From a53edd1e48aa4918b913f014d5e74fa9873d8449 Mon Sep 17 00:00:00 2001 
From: master <> Date: Sun, 1 Feb 2026 21:58:00 +0200 Subject: [PATCH] tests pipeline run attempt --- .gitea/README.md | 65 ++++++++- .../advisory-ai-release.yml | 0 .../airgap-sealed-ci.yml | 0 .../aoc-backfill-release.yml | 0 .../aoc-guard.yml | 0 .../api-governance.yml | 0 .../artifact-signing.yml | 0 .../attestation-bundle.yml | 0 .../attestation-linkage.yml | 0 .../authority-key-rotation.yml | 0 .../bench-determinism.yml | 0 .../benchmark-vs-competitors.yml | 0 .../build-test-deploy.yml | 0 .../cli-build.yml | 0 .../cli-chaos-parity.yml | 0 .../cold-warm-latency.yml | 0 .../competitor-parity.yml | 0 .../concelier-attestation-tests.yml | 0 .../concelier-store-aoc-19-005.yml | 0 .../connector-fixture-drift.yml | 0 .../console-ci.yml | 0 .../console-runner-image.yml | 0 .../container-scan.yml | 0 .../containers-multiarch.yml | 0 .../control-plane-chaos.yml | 0 .../cross-platform-determinism.yml | 0 .../crypto-compliance.yml | 0 .../crypto-sim-smoke.yml | 0 .../cryptopro-linux-csp.yml | 0 .../cryptopro-optin.yml | 0 .../dead-path-detection.yml | 0 .../dependency-license-gate.yml | 0 .../dependency-security-scan.yml | 0 .../deploy-keyless-verify.yml | 0 .../determinism-gate.yml | 0 .../devportal-offline.yml | 0 .../docker-regional-builds.yml | 0 .../docs.yml | 0 .../e2e-reproducibility.yml | 0 .../ebpf-reachability-determinism.yml | 0 .../epss-ingest-perf.yml | 0 .../evidence-locker.yml | 0 .../export-ci.yml | 0 .../export-compat.yml | 0 .../exporter-ci.yml | 0 .../federation-multisite.yml | 0 .../findings-ledger-ci.yml | 0 .../golden-corpus-bench.yaml | 0 .../golden-set-validation.yml | 0 .../graph-load.yml | 0 .../graph-ui-sim.yml | 0 .../hlc-distributed.yml | 0 .../icscisa-kisa-refresh.yml | 0 .../integration-tests-gate.yml | 0 .../interop-e2e.yml | 0 .../ledger-oas-ci.yml | 0 .../ledger-packs-ci.yml | 0 .../license-audit.yml | 0 .../lighthouse-ci.yml | 0 .../lnm-backfill.yml | 0 .../lnm-migration-ci.yml | 0 .../lnm-vex-backfill.yml | 0 .../manifest-integrity.yml 
| 0 .../migration-test.yml | 0 .../mirror-sign.yml | 0 .../mock-dev-release.yml | 0 .../module-publish.yml | 0 .../nightly-regression.yml | 0 .../notify-smoke-test.yml | 0 .../oas-ci.yml | 0 .../obs-slo.yml | 0 .../obs-stream.yml | 0 .../offline-e2e.yml | 0 .../parity-tests.yml | 0 .../policy-lint.yml | 0 .../policy-simulate.yml | 0 .../promote.yml | 0 .../provenance-check.yml | 0 .../reachability-bench.yaml | 0 .../reachability-corpus-ci.yml | 0 .../registry-compatibility.yml | 0 .../release-evidence-pack.yml | 0 .../release-keyless-sign.yml | 0 .../release-manifest-verify.yml | 0 .../release-suite.yml | 0 .../release-validation.yml | 0 .../release.yml | 0 .../renovate.yml | 0 .../replay-verification.yml | 0 .../risk-bundle-ci.yml | 0 .../rollback-lag.yml | 0 .../rollback.yml | 0 .../router-chaos.yml | 0 .../sast-scan.yml | 0 .../scanner-analyzers-release.yml | 0 .../scanner-analyzers.yml | 0 .../scanner-determinism.yml | 0 .../schema-evolution.yml | 0 .../schema-validation.yml | 0 .../sdk-generator.yml | 0 .../sdk-publish.yml | 0 .../secrets-bundle-release.yml | 0 .../secrets-scan.yml | 0 .../service-release.yml | 0 .../signals-ci.yml | 0 .../signals-dsse-sign.yml | 0 .../signals-evidence-locker.yml | 0 .../signals-reachability.yml | 0 .../sm-remote-ci.yml | 0 .../spec-diff-gate.yml | 0 .../symbols-ci.yml | 0 .../symbols-release.yml | 0 .../test-blast-radius.yml | 0 .../test-infrastructure.yml | 0 .../test-lanes.yml | 0 .../test-matrix.yml | 0 .../unknowns-budget-gate.yml | 0 .../verify-reproducibility.yml | 0 .../vex-proof-bundles.yml | 0 .gitea/workflows/local-ci-verify.yml | 137 ++++++++++++++++++ devops/ci-local/README.md | 48 ++++-- ...0201_005_CICD_act_local_ci_verification.md | 35 +++++ 122 files changed, 274 insertions(+), 11 deletions(-) rename .gitea/{workflows => workflows-archived}/advisory-ai-release.yml (100%) rename .gitea/{workflows => workflows-archived}/airgap-sealed-ci.yml (100%) rename .gitea/{workflows => 
workflows-archived}/aoc-backfill-release.yml (100%) rename .gitea/{workflows => workflows-archived}/aoc-guard.yml (100%) rename .gitea/{workflows => workflows-archived}/api-governance.yml (100%) rename .gitea/{workflows => workflows-archived}/artifact-signing.yml (100%) rename .gitea/{workflows => workflows-archived}/attestation-bundle.yml (100%) rename .gitea/{workflows => workflows-archived}/attestation-linkage.yml (100%) rename .gitea/{workflows => workflows-archived}/authority-key-rotation.yml (100%) rename .gitea/{workflows => workflows-archived}/bench-determinism.yml (100%) rename .gitea/{workflows => workflows-archived}/benchmark-vs-competitors.yml (100%) rename .gitea/{workflows => workflows-archived}/build-test-deploy.yml (100%) rename .gitea/{workflows => workflows-archived}/cli-build.yml (100%) rename .gitea/{workflows => workflows-archived}/cli-chaos-parity.yml (100%) rename .gitea/{workflows => workflows-archived}/cold-warm-latency.yml (100%) rename .gitea/{workflows => workflows-archived}/competitor-parity.yml (100%) rename .gitea/{workflows => workflows-archived}/concelier-attestation-tests.yml (100%) rename .gitea/{workflows => workflows-archived}/concelier-store-aoc-19-005.yml (100%) rename .gitea/{workflows => workflows-archived}/connector-fixture-drift.yml (100%) rename .gitea/{workflows => workflows-archived}/console-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/console-runner-image.yml (100%) rename .gitea/{workflows => workflows-archived}/container-scan.yml (100%) rename .gitea/{workflows => workflows-archived}/containers-multiarch.yml (100%) rename .gitea/{workflows => workflows-archived}/control-plane-chaos.yml (100%) rename .gitea/{workflows => workflows-archived}/cross-platform-determinism.yml (100%) rename .gitea/{workflows => workflows-archived}/crypto-compliance.yml (100%) rename .gitea/{workflows => workflows-archived}/crypto-sim-smoke.yml (100%) rename .gitea/{workflows => workflows-archived}/cryptopro-linux-csp.yml 
(100%) rename .gitea/{workflows => workflows-archived}/cryptopro-optin.yml (100%) rename .gitea/{workflows => workflows-archived}/dead-path-detection.yml (100%) rename .gitea/{workflows => workflows-archived}/dependency-license-gate.yml (100%) rename .gitea/{workflows => workflows-archived}/dependency-security-scan.yml (100%) rename .gitea/{workflows => workflows-archived}/deploy-keyless-verify.yml (100%) rename .gitea/{workflows => workflows-archived}/determinism-gate.yml (100%) rename .gitea/{workflows => workflows-archived}/devportal-offline.yml (100%) rename .gitea/{workflows => workflows-archived}/docker-regional-builds.yml (100%) rename .gitea/{workflows => workflows-archived}/docs.yml (100%) mode change 100755 => 100644 rename .gitea/{workflows => workflows-archived}/e2e-reproducibility.yml (100%) rename .gitea/{workflows => workflows-archived}/ebpf-reachability-determinism.yml (100%) rename .gitea/{workflows => workflows-archived}/epss-ingest-perf.yml (100%) rename .gitea/{workflows => workflows-archived}/evidence-locker.yml (100%) rename .gitea/{workflows => workflows-archived}/export-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/export-compat.yml (100%) rename .gitea/{workflows => workflows-archived}/exporter-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/federation-multisite.yml (100%) rename .gitea/{workflows => workflows-archived}/findings-ledger-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/golden-corpus-bench.yaml (100%) rename .gitea/{workflows => workflows-archived}/golden-set-validation.yml (100%) rename .gitea/{workflows => workflows-archived}/graph-load.yml (100%) rename .gitea/{workflows => workflows-archived}/graph-ui-sim.yml (100%) rename .gitea/{workflows => workflows-archived}/hlc-distributed.yml (100%) rename .gitea/{workflows => workflows-archived}/icscisa-kisa-refresh.yml (100%) rename .gitea/{workflows => workflows-archived}/integration-tests-gate.yml (100%) rename .gitea/{workflows => 
workflows-archived}/interop-e2e.yml (100%) rename .gitea/{workflows => workflows-archived}/ledger-oas-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/ledger-packs-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/license-audit.yml (100%) rename .gitea/{workflows => workflows-archived}/lighthouse-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/lnm-backfill.yml (100%) rename .gitea/{workflows => workflows-archived}/lnm-migration-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/lnm-vex-backfill.yml (100%) rename .gitea/{workflows => workflows-archived}/manifest-integrity.yml (100%) rename .gitea/{workflows => workflows-archived}/migration-test.yml (100%) rename .gitea/{workflows => workflows-archived}/mirror-sign.yml (100%) rename .gitea/{workflows => workflows-archived}/mock-dev-release.yml (100%) rename .gitea/{workflows => workflows-archived}/module-publish.yml (100%) rename .gitea/{workflows => workflows-archived}/nightly-regression.yml (100%) rename .gitea/{workflows => workflows-archived}/notify-smoke-test.yml (100%) rename .gitea/{workflows => workflows-archived}/oas-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/obs-slo.yml (100%) rename .gitea/{workflows => workflows-archived}/obs-stream.yml (100%) rename .gitea/{workflows => workflows-archived}/offline-e2e.yml (100%) rename .gitea/{workflows => workflows-archived}/parity-tests.yml (100%) rename .gitea/{workflows => workflows-archived}/policy-lint.yml (100%) rename .gitea/{workflows => workflows-archived}/policy-simulate.yml (100%) rename .gitea/{workflows => workflows-archived}/promote.yml (100%) rename .gitea/{workflows => workflows-archived}/provenance-check.yml (100%) rename .gitea/{workflows => workflows-archived}/reachability-bench.yaml (100%) rename .gitea/{workflows => workflows-archived}/reachability-corpus-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/registry-compatibility.yml (100%) rename .gitea/{workflows => 
