRepo.GetBranchCommit(branch)
if err != nil {
return false
}
// Wiki pages are stored as "<Name>.md"; try common casings for each landing name.
for _, name := range []string{"Home", "home", "Index", "index", "README", "Readme", "readme", "Profile", "profile"} {
blob, err := commit.GetBlobByPath(name + ".md")
if err != nil || blob == nil {
continue
}
content, err := blob.GetBlobContent(setting.UI.MaxDisplayFileSize)
if err != nil {
return false
}
rctx := renderhelper.NewRenderContextRepoFile(ctx, profileRepo, renderhelper.RepoFileOptions{
CurrentRefPath: path.Join("branch", util.PathEscapeSegments(branch)),
})
ctx.Data["ProfileReadmeContent"], err = markdown.RenderString(rctx, content)
if err != nil {
return false
}
return true
}
return false
}
+2
View File
@@ -276,6 +276,8 @@ func Routes() *web.Router {
routes.Head("/", misc.DummyOK) // for health check - doesn't need to be passed through gzip handler
routes.Methods("GET, HEAD", "/assets/site-manifest.json", misc.SiteManifest)
routes.Methods("GET, HEAD", "/serviceworker.js", misc.ServiceWorker) // PWA service worker (root-scoped)
routes.Methods("GET, HEAD", "/-/offline", misc.Offline) // PWA offline fallback page
routes.Methods("GET, HEAD, OPTIONS", "/assets/*", routing.MarkLogLevelTrace, public.AssetsCors(), public.FileHandlerFunc())
routes.Methods("GET, HEAD", "/avatars/*", avatarStorageHandler(setting.Avatar.Storage, "avatars", storage.Avatars))
routes.Methods("GET, HEAD", "/repo-avatars/*", avatarStorageHandler(setting.RepoAvatar.Storage, "repo-avatars", storage.RepoAvatars))
+2 -2
View File
@@ -3,8 +3,8 @@ import type {Config} from 'stylelint';
const cssVarFiles = [
fileURLToPath(new URL('web_src/css/base.css', import.meta.url)),
fileURLToPath(new URL('web_src/css/themes/theme-gitea-light.css', import.meta.url)),
fileURLToPath(new URL('web_src/css/themes/theme-gitea-dark.css', import.meta.url)),
fileURLToPath(new URL('web_src/css/themes/theme-mokogit-light.css', import.meta.url)),
fileURLToPath(new URL('web_src/css/themes/theme-mokogit-dark.css', import.meta.url)),
];
export default {
+2 -2
View File
@@ -18,8 +18,8 @@ function extractRootVars(css: string) {
}
const vars = extractRootVars([
readFileSync(new URL('web_src/css/themes/theme-gitea-light.css', import.meta.url), 'utf8'),
readFileSync(new URL('web_src/css/themes/theme-gitea-dark.css', import.meta.url), 'utf8'),
readFileSync(new URL('web_src/css/themes/theme-mokogit-light.css', import.meta.url), 'utf8'),
readFileSync(new URL('web_src/css/themes/theme-mokogit-dark.css', import.meta.url), 'utf8'),
].join('\n'));
export default {
+12
View File
@@ -5,6 +5,11 @@
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>{{if .Title}}{{.Title}} - {{end}}{{.PageTitleCommon}}</title>
<link rel="manifest" href="{{AssetUrlPrefix}}/site-manifest.json">
<meta name="theme-color" content="#112855">{{/* MokoGIT navy installed PWA / mobile browser chrome */}}
<meta name="mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<meta name="apple-mobile-web-app-title" content="{{AppName}}">
<meta name="author" content="{{if .Repository}}{{.Owner.Name}}{{else}}{{MetaAuthor}}{{end}}">
<meta name="description" content="{{if .Repository}}{{.Repository.Name}}{{if .Repository.Description}} - {{.Repository.Description}}{{end}}{{else}}{{MetaDescription}}{{end}}">
<meta name="keywords" content="{{MetaKeywords}}">
@@ -23,6 +28,13 @@
{{template "base/head_style" .}}
{{template "base/head_script" .}}
{{template "custom/header" .}}
<script nonce="{{ctx.CspScriptNonce}}">
if ('serviceWorker' in navigator) {
window.addEventListener('load', function () {
navigator.serviceWorker.register('{{AppSubUrl}}/serviceworker.js', {scope: '{{AppSubUrl}}/'}).catch(function () {});
});
}
</script>
</head>
<body>
{{template "custom/body_outer_pre" .}}
+30
View File
@@ -40,6 +40,36 @@
<!-- the full dropdown menus -->
<div class="navbar-right">
{{/* MokoGIT: accessibility menu toggle (client-side, all users) */}}
<button type="button" class="item mokogit-a11y-toggle" id="mokogit-a11y-toggle"
aria-haspopup="dialog" aria-expanded="false" aria-controls="mokogit-a11y-panel"
data-tooltip-content="{{ctx.Locale.Tr "mokogit.a11y_title"}}"
aria-label="{{ctx.Locale.Tr "mokogit.a11y_title"}}"
data-label-title="{{ctx.Locale.Tr "mokogit.a11y_title"}}"
data-label-textsize="{{ctx.Locale.Tr "mokogit.a11y_text_size"}}"
data-label-decrease="{{ctx.Locale.Tr "mokogit.a11y_decrease"}}"
data-label-increase="{{ctx.Locale.Tr "mokogit.a11y_increase"}}"
data-label-reset="{{ctx.Locale.Tr "mokogit.a11y_reset"}}"
data-label-invert="{{ctx.Locale.Tr "mokogit.a11y_invert"}}"
data-label-contrast="{{ctx.Locale.Tr "mokogit.a11y_contrast"}}"
data-label-links="{{ctx.Locale.Tr "mokogit.a11y_links"}}"
data-label-readable="{{ctx.Locale.Tr "mokogit.a11y_readable"}}"
data-label-pause="{{ctx.Locale.Tr "mokogit.a11y_pause"}}"
data-label-resetall="{{ctx.Locale.Tr "mokogit.a11y_reset_all"}}">
<span class="flex-text-block"><i class="fa-solid fa-universal-access"></i></span>
</button>
{{/* MokoGIT: light/dark theme toggle */}}
<button type="button" class="item mokogit-theme-toggle" id="mokogit-theme-toggle"
data-tooltip-content="{{ctx.Locale.Tr "mokogit.theme_toggle"}}"
aria-label="{{ctx.Locale.Tr "mokogit.theme_toggle"}}">
<span class="flex-text-block"><i class="fa-solid fa-sun"></i><i class="fa-solid fa-moon"></i></span>
</button>
{{if .IsSigned}}
<form id="mokogit-theme-form" method="post" action="{{AppSubUrl}}/user/settings/appearance/theme" class="tw-hidden">
{{.CsrfTokenHtml}}
<input type="hidden" name="theme" value="">
</form>
{{end}}
{{if and .IsSigned .MustChangePassword}}
<div class="ui dropdown jump item" data-tooltip-content="{{ctx.Locale.Tr "user_profile_and_more"}}">
<span class="text">
+6
View File
@@ -0,0 +1,6 @@
{{/* MokoGIT brand override hook (ships by default).
