chore: sync security-audit.yml from Template-MCP [skip ci]

chore: sync pre-release.yml from Template-MCP [skip ci]
chore: sync notify.yml from Template-MCP [skip ci]
2026-06-07 17:58:51 +00:00 · 2026-06-07 17:58:50 +00:00 · 2026-06-07 17:58:50 +00:00 · 2026-06-07 17:58:49 +00:00 · 2026-06-07 17:58:48 +00:00 · 2026-06-07 17:58:47 +00:00
12 changed files with 1479 additions and 570 deletions
@@ -0,0 +1,251 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 # SPDX-License-Identifier: GPL-3.0-or-later
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Automation
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /.gitea/workflows/branch-protection.yml
 # BRIEF: Apply standardised branch protection rules to all governed repositories
 #
 # +========================================================================+
 # |                   BRANCH PROTECTION SETUP                              |
 # +========================================================================+
 # |                                                                        |
 # |  Applies protection rules for: main, dev, rc, beta, alpha       |
 # |                                                                        |
 # |  main  — Require PR, block rejected reviews, no force push             |
 # |  dev   — Allow push, no force push, no delete                          |
 # |  rc  — Allow push, no force push, no delete                          |
 # |  beta — Allow push, no force push, no delete                         |
 # |  alpha — Allow push, no force push, no delete                        |
 # |                                                                        |
 # |  jmiller has override authority on all branches.                       |
 # |                                                                        |
 # +========================================================================+
 name: Branch Protection Setup
 on:
  schedule:
    - cron: '0 2 * * 1'  # Weekly Monday 02:00 UTC
  workflow_dispatch:
    inputs:
      dry_run:
        description: 'Preview mode (no changes)'
        required: false
        type: boolean
        default: false
      repos:
        description: 'Comma-separated repo names (empty = all governed repos)'
        required: false
        type: string
        default: ''
 env:
  GITEA_URL: https://git.mokoconsulting.tech
  GITEA_ORG: MokoConsulting
 permissions:
  contents: read
 jobs:
  protect:
    name: Apply Branch Protection Rules
    runs-on: ubuntu-latest
    steps:
      - name: Determine target repos
        id: repos
        env:
          GA_TOKEN: ${{ secrets.GA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1"
          # Platform/standards/infra repos to exclude
          EXCLUDE="gitea-org-config org-profile gitea-private .mokogitea-private MokoStandards moko-platform MokoTesting"
          EXCLUDE="$EXCLUDE MokoStandards-Template-Client MokoStandards-Template-Dolibarr MokoStandards-Template-Generic MokoStandards-Template-Joomla MokoDoliProjTemplate"
          if [ -n "${{ inputs.repos }}" ]; then
            # User-specified repos
            REPOS=$(echo "${{ inputs.repos }}" | tr ',' ' ')
          else
            # Fetch all org repos
            PAGE=1
            REPOS=""
            while true; do
              BATCH=$(curl -sS \
                -H "Authorization: token ${GA_TOKEN}" \
                "${API}/orgs/${GITEA_ORG}/repos?page=${PAGE}&limit=50" \
                | jq -r '.[].name // empty')
              [ -z "$BATCH" ] && break
              REPOS="$REPOS $BATCH"
              PAGE=$((PAGE + 1))
            done
            # Filter out excluded repos
            FILTERED=""
            for REPO in $REPOS; do
              SKIP=false
              for EX in $EXCLUDE; do
                if [ "$REPO" = "$EX" ]; then
                  SKIP=true
                  break
                fi
              done
              if [ "$SKIP" = "false" ]; then
                FILTERED="$FILTERED $REPO"
              fi
            done
            REPOS="$FILTERED"
          fi
          echo "repos=$REPOS" >> "$GITHUB_OUTPUT"
          COUNT=$(echo "$REPOS" | wc -w)
          echo "📋 Target repos (${COUNT}): $REPOS"
      - name: Apply protection rules
        env:
          GA_TOKEN: ${{ secrets.GA_TOKEN }}
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
        run: |
          API="${GITEA_URL}/api/v1"
          REPOS="${{ steps.repos.outputs.repos }}"
          SUCCESS=0
          FAILED=0
          SKIPPED=0
          # ── Rule definitions ──────────────────────────────────────
          # Only the CI bot (jmiller token) can push directly.
          # All human contributors must use PRs.
          # Force push disabled on all branches.
          RULE_MAIN='{
            "rule_name": "main",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "dismiss_stale_approvals": true,
            "block_on_rejected_reviews": true,
            "block_on_outdated_branch": false,
            "priority": 1
          }'
          RULE_DEV='{
            "rule_name": "dev",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "block_on_rejected_reviews": false,
            "priority": 2
          }'
          RULE_RC='{
            "rule_name": "rc",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "block_on_rejected_reviews": false,
            "priority": 3
          }'
          RULE_BETA='{
            "rule_name": "beta",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "block_on_rejected_reviews": false,
            "priority": 4
          }'
          RULE_ALPHA='{
            "rule_name": "alpha",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "block_on_rejected_reviews": false,
            "priority": 5
          }'
          RULES=("$RULE_MAIN" "$RULE_DEV" "$RULE_RC" "$RULE_BETA" "$RULE_ALPHA")
          RULE_NAMES=("main" "dev" "rc" "beta" "alpha")
          # ── Apply rules to each repo ──────────────────────────────
          for REPO in $REPOS; do
            echo ""
            echo "═══ ${REPO} ═══"
            for i in "${!RULES[@]}"; do
              RULE="${RULES[$i]}"
              NAME="${RULE_NAMES[$i]}"
              if [ "$DRY_RUN" = "true" ]; then
                echo "  [DRY RUN] Would apply rule: ${NAME}"
                SKIPPED=$((SKIPPED + 1))
                continue
              fi
              # Delete existing rule if present (idempotent recreate)
              ENCODED_NAME=$(echo "$NAME" | sed 's|/|%2F|g')
              curl -sS -o /dev/null -w "" \
                -X DELETE \
                -H "Authorization: token ${GA_TOKEN}" \
                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections/${ENCODED_NAME}" 2>/dev/null || true
              # Create rule
              RESPONSE=$(curl -sS -w "\n%{http_code}" \
                -X POST \
                -H "Authorization: token ${GA_TOKEN}" \
                -H "Content-Type: application/json" \
                -d "$RULE" \
                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections")
              HTTP=$(echo "$RESPONSE" | tail -1)
              BODY=$(echo "$RESPONSE" | sed '$d')
              if [ "$HTTP" = "201" ]; then
                echo "  ✅ ${NAME}"
                SUCCESS=$((SUCCESS + 1))
              else
                echo "  ❌ ${NAME} (HTTP ${HTTP}): $(echo "$BODY" | jq -r '.message // .' 2>/dev/null | head -1)"
                FAILED=$((FAILED + 1))
              fi
            done
          done
          # ── Summary ───────────────────────────────────────────────
          echo ""
          echo "════════════════════════════════════════"
          echo "  ✅ Success: ${SUCCESS}"
          echo "  ❌ Failed:  ${FAILED}"
          echo "  ⏭️  Skipped: ${SKIPPED}"
          echo "════════════════════════════════════════"
          if [ "$FAILED" -gt 0 ]; then
            echo "::warning::${FAILED} rule(s) failed to apply"
          fi
@@ -0,0 +1,66 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Release
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /.mokogitea/workflows/auto-bump.yml
 # VERSION: 09.02.00
 # BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
 name: "Universal: Auto Version Bump"
 on:
  push:
    branches:
      - dev
      - rc
      - 'feature/**'
      - 'patch/**'
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
 permissions:
  contents: write
 jobs:
  bump:
    name: Version Bump
    runs-on: release
    if: >-
      !contains(github.event.head_commit.message, '[skip ci]') &&
      !contains(github.event.head_commit.message, '[skip bump]') &&
      !startsWith(github.event.head_commit.message, 'Merge pull request')
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          token: ${{ secrets.MOKOGITEA_TOKEN }}
          fetch-depth: 1
      - name: Setup moko-platform tools
        run: |
          if ! command -v composer &> /dev/null; then
            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
          fi
          if [ -d "/opt/moko-platform/cli" ]; then
            echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
          else
            git clone --depth 1 --branch main --quiet \
              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
              /tmp/moko-platform-api
            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
            echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
          fi
      - name: Bump version
        run: |
          php ${MOKO_CLI}/version_auto_bump.php \
            --path . --branch "${GITHUB_REF_NAME}" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
            --repo-url "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
@@ -1,324 +1,341 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
+#
-# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-License-Identifier: GPL-3.0-or-later
-#
+#
-# FILE INFORMATION
+# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
+# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
+# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
-# PATH: /templates/workflows/universal/auto-release.yml.template
+# PATH: /templates/workflows/universal/auto-release.yml.template
-# VERSION: 05.00.00
+# VERSION: 05.00.00
-# BRIEF: Universal build & release � detects platform from manifest.xml
+# BRIEF: Universal build & release � detects platform from manifest.xml
-#
+#
-# +========================================================================+
+# +========================================================================+
-# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
+# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
-# +========================================================================+
+# +========================================================================+
-# |                                                                        |
+# |                                                                        |
-# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
+# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
-# |                                                                        |
+# |                                                                        |
-# |  Platform-specific:                                                    |
+# |  Platform-specific:                                                    |
-# |    joomla:   XML manifest, type-prefixed packages                      |
+# |    joomla:   XML manifest, type-prefixed packages                      |
-# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
+# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
-# |    generic:  README-only, no update stream                             |
+# |    generic:  README-only, no update stream                             |
-# |                                                                        |
+# |                                                                        |
-# +========================================================================+