workflows-archived}/release-evidence-pack.yml (100%) rename .gitea/{workflows => workflows-archived}/release-keyless-sign.yml (100%) rename .gitea/{workflows => workflows-archived}/release-manifest-verify.yml (100%) rename .gitea/{workflows => workflows-archived}/release-suite.yml (100%) rename .gitea/{workflows => workflows-archived}/release-validation.yml (100%) rename .gitea/{workflows => workflows-archived}/release.yml (100%) rename .gitea/{workflows => workflows-archived}/renovate.yml (100%) rename .gitea/{workflows => workflows-archived}/replay-verification.yml (100%) rename .gitea/{workflows => workflows-archived}/risk-bundle-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/rollback-lag.yml (100%) rename .gitea/{workflows => workflows-archived}/rollback.yml (100%) rename .gitea/{workflows => workflows-archived}/router-chaos.yml (100%) rename .gitea/{workflows => workflows-archived}/sast-scan.yml (100%) rename .gitea/{workflows => workflows-archived}/scanner-analyzers-release.yml (100%) rename .gitea/{workflows => workflows-archived}/scanner-analyzers.yml (100%) rename .gitea/{workflows => workflows-archived}/scanner-determinism.yml (100%) rename .gitea/{workflows => workflows-archived}/schema-evolution.yml (100%) rename .gitea/{workflows => workflows-archived}/schema-validation.yml (100%) rename .gitea/{workflows => workflows-archived}/sdk-generator.yml (100%) rename .gitea/{workflows => workflows-archived}/sdk-publish.yml (100%) rename .gitea/{workflows => workflows-archived}/secrets-bundle-release.yml (100%) rename .gitea/{workflows => workflows-archived}/secrets-scan.yml (100%) rename .gitea/{workflows => workflows-archived}/service-release.yml (100%) rename .gitea/{workflows => workflows-archived}/signals-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/signals-dsse-sign.yml (100%) rename .gitea/{workflows => workflows-archived}/signals-evidence-locker.yml (100%) rename .gitea/{workflows => 
workflows-archived}/signals-reachability.yml (100%) rename .gitea/{workflows => workflows-archived}/sm-remote-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/spec-diff-gate.yml (100%) rename .gitea/{workflows => workflows-archived}/symbols-ci.yml (100%) rename .gitea/{workflows => workflows-archived}/symbols-release.yml (100%) rename .gitea/{workflows => workflows-archived}/test-blast-radius.yml (100%) rename .gitea/{workflows => workflows-archived}/test-infrastructure.yml (100%) rename .gitea/{workflows => workflows-archived}/test-lanes.yml (100%) rename .gitea/{workflows => workflows-archived}/test-matrix.yml (100%) rename .gitea/{workflows => workflows-archived}/unknowns-budget-gate.yml (100%) rename .gitea/{workflows => workflows-archived}/verify-reproducibility.yml (100%) rename .gitea/{workflows => workflows-archived}/vex-proof-bundles.yml (100%) create mode 100644 .gitea/workflows/local-ci-verify.yml diff --git a/.gitea/README.md b/.gitea/README.md index 6b414fb21..851cc64a6 100644 --- a/.gitea/README.md +++ b/.gitea/README.md 
@@ -2,17 +2,78 @@ Comprehensive CI/CD infrastructure for the StellaOps platform using Gitea Actions. +> **Note (2026-02-01):** All 118 original workflow files have been moved to +> `.gitea/workflows-archived/`. Only the `local-ci-verify.yml` verification +> pipeline remains active. See [Archived Workflows](#archived-workflows) below +> for details and restoration instructions. + ## Quick Reference | Resource | Location | |----------|----------| -| Workflows | `.gitea/workflows/` (96 workflows) | +| Active workflows | `.gitea/workflows/` (1 workflow) | +| Archived workflows | `.gitea/workflows-archived/` (118 workflows) | +| Reusable templates | `.gitea/workflows/templates/` | | Scripts | `.gitea/scripts/` | | Documentation | `.gitea/docs/` | | DevOps Configs | `devops/` | | Release Manifests | `devops/releases/` | -## Workflow Categories +## Active Workflows + +| Workflow | File | Trigger | Description | +|----------|------|---------|-------------| +| Local CI Verification | `local-ci-verify.yml` | `workflow_dispatch` | Validates local CI scaffolding, builds the CI image, and smoke-tests archived workflows using act | + +### How to run + +Trigger from the Gitea UI (**Actions > Local CI Verification > Run workflow**) or via API: + +```bash +curl -X POST \ + -H "Authorization: token $GITEA_TOKEN" \ + "https://git.stella-ops.org/api/v1/repos///actions/workflows/local-ci-verify.yml/dispatches" \ + -d '{"ref":"main","inputs":{"workflow":"test-matrix.yml","dry_run":"true"}}' +``` + +Inputs: +- **workflow** (optional): archived workflow file to dry-run (e.g. `test-matrix.yml`) +- **dry_run** (default `true`): pass `-n` to act + +## Archived Workflows + +All 118 production workflows have been moved to `.gitea/workflows-archived/` to +decouple active CI from the large workflow catalog while the local CI +scaffolding is validated. 
