Template
Compare commits
76 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| f983d3771b | |||
| 9ed5e2a6ed | |||
| 0f72a807be | |||
| f117c0de0f | |||
| 27fc4dddcf | |||
| 5cea5c5b6b | |||
| 97183ea293 | |||
| 78cbb2704a | |||
| 5505a305cc | |||
| ab9112c234 | |||
| 5fe246908c | |||
| 1503cca367 | |||
| c5e5ca3261 | |||
| f8a105ec7a | |||
| d70de91d3d | |||
| 6fa062a61a | |||
| 36ce9234eb | |||
| 444d9fc732 | |||
| d4e3aa57d0 | |||
| 026e7266b6 | |||
| eff49e0260 | |||
| a2ad009425 | |||
| ba05fec731 | |||
| bdd843c8d3 | |||
| 256e45f092 | |||
| 77ca6c37d4 | |||
| d5714805f8 | |||
| 780bb86b1f | |||
| f323e69fe0 | |||
| 43670c9e22 | |||
| 0c60846ff6 | |||
| 0ce5dc1789 | |||
| 698b8e9b18 | |||
| 8af663df17 | |||
| 3e7f57c258 | |||
| e3e0a68a1c | |||
| f216bd0f7c | |||
| 4c23fc5ae5 | |||
| 6aee534334 | |||
| 8ecee813dd | |||
| d88e725cd3 | |||
| af60e0af7e | |||
| 1806f4f457 | |||
| 06a23f53cc | |||
| e8aea5bf6d | |||
| ab5dca295e | |||
| cf35adb1db | |||
| a5d777c62f | |||
| 5154d97bff | |||
| 591bfa76c3 | |||
| dd13aff38c | |||
| 2aaa79c0d2 | |||
| 9b15d342b1 | |||
| 521e4e4ba1 | |||
| edc3316ac8 | |||
| b9e4777d4a | |||
| 1e301e7401 | |||
| a9a01c322b | |||
| 79b6aedf76 | |||
| a91c05730e | |||
| 1c1b23c640 | |||
| 6f50658213 | |||
| 6a923039f8 | |||
| ee15d17974 | |||
| e558156b11 | |||
| 2a5aac40df | |||
| a254b02b86 | |||
| 5e20194dd0 | |||
| 5fdce27fe2 | |||
| 0de85a595f | |||
| 89c21dee45 | |||
| f2e3d2caa5 | |||
| 419504ee4b | |||
| 436fa138e8 | |||
| c606c3c453 | |||
| aad56fc91a |
@@ -8,10 +8,10 @@ contact_links:
|
|||||||
url: https://mokoconsulting.tech/
|
url: https://mokoconsulting.tech/
|
||||||
about: Get help or ask questions through our website
|
about: Get help or ask questions through our website
|
||||||
- name: 📚 MokoStandards Documentation
|
- name: 📚 MokoStandards Documentation
|
||||||
url: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
|
url: https://git.mokoconsulting.tech/MokoConsulting/MokoCLI
|
||||||
about: View our coding standards and best practices
|
about: View our coding standards and best practices
|
||||||
- name: 🔒 Report a Security Vulnerability
|
- name: 🔒 Report a Security Vulnerability
|
||||||
url: https://git.mokoconsulting.tech/mokoconsulting-tech/.github-private/security/advisories/new
|
url: https://git.mokoconsulting.tech/MokoConsulting/.github-private/security/advisories/new
|
||||||
about: Report security vulnerabilities privately (for critical issues)
|
about: Report security vulnerabilities privately (for critical issues)
|
||||||
- name: 💡 Community Discussions
|
- name: 💡 Community Discussions
|
||||||
url: https://github.com/orgs/mokoconsulting-tech/discussions
|
url: https://github.com/orgs/mokoconsulting-tech/discussions
|
||||||
|
|||||||
@@ -2,8 +2,8 @@
|
|||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
# FILE INFORMATION
|
# FILE INFORMATION
|
||||||
# DEFGROUP: Gitea.Workflow
|
# DEFGROUP: Gitea.Workflow
|
||||||
# INGROUP: moko-platform.Automation
|
# INGROUP: mokocli.Automation
|
||||||
# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoCLI
|
||||||
# PATH: /.gitea/workflows/branch-protection.yml
|
# PATH: /.gitea/workflows/branch-protection.yml
|
||||||
# BRIEF: Apply standardised branch protection rules to all governed repositories
|
# BRIEF: Apply standardised branch protection rules to all governed repositories
|
||||||
#
|
#
|
||||||
@@ -62,7 +62,7 @@ jobs:
|
|||||||
API="${GITEA_URL}/api/v1"
|
API="${GITEA_URL}/api/v1"
|
||||||
|
|
||||||
# Platform/standards/infra repos to exclude
|
# Platform/standards/infra repos to exclude
|
||||||
EXCLUDE="gitea-org-config org-profile gitea-private .mokogitea-private MokoStandards moko-platform MokoTesting"
|
EXCLUDE="gitea-org-config org-profile gitea-private .mokogitea-private MokoStandards mokocli MokoTesting"
|
||||||
EXCLUDE="$EXCLUDE MokoStandards-Template-Client MokoStandards-Template-Dolibarr MokoStandards-Template-Generic MokoStandards-Template-Joomla MokoDoliProjTemplate"
|
EXCLUDE="$EXCLUDE MokoStandards-Template-Client MokoStandards-Template-Dolibarr MokoStandards-Template-Generic MokoStandards-Template-Joomla MokoDoliProjTemplate"
|
||||||
|
|
||||||
if [ -n "${{ inputs.repos }}" ]; then
|
if [ -n "${{ inputs.repos }}" ]; then
|
||||||
|
|||||||
@@ -1,24 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!--
|
|
||||||
MokoStandards Repository Manifest
|
|
||||||
Template: MCP Server
|
|
||||||
See: https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki/Home
|
|
||||||
-->
|
|
||||||
<moko-platform xmlns="https://standards.mokoconsulting.tech/moko-platform/1.0" schema-version="1.0">
|
|
||||||
<identity>
|
|
||||||
<name>Template-MCP</name>
|
|
||||||
<org>MokoConsulting</org>
|
|
||||||
<description>Template repository for Model Context Protocol (MCP) servers</description>
|
|
||||||
<license spdx="GPL-3.0-or-later">GNU General Public License v3</license>
|
|
||||||
</identity>
|
|
||||||
<governance>
|
|
||||||
<platform>mcp</platform>
|
|
||||||
<standards-version>05.00.00</standards-version>
|
|
||||||
<standards-source>https://git.mokoconsulting.tech/MokoConsulting/moko-platform</standards-source>
|
|
||||||
</governance>
|
|
||||||
<build>
|
|
||||||
<language>TypeScript</language>
|
|
||||||
<package-type>mcp-server</package-type>
|
|
||||||
<entry-point>src/</entry-point>
|
|
||||||
</build>
|
|
||||||
</moko-platform>
|
|
||||||
@@ -1,76 +0,0 @@
|
|||||||
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
|
||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
||||||
#
|
|
||||||
# FILE INFORMATION
|
|
||||||
# DEFGROUP: GitHub.Workflow
|
|
||||||
# INGROUP: MokoStandards.Workflows.Shared
|
|
||||||
# REPO: https://github.com/mokoconsulting-tech/MokoStandards
|
|
||||||
# PATH: /.mokogitea/workflows/auto-assign.yml
|
|
||||||
# VERSION: 04.06.00
|
|
||||||
# BRIEF: Auto-assign jmiller to unassigned issues and PRs every 15 minutes
|
|
||||||
|
|
||||||
name: "Universal: Auto-Assign"
|
|
||||||
|
|
||||||
on:
|
|
||||||
issues:
|
|
||||||
types: [opened]
|
|
||||||
pull_request_target:
|
|
||||||
types: [opened]
|
|
||||||
schedule:
|
|
||||||
- cron: '0 */12 * * *'
|
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
issues: write
|
|
||||||
pull-requests: write
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
auto-assign:
|
|
||||||
name: Assign unassigned issues and PRs
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Assign unassigned issues
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
|
|
||||||
run: |
|
|
||||||
REPO="${{ github.repository }}"
|
|
||||||
ASSIGNEE="jmiller"
|
|
||||||
|
|
||||||
echo "## 🏷️ Auto-Assign Report" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
ASSIGNED_ISSUES=0
|
|
||||||
ASSIGNED_PRS=0
|
|
||||||
|
|
||||||
# Assign unassigned open issues
|
|
||||||
ISSUES=$(gh api "repos/$REPO/issues?state=open&per_page=100&assignee=none" --jq '.[].number' 2>/dev/null || true)
|
|
||||||
for NUM in $ISSUES; do
|
|
||||||
# Skip PRs (the issues endpoint returns PRs too)
|
|
||||||
IS_PR=$(gh api "repos/$REPO/issues/$NUM" --jq '.pull_request // empty' 2>/dev/null || true)
|
|
||||||
if [ -z "$IS_PR" ]; then
|
|
||||||
gh api "repos/$REPO/issues/$NUM/assignees" -X POST -f "assignees[]=$ASSIGNEE" --silent 2>/dev/null && {
|
|
||||||
ASSIGNED_ISSUES=$((ASSIGNED_ISSUES + 1))
|
|
||||||
echo " Assigned issue #$NUM"
|
|
||||||
} || true
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
# Assign unassigned open PRs
|
|
||||||
PRS=$(gh api "repos/$REPO/pulls?state=open&per_page=100" --jq '.[] | select(.assignees | length == 0) | .number' 2>/dev/null || true)
|
|
||||||
for NUM in $PRS; do
|
|
||||||
gh api "repos/$REPO/issues/$NUM/assignees" -X POST -f "assignees[]=$ASSIGNEE" --silent 2>/dev/null && {
|
|
||||||
ASSIGNED_PRS=$((ASSIGNED_PRS + 1))
|
|
||||||
echo " Assigned PR #$NUM"
|
|
||||||
} || true
|
|
||||||
done
|
|
||||||
|
|
||||||
echo "| Type | Assigned |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "|------|----------|" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| Issues | $ASSIGNED_ISSUES |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| Pull Requests | $ASSIGNED_PRS |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
if [ "$ASSIGNED_ISSUES" -eq 0 ] && [ "$ASSIGNED_PRS" -eq 0 ]; then
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "✅ All issues and PRs already have assignees" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
@@ -4,8 +4,8 @@
|
|||||||
#
|
#
|
||||||
# FILE INFORMATION
|
# FILE INFORMATION
|
||||||
# DEFGROUP: Gitea.Workflow
|
# DEFGROUP: Gitea.Workflow
|
||||||
# INGROUP: moko-platform.Release
|
# INGROUP: mokocli.Release
|
||||||
# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoCLI
|
||||||
# PATH: /.mokogitea/workflows/auto-bump.yml
|
# PATH: /.mokogitea/workflows/auto-bump.yml
|
||||||
# VERSION: 09.02.00
|
# VERSION: 09.02.00
|
||||||
# BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
|
# BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
|
||||||
@@ -22,7 +22,7 @@ on:
|
|||||||
|
|
||||||
env:
|
env:
|
||||||
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
||||||
GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: write
|
contents: write
|
||||||
@@ -43,19 +43,19 @@ jobs:
|
|||||||
token: ${{ secrets.MOKOGITEA_TOKEN }}
|
token: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
fetch-depth: 1
|
fetch-depth: 1
|
||||||
|
|
||||||
- name: Setup moko-platform tools
|
- name: Setup mokocli tools
|
||||||
run: |
|
run: |
|
||||||
if ! command -v composer &> /dev/null; then
|
if ! command -v composer &> /dev/null; then
|
||||||
sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
|
sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
|
||||||
fi
|
fi
|
||||||
if [ -d "/opt/moko-platform/cli" ]; then
|
if [ -d "/opt/mokocli/cli" ]; then
|
||||||
echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
|
echo "MOKO_CLI=/opt/mokocli/cli" >> "$GITHUB_ENV"
|
||||||
else
|
else
|
||||||
git clone --depth 1 --branch main --quiet \
|
git clone --depth 1 --branch main --quiet \
|
||||||
"https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
|
"https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/MokoCLI.git" \
|
||||||
/tmp/moko-platform-api
|
/tmp/mokocli
|
||||||
cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
|
cd /tmp/mokocli && composer install --no-dev --no-interaction --quiet
|
||||||
echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
|
echo "MOKO_CLI=/tmp/mokocli/cli" >> "$GITHUB_ENV"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
- name: Bump version
|
- name: Bump version
|
||||||
|
|||||||
@@ -1,207 +0,0 @@
|
|||||||
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
|
||||||
#
|
|
||||||
# This file is part of a Moko Consulting project.
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
||||||
#
|
|
||||||
# FILE INFORMATION
|
|
||||||
# DEFGROUP: GitHub.Workflow
|
|
||||||
# INGROUP: MokoStandards.Automation
|
|
||||||
# REPO: https://github.com/mokoconsulting-tech/MokoStandards
|
|
||||||
# PATH: /templates/workflows/shared/auto-dev-issue.yml.template
|
|
||||||
# VERSION: 04.06.00
|
|
||||||
# BRIEF: Auto-create tracking issue with sub-issues for dev/rc branch workflow
|
|
||||||
# NOTE: Synced via bulk-repo-sync to .mokogitea/workflows/auto-dev-issue.yml in all governed repos.
|
|
||||||
|
|
||||||
name: "Universal: Dev/RC Branch Issue"
|
|
||||||
|
|
||||||
on:
|
|
||||||
# Auto-create on RC branch creation
|
|
||||||
create:
|
|
||||||
# Manual trigger for dev branches
|
|
||||||
workflow_dispatch:
|
|
||||||
inputs:
|
|
||||||
branch:
|
|
||||||
description: 'Branch name (e.g., dev/my-feature or dev/04.06)'
|
|
||||||
required: true
|
|
||||||
type: string
|
|
||||||
|
|
||||||
env:
|
|
||||||
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
issues: write
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
create-issue:
|
|
||||||
name: Create version tracking issue
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
if: >-
|
|
||||||
(github.event_name == 'workflow_dispatch') ||
|
|
||||||
(github.event.ref_type == 'branch' &&
|
|
||||||
(startsWith(github.event.ref, 'rc/') ||
|
|
||||||
startsWith(github.event.ref, 'alpha/') ||
|
|
||||||
startsWith(github.event.ref, 'beta/')))
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Create tracking issue and sub-issues
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
|
|
||||||
run: |
|
|
||||||
# For manual dispatch, use input; for auto, use event ref
|
|
||||||
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
|
|
||||||
BRANCH="${{ inputs.branch }}"
|
|
||||||
else
|
|
||||||
BRANCH="${{ github.event.ref }}"
|
|
||||||
fi
|
|
||||||
REPO="${{ github.repository }}"
|
|
||||||
ACTOR="${{ github.actor }}"
|
|
||||||
NOW=$(date -u '+%Y-%m-%d %H:%M UTC')
|
|
||||||
|
|
||||||
# Determine branch type and version
|
|
||||||
if [[ "$BRANCH" == rc/* ]]; then
|
|
||||||
VERSION="${BRANCH#rc/}"
|
|
||||||
BRANCH_TYPE="Release Candidate"
|
|
||||||
LABEL_TYPE="type: release"
|
|
||||||
TITLE_PREFIX="rc"
|
|
||||||
elif [[ "$BRANCH" == beta/* ]]; then
|
|
||||||
VERSION="${BRANCH#beta/}"
|
|
||||||
BRANCH_TYPE="Beta"
|
|
||||||
LABEL_TYPE="type: release"
|
|
||||||
TITLE_PREFIX="beta"
|
|
||||||
elif [[ "$BRANCH" == alpha/* ]]; then
|
|
||||||
VERSION="${BRANCH#alpha/}"
|
|
||||||
BRANCH_TYPE="Alpha"
|
|
||||||
LABEL_TYPE="type: release"
|
|
||||||
TITLE_PREFIX="alpha"
|
|
||||||
else
|
|
||||||
VERSION="${BRANCH#dev/}"
|
|
||||||
BRANCH_TYPE="Development"
|
|
||||||
LABEL_TYPE="type: feature"
|
|
||||||
TITLE_PREFIX="feat"
|
|
||||||
fi
|
|
||||||
|
|
||||||
TITLE="${TITLE_PREFIX}(${VERSION}): ${BRANCH_TYPE} tracking for ${BRANCH}"
|
|
||||||
|
|
||||||
# Check for existing issue with same title prefix
|
|
||||||
EXISTING=$(gh api "repos/${REPO}/issues?state=open&per_page=10" \
|
|
||||||
--jq ".[] | select(.title | startswith(\"${TITLE_PREFIX}(${VERSION})\")) | .number" 2>/dev/null | head -1)
|
|
||||||
|
|
||||||
if [ -n "$EXISTING" ]; then
|
|
||||||
echo "ℹ️ Issue #${EXISTING} already exists for ${VERSION}" >> $GITHUB_STEP_SUMMARY
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ── Define sub-issues for the workflow ─────────────────────────
|
|
||||||
if [[ "$BRANCH" == rc/* ]]; then
|
|
||||||
SUB_ISSUES=(
|
|
||||||
"RC Testing|Verify all features work on rc branch|type: test,release-candidate"
|
|
||||||
"Regression Testing|Run full regression suite before merge|type: test,release-candidate"
|
|
||||||
"Version Bump|Bump version in README.md and all headers|type: version,release-candidate"
|
|
||||||
"Changelog Update|Update CHANGELOG.md with release notes|documentation,release-candidate"
|
|
||||||
"Merge to Version Branch|Create PR to version/XX|type: release,needs-review"
|
|
||||||
)
|
|
||||||
elif [[ "$BRANCH" == alpha/* ]] || [[ "$BRANCH" == beta/* ]]; then
|
|
||||||
SUB_ISSUES=(
|
|
||||||
"Testing|Verify features on ${BRANCH_TYPE} branch|type: test,status: in-progress"
|
|
||||||
"Bug Fixes|Fix issues found during ${BRANCH_TYPE} testing|type: bug,status: pending"
|
|
||||||
"Promote to Next Stage|Create PR to promote to next release stage|type: release,needs-review"
|
|
||||||
)
|
|
||||||
else
|
|
||||||
SUB_ISSUES=(
|
|
||||||
"Development|Implement feature/fix on dev branch|type: feature,status: in-progress"
|
|
||||||
"Unit Testing|Write and pass unit tests|type: test,status: pending"
|
|
||||||
"Code Review|Request and complete code review|needs-review,status: pending"
|
|
||||||
"Version Bump|Bump version in README.md and all headers|type: version,status: pending"
|
|
||||||
"Changelog Update|Update CHANGELOG.md with release notes|documentation,status: pending"
|
|
||||||
"Create RC Branch|Promote dev to rc branch for final testing|type: release,status: pending"
|
|
||||||
"Merge to Main|Create PR from rc/dev to main|type: release,needs-review,status: pending"
|
|
||||||
)
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ── Create sub-issues first ───────────────────────────────────────
|
|
||||||
SUB_LIST=""
|
|
||||||
SUB_NUMBERS=""
|
|
||||||
for SUB in "${SUB_ISSUES[@]}"; do
|
|
||||||
IFS='|' read -r SUB_TITLE SUB_DESC SUB_LABELS <<< "$SUB"
|
|
||||||
SUB_FULL_TITLE="${TITLE_PREFIX}(${VERSION}): ${SUB_TITLE}"
|
|
||||||
|
|
||||||
SUB_BODY=$(printf '### %s\n\n%s\n\n| Field | Value |\n|-------|-------|\n| **Parent Branch** | `%s` |\n| **Version** | `%s` |\n\n---\n*Sub-issue of the %s tracking issue for `%s`.*' \
|
|
||||||
"$SUB_TITLE" "$SUB_DESC" "$BRANCH" "$VERSION" "$BRANCH_TYPE" "$BRANCH")
|
|
||||||
|
|
||||||
SUB_URL=$(gh issue create \
|
|
||||||
--repo "$REPO" \
|
|
||||||
--title "$SUB_FULL_TITLE" \
|
|
||||||
--body "$SUB_BODY" \
|
|
||||||
--label "${SUB_LABELS}" \
|
|
||||||
--assignee "jmiller" 2>&1)
|
|
||||||
|
|
||||||
SUB_NUM=$(echo "$SUB_URL" | grep -oE '[0-9]+$')
|
|
||||||
if [ -n "$SUB_NUM" ]; then
|
|
||||||
SUB_LIST="${SUB_LIST}\n- [ ] ${SUB_TITLE} (#${SUB_NUM})"
|
|
||||||
SUB_NUMBERS="${SUB_NUMBERS} #${SUB_NUM}"
|
|
||||||
fi
|
|
||||||
sleep 0.3
|
|
||||||
done
|
|
||||||
|
|
||||||
# ── Create parent tracking issue ──────────────────────────────────
|
|
||||||
PARENT_BODY=$(printf '## %s Branch Created\n\n| Field | Value |\n|-------|-------|\n| **Branch** | `%s` |\n| **Version** | `%s` |\n| **Type** | %s |\n| **Created by** | @%s |\n| **Created at** | %s |\n| **Repository** | `%s` |\n\n## Workflow Sub-Issues\n\n%b\n\n---\n*Auto-created by [auto-dev-issue.yml](.github/workflows/auto-dev-issue.yml) on branch creation.*' \
|
|
||||||
"$BRANCH_TYPE" "$BRANCH" "$VERSION" "$BRANCH_TYPE" "$ACTOR" "$NOW" "$REPO" "$SUB_LIST")
|
|
||||||
|
|
||||||
PARENT_URL=$(gh issue create \
|
|
||||||
--repo "$REPO" \
|
|
||||||
--title "$TITLE" \
|
|
||||||
--body "$PARENT_BODY" \
|
|
||||||
--label "${LABEL_TYPE},version" \
|
|
||||||
--assignee "jmiller" 2>&1)
|
|
||||||
|
|
||||||
PARENT_NUM=$(echo "$PARENT_URL" | grep -oE '[0-9]+$')
|
|
||||||
|
|
||||||
# ── Link sub-issues back to parent ────────────────────────────────
|
|
||||||
if [ -n "$PARENT_NUM" ]; then
|
|
||||||
for SUB in "${SUB_ISSUES[@]}"; do
|
|
||||||
IFS='|' read -r SUB_TITLE _ _ <<< "$SUB"
|
|
||||||
SUB_FULL_TITLE="${TITLE_PREFIX}(${VERSION}): ${SUB_TITLE}"
|
|
||||||
SUB_NUM=$(gh api "repos/${REPO}/issues?state=open&per_page=20" \
|
|
||||||
--jq ".[] | select(.title == \"${SUB_FULL_TITLE}\") | .number" 2>/dev/null | head -1)
|
|
||||||
if [ -n "$SUB_NUM" ]; then
|
|
||||||
gh api "repos/${REPO}/issues/${SUB_NUM}" -X PATCH \
|
|
||||||
-f body="$(gh api "repos/${REPO}/issues/${SUB_NUM}" --jq '.body' 2>/dev/null)
|
|
||||||
|
|
||||||
> **Parent Issue:** #${PARENT_NUM}" --silent 2>/dev/null || true
|
|
||||||
fi
|
|
||||||
sleep 0.2
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ── Create or update prerelease for alpha/beta/rc ────────────────
|
|
||||||
if [[ "$BRANCH" == rc/* ]] || [[ "$BRANCH" == alpha/* ]] || [[ "$BRANCH" == beta/* ]]; then
|
|
||||||
case "$BRANCH_TYPE" in
|
|
||||||
Alpha) RELEASE_TAG="alpha" ;;
|
|
||||||
Beta) RELEASE_TAG="beta" ;;
|
|
||||||
"Release Candidate") RELEASE_TAG="release-candidate" ;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
EXISTING=$(gh release view "$RELEASE_TAG" --json tagName -q .tagName 2>/dev/null || true)
|
|
||||||
if [ -z "$EXISTING" ]; then
|
|
||||||
gh release create "$RELEASE_TAG" \
|
|
||||||
--title "${RELEASE_TAG} (${VERSION})" \
|
|
||||||
--notes "## ${BRANCH_TYPE} ${VERSION}\n\nBranch: \`${BRANCH}\`\nTracking issue: ${PARENT_URL}" \
|
|
||||||
--prerelease \
|
|
||||||
--target main 2>/dev/null || true
|
|
||||||
echo "${BRANCH_TYPE} release created: ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
|
|
||||||
else
|
|
||||||
gh release edit "$RELEASE_TAG" \
|
|
||||||
--title "${RELEASE_TAG} (${VERSION})" --prerelease 2>/dev/null || true
|
|
||||||
echo "${BRANCH_TYPE} release updated: ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ── Summary ───────────────────────────────────────────────────────
|
|
||||||
echo "## Dev Workflow Issues Created" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| Item | Issue |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "|------|-------|" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| **Parent** | ${PARENT_URL} |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| **Sub-issues** |${SUB_NUMBERS} |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
