MokoConsulting/mokocli
Public Access
1
0
Fork 0
Code Issues 2 Pull Requests Releases 8 Wiki Activity
Files
46a87d2a98e487357dfd8bbb6255b3076b565ecd
mokocli/docs/workflows/README.md
T
Jonathan Miller 65e3c6acb6 docs: update workflow architecture — .gitea only, stream tags, cascade, auto-detect [skip ci] 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-26 19:30:30 -05:00

600 lines
21 KiB
Markdown
Raw Blame History

[![MokoStandards](https://img.shields.io/badge/MokoStandards-04.06.00-orange)](https://git.mokoconsulting.tech/MokoConsulting/MokoStandards)
# GitHub Workflow Templates Documentation
**Status**: Active | **Version**: 04.00.04 | **Effective**: 2026-01-07
## Overview
> **Important (v2):** All workflows MUST be in `.gitea/workflows/` only. Gitea Actions does not run workflows from `.github/workflows/`. Having files in `.github/workflows/` creates ghost queued runs that block the runner. Releases use stream-based git tags (`stable`, `release-candidate`, `beta`, `alpha`, `development`). See [Release System](./release-system.md) for cascade logic, SHA-256 rules, and auto-detection.
This document provides comprehensive documentation for MokoStandards workflow templates. These templates provide standardized CI/CD configurations that ensure consistency, security, and compliance across all Moko Consulting repositories.
### Workflow Documentation
- [Workflow Architecture](./workflow-architecture.md) - Workflow hierarchy and design patterns
- [Workflow Inventory](./workflow-inventory.md) - Complete inventory of workflows
- [Reusable Workflows](./reusable-workflows.md) - Documentation for reusable GitHub Actions workflows
- [Standards Compliance](./standards-compliance.md) - **NEW**: Comprehensive standards validation workflow
- [Bulk Repository Sync](./bulk-repo-sync.md) - Automated standards deployment across organization repositories
- [Release System](./release-system.md) - Unified release system documentation
- [Changelog Management](./changelog-management.md) - Changelog management workflows and scripts
- [Dev Branch Tracking and Issue Coordination](./dev-branch-tracking.md) - Automated dev branch and PR tracking system
- [Dev Deployment](./dev-deployment.md) - Development deployment workflows
- [Reserve Dolibarr Module ID](./reserve-dolibarr-module-id.md) - Automated Dolibarr module ID reservation workflow
### Workflow Template Locations
MokoStandards provides workflow templates in two locations:
1. **`templates/workflows/`** - **Public workflow templates** for community adoption
- `build.yml.template` - Universal build workflow with automatic project detection
- `release-cycle.yml.template` - Automated release management workflow (v2.0 with auto-detect & manual modes)
- `generic/codeql-analysis.yml` - Security scanning with CodeQL
- `generic/dependency-review.yml.template` - Dependency vulnerability scanning
- `standards-compliance.yml.template` - MokoStandards compliance validation
- `flush-actions-cache.yml.template` - GitHub Actions cache management workflow
2. **`templates/workflows/`** - Platform-specific workflow examples
- `joomla/` - Joomla extension workflows
- `dolibarr/` - Dolibarr module workflows
- `generic/` - Generic project workflows
### Quick Start
To adopt MokoStandards workflows in your repository:
```bash
# Copy universal build workflow
cp templates/workflows/build.yml.template .gitea/workflows/build.yml
# Copy release management workflow
cp templates/workflows/release-cycle.yml.template .gitea/workflows/release.yml
# Copy security scanning workflows
cp templates/workflows/generic/codeql-analysis.yml .gitea/workflows/
cp templates/workflows/generic/dependency-review.yml.template .gitea/workflows/dependency-review.yml
# Copy standards compliance workflow
cp templates/workflows/standards-compliance.yml.template .gitea/workflows/standards-compliance.yml
# Optional: Copy cache management workflow
cp templates/workflows/flush-actions-cache.yml.template .gitea/workflows/flush-actions-cache.yml
```
Then customize the workflows for your project as needed.
## Public Workflow Templates (`templates/workflows/`)
### 1. Build Universal (`build.yml.template`)
**Location**: `templates/workflows/build.yml.template`
Universal build workflow with automatic project type detection and Makefile precedence system.