+ +### Restoring a workflow + +To reactivate an archived workflow, move it back to `.gitea/workflows/`: + +```bash +# Restore a single workflow +mv .gitea/workflows-archived/test-matrix.yml .gitea/workflows/ + +# Restore all workflows +mv .gitea/workflows-archived/*.yml .gitea/workflows/ +mv .gitea/workflows-archived/*.yaml .gitea/workflows/ +``` + +### Running archived workflows locally with act + +Archived workflows can still be run locally — act accepts any path: + +```bash +act -l -W .gitea/workflows-archived/test-matrix.yml +act -W .gitea/workflows-archived/test-matrix.yml -n +``` + +Or use the `local-ci-verify.yml` pipeline with the `workflow` input to dry-run +an archived workflow via Gitea Actions. + +## Archived Workflow Reference + +The following tables document all 118 archived workflows by category. ### Core Build & Test diff --git a/.gitea/workflows/advisory-ai-release.yml b/.gitea/workflows-archived/advisory-ai-release.yml similarity index 100% rename from .gitea/workflows/advisory-ai-release.yml rename to .gitea/workflows-archived/advisory-ai-release.yml diff --git a/.gitea/workflows/airgap-sealed-ci.yml b/.gitea/workflows-archived/airgap-sealed-ci.yml similarity index 100% rename from .gitea/workflows/airgap-sealed-ci.yml rename to .gitea/workflows-archived/airgap-sealed-ci.yml diff --git a/.gitea/workflows/aoc-backfill-release.yml b/.gitea/workflows-archived/aoc-backfill-release.yml similarity index 100% rename from .gitea/workflows/aoc-backfill-release.yml rename to .gitea/workflows-archived/aoc-backfill-release.yml diff --git a/.gitea/workflows/aoc-guard.yml b/.gitea/workflows-archived/aoc-guard.yml similarity index 100% rename from .gitea/workflows/aoc-guard.yml rename to .gitea/workflows-archived/aoc-guard.yml diff --git a/.gitea/workflows/api-governance.yml b/.gitea/workflows-archived/api-governance.yml similarity index 100% rename from .gitea/workflows/api-governance.yml rename to .gitea/workflows-archived/api-governance.yml 
diff --git a/.gitea/workflows/artifact-signing.yml b/.gitea/workflows-archived/artifact-signing.yml similarity index 100% rename from .gitea/workflows/artifact-signing.yml rename to .gitea/workflows-archived/artifact-signing.yml diff --git a/.gitea/workflows/attestation-bundle.yml b/.gitea/workflows-archived/attestation-bundle.yml similarity index 100% rename from .gitea/workflows/attestation-bundle.yml rename to .gitea/workflows-archived/attestation-bundle.yml diff --git a/.gitea/workflows/attestation-linkage.yml b/.gitea/workflows-archived/attestation-linkage.yml similarity index 100% rename from .gitea/workflows/attestation-linkage.yml rename to .gitea/workflows-archived/attestation-linkage.yml diff --git a/.gitea/workflows/authority-key-rotation.yml b/.gitea/workflows-archived/authority-key-rotation.yml similarity index 100% rename from .gitea/workflows/authority-key-rotation.yml rename to .gitea/workflows-archived/authority-key-rotation.yml diff --git a/.gitea/workflows/bench-determinism.yml b/.gitea/workflows-archived/bench-determinism.yml similarity index 100% rename from .gitea/workflows/bench-determinism.yml rename to .gitea/workflows-archived/bench-determinism.yml diff --git a/.gitea/workflows/benchmark-vs-competitors.yml b/.gitea/workflows-archived/benchmark-vs-competitors.yml similarity index 100% rename from .gitea/workflows/benchmark-vs-competitors.yml rename to .gitea/workflows-archived/benchmark-vs-competitors.yml diff --git a/.gitea/workflows/build-test-deploy.yml b/.gitea/workflows-archived/build-test-deploy.yml similarity index 100% rename from .gitea/workflows/build-test-deploy.yml rename to .gitea/workflows-archived/build-test-deploy.yml diff --git a/.gitea/workflows/cli-build.yml b/.gitea/workflows-archived/cli-build.yml similarity index 100% rename from .gitea/workflows/cli-build.yml rename to .gitea/workflows-archived/cli-build.yml 
diff --git a/.gitea/workflows/cli-chaos-parity.yml b/.gitea/workflows-archived/cli-chaos-parity.yml similarity index 100% rename from .gitea/workflows/cli-chaos-parity.yml rename to .gitea/workflows-archived/cli-chaos-parity.yml diff --git a/.gitea/workflows/cold-warm-latency.yml b/.gitea/workflows-archived/cold-warm-latency.yml similarity index 100% rename from .gitea/workflows/cold-warm-latency.yml rename to .gitea/workflows-archived/cold-warm-latency.yml diff --git a/.gitea/workflows/competitor-parity.yml b/.gitea/workflows-archived/competitor-parity.yml similarity index 100% rename from .gitea/workflows/competitor-parity.yml rename to .gitea/workflows-archived/competitor-parity.yml diff --git a/.gitea/workflows/concelier-attestation-tests.yml b/.gitea/workflows-archived/concelier-attestation-tests.yml similarity index 100% rename from .gitea/workflows/concelier-attestation-tests.yml rename to .gitea/workflows-archived/concelier-attestation-tests.yml diff --git a/.gitea/workflows/concelier-store-aoc-19-005.yml b/.gitea/workflows-archived/concelier-store-aoc-19-005.yml similarity index 100% rename from .gitea/workflows/concelier-store-aoc-19-005.yml rename to .gitea/workflows-archived/concelier-store-aoc-19-005.yml diff --git a/.gitea/workflows/connector-fixture-drift.yml b/.gitea/workflows-archived/connector-fixture-drift.yml similarity index 100% rename from .gitea/workflows/connector-fixture-drift.yml rename to .gitea/workflows-archived/connector-fixture-drift.yml diff --git a/.gitea/workflows/console-ci.yml b/.gitea/workflows-archived/console-ci.yml similarity index 100% rename from .gitea/workflows/console-ci.yml rename to .gitea/workflows-archived/console-ci.yml diff --git a/.gitea/workflows/console-runner-image.yml b/.gitea/workflows-archived/console-runner-image.yml similarity index 100% rename from .gitea/workflows/console-runner-image.yml rename to .gitea/workflows-archived/console-runner-image.yml 