@@ -4,32 +4,41 @@
|
|||||||
#
|
#
|
||||||
# FILE INFORMATION
|
# FILE INFORMATION
|
||||||
# DEFGROUP: Gitea.Workflow
|
# DEFGROUP: Gitea.Workflow
|
||||||
# INGROUP: moko-platform.Release
|
# INGROUP: mokocli.Release
|
||||||
# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoCLI
|
||||||
# PATH: /templates/workflows/universal/auto-release.yml.template
|
# PATH: /templates/workflows/universal/auto-release.yml.template
|
||||||
# VERSION: 05.00.00
|
# VERSION: 05.00.00
|
||||||
# BRIEF: Universal build & release � detects platform from manifest.xml
|
# BRIEF: Universal build & release � detects platform from manifest.xml
|
||||||
#
|
#
|
||||||
# +========================================================================+
|
# +=======================================================================+
|
||||||
# | UNIVERSAL BUILD & RELEASE PIPELINE |
|
# | UNIVERSAL BUILD & RELEASE PIPELINE |
|
||||||
# +========================================================================+
|
# +=======================================================================+
|
||||||
# | |
|
# | |
|
||||||
# | Reads manifest.xml (joomla|dolibarr|generic) to branch logic. |
|
# | Reads manifest.xml (joomla|dolibarr|generic) to branch logic. |
|
||||||
# | |
|
# | |
|
||||||
# | Platform-specific: |
|
# | Platform-specific: |
|
||||||
# | joomla: XML manifest, updates.xml, type-prefixed packages |
|
# | joomla: XML manifest, type-prefixed packages |
|
||||||
# | dolibarr: mod*.class.php, update.txt, dev version reset |
|
# | dolibarr: mod*.class.php, update.txt, dev version reset |
|
||||||
# | generic: README-only, no update stream |
|
# | generic: README-only, no update stream |
|
||||||
# | |
|
# | |
|
||||||
# +========================================================================+
|
# +=======================================================================+
|
||||||
|
|
||||||
name: "Universal: Build & Release"
|
name: "Universal: Build & Release"
|
||||||
|
|
||||||
on:
|
on:
|
||||||
pull_request:
|
pull_request:
|
||||||
types: [opened, closed]
|
types: [opened, synchronize, closed]
|
||||||
branches:
|
branches:
|
||||||
- main
|
- main
|
||||||
|
paths-ignore:
|
||||||
|
- '.mokogitea/workflows/**'
|
||||||
|
- '*.md'
|
||||||
|
- 'wiki/**'
|
||||||
|
- '.editorconfig'
|
||||||
|
- '.gitignore'
|
||||||
|
- '.gitattributes'
|
||||||
|
- '.gitmessage'
|
||||||
|
- 'LICENSE'
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
inputs:
|
inputs:
|
||||||
action:
|
action:
|
||||||
@@ -43,7 +52,7 @@ on:
|
|||||||
|
|
||||||
env:
|
env:
|
||||||
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
||||||
GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
||||||
GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
|
GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
|
||||||
GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
|
GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
|
||||||
|
|
||||||
@@ -51,12 +60,13 @@ permissions:
|
|||||||
contents: write
|
contents: write
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
# ── PR Opened → Rename branch to RC and build RC release ─────────────────────
|
# ── PR Opened → Rename branch to RC and build RC release ─────────────────────────
|
||||||
promote-rc:
|
promote-rc:
|
||||||
name: Promote to RC
|
name: Promote to RC
|
||||||
runs-on: release
|
runs-on: release
|
||||||
if: >-
|
if: >-
|
||||||
(github.event.action == 'opened' && github.event.pull_request.merged != true) ||
|
(github.event.action == 'opened' && github.event.pull_request.merged != true) ||
|
||||||
|
(github.event.action == 'synchronize' && github.event.pull_request.merged != true) ||
|
||||||
(github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
|
(github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
@@ -66,28 +76,33 @@ jobs:
|
|||||||
token: ${{ secrets.MOKOGITEA_TOKEN }}
|
token: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
fetch-depth: 1
|
fetch-depth: 1
|
||||||
|
|
||||||
- name: Setup moko-platform tools
|
- name: Setup mokocli tools
|
||||||
env:
|
env:
|
||||||
MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
|
MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
|
||||||
run: |
|
run: |
|
||||||
if ! command -v composer &> /dev/null; then
|
if [ -f /opt/mokocli/cli/version_bump.php ] && [ -f /opt/mokocli/vendor/autoload.php ]; then
|
||||||
|
echo Using pre-installed /opt/mokocli
|
||||||
|
echo MOKO_CLI=/opt/mokocli/cli >> $GITHUB_ENV
|
||||||
|
else
|
||||||
|
echo Falling back to fresh clone
|
||||||
|
if ! command -v composer > /dev/null 2>&1; then
|
||||||
sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
|
sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
|
||||||
fi
|
fi
|
||||||
# Always fetch latest CLI tools — never use stale cache from previous runs
|
rm -rf /tmp/mokocli
|
||||||
rm -rf /tmp/moko-platform-api
|
CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoCLI.git
|
||||||
git clone --depth 1 --branch main --quiet \
|
git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokocli
|
||||||
"https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
|
cd /tmp/mokocli
|
||||||
/tmp/moko-platform-api
|
|
||||||
cd /tmp/moko-platform-api
|
|
||||||
composer install --no-dev --no-interaction --quiet
|
composer install --no-dev --no-interaction --quiet
|
||||||
|
echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
|
||||||
|
fi
|
||||||
|
|
||||||
- name: Rename branch to rc
|
- name: Rename branch to rc
|
||||||
run: |
|
run: |
|
||||||
php /tmp/moko-platform-api/cli/branch_rename.php \
|
php ${MOKO_CLI}/branch_rename.php \
|
||||||
--from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
|
--from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
|
||||||
--token "${{ secrets.MOKOGITEA_TOKEN }}" \
|
--token "${{ secrets.MOKOGITEA_TOKEN }}" \
|
||||||
--api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
|
--api-base "${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
|
||||||
--pr "${{ github.event.pull_request.number }}"
|
--pr "${{ github.event.pull_request.number }}"
|
||||||
|
|
||||||
- name: Checkout rc and configure git
|
- name: Checkout rc and configure git
|
||||||
@@ -100,18 +115,51 @@ jobs:
|
|||||||
|
|
||||||
- name: Publish RC release
|
- name: Publish RC release
|
||||||
run: |
|
run: |
|
||||||
php /tmp/moko-platform-api/cli/release_publish.php \
|
php ${MOKO_CLI}/release_publish.php \
|
||||||
--path . --stability rc --bump minor --branch rc \
|
--path . --stability rc --bump minor --branch rc \
|
||||||
--token "${{ secrets.MOKOGITEA_TOKEN }}" \
|
--token "${{ secrets.MOKOGITEA_TOKEN }}"
|
||||||
--skip-update-stream
|
|
||||||
|
- name: Update RC release notes from CHANGELOG.md
|
||||||
|
run: |
|
||||||
|
API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
||||||
|
TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
|
||||||
|
|
||||||
|
# Extract [Unreleased] section from changelog
|
||||||
|
NOTES=""
|
||||||
|
if [ -f "CHANGELOG.md" ]; then
|
||||||
|
NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
|
||||||
|
fi
|
||||||
|
[ -z "$NOTES" ] && NOTES="Release candidate"
|
||||||
|
|
||||||
|
# Find the RC release and update its body
|
||||||
|
RELEASE_ID=$(curl -sf -H "Authorization: token ${TOKEN}" \
|
||||||
|
"${API_BASE}/releases/tags/release-candidate" \
|
||||||
|
| python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
|
||||||
|
|
||||||
|
if [ -n "$RELEASE_ID" ]; then
|
||||||
|
python3 -c "
|
||||||
|
import json, urllib.request
|
||||||
|
body = open('/dev/stdin').read()
|
||||||
|
payload = json.dumps({'body': body}).encode()
|
||||||
|
req = urllib.request.Request(
|
||||||
|
'${API_BASE}/releases/${RELEASE_ID}',
|
||||||
|
data=payload, method='PATCH',
|
||||||
|
headers={
|
||||||
|
'Authorization': 'token ${TOKEN}',
|
||||||
|
'Content-Type': 'application/json'
|
||||||
|
})
|
||||||
|
urllib.request.urlopen(req)
|
||||||
|
" <<< "$NOTES"
|
||||||
|
echo "RC release notes updated from CHANGELOG.md"
|
||||||
|
fi
|
||||||
|
|
||||||
- name: Summary
|
- name: Summary
|
||||||
if: always()
|
if: always()
|
||||||
run: |
|
run: |
|
||||||
echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
|
echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
|
||||||
echo "Branch renamed to rc, minor bump, RC release built (updates.xml managed by Gitea Pages)" >> $GITHUB_STEP_SUMMARY
|
echo "Branch renamed to rc, minor bump, RC release built" >> $GITHUB_STEP_SUMMARY
|
||||||
|
|
||||||
# ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
|
# ── Merged PR → Build & Release (or promote RC to stable) ─────────────────────────
|
||||||
release:
|
release:
|
||||||
name: Build & Release Pipeline
|
name: Build & Release Pipeline
|
||||||
runs-on: release
|
runs-on: release
|
||||||
@@ -145,31 +193,165 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
echo "No conflict markers found"
|
echo "No conflict markers found"
|
||||||
|
|
||||||
- name: Setup moko-platform tools
|
- name: Setup mokocli tools
|
||||||
env:
|
env:
|
||||||
MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
|
MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
|
||||||
COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
|
COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
|
||||||
run: |
|
run: |
|
||||||
# Ensure PHP + Composer are available
|
if [ -f /opt/mokocli/cli/version_bump.php ] && [ -f /opt/mokocli/vendor/autoload.php ]; then
|
||||||
if ! command -v composer &> /dev/null; then
|
echo Using pre-installed /opt/mokocli
|
||||||
|
echo MOKO_CLI=/opt/mokocli/cli >> $GITHUB_ENV
|
||||||
|
else
|
||||||
|
echo Falling back to fresh clone
|
||||||
|
if ! command -v composer > /dev/null 2>&1; then
|
||||||
sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
|
sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
|
||||||
fi
|
fi
|
||||||
# Always fetch latest CLI tools — never use stale cache from previous runs
|
rm -rf /tmp/mokocli
|
||||||
rm -rf /tmp/moko-platform-api
|
CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoCLI.git
|
||||||
git clone --depth 1 --branch main --quiet \
|
git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokocli
|
||||||
"https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
|
cd /tmp/mokocli
|
||||||
/tmp/moko-platform-api
|
|
||||||
cd /tmp/moko-platform-api
|
|
||||||
composer install --no-dev --no-interaction --quiet
|
composer install --no-dev --no-interaction --quiet
|
||||||
|
echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: "Detect platform"
|
||||||
|
id: platform
|
||||||
|
run: |
|
||||||
|
php ${MOKO_CLI}/platform_detect.php --path . --github-output 2>/dev/null || true
|
||||||
|
php ${MOKO_CLI}/manifest_read.php --path . --github-output 2>/dev/null || true
|
||||||
|
|
||||||
|
- name: "Determine version bump level"
|
||||||
|
id: bump
|
||||||
|
run: |
|
||||||
|
# Fix/patch branches: version was already bumped by pre-release, just strip suffix
|
||||||
|
# Feature/dev branches: bump minor for the new stable release
|
||||||
|
HEAD_REF="${{ github.event.pull_request.head.ref || 'dev' }}"
|
||||||
|
case "$HEAD_REF" in
|
||||||
|
fix/*|patch/*|hotfix/*|bugfix/*) BUMP="none" ;;
|
||||||
|
*) BUMP="minor" ;;
|
||||||
|
esac
|
||||||
|
echo "level=${BUMP}" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "Bump level: ${BUMP} (from branch: ${HEAD_REF})"
|
||||||
|
|
||||||
- name: "Publish stable release"
|
- name: "Publish stable release"
|
||||||
run: |
|
run: |
|
||||||
php /tmp/moko-platform-api/cli/release_publish.php \
|
BUMP_FLAG=""
|
||||||
--path . --stability stable --bump minor --branch main \
|
if [ "${{ steps.bump.outputs.level }}" != "none" ]; then
|
||||||
--token "${{ secrets.MOKOGITEA_TOKEN }}" \
|
BUMP_FLAG="--bump ${{ steps.bump.outputs.level }}"
|
||||||
--skip-update-stream
|
fi
|
||||||
|
php ${MOKO_CLI}/release_publish.php \
|
||||||
|
--path . --stability stable ${BUMP_FLAG} --branch main \
|
||||||
|
--token "${{ secrets.MOKOGITEA_TOKEN }}"
|
||||||
|
|
||||||
|
- name: "Read published version"
|
||||||
|
id: version
|
||||||
|
run: |
|
||||||
|
VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "")
|
||||||
|
VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
|
||||||
|
[ -z "$VERSION" ] && VERSION="00.00.00" && echo "skip=true" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
|
||||||
|
PLATFORM="${{ steps.platform.outputs.platform }}"
|
||||||
|
if [[ "$PLATFORM" == joomla* ]]; then
|
||||||
|
echo "tag=stable" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "release_tag=stable" >> "$GITHUB_OUTPUT"
|
||||||
|
else
|
||||||
|
echo "tag=v${VERSION}" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "release_tag=v${VERSION}" >> "$GITHUB_OUTPUT"
|
||||||
|
fi
|
||||||
|
echo "branch=main" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "Published version: ${VERSION}"
|
||||||
|
|
||||||
|
- name: "Create semver tag for non-Joomla repos"
|
||||||
|
id: semver
|
||||||
|
if: |
|
||||||
|
steps.version.outputs.skip != 'true' &&
|
||||||
|
!startsWith(steps.platform.outputs.platform, 'joomla')
|
||||||
|
run: |
|
||||||
|
VERSION="${{ steps.version.outputs.version }}"
|
||||||
|
API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
||||||
|
TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
|
||||||
|
SEMVER_TAG="v${VERSION}"
|
||||||
|
|
||||||
|
echo "Creating semver tag: ${SEMVER_TAG}"
|
||||||
|
|
||||||
|
# Create the git tag via API
|
||||||
|
HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
|
||||||
|
-X POST -H "Authorization: token ${TOKEN}" \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
"${API_BASE}/tags" \
|
||||||
|
-d "{\"tag_name\":\"${SEMVER_TAG}\",\"target\":\"main\",\"message\":\"Release ${VERSION}\"}" 2>/dev/null || echo "000")
|
||||||
|
|
||||||
|
if [ "$HTTP_CODE" = "201" ] || [ "$HTTP_CODE" = "200" ]; then
|
||||||
|
echo "Created semver tag: ${SEMVER_TAG}"
|
||||||
|
elif [ "$HTTP_CODE" = "409" ]; then
|
||||||
|
echo "Semver tag ${SEMVER_TAG} already exists (skipped)"
|
||||||
|
else
|
||||||
|
echo "::warning::Failed to create semver tag ${SEMVER_TAG} (HTTP ${HTTP_CODE})"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "semver_tag=${SEMVER_TAG}" >> "$GITHUB_OUTPUT"
|
||||||
|
|
||||||
|
- name: Update release notes and promote changelog
|
||||||
|
run: |
|
||||||
|
API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
||||||
|
TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
|
||||||
|
|
||||||
|
# Get the stable release info (version and ID)
|
||||||
|
RELEASE_JSON=$(curl -sf -H "Authorization: token ${TOKEN}" \
|
||||||
|
"${API_BASE}/releases/tags/stable" 2>/dev/null || echo '{}')
|
||||||
|
RELEASE_ID=$(python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" <<< "$RELEASE_JSON" 2>/dev/null || true)
|
||||||
|
# Extract version from release name (e.g. "06.17.00" or "v06.17.00")
|
||||||
|
VERSION=$(python3 -c "
|
||||||
|
import json, sys, re
|
||||||
|
r = json.load(sys.stdin)
|
||||||
|
name = r.get('name', '')
|
||||||
|
m = re.search(r'(\d+\.\d+\.\d+)', name)
|
||||||
|
print(m.group(1) if m else '')
|
||||||
|
" <<< "$RELEASE_JSON" 2>/dev/null || true)
|
||||||
|
|
||||||
|
# Extract [Unreleased] section from changelog
|
||||||
|
NOTES=""
|
||||||
|
if [ -f "CHANGELOG.md" ]; then
|
||||||
|
NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
|
||||||
|
fi
|
||||||
|
[ -z "$NOTES" ] && NOTES="Stable release"
|
||||||
|
|
||||||
|
# Update release body via API
|
||||||
|
if [ -n "$RELEASE_ID" ]; then
|
||||||
|
python3 -c "
|
||||||
|
import json, urllib.request
|
||||||
|
body = open('/dev/stdin').read()
|
||||||
|
payload = json.dumps({'body': body}).encode()
|
||||||
|
req = urllib.request.Request(
|
||||||
|
'${API_BASE}/releases/${RELEASE_ID}',
|
||||||
|
data=payload, method='PATCH',
|
||||||
|
headers={
|
||||||
|
'Authorization': 'token ${TOKEN}',
|
||||||
|
'Content-Type': 'application/json'
|
||||||
|
})
|
||||||
|
urllib.request.urlopen(req)
|
||||||
|
" <<< "$NOTES"
|
||||||
|
echo "Release notes updated from CHANGELOG.md"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Promote [Unreleased] → [version] in CHANGELOG.md and reset
|
||||||
|
if [ -n "$VERSION" ] && [ -f "CHANGELOG.md" ]; then
|
||||||
|
DATE=$(date +%Y-%m-%d)
|
||||||
|
python3 -c "
|
||||||
|
import sys
|
||||||
|
version, date = sys.argv[1], sys.argv[2]
|
||||||
|
content = open('CHANGELOG.md').read()
|
||||||
|
old = '## [Unreleased]'
|
||||||
|
new = f'## [Unreleased]\n\n## [{version}] --- {date}'
|
||||||
|
content = content.replace(old, new, 1)
|
||||||
|
open('CHANGELOG.md', 'w').write(content)
|
||||||
|
" "$VERSION" "$DATE"
|
||||||
|
git add CHANGELOG.md
|
||||||
|
git commit -m "chore: promote changelog [Unreleased] → [${VERSION}]" || true
|
||||||
|
git push origin main || true
|
||||||
|
echo "Changelog promoted: [Unreleased] → [${VERSION}]"
|
||||||
|
fi
|
||||||
|
|
||||||
# -- STEP 9: Mirror to GitHub (stable only) --------------------------------
|
# -- STEP 9: Mirror to GitHub (stable only) --------------------------------
|
||||||
- name: "Step 9: Mirror release to GitHub"
|
- name: "Step 9: Mirror release to GitHub"
|
||||||
@@ -181,8 +363,8 @@ jobs:
|
|||||||
VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
|
VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
|
||||||
RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
|
RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
|
||||||
GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
|
GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
|
||||||
API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
||||||
php /tmp/moko-platform-api/cli/release_mirror.php \
|
php ${MOKO_CLI}/release_mirror.php \
|
||||||
--version "$VERSION" --tag "$RELEASE_TAG" \
|
--version "$VERSION" --tag "$RELEASE_TAG" \
|
||||||
--token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
|
--token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
|
||||||
--gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
|
--gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
|
||||||
@@ -210,7 +392,7 @@ jobs:
|
|||||||
if: steps.version.outputs.skip != 'true'
|
if: steps.version.outputs.skip != 'true'
|
||||||
continue-on-error: true
|
continue-on-error: true
|
||||||
run: |
|
run: |
|
||||||
API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
||||||
TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
|
TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
|
||||||
|
|
||||||
# Delete rc branch (ephemeral — created by promote-rc)
|
# Delete rc branch (ephemeral — created by promote-rc)
|
||||||
@@ -234,7 +416,7 @@ jobs:
|
|||||||
if: steps.version.outputs.skip != 'true'
|
if: steps.version.outputs.skip != 'true'
|
||||||
continue-on-error: true
|
continue-on-error: true
|
||||||
run: |
|
run: |
|
||||||
API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
||||||
TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
|
TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
|
||||||
VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
|
VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
|
||||||
BRANCH_NAME="version/${VERSION}"
|
BRANCH_NAME="version/${VERSION}"
|
||||||
@@ -255,8 +437,8 @@ jobs:
|
|||||||
if: steps.version.outputs.skip != 'true'
|
if: steps.version.outputs.skip != 'true'
|
||||||
continue-on-error: true
|
continue-on-error: true
|
||||||
run: |
|
run: |
|
||||||
API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
||||||
php /tmp/moko-platform-api/cli/version_reset_dev.php \
|
php ${MOKO_CLI}/version_reset_dev.php \
|
||||||
--token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
|
--token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
|
||||||
--branch dev --path . 2>&1 || true
|
--branch dev --path . 2>&1 || true
|
||||||
|
|
||||||
@@ -281,5 +463,5 @@ jobs:
|
|||||||
echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
|
echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
|
||||||
echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
|
echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
|
||||||
echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
|
echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
|
||||||
echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
|
echo "| Release | [View](${MOKOGITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