+# +========================================================================+
-
+
-name: "Universal: Build & Release"
+name: "Universal: Build & Release"
-
+
-on:
+on:
-  pull_request:
+  pull_request:
-    types: [opened, closed]
+    types: [opened, closed]
-    branches:
+    branches:
-      - main
+      - main
-  workflow_dispatch:
+  workflow_dispatch:
-    inputs:
+    inputs:
-      action:
+      action:
-        description: 'Action to perform'
+        description: 'Action to perform'
-        required: false
+        required: false
-        type: choice
+        type: choice
-        default: release
+        default: release
-        options:
+        options:
-          - release
+          - release
-          - promote-rc
+          - promote-rc
-
+
-env:
+env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
+
-permissions:
+permissions:
-  contents: write
+  contents: write
-
+
-jobs:
+jobs:
-  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────
+  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────
-  promote-rc:
+  promote-rc:
-    name: Promote to RC
+    name: Promote to RC
-    runs-on: release
+    runs-on: release
-    if: >-
+    if: >-
-      (github.event.action == 'opened' && github.event.pull_request.merged != true) ||
+      (github.event.action == 'opened' && github.event.pull_request.merged != true) ||
-      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
+      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
-
+
-    steps:
+    steps:
-      - name: Checkout repository
+      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
+        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 1
+          fetch-depth: 1
-
+
-      - name: Setup moko-platform tools
+      - name: Setup moko-platform tools
-        env:
+        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-        run: |
+        run: |
-          if [ -f /opt/moko-platform/cli/version_bump.php ] && [ -f /opt/moko-platform/vendor/autoload.php ]; then
+          if [ -f /opt/moko-platform/cli/version_bump.php ] && [ -f /opt/moko-platform/vendor/autoload.php ]; then
-            echo Using pre-installed /opt/moko-platform
+            echo Using pre-installed /opt/moko-platform
-            echo MOKO_CLI=/opt/moko-platform/cli >> $GITHUB_ENV
+            echo MOKO_CLI=/opt/moko-platform/cli >> $GITHUB_ENV
-          else
+          else
-            echo Falling back to fresh clone
+            echo Falling back to fresh clone
-            if ! command -v composer > /dev/null 2>&1; then
+            if ! command -v composer > /dev/null 2>&1; then
-              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
+              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
-            fi
+            fi
-            rm -rf /tmp/moko-platform-api
+            rm -rf /tmp/moko-platform-api
-            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git
+            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git
-            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/moko-platform-api
+            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/moko-platform-api
-            cd /tmp/moko-platform-api
+            cd /tmp/moko-platform-api
-            composer install --no-dev --no-interaction --quiet
+            composer install --no-dev --no-interaction --quiet
-            echo MOKO_CLI=/tmp/moko-platform-api/cli >> $GITHUB_ENV
+            echo MOKO_CLI=/tmp/moko-platform-api/cli >> $GITHUB_ENV
-          fi
+          fi
-
+
-      - name: Rename branch to rc
+      - name: Rename branch to rc
-        run: |
+        run: |
-          php ${MOKO_CLI}/branch_rename.php \
+          php ${MOKO_CLI}/branch_rename.php \
-            --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
+            --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
+            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
-            --pr "${{ github.event.pull_request.number }}"
+            --pr "${{ github.event.pull_request.number }}"
-
+
-      - name: Checkout rc and configure git
+      - name: Checkout rc and configure git
-        run: |
+        run: |
-          git fetch origin rc
+          git fetch origin rc
-          git checkout rc
+          git checkout rc
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
+          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
+
-      - name: Publish RC release
+      - name: Publish RC release
-        run: |
+        run: |
-          php ${MOKO_CLI}/release_publish.php \
+          php ${MOKO_CLI}/release_publish.php \
-            --path . --stability rc --bump minor --branch rc \
+            --path . --stability rc --bump minor --branch rc \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}"
+            --token "${{ secrets.MOKOGITEA_TOKEN }}"
-
+
-      - name: Summary
+      - name: Summary
-        if: always()
+        if: always()
-        run: |
+        run: |
-          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
+          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
-          echo "Branch renamed to rc, minor bump, RC release built" >> $GITHUB_STEP_SUMMARY
+          echo "Branch renamed to rc, minor bump, RC release built" >> $GITHUB_STEP_SUMMARY
-
+
-  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
+  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
-  release:
+  release:
-    name: Build & Release Pipeline
+    name: Build & Release Pipeline
-    runs-on: release
+    runs-on: release
-    if: >-
+    if: >-
-      github.event.pull_request.merged == true ||
+      github.event.pull_request.merged == true ||
-      (github.event_name == 'workflow_dispatch' && inputs.action != 'promote-rc')
+      (github.event_name == 'workflow_dispatch' && inputs.action != 'promote-rc')
-
+
-    steps:
+    steps:
-      - name: Checkout repository
+      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
+        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 0
+          fetch-depth: 0
-
+
-      - name: Configure git for bot pushes
+      - name: Configure git for bot pushes
-        run: |
+        run: |
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
+          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
+
-      - name: Check for merge conflict markers
+      - name: Check for merge conflict markers
-        run: |
+        run: |
-          CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
+          CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
-          if [ -n "$CONFLICTS" ]; then
+          if [ -n "$CONFLICTS" ]; then
-            echo "::error::Merge conflict markers found — aborting release"
+            echo "::error::Merge conflict markers found — aborting release"
-            echo "## Release Blocked: Conflict Markers" >> $GITHUB_STEP_SUMMARY
+            echo "## Release Blocked: Conflict Markers" >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
-            echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
+            echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
-            exit 1
+            exit 1
-          fi
+          fi
-          echo "No conflict markers found"
+          echo "No conflict markers found"
-
+
-      - name: Setup moko-platform tools
+      - name: Setup moko-platform tools
-        env:
+        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
-        run: |
+        run: |
-          if [ -f /opt/moko-platform/cli/version_bump.php ] && [ -f /opt/moko-platform/vendor/autoload.php ]; then
+          if [ -f /opt/moko-platform/cli/version_bump.php ] && [ -f /opt/moko-platform/vendor/autoload.php ]; then
-            echo Using pre-installed /opt/moko-platform
+            echo Using pre-installed /opt/moko-platform
-            echo MOKO_CLI=/opt/moko-platform/cli >> $GITHUB_ENV
+            echo MOKO_CLI=/opt/moko-platform/cli >> $GITHUB_ENV
-          else
+          else
-            echo Falling back to fresh clone
+            echo Falling back to fresh clone
-            if ! command -v composer > /dev/null 2>&1; then
+            if ! command -v composer > /dev/null 2>&1; then
-              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
+              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
-            fi
+            fi
-            rm -rf /tmp/moko-platform-api
+            rm -rf /tmp/moko-platform-api
-            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git
+            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git
-            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/moko-platform-api
+            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/moko-platform-api
-            cd /tmp/moko-platform-api
+            cd /tmp/moko-platform-api
-            composer install --no-dev --no-interaction --quiet
+            composer install --no-dev --no-interaction --quiet
-            echo MOKO_CLI=/tmp/moko-platform-api/cli >> $GITHUB_ENV
+            echo MOKO_CLI=/tmp/moko-platform-api/cli >> $GITHUB_ENV
-          fi
+          fi
-
+
-      - name: "Publish stable release"
+      - name: "Determine version bump level"
-        run: |
+        id: bump
-          php ${MOKO_CLI}/release_publish.php \
+        run: |
-            --path . --stability stable --bump minor --branch main \
+          # Fix/patch branches: version was already bumped by pre-release, just strip suffix
-            --token "${{ secrets.MOKOGITEA_TOKEN }}"
+          # Feature/dev branches: bump minor for the new stable release
-
+          HEAD_REF="${{ github.event.pull_request.head.ref || 'dev' }}"
-      - name: Update release notes from CHANGELOG.md
+          case "$HEAD_REF" in
-        run: |
+            fix/*|patch/*|hotfix/*|bugfix/*) BUMP="none" ;;
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+            *)                               BUMP="minor" ;;
-
+          esac
-          # Extract [Unreleased] section from changelog
+          echo "level=${BUMP}" >> "$GITHUB_OUTPUT"
-          if [ -f "CHANGELOG.md" ]; then
+          echo "Bump level: ${BUMP} (from branch: ${HEAD_REF})"
-            NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
+
-            [ -z "$NOTES" ] && NOTES="Stable release"
+      - name: "Publish stable release"
-          else
+        run: |
-            NOTES="Stable release"
+          BUMP_FLAG=""
-          fi
+          if [ "${{ steps.bump.outputs.level }}" != "none" ]; then
-
+            BUMP_FLAG="--bump ${{ steps.bump.outputs.level }}"
-          # Update release body via API
+          fi
-          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
+          php ${MOKO_CLI}/release_publish.php \
-            "${API_BASE}/releases/tags/stable" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+            --path . --stability stable ${BUMP_FLAG} --branch main \
-
+            --token "${{ secrets.MOKOGITEA_TOKEN }}"
-          if [ -n "$RELEASE_ID" ]; then
+
-            python3 -c "
+      - name: Update release notes from CHANGELOG.md
-          import json, urllib.request
+        run: |
-          body = open('/dev/stdin').read()
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          payload = json.dumps({'body': body}).encode()
+
-          req = urllib.request.Request(
+          # Extract [Unreleased] section from changelog
-              '${API_BASE}/releases/${RELEASE_ID}',
+          if [ -f "CHANGELOG.md" ]; then
-              data=payload, method='PATCH',
+            NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
-              headers={
+            [ -z "$NOTES" ] && NOTES="Stable release"
-                  'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}',
+          else
-                  'Content-Type': 'application/json'
+            NOTES="Stable release"
-              })
+          fi
-          urllib.request.urlopen(req)
+
-          " <<< "$NOTES"
