diff --git a/.gitea/workflows/README.md b/.gitea/workflows/README.md
new file mode 100644
index 00000000..49421371
--- /dev/null
+++ b/.gitea/workflows/README.md
@@ -0,0 +1,47 @@
+# .gitea/workflows
+
+Gitea Actions is the **canonical** CI for `d-bis/proxmox` per [AGENTS.md](../../AGENTS.md). These workflows run on `act_runner` hosts registered with Gitea, **not** GitHub Actions.
+
+## Runner readiness (required before any workflow here can run)
+
+At least one `act_runner` with the `ubuntu-latest` label must be registered against either this repo or the `d-bis` org. Check at:
+
+- https://gitea.d-bis.org/-/admin/actions/runners (admin view)
+- https://gitea.d-bis.org/d-bis/settings/actions/runners (org view)
+
+If no runner is online, bootstrap one from the proxmox repo root:
+
+```bash
+bash scripts/dev-vm/bootstrap-gitea-act-runner-site-wide.sh
+```
+
+Full runbook: [`docs/04-configuration/GITEA_ACT_RUNNER_SETUP.md`](../../docs/04-configuration/GITEA_ACT_RUNNER_SETUP.md).
+
+## Workflows
+
+| File | Trigger | Purpose |
+|---|---|---|
+| `ai-review.yml` | pull_request: opened / synchronize | Claude AI code review comment via `markwylde/claude-code-gitea-action`. Requires `ANTHROPIC_API_KEY` + `GITEA_TOKEN` secrets. |
+| `deploy-to-phoenix.yml` | push to `main` / `master` | POST to `PHOENIX_DEPLOY_URL` to trigger Phoenix deployment. Requires `PHOENIX_DEPLOY_URL` + `PHOENIX_DEPLOY_TOKEN` secrets. |
+| `validate-config.yml` | pull_request / push on `config/**`, `scripts/validation/**`, `token-lists/**` | R14 config validation + completable-tasks dry-run + optional shellcheck. |
+| `validate-omnl-rail.yml` | pull_request / push on `scripts/omnl/**` | OMNL rail `.gitignore` + resolve_ids + transaction-package smoke + shellcheck. |
+| `validate-token-list.yml` | pull_request / push on `token-lists/**` | JSON-schema + checksum + logo + on-chain validation of `dbis-138.tokenlist.json`. |
+| `release-token-list.yml` | tag `v*` or workflow_dispatch | Build + sign + release the dbis-138 token list as a **Gitea release** (not GitHub release). Requires `GITEA_TOKEN` + `MINISIGN_PRIVATE_KEY`. |
+
+## Phase 5 migration notes (2026-04-18)
+
+The first 4 validation / release workflows were ported here from `.github/workflows/` during Phase 5 of the [sequenced cleanup](https://gitea.d-bis.org/d-bis/proxmox/issues/1). GitHub mirrors of this repo do not exist (`d-bis/proxmox` on GitHub returns 403/404), so the `.github/workflows/` copies never ran — they were removed in the same PR.
+
+Key porting adjustments:
+- `${{ github.* }}` → `${{ gitea.* }}` where the value differs (e.g. `gitea.event_name`, `gitea.event.inputs.*`).
+- `$GITHUB_REF`, `$GITHUB_OUTPUT`, `$GITHUB_REPOSITORY` → `$GITEA_REF`, `$GITEA_OUTPUT`, `$GITEA_REPOSITORY`.
+- `softprops/action-gh-release@v1` (GitHub-only) replaced with direct `curl` calls to Gitea's releases API in `release-token-list.yml`.
+- `actions/github-script@v7` PR-comment step dropped from `validate-token-list.yml`; the in-tree `ai-review.yml` already posts PR comments.
+- `pnpm install` steps now explicitly install `pnpm` via `pnpm/action-setup@v4` (no implicit `corepack` assumption).
+
+## Adding a new workflow
+
+1. Copy one of the existing files and adjust the `on:`, `name:`, and steps.
+2. Verify it works on a feature branch before merging to `master` — Gitea will show the run under the PR's Checks tab.
+3. If it needs secrets, add them under **Repository settings → Actions → Secrets**.
+4. Update this README's workflow table.
diff --git a/.gitea/workflows/release-token-list.yml b/.gitea/workflows/release-token-list.yml
new file mode 100644
index 00000000..955f23a5
--- /dev/null
+++ b/.gitea/workflows/release-token-list.yml
@@ -0,0 +1,126 @@ +# Release the dbis-138 token list to a Gitea release when a v* tag is pushed. +# Ported from .github/workflows/release.yml during Phase 5 CI reconciliation (2026-04-18). +# The original workflow targeted `softprops/action-gh-release`, which only creates +# GitHub releases. This Gitea port uses the Gitea `POST /api/v1/repos/{owner}/{repo}/releases` +# API and uploads assets via `POST .../releases/{id}/assets`. +# +# Runner readiness: requires a Gitea act_runner with label `ubuntu-latest`. +# Bootstrap: `bash scripts/dev-vm/bootstrap-gitea-act-runner-site-wide.sh`. +# +# Required secrets (set in Gitea repo or org actions settings): +# - GITEA_TOKEN — Gitea token with `write:repository` to this repo. +# - MINISIGN_PRIVATE_KEY — minisign private key used by token-lists/scripts/sign-list.sh. +name: Release Token List + +on: + push: + tags: + - 'v*' + workflow_dispatch: + inputs: + version: + description: 'Version tag (e.g., v1.2.0)' + required: true + type: string + +jobs: + release: + name: Release Token List + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup pnpm + uses: pnpm/action-setup@v4 + with: + version: 9 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '20' + cache: 'pnpm' + + - name: Install dependencies + run: pnpm install + + - name: Validate token list + run: node token-lists/scripts/validate-token-list.js token-lists/lists/dbis-138.tokenlist.json + + - name: Validate address checksums + run: node token-lists/scripts/checksum-addresses.js token-lists/lists/dbis-138.tokenlist.json + + - name: Validate logos + run: node token-lists/scripts/validate-logos.js token-lists/lists/dbis-138.tokenlist.json + continue-on-error: true + + - name: On-chain verification (required) + run: node token-lists/scripts/verify-on-chain.js token-lists/lists/dbis-138.tokenlist.json --required + + - name: Determine version + id: version + run: | + if [ 
"${{ gitea.event_name }}" = "workflow_dispatch" ]; then + VERSION="${{ gitea.event.inputs.version }}" + VERSION=${VERSION#v} + else + VERSION=${GITEA_REF#refs/tags/v} + fi + echo "version=$VERSION" >> "$GITEA_OUTPUT" + echo "tag=v$VERSION" >> "$GITEA_OUTPUT" + echo "Version: $VERSION" + + - name: Generate checksums + run: | + cd token-lists/lists + sha256sum dbis-138.tokenlist.json > SHA256SUMS + cat SHA256SUMS + + - name: Sign token list + env: + MINISIGN_PRIVATE_KEY: ${{ secrets.MINISIGN_PRIVATE_KEY }} + run: | + cd token-lists + chmod +x scripts/sign-list.sh + ./scripts/sign-list.sh sign + continue-on-error: true + + - name: Create Gitea release + id: create_release + env: + GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + run: | + set -euo pipefail + TAG="${{ steps.version.outputs.tag }}" + BODY_FILE="token-lists/docs/CHANGELOG.md" + [ -f "$BODY_FILE" ] || BODY_FILE=/dev/null + BODY=$(python3 -c "import json,sys; print(json.dumps(open(sys.argv[1]).read()))" "$BODY_FILE") + RESP=$(curl -sSf -X POST \ + -H "Authorization: token ${GITEA_TOKEN}" \ + -H "Content-Type: application/json" \ + -d "{\"tag_name\":\"${TAG}\",\"name\":\"Release ${TAG}\",\"body\":${BODY},\"draft\":false,\"prerelease\":false}" \ + "${GITEA_SERVER_URL:-https://gitea.d-bis.org}/api/v1/repos/${GITEA_REPOSITORY}/releases") + RELEASE_ID=$(echo "$RESP" | python3 -c "import json,sys; print(json.load(sys.stdin)['id'])") + echo "release_id=$RELEASE_ID" >> "$GITEA_OUTPUT" + + - name: Upload release assets + env: + GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + run: | + set -euo pipefail + REL_ID="${{ steps.create_release.outputs.release_id }}" + for f in \ + token-lists/lists/dbis-138.tokenlist.json \ + token-lists/lists/dbis-138.tokenlist.json.sig \ + token-lists/lists/SHA256SUMS + do + [ -f "$f" ] || { echo "skip missing $f"; continue; } + curl -sSf -X POST \ + -H "Authorization: token ${GITEA_TOKEN}" \ + -F "attachment=@${f}" \ + 
"${GITEA_SERVER_URL:-https://gitea.d-bis.org}/api/v1/repos/${GITEA_REPOSITORY}/releases/${REL_ID}/assets?name=$(basename "$f")" + done diff --git a/.github/workflows/validate-config.yml b/.gitea/workflows/validate-config.yml similarity index 68% rename from .github/workflows/validate-config.yml rename to .gitea/workflows/validate-config.yml index 99c5ff20..a7be9710 100644 --- a/.github/workflows/validate-config.yml +++ b/.gitea/workflows/validate-config.yml @@ -1,4 +1,8 @@ # R14: Config and validation in pipeline. Run when config/ or scripts/validation/ or scripts/verify/ change. +# Ported from .github/workflows/validate-config.yml during Phase 5 CI reconciliation (2026-04-18). +# Runner readiness: requires a Gitea act_runner with label `ubuntu-latest` registered against this repo +# or the `d-bis` org. Bootstrap with `bash scripts/dev-vm/bootstrap-gitea-act-runner-site-wide.sh`. +# Verification checklist: see docs/04-configuration/GITEA_ACT_RUNNER_SETUP.md. name: Validate Config on: @@ -8,7 +12,7 @@ on: - 'scripts/validation/**' - 'scripts/verify/run-all-validation.sh' - 'scripts/run-completable-tasks-from-anywhere.sh' - - '.github/workflows/validate-config.yml' + - '.gitea/workflows/validate-config.yml' - 'token-lists/**' - 'explorer-monorepo/backend/api/rest/config/metamask/**' push: @@ -16,7 +20,7 @@ on: paths: - 'config/**' - 'scripts/validation/**' - - '.github/workflows/validate-config.yml' + - '.gitea/workflows/validate-config.yml' - 'token-lists/**' - 'explorer-monorepo/backend/api/rest/config/metamask/**' diff --git a/.github/workflows/validate-omnl-rail.yml b/.gitea/workflows/validate-omnl-rail.yml similarity index 73% rename from .github/workflows/validate-omnl-rail.yml rename to .gitea/workflows/validate-omnl-rail.yml index 10b3f42b..715125ab 100644 --- a/.github/workflows/validate-omnl-rail.yml +++ b/.gitea/workflows/validate-omnl-rail.yml 
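Review bot: The `Sign token list` step keeps `continue-on-error: true` and the upload loop only prints `skip missing $f`, so when signing fails for any reason the job still creates a non-draft release with no `dbis-138.tokenlist.json.sig` and the run stays green. For a release whose stated purpose is a signed list this should fail closed: drop `continue-on-error: true` from the signing step and change the guard to `[ -f "$f" ] || { echo "missing $f" >&2; exit 1; }`. Separately, `VERSION="${{ gitea.event.inputs.version }}"` and `TAG="${{ steps.version.outputs.tag }}"` are substituted into the script text before the shell parses it, and `TAG` is then concatenated into the JSON payload, so a tag or input containing quotes or shell metacharacters would be interpreted rather than treated as data. Passing both through `env:` (for example `INPUT_VERSION: ${{ gitea.event.inputs.version }}`, read as `"$INPUT_VERSION"`) and building the whole payload with `json.dumps`, as the step already does for `BODY`, removes that path.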
@@ -1,4 +1,7 @@ # Validate OMNL operator rail: .gitignore, resolve_ids pattern, shellcheck on scripts/omnl. +# Ported from .github/workflows/validate-omnl-rail.yml during Phase 5 CI reconciliation (2026-04-18). +# Runner readiness: requires a Gitea act_runner with label `ubuntu-latest`. +# Bootstrap: `bash scripts/dev-vm/bootstrap-gitea-act-runner-site-wide.sh`. name: Validate OMNL Rail on: @@ -7,14 +10,14 @@ on: - 'scripts/omnl/**' - 'docs/04-configuration/mifos-omnl-central-bank/**' - '.gitignore' - - '.github/workflows/validate-omnl-rail.yml' + - '.gitea/workflows/validate-omnl-rail.yml' push: branches: [master] paths: - 'scripts/omnl/**' - 'docs/04-configuration/mifos-omnl-central-bank/**' - '.gitignore' - - '.github/workflows/validate-omnl-rail.yml' + - '.gitea/workflows/validate-omnl-rail.yml' jobs: validate-omnl-rail: diff --git a/.gitea/workflows/validate-token-list.yml b/.gitea/workflows/validate-token-list.yml new file mode 100644 index 00000000..5e1349bd --- /dev/null +++ b/.gitea/workflows/validate-token-list.yml 
@@ -0,0 +1,54 @@
+# Validate the dbis-138 token list on every PR touching token-lists/.
+# Ported from .github/workflows/validate-pr.yml during Phase 5 CI reconciliation (2026-04-18).
+# Runner readiness: requires a Gitea act_runner with label `ubuntu-latest`.
+# Bootstrap: `bash scripts/dev-vm/bootstrap-gitea-act-runner-site-wide.sh`.
+name: Validate Token List
+
+on:
+ pull_request:
+ paths:
+ - 'token-lists/**'
+ - '.gitea/workflows/validate-token-list.yml'
+ push:
+ branches:
+ - '**'
+ paths:
+ - 'token-lists/**'
+ - '.gitea/workflows/validate-token-list.yml'
+
+jobs:
+ validate:
+ name: Validate Token List
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup pnpm
+ uses: pnpm/action-setup@v4
+ with:
+ version: 9
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: '20'
+ cache: 'pnpm'
+
+ - name: Install dependencies
+ run: pnpm install
+
+ - name: Validate JSON schema
+ run: node token-lists/scripts/validate-token-list.js token-lists/lists/dbis-138.tokenlist.json
+
+ - name: Validate address checksums
+ run: node token-lists/scripts/checksum-addresses.js token-lists/lists/dbis-138.tokenlist.json
+
+ - name: Validate logos
+ run: node token-lists/scripts/validate-logos.js token-lists/lists/dbis-138.tokenlist.json
+ continue-on-error: true
+
+ - name: On-chain verification (optional)
+ run: node token-lists/scripts/verify-on-chain.js token-lists/lists/dbis-138.tokenlist.json
+ continue-on-error: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index d291acbe..00000000
--- a/.github/workflows/release.yml
+++ /dev/null
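Review bot: `run: pnpm install` executes in a job triggered by `pull_request`, so the dependency set and any install-time lifecycle scripts are whatever the PR's manifest and lockfile say, and they run on the registered `act_runner` before any validation step. Making the install reproducible and inert would narrow that: `run: pnpm install --frozen-lockfile --ignore-scripts`, stated explicitly rather than relying on pnpm's CI auto-detection, and assuming the `token-lists/scripts/*.js` validators need no build step (not visible in this hunk). It is also worth confirming in the runner runbook that jobs run in a disposable container rather than directly on a shared host, since this workflow also fires on pushes to every branch (`'**'`). The same `pnpm install` line appears in release-token-list.yml, where later steps in the job receive `MINISIGN_PRIVATE_KEY` and `GITEA_TOKEN`.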
@@ -1,102 +0,0 @@ -name: Release Token List - -on: - push: - tags: - - 'v*' - workflow_dispatch: - inputs: - version: - description: 'Version tag (e.g., v1.2.0)' - required: true - type: string - -jobs: - release: - name: Release Token List - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: '20' - cache: 'pnpm' - - - name: Install dependencies - run: pnpm install - working-directory: ${{ github.workspace }} - - - name: Validate token list - run: | - node token-lists/scripts/validate-token-list.js token-lists/lists/dbis-138.tokenlist.json - continue-on-error: false - - - name: Validate address checksums - run: | - node token-lists/scripts/checksum-addresses.js token-lists/lists/dbis-138.tokenlist.json - continue-on-error: false - - - name: Validate logos - run: | - node token-lists/scripts/validate-logos.js token-lists/lists/dbis-138.tokenlist.json - continue-on-error: true - - - name: On-chain verification (required) - run: | - node token-lists/scripts/verify-on-chain.js token-lists/lists/dbis-138.tokenlist.json --required - continue-on-error: false - - - name: Determine version - id: version - run: | - if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then - VERSION="${{ github.event.inputs.version }}" - # Remove 'v' prefix if present - VERSION=${VERSION#v} - else - # Extract version from tag - VERSION=${GITHUB_REF#refs/tags/v} - fi - echo "version=$VERSION" >> $GITHUB_OUTPUT - echo "tag=v$VERSION" >> $GITHUB_OUTPUT - echo "Version: $VERSION" - - - name: Generate checksums - id: checksums - run: | - cd token-lists/lists - sha256sum dbis-138.tokenlist.json > SHA256SUMS - echo "checksums_file=token-lists/lists/SHA256SUMS" >> $GITHUB_OUTPUT - cat SHA256SUMS - - - name: Sign token list - id: sign - run: | - cd token-lists - chmod +x scripts/sign-list.sh - export MINISIGN_PRIVATE_KEY="${{ secrets.MINISIGN_PRIVATE_KEY }}" 
- ./scripts/sign-list.sh sign - continue-on-error: true - - - name: Create release - uses: softprops/action-gh-release@v1 - with: - files: | - token-lists/lists/dbis-138.tokenlist.json - token-lists/lists/dbis-138.tokenlist.json.sig - token-lists/lists/SHA256SUMS - name: Release ${{ steps.version.outputs.tag }} - tag_name: ${{ steps.version.outputs.tag }} - body_path: token-lists/docs/CHANGELOG.md - generate_release_notes: true - draft: false - prerelease: false - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml deleted file mode 100644 index 75ec2294..00000000 --- a/.github/workflows/validate-pr.yml +++ /dev/null 
@@ -1,81 +0,0 @@ -name: Validate Token List - -on: - pull_request: - paths: - - 'token-lists/**' - - '.github/workflows/validate-pr.yml' - push: - branches: - - '**' - paths: - - 'token-lists/**' - - '.github/workflows/validate-pr.yml' - -jobs: - validate: - name: Validate Token List - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: '20' - cache: 'pnpm' - - - name: Install dependencies - run: pnpm install - working-directory: ${{ github.workspace }} - - - name: Validate JSON schema - run: | - node token-lists/scripts/validate-token-list.js token-lists/lists/dbis-138.tokenlist.json - continue-on-error: false - - - name: Validate address checksums - run: | - node token-lists/scripts/checksum-addresses.js token-lists/lists/dbis-138.tokenlist.json - continue-on-error: false - - - name: Validate logos - run: | - node token-lists/scripts/validate-logos.js token-lists/lists/dbis-138.tokenlist.json - continue-on-error: true - - - name: On-chain verification (optional) - run: | - node token-lists/scripts/verify-on-chain.js token-lists/lists/dbis-138.tokenlist.json - continue-on-error: true - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Comment PR with results - if: github.event_name == 'pull_request' - uses: actions/github-script@v7 - with: - script: | - const fs = require('fs'); - const path = 'token-lists/lists/dbis-138.tokenlist.json'; - - if (fs.existsSync(path)) { - const tokenList = JSON.parse(fs.readFileSync(path, 'utf-8')); - const body = `## Token List Validation Results ✅ - - **List**: ${tokenList.name} - **Version**: ${tokenList.version.major}.${tokenList.version.minor}.${tokenList.version.patch} - **Tokens**: ${tokenList.tokens.length} - - All validation checks passed! 🎉`; - - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: body - }); - } -