diff --git a/.gitea/workflows/container-scan.yml b/.gitea/workflows-archived/container-scan.yml similarity index 100% rename from .gitea/workflows/container-scan.yml rename to .gitea/workflows-archived/container-scan.yml diff --git a/.gitea/workflows/containers-multiarch.yml b/.gitea/workflows-archived/containers-multiarch.yml similarity index 100% rename from .gitea/workflows/containers-multiarch.yml rename to .gitea/workflows-archived/containers-multiarch.yml diff --git a/.gitea/workflows/control-plane-chaos.yml b/.gitea/workflows-archived/control-plane-chaos.yml similarity index 100% rename from .gitea/workflows/control-plane-chaos.yml rename to .gitea/workflows-archived/control-plane-chaos.yml diff --git a/.gitea/workflows/cross-platform-determinism.yml b/.gitea/workflows-archived/cross-platform-determinism.yml similarity index 100% rename from .gitea/workflows/cross-platform-determinism.yml rename to .gitea/workflows-archived/cross-platform-determinism.yml diff --git a/.gitea/workflows/crypto-compliance.yml b/.gitea/workflows-archived/crypto-compliance.yml similarity index 100% rename from .gitea/workflows/crypto-compliance.yml rename to .gitea/workflows-archived/crypto-compliance.yml diff --git a/.gitea/workflows/crypto-sim-smoke.yml b/.gitea/workflows-archived/crypto-sim-smoke.yml similarity index 100% rename from .gitea/workflows/crypto-sim-smoke.yml rename to .gitea/workflows-archived/crypto-sim-smoke.yml diff --git a/.gitea/workflows/cryptopro-linux-csp.yml b/.gitea/workflows-archived/cryptopro-linux-csp.yml similarity index 100% rename from .gitea/workflows/cryptopro-linux-csp.yml rename to .gitea/workflows-archived/cryptopro-linux-csp.yml diff --git a/.gitea/workflows/cryptopro-optin.yml b/.gitea/workflows-archived/cryptopro-optin.yml similarity index 100% rename from .gitea/workflows/cryptopro-optin.yml rename to .gitea/workflows-archived/cryptopro-optin.yml 
diff --git a/.gitea/workflows/dead-path-detection.yml b/.gitea/workflows-archived/dead-path-detection.yml similarity index 100% rename from .gitea/workflows/dead-path-detection.yml rename to .gitea/workflows-archived/dead-path-detection.yml diff --git a/.gitea/workflows/dependency-license-gate.yml b/.gitea/workflows-archived/dependency-license-gate.yml similarity index 100% rename from .gitea/workflows/dependency-license-gate.yml rename to .gitea/workflows-archived/dependency-license-gate.yml diff --git a/.gitea/workflows/dependency-security-scan.yml b/.gitea/workflows-archived/dependency-security-scan.yml similarity index 100% rename from .gitea/workflows/dependency-security-scan.yml rename to .gitea/workflows-archived/dependency-security-scan.yml diff --git a/.gitea/workflows/deploy-keyless-verify.yml b/.gitea/workflows-archived/deploy-keyless-verify.yml similarity index 100% rename from .gitea/workflows/deploy-keyless-verify.yml rename to .gitea/workflows-archived/deploy-keyless-verify.yml diff --git a/.gitea/workflows/determinism-gate.yml b/.gitea/workflows-archived/determinism-gate.yml similarity index 100% rename from .gitea/workflows/determinism-gate.yml rename to .gitea/workflows-archived/determinism-gate.yml diff --git a/.gitea/workflows/devportal-offline.yml b/.gitea/workflows-archived/devportal-offline.yml similarity index 100% rename from .gitea/workflows/devportal-offline.yml rename to .gitea/workflows-archived/devportal-offline.yml diff --git a/.gitea/workflows/docker-regional-builds.yml b/.gitea/workflows-archived/docker-regional-builds.yml similarity index 100% rename from .gitea/workflows/docker-regional-builds.yml rename to .gitea/workflows-archived/docker-regional-builds.yml diff --git a/.gitea/workflows/docs.yml b/.gitea/workflows-archived/docs.yml old mode 100755 new mode 100644 similarity index 100% rename from .gitea/workflows/docs.yml rename to .gitea/workflows-archived/docs.yml 
diff --git a/.gitea/workflows/e2e-reproducibility.yml b/.gitea/workflows-archived/e2e-reproducibility.yml similarity index 100% rename from .gitea/workflows/e2e-reproducibility.yml rename to .gitea/workflows-archived/e2e-reproducibility.yml diff --git a/.gitea/workflows/ebpf-reachability-determinism.yml b/.gitea/workflows-archived/ebpf-reachability-determinism.yml similarity index 100% rename from .gitea/workflows/ebpf-reachability-determinism.yml rename to .gitea/workflows-archived/ebpf-reachability-determinism.yml diff --git a/.gitea/workflows/epss-ingest-perf.yml b/.gitea/workflows-archived/epss-ingest-perf.yml similarity index 100% rename from .gitea/workflows/epss-ingest-perf.yml rename to .gitea/workflows-archived/epss-ingest-perf.yml diff --git a/.gitea/workflows/evidence-locker.yml b/.gitea/workflows-archived/evidence-locker.yml similarity index 100% rename from .gitea/workflows/evidence-locker.yml rename to .gitea/workflows-archived/evidence-locker.yml diff --git a/.gitea/workflows/export-ci.yml b/.gitea/workflows-archived/export-ci.yml similarity index 100% rename from .gitea/workflows/export-ci.yml rename to .gitea/workflows-archived/export-ci.yml diff --git a/.gitea/workflows/export-compat.yml b/.gitea/workflows-archived/export-compat.yml similarity index 100% rename from .gitea/workflows/export-compat.yml rename to .gitea/workflows-archived/export-compat.yml diff --git a/.gitea/workflows/exporter-ci.yml b/.gitea/workflows-archived/exporter-ci.yml similarity index 100% rename from .gitea/workflows/exporter-ci.yml rename to .gitea/workflows-archived/exporter-ci.yml diff --git a/.gitea/workflows/federation-multisite.yml b/.gitea/workflows-archived/federation-multisite.yml similarity index 100% rename from .gitea/workflows/federation-multisite.yml rename to .gitea/workflows-archived/federation-multisite.yml 