**Features**:
- **Automatic project detection** - Detects Joomla, Dolibarr, or Generic projects
- **Makefile precedence system** - Repository Makefile → MokoStandards Makefile → Default builds
- **Multi-language support** - PHP, Node.js, and mixed projects
- **Build artifacts** - Automatic artifact upload
- **Customizable** - Extensive inline documentation for customization
**Trigger Patterns**:
```yaml
on:
push:
branches: [main, dev/**, rc/**, version/**]
pull_request:
branches: [main, dev/**, rc/**]
workflow_dispatch:
```
**Usage**: Copy to `.gitea/workflows/build.yml` and customize as needed.
See [Build System Documentation](../build-system/README.md) for details on the Makefile precedence system.
### 2. Release Cycle (`release-cycle.yml.template`)
**Location**: `templates/workflows/release-cycle.yml.template`
**Version 02.00.00** - Merged unified-release and release-cycle workflows with auto-detection and manual dispatch modes
Automated release management workflow implementing the MokoStandards release cycle: main → dev → rc → version → main.
**Features**:
- **Auto-detection** - Detects version changes from CITATION.cff, pyproject.toml, package.json, CHANGELOG.md
- **Manual dispatch** - Full control over release actions
- **Semantic versioning** - Automatic validation of version format
- **Branch management** - Automated branch creation and merging
- **Release actions** - start-release, create-rc, finalize-release, hotfix, simple-release
- **Release notes** - Automated generation from commits
- **GitHub releases** - Automatic creation with artifacts
**Actions**:
- `start-release` - Create development branch and update version
- `create-rc` - Create release candidate from dev branch
- `finalize-release` - Create version branch, merge to main, create release
- `hotfix` - Create hotfix branch for emergency fixes
**Trigger Pattern**:
```yaml
on:
workflow_dispatch:
inputs:
action:
type: choice
options: [start-release, create-rc, finalize-release, hotfix]
version:
type: string
required: true
```
**Usage**: Copy to `.gitea/workflows/release.yml` for automated release management.
See [Release Management Documentation](../release-management/README.md) for complete release procedures.
### 3. Dependency Review (`dependency-review.yml.template`)
**Location**: `templates/workflows/generic/dependency-review.yml.template`
Comprehensive dependency vulnerability scanning for pull requests.
**Features**:
- **GitHub Dependency Review** - Scans dependencies in PRs
- **npm audit** - Node.js dependency security checks
- **Composer audit** - PHP dependency security checks
- **Python Safety** - Python dependency vulnerability scanning
- **License compliance** - Validates dependency licenses
**Trigger Pattern**:
```yaml
on:
pull_request:
branches: [main, dev/**, rc/**]
```
**Usage**: Copy to `.gitea/workflows/dependency-review.yml` to enable dependency scanning on PRs.
### 4. Standards Compliance (`standards-compliance.yml.template`)
**Location**: `templates/workflows/standards-compliance.yml.template`
MokoStandards compliance validation workflow.
**Features**:
- **Repository structure** - Validates required directories and files
- **Documentation quality** - Checks README, CHANGELOG, and other docs
- **Coding standards** - Tab detection, encoding, line endings
- **License compliance** - SPDX header validation
- **Git hygiene** - .gitignore, large files, etc.
- **Workflow validation** - YAML syntax and required workflows
**Trigger Pattern**:
```yaml
on:
push:
branches: [main, dev/**, rc/**]
pull_request:
branches: [main, dev/**, rc/**]
workflow_dispatch:
```
**Usage**: Copy to `.gitea/workflows/standards-compliance.yml` to enable compliance checks.
### 5. Flush Actions Cache (`flush-actions-cache.yml.template`)
**Location**: `templates/workflows/flush-actions-cache.yml.template`
Cache management workflow for flushing GitHub Actions caches on demand.
**Features**:
- **Manual trigger** - Run from Actions tab when needed
- **Filter by branch** - Target specific branch caches
- **Filter by key pattern** - Target specific dependency caches (composer, node)
- **Dry-run mode** - Preview deletions before executing
- **Comprehensive reporting** - Shows cache details before deletion
- **Automatic script download** - Downloads latest flush script from MokoStandards
**Trigger Pattern**:
```yaml
on:
workflow_dispatch:
inputs:
branch:
description: 'Branch to filter caches (leave empty for all branches)'
key-pattern:
description: 'Key pattern to filter caches (e.g., composer, node)'
dry-run:
description: 'Dry run mode (show what would be deleted without deleting)'
type: boolean
```
**Common Use Cases**:
- Clear all caches when corrupted
- Clear branch-specific caches after branch deletion
- Clear dependency caches after major updates (Composer, npm)
- Preview cache usage with dry-run mode
**Usage**: Copy to `.gitea/workflows/flush-actions-cache.yml` to enable cache management.
See [flush_actions_cache.py documentation](/docs/api/maintenance/flush-actions-cache-py.md) for detailed script usage.