Drop a stylesheet at custom/public/assets/css/mokogit-custom.css on any instance to re-skin the
MokoGIT brand tokens LIVE, with no rebuild -- Gitea serves /assets/ with custom/ taking precedence.
If no override file is present the link is a harmless 404 (no visual/functional impact).
Instance admins may still override this whole partial via custom/templates/custom/header.tmpl. */}}
<link rel="stylesheet" href="{{AppSubUrl}}/assets/css/mokogit-custom.css">
+2 -2
View File
@@ -68,11 +68,11 @@
<div class="field">
<div class="ui radio checkbox">
<input class="enable-system-radio" name="wiki_mode" type="radio" value="" data-context="#external_wiki_box" data-target="#internal_wiki_box" {{if eq .Org.WikiMode ""}}checked{{end}}>
<label>Internal wiki (uses <code>.profile</code> / <code>.profile-private</code> repo wikis)</label>
<label>Internal wiki (uses <code>.mokogit</code> / <code>.mokogit-private</code> repo wikis)</label>
</div>
</div>
<div id="internal_wiki_box" class="field tw-pl-4 {{if ne .Org.WikiMode ""}}disabled{{end}}">
<p class="help">Enable the wiki on <code>.profile</code> (public) and/or <code>.profile-private</code> (members-only) repos.</p>
<p class="help">Enable the wiki on <code>.mokogit</code> (public) and/or <code>.mokogit-private</code> (members-only) repos.</p>
</div>
<div class="field">
<div class="ui radio checkbox">
+2 -1
View File
@@ -166,7 +166,8 @@
</a>
{{end}}
{{if .Permission.CanRead ctx.Consts.RepoUnitTypeWiki}}
{{/* MokoGIT: the internal-wiki (.mokogit/.mokogit-private) surfaces as the org Overview, so hide its per-repo Wiki tab. */}}
{{if and (.Permission.CanRead ctx.Consts.RepoUnitTypeWiki) (not (or (eq .Repository.Name ".mokogit") (eq .Repository.Name ".mokogit-private")))}}
<a class="{{if .PageIsWiki}}active {{end}}item" href="{{.RepoLink}}/wiki">
{{svg "octicon-book"}} {{ctx.Locale.Tr "repo.wiki"}}
</a>
+1 -1
View File
@@ -92,7 +92,7 @@
<span class="status-button-text">{{ctx.Locale.Tr "repo.issues.reopen_issue"}}</span>
</button>
{{else}}
<select name="status_id" class="ui compact dropdown" style="min-width:140px;padding:7px 10px;border:1px solid var(--color-secondary);border-radius:4px;background:var(--color-body);">
<select name="status_id" class="issue-status-select">
<option value="">-- {{ctx.Locale.Tr "repo.issues.status"}} --</option>
{{range .IssueStatusDefs}}
{{if not .ClosesIssue}}
+140
View File
@@ -0,0 +1,140 @@
/* MokoGIT accessibility menu — panel UI + the effect classes toggled on <html>.
Ported from the mokoconsulting.tech / MokoOnyx accessibility widget. */
/* ---- navbar toggle button ---- */
.mokogit-a11y-toggle,
.mokogit-theme-toggle {
background: none;
border: none;
cursor: pointer;
color: inherit;
}
/* theme toggle: show sun in dark mode (click -> go light), moon in light mode */
.mokogit-theme-toggle .fa-moon { display: inline-block; }
.mokogit-theme-toggle .fa-sun { display: none; }
.mokogit-theme-toggle.is-dark .fa-moon { display: none; }
.mokogit-theme-toggle.is-dark .fa-sun { display: inline-block; }
/* ---- panel ---- */
.a11y-panel {
position: fixed;
z-index: 1000;
min-width: 260px;
max-width: 320px;
padding: 12px;
background: var(--color-body);
color: var(--color-text);
border: 1px solid var(--color-secondary);
border-radius: var(--border-radius, 4px);
box-shadow: 0 0.5rem 1rem rgba(0, 0, 0, 0.15);
}
.a11y-panel-title {
font-weight: 600;
margin-bottom: 8px;
padding-bottom: 8px;
border-bottom: 1px solid var(--color-secondary);
}
.a11y-row {
display: flex;
align-items: center;
justify-content: space-between;
gap: 8px;
padding: 6px 0;
}
.a11y-row-label { font-size: 0.95em; }
.a11y-size-controls { display: flex; align-items: center; gap: 4px; }
.a11y-size-btn {
min-width: 28px;
height: 28px;
padding: 0 8px;
border: 1px solid var(--color-secondary);
border-radius: var(--border-radius, 4px);
background: var(--color-secondary-bg, var(--color-box-body));
color: inherit;
cursor: pointer;
}
.a11y-size-value { min-width: 44px; text-align: center; font-variant-numeric: tabular-nums; }
/* toggle switch */
.a11y-switch {
position: relative;
width: 40px;
height: 22px;
border-radius: 11px;
border: 1px solid var(--color-secondary);
background: var(--color-secondary);
cursor: pointer;
transition: background 0.15s ease;
flex: 0 0 auto;
}
.a11y-switch::after {
content: "";
position: absolute;
top: 2px;
left: 2px;
width: 16px;
height: 16px;
border-radius: 50%;
background: #fff;
transition: transform 0.15s ease;
}
.a11y-switch.is-on { background: var(--color-primary); border-color: var(--color-primary); }
.a11y-switch.is-on::after { transform: translateX(18px); }
.a11y-reset-all {
margin-top: 10px;
width: 100%;
padding: 6px 10px;
border: 1px solid var(--color-secondary);
border-radius: var(--border-radius, 4px);
background: var(--color-secondary-bg, var(--color-box-body));
color: inherit;
cursor: pointer;
}
/* ==== effect classes toggled on <html> ==== */
/* invert colors (keep media upright) */
html.a11y-inverted { filter: invert(1) hue-rotate(180deg); }
html.a11y-inverted img,
html.a11y-inverted video,
html.a11y-inverted picture,
html.a11y-inverted canvas,
html.a11y-inverted [style*="background-image"] { filter: invert(1) hue-rotate(180deg); }
/* high contrast */
html.a11y-high-contrast { filter: contrast(1.3); }
html.a11y-high-contrast a { text-decoration: underline; }
/* highlight links */
html.a11y-highlight-links a {
text-decoration: underline !important;
outline: 1px solid currentcolor;
outline-offset: 1px;
background: rgba(255, 235, 59, 0.25);
}
/* readable font */
html.a11y-readable-font,
html.a11y-readable-font * {
font-family: Verdana, Tahoma, "Segoe UI", Arial, sans-serif !important;
letter-spacing: 0.02em;
line-height: 1.7;
}
/* pause animations */
html.a11y-pause-animations *,
html.a11y-pause-animations *::before,
html.a11y-pause-animations *::after {
animation-duration: 0s !important;
animation-iteration-count: 1 !important;
transition-duration: 0s !important;
scroll-behavior: auto !important;
}
+9
View File
@@ -1,6 +1,10 @@
@import "./modules/normalize.css";
@import "./modules/animations.css";
/* Vendored Font Awesome 7 Free (unmodified). Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT.