diff --git a/.gitea/workflows/findings-ledger-ci.yml b/.gitea/workflows-archived/findings-ledger-ci.yml similarity index 100% rename from .gitea/workflows/findings-ledger-ci.yml rename to .gitea/workflows-archived/findings-ledger-ci.yml diff --git a/.gitea/workflows/golden-corpus-bench.yaml b/.gitea/workflows-archived/golden-corpus-bench.yaml similarity index 100% rename from .gitea/workflows/golden-corpus-bench.yaml rename to .gitea/workflows-archived/golden-corpus-bench.yaml diff --git a/.gitea/workflows/golden-set-validation.yml b/.gitea/workflows-archived/golden-set-validation.yml similarity index 100% rename from .gitea/workflows/golden-set-validation.yml rename to .gitea/workflows-archived/golden-set-validation.yml diff --git a/.gitea/workflows/graph-load.yml b/.gitea/workflows-archived/graph-load.yml similarity index 100% rename from .gitea/workflows/graph-load.yml rename to .gitea/workflows-archived/graph-load.yml diff --git a/.gitea/workflows/graph-ui-sim.yml b/.gitea/workflows-archived/graph-ui-sim.yml similarity index 100% rename from .gitea/workflows/graph-ui-sim.yml rename to .gitea/workflows-archived/graph-ui-sim.yml diff --git a/.gitea/workflows/hlc-distributed.yml b/.gitea/workflows-archived/hlc-distributed.yml similarity index 100% rename from .gitea/workflows/hlc-distributed.yml rename to .gitea/workflows-archived/hlc-distributed.yml diff --git a/.gitea/workflows/icscisa-kisa-refresh.yml b/.gitea/workflows-archived/icscisa-kisa-refresh.yml similarity index 100% rename from .gitea/workflows/icscisa-kisa-refresh.yml rename to .gitea/workflows-archived/icscisa-kisa-refresh.yml diff --git a/.gitea/workflows/integration-tests-gate.yml b/.gitea/workflows-archived/integration-tests-gate.yml similarity index 100% rename from .gitea/workflows/integration-tests-gate.yml rename to .gitea/workflows-archived/integration-tests-gate.yml 
diff --git a/.gitea/workflows/interop-e2e.yml b/.gitea/workflows-archived/interop-e2e.yml similarity index 100% rename from .gitea/workflows/interop-e2e.yml rename to .gitea/workflows-archived/interop-e2e.yml diff --git a/.gitea/workflows/ledger-oas-ci.yml b/.gitea/workflows-archived/ledger-oas-ci.yml similarity index 100% rename from .gitea/workflows/ledger-oas-ci.yml rename to .gitea/workflows-archived/ledger-oas-ci.yml diff --git a/.gitea/workflows/ledger-packs-ci.yml b/.gitea/workflows-archived/ledger-packs-ci.yml similarity index 100% rename from .gitea/workflows/ledger-packs-ci.yml rename to .gitea/workflows-archived/ledger-packs-ci.yml diff --git a/.gitea/workflows/license-audit.yml b/.gitea/workflows-archived/license-audit.yml similarity index 100% rename from .gitea/workflows/license-audit.yml rename to .gitea/workflows-archived/license-audit.yml diff --git a/.gitea/workflows/lighthouse-ci.yml b/.gitea/workflows-archived/lighthouse-ci.yml similarity index 100% rename from .gitea/workflows/lighthouse-ci.yml rename to .gitea/workflows-archived/lighthouse-ci.yml diff --git a/.gitea/workflows/lnm-backfill.yml b/.gitea/workflows-archived/lnm-backfill.yml similarity index 100% rename from .gitea/workflows/lnm-backfill.yml rename to .gitea/workflows-archived/lnm-backfill.yml diff --git a/.gitea/workflows/lnm-migration-ci.yml b/.gitea/workflows-archived/lnm-migration-ci.yml similarity index 100% rename from .gitea/workflows/lnm-migration-ci.yml rename to .gitea/workflows-archived/lnm-migration-ci.yml diff --git a/.gitea/workflows/lnm-vex-backfill.yml b/.gitea/workflows-archived/lnm-vex-backfill.yml similarity index 100% rename from .gitea/workflows/lnm-vex-backfill.yml rename to .gitea/workflows-archived/lnm-vex-backfill.yml diff --git a/.gitea/workflows/manifest-integrity.yml b/.gitea/workflows-archived/manifest-integrity.yml similarity index 100% rename from .gitea/workflows/manifest-integrity.yml rename to .gitea/workflows-archived/manifest-integrity.yml 