|
||||||
fi
|
fi
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
# FILE INFORMATION
|
# FILE INFORMATION
|
||||||
# DEFGROUP: Gitea.Workflow
|
# DEFGROUP: Gitea.Workflow
|
||||||
# INGROUP: MokoStandards.Universal
|
# INGROUP: MokoStandards.Universal
|
||||||
# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoCLI
|
||||||
# PATH: /.mokogitea/workflows/branch-cleanup.yml
|
# PATH: /.mokogitea/workflows/branch-cleanup.yml
|
||||||
# VERSION: 01.00.00
|
# VERSION: 01.00.00
|
||||||
# BRIEF: Delete feature branches after PR merge
|
# BRIEF: Delete feature branches after PR merge
|
||||||
|
|||||||
@@ -1,101 +0,0 @@
|
|||||||
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
|
||||||
#
|
|
||||||
# This file is part of a Moko Consulting project.
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
||||||
#
|
|
||||||
# FILE INFORMATION
|
|
||||||
# DEFGROUP: GitHub.Workflow.Template
|
|
||||||
# INGROUP: MokoStandards.CI
|
|
||||||
# REPO: https://github.com/mokoconsulting-tech/MokoStandards
|
|
||||||
# PATH: /templates/workflows/shared/changelog-validation.yml.template
|
|
||||||
# VERSION: 04.06.00
|
|
||||||
# BRIEF: Validates CHANGELOG.md format and version consistency
|
|
||||||
# NOTE: Deployed to .mokogitea/workflows/changelog-validation.yml in governed repos.
|
|
||||||
|
|
||||||
name: "Universal: Changelog Validation"
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
env:
|
|
||||||
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
validate-changelog:
|
|
||||||
name: Validate CHANGELOG.md
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout repository
|
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
|
||||||
|
|
||||||
- name: Check CHANGELOG.md exists
|
|
||||||
run: |
|
|
||||||
echo "### Changelog Validation" >> $GITHUB_STEP_SUMMARY
|
|
||||||
if [ ! -f "CHANGELOG.md" ]; then
|
|
||||||
echo "CHANGELOG.md not found in repository root." >> $GITHUB_STEP_SUMMARY
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
echo "CHANGELOG.md exists." >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
- name: Check VERSION header matches README.md
|
|
||||||
run: |
|
|
||||||
# Extract version from README.md FILE INFORMATION block
|
|
||||||
README_VERSION=$(grep -oP '^\s*VERSION:\s*\K[0-9]{2}\.[0-9]{2}\.[0-9]{2}' README.md | head -1)
|
|
||||||
if [ -z "$README_VERSION" ]; then
|
|
||||||
echo "No VERSION found in README.md FILE INFORMATION block." >> $GITHUB_STEP_SUMMARY
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Check that CHANGELOG.md has a matching version header
|
|
||||||
CHANGELOG_VERSION=$(grep -oP '^\#\#\s*\[\K[0-9]{2}\.[0-9]{2}\.[0-9]{2}' CHANGELOG.md | head -1)
|
|
||||||
if [ -z "$CHANGELOG_VERSION" ]; then
|
|
||||||
echo "No version header found in CHANGELOG.md (expected \`## [XX.YY.ZZ] - YYYY-MM-DD\`)." >> $GITHUB_STEP_SUMMARY
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$CHANGELOG_VERSION" != "$README_VERSION" ]; then
|
|
||||||
echo "CHANGELOG latest version \`${CHANGELOG_VERSION}\` does not match README VERSION \`${README_VERSION}\`." >> $GITHUB_STEP_SUMMARY
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "CHANGELOG version \`${CHANGELOG_VERSION}\` matches README VERSION." >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
- name: Validate conventional changelog format
|
|
||||||
run: |
|
|
||||||
ERRORS=0
|
|
||||||
|
|
||||||
# Check that version entries follow ## [XX.YY.ZZ] - YYYY-MM-DD format
|
|
||||||
while IFS= read -r LINE; do
|
|
||||||
if ! echo "$LINE" | grep -qP '^\#\#\s*\[[0-9]{2}\.[0-9]{2}\.[0-9]{2}\]\s*-\s*[0-9]{4}-[0-9]{2}-[0-9]{2}'; then
|
|
||||||
echo "Malformed version header: \`${LINE}\`" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo " Expected format: \`## [XX.YY.ZZ] - YYYY-MM-DD\`" >> $GITHUB_STEP_SUMMARY
|
|
||||||
ERRORS=$((ERRORS + 1))
|
|
||||||
fi
|
|
||||||
done < <(grep -P '^\#\#\s*\[' CHANGELOG.md)
|
|
||||||
|
|
||||||
ENTRY_COUNT=$(grep -cP '^\#\#\s*\[' CHANGELOG.md || echo "0")
|
|
||||||
if [ "$ENTRY_COUNT" -eq 0 ]; then
|
|
||||||
echo "No version entries found in CHANGELOG.md." >> $GITHUB_STEP_SUMMARY
|
|
||||||
ERRORS=$((ERRORS + 1))
|
|
||||||
else
|
|
||||||
echo "Found ${ENTRY_COUNT} version entr(ies) in CHANGELOG.md." >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
if [ "${ERRORS}" -gt 0 ]; then
|
|
||||||
echo "**${ERRORS} format issue(s) found.**" >> $GITHUB_STEP_SUMMARY
|
|
||||||
exit 1
|
|
||||||
else
|
|
||||||
echo "**Changelog format validation passed.**" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
@@ -0,0 +1,197 @@
|
|||||||
|
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
#
|
||||||
|
# FILE INFORMATION
|
||||||
|
# DEFGROUP: Gitea.Workflow
|
||||||
|
# INGROUP: MokoStandards.CI
|
||||||
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-Generic
|
||||||
|
# PATH: /.gitea/workflows/ci-generic.yml
|
||||||
|
# VERSION: 01.00.00
|
||||||
|
# BRIEF: CI pipeline — lint, validate, and test for generic projects (PHP + Node.js)
|
||||||
|
|
||||||
|
name: "Generic: Project CI"
|
||||||
|
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- dev
|
||||||
|
- dev/**
|
||||||
|
- rc/**
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
|
env:
|
||||||
|
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
# ── Lint & Validate ───────────────────────────────────────────────────
|
||||||
|
lint:
|
||||||
|
name: Lint & Validate
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Detect toolchain
|
||||||
|
id: detect
|
||||||
|
run: |
|
||||||
|
HAS_PHP=false
|
||||||
|
HAS_NODE=false
|
||||||
|
[ -f "composer.json" ] && HAS_PHP=true
|
||||||
|
[ -f "package.json" ] && HAS_NODE=true
|
||||||
|
echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "Toolchain: PHP=$HAS_PHP Node=$HAS_NODE"
|
||||||
|
|
||||||
|
- name: Setup PHP
|
||||||
|
if: steps.detect.outputs.has_php == 'true'
|
||||||
|
run: |
|
||||||
|
if ! command -v php &> /dev/null; then
|
||||||
|
sudo apt-get update -qq
|
||||||
|
sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
|
||||||
|
fi
|
||||||
|
php -v
|
||||||
|
|
||||||
|
- name: Setup Node.js
|
||||||
|
if: steps.detect.outputs.has_node == 'true'
|
||||||
|
uses: actions/setup-node@v4
|
||||||
|
with:
|
||||||
|
node-version: '20'
|
||||||
|
|
||||||
|
- name: Install PHP dependencies
|
||||||
|
if: steps.detect.outputs.has_php == 'true'
|
||||||
|
run: |
|
||||||
|
if [ -f "composer.json" ]; then
|
||||||
|
composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: Install Node.js dependencies
|
||||||
|
if: steps.detect.outputs.has_node == 'true'
|
||||||
|
run: |
|
||||||
|
if [ -f "package.json" ]; then
|
||||||
|
npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: PHP syntax check
|
||||||
|
if: steps.detect.outputs.has_php == 'true'
|
||||||
|
run: |
|
||||||
|
ERRORS=0
|
||||||
|
while IFS= read -r -d '' file; do
|
||||||
|
if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
|
||||||
|
echo "::error file=${file}::PHP syntax error"
|
||||||
|
ERRORS=$((ERRORS + 1))
|
||||||
|
fi
|
||||||
|
done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -not -path "./node_modules/*" -print0)
|
||||||
|
|
||||||
|
echo "## PHP Lint" >> $GITHUB_STEP_SUMMARY
|
||||||
|
if [ "$ERRORS" -eq 0 ]; then
|
||||||
|
echo "All PHP files passed syntax check." >> $GITHUB_STEP_SUMMARY
|
||||||
|
else
|
||||||
|
echo "${ERRORS} file(s) with syntax errors." >> $GITHUB_STEP_SUMMARY
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: TypeScript/JavaScript lint
|
||||||
|
if: steps.detect.outputs.has_node == 'true'
|
||||||
|
run: |
|
||||||
|
if [ -f "node_modules/.bin/eslint" ]; then
|
||||||
|
npx eslint src/ --quiet 2>&1 || { echo "::error::ESLint errors found"; exit 1; }
|
||||||
|
echo "## ESLint" >> $GITHUB_STEP_SUMMARY
|
||||||
|
echo "All files passed ESLint." >> $GITHUB_STEP_SUMMARY
|
||||||
|
elif [ -f ".eslintrc.json" ] || [ -f ".eslintrc.js" ] || [ -f "eslint.config.js" ]; then
|
||||||
|
echo "::warning::ESLint config found but eslint not installed"
|
||||||
|
else
|
||||||
|
echo "No ESLint configured — skipping"
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: TypeScript compile check
|
||||||
|
if: steps.detect.outputs.has_node == 'true'
|
||||||
|
run: |
|
||||||
|
if [ -f "tsconfig.json" ] && [ -f "node_modules/.bin/tsc" ]; then
|
||||||
|
npx tsc --noEmit 2>&1 || { echo "::error::TypeScript compilation errors"; exit 1; }
|
||||||
|
echo "## TypeScript" >> $GITHUB_STEP_SUMMARY
|
||||||
|
echo "TypeScript compilation passed." >> $GITHUB_STEP_SUMMARY
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: PHPStan static analysis
|
||||||
|
if: steps.detect.outputs.has_php == 'true'
|
||||||
|
run: |
|
||||||
|
if [ -f "phpstan.neon" ] && [ -f "vendor/bin/phpstan" ]; then
|
||||||
|
vendor/bin/phpstan analyse --no-progress 2>&1 || { echo "::warning::PHPStan found issues"; }
|
||||||
|
fi
|
||||||
|
|
||||||
|
# ── Tests ─────────────────────────────────────────────────────────────
|
||||||
|
test:
|
||||||
|
name: Tests
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
needs: lint
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Detect toolchain
|
||||||
|
id: detect
|
||||||
|
run: |
|
||||||
|
HAS_PHP=false
|
||||||
|
HAS_NODE=false
|
||||||
|
[ -f "composer.json" ] && HAS_PHP=true
|
||||||
|
[ -f "package.json" ] && HAS_NODE=true
|
||||||
|
echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
|
||||||
|
|
||||||
|
- name: Setup PHP
|
||||||
|
if: steps.detect.outputs.has_php == 'true'
|
||||||
|
run: |
|
||||||
|
if ! command -v php &> /dev/null; then
|
||||||
|
sudo apt-get update -qq
|
||||||
|
sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: Setup Node.js
|
||||||
|
if: steps.detect.outputs.has_node == 'true'
|
||||||
|
uses: actions/setup-node@v4
|
||||||
|
with:
|
||||||
|
node-version: '20'
|
||||||
|
|
||||||
|
- name: Install dependencies
|
||||||
|
run: |
|
||||||
|
[ -f "composer.json" ] && composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
|
||||||
|
[ -f "package.json" ] && { npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true; }
|
||||||
|
|
||||||
|
- name: Run PHP tests
|
||||||
|
if: steps.detect.outputs.has_php == 'true'
|
||||||
|
run: |
|
||||||
|
if [ -f "vendor/bin/phpunit" ]; then
|
||||||
|
vendor/bin/phpunit --testdox 2>&1
|
||||||
|
echo "## PHPUnit" >> $GITHUB_STEP_SUMMARY
|
||||||
|
echo "Tests passed." >> $GITHUB_STEP_SUMMARY
|
||||||
|
elif [ -f "phpunit.xml" ] || [ -f "phpunit.xml.dist" ]; then
|
||||||
|
echo "::warning::PHPUnit config found but phpunit not installed"
|
||||||
|
else
|
||||||
|
echo "No PHPUnit configured — skipping"
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: Run Node.js tests
|
||||||
|
if: steps.detect.outputs.has_node == 'true'
|
||||||
|
run: |
|
||||||
|
if jq -e '.scripts.test' package.json > /dev/null 2>&1; then
|
||||||
|
npm test 2>&1
|
||||||
|
echo "## Node.js Tests" >> $GITHUB_STEP_SUMMARY
|
||||||
|
echo "Tests passed." >> $GITHUB_STEP_SUMMARY
|
||||||
|
else
|
||||||
|
echo "No test script in package.json — skipping"
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: Build check
|
||||||
|
run: |
|
||||||
|
if [ -f "Makefile" ]; then
|
||||||
|
make build 2>&1 || echo "::warning::Build failed or not configured"
|
||||||
|
elif [ -f "package.json" ] && jq -e '.scripts.build' package.json > /dev/null 2>&1; then
|
||||||
|
npm run build 2>&1 || echo "::warning::Build failed"
|
||||||
|
fi
|
||||||
@@ -0,0 +1,68 @@
|
|||||||
|
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
#
|
||||||
|
# FILE INFORMATION
|
||||||
|
# DEFGROUP: Gitea.Workflow
|
||||||
|
# INGROUP: mokocli.Universal
|
||||||
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoCLI
|
||||||
|
# PATH: /.mokogitea/workflows/ci-issue-reporter.yml
|
||||||
|
# VERSION: 01.00.00
|
||||||
|
# BRIEF: Reusable workflow — creates/updates a Gitea issue when a CI gate fails.
|
||||||
|
# Clones MokoCLI and runs cli/ci_issue_reporter.sh.
|
||||||
|
|
||||||
|
name: "Universal: CI Issue Reporter"
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_call:
|
||||||
|
inputs:
|
||||||
|
gate:
|
||||||
|
description: "CI gate name (e.g. PR Validation, Repository Health)"
|
||||||
|
required: true
|
||||||
|
type: string
|
||||||
|
details:
|
||||||
|
description: "Human-readable failure description"
|
||||||
|
required: true
|
||||||
|
type: string
|
||||||
|
severity:
|
||||||
|
description: "error or warning"
|
||||||
|
required: false
|
||||||
|
type: string
|
||||||
|
default: "error"
|
||||||
|
workflow:
|
||||||
|
description: "Workflow name for the issue title"
|
||||||
|
required: false
|
||||||
|
type: string
|
||||||
|
default: ""
|
||||||
|
secrets:
|
||||||
|
MOKOGITEA_TOKEN:
|
||||||
|
required: true
|
||||||
|
|
||||||
|
env:
|
||||||
|
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
report:
|
||||||
|
name: "Report: ${{ inputs.gate }}"
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Clone MokoCLI
|
||||||
|
env:
|
||||||
|
MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
|
run: |
|
||||||
|
MOKOGITEA_URL="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}"
|
||||||
|
git clone --depth 1 --filter=blob:none --sparse "${MOKOGITEA_URL}/MokoConsulting/MokoCLI.git" /tmp/mokocli
|
||||||
|
cd /tmp/mokocli && git sparse-checkout set cli/ci_issue_reporter.sh
|
||||||
|
|
||||||
|
- name: Report CI failure
|
||||||
|
env:
|
||||||
|
MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
|
MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
||||||
|
run: |
|
||||||
|
chmod +x /tmp/mokocli/cli/ci_issue_reporter.sh
|
||||||
|
/tmp/mokocli/cli/ci_issue_reporter.sh \
|
||||||
|
--gate "${{ inputs.gate }}" \
|
||||||
|
--details "${{ inputs.details }}" \
|
||||||
|
--severity "${{ inputs.severity }}" \
|
||||||
|
--workflow "${{ inputs.workflow }}"
|
||||||
@@ -21,7 +21,7 @@ permissions:
|
|||||||
contents: write
|
contents: write
|
||||||
|
|
||||||
env:
|
env:
|
||||||
GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
cleanup:
|
cleanup:
|
||||||
@@ -33,17 +33,17 @@ jobs:
|
|||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
token: ${{ secrets.GA_TOKEN }}
|
token: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
|
|
||||||
- name: Delete merged branches
|
- name: Delete merged branches
|
||||||
env:
|
env:
|
||||||
GA_TOKEN: ${{ secrets.GA_TOKEN }}
|
MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
run: |
|
run: |
|
||||||
echo "=== Merged Branch Cleanup ==="
|
echo "=== Merged Branch Cleanup ==="
|
||||||
API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
|
API="${MOKOGITEA_URL}/api/v1/repos/${{ github.repository }}"
|
||||||
|
|
||||||
# List branches via API
|
# List branches via API
|
||||||
BRANCHES=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
|
BRANCHES=$(curl -sS -H "Authorization: token ${MOKOGITEA_TOKEN}" \
|
||||||
"${API}/branches?limit=50" | jq -r '.[].name')
|
"${API}/branches?limit=50" | jq -r '.[].name')
|
||||||
|
|
||||||
DELETED=0
|
DELETED=0
|
||||||
@@ -56,7 +56,7 @@ jobs:
|
|||||||
# Check if branch is merged into main
|
# Check if branch is merged into main
|
||||||
if git merge-base --is-ancestor "origin/${BRANCH}" origin/main 2>/dev/null; then
|
if git merge-base --is-ancestor "origin/${BRANCH}" origin/main 2>/dev/null; then
|
||||||
echo " Deleting merged branch: ${BRANCH}"
|
echo " Deleting merged branch: ${BRANCH}"
|
||||||
curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
|
curl -sS -X DELETE -H "Authorization: token ${MOKOGITEA_TOKEN}" \
|
||||||
"${API}/branches/${BRANCH}" 2>/dev/null || true
|
"${API}/branches/${BRANCH}" 2>/dev/null || true
|
||||||
DELETED=$((DELETED + 1))
|
DELETED=$((DELETED + 1))
|
||||||
fi
|
fi
|
||||||
@@ -66,20 +66,20 @@ jobs:
|
|||||||
|
|
||||||
- name: Clean old workflow runs
|
- name: Clean old workflow runs
|
||||||
env:
|
env:
|
||||||
GA_TOKEN: ${{ secrets.GA_TOKEN }}
|
MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
run: |
|
run: |
|
||||||
echo "=== Workflow Run Cleanup ==="
|
echo "=== Workflow Run Cleanup ==="
|
||||||
API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
|
API="${MOKOGITEA_URL}/api/v1/repos/${{ github.repository }}"
|
||||||
CUTOFF=$(date -d "30 days ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-30d +%Y-%m-%dT%H:%M:%SZ)
|
CUTOFF=$(date -d "30 days ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-30d +%Y-%m-%dT%H:%M:%SZ)
|
||||||
|
|
||||||
# Get old completed runs
|
# Get old completed runs
|
||||||
RUNS=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
|
RUNS=$(curl -sS -H "Authorization: token ${MOKOGITEA_TOKEN}" \
|
||||||
"${API}/actions/runs?status=completed&limit=50" | \
|
"${API}/actions/runs?status=completed&limit=50" | \
|
||||||
jq -r ".workflow_runs[] | select(.created_at < \"${CUTOFF}\") | .id" 2>/dev/null)
|
jq -r ".workflow_runs[] | select(.created_at < \"${CUTOFF}\") | .id" 2>/dev/null)
|
||||||
|
|
||||||
DELETED=0
|
DELETED=0
|
||||||
for RUN_ID in $RUNS; do
|
for RUN_ID in $RUNS; do
|
||||||
curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
|
curl -sS -X DELETE -H "Authorization: token ${MOKOGITEA_TOKEN}" \
|
||||||
"${API}/actions/runs/${RUN_ID}" 2>/dev/null || true
|
"${API}/actions/runs/${RUN_ID}" 2>/dev/null || true
|
||||||
DELETED=$((DELETED + 1))
|
DELETED=$((DELETED + 1))
|
||||||
done
|
done
|
||||||
|
|||||||
@@ -1,115 +0,0 @@
|
|||||||
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
|
||||||
#
|
|
||||||
# This file is part of a Moko Consulting project.
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
||||||
#
|
|
||||||
# FILE INFORMATION
|
|
||||||
# DEFGROUP: GitHub.Workflow.Template
|
|
||||||
# INGROUP: MokoStandards.Security
|
|
||||||
# REPO: https://github.com/mokoconsulting-tech/MokoStandards
|
|
||||||
# PATH: /templates/workflows/generic/codeql-analysis.yml.template
|
|
||||||
# VERSION: 04.05.00
|
|
||||||
# BRIEF: CodeQL security scanning workflow (generic — all repo types)
|
|
||||||
# NOTE: Deployed to .mokogitea/workflows/codeql-analysis.yml in governed repos.
|
|
||||||
# CodeQL does not support PHP directly; JavaScript scans JSON/YAML/shell.
|
|
||||||
# For PHP-specific security scanning see standards-compliance.yml.
|
|
||||||
|
|
||||||
name: "Universal: CodeQL Analysis"
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- dev/**
|
|
||||||
- rc/**
|
|
||||||
- version/**
|
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- dev/**
|
|
||||||
- rc/**
|
|
||||||
schedule:
|
|
||||||
# Weekly on Monday at 06:00 UTC
|
|
||||||
- cron: '0 6 * * 1'
|
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
actions: read
|
|
||||||
contents: read
|
|
||||||
security-events: write
|
|
||||||
pull-requests: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
analyze:
|
|
||||||
name: Analyze (${{ matrix.language }})
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
timeout-minutes: 360
|
|
||||||
|
|
||||||
strategy:
|
|
||||||
fail-fast: false
|
|
||||||
matrix:
|
|
||||||
# CodeQL does not support PHP. Use 'javascript' to scan JSON, YAML,
|
|
||||||
# and shell scripts. Add 'actions' to scan GitHub Actions workflows.
|
|
||||||
language: ['javascript', 'actions']
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout repository
|
|
||||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
||||||
|
|
||||||
- name: Initialize CodeQL
|
|
||||||
uses: github/codeql-action/init@v3
|
|
||||||
with:
|
|
||||||
languages: ${{ matrix.language }}
|
|
||||||
queries: security-extended,security-and-quality
|
|
||||||
|
|
||||||
- name: Autobuild
|
|
||||||
uses: github/codeql-action/autobuild@v3
|
|
||||||
|
|
||||||
- name: Perform CodeQL Analysis
|
|
||||||
uses: github/codeql-action/analyze@v3
|
|
||||||
with:
|
|
||||||
category: "/language:${{ matrix.language }}"
|
|
||||||
upload: true
|
|
||||||
output: sarif-results
|
|
||||||
wait-for-processing: true
|
|
||||||
|
|
||||||
- name: Upload SARIF results
|
|
||||||
if: always()
|
|
||||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.5.0
|
|
||||||
with:
|
|
||||||
name: codeql-results-${{ matrix.language }}
|
|
||||||
path: sarif-results
|
|
||||||
retention-days: 30
|
|
||||||
|
|
||||||
- name: Step summary
|
|
||||||
if: always()
|
|
||||||
run: |
|
|
||||||
echo "### 🔍 CodeQL — ${{ matrix.language }}" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
URL="https://github.com/${{ github.repository }}/security/code-scanning"
|
|
||||||
echo "See the [Security tab]($URL) for findings." >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| Severity | SLA |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "|----------|-----|" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| Critical | 7 days |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| High | 14 days |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| Medium | 30 days |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| Low | 60 days / next release |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
summary:
|
|
||||||
name: Security Scan Summary
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
needs: analyze
|
|
||||||
if: always()
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Summary
|
|
||||||
run: |
|
|
||||||
echo "### 🛡️ CodeQL Complete" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "**Trigger:** ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "**Branch:** ${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY
|
|
||||||
SECURITY_URL="https://github.com/${{ github.repository }}/security"
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "📊 [View all security alerts]($SECURITY_URL)" >> $GITHUB_STEP_SUMMARY
|
|
||||||
@@ -1,44 +0,0 @@
|
|||||||
# Copyright (C) 2025 Moko Consulting <hello@mokoconsulting.tech>
|
|
||||||
# SPDX-LICENSE-IDENTIFIER: GPL-3.0-or-later
|
|
||||||
#
|
|
||||||
# GitHub Actions workflow for Copilot coding agent
|
|
||||||
# This workflow demonstrates how to use the firewall configuration
|
|
||||||
|
|
||||||
name: "MCP: Copilot Agent"
|
|
||||||
|
|
||||||
on:
|
|
||||||
pull_request:
|
|
||||||
types: [opened, synchronize, reopened]
|
|
||||||
issue_comment:
|
|
||||||
types: [created]
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: write
|
|
||||||
pull-requests: write
|
|
||||||
issues: write
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
copilot-agent:
|
|
||||||
name: Run Copilot Coding Agent
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout repository
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
with:
|
|
||||||
fetch-depth: 0
|
|
||||||
|
|
||||||
- name: Configure Copilot Firewall
|
|
||||||
run: |
|
|
||||||
echo "Configuring firewall allowlist for enterprise-ready sites..."
|
|
||||||
bash .github/copilot/setup-firewall.sh
|
|
||||||
echo "Firewall configuration completed"
|
|
||||||
|
|
||||||
- name: Run Copilot Agent
|
|
||||||
uses: github/copilot-swe-agent@v1
|
|
||||||
with:
|
|
||||||
token: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
issue_number: ${{ github.event.issue.number || github.event.pull_request.number }}
|
|
||||||
env:
|
|
||||||
# Environment variables are set by setup-firewall.sh
|
|
||||||
COPILOT_FIREWALL_ALLOWLIST: ${{ env.COPILOT_FIREWALL_ALLOWLIST }}
|
|
||||||
@@ -1,126 +0,0 @@
|
|||||||
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
||||||
#
|
|
||||||
# FILE INFORMATION
|
|
||||||
# DEFGROUP: Gitea.Workflow
|
|
||||||
# INGROUP: MokoStandards.Deploy
|
|
||||||
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
|
|
||||||
# PATH: /templates/workflows/joomla/deploy-manual.yml.template
|
|
||||||
# VERSION: 04.07.00
|
|
||||||
# BRIEF: Manual SFTP deploy to dev server for Joomla repos
|
|
||||||
|
|
||||||
name: "Universal: Deploy to Dev (Manual)"
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
inputs:
|
|
||||||
clear_remote:
|
|
||||||
description: 'Delete all remote files before uploading'
|
|
||||||
required: false
|
|
||||||
default: 'false'
|
|
||||||
type: boolean
|
|
||||||
|
|
||||||
env:
|
|
||||||
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
deploy:
|
|
||||||
name: SFTP Deploy to Dev
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout repository
|
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
|
||||||
|
|
||||||
- name: Setup PHP
|
|
||||||
run: |
|
|
||||||
php -v && composer --version
|
|
||||||
|
|
||||||
- name: Setup MokoStandards tools
|
|
||||||
env:
|
|
||||||
GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
|
|
||||||
MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
|
|
||||||
MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
|
|
||||||
COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
|
|
||||||
run: |
|
|
||||||
git clone --depth 1 --branch main --quiet \
|
|
||||||
"https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
|
|
||||||
/tmp/mokostandards-api 2>/dev/null || true
|
|
||||||
if [ -d "/tmp/mokostandards-api" ] && [ -f "/tmp/mokostandards-api/composer.json" ]; then
|
|
||||||
cd /tmp/mokostandards-api && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
|
|
||||||
fi
|
|
||||||
|
|
||||||
- name: Check FTP configuration
|
|
||||||
id: check
|
|
||||||
env:
|
|
||||||
HOST: ${{ vars.DEV_FTP_HOST }}
|
|
||||||
PATH_VAR: ${{ vars.DEV_FTP_PATH }}
|
|
||||||
PORT: ${{ vars.DEV_FTP_PORT }}
|
|
||||||
run: |
|
|
||||||
if [ -z "$HOST" ] || [ -z "$PATH_VAR" ]; then
|
|
||||||
echo "DEV_FTP_HOST or DEV_FTP_PATH not configured -- cannot deploy"
|
|
||||||
echo "skip=true" >> "$GITHUB_OUTPUT"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
echo "skip=false" >> "$GITHUB_OUTPUT"
|
|
||||||
echo "host=$HOST" >> "$GITHUB_OUTPUT"
|
|
||||||
|
|
||||||
REMOTE="${PATH_VAR%/}"
|
|
||||||
echo "remote=$REMOTE" >> "$GITHUB_OUTPUT"
|
|
||||||
|
|
||||||
[ -z "$PORT" ] && PORT="22"
|
|
||||||
echo "port=$PORT" >> "$GITHUB_OUTPUT"
|
|
||||||
|
|
||||||
- name: Deploy via SFTP
|
|
||||||
if: steps.check.outputs.skip != 'true'
|
|
||||||
env:
|
|
||||||
SFTP_KEY: ${{ secrets.DEV_FTP_KEY }}
|
|
||||||
SFTP_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
|
|
||||||
SFTP_USER: ${{ vars.DEV_FTP_USERNAME }}
|
|
||||||
run: |
|
|
||||||
SOURCE_DIR="src"
|
|
||||||
[ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
|
|
||||||
[ ! -d "$SOURCE_DIR" ] && { echo "No src/ or htdocs/ -- nothing to deploy"; exit 0; }
|
|
||||||
|
|
||||||
printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
|
|
||||||
"${{ steps.check.outputs.host }}" "${{ steps.check.outputs.port }}" "$SFTP_USER" "${{ steps.check.outputs.remote }}" \
|
|
||||||
> /tmp/sftp-config.json
|
|
||||||
|
|
||||||
if [ -n "$SFTP_KEY" ]; then
|
|
||||||
echo "$SFTP_KEY" > /tmp/deploy_key
|
|
||||||
chmod 600 /tmp/deploy_key
|
|
||||||
printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
|
|
||||||
else
|
|
||||||
printf ',"password":"%s"}' "$SFTP_PASS" >> /tmp/sftp-config.json
|
|
||||||
fi
|
|
||||||
|
|
||||||
DEPLOY_ARGS=(--path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json)
|
|
||||||
[ "${{ inputs.clear_remote }}" = "true" ] && DEPLOY_ARGS+=(--clear-remote)
|
|
||||||
|
|
||||||
PLATFORM=$(php /tmp/mokostandards-api/cli/platform_detect.php --path . 2>/dev/null || true)
|
|
||||||
if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/mokostandards-api/deploy/deploy-joomla.php" ]; then
|
|
||||||
php /tmp/mokostandards-api/deploy/deploy-joomla.php "${DEPLOY_ARGS[@]}"
|
|
||||||
else
|
|
||||||
php /tmp/mokostandards-api/deploy/deploy-sftp.php "${DEPLOY_ARGS[@]}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
rm -f /tmp/deploy_key /tmp/sftp-config.json
|
|
||||||
|
|
||||||
- name: Summary
|
|
||||||
if: always()
|
|
||||||
run: |
|
|
||||||
if [ "${{ steps.check.outputs.skip }}" = "true" ]; then
|
|
||||||
echo "### Deploy Skipped -- FTP not configured" >> $GITHUB_STEP_SUMMARY
|
|
||||||
else
|
|
||||||
echo "### Manual Dev Deploy Complete" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| Host | \`${{ steps.check.outputs.host }}\` |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| Remote | \`${{ steps.check.outputs.remote }}\` |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "| Clear | ${{ inputs.clear_remote }} |" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
@@ -1,758 +0,0 @@
|
|||||||
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
|
||||||
#
|
|
||||||
# This file is part of a Moko Consulting project.
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
||||||
#
|
|
||||||
# This program is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
||||||
|
|
||||||
# FILE INFORMATION
|
|
||||||
# DEFGROUP: GitHub.Workflow
|
|
||||||
# INGROUP: MokoStandards.Firewall
|
|
||||||
# REPO: https://github.com/mokoconsulting-tech/MokoStandards
|
|
||||||
# PATH: /templates/workflows/shared/enterprise-firewall-setup.yml.template
|
|
||||||
# VERSION: 04.06.00
|
|
||||||
# BRIEF: Enterprise firewall configuration — generates outbound allow-rules including SFTP deployment server
|
|
||||||
# NOTE: Reads DEV_FTP_HOST / DEV_FTP_PORT variables to include SFTP egress rules alongside HTTPS rules.
|
|
||||||
|
|
||||||
name: "MCP: Enterprise Firewall"
|
|
||||||
|
|
||||||
# This workflow provides firewall configuration guidance for enterprise-ready sites
|
|
||||||
# It generates firewall rules for allowing outbound access to trusted domains
|
|
||||||
# including license providers, documentation sources, package registries,
|
|
||||||
# and the SFTP deployment server (DEV_FTP_HOST / DEV_FTP_PORT).
|
|
||||||
#
|
|
||||||
# Runs automatically when:
|
|
||||||
# - Coding agent workflows are triggered (pull requests with copilot/ prefix)
|
|
||||||
# - Manual workflow dispatch for custom configurations
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
inputs:
|
|
||||||
firewall_type:
|
|
||||||
description: 'Target firewall type'
|
|
||||||
required: true
|
|
||||||
type: choice
|
|
||||||
options:
|
|
||||||
- 'iptables'
|
|
||||||
- 'ufw'
|
|
||||||
- 'firewalld'
|
|
||||||
- 'aws-security-group'
|
|
||||||
- 'azure-nsg'
|
|
||||||
- 'gcp-firewall'
|
|
||||||
- 'cloudflare'
|
|
||||||
- 'all'
|
|
||||||
default: 'all'
|
|
||||||
output_format:
|
|
||||||
description: 'Output format'
|
|
||||||
required: true
|
|
||||||
type: choice
|
|
||||||
options:
|
|
||||||
- 'shell-script'
|
|
||||||
- 'json'
|
|
||||||
- 'yaml'
|
|
||||||
- 'markdown'
|
|
||||||
- 'all'
|
|
||||||
default: 'markdown'
|
|
||||||
|
|
||||||
# Auto-run when coding agent creates or updates PRs
|
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- 'copilot/**'
|
|
||||||
- 'agent/**'
|
|
||||||
types: [opened, synchronize, reopened]
|
|
||||||
|
|
||||||
# Auto-run on push to coding agent branches
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- 'copilot/**'
|
|
||||||
- 'agent/**'
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
actions: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
generate-firewall-rules:
|
|
||||||
name: Generate Firewall Rules
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout repository
|
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
|
||||||
|
|
||||||
- name: Set up Python
|
|
||||||
uses: actions/setup-python@v6
|
|
||||||
with:
|
|
||||||
python-version: '3.11'
|
|
||||||
|
|
||||||
- name: Apply Firewall Rules to Runner (Auto-run only)
|
|
||||||
if: github.event_name != 'workflow_dispatch'
|
|
||||||
env:
|
|
||||||
DEV_FTP_HOST: ${{ vars.DEV_FTP_HOST }}
|
|
||||||
DEV_FTP_PORT: ${{ vars.DEV_FTP_PORT }}
|
|
||||||
run: |
|
|
||||||
echo "🔥 Applying firewall rules for coding agent environment..."