+          # Update release body via API
-            echo "Release notes updated from CHANGELOG.md"
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
-          fi
+            "${API_BASE}/releases/tags/stable" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-
+
-      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
+          if [ -n "$RELEASE_ID" ]; then
-      - name: "Step 9: Mirror release to GitHub"
+            python3 -c "
-        if: >-
+          import json, urllib.request
-          steps.version.outputs.skip != 'true' &&
+          body = open('/dev/stdin').read()
-          secrets.GH_MIRROR_TOKEN != ''
+          payload = json.dumps({'body': body}).encode()
-        continue-on-error: true
+          req = urllib.request.Request(
-        run: |
+              '${API_BASE}/releases/${RELEASE_ID}',
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+              data=payload, method='PATCH',
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+              headers={
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
+                  'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}',
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+                  'Content-Type': 'application/json'
-          php ${MOKO_CLI}/release_mirror.php \
+              })
-            --version "$VERSION" --tag "$RELEASE_TAG" \
+          urllib.request.urlopen(req)
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
+          " <<< "$NOTES"
-            --gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
+            echo "Release notes updated from CHANGELOG.md"
-            --branch main 2>&1 || true
+          fi
-          echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
+
-
+      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
-      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
+      - name: "Step 9: Mirror release to GitHub"
-      - name: "Step 10: Push main to GitHub mirror"
+        if: >-
-        if: >-
+          steps.version.outputs.skip != 'true' &&
-          steps.version.outputs.skip != 'true' &&
+          secrets.GH_MIRROR_TOKEN != ''
-          secrets.GH_MIRROR_TOKEN != ''
+        continue-on-error: true
-        continue-on-error: true
+        run: |
-        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
+          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          git remote add github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+          php ${MOKO_CLI}/release_mirror.php \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+            --version "$VERSION" --tag "$RELEASE_TAG" \
-          git fetch origin main --depth=1
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-          git push github origin/main:refs/heads/main --force 2>/dev/null \
+            --gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
-            && echo "main branch pushed to GitHub mirror" \
+            --branch main 2>&1 || true
-            || echo "WARNING: GitHub mirror push failed"
+          echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
-
+
-      - name: "Step 11: Delete rc branch and recreate dev from main"
+      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
-        if: steps.version.outputs.skip != 'true'
+      - name: "Step 10: Push main to GitHub mirror"
-        continue-on-error: true
+        if: >-
-        run: |
+          steps.version.outputs.skip != 'true' &&
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          secrets.GH_MIRROR_TOKEN != ''
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+        continue-on-error: true
-
+        run: |
-          # Delete rc branch (ephemeral — created by promote-rc)
+          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
+          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
-            "${API_BASE}/branches/rc" 2>/dev/null \
+          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-            && echo "Deleted rc branch" || echo "rc branch not found"
+          git remote add github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-
+            git remote set-url github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
-          # Delete dev branch
+          git fetch origin main --depth=1
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
+          git push github origin/main:refs/heads/main --force 2>/dev/null \
-            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
+            && echo "main branch pushed to GitHub mirror" \
-
+            || echo "WARNING: GitHub mirror push failed"
-          # Recreate dev from main (now includes version bump + changelog promotion)
+
-          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
+      - name: "Step 11: Delete rc branch and recreate dev from main"
-            -H "Content-Type: application/json" \
+        if: steps.version.outputs.skip != 'true'
-            "${API_BASE}/branches" \
+        continue-on-error: true
-            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
+        run: |
-
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          echo "Pre-release branches cleaned, dev reset from main" >> $GITHUB_STEP_SUMMARY
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
+
-      - name: "Step 12: Create version branch from main"
+          # Delete rc branch (ephemeral — created by promote-rc)
-        if: steps.version.outputs.skip != 'true'
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-        continue-on-error: true
+            "${API_BASE}/branches/rc" 2>/dev/null \
-        run: |
+            && echo "Deleted rc branch" || echo "rc branch not found"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+          # Delete dev branch
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-          BRANCH_NAME="version/${VERSION}"
+            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
-          MAIN_SHA=$(git rev-parse HEAD)
+
-
+          # Recreate dev from main (now includes version bump + changelog promotion)
-          # Delete old version branch if it exists (same version re-release)
+          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}"             "${API_BASE}/branches/${BRANCH_NAME}" 2>/dev/null && echo "Deleted old ${BRANCH_NAME}"
+            -H "Content-Type: application/json" \
-
+            "${API_BASE}/branches" \
-          # Create version/XX.YY.ZZ from main
+            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
-          curl -sf -X POST -H "Authorization: token ${TOKEN}"             -H "Content-Type: application/json"             "${API_BASE}/branches"             -d "{\"new_branch_name\":\"${BRANCH_NAME}\",\"old_branch_name\":\"main\"}" 2>/dev/null             && echo "Created ${BRANCH_NAME} from main (${MAIN_SHA})"             || echo "WARNING: ${BRANCH_NAME} creation failed"
+
-
+          echo "Pre-release branches cleaned, dev reset from main" >> $GITHUB_STEP_SUMMARY
-          echo "Version branch created: ${BRANCH_NAME} (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
+
-
+      - name: "Step 12: Create version branch from main"
-
+        if: steps.version.outputs.skip != 'true'
-
+        continue-on-error: true
-      # -- Dolibarr post-release: Reset dev version -----------------------------
+        run: |
-      - name: "Post-release: Reset dev version"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-        if: steps.version.outputs.skip != 'true'
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-        continue-on-error: true
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-        run: |
+          BRANCH_NAME="version/${VERSION}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          MAIN_SHA=$(git rev-parse HEAD)
-          php ${MOKO_CLI}/version_reset_dev.php \
+
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
+          # Delete old version branch if it exists (same version re-release)
-            --branch dev --path . 2>&1 || true
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}"             "${API_BASE}/branches/${BRANCH_NAME}" 2>/dev/null && echo "Deleted old ${BRANCH_NAME}"
-
+
-      # -- Summary --------------------------------------------------------------
+          # Create version/XX.YY.ZZ from main
-      - name: Pipeline Summary
+          curl -sf -X POST -H "Authorization: token ${TOKEN}"             -H "Content-Type: application/json"             "${API_BASE}/branches"             -d "{\"new_branch_name\":\"${BRANCH_NAME}\",\"old_branch_name\":\"main\"}" 2>/dev/null             && echo "Created ${BRANCH_NAME} from main (${MAIN_SHA})"             || echo "WARNING: ${BRANCH_NAME} creation failed"
-        if: always()
+
-        run: |
+          echo "Version branch created: ${BRANCH_NAME} (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+
-          PLATFORM="${{ steps.platform.outputs.platform }}"
+
-          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
+
-            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
+      # -- Dolibarr post-release: Reset dev version -----------------------------
-            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
+      - name: "Post-release: Reset dev version"
-          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
+        if: steps.version.outputs.skip != 'true'
-            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
+        continue-on-error: true
-          else
+        run: |
-            echo "" >> $GITHUB_STEP_SUMMARY
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
+          php ${MOKO_CLI}/version_reset_dev.php \
-            echo "" >> $GITHUB_STEP_SUMMARY
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
-            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
+            --branch dev --path . 2>&1 || true
-            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
+
-            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
+      # -- Summary --------------------------------------------------------------
-            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
+      - name: Pipeline Summary
-            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
+        if: always()
-            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
+        run: |
-            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          fi
+          PLATFORM="${{ steps.platform.outputs.platform }}"
          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
          else
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
          fi
@@ -0,0 +1,48 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: MokoStandards.Universal
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /.mokogitea/workflows/branch-cleanup.yml
 # VERSION: 01.00.00
 # BRIEF: Delete feature branches after PR merge
 name: "Branch Cleanup"
 on:
  pull_request:
    types: [closed]
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 jobs:
  cleanup:
    name: Delete merged branch
    runs-on: ubuntu-latest
    if: >-
      github.event.pull_request.merged == true &&
      github.event.pull_request.head.ref != 'dev' &&
      github.event.pull_request.head.ref != 'main'
    steps:
      - name: Delete source branch
        run: |
          BRANCH="${{ github.event.pull_request.head.ref }}"
          API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
          ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")
          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
            -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API}/${ENCODED}" 2>/dev/null || true)
          if [ "$STATUS" = "204" ]; then
            echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
          elif [ "$STATUS" = "404" ]; then
            echo "Branch already deleted: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
          else
            echo "::warning::Failed to delete branch ${BRANCH} (HTTP ${STATUS})"