### 6. CodeQL Analysis (`codeql-analysis.yml`)
**Location**: `templates/workflows/generic/codeql-analysis.yml`
Security scanning with GitHub's CodeQL engine (also available in `.gitea/workflows/`).
See section below for complete details.
## Platform-Specific Workflow Templates (`templates/workflows/`)
The following templates are organized by platform in `templates/workflows/`.
### 1. CI Template (`ci.yml`)
**Location**: `.gitea/workflows/ci.yml` (MokoStandards root)
Continuous Integration workflow that enforces repository standards through automated validation.
**Features**:
- **Manifest validation** - Validates project manifests (Joomla XML, Dolibarr descriptors)
- **XML well-formedness** - Ensures all XML files are properly formatted
- **PHP syntax validation** - Checks PHP code across multiple versions
- **CHANGELOG structure** - Validates changelog formatting and completeness
- **License headers** - Verifies SPDX headers in all source files
- **Version alignment** - Ensures version numbers are consistent across files
- **Path separator checks** - Validates file paths
- **Tab detection** - Enforces space-over-tabs policy
- **Secret scanning** - Prevents accidental secret commits
**Trigger Patterns**:
```yaml
on:
push:
branches: [main, dev/**, rc/**, version/**]
pull_request:
branches: [main, dev/**, rc/**, version/**]
```
**Usage**: Copy from MokoStandards `.gitea/workflows/ci.yml` to your repository.
### 2. CodeQL Analysis Template (`codeql-analysis.yml`)
**Location**: `.gitea/workflows/codeql-analysis.yml` (MokoStandards root)
Security scanning workflow using GitHub's CodeQL engine for vulnerability detection.
**Features**:
- **Multi-language support** - Analyzes Python, JavaScript, PHP, Go, etc.
- **Security-extended queries** - Uses comprehensive security query packs
- **Quality analysis** - Includes code quality checks
- **Scheduled scans** - Weekly automated security scans (Monday 6:00 AM UTC)
- **PR integration** - Scans all pull requests automatically
**Trigger Patterns**:
```yaml
on:
push:
branches: [main, dev/**, rc/**]
pull_request:
branches: [main, dev/**, rc/**]
schedule:
- cron: '0 6 * * 1' # Weekly Monday 6:00 AM UTC
workflow_dispatch:
```
**Usage**: Copy from MokoStandards `.gitea/workflows/codeql-analysis.yml` to your repository.
### 3. Dependency Review
**Purpose**: Automated dependency vulnerability scanning
Dependency scanning in MokoStandards repositories is handled through:
- **Dependabot configuration** - `.github/dependabot.yml` (configure for your project)
- **CodeQL analysis** - Includes dependency checks
- **Generic code quality workflow** - `templates/workflows/generic/code-quality.yml`
**Recommended Approach**:
1. Enable Dependabot in repository settings
2. Create `.github/dependabot.yml` configuration
3. Use CodeQL for comprehensive security analysis
### 4. Standards Compliance Template (`repo_health.yml`)
**Location**: `templates/workflows/generic/repo_health.yml`
Repository health and governance validation workflow that enforces MokoStandards compliance.
**Features**:
- **Admin-only execution** - Requires admin permissions
- **Release configuration checks** - Validates SFTP deployment variables
- **SFTP connectivity testing** - Tests remote server access
- **Scripts governance** - Validates script directory structure
- **Repository artifacts** - Checks required files (README, LICENSE, CONTRIBUTING, etc.)