|
|
||||||
echo ""
|
|
||||||
echo "This step ensures the GitHub Actions runner can access trusted domains"
|
|
||||||
echo "including license providers, package registries, and documentation sources."
|
|
||||||
echo ""
|
|
||||||
|
|
||||||
# Note: GitHub Actions runners are ephemeral and run in controlled environments
|
|
||||||
# This step documents what domains are being accessed during the workflow
|
|
||||||
# Actual firewall configuration is managed by GitHub
|
|
||||||
|
|
||||||
cat > /tmp/trusted-domains.txt << 'EOF'
|
|
||||||
# Trusted domains for coding agent environment
|
|
||||||
# License Providers
|
|
||||||
www.gnu.org
|
|
||||||
opensource.org
|
|
||||||
choosealicense.com
|
|
||||||
spdx.org
|
|
||||||
creativecommons.org
|
|
||||||
apache.org
|
|
||||||
fsf.org
|
|
||||||
|
|
||||||
# Documentation & Standards
|
|
||||||
semver.org
|
|
||||||
keepachangelog.com
|
|
||||||
conventionalcommits.org
|
|
||||||
|
|
||||||
# GitHub & Related
|
|
||||||
github.com
|
|
||||||
api.github.com
|
|
||||||
docs.github.com
|
|
||||||
raw.githubusercontent.com
|
|
||||||
ghcr.io
|
|
||||||
|
|
||||||
# Package Registries
|
|
||||||
npmjs.com
|
|
||||||
registry.npmjs.org
|
|
||||||
pypi.org
|
|
||||||
files.pythonhosted.org
|
|
||||||
packagist.org
|
|
||||||
repo.packagist.org
|
|
||||||
rubygems.org
|
|
||||||
|
|
||||||
# Platform-Specific
|
|
||||||
joomla.org
|
|
||||||
downloads.joomla.org
|
|
||||||
docs.joomla.org
|
|
||||||
php.net
|
|
||||||
getcomposer.org
|
|
||||||
dolibarr.org
|
|
||||||
wiki.dolibarr.org
|
|
||||||
docs.dolibarr.org
|
|
||||||
|
|
||||||
# Moko Consulting
|
|
||||||
mokoconsulting.tech
|
|
||||||
|
|
||||||
# SFTP Deployment Server (DEV_FTP_HOST)
|
|
||||||
${DEV_FTP_HOST:-<not configured>}
|
|
||||||
|
|
||||||
# Google Services
|
|
||||||
drive.google.com
|
|
||||||
docs.google.com
|
|
||||||
sheets.google.com
|
|
||||||
accounts.google.com
|
|
||||||
storage.googleapis.com
|
|
||||||
fonts.googleapis.com
|
|
||||||
fonts.gstatic.com
|
|
||||||
|
|
||||||
# GitHub Extended
|
|
||||||
upload.github.com
|
|
||||||
objects.githubusercontent.com
|
|
||||||
user-images.githubusercontent.com
|
|
||||||
codeload.github.com
|
|
||||||
pkg.github.com
|
|
||||||
|
|
||||||
# Developer Reference
|
|
||||||
developer.mozilla.org
|
|
||||||
stackoverflow.com
|
|
||||||
git-scm.com
|
|
||||||
|
|
||||||
# CDN & Infrastructure
|
|
||||||
cdn.jsdelivr.net
|
|
||||||
unpkg.com
|
|
||||||
cdnjs.cloudflare.com
|
|
||||||
img.shields.io
|
|
||||||
|
|
||||||
# Container Registries
|
|
||||||
hub.docker.com
|
|
||||||
registry-1.docker.io
|
|
||||||
|
|
||||||
# CI & Code Quality
|
|
||||||
codecov.io
|
|
||||||
sonarcloud.io
|
|
||||||
|
|
||||||
# Terraform & Infrastructure
|
|
||||||
registry.terraform.io
|
|
||||||
releases.hashicorp.com
|
|
||||||
checkpoint-api.hashicorp.com
|
|
||||||
EOF
|
|
||||||
|
|
||||||
echo "✓ Trusted domains documented for this runner"
|
|
||||||
echo "✓ GitHub Actions runners have network access to these domains"
|
|
||||||
echo ""
|
|
||||||
|
|
||||||
# Test connectivity to key domains
|
|
||||||
echo "Testing connectivity to key domains..."
|
|
||||||
for domain in "github.com" "www.gnu.org" "npmjs.com" "pypi.org"; do
|
|
||||||
if curl -s --max-time 3 -o /dev/null -w "%{http_code}" "https://$domain" | grep -q "200\|301\|302"; then
|
|
||||||
echo " ✓ $domain is accessible"
|
|
||||||
else
|
|
||||||
echo " ⚠️ $domain connectivity check failed (may be expected)"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
# Test SFTP server connectivity (TCP port check)
|
|
||||||
SFTP_HOST="${DEV_FTP_HOST:-}"
|
|
||||||
SFTP_PORT="${DEV_FTP_PORT:-22}"
|
|
||||||
if [ -n "$SFTP_HOST" ]; then
|
|
||||||
# Strip any embedded :port suffix
|
|
||||||
SFTP_HOST="${SFTP_HOST%%:*}"
|
|
||||||
echo ""
|
|
||||||
echo "Testing SFTP deployment server connectivity..."
|
|
||||||
if timeout 5 bash -c "echo >/dev/tcp/${SFTP_HOST}/${SFTP_PORT}" 2>/dev/null; then
|
|
||||||
echo " ✓ SFTP server ${SFTP_HOST}:${SFTP_PORT} is reachable"
|
|
||||||
else
|
|
||||||
echo " ⚠️ SFTP server ${SFTP_HOST}:${SFTP_PORT} is not reachable from runner (firewall rule needed)"
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo ""
|
|
||||||
echo " ℹ️ DEV_FTP_HOST not configured — skipping SFTP connectivity check"
|
|
||||||
fi
|
|
||||||
|
|
||||||
- name: Generate Firewall Configuration
|
|
||||||
id: generate
|
|
||||||
env:
|
|
||||||
DEV_FTP_HOST: ${{ vars.DEV_FTP_HOST }}
|
|
||||||
DEV_FTP_PORT: ${{ vars.DEV_FTP_PORT }}
|
|
||||||
run: |
|
|
||||||
cat > generate_firewall_config.py << 'PYTHON_EOF'
|
|
||||||
#!/usr/bin/env python3
|
|
||||||
"""
|
|
||||||
Enterprise Firewall Configuration Generator
|
|
||||||
|
|
||||||
Generates firewall rules for enterprise-ready deployments allowing
|
|
||||||
access to trusted domains including license providers, documentation
|
|
||||||
sources, package registries, and platform-specific sites.
|
|
||||||
"""
|
|
||||||
|
|
||||||
import json
|
|
||||||
import os
|
|
||||||
import yaml
|
|
||||||
import sys
|
|
||||||
from typing import List, Dict
|
|
||||||
|
|
||||||
# SFTP deployment server from org variables
|
|
||||||
_sftp_host_raw = os.environ.get("DEV_FTP_HOST", "").strip()
|
|
||||||
_sftp_port = os.environ.get("DEV_FTP_PORT", "").strip() or "22"
|
|
||||||
# Strip embedded :port suffix if present
|
|
||||||
_sftp_host = _sftp_host_raw.split(":")[0] if _sftp_host_raw else ""
|
|
||||||
if ":" in _sftp_host_raw and not _sftp_port:
|
|
||||||
_sftp_port = _sftp_host_raw.split(":")[1]
|
|
||||||
|
|
||||||
SFTP_HOST = _sftp_host
|
|
||||||
SFTP_PORT = int(_sftp_port) if _sftp_port.isdigit() else 22
|
|
||||||
|
|
||||||
# Trusted domains from .github/copilot.yml
|
|
||||||
TRUSTED_DOMAINS = {
|
|
||||||
"license_providers": [
|
|
||||||
"www.gnu.org",
|
|
||||||
"opensource.org",
|
|
||||||
"choosealicense.com",
|
|
||||||
"spdx.org",
|
|
||||||
"creativecommons.org",
|
|
||||||
"apache.org",
|
|
||||||
"fsf.org",
|
|
||||||
],
|
|
||||||
"documentation_standards": [
|
|
||||||
"semver.org",
|
|
||||||
"keepachangelog.com",
|
|
||||||
"conventionalcommits.org",
|
|
||||||
],
|
|
||||||
"github_related": [
|
|
||||||
"github.com",
|
|
||||||
"api.github.com",
|
|
||||||
"docs.github.com",
|
|
||||||
"raw.githubusercontent.com",
|
|
||||||
"ghcr.io",
|
|
||||||
],
|
|
||||||
"package_registries": [
|
|
||||||
"npmjs.com",
|
|
||||||
"registry.npmjs.org",
|
|
||||||
"pypi.org",
|
|
||||||
"files.pythonhosted.org",
|
|
||||||
"packagist.org",
|
|
||||||
"repo.packagist.org",
|
|
||||||
"rubygems.org",
|
|
||||||
],
|
|
||||||
"standards_organizations": [
|
|
||||||
"json-schema.org",
|
|
||||||
"w3.org",
|
|
||||||
"ietf.org",
|
|
||||||
],
|
|
||||||
"platform_specific": [
|
|
||||||
"joomla.org",
|
|
||||||
"downloads.joomla.org",
|
|
||||||
"docs.joomla.org",
|
|
||||||
"php.net",
|
|
||||||
"getcomposer.org",
|
|
||||||
"dolibarr.org",
|
|
||||||
"wiki.dolibarr.org",
|
|
||||||
"docs.dolibarr.org",
|
|
||||||
],
|
|
||||||
"moko_consulting": [
|
|
||||||
"mokoconsulting.tech",
|
|
||||||
],
|
|
||||||
"google_services": [
|
|
||||||
"drive.google.com",
|
|
||||||
"docs.google.com",
|
|
||||||
"sheets.google.com",
|
|
||||||
"accounts.google.com",
|
|
||||||
"storage.googleapis.com",
|
|
||||||
"fonts.googleapis.com",
|
|
||||||
"fonts.gstatic.com",
|
|
||||||
],
|
|
||||||
"github_extended": [
|
|
||||||
"upload.github.com",
|
|
||||||
"objects.githubusercontent.com",
|
|
||||||
"user-images.githubusercontent.com",
|
|
||||||
"codeload.github.com",
|
|
||||||
"pkg.github.com",
|
|
||||||
],
|
|
||||||
"developer_reference": [
|
|
||||||
"developer.mozilla.org",
|
|
||||||
"stackoverflow.com",
|
|
||||||
"git-scm.com",
|
|
||||||
],
|
|
||||||
"cdn_and_infrastructure": [
|
|
||||||
"cdn.jsdelivr.net",
|
|
||||||
"unpkg.com",
|
|
||||||
"cdnjs.cloudflare.com",
|
|
||||||
"img.shields.io",
|
|
||||||
],
|
|
||||||
"container_registries": [
|
|
||||||
"hub.docker.com",
|
|
||||||
"registry-1.docker.io",
|
|
||||||
],
|
|
||||||
"ci_code_quality": [
|
|
||||||
"codecov.io",
|
|
||||||
"sonarcloud.io",
|
|
||||||
],
|
|
||||||
"terraform_infrastructure": [
|
|
||||||
"registry.terraform.io",
|
|
||||||
"releases.hashicorp.com",
|
|
||||||
"checkpoint-api.hashicorp.com",
|
|
||||||
],
|
|
||||||
}
|
|
||||||
|
|
||||||
# Inject SFTP deployment server as a separate category (port 22, not 443)
|
|
||||||
if SFTP_HOST:
|
|
||||||
TRUSTED_DOMAINS["sftp_deployment_server"] = [SFTP_HOST]
|
|
||||||
print(f"ℹ️ SFTP deployment server: {SFTP_HOST}:{SFTP_PORT}")
|
|
||||||
|
|
||||||
def generate_sftp_iptables_rules(host: str, port: int) -> str:
|
|
||||||
"""Generate iptables rules specifically for SFTP egress"""
|
|
||||||
return (
|
|
||||||
f"# Allow SFTP to deployment server {host}:{port}\n"
|
|
||||||
f"iptables -A OUTPUT -p tcp -d $(dig +short {host} | head -1)"
|
|
||||||
f" --dport {port} -j ACCEPT # SFTP deploy\n"
|
|
||||||
)
|
|
||||||
|
|
||||||
def generate_sftp_ufw_rules(host: str, port: int) -> str:
|
|
||||||
"""Generate UFW rules for SFTP egress"""
|
|
||||||
return (
|
|
||||||
f"# Allow SFTP to deployment server\n"
|
|
||||||
f"ufw allow out to $(dig +short {host} | head -1)"
|
|
||||||
f" port {port} proto tcp comment 'SFTP deploy to {host}'\n"
|
|
||||||
)
|
|
||||||
|
|
||||||
def generate_sftp_firewalld_rules(host: str, port: int) -> str:
|
|
||||||
"""Generate firewalld rules for SFTP egress"""
|
|
||||||
return (
|
|
||||||
f"# Allow SFTP to deployment server\n"
|
|
||||||
f"firewall-cmd --permanent --add-rich-rule='"
|
|
||||||
f"rule family=ipv4 destination address=$(dig +short {host} | head -1)"
|
|
||||||
f" port port={port} protocol=tcp accept' # SFTP deploy\n"
|
|
||||||
)
|
|
||||||
|
|
||||||
def generate_iptables_rules(domains: List[str]) -> str:
|
|
||||||
"""Generate iptables firewall rules"""
|
|
||||||
rules = ["#!/bin/bash", "", "# Enterprise Firewall Rules - iptables", ""]
|
|
||||||
rules.append("# Allow outbound HTTPS to trusted domains")
|
|
||||||
rules.append("")
|
|
||||||
|
|
||||||
for domain in domains:
|
|
||||||
rules.append(f"# Allow {domain}")
|
|
||||||
rules.append(f"iptables -A OUTPUT -p tcp -d $(dig +short {domain} | head -1) --dport 443 -j ACCEPT")
|
|
||||||
|
|
||||||
rules.append("")
|
|
||||||
rules.append("# Allow DNS lookups")
|
|
||||||
rules.append("iptables -A OUTPUT -p udp --dport 53 -j ACCEPT")
|
|
||||||
rules.append("iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT")
|
|
||||||
|
|
||||||
return "\n".join(rules)
|
|
||||||
|
|
||||||
def generate_ufw_rules(domains: List[str]) -> str:
|
|
||||||
"""Generate UFW firewall rules"""
|
|
||||||
rules = ["#!/bin/bash", "", "# Enterprise Firewall Rules - UFW", ""]
|
|
||||||
rules.append("# Allow outbound HTTPS to trusted domains")
|
|
||||||
rules.append("")
|
|
||||||
|
|
||||||
for domain in domains:
|
|
||||||
rules.append(f"# Allow {domain}")
|
|
||||||
rules.append(f"ufw allow out to $(dig +short {domain} | head -1) port 443 proto tcp comment 'Allow {domain}'")
|
|
||||||
|
|
||||||
rules.append("")
|
|
||||||
rules.append("# Allow DNS")
|
|
||||||
rules.append("ufw allow out 53/udp comment 'Allow DNS UDP'")
|
|
||||||
rules.append("ufw allow out 53/tcp comment 'Allow DNS TCP'")
|
|
||||||
|
|
||||||
return "\n".join(rules)
|
|
||||||
|
|
||||||
def generate_firewalld_rules(domains: List[str]) -> str:
|
|
||||||
"""Generate firewalld rules"""
|
|
||||||
rules = ["#!/bin/bash", "", "# Enterprise Firewall Rules - firewalld", ""]
|
|
||||||
rules.append("# Add trusted domains to firewall")
|
|
||||||
rules.append("")
|
|
||||||
|
|
||||||
for domain in domains:
|
|
||||||
rules.append(f"# Allow {domain}")
|
|
||||||
rules.append(f"firewall-cmd --permanent --add-rich-rule='rule family=ipv4 destination address=$(dig +short {domain} | head -1) port port=443 protocol=tcp accept'")
|
|
||||||
|
|
||||||
rules.append("")
|
|
||||||
rules.append("# Reload firewall")
|
|
||||||
rules.append("firewall-cmd --reload")
|
|
||||||
|
|
||||||
return "\n".join(rules)
|
|
||||||
|
|
||||||
def generate_aws_security_group(domains: List[str]) -> Dict:
|
|
||||||
"""Generate AWS Security Group rules (JSON format)"""
|
|
||||||
rules = {
|
|
||||||
"SecurityGroupRules": {
|
|
||||||
"Egress": []
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
for domain in domains:
|
|
||||||
rules["SecurityGroupRules"]["Egress"].append({
|
|
||||||
"Description": f"Allow HTTPS to {domain}",
|
|
||||||
"IpProtocol": "tcp",
|
|
||||||
"FromPort": 443,
|
|
||||||
"ToPort": 443,
|
|
||||||
"CidrIp": "0.0.0.0/0", # In practice, resolve to specific IPs
|
|
||||||
"Tags": [{
|
|
||||||
"Key": "Domain",
|
|
||||||
"Value": domain
|
|
||||||
}]
|
|
||||||
})
|
|
||||||
|
|
||||||
# Add DNS
|
|
||||||
rules["SecurityGroupRules"]["Egress"].append({
|
|
||||||
"Description": "Allow DNS",
|
|
||||||
"IpProtocol": "udp",
|
|
||||||
"FromPort": 53,
|
|
||||||
"ToPort": 53,
|
|
||||||
"CidrIp": "0.0.0.0/0"
|
|
||||||
})
|
|
||||||
|
|
||||||
return rules
|
|
||||||
|
|
||||||
def generate_markdown_documentation(domains_by_category: Dict[str, List[str]]) -> str:
|
|
||||||
"""Generate markdown documentation"""
|
|
||||||
md = ["# Enterprise Firewall Configuration Guide", ""]
|
|
||||||
md.append("## Overview")
|
|
||||||
md.append("")
|
|
||||||
md.append("This document provides firewall configuration guidance for enterprise-ready deployments.")
|
|
||||||
md.append("It lists trusted domains that should be whitelisted for outbound access to ensure")
|
|
||||||
md.append("proper functionality of license validation, package management, and documentation access.")
|
|
||||||
md.append("")
|
|
||||||
|
|
||||||
md.append("## Trusted Domains by Category")
|
|
||||||
md.append("")
|
|
||||||
|
|
||||||
all_domains = []
|
|
||||||
for category, domains in domains_by_category.items():
|
|
||||||
category_name = category.replace("_", " ").title()
|
|
||||||
md.append(f"### {category_name}")
|
|
||||||
md.append("")
|
|
||||||
md.append("| Domain | Purpose |")
|
|
||||||
md.append("|--------|---------|")
|
|
||||||
|
|
||||||
for domain in domains:
|
|
||||||
all_domains.append(domain)
|
|
||||||
purpose = get_domain_purpose(domain)
|
|
||||||
md.append(f"| `{domain}` | {purpose} |")
|
|
||||||
|
|
||||||
md.append("")
|
|
||||||
|
|
||||||
md.append("## Implementation Examples")
|
|
||||||
md.append("")
|
|
||||||
|
|
||||||
md.append("### iptables Example")
|
|
||||||
md.append("")
|
|
||||||
md.append("```bash")
|
|
||||||
md.append("# Allow HTTPS to trusted domain")
|
|
||||||
md.append(f"iptables -A OUTPUT -p tcp -d $(dig +short {all_domains[0]}) --dport 443 -j ACCEPT")
|
|
||||||
md.append("```")
|
|
||||||
md.append("")
|
|
||||||
|
|
||||||
md.append("### UFW Example")
|
|
||||||
md.append("")
|
|
||||||
md.append("```bash")
|
|
||||||
md.append("# Allow HTTPS to trusted domain")
|
|
||||||
md.append(f"ufw allow out to {all_domains[0]} port 443 proto tcp")
|
|
||||||
md.append("```")
|
|
||||||
md.append("")
|
|
||||||
|
|
||||||
md.append("### AWS Security Group Example")
|
|
||||||
md.append("")
|
|
||||||
md.append("```json")
|
|
||||||
md.append("{")
|
|
||||||
md.append(' "IpPermissions": [{')
|
|
||||||
md.append(' "IpProtocol": "tcp",')
|
|
||||||
md.append(' "FromPort": 443,')
|
|
||||||
md.append(' "ToPort": 443,')
|
|
||||||
md.append(' "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "HTTPS to trusted domains"}]')
|
|
||||||
md.append(" }]")
|
|
||||||
md.append("}")
|
|
||||||
md.append("```")
|
|
||||||
md.append("")
|
|
||||||
|
|
||||||
md.append("## Ports Required")
|
|
||||||
md.append("")
|
|
||||||
md.append("| Port | Protocol | Purpose |")
|
|
||||||
md.append("|------|----------|---------|")
|
|
||||||
md.append("| 443 | TCP | HTTPS (secure web access) |")
|
|
||||||
md.append("| 80 | TCP | HTTP (redirects to HTTPS) |")
|
|
||||||
md.append("| 53 | UDP/TCP | DNS resolution |")
|
|
||||||
md.append("")
|
|
||||||
|
|
||||||
md.append("## Security Considerations")
|
|
||||||
md.append("")
|
|
||||||
md.append("1. **DNS Resolution**: Ensure DNS queries are allowed (port 53 UDP/TCP)")
|
|
||||||
md.append("2. **Certificate Validation**: HTTPS requires ability to reach certificate authorities")
|
|
||||||
md.append("3. **Dynamic IPs**: Some domains use CDNs with dynamic IPs - consider using FQDNs in rules")
|
|
||||||
md.append("4. **Regular Updates**: Review and update whitelist as services change")
|
|
||||||
md.append("5. **Logging**: Enable logging for blocked connections to identify missing rules")
|
|
||||||
md.append("")
|
|
||||||
|
|
||||||
md.append("## Compliance Notes")
|
|
||||||
md.append("")
|
|
||||||
md.append("- All listed domains provide read-only access to public information")
|
|
||||||
md.append("- License providers enable GPL compliance verification")
|
|
||||||
md.append("- Package registries support dependency security scanning")
|
|
||||||
md.append("- No authentication credentials are transmitted to these domains")
|
|
||||||
md.append("")
|
|
||||||
|
|
||||||
return "\n".join(md)
|
|
||||||
|
|
||||||
def get_domain_purpose(domain: str) -> str:
|
|
||||||
"""Get human-readable purpose for a domain"""
|
|
||||||
purposes = {
|
|
||||||
"www.gnu.org": "GNU licenses and documentation",
|
|
||||||
"opensource.org": "Open Source Initiative resources",
|
|
||||||
"choosealicense.com": "GitHub license selection tool",
|
|
||||||
"spdx.org": "Software Package Data Exchange identifiers",
|
|
||||||
"creativecommons.org": "Creative Commons licenses",
|
|
||||||
"apache.org": "Apache Software Foundation licenses",
|
|
||||||
"fsf.org": "Free Software Foundation resources",
|
|
||||||
"semver.org": "Semantic versioning specification",
|
|
||||||
"keepachangelog.com": "Changelog format standards",
|
|
||||||
"conventionalcommits.org": "Commit message conventions",
|
|
||||||
"github.com": "GitHub platform access",
|
|
||||||
"api.github.com": "GitHub API access",
|
|
||||||
"docs.github.com": "GitHub documentation",
|
|
||||||
"raw.githubusercontent.com": "GitHub raw content access",
|
|
||||||
"npmjs.com": "npm package registry",
|
|
||||||
"pypi.org": "Python Package Index",
|
|
||||||
"packagist.org": "PHP Composer package registry",
|
|
||||||
"rubygems.org": "Ruby gems registry",
|
|
||||||
"joomla.org": "Joomla CMS platform",
|
|
||||||
"php.net": "PHP documentation and downloads",
|
|
||||||
"dolibarr.org": "Dolibarr ERP/CRM platform",
|
|
||||||
}
|
|
||||||
return purposes.get(domain, "Trusted resource")
|
|
||||||
|
|
||||||
def main():
|
|
||||||
# Use inputs if provided (manual dispatch), otherwise use defaults (auto-run)
|
|
||||||
firewall_type = "${{ github.event.inputs.firewall_type }}" or "all"
|
|
||||||
output_format = "${{ github.event.inputs.output_format }}" or "markdown"
|
|
||||||
|
|
||||||
print(f"Running in {'manual' if '${{ github.event.inputs.firewall_type }}' else 'automatic'} mode")
|
|
||||||
print(f"Firewall type: {firewall_type}")
|
|
||||||
print(f"Output format: {output_format}")
|
|
||||||
print("")
|
|
||||||
|
|
||||||
# Collect all domains
|
|
||||||
all_domains = []
|
|
||||||
for domains in TRUSTED_DOMAINS.values():
|
|
||||||
all_domains.extend(domains)
|
|
||||||
|
|
||||||
# Remove duplicates and sort
|
|
||||||
all_domains = sorted(set(all_domains))
|
|
||||||
|
|
||||||
print(f"Generating firewall rules for {len(all_domains)} trusted domains...")