diff --git a/.gitea/workflows/migration-test.yml b/.gitea/workflows-archived/migration-test.yml similarity index 100% rename from .gitea/workflows/migration-test.yml rename to .gitea/workflows-archived/migration-test.yml diff --git a/.gitea/workflows/mirror-sign.yml b/.gitea/workflows-archived/mirror-sign.yml similarity index 100% rename from .gitea/workflows/mirror-sign.yml rename to .gitea/workflows-archived/mirror-sign.yml diff --git a/.gitea/workflows/mock-dev-release.yml b/.gitea/workflows-archived/mock-dev-release.yml similarity index 100% rename from .gitea/workflows/mock-dev-release.yml rename to .gitea/workflows-archived/mock-dev-release.yml diff --git a/.gitea/workflows/module-publish.yml b/.gitea/workflows-archived/module-publish.yml similarity index 100% rename from .gitea/workflows/module-publish.yml rename to .gitea/workflows-archived/module-publish.yml diff --git a/.gitea/workflows/nightly-regression.yml b/.gitea/workflows-archived/nightly-regression.yml similarity index 100% rename from .gitea/workflows/nightly-regression.yml rename to .gitea/workflows-archived/nightly-regression.yml diff --git a/.gitea/workflows/notify-smoke-test.yml b/.gitea/workflows-archived/notify-smoke-test.yml similarity index 100% rename from .gitea/workflows/notify-smoke-test.yml rename to .gitea/workflows-archived/notify-smoke-test.yml diff --git a/.gitea/workflows/oas-ci.yml b/.gitea/workflows-archived/oas-ci.yml similarity index 100% rename from .gitea/workflows/oas-ci.yml rename to .gitea/workflows-archived/oas-ci.yml diff --git a/.gitea/workflows/obs-slo.yml b/.gitea/workflows-archived/obs-slo.yml similarity index 100% rename from .gitea/workflows/obs-slo.yml rename to .gitea/workflows-archived/obs-slo.yml diff --git a/.gitea/workflows/obs-stream.yml b/.gitea/workflows-archived/obs-stream.yml similarity index 100% rename from .gitea/workflows/obs-stream.yml rename to .gitea/workflows-archived/obs-stream.yml 
diff --git a/.gitea/workflows/offline-e2e.yml b/.gitea/workflows-archived/offline-e2e.yml similarity index 100% rename from .gitea/workflows/offline-e2e.yml rename to .gitea/workflows-archived/offline-e2e.yml diff --git a/.gitea/workflows/parity-tests.yml b/.gitea/workflows-archived/parity-tests.yml similarity index 100% rename from .gitea/workflows/parity-tests.yml rename to .gitea/workflows-archived/parity-tests.yml diff --git a/.gitea/workflows/policy-lint.yml b/.gitea/workflows-archived/policy-lint.yml similarity index 100% rename from .gitea/workflows/policy-lint.yml rename to .gitea/workflows-archived/policy-lint.yml diff --git a/.gitea/workflows/policy-simulate.yml b/.gitea/workflows-archived/policy-simulate.yml similarity index 100% rename from .gitea/workflows/policy-simulate.yml rename to .gitea/workflows-archived/policy-simulate.yml diff --git a/.gitea/workflows/promote.yml b/.gitea/workflows-archived/promote.yml similarity index 100% rename from .gitea/workflows/promote.yml rename to .gitea/workflows-archived/promote.yml diff --git a/.gitea/workflows/provenance-check.yml b/.gitea/workflows-archived/provenance-check.yml similarity index 100% rename from .gitea/workflows/provenance-check.yml rename to .gitea/workflows-archived/provenance-check.yml diff --git a/.gitea/workflows/reachability-bench.yaml b/.gitea/workflows-archived/reachability-bench.yaml similarity index 100% rename from .gitea/workflows/reachability-bench.yaml rename to .gitea/workflows-archived/reachability-bench.yaml diff --git a/.gitea/workflows/reachability-corpus-ci.yml b/.gitea/workflows-archived/reachability-corpus-ci.yml similarity index 100% rename from .gitea/workflows/reachability-corpus-ci.yml rename to .gitea/workflows-archived/reachability-corpus-ci.yml 
diff --git a/.gitea/workflows/registry-compatibility.yml b/.gitea/workflows-archived/registry-compatibility.yml similarity index 100% rename from .gitea/workflows/registry-compatibility.yml rename to .gitea/workflows-archived/registry-compatibility.yml diff --git a/.gitea/workflows/release-evidence-pack.yml b/.gitea/workflows-archived/release-evidence-pack.yml similarity index 100% rename from .gitea/workflows/release-evidence-pack.yml rename to .gitea/workflows-archived/release-evidence-pack.yml diff --git a/.gitea/workflows/release-keyless-sign.yml b/.gitea/workflows-archived/release-keyless-sign.yml similarity index 100% rename from .gitea/workflows/release-keyless-sign.yml rename to .gitea/workflows-archived/release-keyless-sign.yml diff --git a/.gitea/workflows/release-manifest-verify.yml b/.gitea/workflows-archived/release-manifest-verify.yml similarity index 100% rename from .gitea/workflows/release-manifest-verify.yml rename to .gitea/workflows-archived/release-manifest-verify.yml diff --git a/.gitea/workflows/release-suite.yml b/.gitea/workflows-archived/release-suite.yml similarity index 100% rename from .gitea/workflows/release-suite.yml rename to .gitea/workflows-archived/release-suite.yml diff --git a/.gitea/workflows/release-validation.yml b/.gitea/workflows-archived/release-validation.yml similarity index 100% rename from .gitea/workflows/release-validation.yml rename to .gitea/workflows-archived/release-validation.yml diff --git a/.gitea/workflows/release.yml b/.gitea/workflows-archived/release.yml similarity index 100% rename from .gitea/workflows/release.yml rename to .gitea/workflows-archived/release.yml diff --git a/.gitea/workflows/renovate.yml b/.gitea/workflows-archived/renovate.yml similarity index 100% rename from .gitea/workflows/renovate.yml rename to .gitea/workflows-archived/renovate.yml 