          fi
@@ -0,0 +1,10 @@
 # DISABLED — auto-release Step 11 recreates dev from main after every release.
 # Cascade-dev is redundant and causes version conflicts when both main and dev
 # have different version numbers in templateDetails.xml / manifest.xml.
 name: "Cascade Main → Dev (DISABLED)"
 on: workflow_dispatch
 jobs:
  noop:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Cascade disabled — auto-release handles dev recreation"
@@ -0,0 +1,204 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: MokoStandards.CI
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-Generic
 # PATH: /.gitea/workflows/ci-generic.yml
 # VERSION: 01.00.00
 # BRIEF: CI pipeline — lint, validate, and test for generic projects (PHP + Node.js)
 name: "Generic: Project CI"
 on:
  push:
    branches:
      - main
      - dev
      - dev/**
      - rc/**
      - version/**
  pull_request:
    branches:
      - main
      - dev
      - dev/**
      - rc/**
  workflow_dispatch:
 permissions:
  contents: read
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 jobs:
  # ── Lint & Validate ───────────────────────────────────────────────────
  lint:
    name: Lint & Validate
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Detect toolchain
        id: detect
        run: |
          HAS_PHP=false
          HAS_NODE=false
          [ -f "composer.json" ] && HAS_PHP=true
          [ -f "package.json" ] && HAS_NODE=true
          echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
          echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
          echo "Toolchain: PHP=$HAS_PHP Node=$HAS_NODE"
      - name: Setup PHP
        if: steps.detect.outputs.has_php == 'true'
        run: |
          if ! command -v php &> /dev/null; then
            sudo apt-get update -qq
            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
          fi
          php -v
      - name: Setup Node.js
        if: steps.detect.outputs.has_node == 'true'
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install PHP dependencies
        if: steps.detect.outputs.has_php == 'true'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
          fi
      - name: Install Node.js dependencies
        if: steps.detect.outputs.has_node == 'true'
        run: |
          if [ -f "package.json" ]; then
            npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true
          fi
      - name: PHP syntax check
        if: steps.detect.outputs.has_php == 'true'
        run: |
          ERRORS=0
          while IFS= read -r -d '' file; do
            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
              echo "::error file=${file}::PHP syntax error"
              ERRORS=$((ERRORS + 1))
            fi
          done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -not -path "./node_modules/*" -print0)
          echo "## PHP Lint" >> $GITHUB_STEP_SUMMARY
          if [ "$ERRORS" -eq 0 ]; then
            echo "All PHP files passed syntax check." >> $GITHUB_STEP_SUMMARY
          else
            echo "${ERRORS} file(s) with syntax errors." >> $GITHUB_STEP_SUMMARY
            exit 1
          fi
      - name: TypeScript/JavaScript lint
        if: steps.detect.outputs.has_node == 'true'
        run: |
          if [ -f "node_modules/.bin/eslint" ]; then
            npx eslint src/ --quiet 2>&1 || { echo "::error::ESLint errors found"; exit 1; }
            echo "## ESLint" >> $GITHUB_STEP_SUMMARY
            echo "All files passed ESLint." >> $GITHUB_STEP_SUMMARY
          elif [ -f ".eslintrc.json" ] || [ -f ".eslintrc.js" ] || [ -f "eslint.config.js" ]; then
            echo "::warning::ESLint config found but eslint not installed"
          else
            echo "No ESLint configured — skipping"
          fi
      - name: TypeScript compile check
        if: steps.detect.outputs.has_node == 'true'
        run: |
          if [ -f "tsconfig.json" ] && [ -f "node_modules/.bin/tsc" ]; then
            npx tsc --noEmit 2>&1 || { echo "::error::TypeScript compilation errors"; exit 1; }
            echo "## TypeScript" >> $GITHUB_STEP_SUMMARY
            echo "TypeScript compilation passed." >> $GITHUB_STEP_SUMMARY
          fi
      - name: PHPStan static analysis
        if: steps.detect.outputs.has_php == 'true'
        run: |
          if [ -f "phpstan.neon" ] && [ -f "vendor/bin/phpstan" ]; then
            vendor/bin/phpstan analyse --no-progress 2>&1 || { echo "::warning::PHPStan found issues"; }
          fi
  # ── Tests ─────────────────────────────────────────────────────────────
  test:
    name: Tests
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Detect toolchain
        id: detect
        run: |
          HAS_PHP=false
          HAS_NODE=false
          [ -f "composer.json" ] && HAS_PHP=true
          [ -f "package.json" ] && HAS_NODE=true
          echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
          echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
      - name: Setup PHP
        if: steps.detect.outputs.has_php == 'true'
        run: |
          if ! command -v php &> /dev/null; then
            sudo apt-get update -qq
            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
          fi
      - name: Setup Node.js
        if: steps.detect.outputs.has_node == 'true'
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install dependencies
        run: |
          [ -f "composer.json" ] && composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
          [ -f "package.json" ] && { npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true; }
      - name: Run PHP tests
        if: steps.detect.outputs.has_php == 'true'
        run: |
          if [ -f "vendor/bin/phpunit" ]; then
            vendor/bin/phpunit --testdox 2>&1
            echo "## PHPUnit" >> $GITHUB_STEP_SUMMARY
            echo "Tests passed." >> $GITHUB_STEP_SUMMARY
          elif [ -f "phpunit.xml" ] || [ -f "phpunit.xml.dist" ]; then
            echo "::warning::PHPUnit config found but phpunit not installed"
          else
            echo "No PHPUnit configured — skipping"
          fi
      - name: Run Node.js tests
        if: steps.detect.outputs.has_node == 'true'
        run: |
          if jq -e '.scripts.test' package.json > /dev/null 2>&1; then
            npm test 2>&1
            echo "## Node.js Tests" >> $GITHUB_STEP_SUMMARY
            echo "Tests passed." >> $GITHUB_STEP_SUMMARY
          else
            echo "No test script in package.json — skipping"
          fi
      - name: Build check
        run: |
          if [ -f "Makefile" ]; then
            make build 2>&1 || echo "::warning::Build failed or not configured"
          elif [ -f "package.json" ] && jq -e '.scripts.build' package.json > /dev/null 2>&1; then
            npm run build 2>&1 || echo "::warning::Build failed"
          fi
@@ -0,0 +1,73 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Automation
 # VERSION: 01.00.00
 # BRIEF: Auto-create feature branch when an issue is opened
 name: "Universal: Issue Branch"
 on:
  issues:
    types: [opened]
 permissions:
  contents: write
  issues: write
 env:
  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
 jobs:
  create-branch:
    name: Create feature branch
    runs-on: ubuntu-latest
    steps:
      - name: Create branch and comment
        run: |
          TOKEN="${{ secrets.GA_TOKEN }}"
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
          ISSUE_NUM="${{ github.event.issue.number }}"
          ISSUE_TITLE="${{ github.event.issue.title }}"
          # Build slug from title: lowercase, replace non-alnum with dash, trim
          SLUG=$(echo "${ISSUE_TITLE}" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | sed 's/^-//;s/-$//' | cut -c1-40)
          BRANCH="feature/${ISSUE_NUM}-${SLUG}"
          # Check dev branch exists
          DEV_EXISTS=$(curl -sf -o /dev/null -w '%{http_code}' \
            -H "Authorization: token ${TOKEN}" \
            "${API}/branches/dev" 2>/dev/null || echo "000")
          if [ "${DEV_EXISTS}" != "200" ]; then
            echo "No dev branch -- skipping"
            exit 0
          fi
          # Create branch from dev
          HTTP=$(curl -sf -o /dev/null -w '%{http_code}' -X POST \
            -H "Authorization: token ${TOKEN}" \
            -H "Content-Type: application/json" \
            "${API}/branches" \
            -d "{\"new_branch_name\":\"${BRANCH}\",\"old_branch_name\":\"dev\"}" 2>/dev/null || echo "000")
          if [ "${HTTP}" = "201" ]; then
            echo "Created branch: ${BRANCH}"
            # Comment on issue with branch link
            REPO_URL="${GITEA_URL}/${{ github.repository }}"
            BODY="Branch created: [\`${BRANCH}\`](${REPO_URL}/src/branch/${BRANCH})\n\n\`\`\`bash\ngit fetch origin\ngit checkout ${BRANCH}\n\`\`\`"
            curl -sf -X POST \
              -H "Authorization: token ${TOKEN}" \
              -H "Content-Type: application/json" \
              "${API}/issues/${ISSUE_NUM}/comments" \
              -d "{\"body\":\"${BODY}\"}" > /dev/null 2>&1
            echo "Commented on issue #${ISSUE_NUM}"
          else
            echo "Failed to create branch (HTTP ${HTTP}) -- may already exist"
          fi
@@ -6,7 +6,7 @@
 # DEFGROUP: Gitea.Workflow
 # INGROUP: MokoStandards.Notifications
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
-# PATH: /.mokogitea/workflows/notify.yml
+# PATH: /.gitea/workflows/notify.yml
 # VERSION: 01.00.00
 # BRIEF: Push notifications via ntfy on release success or workflow failure
@@ -18,7 +18,6 @@ on:
      - "Joomla Build & Release"