License + attribution: web_src/css/vendor/fontawesome/LICENSE.txt and THIRD-PARTY-NOTICES.md. */
@import "./vendor/fontawesome/css/all.min.css";
/* fomantic replacements */
@import "./modules/button.css";
@import "./modules/container.css";
@@ -49,6 +53,7 @@
@import "./features/cropper.css";
@import "./features/console.css";
@import "./features/captcha.css";
@import "./features/a11y-menu.css";
@import "./markup/content.css";
@import "./markup/codeblock.css";
@@ -65,6 +70,7 @@
@import "./repo/issue-card.css";
@import "./repo/issue-label.css";
@import "./repo/issue-list.css";
@import "./repo/issue-status.css";
@import "./repo/list-header.css";
@import "./repo/file-view.css";
@import "./repo/wiki.css";
@@ -87,4 +93,7 @@
@import "./helpers.css";
/* MokoGIT brand reskin — last so it overrides component modules (Tailwind utilities still win). */
@import "./mokogit-brand.css";
@tailwind utilities;
+87
View File
@@ -0,0 +1,87 @@
/* MokoGIT brand reskin layer
*
* Applies the mokoconsulting.tech design language on top of Gitea's component
* modules, using theme tokens (theme-mokogit-{light,dark}.css) wherever a
* variable exists so light/dark and runtime overrides "just work".
*
* Sourced from A:\MokoOnyx (the mokoconsulting.tech template):
* - fonts: system stack + Roboto (Gitea's --fonts-proportional already matches)
* - radius: .25rem base (Gitea --border-radius is already 4px)
* - soft elevation on cards/dropdowns/modals
* - buttons: weight 400, .6rem/1rem padding
* - deep-navy nav + footer (set via --color-nav-bg in the theme files)
*
* Load order: imported last in index.css so it overrides component modules;
* Tailwind utilities still win (declared after this).
*/
:root {
/* Exact mokoconsulting.tech font stack for parity (Gitea falls back to this). */
--fonts-override: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans";
/* mokoconsulting soft-elevation shadow scale (referenced by the rules below
* and available for custom overrides). */
--mokogit-shadow-sm: 0 .125rem .25rem rgba(0, 0, 0, .075);
--mokogit-shadow: 0 .5rem 1rem rgba(0, 0, 0, .15);
--mokogit-shadow-lg: 0 1rem 3rem rgba(0, 0, 0, .175);
}
/* Heavier elevation on dark surfaces — explicit dark theme + auto-following-system. */
:root[data-theme="mokogit-dark"] {
--mokogit-shadow-sm: 0 .125rem .25rem rgba(0, 0, 0, .25);
--mokogit-shadow: 0 .5rem 1rem rgba(0, 0, 0, .5);
--mokogit-shadow-lg: 0 1rem 3rem rgba(0, 0, 0, .6);
}
@media (prefers-color-scheme: dark) {
:root[data-theme="mokogit-auto"] {
--mokogit-shadow-sm: 0 .125rem .25rem rgba(0, 0, 0, .25);
--mokogit-shadow: 0 .5rem 1rem rgba(0, 0, 0, .5);
--mokogit-shadow-lg: 0 1rem 3rem rgba(0, 0, 0, .6);
}
}
/* ---- Buttons: mokoconsulting weight + padding ---- */
.ui.button,
.ui.buttons .button {
font-weight: 400;
}
/* ---- Soft elevation on floating surfaces ---- */
.ui.card,
.ui.cards > .card,
.ui.segment {
box-shadow: var(--mokogit-shadow-sm);
}
.ui.dropdown .menu,
.ui.menu .dropdown.item .menu {
box-shadow: var(--mokogit-shadow);
}
.ui.modal {
box-shadow: var(--mokogit-shadow-lg);
}
/* ---- Navbar: brand weight for the site title ---- */
#navbar .navbar-brand,
#navbar .brand {
font-weight: 600;
}
/* ---- Footer: navy brand band (color already via --color-footer) ---- */
.page-footer,
footer.page-footer {
color: var(--color-nav-text);
}
.page-footer a {
color: var(--color-nav-text);
opacity: .85;
}
.page-footer a:hover {
opacity: 1;
}
/* ---- Links: mokoconsulting underline affordance in prose ---- */
.markup a:not(.btn):not([class^="ui "]) {
text-decoration-thickness: from-font;
}
+17
View File
@@ -0,0 +1,17 @@
/* Custom issue-status control.