- **Content heuristics** - Validates document content and structure
- **Extended checks** (optional):
- CODEOWNERS presence
- Workflow action version pinning
- Documentation link integrity
- ShellCheck validation
- SPDX header compliance
- Git hygiene (stale branches)
**Profiles**:
- `all` - Run all checks (default)
- `release` - Release configuration only
- `scripts` - Scripts governance only
- `repo` - Repository health only
**Trigger Pattern**:
```yaml
on:
workflow_dispatch:
inputs:
profile:
type: choice
options: [all, release, scripts, repo]
```
**Usage**: Copy from `templates/workflows/generic/repo_health.yml` and customize for your project.
### 5. Platform-Specific Workflows
#### Joomla Workflows (`templates/workflows/joomla/`)
**ci.yml** - Joomla extension CI workflow:
- Joomla manifest validation
- Extension structure checks
- PHP 7.4-8.2 compatibility
- XML schema validation
**test.yml** - Comprehensive Joomla testing:
- PHPUnit tests with Joomla framework
- Code quality (PHPCS, PHPStan, Psalm)
- Matrix testing: PHP 7.4-8.2, Joomla 4.4-5.0
- Code coverage with Codecov
**release.yml** - Automated Joomla package creation:
- Version bumping in manifests
- ZIP package creation with proper structure
- Checksum generation (SHA256, MD5)
- GitHub release creation with changelog
- Release artifact upload
#### Dolibarr Workflows (`templates/workflows/dolibarr/`)
**ci.yml** - Dolibarr module CI workflow:
- Module structure validation
- PHP syntax checking (7.4-8.2)
- Dolibarr API usage validation (16.0-18.0)
- Database schema validation
- Security scanning (SQL injection, XSS, credentials)
**test.yml** - Dolibarr module testing:
- PHPUnit tests with Dolibarr environment
- Automatic Dolibarr installation
- MySQL database integration
- Module linking and installation
- Code coverage reporting
#### Generic Workflows (`templates/workflows/generic/`)
**ci.yml** - Multi-language CI with auto-detection:
- Supports: Node.js, Python, PHP, Go, Ruby, Rust
- Automatic language detection
- Parallel testing across language matrices
- Language-specific linting
- Security scanning with Trivy
**test.yml** - Comprehensive testing framework:
- Unit tests with coverage
- Integration tests (PostgreSQL, Redis)
- End-to-end tests with Playwright
- Codecov integration
- Test result summaries
**deploy.yml** - Multi-environment deployment:
- Automatic environment detection
- Multi-language build support
- Staging and production deployment jobs
- Smoke tests after deployment
- Automatic rollback on failure
- Deployment notifications
**code-quality.yml** - Advanced code analysis:
- Multi-language linting (ESLint, Flake8, PHPCS, golangci-lint, clippy)
- Code formatting validation
- Static analysis (CodeQL, PHPStan, Pylint)
- Dependency security (Snyk, npm audit, pip safety)
- Code complexity analysis
## Platform Detection
Workflows use automatic project type detection based on file presence. See [Project Type Detection](../reference/project-types.md) for complete details.
### Quick Reference
- **Joomla**: Detected by `joomla.xml` manifest file
- **Dolibarr**: Detected by `htdocs/` directory or `core/modules/` structure
- **Generic**: Fallback for all other projects
## Usage Instructions
### For New Projects
1. **Choose appropriate templates**:
- Joomla → `templates/workflows/joomla/`
- Dolibarr → `templates/workflows/dolibarr/`
- Other → `templates/workflows/generic/`
2. **Copy workflow files**:
```bash
mkdir -p .github/workflows
cp /path/to/MokoStandards/templates/workflows/joomla/ci.yml .gitea/workflows/
```
3. **Customize for your project**:
- Update FILE INFORMATION headers with correct paths
- Adjust branch patterns if needed
- Configure environment-specific settings
- Add/remove validation scripts as appropriate
4. **Commit and enable**:
```bash
git add .gitea/workflows/
git commit -m "Add MokoStandards workflows"
git push
```
### For Existing Projects
1. Review current workflows against templates
2. Identify gaps or outdated patterns
3. Update workflows incrementally
4. Test on feature branch before merging to main
## Required Workflows
All MokoStandards-governed repositories **MUST** implement:
1. **CI workflow** - For build validation and testing
2. **Security scanning** - CodeQL or equivalent
Recommended workflows:
- Repository health workflow
- Platform-specific test workflows
- Automated release workflows (for libraries/extensions)
- Deployment workflows (for applications)
- Code quality workflows
## Workflow Dependencies
### Common Requirements (All Workflows)
- Git repository with proper branching structure
- Python 3.x for validation scripts
- Proper permissions configured in repository settings
### CI Workflows Require
**For Joomla**:
- `api/validate/manifest.sh`
- `api/validate/xml_wellformed.sh`
- Joomla XML manifest file
**For Dolibarr**:
- Module descriptor (`core/modules/modMyModule.class.php`)
- Proper Dolibarr directory structure
**For Generic**:
- Language-specific package managers (npm, pip, composer, etc.)