      - "Joomla Extension CI"
      - "Deploy"
      - "Cascade Main → Dev"
    types:
      - completed
@@ -1,243 +1,11 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
+#
-# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-License-Identifier: GPL-3.0-or-later
-#
+#
-# FILE INFORMATION
+# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
+# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
+# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /templates/workflows/universal/pre-release.yml.template
+# PATH: /templates/workflows/universal/pre-release.yml.template
-# VERSION: 05.01.00
+# VERSION: 05.01.00
-# BRIEF: Manual pre-release -- builds dev/alpha/beta/rc packages from any branch
+# BRIEF: Auto pre-release on push to dev/alpha/beta/rc branches
 name: "Universal: Pre-Release"
 on:
  pull_request:
    types: [closed]
    branches:
      - dev
  pull_request_target:
    types: [synchronize, opened, reopened]
    branches:
      - main
  workflow_dispatch:
    inputs:
      stability:
        description: 'Pre-release channel'
        required: true
        type: choice
        options:
          - development
          - alpha
          - beta
          - release-candidate
 permissions:
  contents: write
 env:
  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
 jobs:
  build:
    name: "Build Pre-Release (${{ inputs.stability || 'development' }})"
    runs-on: release
    if: >-
      github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'pull_request' && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'dev') ||
      (github.event_name == 'pull_request_target' && github.event.pull_request.base.ref == 'main')
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.MOKOGITEA_TOKEN }}
          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
      - name: Setup moko-platform tools
        env:
          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
        run: |
          # Use pre-installed /opt/moko-platform if available (updated by cron every 6h)
          if [ -f /opt/moko-platform/cli/version_bump.php ] && [ -f /opt/moko-platform/cli/manifest_element.php ] && [ -f /opt/moko-platform/vendor/autoload.php ]; then
            echo Using pre-installed /opt/moko-platform
            echo MOKO_CLI=/opt/moko-platform/cli >> $GITHUB_ENV
          else
            echo Falling back to fresh clone
            if ! command -v composer > /dev/null 2>&1; then
              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
            fi
            rm -rf /tmp/moko-platform-api
            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git
            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/moko-platform-api
            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
            echo MOKO_CLI=/tmp/moko-platform-api/cli >> $GITHUB_ENV
          fi
      - name: Detect platform
        id: platform
        run: |
          php ${MOKO_CLI}/manifest_read.php --path . --github-output
      - name: Resolve metadata and bump version
        id: meta
        run: |
          # Auto-detect stability: RC for PRs targeting main, else use input or default to development
          if [ "${{ github.event_name }}" = "pull_request_target" ] && [ "${{ github.event.pull_request.base.ref }}" = "main" ]; then
            STABILITY="release-candidate"
          else
            STABILITY="${{ inputs.stability || 'development' }}"
          fi
          case "$STABILITY" in
            development)        SUFFIX="-dev";   TAG="development" ;;
            alpha)              SUFFIX="-alpha"; TAG="alpha" ;;
            beta)               SUFFIX="-beta";  TAG="beta" ;;
            release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
          esac
          # Bump version via CLI: patch for dev/alpha/beta, minor for RC
          case "$STABILITY" in
            release-candidate) BUMP="minor" ;;
            *)                 BUMP="patch" ;;
          esac
          php ${MOKO_CLI}/version_bump.php --path . $([ "$BUMP" = "minor" ] && echo "--minor") 2>/dev/null || true
          # Set stability suffix and verify consistency
          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "00.00.01")
          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
          php ${MOKO_CLI}/version_set_platform.php \
            --path . --version "$VERSION" --branch "${{ github.ref_name }}" --stability "$STABILITY" 2>/dev/null || true
          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
          # Ensure licensing tags (updateservers, dlid) if enabled in manifest.xml
          php ${MOKO_CLI}/manifest_licensing.php --path . --fix 2>/dev/null || true
          # Append suffix for output
          if [ -n "$SUFFIX" ]; then
            VERSION="${VERSION}${SUFFIX}"
          fi
          # Commit version bump
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          git add -A
          git diff --cached --quiet || {
            git commit -m "chore(version): pre-release bump to ${VERSION} [skip ci]"
            git push origin HEAD 2>&1
          }
          # Auto-detect element via manifest_element.php
          php ${MOKO_CLI}/manifest_element.php \
            --path . --version "$VERSION" --stability "$STABILITY" \
            --repo "${GITEA_REPO}" --github-output
          # Read back element outputs
          EXT_ELEMENT=$(grep '^ext_element=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
          ZIP_NAME=$(grep '^zip_name=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
          [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
          [ -z "$ZIP_NAME" ] && ZIP_NAME="${EXT_ELEMENT}-${VERSION}.zip"
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
          echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
          echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION}${SUFFIX} ==="
      - name: Create release
        id: release
        run: |
          TAG="${{ steps.meta.outputs.tag }}"
          VERSION="${{ steps.meta.outputs.version }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php ${MOKO_CLI}/release_create.php \
            --path . --version "$VERSION" --tag "$TAG" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --branch dev --prerelease
      - name: Update release notes from CHANGELOG.md
        run: |
          TAG="${{ steps.meta.outputs.tag }}"
          VERSION="${{ steps.meta.outputs.version }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          # Extract [Unreleased] section from changelog (everything between [Unreleased] and next ## heading)
          if [ -f "CHANGELOG.md" ]; then
            NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
            [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
          else
            NOTES="Release ${VERSION}"
          fi
          # Update release body via API
          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/releases/tags/${TAG}" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
          if [ -n "$RELEASE_ID" ]; then
            python3 -c "
          import json, urllib.request
          body = open('/dev/stdin').read()
          payload = json.dumps({'body': body}).encode()
          req = urllib.request.Request(
              '${API_BASE}/releases/${RELEASE_ID}',
              data=payload, method='PATCH',
              headers={
                  'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}',
                  'Content-Type': 'application/json'
              })
          urllib.request.urlopen(req)
          " <<< "$NOTES"
            echo "Release notes updated from CHANGELOG.md"
          fi
      - name: Build package and upload
        id: package
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          TAG="${{ steps.meta.outputs.tag }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php ${MOKO_CLI}/release_package.php \
            --path . --version "$VERSION" --tag "$TAG" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --output /tmp || true
      # updates.xml is generated dynamically by MokoGitea license server
      # No need to build, commit, or sync updates.xml from workflows
      - name: "Delete lesser pre-release channels (cascade)"
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          php ${MOKO_CLI}/release_cascade.php \
            --stability "${{ steps.meta.outputs.stability }}" \
            --token "${TOKEN}" \
            --api-base "${API_BASE}"
      - name: Summary
        if: always()
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          STABILITY="${{ steps.meta.outputs.stability }}"
          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
          SHA256="${{ steps.package.outputs.sha256_zip }}"
          echo "## Pre-Release Complete" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
          echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
          echo "| Channel | ${STABILITY} |" >> $GITHUB_STEP_SUMMARY
          echo "| Package | \`${ZIP_NAME}\` |" >> $GITHUB_STEP_SUMMARY
          echo "| SHA-256 | \`${SHA256:-n/a}\` |" >> $GITHUB_STEP_SUMMARY
@@ -6,7 +6,7 @@
 # DEFGROUP: Gitea.Workflow
 # INGROUP: MokoStandards.Security
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
-# PATH: /.mokogitea/workflows/security-audit.yml
+# PATH: /.gitea/workflows/security-audit.yml
 # VERSION: 01.00.00
 # BRIEF: Dependency vulnerability scanning for composer and npm packages
@@ -0,0 +1,312 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Universal
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /templates/workflows/update-server.yml