Kept as a plain native <select> (NOT a fomantic ".ui dropdown"): when this
element carried the "ui compact dropdown" class, fomantic enhanced it into an
overlay menu that rendered mispositioned and behind .issue-content, so the
status options were present in the DOM but invisible. A native <select>
renders its option list via the browser, so the options always show.
Styles moved here from an inline style= attribute on the element. */
.issue-status-select {
min-width: 140px;
padding: 7px 10px;
color: var(--color-text);
border: 1px solid var(--color-secondary);
border-radius: 4px;
background: var(--color-body);
}
@@ -1,8 +0,0 @@
@import "./theme-gitea-light-protanopia-deuteranopia.css" (prefers-color-scheme: light);
@import "./theme-gitea-dark-protanopia-deuteranopia.css" (prefers-color-scheme: dark);
gitea-theme-meta-info {
--theme-display-name: "Auto";
--theme-colorblind-type: "red-green";
--theme-color-scheme: "auto";
}
@@ -1,8 +0,0 @@
@import "./theme-gitea-light-tritanopia.css" (prefers-color-scheme: light);
@import "./theme-gitea-dark-tritanopia.css" (prefers-color-scheme: dark);
gitea-theme-meta-info {
--theme-display-name: "Auto";
--theme-colorblind-type: "blue-yellow";
--theme-color-scheme: "auto";
}
-7
View File
@@ -1,7 +0,0 @@
@import "./theme-gitea-light.css" (prefers-color-scheme: light);
@import "./theme-gitea-dark.css" (prefers-color-scheme: dark);
gitea-theme-meta-info {
--theme-display-name: "Auto";
--theme-color-scheme: "auto";
}
@@ -1,19 +0,0 @@
@import "./theme-gitea-dark.css";
gitea-theme-meta-info {
--theme-display-name: "Dark";
--theme-colorblind-type: "red-green";
--theme-color-scheme: "dark";
}
/* red/green colorblind-friendly colors */
:root {
--color-diff-added-fg: #58a6ff;
--color-diff-added-linenum-bg: #243d5d;
--color-diff-added-row-bg: #132339;
--color-diff-added-word-bg: #214d87;
--color-diff-removed-fg: #f0883e;
--color-diff-removed-linenum-bg: #5b361c;
--color-diff-removed-row-bg: #3c2419;
--color-diff-removed-word-bg: #824e1f;
}
@@ -1,15 +0,0 @@
@import "./theme-gitea-dark.css";
gitea-theme-meta-info {
--theme-display-name: "Dark";
--theme-colorblind-type: "blue-yellow";
--theme-color-scheme: "dark";
}
/* blue/yellow colorblind-friendly colors */
:root {
--color-diff-added-fg: #58a6ff;
--color-diff-added-linenum-bg: #243d5d;
--color-diff-added-row-bg: #132339;
--color-diff-added-word-bg: #214d87;
}
@@ -1,19 +0,0 @@
@import "./theme-gitea-light.css";
gitea-theme-meta-info {
--theme-display-name: "Light";
--theme-colorblind-type: "red-green";
--theme-color-scheme: "light";
}
/* red/green colorblind-friendly colors */
:root {
--color-diff-added-fg: #2185d0;
--color-diff-added-linenum-bg: #b6e3ff;
--color-diff-added-row-bg: #ddf4ff;
--color-diff-added-word-bg: #b6e3ff;
--color-diff-removed-fg: #fc6500;
--color-diff-removed-linenum-bg: #ffd8b5;
--color-diff-removed-row-bg: #fff1e5;
--color-diff-removed-word-bg: #ffd8b5;
}
@@ -1,15 +0,0 @@
@import "./theme-gitea-light.css";
gitea-theme-meta-info {
--theme-display-name: "Light";
--theme-colorblind-type: "blue-yellow";
--theme-color-scheme: "light";
}
/* blue/yellow colorblind-friendly colors */
:root {
--color-diff-added-fg: #2185d0;
--color-diff-added-linenum-bg: #b6e3ff;
--color-diff-added-row-bg: #ddf4ff;
--color-diff-added-word-bg: #b6e3ff;
}
@@ -0,0 +1,7 @@
@import "./theme-mokogit-light.css" (prefers-color-scheme: light);
@import "./theme-mokogit-dark.css" (prefers-color-scheme: dark);
gitea-theme-meta-info {
--theme-display-name: "MokoGIT Auto";
--theme-color-scheme: "auto";
}
@@ -1,37 +1,38 @@
gitea-theme-meta-info {
--theme-display-name: "Dark";
--theme-display-name: "MokoGIT Dark";
--theme-color-scheme: "dark";
}
:root {
--is-dark-theme: true;
--color-primary: #4183c4;
/* MokoGIT brand primary (dark): bright sky-blue accent (mokoconsulting.tech --accent-color-primary #3f8ff0), readable on dark bg. Nav uses #112855 below. */
--color-primary: #3f8ff0;
--color-primary-contrast: #ffffff;
--color-primary-dark-1: #548fca;
--color-primary-dark-2: #679cd0;
--color-primary-dark-3: #7aa8d6;
--color-primary-dark-4: #8db5dc;
--color-primary-dark-5: #b3cde7;
--color-primary-dark-6: #d9e6f3;
--color-primary-dark-7: #f4f8fb;
--color-primary-light-1: #3876b3;
--color-primary-light-2: #31699f;
--color-primary-light-3: #2b5c8b;
--color-primary-light-4: #254f77;
--color-primary-light-5: #193450;
--color-primary-light-6: #0c1a28;
--color-primary-light-7: #04080c;
--color-primary-alpha-10: #4183c419;
--color-primary-alpha-20: #4183c433;
--color-primary-alpha-30: #4183c44b;
--color-primary-alpha-40: #4183c466;
--color-primary-alpha-50: #4183c480;
--color-primary-alpha-60: #4183c499;
--color-primary-alpha-70: #4183c4b3;
--color-primary-alpha-80: #4183c4cc;
--color-primary-alpha-90: #4183c4e1;
--color-primary-hover: var(--color-primary-light-1);
--color-primary-active: var(--color-primary-light-2);
--color-primary-dark-1: #58a0f5;
--color-primary-dark-2: #71b0f8;
--color-primary-dark-3: #8bbffa;
--color-primary-dark-4: #a5cffb;
--color-primary-dark-5: #c5e0fd;
--color-primary-dark-6: #e0eefe;
--color-primary-dark-7: #f3f8ff;
--color-primary-light-1: #3579cf;
--color-primary-light-2: #2c66b0;
--color-primary-light-3: #234f88;
--color-primary-light-4: #1a3a63;
--color-primary-light-5: #14304f;
--color-primary-light-6: #0c1c30;
--color-primary-light-7: #060e18;
--color-primary-alpha-10: #3f8ff019;
--color-primary-alpha-20: #3f8ff033;
--color-primary-alpha-30: #3f8ff04b;
--color-primary-alpha-40: #3f8ff066;
--color-primary-alpha-50: #3f8ff080;