- Test configurations
### Test Workflows Require
- Test framework configuration (Jest, pytest, PHPUnit, etc.)
- Optional: Database services (configured in workflow)
- Optional: Browser testing tools (Playwright)
### Deployment Workflows Require
- Environment secrets in GitHub repository settings
- Deployment target configuration
- For SFTP deployments: See [SFTP Deployment Guide](../deployment/sftp.md)
## Standards Compliance
All workflows follow MokoStandards requirements:
- ✅ SPDX license headers (GPL-3.0-or-later)
- ✅ Proper error handling and reporting
- ✅ Step summaries for GitHub Actions UI
- ✅ Audit trail generation
- ✅ Secure secret handling
- ✅ Versioned action dependencies
## Best Practices
1. **Pin action versions** - Use `@v4` not `@main`
2. **Test in feature branches** - Never merge untested workflows
3. **Use workflow concurrency** - Prevent duplicate runs
4. **Set appropriate timeouts** - Avoid hanging workflows
5. **Configure secrets properly** - Use GitHub repository secrets
6. **Monitor costs** - Track GitHub Actions minutes usage
7. **Document customizations** - Add comments for deviations
8. **Review step summaries** - Check GitHub Actions UI after runs
9. **Use matrix strategies** - Test across multiple versions
10. **Keep workflows DRY** - Use reusable workflows when possible
## Integration with Health Scoring
These workflows contribute to the [Health Scoring System](../policy/health-scoring.md):
- **CI/CD Status**: 15 points - CI workflow passing
- **Workflows**: 10 points - Required workflows present
- **Security**: 15 points - CodeQL and dependency scanning enabled
## Support and Troubleshooting
### Common Issues
**Workflow fails to find scripts**:
- Ensure scripts exist in expected locations
- Verify script permissions (`chmod +x`)
- Check FILE INFORMATION paths match actual structure
**SFTP connectivity fails**:
- Verify all required secrets are configured
- Test credentials manually
- Check firewall/network access
- See [SFTP Deployment Guide](../deployment/sftp.md)
**CodeQL fails**:
- Ensure language matrix includes project languages
- Remove languages with no code to analyze
- Review CodeQL queries configuration
### Getting Help
1. Review workflow logs in GitHub Actions UI
2. Check step summaries for detailed errors
3. Validate scripts locally before CI
4. Refer to [Project Types Documentation](../reference/project-types.md)
5. Consult [SFTP Deployment Guide](../deployment/sftp.md)
For issues with templates:
- Open issue in MokoStandards repository
- Tag with `workflow-template` label
- Include workflow name and error details
## Metadata
| Field | Value |
|---|---|
| Document | Workflow Templates Documentation |
| Path | /docs/workflows/README.md |
| Repository | https://git.mokoconsulting.tech/MokoConsulting/MokoStandards |
| Owner | Moko Consulting |
| Status | Active |
| Version | 04.00.04 |
| Effective | 2026-01-07 |
## Version History
| Version | Date | Changes |
|---|---|---|
| 04.00.04 | 2026-02-08 | Consolidated workflow templates: removed duplicate build-universal (use build.yml.template), removed superseded release-cycle-simple (use release-cycle v2.0) |
| 04.00.04 | 2026-01-07 | Added public workflow templates documentation (build-universal, release-cycle, dependency-review, standards-compliance) |
| 01.00.00 | 2026-01-07 | Initial comprehensive workflow documentation |
## See Also
- [Build System Documentation](../build-system/README.md)
- [Release Management Documentation](../release-management/README.md)
- [Health Scoring System](../policy/health-scoring.md)
- [SFTP Deployment Guide](../deployment/sftp.md)
- [Project Type Detection](../reference/project-types.md)
- [Repository Structure Schema](../guide/repository-structure-schema.md)
- [Workflow Templates (Technical)](../../templates/workflows/README.md)
- [Public Workflow Templates](../../templates/workflows/)
Reference in New Issue View Git Blame Copy Permalink