 # VERSION: 05.00.00
 # BRIEF: Pre-release build + update server XML for dev/alpha/beta/rc branches
 #
 # Thin wrapper around moko-platform CLI tools.
 # Builds packages, updates updates.xml, and optionally deploys via SFTP.
 #
 # Joomla filters update entries by the user's "Minimum Stability" setting.
 name: "Update Server"
 on:
  push:
    branches:
      - 'dev'
      - 'dev/**'
      - 'alpha/**'
      - 'beta/**'
      - 'rc/**'
    paths:
      - 'src/**'
      - 'htdocs/**'
  pull_request:
    types: [closed]
    branches:
      - 'dev'
      - 'dev/**'
      - 'alpha/**'
      - 'beta/**'
      - 'rc/**'
    paths:
      - 'src/**'
      - 'htdocs/**'
  workflow_dispatch:
    inputs:
      stability:
        description: 'Stability tag'
        required: true
        default: 'development'
        type: choice
        options:
          - development
          - alpha
          - beta
          - rc
          - stable
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
 permissions:
  contents: write
 jobs:
  update-xml:
    name: Update Server
    runs-on: release
    if: >-
      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.MOKOGITEA_TOKEN }}
          fetch-depth: 0
      - name: Setup moko-platform tools
        env:
          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.MOKOGITEA_TOKEN }}"}}}'
        run: |
          if ! command -v composer &> /dev/null; then
            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
          fi
          # Always fetch latest CLI tools — never use stale cache from previous runs
          rm -rf /tmp/moko-platform
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
            /tmp/moko-platform 2>/dev/null || true
          if [ -d "/tmp/moko-platform" ] && [ -f "/tmp/moko-platform/composer.json" ]; then
            cd /tmp/moko-platform && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
          fi
          echo "MOKO_CLI=/tmp/moko-platform/cli" >> "$GITHUB_ENV"
      - name: Detect platform
        id: platform
        run: php ${MOKO_CLI}/manifest_read.php --path . --github-output
      - name: Resolve stability and bump version
        id: meta
        run: |
          BRANCH="${{ github.ref_name }}"
          # Configure git for bot pushes
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          # Auto-bump patch version
          php ${MOKO_CLI}/version_bump.php --path . 2>/dev/null || true
          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "0.0.0")
          # Strip any existing suffix before applying stability
          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
          # Determine stability from branch or manual input
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            STABILITY="${{ inputs.stability }}"
          elif [[ "$BRANCH" == rc/* ]]; then
            STABILITY="rc"
          elif [[ "$BRANCH" == beta/* ]]; then
            STABILITY="beta"
          elif [[ "$BRANCH" == alpha/* ]]; then
            STABILITY="alpha"
          else
            STABILITY="development"
          fi
          # Version suffix per stability stream
          case "$STABILITY" in
            development) SUFFIX="-dev";  TAG="development" ;;
            alpha)       SUFFIX="-alpha"; TAG="alpha" ;;
            beta)        SUFFIX="-beta";  TAG="beta" ;;
            rc)          SUFFIX="-rc";    TAG="release-candidate" ;;
            *)           SUFFIX="";       TAG="stable" ;;
          esac
          # Propagate version with stability suffix to all manifest files
          php ${MOKO_CLI}/version_set_platform.php \
            --path . --version "$VERSION" --branch "$BRANCH" --stability "$STABILITY" 2>/dev/null || true
          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
          # Re-read version (now includes suffix from version_set_platform)
          if [ -n "$SUFFIX" ]; then
            VERSION="${VERSION}${SUFFIX}"
          fi
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
          echo "display_version=${VERSION}" >> "$GITHUB_OUTPUT"
          # Commit version bump if changed
          git add -A
          git diff --cached --quiet || {
            git commit -m "chore(version): auto-bump ${VERSION} [skip ci]" \
              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
            git push
          }
      - name: Create release and upload package
        id: package
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          TAG="${{ steps.meta.outputs.tag }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          # Create or update Gitea release
          php ${MOKO_CLI}/release_create.php \
            --path . --version "$VERSION" --tag "$TAG" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
          # Build package and upload
          php ${MOKO_CLI}/release_package.php \
            --path . --version "$VERSION" --tag "$TAG" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --output /tmp || true
      - name: Update updates.xml
        if: steps.platform.outputs.platform == 'joomla'
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          STABILITY="${{ steps.meta.outputs.stability }}"
          SHA256="${{ steps.package.outputs.sha256_zip }}"
          if [ ! -f "updates.xml" ]; then
            echo "No updates.xml — skipping"
            exit 0
          fi
          SHA_FLAG=""
          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
          php ${MOKO_CLI}/updates_xml_build.php \
            --path . --version "${VERSION}" --stability "${STABILITY}" \
            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
            ${SHA_FLAG}
          # Commit and push updates.xml
          git add updates.xml
          git diff --cached --quiet || {
            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
            git push
          }
      - name: Sync updates.xml to main
        if: github.ref_name != 'main' && steps.platform.outputs.platform == 'joomla'
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          GITEA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          FILE_SHA=$(curl -sf -H "Authorization: token ${GITEA_TOKEN}" \
            "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
          if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
            python3 -c "
          import base64, json, urllib.request, sys
          with open('updates.xml', 'rb') as f:
              content = base64.b64encode(f.read()).decode()
          payload = json.dumps({
              'content': content,
              'sha': '${FILE_SHA}',
              'message': 'chore: sync updates.xml from ${{ steps.meta.outputs.stability }} [skip ci]',
              'branch': 'main'
          }).encode()
          req = urllib.request.Request(
              '${API_BASE}/contents/updates.xml',
              data=payload, method='PUT',
              headers={
                  'Authorization': 'token ${GITEA_TOKEN}',
                  'Content-Type': 'application/json'
              })
          try:
              urllib.request.urlopen(req)
              print('updates.xml synced to main')
          except Exception as e:
              print(f'WARNING: sync to main failed: {e}', file=sys.stderr)
          "
          fi
      - name: SFTP deploy to dev server
        if: contains(github.ref, 'dev/') || github.ref == 'refs/heads/dev'
        env:
          DEV_HOST: ${{ vars.DEV_FTP_HOST }}
          DEV_PATH: ${{ vars.DEV_FTP_PATH }}
          DEV_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
          DEV_USER: ${{ vars.DEV_FTP_USERNAME }}
          DEV_PORT: ${{ vars.DEV_FTP_PORT }}
          DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
          DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
        run: |
          # Permission check: admin or maintain role required
          ACTOR="${{ github.actor }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
            python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
          case "$PERMISSION" in
            admin|maintain|write) ;;
            *)
              echo "Deploy denied: ${ACTOR} has '${PERMISSION}' — requires admin, maintain, or write"
              exit 0
              ;;
          esac
          [ -z "$DEV_HOST" ] || [ -z "$DEV_PATH" ] && { echo "DEV FTP not configured — skipping SFTP"; exit 0; }
          SOURCE_DIR="src"
          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
          [ ! -d "$SOURCE_DIR" ] && exit 0
          PORT="${DEV_PORT:-22}"
          REMOTE="${DEV_PATH%/}"
          [ -n "$DEV_SUFFIX" ] && REMOTE="${REMOTE}/${DEV_SUFFIX#/}"
          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
            "$DEV_HOST" "$PORT" "$DEV_USER" "$REMOTE" > /tmp/sftp-config.json
          if [ -n "$DEV_KEY" ]; then
            echo "$DEV_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
          else
            printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
          fi
          PLATFORM=$(php ${MOKO_CLI}/platform_detect.php --path . 2>/dev/null || true)
          if [ "$PLATFORM" = "waas-component" ] && [ -f "${MOKO_CLI}/../deploy/deploy-joomla.php" ]; then
            php ${MOKO_CLI}/../deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
          elif [ -f "${MOKO_CLI}/../deploy/deploy-sftp.php" ]; then
            php ${MOKO_CLI}/../deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
          fi
          rm -f /tmp/deploy_key /tmp/sftp-config.json
          echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
      - name: Summary
        if: always()
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          STABILITY="${{ steps.meta.outputs.stability }}"
          DISPLAY="${{ steps.meta.outputs.display_version }}"
          echo "## Update Server" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
          echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
          echo "| Version | \`${DISPLAY}\` |" >> $GITHUB_STEP_SUMMARY
@@ -0,0 +1,161 @@
 # Contributing to Moko Consulting Projects
 Thank you for your interest in contributing. All Moko Consulting repositories follow this universal workflow and version policy.
 ## Branching Workflow
 ```
 feature/* ──PR──> dev ──draft PR──> (renamed to rc) ──merge──> main
 ```
 ### Step by step
 1. **Create a feature branch** from `dev`:
   ```bash
   git checkout dev && git pull
   git checkout -b feature/my-change
   ```
 2. **Work and commit** on your feature branch. Push to origin.
 3. **Open a PR**: `feature/my-change` → `dev`. After review and checks, merge it.
 4. **When ready for release**, open a **draft PR**: `dev` → `main`.
   - This automatically renames the source branch to `rc` (release candidate)
   - An RC pre-release is built and uploaded
 5. **Alpha and beta branches** are created by manually renaming the branch before the RC stage:
   - Rename `dev` to `alpha` for early testing → alpha pre-release is built
   - Rename `alpha` to `beta` for feature-complete testing → beta pre-release is built
   - When the draft PR is created, the branch is renamed to `rc`
 6. **Once PR checks pass** on the `rc` branch, mark the PR as ready and merge to `main`.
 7. **Merging to main** triggers the stable release pipeline:
   - Minor version bump (e.g., `02.09.xx` → `02.10.00`)
   - Stability suffix stripped (clean version)
   - Gitea release created with ZIP/tar.gz packages
   - `updates.xml` updated (Joomla extensions)
   - `dev` branch recreated from `main`
 ### Branch summary
 | Branch | Purpose | Created by |
 |--------|---------|-----------|
 | `feature/*` | New features and fixes | Developer |
 | `dev` | Integration branch | Auto-recreated after release |
 | `alpha` | Alpha pre-release testing | Manual rename from `dev` |
 | `beta` | Beta pre-release testing | Manual rename from `alpha` |
 | `rc` | Release candidate | Auto-renamed on draft PR to main |
 | `main` | Stable releases | Protected, merge only |
 | `version/XX.YY.ZZ` | Archived release snapshots | Auto-created by CI |
 ### Protected branches
 | Branch | Direct push | Merge via |
 |--------|------------|-----------|
 | `main` | Blocked (CI bot whitelisted) | PR merge only |
 | `dev` | Blocked (CI bot whitelisted) | PR merge from feature/* |
 | `rc` | Blocked (CI bot whitelisted) | Auto-created on draft PR |
 | `alpha` | Blocked (CI bot whitelisted) | Manual rename |
 | `beta` | Blocked (CI bot whitelisted) | Manual rename |
 | `feature/*` | Open | N/A (source branch) |
 ## Version Policy
 ### Format
 All versions use `XX.YY.ZZ` — three two-digit segments, zero-padded:
 - **XX** — Major version (breaking changes)
 - **YY** — Minor version (new features, bumped on release to main)
 - **ZZ** — Patch version (auto-incremented on every push to dev/feature branches)
 Rollover: patch `99` → `00` increments minor; minor `99` → `00` increments major.