--color-primary-alpha-60: #3f8ff099;
--color-primary-alpha-70: #3f8ff0b3;
--color-primary-alpha-80: #3f8ff0cc;
--color-primary-alpha-90: #3f8ff0e1;
--color-primary-hover: var(--color-primary-dark-1);
--color-primary-active: var(--color-primary-dark-2);
--color-secondary: #3f4248;
--color-secondary-dark-1: #46494f;
--color-secondary-dark-2: #4f5259;
@@ -72,14 +73,14 @@ gitea-theme-meta-info {
--color-console-menu-bg: #292b2e;
--color-console-menu-border: #46494f;
--color-console-link: #969aa1;
/* named colors */
--color-red: #cc4848;
--color-orange: #cc580c;
--color-yellow: #cc9903;
/* named colors - MokoGIT/mokoconsulting.tech brand palette (dark tuned) */
--color-red: #ff7a73;
--color-orange: #ff9c4d;
--color-yellow: #ffd166;
--color-olive: #91a313;
--color-green: #87ab63;
--color-teal: #00918a;
--color-blue: #3a8ac6;
--color-green: #78d694;
--color-teal: #76e3ff;
--color-blue: #91a4ff;
--color-violet: #906ae1;
--color-purple: #b259d0;
--color-pink: #d22e8b;
@@ -207,11 +208,11 @@ gitea-theme-meta-info {
--color-orange-badge-hover-bg: #f2711c4d;
--color-git: #f05133;
--color-logo: #609926;
/* target-based colors */
--color-body: #1e1f20;
--color-box-header: #1b1c1e;
--color-box-body: #161718;
--color-box-body-highlight: #202124;
/* target-based colors - MokoGIT navy-dark surfaces (mokoconsulting.tech) */
--color-body: #0e1318;
--color-box-header: #151b22;
--color-box-body: #10151b;
--color-box-body-highlight: #151b22;
--color-text-dark: #f8f8f8;
--color-text: #d2d4d8;
--color-text-light: #c0c2c7;
@@ -238,7 +239,7 @@ gitea-theme-meta-info {
--color-code-bg: #161718;
--color-shadow: #0b0b0c58;
--color-shadow-opaque: #0b0b0c;
--color-secondary-bg: #2e3033;
--color-secondary-bg: #151b22;
--color-expand-button: #333539;
--color-placeholder-text: var(--color-text-light-3);
--color-editor-line-highlight: var(--color-secondary-alpha-40);
@@ -250,9 +251,10 @@ gitea-theme-meta-info {
--color-reaction-active-bg: var(--color-primary-light-5);
--color-tooltip-text: #fafafa;
--color-tooltip-bg: #0b0b0cf0;
--color-nav-bg: #18191b;
--color-nav-hover-bg: var(--color-secondary-light-1);
--color-nav-text: var(--color-text);
/* MokoGIT brand: signature deep-navy top nav + footer (matches mokoconsulting.tech) */
--color-nav-bg: #112855;
--color-nav-hover-bg: rgba(255, 255, 255, 0.12);
--color-nav-text: #ffffff;
--color-secondary-nav-bg: #1a1b1e;
--color-label-text: var(--color-text);
--color-label-bg: #7a7f8a4b;
@@ -1,35 +1,36 @@
gitea-theme-meta-info {
--theme-display-name: "Light";
--theme-display-name: "MokoGIT Light";
--theme-color-scheme: "light";
}
:root {
--is-dark-theme: false;
--color-primary: #4183c4;
/* MokoGIT brand primary: deep navy (mokoconsulting.tech --primary #010156). Nav uses #112855 below. */
--color-primary: #010156;
--color-primary-contrast: #ffffff;
--color-primary-dark-1: #3876b3;
--color-primary-dark-2: #31699f;
--color-primary-dark-3: #2b5c8b;
--color-primary-dark-4: #254f77;
--color-primary-dark-5: #193450;
--color-primary-dark-6: #0c1a28;
--color-primary-dark-7: #04080c;
--color-primary-light-1: #548fca;
--color-primary-light-2: #679cd0;
--color-primary-light-3: #7aa8d6;
--color-primary-light-4: #8db5dc;
--color-primary-light-5: #b3cde7;
--color-primary-light-6: #d9e6f3;
--color-primary-light-7: #f4f8fb;
--color-primary-alpha-10: #4183c419;
--color-primary-alpha-20: #4183c433;
--color-primary-alpha-30: #4183c44b;
--color-primary-alpha-40: #4183c466;
--color-primary-alpha-50: #4183c480;
--color-primary-alpha-60: #4183c499;
--color-primary-alpha-70: #4183c4b3;
--color-primary-alpha-80: #4183c4cc;
--color-primary-alpha-90: #4183c4e1;
--color-primary-dark-1: #010149;
--color-primary-dark-2: #010141;
--color-primary-dark-3: #010139;
--color-primary-dark-4: #010130;
--color-primary-dark-5: #010122;
--color-primary-dark-6: #010114;
--color-primary-dark-7: #01010a;
--color-primary-light-1: #12137a;
--color-primary-light-2: #2a2c99;
--color-primary-light-3: #4548b8;
--color-primary-light-4: #6b6ecf;
--color-primary-light-5: #b3b4de;
--color-primary-light-6: #d9daf0;
--color-primary-light-7: #f3f3fb;
--color-primary-alpha-10: #01015619;
--color-primary-alpha-20: #01015633;
--color-primary-alpha-30: #0101564b;
--color-primary-alpha-40: #01015666;
--color-primary-alpha-50: #01015680;
--color-primary-alpha-60: #01015699;
--color-primary-alpha-70: #010156b3;
--color-primary-alpha-80: #010156cc;
--color-primary-alpha-90: #010156e1;
--color-primary-hover: var(--color-primary-dark-1);
--color-primary-active: var(--color-primary-dark-2);
--color-secondary: #d0d7de;
@@ -72,14 +73,14 @@ gitea-theme-meta-info {
--color-console-menu-bg: #f8f9fb;
--color-console-menu-border: #d0d7de;
--color-console-link: #5c656d;
/* named colors */
--color-red: #db2828;
--color-orange: #f2711c;
--color-yellow: #fbbd08;
/* named colors - MokoGIT/mokoconsulting.tech brand palette */
--color-red: #a51f18;
--color-orange: #fd7e17;
--color-yellow: #ad6200;
--color-olive: #b5cc18;
--color-green: #21ba45;
--color-teal: #00b5ad;
--color-blue: #2185d0;
--color-green: #448344;
--color-teal: #5abfdd;
--color-blue: #010156;
--color-violet: #6435c9;
--color-purple: #a333c8;
--color-pink: #e03997;
@@ -238,7 +239,7 @@ gitea-theme-meta-info {
--color-code-bg: #fafdff;
--color-shadow: #00001726;
--color-shadow-opaque: #c7ced5;
--color-secondary-bg: #f2f5f8;
--color-secondary-bg: #eaedf0;
--color-expand-button: #cfe8fa;
--color-placeholder-text: var(--color-text-light-3);
--color-editor-line-highlight: var(--color-secondary-alpha-30);