|
|
||||||
print("")
|
|
||||||
|
|
||||||
# Exclude SFTP server from HTTPS rule generation (different port)
|
|
||||||
https_domains = [d for d in all_domains if d != SFTP_HOST]
|
|
||||||
|
|
||||||
# Generate based on firewall type
|
|
||||||
if firewall_type in ["iptables", "all"]:
|
|
||||||
rules = generate_iptables_rules(https_domains)
|
|
||||||
if SFTP_HOST:
|
|
||||||
rules += "\n# ── SFTP Deployment Server ──────────────────────────────\n"
|
|
||||||
rules += generate_sftp_iptables_rules(SFTP_HOST, SFTP_PORT)
|
|
||||||
with open("firewall-rules-iptables.sh", "w") as f:
|
|
||||||
f.write(rules)
|
|
||||||
print("✓ Generated iptables rules: firewall-rules-iptables.sh")
|
|
||||||
|
|
||||||
if firewall_type in ["ufw", "all"]:
|
|
||||||
rules = generate_ufw_rules(https_domains)
|
|
||||||
if SFTP_HOST:
|
|
||||||
rules += "\n# ── SFTP Deployment Server ──────────────────────────────\n"
|
|
||||||
rules += generate_sftp_ufw_rules(SFTP_HOST, SFTP_PORT)
|
|
||||||
with open("firewall-rules-ufw.sh", "w") as f:
|
|
||||||
f.write(rules)
|
|
||||||
print("✓ Generated UFW rules: firewall-rules-ufw.sh")
|
|
||||||
|
|
||||||
if firewall_type in ["firewalld", "all"]:
|
|
||||||
rules = generate_firewalld_rules(https_domains)
|
|
||||||
if SFTP_HOST:
|
|
||||||
rules += "\n# ── SFTP Deployment Server ──────────────────────────────\n"
|
|
||||||
rules += generate_sftp_firewalld_rules(SFTP_HOST, SFTP_PORT)
|
|
||||||
with open("firewall-rules-firewalld.sh", "w") as f:
|
|
||||||
f.write(rules)
|
|
||||||
print("✓ Generated firewalld rules: firewall-rules-firewalld.sh")
|
|
||||||
|
|
||||||
if firewall_type in ["aws-security-group", "all"]:
|
|
||||||
rules = generate_aws_security_group(all_domains)
|
|
||||||
with open("firewall-rules-aws-sg.json", "w") as f:
|
|
||||||
json.dump(rules, f, indent=2)
|
|
||||||
print("✓ Generated AWS Security Group rules: firewall-rules-aws-sg.json")
|
|
||||||
|
|
||||||
if output_format in ["yaml", "all"]:
|
|
||||||
with open("trusted-domains.yml", "w") as f:
|
|
||||||
yaml.dump(TRUSTED_DOMAINS, f, default_flow_style=False)
|
|
||||||
print("✓ Generated YAML domain list: trusted-domains.yml")
|
|
||||||
|
|
||||||
if output_format in ["json", "all"]:
|
|
||||||
with open("trusted-domains.json", "w") as f:
|
|
||||||
json.dump(TRUSTED_DOMAINS, f, indent=2)
|
|
||||||
print("✓ Generated JSON domain list: trusted-domains.json")
|
|
||||||
|
|
||||||
if output_format in ["markdown", "all"]:
|
|
||||||
md = generate_markdown_documentation(TRUSTED_DOMAINS)
|
|
||||||
with open("FIREWALL_CONFIGURATION.md", "w") as f:
|
|
||||||
f.write(md)
|
|
||||||
print("✓ Generated documentation: FIREWALL_CONFIGURATION.md")
|
|
||||||
|
|
||||||
print("")
|
|
||||||
print("Domain Categories:")
|
|
||||||
for category, domains in TRUSTED_DOMAINS.items():
|
|
||||||
print(f" - {category}: {len(domains)} domains")
|
|
||||||
|
|
||||||
print("")
|
|
||||||
print("Total unique domains: ", len(all_domains))
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
main()
|
|
||||||
PYTHON_EOF
|
|
||||||
|
|
||||||
chmod +x generate_firewall_config.py
|
|
||||||
pip install PyYAML
|
|
||||||
python3 generate_firewall_config.py
|
|
||||||
|
|
||||||
- name: Upload Firewall Configuration Artifacts
|
|
||||||
uses: actions/upload-artifact@v6
|
|
||||||
with:
|
|
||||||
name: firewall-configurations
|
|
||||||
path: |
|
|
||||||
firewall-rules-*.sh
|
|
||||||
firewall-rules-*.json
|
|
||||||
trusted-domains.*
|
|
||||||
FIREWALL_CONFIGURATION.md
|
|
||||||
retention-days: 90
|
|
||||||
|
|
||||||
- name: Display Summary
|
|
||||||
run: |
|
|
||||||
echo "## Firewall Configuration" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
|
|
||||||
echo "**Mode**: Manual Execution" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "Firewall rules have been generated for enterprise-ready deployments." >> $GITHUB_STEP_SUMMARY
|
|
||||||
else
|
|
||||||
echo "**Mode**: Automatic Execution (Coding Agent Active)" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "This workflow ran automatically because a coding agent (GitHub Copilot) is active." >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "Firewall configuration has been validated for the coding agent environment." >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "### Files Generated" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
if ls firewall-rules-* trusted-domains.* FIREWALL_CONFIGURATION.md 2>/dev/null; then
|
|
||||||
ls -lh firewall-rules-* trusted-domains.* FIREWALL_CONFIGURATION.md 2>/dev/null | awk '{print "- " $9 " (" $5 ")"}' >> $GITHUB_STEP_SUMMARY
|
|
||||||
else
|
|
||||||
echo "- Documentation generated" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
|
|
||||||
echo "### Download Artifacts" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "Download the generated firewall configurations from the workflow artifacts." >> $GITHUB_STEP_SUMMARY
|
|
||||||
else
|
|
||||||
echo "### Trusted Domains Active" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "The coding agent has access to:" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "- License providers (GPL, OSI, SPDX, Apache, etc.)" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "- Package registries (npm, PyPI, Packagist, RubyGems)" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "- Documentation sources (GitHub, Joomla, Dolibarr, PHP)" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "- Standards organizations (W3C, IETF, JSON Schema)" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Usage Instructions:
|
|
||||||
#
|
|
||||||
# This workflow runs in two modes:
|
|
||||||
#
|
|
||||||
# 1. AUTOMATIC MODE (Coding Agent):
|
|
||||||
# - Triggers when coding agent branches (copilot/**, agent/**) are pushed or PR'd
|
|
||||||
# - Validates firewall configuration for the coding agent environment
|
|
||||||
# - Documents accessible domains for compliance
|
|
||||||
# - Ensures license sources and package registries are available
|
|
||||||
#
|
|
||||||
# 2. MANUAL MODE (Enterprise Configuration):
|
|
||||||
# - Manually trigger from the Actions tab
|
|
||||||
# - Select desired firewall type and output format
|
|
||||||
# - Download generated artifacts
|
|
||||||
# - Apply firewall rules to your enterprise environment
|
|
||||||
#
|
|
||||||
# Configuration:
|
|
||||||
# - Trusted domains are sourced from .github/copilot.yml
|
|
||||||
# - Modify copilot.yml to add/remove trusted domains
|
|
||||||
# - Changes automatically propagate to firewall rules
|
|
||||||
#
|
|
||||||
# Important Notes:
|
|
||||||
# - Review generated rules before applying to production
|
|
||||||
# - Some domains may use CDNs with dynamic IPs
|
|
||||||
# - Consider using FQDN-based rules where supported
|
|
||||||
# - Test thoroughly in staging environment first
|
|
||||||
# - Monitor logs for blocked connections
|
|
||||||
# - Update rules as domains/services change
|
|
||||||
@@ -5,7 +5,7 @@
|
|||||||
# FILE INFORMATION
|
# FILE INFORMATION
|
||||||
# DEFGROUP: Gitea.Workflow
|
# DEFGROUP: Gitea.Workflow
|
||||||
# INGROUP: MokoStandards.Security
|
# INGROUP: MokoStandards.Security
|
||||||
# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
|
||||||
# PATH: /templates/workflows/gitleaks.yml.template
|
# PATH: /templates/workflows/gitleaks.yml.template
|
||||||
# VERSION: 01.00.00
|
# VERSION: 01.00.00
|
||||||
# BRIEF: Secret scanning — detect leaked credentials, API keys, and tokens
|
# BRIEF: Secret scanning — detect leaked credentials, API keys, and tokens
|
||||||
@@ -25,10 +25,6 @@
|
|||||||
name: "Universal: Secret Scanning"
|
name: "Universal: Secret Scanning"
|
||||||
|
|
||||||
on:
|
on:
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- 'dev/**'
|
|
||||||
schedule:
|
schedule:
|
||||||
- cron: '0 5 * * 1' # Weekly Monday 05:00 UTC
|
- cron: '0 5 * * 1' # Weekly Monday 05:00 UTC
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
#
|
#
|
||||||
# FILE INFORMATION
|
# FILE INFORMATION
|
||||||
# DEFGROUP: Gitea.Workflow
|
# DEFGROUP: Gitea.Workflow
|
||||||
# INGROUP: moko-platform.Automation
|
# INGROUP: mokocli.Automation
|
||||||
# VERSION: 01.00.00
|
# VERSION: 01.00.00
|
||||||
# BRIEF: Auto-create feature branch when an issue is opened
|
# BRIEF: Auto-create feature branch when an issue is opened
|
||||||
|
|
||||||
@@ -19,7 +19,7 @@ permissions:
|
|||||||
issues: write
|
issues: write
|
||||||
|
|
||||||
env:
|
env:
|
||||||
GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
create-branch:
|
create-branch:
|
||||||
@@ -28,8 +28,8 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Create branch and comment
|
- name: Create branch and comment
|
||||||
run: |
|
run: |
|
||||||
TOKEN="${{ secrets.GA_TOKEN }}"
|
TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
|
||||||
API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
|
API="${MOKOGITEA_URL}/api/v1/repos/${{ github.repository }}"
|
||||||
ISSUE_NUM="${{ github.event.issue.number }}"
|
ISSUE_NUM="${{ github.event.issue.number }}"
|
||||||
ISSUE_TITLE="${{ github.event.issue.title }}"
|
ISSUE_TITLE="${{ github.event.issue.title }}"
|
||||||
|
|
||||||
@@ -58,7 +58,7 @@ jobs:
|
|||||||
echo "Created branch: ${BRANCH}"
|
echo "Created branch: ${BRANCH}"
|
||||||
|
|
||||||
# Comment on issue with branch link
|
# Comment on issue with branch link
|
||||||
REPO_URL="${GITEA_URL}/${{ github.repository }}"
|
REPO_URL="${MOKOGITEA_URL}/${{ github.repository }}"
|
||||||
BODY="Branch created: [\`${BRANCH}\`](${REPO_URL}/src/branch/${BRANCH})\n\n\`\`\`bash\ngit fetch origin\ngit checkout ${BRANCH}\n\`\`\`"
|
BODY="Branch created: [\`${BRANCH}\`](${REPO_URL}/src/branch/${BRANCH})\n\n\`\`\`bash\ngit fetch origin\ngit checkout ${BRANCH}\n\`\`\`"
|
||||||
|
|
||||||
curl -sf -X POST \
|
curl -sf -X POST \
|
||||||
|
|||||||
@@ -32,7 +32,8 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
if: >-
|
if: >-
|
||||||
!contains(github.event.head_commit.message, '[skip ci]') &&
|
!contains(github.event.head_commit.message, '[skip ci]') &&
|
||||||
github.actor != 'github-actions[bot]'
|
github.actor != 'github-actions[bot]' &&
|
||||||
|
!startsWith(github.event.repository.name, 'Template-')
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
@@ -87,13 +88,13 @@ jobs:
|
|||||||
done
|
done
|
||||||
|
|
||||||
# ── Version ──────────────────────────────────────────────────────
|
# ── Version ──────────────────────────────────────────────────────
|
||||||
- name: Setup moko-platform tools
|
- name: Setup mokocli tools
|
||||||
env:
|
env:
|
||||||
GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
|
GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
|
||||||
COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
|
COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
|
||||||
run: |
|
run: |
|
||||||
git clone --depth 1 --branch version/04 --quiet \
|
git clone --depth 1 --branch version/04 --quiet \
|
||||||
"https://x-access-token:${GH_TOKEN}@github.com/MokoConsulting/moko-platform.git" \
|
"https://x-access-token:${GH_TOKEN}@github.com/MokoConsulting/MokoCLI.git" \
|
||||||
/tmp/mokostandards
|
/tmp/mokostandards
|
||||||
cd /tmp/mokostandards
|
cd /tmp/mokostandards
|
||||||
composer install --no-dev --no-interaction --quiet
|
composer install --no-dev --no-interaction --quiet
|
||||||
|
|||||||
@@ -22,6 +22,7 @@ permissions:
|
|||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
if: ${{ !startsWith(github.event.repository.name, 'Template-') }}
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
node-version: [20, 22]
|
node-version: [20, 22]
|
||||||
|
|||||||
@@ -19,6 +19,7 @@ permissions:
|
|||||||
jobs:
|
jobs:
|
||||||
check-sdk:
|
check-sdk:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
if: ${{ !startsWith(github.event.repository.name, 'Template-') }}
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
# DEFGROUP: Gitea.Workflow
|
# DEFGROUP: Gitea.Workflow
|
||||||
# INGROUP: MokoStandards.Notifications
|
# INGROUP: MokoStandards.Notifications
|
||||||
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
|
||||||
# PATH: /.mokogitea/workflows/notify.yml
|
# PATH: /.gitea/workflows/notify.yml
|
||||||
# VERSION: 01.00.00
|
# VERSION: 01.00.00
|
||||||
# BRIEF: Push notifications via ntfy on release success or workflow failure
|
# BRIEF: Push notifications via ntfy on release success or workflow failure
|
||||||
|
|
||||||
@@ -18,7 +18,6 @@ on:
|
|||||||
- "Joomla Build & Release"
|
- "Joomla Build & Release"
|
||||||
- "Joomla Extension CI"
|
- "Joomla Extension CI"
|
||||||
- "Deploy"
|
- "Deploy"
|
||||||
- "Cascade Main → Dev"
|
|
||||||
types:
|
types:
|
||||||
- completed
|
- completed
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,114 @@
|
|||||||
|
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
||||||
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
|
||||||
|
name: "Publish to npm"
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
env:
|
||||||
|
MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
||||||
|
GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
|
||||||
|
GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
publish:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
if: >-
|
||||||
|
!contains(github.event.head_commit.message, '[skip ci]') &&
|
||||||
|
!contains(github.event.head_commit.message, '[skip publish]') &&
|
||||||
|
!startsWith(github.event.repository.name, 'Template-')
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Setup Node.js
|
||||||
|
uses: actions/setup-node@v4
|
||||||
|
with:
|
||||||
|
node-version: '20'
|
||||||
|
registry-url: 'https://registry.npmjs.org'
|
||||||
|
|
||||||
|
- name: Install dependencies
|
||||||
|
run: npm install
|
||||||
|
|
||||||
|
- name: Build
|
||||||
|
run: npm run build
|
||||||
|
|
||||||
|
- name: Auto-bump patch version
|
||||||
|
run: |
|
||||||
|
API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
||||||
|
TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
|
||||||
|
|
||||||
|
PKG_NAME=$(node -p "require('./package.json').name")
|
||||||
|
CURRENT=$(node -p "require('./package.json').version")
|
||||||
|
PUBLISHED=$(npm view "${PKG_NAME}@latest" version 2>/dev/null || echo "0.0.0")
|
||||||
|
|
||||||
|
if [ "$CURRENT" != "$PUBLISHED" ]; then
|
||||||
|
echo "Version ${CURRENT} not yet published, using as-is."
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Bump locally to get the new version
|
||||||
|
npm version patch --no-git-tag-version
|
||||||
|
NEW_VER=$(node -p "require('./package.json').version")
|
||||||
|
echo "Bumping ${CURRENT} -> ${NEW_VER}"
|
||||||
|
|
||||||
|
# Push via Gitea API: branch + PR + merge
|
||||||
|
BRANCH="chore/npm-version-bump"
|
||||||
|
FILEPATH="package.json"
|
||||||
|
CONTENT=$(base64 -w 0 < package.json)
|
||||||
|
COMMIT_MSG="chore: bump to ${NEW_VER} [skip ci]"
|
||||||
|
|
||||||
|
# Get current file SHA on main
|
||||||
|
FILE_SHA=$(curl -sf -H "Authorization: token ${TOKEN}" \
|
||||||
|
"${API_BASE}/contents/${FILEPATH}?ref=main" \
|
||||||
|
| python3 -c "import json,sys; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
|
||||||
|
|
||||||
|
# Create chore branch from main
|
||||||
|
curl -sf -X POST -H "Authorization: token ${TOKEN}" \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
"${API_BASE}/branches" \
|
||||||
|
-d "{\"new_branch_name\":\"${BRANCH}\",\"old_branch_name\":\"main\"}" 2>/dev/null || true
|
||||||
|
|
||||||
|
# Get file SHA on chore branch (may differ if branch already existed)
|
||||||
|
BRANCH_SHA=$(curl -sf -H "Authorization: token ${TOKEN}" \
|
||||||
|
"${API_BASE}/contents/${FILEPATH}?ref=${BRANCH}" \
|
||||||
|
| python3 -c "import json,sys; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
|
||||||
|
[ -n "$BRANCH_SHA" ] && FILE_SHA="$BRANCH_SHA"
|
||||||
|
|
||||||
|
# Push package.json to chore branch
|
||||||
|
PAYLOAD="{\"content\":\"${CONTENT}\",\"message\":\"${COMMIT_MSG}\",\"branch\":\"${BRANCH}\",\"sha\":\"${FILE_SHA}\"}"
|
||||||
|
HTTP=$(curl -sf -o /dev/null -w "%{http_code}" -X PUT \
|
||||||
|
-H "Authorization: token ${TOKEN}" \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
-d "$PAYLOAD" \
|
||||||
|
"${API_BASE}/contents/${FILEPATH}" 2>/dev/null || echo "ERR")
|
||||||
|
echo "File push: HTTP ${HTTP}"
|
||||||
|
|
||||||
|
# Create PR
|
||||||
|
PR_NUM=$(curl -sf -X POST -H "Authorization: token ${TOKEN}" \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
"${API_BASE}/pulls" \
|
||||||
|
-d "{\"title\":\"${COMMIT_MSG}\",\"head\":\"${BRANCH}\",\"base\":\"main\"}" \
|
||||||
|
| python3 -c "import json,sys; print(json.load(sys.stdin).get('number',''))" 2>/dev/null || true)
|
||||||
|
|
||||||
|
if [ -n "$PR_NUM" ]; then
|
||||||
|
# Merge PR
|
||||||
|
curl -sf -X POST -H "Authorization: token ${TOKEN}" \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
"${API_BASE}/pulls/${PR_NUM}/merge" \
|
||||||
|
-d "{\"Do\":\"merge\",\"merge_message_field\":\"${COMMIT_MSG}\"}" 2>/dev/null
|
||||||
|
echo "Version bumped via PR #${PR_NUM} (merged)"
|
||||||
|
else
|
||||||
|
echo "::warning::Could not create PR for version bump — publishing with current version"
|
||||||
|
fi
|
||||||
|
env:
|
||||||
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
||||||
|
|
||||||
|
- name: Publish
|
||||||
|
run: npm publish --access public
|
||||||
|
env:
|
||||||
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
||||||
@@ -4,8 +4,8 @@
|
|||||||
#
|
#
|
||||||
# FILE INFORMATION
|
# FILE INFORMATION
|
||||||
# DEFGROUP: Gitea.Workflow
|
# DEFGROUP: Gitea.Workflow
|
||||||
# INGROUP: moko-platform.CI
|
# INGROUP: mokocli.CI
|
||||||
# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoCLI
|
||||||
# PATH: /templates/workflows/universal/pr-check.yml.template
|
# PATH: /templates/workflows/universal/pr-check.yml.template
|
||||||
# VERSION: 09.23.00
|
# VERSION: 09.23.00
|
||||||
# BRIEF: PR gate — branch policy + code validation before merge
|
# BRIEF: PR gate — branch policy + code validation before merge
|
||||||
@@ -96,6 +96,32 @@ jobs:
|
|||||||
echo "Branch policy: OK (${HEAD} → ${BASE})"
|
echo "Branch policy: OK (${HEAD} → ${BASE})"
|
||||||
echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
|
echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
|
||||||
|
|
||||||
|
# ── Secret Scanning ──────────────────────────────────────────────────
|
||||||
|
gitleaks:
|
||||||
|
name: Secret Scan
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
fetch-depth: 0
|
||||||
|
|
||||||
|
- name: Install Gitleaks
|
||||||
|
run: |
|
||||||
|
GITLEAKS_VERSION="8.21.2"
|
||||||
|
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
|
||||||
|
| tar -xz -C /usr/local/bin gitleaks
|
||||||
|
|
||||||
|
- name: Scan PR commits for secrets
|
||||||
|
run: |
|
||||||
|
if gitleaks detect --source . --verbose \
|
||||||
|
--log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} 2>&1; then
|
||||||
|
echo "**No secrets detected.**" >> $GITHUB_STEP_SUMMARY
|
||||||
|
else
|
||||||
|
echo "::error::Potential secrets detected in PR commits"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
# ── Code Validation ────────────────────────────────────────────────────
|
# ── Code Validation ────────────────────────────────────────────────────
|
||||||
validate:
|
validate:
|
||||||
name: Validate PR
|
name: Validate PR
|
||||||
@@ -470,39 +496,26 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- name: Trigger RC pre-release
|
- name: Trigger RC pre-release
|
||||||
env:
|
env:
|
||||||
GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
REPO: ${{ github.repository }}
|
REPO: ${{ github.repository }}
|
||||||
BRANCH: ${{ github.head_ref }}
|
BRANCH: ${{ github.head_ref }}
|
||||||
GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
||||||
run: |
|
run: |
|
||||||
curl -s -X POST "${GITEA_URL}/api/v1/repos/${REPO}/actions/workflows/pre-release.yml/dispatches" -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" -d "{\"ref\":\"${BRANCH}\",\"inputs\":{\"stability\":\"release-candidate\"}}"
|
curl -s -X POST "${MOKOGITEA_URL}/api/v1/repos/${REPO}/actions/workflows/pre-release.yml/dispatches" -H "Authorization: token ${MOKOGITEA_TOKEN}" -H "Content-Type: application/json" -d "{\"ref\":\"${BRANCH}\",\"inputs\":{\"stability\":\"release-candidate\"}}"
|
||||||
echo "### Pre-Release" >> $GITHUB_STEP_SUMMARY
|
echo "### Pre-Release" >> $GITHUB_STEP_SUMMARY
|
||||||
echo "Triggered RC build on branch \`${BRANCH}\`" >> $GITHUB_STEP_SUMMARY
|
echo "Triggered RC build on branch \`${BRANCH}\`" >> $GITHUB_STEP_SUMMARY
|
||||||
|
|
||||||
# ── Issue Reporter ──────────────────────────────────────────────────────
|
# ── Issue Reporter ──────────────────────────────────────────────────────
|
||||||
report-issues:
|
report-issues:
|
||||||
name: Report Issues
|
name: Report Issues
|
||||||
runs-on: ubuntu-latest
|
|
||||||
needs: [branch-policy, validate]
|
needs: [branch-policy, validate]
|
||||||
if: >-
|
if: >-
|
||||||
always() &&
|
always() &&
|
||||||
needs.validate.result == 'failure'
|
needs.validate.result == 'failure'
|
||||||
|
uses: ./.mokogitea/workflows/ci-issue-reporter.yml
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
with:
|
with:
|
||||||
sparse-checkout: automation/ci-issue-reporter.sh
|
gate: "PR Validation"
|
||||||
sparse-checkout-cone-mode: false
|
workflow: "PR Check"
|
||||||
|
severity: error
|
||||||
- name: "File issue for PR validation failure"
|
details: "PR validation failed (syntax, manifest, changelog, or source checks). See the CI run for the specific check that failed."
|
||||||
env:
|
secrets: inherit
|
||||||
GITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
|
||||||
GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
|
||||||
run: |
|
|
||||||
chmod +x automation/ci-issue-reporter.sh
|
|
||||||
./automation/ci-issue-reporter.sh \
|
|
||||||
--gate "PR Validation" \
|
|
||||||
--workflow "PR Check" \
|
|
||||||
--severity error \
|
|
||||||
--details "PR validation failed (syntax, manifest, changelog, or source checks). See the CI run for the specific check that failed."