 ### Stability suffixes
 Each branch appends a suffix to indicate stability:
 | Branch | Suffix | Example |
 |--------|--------|---------|
 | `main` | (none) | `02.09.00` |
 | `dev` | `-dev` | `02.09.01-dev` |
 | `feature/*` | `-dev` | `02.09.01-dev` |
 | `alpha` | `-alpha` | `02.09.01-alpha` |
 | `beta` | `-beta` | `02.09.01-beta` |
 | `rc` | `-rc` | `02.09.01-rc` |
 ### Auto version bump
 On every push to `dev`, `feature/*`, or `patch/*`:
 1. Patch version incremented
 2. Stability suffix `-dev` applied
 3. All version-bearing files updated (manifests, CHANGELOG, PHP headers, etc.)
 4. Commit created with `[skip ci]` to avoid loops
 ### Release version flow
 Version bumps happen at specific release events:
 | Event | Bump | Example |
 |-------|------|---------|
 | Feature merged to dev | Patch bump after dev release | `02.09.01-dev` → release → `02.09.02-dev` |
 | Dev promoted to RC | Minor bump | `02.09.02-dev` → `02.10.00-rc` |
 | RC merged to main | Minor bump | `02.10.00-rc` → `02.11.00` (stable) |
 | Dev recreated from main | Patch bump | `02.11.00` → `02.11.01-dev` |
 ### Release stream copies
 When a higher-stability release is published, copies are created for all lesser streams with the same base version:
 - **RC `02.10.00-rc`** also creates: `02.10.00-dev`, `02.10.00-alpha`, `02.10.00-beta`
 - **Stable `02.11.00`** also creates: `02.11.00-dev`, `02.11.00-alpha`, `02.11.00-beta`, `02.11.00-rc`
 This ensures Joomla sites on ANY stability channel see the update (Joomla only shows versions higher than what's installed).
 ### Version files
 The version tools update all files containing version stamps:
 - `.mokogitea/manifest.xml` (canonical source)
 - Joomla XML manifests (`<version>` tag)
 - `README.md`, `CHANGELOG.md` (`VERSION:` pattern)
 - `package.json`, `pyproject.toml`
 - Any text file with a `VERSION: XX.YY.ZZ` label
 Files synced from other repos (with a `# REPO:` header) are not touched.
 ## Code Standards
 - **PHP**: PSR-12, tabs for indentation
 - **Copyright**: all files must include the Moko Consulting copyright header
 - **License**: SPDX identifier `GPL-3.0-or-later` (or as specified per repo)
 - **Attribution**: use `Authored-by: Moko Consulting` in commits, not individual names
 ## Commit Messages
 Use conventional commit format:
 ```
 type(scope): short description
 Optional body with context.
 Authored-by: Moko Consulting
 ```
 Types: `feat`, `fix`, `chore`, `docs`, `style`, `refactor`, `test`, `ci`
 Special flags in commit messages:
 - `[skip ci]` — skip all CI workflows
 - `[skip bump]` — skip auto version bump only
 ## Reporting Issues
 Use the repository's issue tracker with the appropriate template.
 ---
 *Moko Consulting <hello@mokoconsulting.tech>*
Author	SHA1	Message	Date
jmiller	1ca4e7dab6	chore: sync security-audit.yml from Template-MCP [skip ci]	2026-06-07 17:58:51 +00:00
jmiller	eca24b196d	chore: sync pre-release.yml from Template-MCP [skip ci]	2026-06-07 17:58:50 +00:00
jmiller	e810346af6	chore: sync notify.yml from Template-MCP [skip ci]	2026-06-07 17:58:50 +00:00
jmiller	8ee23e2805	chore: sync issue-branch.yml from Template-MCP [skip ci]	2026-06-07 17:58:49 +00:00
jmiller	923161598c	chore: sync ci-generic.yml from Template-MCP [skip ci]	2026-06-07 17:58:48 +00:00
jmiller	9c0ac13fda	chore: sync auto-release.yml from Template-MCP [skip ci]	2026-06-07 17:58:47 +00:00
jmiller	1339f6a4bf	chore: sync .mokogitea/workflows/pr-check.yml from moko-platform [skip ci]	2026-06-04 15:58:47 +00:00
jmiller	e3df79c7f3	chore: sync .mokogitea/workflows/pr-check.yml from moko-platform [skip ci]	2026-06-04 15:41:34 +00:00
jmiller	61fb670b25	chore: sync .mokogitea/workflows/pr-check.yml from moko-platform [skip ci]	2026-06-04 15:32:48 +00:00
jmiller	eb1c38930c	chore: sync .mokogitea/workflows/pr-check.yml from moko-platform [skip ci]	2026-06-04 15:19:37 +00:00
jmiller	6061e634f1	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-06-04 14:23:56 +00:00
jmiller	c762ef329b	chore: sync .mokogitea/workflows/repo-health.yml from moko-platform [skip ci]	2026-06-04 13:47:40 +00:00
Moko Consulting	a6f8728580	chore(ci): add CI issue reporter for auto-filing gate failures Universal: Changelog Validation / Validate CHANGELOG.md (push) Failing after 10s Details Generic: Repo Health / Access control (push) Successful in 1s Details Generic: Repo Health / Site Health (push) Has been skipped Details Universal: CodeQL Analysis / Analyze (actions) (push) Failing after 57s Details Universal: CodeQL Analysis / Analyze (javascript) (push) Failing after 59s Details MCP: Standards Compliance / Secret Scanning (push) Successful in 5s Details MCP: Standards Compliance / License Header Validation (push) Failing after 5s Details MCP: Standards Compliance / Repository Structure Validation (push) Failing after 4s Details MCP: Standards Compliance / Coding Standards Check (push) Failing after 4s Details MCP: Standards Compliance / Workflow Configuration Check (push) Failing after 4s Details MCP: Standards Compliance / Documentation Quality Check (push) Successful in 4s Details MCP: Standards Compliance / README Completeness Check (push) Failing after 4s Details MCP: Standards Compliance / Git Repository Hygiene (push) Successful in 4s Details MCP: Standards Compliance / File Naming Standards (push) Successful in 4s Details MCP: Standards Compliance / Script Integrity Validation (push) Successful in 7s Details MCP: Standards Compliance / Line Length Check (push) Failing after 6s Details MCP: Standards Compliance / Insecure Code Pattern Detection (push) Successful in 6s Details MCP: Standards Compliance / File Size Limits (push) Successful in 5s Details MCP: Standards Compliance / Dead Code Detection (push) Successful in 7s Details MCP: Standards Compliance / Binary File Detection (push) Successful in 5s Details MCP: Standards Compliance / TODO/FIXME Tracking (push) Successful in 4s Details MCP: Standards Compliance / Broken Link Detection (push) Successful in 5s Details MCP: Standards Compliance / API Documentation Coverage (push) Successful in 4s Details MCP: Standards Compliance / Accessibility Check (push) Successful in 4s Details MCP: Standards Compliance / Performance Metrics (push) Successful in 5s Details MCP: Standards Compliance / Terraform Configuration Validation (push) Successful in 8s Details MCP: Standards Compliance / Version Consistency Check (push) Successful in 50s Details MCP: Standards Compliance / Code Complexity Analysis (push) Successful in 50s Details MCP: Standards Compliance / Code Duplication Detection (push) Successful in 49s Details MCP: Standards Compliance / Unused Dependencies Check (push) Successful in 50s Details MCP: Standards Compliance / Dependency Vulnerability Scanning (push) Successful in 51s Details MCP: Standards Compliance / Enterprise Readiness Check (push) Successful in 44s Details MCP: Standards Compliance / Repository Health Check (push) Successful in 44s Details Universal: Sync Version on Merge / Propagate README version (push) Failing after 37s Details Universal: CodeQL Analysis / Security Scan Summary (push) Has been cancelled Details Generic: Repo Health / Release configuration (push) Has been cancelled Details Generic: Repo Health / Scripts governance (push) Has been cancelled Details Generic: Repo Health / Repository health (push) Has been cancelled Details Generic: Repo Health / Report Issues (push) Has been cancelled Details MCP: Standards Compliance / Compliance Summary (push) Has been cancelled Details	2026-06-02 20:38:35 +00:00
Moko Consulting	5fa5bdeef3	chore(ci): add CI issue reporter for auto-filing gate failures Universal: Changelog Validation / Validate CHANGELOG.md (push) Failing after 4s Details Generic: Repo Health / Site Health (push) Has been skipped Details Generic: Repo Health / Access control (push) Successful in 7s Details Universal: CodeQL Analysis / Analyze (actions) (push) Failing after 53s Details Universal: CodeQL Analysis / Analyze (javascript) (push) Failing after 56s Details MCP: Standards Compliance / Secret Scanning (push) Successful in 5s Details MCP: Standards Compliance / License Header Validation (push) Failing after 5s Details MCP: Standards Compliance / Repository Structure Validation (push) Failing after 5s Details MCP: Standards Compliance / Coding Standards Check (push) Failing after 5s Details MCP: Standards Compliance / Workflow Configuration Check (push) Failing after 8s Details MCP: Standards Compliance / README Completeness Check (push) Failing after 5s Details MCP: Standards Compliance / Documentation Quality Check (push) Successful in 6s Details MCP: Standards Compliance / Git Repository Hygiene (push) Successful in 5s Details MCP: Standards Compliance / Script Integrity Validation (push) Successful in 6s Details MCP: Standards Compliance / Line Length Check (push) Failing after 5s Details MCP: Standards Compliance / File Naming Standards (push) Successful in 5s Details MCP: Standards Compliance / Insecure Code Pattern Detection (push) Successful in 3s Details MCP: Standards Compliance / File Size Limits (push) Successful in 5s Details