@@ -250,9 +251,10 @@ gitea-theme-meta-info {
--color-reaction-active-bg: var(--color-primary-light-6);
--color-tooltip-text: #fbfdff;
--color-tooltip-bg: #000017f0;
--color-nav-bg: #f6f7fa;
--color-nav-hover-bg: var(--color-secondary-light-1);
--color-nav-text: var(--color-text);
/* MokoGIT brand: signature deep-navy top nav + footer (matches mokoconsulting.tech) */
--color-nav-bg: #112855;
--color-nav-hover-bg: rgba(255, 255, 255, 0.12);
--color-nav-text: #ffffff;
--color-secondary-nav-bg: #f9fafb;
--color-label-text: var(--color-text);
--color-label-bg: #949da64b;
+165
View File
@@ -0,0 +1,165 @@
Fonticons, Inc. (https://fontawesome.com)
--------------------------------------------------------------------------------
Font Awesome Free License
Font Awesome Free is free, open source, and GPL friendly. You can use it for
commercial projects, open source projects, or really almost whatever you want.
Full Font Awesome Free license: https://fontawesome.com/license/free.
--------------------------------------------------------------------------------
# Icons: CC BY 4.0 License (https://creativecommons.org/licenses/by/4.0/)
The Font Awesome Free download is licensed under a Creative Commons
Attribution 4.0 International License and applies to all icons packaged
as SVG and JS file types.
--------------------------------------------------------------------------------
# Fonts: SIL OFL 1.1 License
In the Font Awesome Free download, the SIL OFL license applies to all icons
packaged as web and desktop font files.
Copyright (c) 2025 Fonticons, Inc. (https://fontawesome.com)
with Reserved Font Name: "Font Awesome".
This Font Software is licensed under the SIL Open Font License, Version 1.1.
This license is copied below, and is also available with a FAQ at:
http://scripts.sil.org/OFL
SIL OPEN FONT LICENSE
Version 1.1 - 26 February 2007
PREAMBLE
The goals of the Open Font License (OFL) are to stimulate worldwide
development of collaborative font projects, to support the font creation
efforts of academic and linguistic communities, and to provide a free and
open framework in which fonts may be shared and improved in partnership
with others.
The OFL allows the licensed fonts to be used, studied, modified and
redistributed freely as long as they are not sold by themselves. The
fonts, including any derivative works, can be bundled, embedded,
redistributed and/or sold with any software provided that any reserved
names are not used by derivative works. The fonts and derivatives,
however, cannot be released under any other type of license. The
requirement for fonts to remain under this license does not apply
to any document created using the fonts or their derivatives.
DEFINITIONS
"Font Software" refers to the set of files released by the Copyright
Holder(s) under this license and clearly marked as such. This may
include source files, build scripts and documentation.
"Reserved Font Name" refers to any names specified as such after the
copyright statement(s).
"Original Version" refers to the collection of Font Software components as
distributed by the Copyright Holder(s).
"Modified Version" refers to any derivative made by adding to, deleting,
or substituting — in part or in whole — any of the components of the
Original Version, by changing formats or by porting the Font Software to a
new environment.
"Author" refers to any designer, engineer, programmer, technical
writer or other person who contributed to the Font Software.
PERMISSION & CONDITIONS
Permission is hereby granted, free of charge, to any person obtaining
a copy of the Font Software, to use, study, copy, merge, embed, modify,
redistribute, and sell modified and unmodified copies of the Font
Software, subject to the following conditions:
1) Neither the Font Software nor any of its individual components,
in Original or Modified Versions, may be sold by itself.
2) Original or Modified Versions of the Font Software may be bundled,
redistributed and/or sold with any software, provided that each copy
contains the above copyright notice and this license. These can be
included either as stand-alone text files, human-readable headers or
in the appropriate machine-readable metadata fields within text or
binary files as long as those fields can be easily viewed by the user.
3) No Modified Version of the Font Software may use the Reserved Font
Name(s) unless explicit written permission is granted by the corresponding
Copyright Holder. This restriction only applies to the primary font name as
presented to the users.
4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
Software shall not be used to promote, endorse or advertise any
Modified Version, except to acknowledge the contribution(s) of the
Copyright Holder(s) and the Author(s) or with their explicit written
permission.
5) The Font Software, modified or unmodified, in part or in whole,
must be distributed entirely under this license, and must not be
distributed under any other license. The requirement for fonts to
remain under this license does not apply to any document created
using the Font Software.
TERMINATION
This license becomes null and void if any of the above conditions are
not met.
DISCLAIMER
THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
OTHER DEALINGS IN THE FONT SOFTWARE.
--------------------------------------------------------------------------------
# Code: MIT License (https://opensource.org/licenses/MIT)
In the Font Awesome Free download, the MIT license applies to all non-font and
non-icon files.