|
|
||||||
|
|||||||
@@ -4,23 +4,26 @@
|
|||||||
#
|
#
|
||||||
# FILE INFORMATION
|
# FILE INFORMATION
|
||||||
# DEFGROUP: Gitea.Workflow
|
# DEFGROUP: Gitea.Workflow
|
||||||
# INGROUP: moko-platform.Release
|
# INGROUP: mokocli.Release
|
||||||
# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoCLI
|
||||||
# PATH: /templates/workflows/universal/pre-release.yml.template
|
# PATH: /templates/workflows/universal/pre-release.yml.template
|
||||||
# VERSION: 05.01.00
|
# VERSION: 05.02.00
|
||||||
# BRIEF: Manual pre-release -- builds dev/alpha/beta/rc packages from any branch
|
# BRIEF: Auto pre-release on push to dev/alpha/beta/rc branches
|
||||||
|
|
||||||
name: "Universal: Pre-Release"
|
name: "Universal: Pre-Release"
|
||||||
|
|
||||||
on:
|
on:
|
||||||
pull_request:
|
push:
|
||||||
types: [closed]
|
|
||||||
branches:
|
branches:
|
||||||
- dev
|
- dev
|
||||||
pull_request_target:
|
- 'fix/**'
|
||||||
types: [synchronize, opened, reopened]
|
- 'patch/**'
|
||||||
branches:
|
- 'hotfix/**'
|
||||||
- main
|
- 'bugfix/**'
|
||||||
|
- 'chore/**'
|
||||||
|
- alpha
|
||||||
|
- beta
|
||||||
|
- rc
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
inputs:
|
inputs:
|
||||||
stability:
|
stability:
|
||||||
@@ -43,12 +46,11 @@ env:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
name: "Build Pre-Release (${{ inputs.stability || 'development' }})"
|
name: "Build Pre-Release (${{ inputs.stability || github.ref_name }})"
|
||||||
runs-on: release
|
runs-on: release
|
||||||
if: >-
|
if: >-
|
||||||
github.event_name == 'workflow_dispatch' ||
|
github.event_name == 'workflow_dispatch' ||
|
||||||
(github.event_name == 'pull_request' && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'dev') ||
|
github.event_name == 'push'
|
||||||
(github.event_name == 'pull_request_target' && github.event.pull_request.base.ref == 'main')
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
@@ -56,41 +58,64 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
token: ${{ secrets.MOKOGITEA_TOKEN }}
|
token: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
|
ref: ${{ github.ref_name }}
|
||||||
|
submodules: recursive
|
||||||
|
|
||||||
- name: Setup moko-platform tools
|
- name: Update submodules to main
|
||||||
|
run: |
|
||||||
|
git submodule foreach --quiet 'git checkout main && git pull --quiet origin main' 2>/dev/null || true
|
||||||
|
|
||||||
|
- name: Setup mokocli tools
|
||||||
env:
|
env:
|
||||||
MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
|
MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
|
||||||
run: |
|
run: |
|
||||||
# Use pre-installed /opt/moko-platform if available (updated by cron every 6h)
|
# Use pre-installed /opt/mokocli if available (updated by cron every 6h)
|
||||||
if [ -f “/opt/moko-platform/cli/version_bump.php” ] && [ -f “/opt/moko-platform/vendor/autoload.php” ]; then
|
if [ -f /opt/mokocli/cli/version_bump.php ] && [ -f /opt/mokocli/cli/manifest_element.php ] && [ -f /opt/mokocli/vendor/autoload.php ]; then
|
||||||
echo “Using pre-installed /opt/moko-platform”
|
echo Using pre-installed /opt/mokocli
|
||||||
echo “MOKO_CLI=/opt/moko-platform/cli” >> “$GITHUB_ENV”
|
echo MOKO_CLI=/opt/mokocli/cli >> $GITHUB_ENV
|
||||||
else
|
else
|
||||||
echo “Falling back to fresh clone”
|
echo Falling back to fresh clone
|
||||||
if ! command -v composer &> /dev/null; then
|
if ! command -v composer > /dev/null 2>&1; then
|
||||||
sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
|
sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
|
||||||
fi
|
fi
|
||||||
rm -rf /tmp/moko-platform-api
|
rm -rf /tmp/mokocli
|
||||||
git clone --depth 1 --branch main --quiet \
|
CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoCLI.git
|
||||||
“https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git” \
|
git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokocli
|
||||||
/tmp/moko-platform-api
|
cd /tmp/mokocli && composer install --no-dev --no-interaction --quiet
|
||||||
cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
|
echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
|
||||||
echo “MOKO_CLI=/tmp/moko-platform-api/cli” >> “$GITHUB_ENV”
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
- name: Detect platform
|
- name: Detect platform
|
||||||
id: platform
|
id: platform
|
||||||
run: |
|
run: |
|
||||||
|
# Auto-detect and update platform if not set in manifest
|
||||||
|
php ${MOKO_CLI}/platform_detect.php --path . --github-output 2>/dev/null || true
|
||||||
php ${MOKO_CLI}/manifest_read.php --path . --github-output
|
php ${MOKO_CLI}/manifest_read.php --path . --github-output
|
||||||
|
|
||||||
|
- name: Check platform eligibility (Joomla only)
|
||||||
|
id: eligibility
|
||||||
|
run: |
|
||||||
|
PLATFORM="${{ steps.platform.outputs.platform }}"
|
||||||
|
if [[ "$PLATFORM" == joomla* ]] || [[ "$PLATFORM" == "joomla" ]]; then
|
||||||
|
echo "proceed=true" >> "$GITHUB_OUTPUT"
|
||||||
|
else
|
||||||
|
echo "proceed=false" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "::notice::Platform '$PLATFORM' — non-Joomla, skipping pre-release auto-bump"
|
||||||
|
fi
|
||||||
|
|
||||||
- name: Resolve metadata and bump version
|
- name: Resolve metadata and bump version
|
||||||
id: meta
|
id: meta
|
||||||
|
if: steps.eligibility.outputs.proceed == 'true'
|
||||||
run: |
|
run: |
|
||||||
# Auto-detect stability: RC for PRs targeting main, else use input or default to development
|
# Auto-detect stability from branch name on push, or use input on dispatch
|
||||||
if [ "${{ github.event_name }}" = "pull_request_target" ] && [ "${{ github.event.pull_request.base.ref }}" = "main" ]; then
|
if [ "${{ github.event_name }}" = "push" ]; then
|
||||||
STABILITY="release-candidate"
|
case "${{ github.ref_name }}" in
|
||||||
|
rc) STABILITY="release-candidate" ;;
|
||||||
|
alpha) STABILITY="alpha" ;;
|
||||||
|
beta) STABILITY="beta" ;;
|
||||||
|
*) STABILITY="development" ;;
|
||||||
|
esac
|
||||||
else
|
else
|
||||||
STABILITY="${{ inputs.stability || 'development' }}"
|
STABILITY="${{ inputs.stability || 'development' }}"
|
||||||
fi
|
fi
|
||||||
@@ -118,6 +143,9 @@ jobs:
|
|||||||
--path . --version "$VERSION" --branch "${{ github.ref_name }}" --stability "$STABILITY" 2>/dev/null || true
|
--path . --version "$VERSION" --branch "${{ github.ref_name }}" --stability "$STABILITY" 2>/dev/null || true
|
||||||
php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
|
php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
|
||||||
|
|
||||||
|
# Ensure licensing tags (updateservers, dlid) if enabled in manifest.xml
|
||||||
|
php ${MOKO_CLI}/manifest_licensing.php --path . --fix 2>/dev/null || true
|
||||||
|
|
||||||
# Append suffix for output
|
# Append suffix for output
|
||||||
if [ -n "$SUFFIX" ]; then
|
if [ -n "$SUFFIX" ]; then
|
||||||
VERSION="${VERSION}${SUFFIX}"
|
VERSION="${VERSION}${SUFFIX}"
|
||||||
@@ -155,6 +183,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Create release
|
- name: Create release
|
||||||
id: release
|
id: release
|
||||||
|
if: steps.eligibility.outputs.proceed == 'true'
|
||||||
run: |
|
run: |
|
||||||
TAG="${{ steps.meta.outputs.tag }}"
|
TAG="${{ steps.meta.outputs.tag }}"
|
||||||
VERSION="${{ steps.meta.outputs.version }}"
|
VERSION="${{ steps.meta.outputs.version }}"
|
||||||
@@ -162,9 +191,10 @@ jobs:
|
|||||||
php ${MOKO_CLI}/release_create.php \
|
php ${MOKO_CLI}/release_create.php \
|
||||||
--path . --version "$VERSION" --tag "$TAG" \
|
--path . --version "$VERSION" --tag "$TAG" \
|
||||||
--token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
|
--token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
|
||||||
--repo "${GITEA_REPO}" --branch dev --prerelease
|
--repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
|
||||||
|
|
||||||
- name: Update release notes from CHANGELOG.md
|
- name: Update release notes from CHANGELOG.md
|
||||||
|
if: steps.eligibility.outputs.proceed == 'true'
|
||||||
run: |
|
run: |
|
||||||
TAG="${{ steps.meta.outputs.tag }}"
|
TAG="${{ steps.meta.outputs.tag }}"
|
||||||
VERSION="${{ steps.meta.outputs.version }}"
|
VERSION="${{ steps.meta.outputs.version }}"
|
||||||
@@ -201,6 +231,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Build package and upload
|
- name: Build package and upload
|
||||||
id: package
|
id: package
|
||||||
|
if: steps.eligibility.outputs.proceed == 'true'
|
||||||
run: |
|
run: |
|
||||||
VERSION="${{ steps.meta.outputs.version }}"
|
VERSION="${{ steps.meta.outputs.version }}"
|
||||||
TAG="${{ steps.meta.outputs.tag }}"
|
TAG="${{ steps.meta.outputs.tag }}"
|
||||||
@@ -214,6 +245,7 @@ jobs:
|
|||||||
# No need to build, commit, or sync updates.xml from workflows
|
# No need to build, commit, or sync updates.xml from workflows
|
||||||
|
|
||||||
- name: "Delete lesser pre-release channels (cascade)"
|
- name: "Delete lesser pre-release channels (cascade)"
|
||||||
|
if: steps.eligibility.outputs.proceed == 'true'
|
||||||
continue-on-error: true
|
continue-on-error: true
|
||||||
run: |
|
run: |
|
||||||
API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
|
||||||
|
|||||||
@@ -0,0 +1,71 @@
|
|||||||
|
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
#
|
||||||
|
# FILE INFORMATION
|
||||||
|
# DEFGROUP: Gitea.Workflow
|
||||||
|
# INGROUP: mokocli.Universal
|
||||||
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoCLI
|
||||||
|
# PATH: /.mokogitea/workflows/rc-revert.yml
|
||||||
|
# VERSION: 09.23.00
|
||||||
|
# BRIEF: Rename rc/ branch back to dev/ when PR is closed without merge
|
||||||
|
|
||||||
|
name: "RC Revert"
|
||||||
|
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
types: [closed]
|
||||||
|
|
||||||
|
env:
|
||||||
|
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
revert:
|
||||||
|
name: Rename rc/ back to dev/
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
if: >-
|
||||||
|
github.event.pull_request.merged == false &&
|
||||||
|
startsWith(github.event.pull_request.head.ref, 'rc/')
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Rename branch
|
||||||
|
env:
|
||||||
|
BRANCH: ${{ github.event.pull_request.head.ref }}
|
||||||
|
REPO: ${{ github.repository }}
|
||||||
|
GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
||||||
|
TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
# BRANCH is attacker-controlled (PR head ref). Strict allowlist before ANY use.
|
||||||
|
if ! printf '%s' "$BRANCH" | grep -Eq '^rc/[A-Za-z0-9._/-]+$'; then
|
||||||
|
echo "::error::Refusing unsafe branch name: $BRANCH"; exit 1
|
||||||
|
fi
|
||||||
|
SUFFIX="${BRANCH#rc/}"
|
||||||
|
DEV_BRANCH="dev/${SUFFIX}"
|
||||||
|
API="${GITEA_URL}/api/v1/repos/${REPO}/branches"
|
||||||
|
|
||||||
|
# Create dev/ branch from rc/ branch
|
||||||
|
STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X POST \
|
||||||
|
-H "Authorization: token ${TOKEN}" \
|
||||||
|
-H "Content-Type: application/json" \
|
||||||
|
-d "{\"new_branch_name\": \"${DEV_BRANCH}\", \"old_branch_name\": \"${BRANCH}\"}" \
|
||||||
|
"${API}" 2>/dev/null || true)
|
||||||
|
if [ "$STATUS" = "201" ]; then
|
||||||
|
echo "Created branch: ${DEV_BRANCH}" >> "$GITHUB_STEP_SUMMARY"
|
||||||
|
else
|
||||||
|
echo "::error::Failed to create ${DEV_BRANCH} from ${BRANCH} (HTTP ${STATUS})"; exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Read BRANCH from the environment inside PHP (getenv, no string interpolation -> no PHP injection)
|
||||||
|
ENCODED=$(php -r 'echo rawurlencode(getenv("BRANCH"));')
|
||||||
|
STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
|
||||||
|
-H "Authorization: token ${TOKEN}" \
|
||||||
|
"${API}/${ENCODED}" 2>/dev/null || true)
|
||||||
|
if [ "$STATUS" = "204" ]; then
|
||||||
|
echo "Deleted branch: ${BRANCH}" >> "$GITHUB_STEP_SUMMARY"
|
||||||
|
else
|
||||||
|
echo "::warning::Failed to delete ${BRANCH} (HTTP ${STATUS})"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "### RC Reverted" >> "$GITHUB_STEP_SUMMARY"
|
||||||
|
echo "${BRANCH} → ${DEV_BRANCH}" >> "$GITHUB_STEP_SUMMARY"
|
||||||
@@ -7,8 +7,8 @@
|
|||||||
#
|
#
|
||||||
# FILE INFORMATION
|
# FILE INFORMATION
|
||||||
# DEFGROUP: Gitea.Workflow
|
# DEFGROUP: Gitea.Workflow
|
||||||
# INGROUP: moko-platform.Validation
|
# INGROUP: mokocli.Validation
|
||||||
# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoCLI
|
||||||
# PATH: /templates/workflows/joomla/repo_health.yml.template
|
# PATH: /templates/workflows/joomla/repo_health.yml.template
|
||||||
# VERSION: 09.23.00
|
# VERSION: 09.23.00
|
||||||
# BRIEF: Enforces repository guardrails by validating scripts governance, tooling availability, and core repository health artifacts.
|
# BRIEF: Enforces repository guardrails by validating scripts governance, tooling availability, and core repository health artifacts.
|
||||||
@@ -33,7 +33,8 @@ on:
|
|||||||
- scripts
|
- scripts
|
||||||
- repo
|
- repo
|
||||||
pull_request:
|
pull_request:
|
||||||
push:
|
branches:
|
||||||
|
- main
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
@@ -76,7 +77,7 @@ jobs:
|
|||||||
- name: Check actor permission (admin only)
|
- name: Check actor permission (admin only)
|
||||||
id: perm
|
id: perm
|
||||||
env:
|
env:
|
||||||
TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
|
TOKEN: ${{ secrets.MOKOGITEA_TOKEN || github.token }}
|
||||||
REPO: ${{ github.repository }}
|
REPO: ${{ github.repository }}
|
||||||
ACTOR: ${{ github.actor }}
|
ACTOR: ${{ github.actor }}
|
||||||
run: |
|
run: |
|
||||||
@@ -670,42 +671,30 @@ jobs:
|
|||||||
# ═══════════════════════════════════════════════════════════════════════
|
# ═══════════════════════════════════════════════════════════════════════
|
||||||
# Issue Reporter — file issues for failed gates
|
# Issue Reporter — file issues for failed gates
|
||||||
# ═══════════════════════════════════════════════════════════════════════
|
# ═══════════════════════════════════════════════════════════════════════
|
||||||
report-issues:
|
report-scripts:
|
||||||
name: "Report Issues"
|
name: "Report: Scripts Governance"
|
||||||
runs-on: ubuntu-latest
|
needs: [access_check, scripts_governance]
|
||||||
needs: [access_check, scripts_governance, repo_health]
|
|
||||||
if: >-
|
if: >-
|
||||||
always() &&
|
always() &&
|
||||||
(needs.scripts_governance.result == 'failure' ||
|
needs.scripts_governance.result == 'failure'
|
||||||
needs.repo_health.result == 'failure')
|
uses: ./.mokogitea/workflows/ci-issue-reporter.yml
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
with:
|
with:
|
||||||
sparse-checkout: automation/ci-issue-reporter.sh
|
gate: "Scripts Governance"
|
||||||
sparse-checkout-cone-mode: false
|
workflow: "Repo Health"
|
||||||
|
severity: error
|
||||||
|
details: "Scripts directory policy violations detected. Review required and allowed directories."
|
||||||
|
secrets: inherit
|
||||||
|
|
||||||
- name: "File issues for failed gates"
|
report-health:
|
||||||
env:
|
name: "Report: Repository Health"
|
||||||
GITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
needs: [access_check, repo_health]
|
||||||
GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
|
if: >-
|
||||||
run: |
|
always() &&
|
||||||
chmod +x automation/ci-issue-reporter.sh
|
needs.repo_health.result == 'failure'
|
||||||
REPORTER="./automation/ci-issue-reporter.sh"
|
uses: ./.mokogitea/workflows/ci-issue-reporter.yml
|
||||||
WF="Repo Health"
|
with:
|
||||||
|
gate: "Repository Health"
|
||||||
report_gate() {
|
workflow: "Repo Health"
|
||||||
local gate="$1" result="$2" details="$3"
|
severity: error
|
||||||
if [ "$result" = "failure" ]; then
|
details: "Repository health checks failed — missing required artifacts, disallowed files, or content warnings. Check the CI run summary."
|
||||||
"$REPORTER" --gate "$gate" --details "$details" --workflow "$WF" --severity error
|
secrets: inherit
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
report_gate "Scripts Governance" \
|
|
||||||
"${{ needs.scripts_governance.result }}" \
|
|
||||||
"Scripts directory policy violations detected. Review required and allowed directories."
|
|
||||||
|
|
||||||
report_gate "Repository Health" \
|
|
||||||
"${{ needs.repo_health.result }}" \
|
|
||||||
"Repository health checks failed — missing required artifacts, disallowed files, or content warnings. Check the CI run summary."
|
|
||||||
|
|||||||
@@ -1,525 +0,0 @@
|
|||||||
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
|
||||||
#
|
|
||||||
# This file is part of a Moko Consulting project.
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
||||||
#
|
|
||||||
# FILE INFORMATION
|
|
||||||
# DEFGROUP: GitHub.Workflow
|
|
||||||
# INGROUP: MokoStandards.Maintenance
|
|
||||||
# REPO: https://github.com/mokoconsulting-tech/MokoStandards
|
|
||||||
# PATH: /templates/workflows/shared/repository-cleanup.yml.template
|
|
||||||
# VERSION: 04.06.00
|
|
||||||
# BRIEF: Recurring repository maintenance — labels, branches, workflows, logs, doc indexes
|
|
||||||
# NOTE: Synced via bulk-repo-sync to .mokogitea/workflows/repository-cleanup.yml in all governed repos.
|
|
||||||
# Runs on the 1st and 15th of each month at 6:00 AM UTC, and on manual dispatch.
|
|
||||||
|
|
||||||
name: "Universal: Repository Cleanup"
|
|
||||||
|
|
||||||
on:
|
|
||||||
schedule:
|
|
||||||
- cron: '0 6 1,15 * *'
|
|
||||||
workflow_dispatch:
|
|
||||||
inputs:
|
|
||||||
reset_labels:
|
|
||||||
description: 'Delete ALL existing labels and recreate the standard set'
|
|
||||||
type: boolean
|
|
||||||
default: false
|
|
||||||
clean_branches:
|
|
||||||
description: 'Delete old chore/sync-mokostandards-* branches'
|
|
||||||
type: boolean
|
|
||||||
default: true
|
|
||||||
clean_workflows:
|
|
||||||
description: 'Delete orphaned workflow runs (cancelled, stale)'
|
|
||||||
type: boolean
|
|
||||||
default: true
|
|
||||||
clean_logs:
|
|
||||||
description: 'Delete workflow run logs older than 30 days'
|
|
||||||
type: boolean
|
|
||||||
default: true
|
|
||||||
fix_templates:
|
|
||||||
description: 'Strip copyright comment blocks from issue templates'
|
|
||||||
type: boolean
|
|
||||||
default: true
|
|
||||||
rebuild_indexes:
|
|
||||||
description: 'Rebuild docs/ index files'
|
|
||||||
type: boolean
|
|
||||||
default: true
|
|
||||||
delete_closed_issues:
|
|
||||||
description: 'Delete issues that have been closed for more than 30 days'
|
|
||||||
type: boolean
|
|
||||||
default: false
|
|
||||||
|
|
||||||
env:
|
|
||||||
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: write
|
|
||||||
issues: write
|
|
||||||
actions: write
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
cleanup:
|
|
||||||
name: Repository Maintenance
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout repository
|
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
|
||||||
with:
|
|
||||||
token: ${{ secrets.GH_TOKEN || github.token }}
|
|
||||||
fetch-depth: 0
|
|
||||||
|
|
||||||
- name: Check actor permission
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
|
|
||||||
run: |
|
|
||||||
ACTOR="${{ github.actor }}"
|
|
||||||
# Schedule triggers use github-actions[bot]
|
|
||||||
if [ "${{ github.event_name }}" = "schedule" ]; then
|
|
||||||
echo "✅ Scheduled run — authorized"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
AUTHORIZED_USERS="jmiller github-actions[bot]"
|
|
||||||
for user in $AUTHORIZED_USERS; do
|
|
||||||
if [ "$ACTOR" = "$user" ]; then
|
|
||||||
echo "✅ ${ACTOR} authorized"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
PERMISSION=$(gh api "repos/${{ github.repository }}/collaborators/${ACTOR}/permission" \
|
|
||||||
--jq '.permission' 2>/dev/null)
|
|
||||||
case "$PERMISSION" in
|
|
||||||
admin|maintain) echo "✅ ${ACTOR} has ${PERMISSION}" ;;
|
|
||||||
*) echo "❌ Admin or maintain required"; exit 1 ;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
# ── Determine which tasks to run ─────────────────────────────────────
|
|
||||||
# On schedule: run all tasks with safe defaults (labels NOT reset)
|
|
||||||
# On dispatch: use input toggles
|
|
||||||
- name: Set task flags
|
|
||||||
id: tasks
|
|
||||||
run: |
|
|
||||||
if [ "${{ github.event_name }}" = "schedule" ]; then
|
|
||||||
echo "reset_labels=false" >> $GITHUB_OUTPUT
|
|
||||||
echo "clean_branches=true" >> $GITHUB_OUTPUT
|
|
||||||
echo "clean_workflows=true" >> $GITHUB_OUTPUT
|
|
||||||
echo "clean_logs=true" >> $GITHUB_OUTPUT
|
|
||||||
echo "fix_templates=true" >> $GITHUB_OUTPUT
|
|
||||||
echo "rebuild_indexes=true" >> $GITHUB_OUTPUT
|
|
||||||
echo "delete_closed_issues=false" >> $GITHUB_OUTPUT
|
|
||||||
else
|
|
||||||
echo "reset_labels=${{ inputs.reset_labels }}" >> $GITHUB_OUTPUT
|
|
||||||
echo "clean_branches=${{ inputs.clean_branches }}" >> $GITHUB_OUTPUT
|
|
||||||
echo "clean_workflows=${{ inputs.clean_workflows }}" >> $GITHUB_OUTPUT
|
|
||||||
echo "clean_logs=${{ inputs.clean_logs }}" >> $GITHUB_OUTPUT
|
|
||||||
echo "fix_templates=${{ inputs.fix_templates }}" >> $GITHUB_OUTPUT
|
|
||||||
echo "rebuild_indexes=${{ inputs.rebuild_indexes }}" >> $GITHUB_OUTPUT
|
|
||||||
echo "delete_closed_issues=${{ inputs.delete_closed_issues }}" >> $GITHUB_OUTPUT
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ── DELETE RETIRED WORKFLOWS (always runs) ────────────────────────────