MCP: Standards Compliance / Dead Code Detection (push) Successful in 8s Details MCP: Standards Compliance / TODO/FIXME Tracking (push) Successful in 3s Details MCP: Standards Compliance / Binary File Detection (push) Successful in 5s Details MCP: Standards Compliance / Broken Link Detection (push) Successful in 3s Details MCP: Standards Compliance / Accessibility Check (push) Successful in 4s Details MCP: Standards Compliance / API Documentation Coverage (push) Successful in 5s Details MCP: Standards Compliance / Performance Metrics (push) Successful in 5s Details MCP: Standards Compliance / Version Consistency Check (push) Successful in 51s Details MCP: Standards Compliance / Terraform Configuration Validation (push) Successful in 9s Details MCP: Standards Compliance / Code Duplication Detection (push) Successful in 54s Details MCP: Standards Compliance / Code Complexity Analysis (push) Successful in 56s Details MCP: Standards Compliance / Unused Dependencies Check (push) Successful in 52s Details MCP: Standards Compliance / Dependency Vulnerability Scanning (push) Successful in 54s Details MCP: Standards Compliance / Enterprise Readiness Check (push) Successful in 53s Details MCP: Standards Compliance / Repository Health Check (push) Successful in 53s Details Universal: Sync Version on Merge / Propagate README version (push) Failing after 38s Details Universal: CodeQL Analysis / Security Scan Summary (push) Has been cancelled Details Generic: Repo Health / Release configuration (push) Has been cancelled Details Generic: Repo Health / Scripts governance (push) Has been cancelled Details Generic: Repo Health / Repository health (push) Has been cancelled Details Generic: Repo Health / Report Issues (push) Has been cancelled Details MCP: Standards Compliance / Compliance Summary (push) Has been cancelled Details	2026-06-02 20:38:34 +00:00
Moko Consulting	3fdaa2f3f6	chore(ci): add CI issue reporter for auto-filing gate failures Universal: Changelog Validation / Validate CHANGELOG.md (push) Failing after 4s Details Generic: Repo Health / Access control (push) Successful in 1s Details Generic: Repo Health / Site Health (push) Has been skipped Details MCP: Standards Compliance / Secret Scanning (push) Successful in 7s Details MCP: Standards Compliance / License Header Validation (push) Failing after 7s Details MCP: Standards Compliance / Repository Structure Validation (push) Failing after 7s Details MCP: Standards Compliance / Coding Standards Check (push) Failing after 5s Details MCP: Standards Compliance / Workflow Configuration Check (push) Failing after 3s Details MCP: Standards Compliance / Documentation Quality Check (push) Successful in 4s Details MCP: Standards Compliance / README Completeness Check (push) Failing after 3s Details Universal: CodeQL Analysis / Analyze (actions) (push) Failing after 45s Details MCP: Standards Compliance / Git Repository Hygiene (push) Successful in 4s Details MCP: Standards Compliance / Line Length Check (push) Failing after 5s Details MCP: Standards Compliance / Script Integrity Validation (push) Successful in 6s Details Universal: CodeQL Analysis / Analyze (javascript) (push) Failing after 50s Details MCP: Standards Compliance / File Naming Standards (push) Successful in 5s Details MCP: Standards Compliance / Insecure Code Pattern Detection (push) Successful in 4s Details MCP: Standards Compliance / Binary File Detection (push) Successful in 5s Details MCP: Standards Compliance / File Size Limits (push) Successful in 6s Details MCP: Standards Compliance / Dead Code Detection (push) Successful in 8s Details MCP: Standards Compliance / TODO/FIXME Tracking (push) Successful in 4s Details MCP: Standards Compliance / Broken Link Detection (push) Successful in 4s Details MCP: Standards Compliance / API Documentation Coverage (push) Successful in 4s Details MCP: Standards Compliance / Accessibility Check (push) Successful in 5s Details MCP: Standards Compliance / Performance Metrics (push) Successful in 4s Details MCP: Standards Compliance / Terraform Configuration Validation (push) Failing after 24s Details MCP: Standards Compliance / Version Consistency Check (push) Successful in 57s Details MCP: Standards Compliance / Code Complexity Analysis (push) Successful in 52s Details MCP: Standards Compliance / Code Duplication Detection (push) Successful in 59s Details MCP: Standards Compliance / Unused Dependencies Check (push) Successful in 58s Details MCP: Standards Compliance / Repository Health Check (push) Successful in 56s Details MCP: Standards Compliance / Enterprise Readiness Check (push) Successful in 57s Details MCP: Standards Compliance / Dependency Vulnerability Scanning (push) Successful in 1m2s Details Universal: Sync Version on Merge / Propagate README version (push) Failing after 34s Details Universal: CodeQL Analysis / Security Scan Summary (push) Has been cancelled Details Generic: Repo Health / Release configuration (push) Has been cancelled Details Generic: Repo Health / Scripts governance (push) Has been cancelled Details Generic: Repo Health / Repository health (push) Has been cancelled Details Generic: Repo Health / Report Issues (push) Has been cancelled Details MCP: Standards Compliance / Compliance Summary (push) Has been cancelled Details	2026-06-02 20:38:34 +00:00
jmiller	912bce0a9c	chore: sync .mokogitea/workflows/cascade-dev.yml from moko-platform [skip ci]	2026-05-31 01:42:50 +00:00
jmiller	b02712903a	chore: sync CONTRIBUTING.md from moko-platform [skip ci]	2026-05-31 01:10:52 +00:00
jmiller	79c94e1af5	chore: sync .mokogitea/workflows/pr-check.yml from moko-platform [skip ci]	2026-05-30 16:02:15 +00:00
jmiller	61d95a94a3	chore: sync CONTRIBUTING.md from moko-platform [skip ci]	2026-05-30 15:00:25 +00:00
jmiller	b19bd810aa	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-05-30 14:56:53 +00:00
jmiller	1332817c9a	chore: sync .mokogitea/workflows/auto-bump.yml from moko-platform [skip ci]	2026-05-30 14:54:55 +00:00
jmiller	70c7833e7b	chore: sync .mokogitea/workflows/auto-bump.yml from moko-platform [skip ci]	2026-05-30 05:52:01 +00:00
jmiller	125a3f82e7	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-05-30 03:41:53 +00:00
jmiller	066a73a582	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-05-30 01:15:34 +00:00
jmiller	e99c623666	chore: add .mokogitea/branch-protection.yml from moko-platform [skip ci]	2026-05-29 10:30:48 +00:00
jmiller	4acc277ebb	chore: add CONTRIBUTING.md from moko-platform [skip ci]	2026-05-29 10:28:12 +00:00
jmiller	2dcb28543e	chore: add .mokogitea/workflows/branch-cleanup.yml from moko-platform [skip ci]	2026-05-29 10:26:35 +00:00
jmiller	9f26477521	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-05-29 10:25:08 +00:00
jmiller	0b62dd09bd	chore: sync .mokogitea/workflows/auto-bump.yml from moko-platform [skip ci]	2026-05-29 10:23:39 +00:00
jmiller	f7541d1253	chore: sync .mokogitea/workflows/pre-release.yml from moko-platform [skip ci]	2026-05-28 20:54:26 +00:00
jmiller	78973339a4	chore: sync .mokogitea/workflows/update-server.yml from moko-platform [skip ci]	2026-05-28 20:49:19 +00:00
jmiller	1639517652	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-05-28 20:44:38 +00:00
jmiller	93fe0456b7	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-05-28 20:38:41 +00:00
gitea-actions[bot]	8f6df9e01a	feat(ci): add version branch creation on stable release [skip ci]	2026-05-27 02:19:39 +00:00
jmiller	0043021c0d	chore(ci): update pre-release.yml from moko-platform [skip ci]	2026-05-26 22:51:29 +00:00
jmiller	8008615cd6	chore(ci): update auto-bump.yml from moko-platform [skip ci]	2026-05-26 22:50:18 +00:00
jmiller	e1143b50d3	chore(ci): update auto-release.yml from moko-platform [skip ci]	2026-05-26 22:49:06 +00:00
jmiller	5c18486d09	chore(ci): update pre-release.yml from moko-platform [skip ci]	2026-05-26 22:37:39 +00:00
jmiller	45e30536ac	chore(ci): update auto-release.yml from moko-platform [skip ci]	2026-05-26 22:36:12 +00:00
jmiller	07f6ba8b7b	chore(ci): update auto-bump.yml from moko-platform [skip ci]	2026-05-26 22:25:50 +00:00
jmiller	349a3c5eb6	chore(ci): update auto-release.yml from moko-platform [skip ci]	2026-05-26 22:24:34 +00:00
jmiller	efb4f94082	chore(ci): update pre-release.yml from moko-platform [skip ci]	2026-05-26 22:13:57 +00:00
jmiller	2bacfbdac6	chore(ci): add auto-bump.yml from moko-platform [skip ci]	2026-05-26 22:12:43 +00:00
jmiller	0f3b6d1541	chore: sync .mokogitea/workflows/update-server.yml from moko-platform [skip ci]	2026-05-26 20:13:26 +00:00
jmiller	a4dc760261	chore: sync .mokogitea/workflows/pre-release.yml from moko-platform [skip ci]	2026-05-26 20:11:32 +00:00
jmiller	006d11ec00	chore(ci): add update-server.yml universal workflow [skip ci]	2026-05-26 19:57:12 +00:00
jmiller	745b4c3567	chore(ci): update pre-release.yml from moko-platform [skip ci]	2026-05-26 19:36:51 +00:00
jmiller	b3e24b4047	chore(ci): update auto-release.yml from moko-platform [skip ci]	2026-05-26 19:36:50 +00:00
jmiller	568602a07e	chore: add .mokogitea/workflows/update-server.yml from moko-platform [skip ci]	2026-05-26 19:04:43 +00:00