Copyright 2025 Fonticons, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in the
Software without restriction, including without limitation the rights to use, copy,
modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
and to permit persons to whom the Software is furnished to do so, subject to the
following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
# Attribution
Attribution is required by MIT, SIL OFL, and CC BY licenses. Downloaded Font
Awesome Free files already contain embedded comments with sufficient
attribution, so you shouldn't need to do anything additional when using these
files normally.
We've kept attribution comments terse, so we ask that you do not actively work
to remove them from files, especially code. They're a great way for folks to
learn about Font Awesome.
--------------------------------------------------------------------------------
# Brand Icons
All brand icons are trademarks of their respective owners. The use of these
trademarks does not indicate endorsement of the trademark holder by Font
Awesome, nor vice versa. **Please do not use brand logos for any purpose except
to represent the company, product, or service to which they refer.**
File diff suppressed because one or more lines are too long
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
+183
View File
@@ -0,0 +1,183 @@
// MokoGIT accessibility menu (ported from MokoOnyx / mokoconsulting.tech).
// Client-side, persisted in localStorage["moko-a11y"]. Each option toggles a
// class on <html> (except text size, which sets root font-size). Labels are read
// from data-* attributes on the toggle button so they stay localized.
type A11yState = {
fontStep: number; // index into FONT_STEPS
invert: boolean;
contrast: boolean;
links: boolean;
readable: boolean;
pauseAnim: boolean;
};
const LS_KEY = 'moko-a11y';
const FONT_STEPS = [85, 90, 100, 110, 120, 130];
const DEFAULT_STEP = 2; // 100%
const DEFAULT_STATE: A11yState = {
fontStep: DEFAULT_STEP, invert: false, contrast: false, links: false, readable: false, pauseAnim: false,
};
function load(): A11yState {
try {
return {...DEFAULT_STATE, ...JSON.parse(localStorage.getItem(LS_KEY) || '{}')};
} catch {
return {...DEFAULT_STATE};
}
}
function save(s: A11yState): void {
try {
localStorage.setItem(LS_KEY, JSON.stringify(s));
} catch {}
}
function apply(s: A11yState): void {
const el = document.documentElement;
el.style.fontSize = `${FONT_STEPS[s.fontStep] ?? 100}%`;
el.classList.toggle('a11y-inverted', s.invert);
el.classList.toggle('a11y-high-contrast', s.contrast);
el.classList.toggle('a11y-highlight-links', s.links);
el.classList.toggle('a11y-readable-font', s.readable);
el.classList.toggle('a11y-pause-animations', s.pauseAnim);
}
// Apply persisted prefs as early as this module runs, to minimize flash.
apply(load());
function makeSwitch(labelText: string, checked: boolean, onChange: (v: boolean) => void): HTMLElement {
const row = document.createElement('div');
row.className = 'a11y-row';
const label = document.createElement('span');
label.className = 'a11y-row-label';
label.textContent = labelText;
const btn = document.createElement('button');
btn.type = 'button';
btn.className = 'a11y-switch';
btn.setAttribute('role', 'switch');
btn.setAttribute('aria-checked', String(checked));
btn.setAttribute('aria-label', labelText);
const setVisual = (v: boolean) => {
btn.setAttribute('aria-checked', String(v));
btn.classList.toggle('is-on', v);
};
setVisual(checked);
btn.addEventListener('click', () => {
const v = btn.getAttribute('aria-checked') !== 'true';
setVisual(v);
onChange(v);
});
row.append(label, btn);
return row;
}
function buildPanel(btn: HTMLElement, state: A11yState): HTMLElement {
const d = btn.dataset;
const panel = document.createElement('div');
panel.className = 'a11y-panel';
panel.id = 'mokogit-a11y-panel';
panel.setAttribute('role', 'dialog');
panel.setAttribute('aria-label', d.labelTitle || 'Accessibility');
panel.hidden = true;
const title = document.createElement('div');
title.className = 'a11y-panel-title';
title.textContent = d.labelTitle || 'Accessibility';
panel.append(title);
// Text size group: - [nnn%] + reset
const sizeRow = document.createElement('div');
sizeRow.className = 'a11y-row a11y-size-row';
const sizeLabel = document.createElement('span');
sizeLabel.className = 'a11y-row-label';
sizeLabel.textContent = d.labelTextsize || 'Text size';
const controls = document.createElement('div');
controls.className = 'a11y-size-controls';
const dec = document.createElement('button');
dec.type = 'button'; dec.className = 'a11y-size-btn'; dec.textContent = '';
dec.setAttribute('aria-label', d.labelDecrease || 'Decrease text size');
const pct = document.createElement('span');
pct.className = 'a11y-size-value';
const inc = document.createElement('button');
inc.type = 'button'; inc.className = 'a11y-size-btn'; inc.textContent = '+';
inc.setAttribute('aria-label', d.labelIncrease || 'Increase text size');
const rst = document.createElement('button');
rst.type = 'button'; rst.className = 'a11y-size-btn a11y-size-reset';
rst.textContent = d.labelReset || 'Reset';
const renderPct = () => { pct.textContent = `${FONT_STEPS[state.fontStep]}%`; };
renderPct();
dec.addEventListener('click', () => { state.fontStep = Math.max(0, state.fontStep - 1); renderPct(); apply(state); save(state); });
inc.addEventListener('click', () => { state.fontStep = Math.min(FONT_STEPS.length - 1, state.fontStep + 1); renderPct(); apply(state); save(state); });
rst.addEventListener('click', () => { state.fontStep = DEFAULT_STEP; renderPct(); apply(state); save(state); });
controls.append(dec, pct, inc, rst);
sizeRow.append(sizeLabel, controls);
panel.append(sizeRow);
const commit = (k: 'invert' | 'contrast' | 'links' | 'readable' | 'pauseAnim', v: boolean) => { state[k] = v; apply(state); save(state); };
panel.append(makeSwitch(d.labelInvert || 'Invert colors', state.invert, (v) => commit('invert', v)));
panel.append(makeSwitch(d.labelContrast || 'High contrast', state.contrast, (v) => commit('contrast', v)));
panel.append(makeSwitch(d.labelLinks || 'Highlight links', state.links, (v) => commit('links', v)));