|
|
||||||
- name: Delete retired workflow files
|
|
||||||
run: |
|
|
||||||
echo "## 🗑️ Retired Workflow Cleanup" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
RETIRED=(
|
|
||||||
".github/workflows/build.yml"
|
|
||||||
".github/workflows/code-quality.yml"
|
|
||||||
".github/workflows/release-cycle.yml"
|
|
||||||
".github/workflows/release-pipeline.yml"
|
|
||||||
".github/workflows/branch-cleanup.yml"
|
|
||||||
".github/workflows/auto-update-changelog.yml"
|
|
||||||
".github/workflows/enterprise-issue-manager.yml"
|
|
||||||
".github/workflows/flush-actions-cache.yml"
|
|
||||||
".github/workflows/mokostandards-script-runner.yml"
|
|
||||||
".github/workflows/unified-ci.yml"
|
|
||||||
".github/workflows/unified-platform-testing.yml"
|
|
||||||
".github/workflows/reusable-build.yml"
|
|
||||||
".github/workflows/reusable-ci-validation.yml"
|
|
||||||
".github/workflows/reusable-deploy.yml"
|
|
||||||
".github/workflows/reusable-php-quality.yml"
|
|
||||||
".github/workflows/reusable-platform-testing.yml"
|
|
||||||
".github/workflows/reusable-project-detector.yml"
|
|
||||||
".github/workflows/reusable-release.yml"
|
|
||||||
".github/workflows/reusable-script-executor.yml"
|
|
||||||
".github/workflows/rebuild-docs-indexes.yml"
|
|
||||||
".github/workflows/setup-project-v2.yml"
|
|
||||||
".github/workflows/sync-docs-to-project.yml"
|
|
||||||
".github/workflows/release.yml"
|
|
||||||
".github/workflows/sync-changelogs.yml"
|
|
||||||
".github/workflows/version_branch.yml"
|
|
||||||
"update.json"
|
|
||||||
".github/workflows/auto-version-branch.yml"
|
|
||||||
".github/workflows/publish-to-mokodolibarr.yml"
|
|
||||||
".github/workflows/ci.yml"
|
|
||||||
".github/workflows/deploy-rs.yml"
|
|
||||||
"sftp-config.json"
|
|
||||||
"sftp-config.json.template"
|
|
||||||
"scripts/sftp-config"
|
|
||||||
)
|
|
||||||
|
|
||||||
DELETED=0
|
|
||||||
for wf in "${RETIRED[@]}"; do
|
|
||||||
if [ -f "$wf" ]; then
|
|
||||||
git rm "$wf" 2>/dev/null || rm -f "$wf"
|
|
||||||
echo " Deleted: \`$(basename $wf)\`" >> $GITHUB_STEP_SUMMARY
|
|
||||||
DELETED=$((DELETED+1))
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ "$DELETED" -gt 0 ]; then
|
|
||||||
git config --local user.email "github-actions[bot]@users.noreply.github.com"
|
|
||||||
git config --local user.name "github-actions[bot]"
|
|
||||||
git add -A
|
|
||||||
git commit -m "chore: delete ${DELETED} retired workflow file(s) [skip ci]" \
|
|
||||||
--author="github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
|
|
||||||
git push
|
|
||||||
echo "✅ ${DELETED} retired workflow(s) deleted" >> $GITHUB_STEP_SUMMARY
|
|
||||||
else
|
|
||||||
echo "✅ No retired workflows found" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ── LABEL RESET ──────────────────────────────────────────────────────
|
|
||||||
- name: Reset labels to standard set
|
|
||||||
if: steps.tasks.outputs.reset_labels == 'true'
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
|
|
||||||
run: |
|
|
||||||
REPO="${{ github.repository }}"
|
|
||||||
echo "## 🏷️ Label Reset" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
gh api "repos/${REPO}/labels?per_page=100" --paginate --jq '.[].name' | while read -r label; do
|
|
||||||
ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$label', safe=''))")
|
|
||||||
gh api -X DELETE "repos/${REPO}/labels/${ENCODED}" --silent 2>/dev/null || true
|
|
||||||
done
|
|
||||||
|
|
||||||
while IFS='|' read -r name color description; do
|
|
||||||
[ -z "$name" ] && continue
|
|
||||||
gh api "repos/${REPO}/labels" \
|
|
||||||
-f name="$name" -f color="$color" -f description="$description" \
|
|
||||||
--silent 2>/dev/null || true
|
|
||||||
done << 'LABELS'
|
|
||||||
joomla|7F52FF|Joomla extension or component
|
|
||||||
dolibarr|FF6B6B|Dolibarr module or extension
|
|
||||||
generic|808080|Generic project or library
|
|
||||||
php|4F5D95|PHP code changes
|
|
||||||
javascript|F7DF1E|JavaScript code changes
|
|
||||||
typescript|3178C6|TypeScript code changes
|
|
||||||
python|3776AB|Python code changes
|
|
||||||
css|1572B6|CSS/styling changes
|
|
||||||
html|E34F26|HTML template changes
|
|
||||||
documentation|0075CA|Documentation changes
|
|
||||||
ci-cd|000000|CI/CD pipeline changes
|
|
||||||
docker|2496ED|Docker configuration changes
|
|
||||||
tests|00FF00|Test suite changes
|
|
||||||
security|FF0000|Security-related changes
|
|
||||||
dependencies|0366D6|Dependency updates
|
|
||||||
config|F9D0C4|Configuration file changes
|
|
||||||
build|FFA500|Build system changes
|
|
||||||
automation|8B4513|Automated processes or scripts
|
|
||||||
mokostandards|B60205|MokoStandards compliance
|
|
||||||
needs-review|FBCA04|Awaiting code review
|
|
||||||
work-in-progress|D93F0B|Work in progress, not ready for merge
|
|
||||||
breaking-change|D73A4A|Breaking API or functionality change
|
|
||||||
priority: critical|B60205|Critical priority, must be addressed immediately
|
|
||||||
priority: high|D93F0B|High priority
|
|
||||||
priority: medium|FBCA04|Medium priority
|
|
||||||
priority: low|0E8A16|Low priority
|
|
||||||
type: bug|D73A4A|Something isn't working
|
|
||||||
type: feature|A2EEEF|New feature or request
|
|
||||||
type: enhancement|84B6EB|Enhancement to existing feature
|
|
||||||
type: refactor|F9D0C4|Code refactoring
|
|
||||||
type: chore|FEF2C0|Maintenance tasks
|
|
||||||
type: version|0E8A16|Version-related change
|
|
||||||
status: pending|FBCA04|Pending action or decision
|
|
||||||
status: in-progress|0E8A16|Currently being worked on
|
|
||||||
status: blocked|B60205|Blocked by another issue or dependency
|
|
||||||
status: on-hold|D4C5F9|Temporarily on hold
|
|
||||||
status: wontfix|FFFFFF|This will not be worked on
|
|
||||||
size/xs|C5DEF5|Extra small change (1-10 lines)
|
|
||||||
size/s|6FD1E2|Small change (11-30 lines)
|
|
||||||
size/m|F9DD72|Medium change (31-100 lines)
|
|
||||||
size/l|FFA07A|Large change (101-300 lines)
|
|
||||||
size/xl|FF6B6B|Extra large change (301-1000 lines)
|
|
||||||
size/xxl|B60205|Extremely large change (1000+ lines)
|
|
||||||
health: excellent|0E8A16|Health score 90-100
|
|
||||||
health: good|FBCA04|Health score 70-89
|
|
||||||
health: fair|FFA500|Health score 50-69
|
|
||||||
health: poor|FF6B6B|Health score below 50
|
|
||||||
standards-update|B60205|MokoStandards sync update
|
|
||||||
standards-drift|FBCA04|Repository drifted from MokoStandards
|
|
||||||
sync-report|0075CA|Bulk sync run report
|
|
||||||
sync-failure|D73A4A|Bulk sync failure requiring attention
|
|
||||||
push-failure|D73A4A|File push failure requiring attention
|
|
||||||
health-check|0E8A16|Repository health check results
|
|
||||||
version-drift|FFA500|Version mismatch detected
|
|
||||||
deploy-failure|CC0000|Automated deploy failure tracking
|
|
||||||
template-validation-failure|D73A4A|Template workflow validation failure
|
|
||||||
version|0E8A16|Version bump or release
|
|
||||||
LABELS
|
|
||||||
|
|
||||||
echo "✅ Standard labels created" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
# ── BRANCH CLEANUP ───────────────────────────────────────────────────
|
|
||||||
- name: Delete old sync branches
|
|
||||||
if: steps.tasks.outputs.clean_branches == 'true'
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
|
|
||||||
run: |
|
|
||||||
REPO="${{ github.repository }}"
|
|
||||||
CURRENT="chore/sync-mokostandards-v04.05"
|
|
||||||
echo "## 🌿 Branch Cleanup" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
FOUND=false
|
|
||||||
gh api "repos/${REPO}/branches?per_page=100" --jq '.[].name' | \
|
|
||||||
grep "^chore/sync-mokostandards" | \
|
|
||||||
grep -v "^${CURRENT}$" | while read -r branch; do
|
|
||||||
gh pr list --repo "$REPO" --head "$branch" --state open --json number --jq '.[].number' 2>/dev/null | while read -r pr; do
|
|
||||||
gh pr close "$pr" --repo "$REPO" --comment "Superseded by \`${CURRENT}\`" 2>/dev/null || true
|
|
||||||
echo " Closed PR #${pr}" >> $GITHUB_STEP_SUMMARY
|
|
||||||
done
|
|
||||||
gh api -X DELETE "repos/${REPO}/git/refs/heads/${branch}" --silent 2>/dev/null || true
|
|
||||||
echo " Deleted: \`${branch}\`" >> $GITHUB_STEP_SUMMARY
|
|
||||||
FOUND=true
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ "$FOUND" != "true" ]; then
|
|
||||||
echo "✅ No old sync branches found" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ── WORKFLOW RUN CLEANUP ─────────────────────────────────────────────
|
|
||||||
- name: Clean up workflow runs
|
|
||||||
if: steps.tasks.outputs.clean_workflows == 'true'
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
|
|
||||||
run: |
|
|
||||||
REPO="${{ github.repository }}"
|
|
||||||
echo "## 🔄 Workflow Run Cleanup" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
DELETED=0
|
|
||||||
# Delete cancelled and stale workflow runs
|
|
||||||
for status in cancelled stale; do
|
|
||||||
gh api "repos/${REPO}/actions/runs?status=${status}&per_page=100" \
|
|
||||||
--jq '.workflow_runs[].id' 2>/dev/null | while read -r run_id; do
|
|
||||||
gh api -X DELETE "repos/${REPO}/actions/runs/${run_id}" --silent 2>/dev/null || true
|
|
||||||
DELETED=$((DELETED+1))
|
|
||||||
done
|
|
||||||
done
|
|
||||||
|
|
||||||
echo "✅ Cleaned cancelled/stale workflow runs" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
# ── LOG CLEANUP ──────────────────────────────────────────────────────
|
|
||||||
- name: Delete old workflow run logs
|
|
||||||
if: steps.tasks.outputs.clean_logs == 'true'
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
|
|
||||||
run: |
|
|
||||||
REPO="${{ github.repository }}"
|
|
||||||
CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
|
|
||||||
echo "## 📋 Log Cleanup" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "Deleting logs older than: ${CUTOFF}" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
DELETED=0
|
|
||||||
gh api "repos/${REPO}/actions/runs?created=<${CUTOFF}&per_page=100" \
|
|
||||||
--jq '.workflow_runs[].id' 2>/dev/null | while read -r run_id; do
|
|
||||||
gh api -X DELETE "repos/${REPO}/actions/runs/${run_id}/logs" --silent 2>/dev/null || true
|
|
||||||
DELETED=$((DELETED+1))
|
|
||||||
done
|
|
||||||
|
|
||||||
echo "✅ Cleaned old workflow run logs" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
# ── ISSUE TEMPLATE FIX ──────────────────────────────────────────────
|
|
||||||
- name: Strip copyright headers from issue templates
|
|
||||||
if: steps.tasks.outputs.fix_templates == 'true'
|
|
||||||
run: |
|
|
||||||
echo "## 📋 Issue Template Cleanup" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
FIXED=0
|
|
||||||
for f in .github/ISSUE_TEMPLATE/*.md; do
|
|
||||||
[ -f "$f" ] || continue
|
|
||||||
if grep -q '^<!--$' "$f"; then
|
|
||||||
sed -i '/^<!--$/,/^-->$/d' "$f"
|
|
||||||
echo " Cleaned: \`$(basename $f)\`" >> $GITHUB_STEP_SUMMARY
|
|
||||||
FIXED=$((FIXED+1))
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ "$FIXED" -gt 0 ]; then
|
|
||||||
git config --local user.email "github-actions[bot]@users.noreply.github.com"
|
|
||||||
git config --local user.name "github-actions[bot]"
|
|
||||||
git add .github/ISSUE_TEMPLATE/
|
|
||||||
git commit -m "fix: strip copyright comment blocks from issue templates [skip ci]" \
|
|
||||||
--author="github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
|
|
||||||
git push
|
|
||||||
echo "✅ ${FIXED} template(s) cleaned and committed" >> $GITHUB_STEP_SUMMARY
|
|
||||||
else
|
|
||||||
echo "✅ No templates need cleaning" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ── REBUILD DOC INDEXES ─────────────────────────────────────────────
|
|
||||||
- name: Rebuild docs/ index files
|
|
||||||
if: steps.tasks.outputs.rebuild_indexes == 'true'
|
|
||||||
run: |
|
|
||||||
echo "## 📚 Documentation Index Rebuild" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
if [ ! -d "docs" ]; then
|
|
||||||
echo "⏭️ No docs/ directory — skipping" >> $GITHUB_STEP_SUMMARY
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
UPDATED=0
|
|
||||||
# Generate index.md for each docs/ subdirectory
|
|
||||||
find docs -type d | while read -r dir; do
|
|
||||||
INDEX="${dir}/index.md"
|
|
||||||
FILES=$(find "$dir" -maxdepth 1 -name "*.md" ! -name "index.md" -printf "- [%f](./%f)\n" 2>/dev/null | sort)
|
|
||||||
if [ -z "$FILES" ]; then
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat > "$INDEX" << INDEXEOF
|
|
||||||
# $(basename "$dir")
|
|
||||||
|
|
||||||
## Documents
|
|
||||||
|
|
||||||
${FILES}
|
|
||||||
|
|
||||||
---
|
|
||||||
*Auto-generated by repository-cleanup workflow*
|
|
||||||
INDEXEOF
|
|
||||||
# Dedent
|
|
||||||
sed -i 's/^ //' "$INDEX"
|
|
||||||
UPDATED=$((UPDATED+1))
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ "$UPDATED" -gt 0 ]; then
|
|
||||||
git config --local user.email "github-actions[bot]@users.noreply.github.com"
|
|
||||||
git config --local user.name "github-actions[bot]"
|
|
||||||
git add docs/
|
|
||||||
if ! git diff --cached --quiet; then
|
|
||||||
git commit -m "docs: rebuild documentation indexes [skip ci]" \
|
|
||||||
--author="github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
|
|
||||||
git push
|
|
||||||
echo "✅ ${UPDATED} index file(s) rebuilt and committed" >> $GITHUB_STEP_SUMMARY
|
|
||||||
else
|
|
||||||
echo "✅ All indexes already up to date" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "✅ No indexes to rebuild" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ── VERSION DRIFT DETECTION ──────────────────────────────────────────
|
|
||||||
- name: Check for version drift
|
|
||||||
run: |
|
|
||||||
echo "## 📦 Version Drift Check" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
if [ ! -f "README.md" ]; then
|
|
||||||
echo "⏭️ No README.md — skipping" >> $GITHUB_STEP_SUMMARY
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
README_VERSION=$(grep -oP '^\s*VERSION:\s*\K[0-9]{2}\.[0-9]{2}\.[0-9]{2}' README.md 2>/dev/null | head -1)
|
|
||||||
if [ -z "$README_VERSION" ]; then
|
|
||||||
echo "⚠️ No VERSION found in README.md FILE INFORMATION block" >> $GITHUB_STEP_SUMMARY
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "**README version:** \`${README_VERSION}\`" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
DRIFT=0
|
|
||||||
CHECKED=0
|
|
||||||
|
|
||||||
# Check all files with FILE INFORMATION blocks
|
|
||||||
while IFS= read -r -d '' file; do
|
|
||||||
FILE_VERSION=$(grep -oP '^\s*\*?\s*VERSION:\s*\K[0-9]{2}\.[0-9]{2}\.[0-9]{2}' "$file" 2>/dev/null | head -1)
|
|
||||||
[ -z "$FILE_VERSION" ] && continue
|
|
||||||
CHECKED=$((CHECKED+1))
|
|
||||||
if [ "$FILE_VERSION" != "$README_VERSION" ]; then
|
|
||||||
echo " ⚠️ \`${file}\`: \`${FILE_VERSION}\` (expected \`${README_VERSION}\`)" >> $GITHUB_STEP_SUMMARY
|
|
||||||
DRIFT=$((DRIFT+1))
|
|
||||||
fi
|
|
||||||
done < <(find . -maxdepth 4 -type f \( -name "*.php" -o -name "*.md" -o -name "*.yml" \) ! -path "./.git/*" ! -path "./vendor/*" ! -path "./node_modules/*" -print0 2>/dev/null)
|
|
||||||
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
if [ "$DRIFT" -gt 0 ]; then
|
|
||||||
echo "⚠️ **${DRIFT}** file(s) out of ${CHECKED} have version drift" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "Run \`sync-version-on-merge\` workflow or update manually" >> $GITHUB_STEP_SUMMARY
|
|
||||||
else
|
|
||||||
echo "✅ All ${CHECKED} file(s) match README version \`${README_VERSION}\`" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ── PROTECT CUSTOM WORKFLOWS ────────────────────────────────────────
|
|
||||||
- name: Ensure custom workflow directory exists
|
|
||||||
run: |
|
|
||||||
echo "## 🔧 Custom Workflows" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
if [ ! -d ".github/workflows/custom" ]; then
|
|
||||||
mkdir -p .github/workflows/custom
|
|
||||||
cat > .github/workflows/custom/README.md << 'CWEOF'
|
|
||||||
# Custom Workflows
|
|
||||||
|
|
||||||
Place repo-specific workflows here. Files in this directory are:
|
|
||||||
- **Never overwritten** by MokoStandards bulk sync
|
|
||||||
- **Never deleted** by the repository-cleanup workflow
|
|
||||||
- Safe for custom CI, notifications, or repo-specific automation
|
|
||||||
|
|
||||||
Synced workflows live in `.github/workflows/` (parent directory).
|
|
||||||
CWEOF
|
|
||||||
sed -i 's/^ //' .github/workflows/custom/README.md
|
|
||||||
git config --local user.email "github-actions[bot]@users.noreply.github.com"
|
|
||||||
git config --local user.name "github-actions[bot]"
|
|
||||||
git add .github/workflows/custom/
|
|
||||||
if ! git diff --cached --quiet; then
|
|
||||||
git commit -m "chore: create .github/workflows/custom/ for repo-specific workflows [skip ci]" \
|
|
||||||
--author="github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
|
|
||||||
git push
|
|
||||||
echo "✅ Created \`.github/workflows/custom/\` directory" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
CUSTOM_COUNT=$(find .github/workflows/custom -name "*.yml" -o -name "*.yaml" 2>/dev/null | wc -l)
|
|
||||||
echo "✅ Custom workflow directory exists (${CUSTOM_COUNT} workflow(s))" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ── DELETE CLOSED ISSUES ──────────────────────────────────────────────
|
|
||||||
- name: Delete old closed issues
|
|
||||||
if: steps.tasks.outputs.delete_closed_issues == 'true'
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
|
|
||||||
run: |
|
|
||||||
REPO="${{ github.repository }}"
|
|
||||||
CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
|
|
||||||
echo "## 🗑️ Closed Issue Cleanup" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "Deleting issues closed before: ${CUTOFF}" >> $GITHUB_STEP_SUMMARY
|
|
||||||
|
|
||||||
DELETED=0
|
|
||||||
gh api "repos/${REPO}/issues?state=closed&since=1970-01-01T00:00:00Z&per_page=100&sort=updated&direction=asc" \
|
|
||||||
--jq ".[] | select(.closed_at < \"${CUTOFF}\") | .number" 2>/dev/null | while read -r num; do
|
|
||||||
# Lock and close with "not_planned" to mark as cleaned up
|
|
||||||
gh api "repos/${REPO}/issues/${num}/lock" -X PUT -f lock_reason="resolved" --silent 2>/dev/null || true
|
|
||||||
echo " Locked issue #${num}" >> $GITHUB_STEP_SUMMARY
|
|
||||||
DELETED=$((DELETED+1))
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ "$DELETED" -eq 0 ] 2>/dev/null; then
|
|
||||||
echo "✅ No old closed issues found" >> $GITHUB_STEP_SUMMARY
|
|
||||||
else
|
|
||||||
echo "✅ Locked ${DELETED} old closed issue(s)" >> $GITHUB_STEP_SUMMARY
|
|
||||||
fi
|
|
||||||
|
|
||||||
- name: Summary
|
|
||||||
if: always()
|
|
||||||
run: |
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "---" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "*Run by @${{ github.actor }} — trigger: ${{ github.event_name }}*" >> $GITHUB_STEP_SUMMARY
|
|
||||||
@@ -1,82 +0,0 @@
|
|||||||
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
||||||
#
|
|
||||||
# FILE INFORMATION
|
|
||||||
# DEFGROUP: Gitea.Workflow
|
|
||||||
# INGROUP: MokoStandards.Security
|
|
||||||
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
|
|
||||||
# PATH: /.mokogitea/workflows/security-audit.yml
|
|
||||||
# VERSION: 01.00.00
|
|
||||||
# BRIEF: Dependency vulnerability scanning for composer and npm packages
|
|
||||||
|
|
||||||
name: "Universal: Security Audit"
|
|
||||||
|
|
||||||
on:
|
|
||||||
schedule:
|
|
||||||
- cron: '0 6 * * 1' # Weekly on Monday at 06:00 UTC
|
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
paths:
|
|
||||||
- 'composer.json'
|
|
||||||
- 'composer.lock'
|
|
||||||
- 'package.json'
|
|
||||||
- 'package-lock.json'
|
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
env:
|
|
||||||
NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
|
|
||||||
NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
audit:
|
|
||||||
name: Dependency Audit
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: Composer audit
|
|
||||||
if: hashFiles('composer.lock') != ''
|
|
||||||
run: |
|
|
||||||
echo "=== Composer Security Audit ==="
|
|
||||||
if ! command -v composer &> /dev/null; then
|
|
||||||
sudo apt-get update -qq
|
|
||||||
sudo apt-get install -y -qq php-cli composer >/dev/null 2>&1
|
|
||||||
fi
|
|
||||||
composer audit --format=plain 2>&1 | tee /tmp/composer-audit.txt
|
|
||||||
RESULT=$?
|
|
||||||
if [ $RESULT -ne 0 ]; then
|
|
||||||
echo "::warning::Composer vulnerabilities found"
|
|
||||||
echo "composer_vulnerable=true" >> "$GITHUB_ENV"
|
|
||||||
else
|
|
||||||
echo "No known vulnerabilities in composer dependencies"
|
|
||||||
fi
|
|
||||||
|
|
||||||
- name: NPM audit
|
|
||||||
if: hashFiles('package-lock.json') != ''
|
|
||||||
run: |
|
|
||||||
echo "=== NPM Security Audit ==="
|
|
||||||
npm audit --production 2>&1 | tee /tmp/npm-audit.txt || true
|
|
||||||
if npm audit --production 2>&1 | grep -q "found 0 vulnerabilities"; then
|
|
||||||
echo "No known vulnerabilities in npm dependencies"
|
|
||||||
else
|
|
||||||
echo "::warning::NPM vulnerabilities found"
|
|
||||||
echo "npm_vulnerable=true" >> "$GITHUB_ENV"
|
|
||||||
fi
|
|
||||||
|
|
||||||
- name: Notify on vulnerabilities
|
|
||||||
if: env.composer_vulnerable == 'true' || env.npm_vulnerable == 'true'
|
|
||||||
run: |
|
|
||||||
REPO="${{ github.event.repository.name }}"