panel.append(makeSwitch(d.labelReadable || 'Readable font', state.readable, (v) => commit('readable', v)));
panel.append(makeSwitch(d.labelPause || 'Pause animations', state.pauseAnim, (v) => commit('pauseAnim', v)));
const resetAll = document.createElement('button');
resetAll.type = 'button';
resetAll.className = 'a11y-reset-all';
resetAll.textContent = d.labelResetall || 'Reset all';
resetAll.addEventListener('click', () => {
Object.assign(state, DEFAULT_STATE);
apply(state); save(state);
// rebuild to reflect reset state
panel.replaceWith(buildPanel(btn, state));
(document.querySelector('#mokogit-a11y-panel') as HTMLElement).hidden = false;
});
panel.append(resetAll);
return panel;
}
export function initA11yMenu(): void {
const btn = document.querySelector<HTMLButtonElement>('#mokogit-a11y-toggle');
if (!btn) return;
const state = load();
apply(state);
let panel = buildPanel(btn, state);
document.body.append(panel);
const positionPanel = () => {
const r = btn.getBoundingClientRect();
panel.style.top = `${Math.round(r.bottom + 6)}px`;
panel.style.right = `${Math.round(window.innerWidth - r.right)}px`;
};
const open = () => {
panel = document.querySelector('#mokogit-a11y-panel') as HTMLElement;
positionPanel();
panel.hidden = false;
btn.setAttribute('aria-expanded', 'true');
document.addEventListener('click', onDocClick, true);
document.addEventListener('keydown', onKey, true);
};
const close = () => {
(document.querySelector('#mokogit-a11y-panel') as HTMLElement).hidden = true;
btn.setAttribute('aria-expanded', 'false');
document.removeEventListener('click', onDocClick, true);
document.removeEventListener('keydown', onKey, true);
};
const onDocClick = (e: MouseEvent) => {
const p = document.querySelector('#mokogit-a11y-panel') as HTMLElement;
if (p.contains(e.target as Node) || btn.contains(e.target as Node)) return;
close();
};
const onKey = (e: KeyboardEvent) => {
if (e.key === 'Escape') { close(); btn.focus(); }
};
btn.addEventListener('click', (e) => {
e.preventDefault();
const p = document.querySelector('#mokogit-a11y-panel') as HTMLElement;
p.hidden ? open() : close();
});
}
+43
View File
@@ -0,0 +1,43 @@
// MokoGIT navbar light/dark toggle.
// Signed-in users: persists to the account via the existing
// /user/settings/appearance/theme endpoint (a hidden CSRF-protected form is
// rendered in the navbar), so the choice syncs across devices; the page reloads
// with the new theme. Anonymous users: best-effort data-theme flip + localStorage
// (only the server-served theme CSS is loaded for anon, so effect is limited).
const LIGHT = 'mokogit-light';
const DARK = 'mokogit-dark';
const LS_KEY = 'mokogit-theme';
function currentIsDark(): boolean {
const t = document.documentElement.getAttribute('data-theme') || '';
if (t.includes('dark')) return true;
if (t.includes('light')) return false;
// auto / unknown -> follow the OS preference
return window.matchMedia?.('(prefers-color-scheme: dark)').matches ?? false;
}
export function initThemeToggle(): void {
const btn = document.querySelector<HTMLButtonElement>('#mokogit-theme-toggle');
if (!btn) return;
const sync = () => btn.classList.toggle('is-dark', currentIsDark());
sync();
btn.addEventListener('click', () => {
const target = currentIsDark() ? LIGHT : DARK;
const form = document.querySelector<HTMLFormElement>('#mokogit-theme-form');
if (form) {
const input = form.querySelector<HTMLInputElement>('input[name="theme"]');
if (input) input.value = target;
form.submit(); // server persists + redirects back, re-rendering with the new theme
return;
}
// anonymous best-effort
document.documentElement.setAttribute('data-theme', target);
try {
localStorage.setItem(LS_KEY, target);
} catch {}
sync();
});
}
+5
View File
@@ -39,6 +39,8 @@ import {initInstall} from './features/install.ts';
import {initCompWebHookEditor} from './features/comp/WebHookEditor.ts';
import {initRepoBranchButton} from './features/repo-branch.ts';
import {initCommonOrganization} from './features/common-organization.ts';
import {initThemeToggle} from './features/theme-toggle.ts';
import {initA11yMenu} from './features/a11y-menu.ts';
import {initRepoWikiForm} from './features/repo-wiki.ts';
import {initRepository, initBranchSelectorTabs} from './features/repo-legacy.ts';
import {initCopyContent} from './features/copycontent.ts';
@@ -163,6 +165,9 @@ const initPerformanceTracer = callInitFunctions([
initActionsPermissionsForm,
initDevtest,
initThemeToggle,
initA11yMenu,
]);
// it must be the last one, then the "querySelectorAll" only needs to be executed once for global init functions.
+30
View File
@@ -0,0 +1,30 @@
# Third-Party & Vendored Assets
MokoGIT bundles a small number of third-party assets. Each is redistributed under
its own license, with attribution retained here, in the repository
[`THIRD-PARTY-NOTICES.md`](https://git.mokoconsulting.tech/MokoConsulting/MokoGIT/src/branch/main/THIRD-PARTY-NOTICES.md),
and alongside the vendored files.
> **White-labeling note:** these attribution obligations survive rebranding. When
> producing a white-labeled build, keep this page (or the `THIRD-PARTY-NOTICES.md`
> file) accessible to end users. You may keep attribution out of the visible UI, but
> it must remain reachable in the product's documentation or licenses listing.
## Font Awesome Free 7.1.0
- **Author / Copyright:** (c) 2025 Fonticons, Inc. -- <https://fontawesome.com>
- **Upstream license:** <https://fontawesome.com/license/free>
- **Vendored at:** `web_src/css/vendor/fontawesome/` (CSS + `.woff2` webfonts, unmodified)
- **License text shipped at:** `web_src/css/vendor/fontawesome/LICENSE.txt`
Font Awesome Free is multi-licensed by file type:
| Component | License |
| --- | --- |
| Icons (glyph designs) | CC BY 4.0 -- attribution to Fonticons, Inc. required |
| Fonts (`.woff2`) | SIL OFL 1.1 -- shipped with the OFL text; font files unmodified; reserved font name "Font Awesome" retained |
| Code (CSS) | MIT -- copyright header retained in `all.min.css` |
**Do not** subset, regenerate, or rename the vendored font files -- modifying them
triggers the SIL OFL Reserved Font Name restriction. Keep the license header comment
in `all.min.css` intact.