|
|
||||||
curl -sS \
|
|
||||||
-H "Title: ${REPO} has vulnerable dependencies" \
|
|
||||||
-H "Tags: lock,warning" \
|
|
||||||
-H "Priority: high" \
|
|
||||||
-d "Security audit found vulnerabilities. Review dependency updates." \
|
|
||||||
"${NTFY_URL}/${NTFY_TOPIC}" || true
|
|
||||||
File diff suppressed because it is too large
Load Diff
@@ -1,133 +0,0 @@
|
|||||||
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
|
||||||
#
|
|
||||||
# This file is part of a Moko Consulting project.
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
||||||
#
|
|
||||||
# FILE INFORMATION
|
|
||||||
# DEFGROUP: GitHub.Workflow
|
|
||||||
# INGROUP: MokoStandards.Automation
|
|
||||||
# REPO: https://github.com/mokoconsulting-tech/MokoStandards
|
|
||||||
# PATH: /templates/workflows/shared/sync-version-on-merge.yml.template
|
|
||||||
# VERSION: 04.06.00
|
|
||||||
# BRIEF: Auto-bump patch version on every push to main and propagate to all file headers
|
|
||||||
# NOTE: Synced via bulk-repo-sync to .mokogitea/workflows/sync-version-on-merge.yml in all governed repos.
|
|
||||||
# README.md is the single source of truth for the repository version.
|
|
||||||
|
|
||||||
name: "Universal: Sync Version on Merge"
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- master
|
|
||||||
workflow_dispatch:
|
|
||||||
inputs:
|
|
||||||
dry_run:
|
|
||||||
description: 'Dry run (preview only, no commit)'
|
|
||||||
type: boolean
|
|
||||||
default: false
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: write
|
|
||||||
issues: write
|
|
||||||
|
|
||||||
env:
|
|
||||||
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
sync-version:
|
|
||||||
name: Propagate README version
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout repository
|
|
||||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
|
||||||
with:
|
|
||||||
token: ${{ secrets.GH_TOKEN || github.token }}
|
|
||||||
fetch-depth: 0
|
|
||||||
|
|
||||||
- name: Set up PHP
|
|
||||||
uses: shivammathur/setup-php@fcafdd6392932010c2bd5094439b8e33be2a8a09 # v2.37.0
|
|
||||||
with:
|
|
||||||
php-version: '8.1'
|
|
||||||
tools: composer
|
|
||||||
|
|
||||||
- name: Setup MokoStandards tools
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
|
|
||||||
COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
|
|
||||||
run: |
|
|
||||||
git clone --depth 1 --branch version/04 --quiet \
|
|
||||||
"https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
|
|
||||||
/tmp/mokostandards
|
|
||||||
cd /tmp/mokostandards
|
|
||||||
composer install --no-dev --no-interaction --quiet
|
|
||||||
|
|
||||||
- name: Auto-bump patch version
|
|
||||||
if: ${{ github.event_name == 'push' && github.actor != 'github-actions[bot]' }}
|
|
||||||
run: |
|
|
||||||
if git diff --name-only HEAD~1 HEAD 2>/dev/null | grep -q '^README\.md$'; then
|
|
||||||
echo "README.md changed in this push — skipping auto-bump"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
RESULT=$(php /tmp/mokostandards/api/cli/version_bump.php --path .) || {
|
|
||||||
echo "⚠️ Could not bump version — skipping"
|
|
||||||
exit 0
|
|
||||||
}
|
|
||||||
echo "Auto-bumping patch: $RESULT"
|
|
||||||
git config --local user.email "github-actions[bot]@users.noreply.github.com"
|
|
||||||
git config --local user.name "github-actions[bot]"
|
|
||||||
git add README.md
|
|
||||||
git commit -m "chore(version): auto-bump patch ${RESULT} [skip ci]" \
|
|
||||||
--author="github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
|
|
||||||
git push
|
|
||||||
|
|
||||||
- name: Extract version from README.md
|
|
||||||
id: readme_version
|
|
||||||
run: |
|
|
||||||
git pull --ff-only 2>/dev/null || true
|
|
||||||
VERSION=$(php /tmp/mokostandards/api/cli/version_read.php --path . 2>/dev/null)
|
|
||||||
if [ -z "$VERSION" ]; then
|
|
||||||
echo "⚠️ No VERSION in README.md — skipping propagation"
|
|
||||||
echo "skip=true" >> $GITHUB_OUTPUT
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
echo "version=$VERSION" >> $GITHUB_OUTPUT
|
|
||||||
echo "skip=false" >> $GITHUB_OUTPUT
|
|
||||||
echo "✅ README.md version: $VERSION"
|
|
||||||
|
|
||||||
- name: Run version sync
|
|
||||||
if: ${{ steps.readme_version.outputs.skip != 'true' && inputs.dry_run != true }}
|
|
||||||
run: |
|
|
||||||
php /tmp/mokostandards/api/maintenance/update_version_from_readme.php \
|
|
||||||
--path . \
|
|
||||||
--create-issue \
|
|
||||||
--repo "${{ github.repository }}"
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
|
|
||||||
|
|
||||||
- name: Commit updated files
|
|
||||||
if: ${{ steps.readme_version.outputs.skip != 'true' && inputs.dry_run != true }}
|
|
||||||
run: |
|
|
||||||
git pull --ff-only 2>/dev/null || true
|
|
||||||
if git diff --quiet; then
|
|
||||||
echo "ℹ️ No version changes needed — already up to date"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
VERSION="${{ steps.readme_version.outputs.version }}"
|
|
||||||
git config --local user.email "github-actions[bot]@users.noreply.github.com"
|
|
||||||
git config --local user.name "github-actions[bot]"
|
|
||||||
git add -A
|
|
||||||
git commit -m "chore(version): sync badges and headers to ${VERSION} [skip ci]" \
|
|
||||||
--author="github-actions[bot] <github-actions[bot]@users.noreply.github.com>"
|
|
||||||
git push
|
|
||||||
|
|
||||||
- name: Summary
|
|
||||||
run: |
|
|
||||||
VERSION="${{ steps.readme_version.outputs.version }}"
|
|
||||||
echo "## 📦 Version Sync — ${VERSION}" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "**Source:** \`README.md\` FILE INFORMATION block" >> $GITHUB_STEP_SUMMARY
|
|
||||||
echo "**Version:** \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
|
|
||||||
@@ -0,0 +1,130 @@
|
|||||||
|
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
#
|
||||||
|
# FILE INFORMATION
|
||||||
|
# DEFGROUP: Gitea.Workflow.Template
|
||||||
|
# INGROUP: MokoStandards.CI
|
||||||
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-Joomla
|
||||||
|
# PATH: /.mokogitea/workflows/version-set.yml
|
||||||
|
# VERSION: 01.00.00
|
||||||
|
# BRIEF: Set or reset the extension version across all version-bearing files
|
||||||
|
|
||||||
|
name: "Joomla: Set Version"
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_dispatch:
|
||||||
|
inputs:
|
||||||
|
version:
|
||||||
|
description: "Version number (e.g. 01.00.00)"
|
||||||
|
required: true
|
||||||
|
type: string
|
||||||
|
branch:
|
||||||
|
description: "Branch to update (default: current)"
|
||||||
|
required: false
|
||||||
|
type: string
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
|
||||||
|
env:
|
||||||
|
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
set-version:
|
||||||
|
name: Set Version to ${{ inputs.version }}
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Validate version format
|
||||||
|
run: |
|
||||||
|
VERSION="${{ inputs.version }}"
|
||||||
|
if ! echo "$VERSION" | grep -qP '^\d{2}\.\d{2}\.\d{2}$'; then
|
||||||
|
echo "::error::Invalid version format '${VERSION}' — expected XX.YY.ZZ (e.g. 01.00.00)"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
|
||||||
|
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
token: ${{ secrets.MOKOGITEA_TOKEN || github.token }}
|
||||||
|
ref: ${{ inputs.branch || github.ref }}
|
||||||
|
fetch-depth: 1
|
||||||
|
|
||||||
|
- name: Update manifest version
|
||||||
|
run: |
|
||||||
|
MANIFEST=""
|
||||||
|
for XML_FILE in $(find . -maxdepth 3 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
|
||||||
|
if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
|
||||||
|
MANIFEST="$XML_FILE"
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -z "$MANIFEST" ]; then
|
||||||
|
echo "::warning::No Joomla extension manifest found — skipping manifest update"
|
||||||
|
else
|
||||||
|
OLD_VER=$(grep -oP '<version>\K[^<]+' "$MANIFEST" | head -1)
|
||||||
|
sed -i "s|<version>${OLD_VER}</version>|<version>${VERSION}</version>|" "$MANIFEST"
|
||||||
|
echo "Manifest: ${OLD_VER} → ${VERSION} (${MANIFEST})"
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: Update README.md version
|
||||||
|
run: |
|
||||||
|
if [ -f "README.md" ]; then
|
||||||
|
if grep -qP '^\s*VERSION:\s*\d' README.md; then
|
||||||
|
sed -i -E "s/(VERSION:\s*)[0-9]{2}\.[0-9]{2}\.[0-9]{2}/\1${VERSION}/" README.md
|
||||||
|
echo "README.md version updated to ${VERSION}"
|
||||||
|
else
|
||||||
|
echo "::warning::No VERSION line found in README.md — skipping"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: Update CHANGELOG.md
|
||||||
|
run: |
|
||||||
|
if [ -f "CHANGELOG.md" ]; then
|
||||||
|
DATE=$(date +%Y-%m-%d)
|
||||||
|
# Check if this version already has an entry
|
||||||
|
if grep -q "^\#\# \[${VERSION}\]" CHANGELOG.md; then
|
||||||
|
echo "CHANGELOG.md already has entry for ${VERSION} — skipping"
|
||||||
|
else
|
||||||
|
# Insert new version entry after [Unreleased] or at the top after header
|
||||||
|
if grep -q '^\#\# \[Unreleased\]' CHANGELOG.md; then
|
||||||
|
sed -i "/^\#\# \[Unreleased\]/a\\\\n## [${VERSION}] --- ${DATE}" CHANGELOG.md
|
||||||
|
else
|
||||||
|
sed -i "/^\# Changelog/a\\\\n## [Unreleased]\n\n## [${VERSION}] --- ${DATE}" CHANGELOG.md
|
||||||
|
fi
|
||||||
|
echo "CHANGELOG.md: added entry for ${VERSION}"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "::warning::No CHANGELOG.md found — skipping"
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: Update FILE INFORMATION blocks
|
||||||
|
run: |
|
||||||
|
# Update VERSION in file header blocks (# VERSION: XX.YY.ZZ)
|
||||||
|
find . -maxdepth 1 -type f \( -name "*.yml" -o -name "*.yaml" -o -name "*.php" -o -name "*.md" \) \
|
||||||
|
-not -path "./.git/*" -not -path "./vendor/*" -print0 2>/dev/null | \
|
||||||
|
while IFS= read -r -d '' FILE; do
|
||||||
|
if head -20 "$FILE" | grep -qP '^\s*#?\s*VERSION:\s*\d{2}\.\d{2}\.\d{2}'; then
|
||||||
|
sed -i -E "s/(#?\s*VERSION:\s*)[0-9]{2}\.[0-9]{2}\.[0-9]{2}/\1${VERSION}/" "$FILE"
|
||||||
|
echo "Updated FILE INFORMATION VERSION in ${FILE}"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
- name: Commit and push
|
||||||
|
run: |
|
||||||
|
git config user.name "Moko Consulting [bot]"
|
||||||
|
git config user.email "hello@mokoconsulting.tech"
|
||||||
|
git add -A
|
||||||
|
if git diff --cached --quiet; then
|
||||||
|
echo "No version changes detected — nothing to commit"
|
||||||
|
else
|
||||||
|
git commit -m "chore: set version to ${VERSION} [skip bump]
|
||||||
|
|
||||||
|
Authored-by: Moko Consulting"
|
||||||
|
git push
|
||||||
|
echo "### Version Set" >> $GITHUB_STEP_SUMMARY
|
||||||
|
echo "Version updated to \`${VERSION}\` on branch \`${GITHUB_REF_NAME}\`" >> $GITHUB_STEP_SUMMARY
|
||||||
|
fi
|
||||||
@@ -0,0 +1,82 @@
|
|||||||
|
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
#
|
||||||
|
# FILE INFORMATION
|
||||||
|
# DEFGROUP: Gitea.Workflow
|
||||||
|
# INGROUP: mokocli.Universal
|
||||||
|
# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoCLI
|
||||||
|
# PATH: /.mokogitea/workflows/workflow-sync-trigger.yml
|
||||||
|
# VERSION: 01.01.00
|
||||||
|
# BRIEF: Trigger workflow sync to live repos when a PR is merged to main
|
||||||
|
|
||||||
|
name: "Universal: Workflow Sync Trigger"
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_dispatch:
|
||||||
|
pull_request:
|
||||||
|
types: [closed]
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
|
||||||
|
env:
|
||||||
|
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
sync:
|
||||||
|
name: Sync workflows to live repos
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
if: >-
|
||||||
|
startsWith(github.event.repository.name, 'Template-') &&
|
||||||
|
(github.event_name == 'workflow_dispatch' ||
|
||||||
|
(github.event.pull_request.merged == true &&
|
||||||
|
!contains(github.event.pull_request.title, '[skip sync]')))
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Determine platform from repo name
|
||||||
|
id: platform
|
||||||
|
run: |
|
||||||
|
REPO="${{ github.event.repository.name }}"
|
||||||
|
case "$REPO" in
|
||||||
|
Template-Joomla) PLATFORM="joomla" ;;
|
||||||
|
Template-Dolibarr) PLATFORM="dolibarr" ;;
|
||||||
|
Template-Go) PLATFORM="go" ;;
|
||||||
|
Template-MCP) PLATFORM="mcp" ;;
|
||||||
|
Template-Generic) PLATFORM="" ;;
|
||||||
|
*) PLATFORM="" ;;
|
||||||
|
esac
|
||||||
|
echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "Platform: ${PLATFORM:-all}"
|
||||||
|
|
||||||
|
- name: Clone mokocli
|
||||||
|
env:
|
||||||
|
MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
|
run: |
|
||||||
|
MOKOGITEA_URL="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}"
|
||||||
|
git clone --depth 1 "${MOKOGITEA_URL}/MokoConsulting/MokoCLI.git" /tmp/mokocli
|
||||||
|
|
||||||
|
- name: Install PHP
|
||||||
|
run: |
|
||||||
|
if ! command -v php &> /dev/null; then
|
||||||
|
apt-get update -qq && apt-get install -y -qq php-cli php-json php-curl > /dev/null 2>&1
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: Install dependencies
|
||||||
|
run: |
|
||||||
|
cd /tmp/mokocli
|
||||||
|
composer install --no-dev --no-interaction --quiet 2>/dev/null || true
|
||||||
|
|
||||||
|
- name: Run workflow sync
|
||||||
|
env:
|
||||||
|
MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
|
||||||
|
run: |
|
||||||
|
ARGS="--token ${MOKOGITEA_TOKEN}"
|
||||||
|
ARGS="${ARGS} --org ${{ vars.GITEA_ORG || github.repository_owner }}"
|
||||||
|
ARGS="${ARGS} --phase repos"
|
||||||
|
|
||||||
|
PLATFORM="${{ steps.platform.outputs.platform }}"
|
||||||
|
if [ -n "$PLATFORM" ]; then
|
||||||
|
ARGS="${ARGS} --platform-filter ${PLATFORM}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
php /tmp/mokocli/cli/workflow_sync.php ${ARGS}
|
||||||
@@ -2,10 +2,14 @@
|
|||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
- CI: stripped GitHub-only workflows (DEFGROUP GitHub.Workflow), which do not run on MokoGitea Actions: auto-dev-issue.yml changelog-validation.yml standards-compliance.yml sync-version-on-merge.yml.
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
- Migrated all workflow and template paths from `.github/` to `.mokogitea/`
|
- Migrated all workflow and template paths from `.github/` to `.mokogitea/`
|
||||||
- Template source paths updated: `templates/gitea/` to `templates/mokogitea/`
|
- Template source paths updated: `templates/gitea/` to `templates/mokogitea/`
|
||||||
- HCL definition files removed -- Template repos are now the canonical source
|
- HCL definition files removed -- Template repos are now the canonical source
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
- CI: gate build/CI/release/version workflows so they skip template repos; smart-gate the sync workflows to run only on Template-* repos; normalize mokocli/MokoCLI refs and drop the stale mokoconsulting-tech org slug.
|
||||||
- `branch-cleanup.yml`: auto-delete merged feature branches after PR merge
|
- `branch-cleanup.yml`: auto-delete merged feature branches after PR merge
|
||||||
|
|||||||
@@ -13,7 +13,7 @@ This file provides guidance to Claude Code when working with this repository.
|
|||||||
| **Default branch** | main |
|
| **Default branch** | main |
|
||||||
| **License** | GPL-3.0-or-later |
|
| **License** | GPL-3.0-or-later |
|
||||||
| **Wiki** | [Template-MCP Wiki](https://git.mokoconsulting.tech/MokoConsulting/Template-MCP/wiki) |
|
| **Wiki** | [Template-MCP Wiki](https://git.mokoconsulting.tech/MokoConsulting/Template-MCP/wiki) |
|
||||||
| **Standards** | [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki/Home) |
|
| **Standards** | [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/MokoCLI/wiki/Home) |
|
||||||
|
|
||||||
## Common Commands
|
## Common Commands
|
||||||
|
|
||||||
@@ -49,4 +49,4 @@ This is an MCP (Model Context Protocol) server. Key files:
|
|||||||
- **Branch strategy**: develop on `dev`, merge to `main` for release
|
- **Branch strategy**: develop on `dev`, merge to `main` for release
|
||||||
- **Minification**: handled at build time (CI) and runtime (MokoMinifyHelper for Joomla templates)
|
- **Minification**: handled at build time (CI) and runtime (MokoMinifyHelper for Joomla templates)
|
||||||
- **Wiki**: documentation lives in the Gitea wiki, not in `docs/` files
|
- **Wiki**: documentation lives in the Gitea wiki, not in `docs/` files
|
||||||
- **Standards**: this repo follows [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki/Home)
|
- **Standards**: this repo follows [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/MokoCLI/wiki/Home)
|
||||||
|
|||||||
+1
-1
@@ -13,7 +13,7 @@
|
|||||||
# FILE INFORMATION
|
# FILE INFORMATION
|
||||||
DEFGROUP:
|
DEFGROUP:
|
||||||
INGROUP: Project.Documentation
|
INGROUP: Project.Documentation
|
||||||
REPO: mokoconsulting-tech/MokoStandards-Template-Generic
|
REPO: MokoConsulting/Template-MCP
|
||||||
VERSION: 00.00.01
|
VERSION: 00.00.01
|
||||||
PATH: ./CODE_OF_CONDUCT.md
|
PATH: ./CODE_OF_CONDUCT.md
|
||||||
BRIEF: Contributor Covenant Code of Conduct version 1.3.0
|
BRIEF: Contributor Covenant Code of Conduct version 1.3.0
|
||||||
|
|||||||
+2
-2
@@ -13,13 +13,13 @@
|
|||||||
# FILE INFORMATION
|
# FILE INFORMATION
|
||||||
DEFGROUP:
|
DEFGROUP:
|
||||||
INGROUP: Project.Documentation
|
INGROUP: Project.Documentation
|
||||||
REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-Template-Generic
|
REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-MCP
|
||||||
VERSION: 00.00.01
|
VERSION: 00.00.01
|
||||||
PATH: ./CONTRIBUTING.md
|
PATH: ./CONTRIBUTING.md
|
||||||
BRIEF: Contribution guidelines for the project
|
BRIEF: Contribution guidelines for the project
|
||||||
-->
|
-->
|
||||||
|
|
||||||
# Contributing to MokoStandards-Template-Generic
|
# Contributing to Template-MCP
|
||||||
|
|
||||||
We appreciate your interest in contributing to this project! This document provides guidelines for contributing.
|
We appreciate your interest in contributing to this project! This document provides guidelines for contributing.
|
||||||
|
|
||||||
|
|||||||
@@ -13,7 +13,7 @@
|
|||||||
# FILE INFORMATION
|
# FILE INFORMATION
|
||||||
DEFGROUP: MokoStandards
|
DEFGROUP: MokoStandards
|
||||||
INGROUP: MokoStandards.Documentation
|
INGROUP: MokoStandards.Documentation
|
||||||
REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards/
|
REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards/
|
||||||
VERSION: 05.00.00
|
VERSION: 05.00.00
|
||||||
PATH: ./LICENSE
|
PATH: ./LICENSE
|
||||||
BRIEF: Project license (GPL-3.0-or-later)
|
BRIEF: Project license (GPL-3.0-or-later)
|
||||||
|
|||||||
@@ -23,7 +23,7 @@ install-deps: ## Install dependencies
|
|||||||
@$(NPM) install
|
@$(NPM) install
|
||||||
@echo "$(COLOR_GREEN)✓ Dependencies installed$(COLOR_RESET)"
|
@echo "$(COLOR_GREEN)✓ Dependencies installed$(COLOR_RESET)"
|
||||||
|
|
||||||
MOKO_PLATFORM ?= $(or $(wildcard ../moko-platform),$(wildcard $(HOME)/moko-platform),$(wildcard /opt/moko-platform))
|
MOKO_PLATFORM ?= $(or $(wildcard ../mokocli),$(wildcard $(HOME)/mokocli),$(wildcard /opt/mokocli))
|
||||||
MINIFY_SCRIPT := $(MOKO_PLATFORM)/build/minify.js
|
MINIFY_SCRIPT := $(MOKO_PLATFORM)/build/minify.js
|
||||||
|
|
||||||
.PHONY: minify
|
.PHONY: minify
|
||||||
|
|||||||
@@ -77,4 +77,8 @@ This project is licensed under the GNU General Public License v3.0 or later -- s
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
*[Moko Consulting](https://mokoconsulting.tech) -- [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki/Home)*
|
*[Moko Consulting](https://mokoconsulting.tech) -- [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/MokoCLI/wiki/Home)*
|
||||||
|
|
||||||
|
## Template CI Notes
|
||||||
|
|
||||||
|
Build/CI/release/version workflows are guarded to skip template repos (Template-*) and only run in repos created from them.
|
||||||
|
|||||||
@@ -1,237 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
# ============================================================================
|
|
||||||
# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
||||||
#
|
|
||||||
# FILE INFORMATION
|
|
||||||
# DEFGROUP: Automation.CI
|
|
||||||
# INGROUP: moko-platform.Automation
|
|
||||||
# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
|
|
||||||
# PATH: /automation/ci-issue-reporter.sh
|
|
||||||
# VERSION: 09.23.00
|
|
||||||
# BRIEF: Creates or updates a Gitea issue when a CI gate fails.
|
|
||||||
# Deduplicates by searching open issues with the "ci-auto" label
|
|
||||||
# whose title matches the gate. If a matching issue exists, a comment
|
|
||||||
# is appended instead of opening a duplicate.
|
|
||||||
# ============================================================================
|
|
||||||
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
# ── Defaults ────────────────────────────────────────────────────────────────
|
|
||||||
GITEA_URL="${GITEA_URL:-https://git.mokoconsulting.tech}"
|
|
||||||
GITEA_TOKEN="${GITEA_TOKEN:-}"
|
|
||||||
REPO="${GITHUB_REPOSITORY:-}"
|
|
||||||
RUN_URL="${GITHUB_SERVER_URL:-${GITEA_URL}}/${REPO}/actions/runs/${GITHUB_RUN_ID:-0}"
|
|
||||||
LABEL_NAME="ci-auto"
|
|
||||||
LABEL_COLOR="#e11d48"
|
|
||||||
|
|
||||||
GATE=""
|
|
||||||
DETAILS=""
|
|
||||||
SEVERITY="error"
|
|
||||||
WORKFLOW=""
|
|
||||||
|
|
||||||
# ── Parse arguments ─────────────────────────────────────────────────────────
|
|
||||||
usage() {
|
|
||||||
cat <<EOF
|
|
||||||
Usage: ci-issue-reporter.sh --gate NAME --details TEXT [OPTIONS]
|
|
||||||
|
|
||||||
Required:
|
|
||||||
--gate CI gate name (e.g. "Code Quality", "Self-Health")
|
|
||||||
--details Human-readable failure description
|
|
||||||
|
|
||||||
Optional:
|
|
||||||
--severity "error" (default) or "warning"
|
|
||||||
--workflow Workflow name for the issue title
|
|
||||||
--repo owner/repo (default: \$GITHUB_REPOSITORY)
|
|
||||||
--run-url URL to the CI run (auto-detected from env)
|
|
||||||
--token Gitea API token (default: \$GITEA_TOKEN)
|
|
||||||
--url Gitea base URL (default: \$GITEA_URL)
|
|
||||||
EOF
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
while [[ $# -gt 0 ]]; do
|
|
||||||
case "$1" in
|
|
||||||
--gate) GATE="$2"; shift 2 ;;
|
|
||||||
--details) DETAILS="$2"; shift 2 ;;
|
|
||||||
--severity) SEVERITY="$2"; shift 2 ;;
|
|
||||||
--workflow) WORKFLOW="$2"; shift 2 ;;
|
|
||||||
--repo) REPO="$2"; shift 2 ;;
|
|
||||||
--run-url) RUN_URL="$2"; shift 2 ;;
|
|
||||||
--token) GITEA_TOKEN="$2"; shift 2 ;;
|
|
||||||
--url) GITEA_URL="$2"; shift 2 ;;
|
|
||||||
-h|--help) usage ;;
|
|
||||||
*) echo "Unknown option: $1"; usage ;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
[[ -z "$GATE" ]] && { echo "ERROR: --gate is required"; usage; }
|
|
||||||
[[ -z "$DETAILS" ]] && { echo "ERROR: --details is required"; usage; }
|
|
||||||
[[ -z "$GITEA_TOKEN" ]] && { echo "ERROR: GITEA_TOKEN not set"; exit 1; }
|
|
||||||
[[ -z "$REPO" ]] && { echo "ERROR: GITHUB_REPOSITORY not set"; exit 1; }
|
|
||||||
|
|
||||||
API="${GITEA_URL}/api/v1/repos/${REPO}"
|
|
||||||
|
|
||||||
# ── Build title ─────────────────────────────────────────────────────────────
|
|
||||||
if [[ -n "$WORKFLOW" ]]; then
|
|
||||||
TITLE="[CI] ${WORKFLOW}: ${GATE} failed"
|
|
||||||
else
|
|
||||||
TITLE="[CI] ${GATE} failed"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ── Ensure label exists ─────────────────────────────────────────────────────
|
|
||||||
ensure_label() {
|
|
||||||
local exists
|
|
||||||
exists=$(curl -sf -o /dev/null -w '%{http_code}' \
|
|
||||||
-H "Authorization: token ${GITEA_TOKEN}" \
|
|
||||||
"${API}/labels" 2>/dev/null || echo "000")
|
|
||||||
|
|
||||||
if [[ "$exists" == "200" ]]; then
|
|
||||||
# Check if label already exists
|
|
||||||
local found
|
|
||||||
found=$(curl -sf \
|
|
||||||
-H "Authorization: token ${GITEA_TOKEN}" \
|
|
||||||
"${API}/labels" 2>/dev/null \
|
|
||||||
| grep -o "\"name\":\"${LABEL_NAME}\"" || true)
|
|
||||||
|
|
||||||
if [[ -z "$found" ]]; then
|
|
||||||
curl -sf -X POST \
|
|
||||||
-H "Authorization: token ${GITEA_TOKEN}" \
|
|
||||||
-H "Content-Type: application/json" \
|
|
||||||
"${API}/labels" \
|
|
||||||
-d "{\"name\":\"${LABEL_NAME}\",\"color\":\"${LABEL_COLOR}\",\"description\":\"Auto-created by CI issue reporter\"}" \
|
|
||||||
> /dev/null 2>&1 || true
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# ── Search for existing open issue ──────────────────────────────────────────
|
|
||||||
find_existing_issue() {
|
|
||||||
# URL-encode the gate name for the query
|
|
||||||
local query
|
|
||||||
query=$(printf '%s' "[CI] ${GATE}" | sed 's/ /%20/g; s/\[/%5B/g; s/\]/%5D/g')
|
|
||||||
|
|
||||||
local response
|
|
||||||
response=$(curl -sf \
|
|
||||||
-H "Authorization: token ${GITEA_TOKEN}" \
|
|
||||||
"${API}/issues?type=issues&state=open&labels=${LABEL_NAME}&q=${query}&limit=5" \
|
|
||||||
2>/dev/null || echo "[]")
|
|
||||||
|
|
||||||
# Extract the first matching issue number
|
|
||||||
echo "$response" \
|
|
||||||
| grep -oP '"number":\s*\K[0-9]+' \
|
|
||||||
| head -1
|
|
||||||
}
|
|
||||||
|
|
||||||
# ── Build issue body ────────────────────────────────────────────────────────
|
|
||||||
build_body() {
|
|
||||||
local severity_badge
|
|
||||||
if [[ "$SEVERITY" == "error" ]]; then
|
|
||||||
severity_badge="**Severity:** Error"
|
|
||||||
else
|
|
||||||
severity_badge="**Severity:** Warning"
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat <<BODY
|
|
||||||
## CI Gate Failure: ${GATE}
|
|
||||||
|
|
||||||
${severity_badge}
|
|
||||||
**Workflow:** ${WORKFLOW:-unknown}
|
|
||||||
**Branch:** ${GITHUB_REF_NAME:-unknown}
|
|
||||||
**Commit:** \`${GITHUB_SHA:0:8}\`
|
|
||||||
**Run:** [View CI run](${RUN_URL})
|
|
||||||
|
|
||||||
### Details
|
|
||||||
|
|
||||||
${DETAILS}
|
|
||||||
|
|
||||||
### Resolution
|
|
||||||
|
|
||||||
Fix the issue described above and push a new commit. This issue will be closed automatically when the gate passes, or can be closed manually.
|
|
||||||
|
|
||||||
---
|
|
||||||
*Auto-created by [ci-issue-reporter](${GITEA_URL}/${REPO}/src/branch/main/automation/ci-issue-reporter.sh)*
|
|
||||||
BODY
|
|
||||||
}
|
|
||||||
|
|
||||||
# ── Build comment body (for existing issues) ────────────────────────────────
|
|
||||||
build_comment() {
|
|
||||||
cat <<COMMENT
|
|
||||||
### CI failure recurrence
|
|
||||||
|
|
||||||
**Branch:** ${GITHUB_REF_NAME:-unknown}
|
|
||||||
**Commit:** \`${GITHUB_SHA:0:8}\`
|
|
||||||
**Run:** [View CI run](${RUN_URL})
|
|
||||||
|
|
||||||
${DETAILS}
|
|
||||||
COMMENT
|
|
||||||
}
|
|
||||||
|
|
||||||
# ── Main ────────────────────────────────────────────────────────────────────
|
|
||||||
ensure_label
|
|
||||||
|
|
||||||
EXISTING=$(find_existing_issue)
|
|
||||||
|
|
||||||
if [[ -n "$EXISTING" ]]; then
|
|
||||||
# Append comment to existing issue
|
|
||||||
COMMENT_BODY=$(build_comment)
|
|
||||||
COMMENT_JSON=$(printf '%s' "$COMMENT_BODY" | python3 -c "
|
|
||||||
import sys, json
|
|
||||||
print(json.dumps({'body': sys.stdin.read()}))" 2>/dev/null)
|
|
||||||
|
|
||||||
HTTP=$(curl -sf -o /dev/null -w '%{http_code}' -X POST \
|
|
||||||
-H "Authorization: token ${GITEA_TOKEN}" \
|
|
||||||
-H "Content-Type: application/json" \
|
|
||||||
"${API}/issues/${EXISTING}/comments" \
|
|
||||||
-d "${COMMENT_JSON}" 2>/dev/null || echo "000")
|
|
||||||
|
|
||||||
if [[ "$HTTP" == "201" ]]; then
|
|
||||||
echo "Commented on existing issue #${EXISTING}"
|
|
||||||
else
|
|
||||||
echo "WARNING: Failed to comment on issue #${EXISTING} (HTTP ${HTTP})"
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
# Create new issue
|
|
||||||
ISSUE_BODY=$(build_body)
|
|
||||||
ISSUE_JSON=$(python3 -c "
|
|
||||||
import sys, json
|
|
||||||
body = sys.stdin.read()
|
|
||||||
print(json.dumps({
|
|
||||||
'title': sys.argv[1],
|
|
||||||
'body': body,
|
|
||||||
'labels': []
|
|
||||||
}))" "$TITLE" <<< "$ISSUE_BODY" 2>/dev/null)
|
|
||||||
|
|
||||||
# Create the issue
|
|
||||||
RESPONSE=$(curl -sf -X POST \
|
|
||||||
-H "Authorization: token ${GITEA_TOKEN}" \
|
|
||||||
-H "Content-Type: application/json" \
|
|
||||||
"${API}/issues" \
|
|
||||||
-d "${ISSUE_JSON}" 2>/dev/null || echo "{}")
|
|
||||||
|
|
||||||
ISSUE_NUM=$(echo "$RESPONSE" | grep -oP '"number":\s*\K[0-9]+' | head -1)
|
|
||||||
|
|
||||||
if [[ -n "$ISSUE_NUM" ]]; then
|
|
||||||
# Apply label (separate call — more reliable across Gitea versions)
|
|
||||||
LABEL_ID=$(curl -sf \
|
|
||||||
-H "Authorization: token ${GITEA_TOKEN}" \
|
|
||||||
"${API}/labels" 2>/dev/null \
|
|
||||||
| grep -oP "\"id\":\s*\K[0-9]+(?=[^}]*\"name\":\s*\"${LABEL_NAME}\")" \
|
|
||||||
| head -1 || true)
|
|
||||||
|
|
||||||
if [[ -n "$LABEL_ID" ]]; then
|
|
||||||
curl -sf -X POST \
|
|
||||||
-H "Authorization: token ${GITEA_TOKEN}" \
|
|
||||||
-H "Content-Type: application/json" \
|
|
||||||
"${API}/issues/${ISSUE_NUM}/labels" \
|
|
||||||
-d "{\"labels\":[${LABEL_ID}]}" \
|
|
||||||
> /dev/null 2>&1 || true
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Created issue #${ISSUE_NUM}: ${TITLE}"
|
|
||||||
else
|
|
||||||
echo "WARNING: Failed to create issue"
|
|
||||||
echo "Response: ${RESPONSE}"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
Reference in New Issue
Block a user