diff --git a/.gitea/workflows/replay-verification.yml b/.gitea/workflows-archived/replay-verification.yml similarity index 100% rename from .gitea/workflows/replay-verification.yml rename to .gitea/workflows-archived/replay-verification.yml diff --git a/.gitea/workflows/risk-bundle-ci.yml b/.gitea/workflows-archived/risk-bundle-ci.yml similarity index 100% rename from .gitea/workflows/risk-bundle-ci.yml rename to .gitea/workflows-archived/risk-bundle-ci.yml diff --git a/.gitea/workflows/rollback-lag.yml b/.gitea/workflows-archived/rollback-lag.yml similarity index 100% rename from .gitea/workflows/rollback-lag.yml rename to .gitea/workflows-archived/rollback-lag.yml diff --git a/.gitea/workflows/rollback.yml b/.gitea/workflows-archived/rollback.yml similarity index 100% rename from .gitea/workflows/rollback.yml rename to .gitea/workflows-archived/rollback.yml diff --git a/.gitea/workflows/router-chaos.yml b/.gitea/workflows-archived/router-chaos.yml similarity index 100% rename from .gitea/workflows/router-chaos.yml rename to .gitea/workflows-archived/router-chaos.yml diff --git a/.gitea/workflows/sast-scan.yml b/.gitea/workflows-archived/sast-scan.yml similarity index 100% rename from .gitea/workflows/sast-scan.yml rename to .gitea/workflows-archived/sast-scan.yml diff --git a/.gitea/workflows/scanner-analyzers-release.yml b/.gitea/workflows-archived/scanner-analyzers-release.yml similarity index 100% rename from .gitea/workflows/scanner-analyzers-release.yml rename to .gitea/workflows-archived/scanner-analyzers-release.yml diff --git a/.gitea/workflows/scanner-analyzers.yml b/.gitea/workflows-archived/scanner-analyzers.yml similarity index 100% rename from .gitea/workflows/scanner-analyzers.yml rename to .gitea/workflows-archived/scanner-analyzers.yml 
diff --git a/.gitea/workflows/scanner-determinism.yml b/.gitea/workflows-archived/scanner-determinism.yml similarity index 100% rename from .gitea/workflows/scanner-determinism.yml rename to .gitea/workflows-archived/scanner-determinism.yml diff --git a/.gitea/workflows/schema-evolution.yml b/.gitea/workflows-archived/schema-evolution.yml similarity index 100% rename from .gitea/workflows/schema-evolution.yml rename to .gitea/workflows-archived/schema-evolution.yml diff --git a/.gitea/workflows/schema-validation.yml b/.gitea/workflows-archived/schema-validation.yml similarity index 100% rename from .gitea/workflows/schema-validation.yml rename to .gitea/workflows-archived/schema-validation.yml diff --git a/.gitea/workflows/sdk-generator.yml b/.gitea/workflows-archived/sdk-generator.yml similarity index 100% rename from .gitea/workflows/sdk-generator.yml rename to .gitea/workflows-archived/sdk-generator.yml diff --git a/.gitea/workflows/sdk-publish.yml b/.gitea/workflows-archived/sdk-publish.yml similarity index 100% rename from .gitea/workflows/sdk-publish.yml rename to .gitea/workflows-archived/sdk-publish.yml diff --git a/.gitea/workflows/secrets-bundle-release.yml b/.gitea/workflows-archived/secrets-bundle-release.yml similarity index 100% rename from .gitea/workflows/secrets-bundle-release.yml rename to .gitea/workflows-archived/secrets-bundle-release.yml diff --git a/.gitea/workflows/secrets-scan.yml b/.gitea/workflows-archived/secrets-scan.yml similarity index 100% rename from .gitea/workflows/secrets-scan.yml rename to .gitea/workflows-archived/secrets-scan.yml diff --git a/.gitea/workflows/service-release.yml b/.gitea/workflows-archived/service-release.yml similarity index 100% rename from .gitea/workflows/service-release.yml rename to .gitea/workflows-archived/service-release.yml 
diff --git a/.gitea/workflows/signals-ci.yml b/.gitea/workflows-archived/signals-ci.yml similarity index 100% rename from .gitea/workflows/signals-ci.yml rename to .gitea/workflows-archived/signals-ci.yml diff --git a/.gitea/workflows/signals-dsse-sign.yml b/.gitea/workflows-archived/signals-dsse-sign.yml similarity index 100% rename from .gitea/workflows/signals-dsse-sign.yml rename to .gitea/workflows-archived/signals-dsse-sign.yml diff --git a/.gitea/workflows/signals-evidence-locker.yml b/.gitea/workflows-archived/signals-evidence-locker.yml similarity index 100% rename from .gitea/workflows/signals-evidence-locker.yml rename to .gitea/workflows-archived/signals-evidence-locker.yml diff --git a/.gitea/workflows/signals-reachability.yml b/.gitea/workflows-archived/signals-reachability.yml similarity index 100% rename from .gitea/workflows/signals-reachability.yml rename to .gitea/workflows-archived/signals-reachability.yml diff --git a/.gitea/workflows/sm-remote-ci.yml b/.gitea/workflows-archived/sm-remote-ci.yml similarity index 100% rename from .gitea/workflows/sm-remote-ci.yml rename to .gitea/workflows-archived/sm-remote-ci.yml diff --git a/.gitea/workflows/spec-diff-gate.yml b/.gitea/workflows-archived/spec-diff-gate.yml similarity index 100% rename from .gitea/workflows/spec-diff-gate.yml rename to .gitea/workflows-archived/spec-diff-gate.yml diff --git a/.gitea/workflows/symbols-ci.yml b/.gitea/workflows-archived/symbols-ci.yml similarity index 100% rename from .gitea/workflows/symbols-ci.yml rename to .gitea/workflows-archived/symbols-ci.yml diff --git a/.gitea/workflows/symbols-release.yml b/.gitea/workflows-archived/symbols-release.yml similarity index 100% rename from .gitea/workflows/symbols-release.yml rename to .gitea/workflows-archived/symbols-release.yml 
diff --git a/.gitea/workflows/test-blast-radius.yml b/.gitea/workflows-archived/test-blast-radius.yml similarity index 100% rename from .gitea/workflows/test-blast-radius.yml rename to .gitea/workflows-archived/test-blast-radius.yml diff --git a/.gitea/workflows/test-infrastructure.yml b/.gitea/workflows-archived/test-infrastructure.yml similarity index 100% rename from .gitea/workflows/test-infrastructure.yml rename to .gitea/workflows-archived/test-infrastructure.yml diff --git a/.gitea/workflows/test-lanes.yml b/.gitea/workflows-archived/test-lanes.yml similarity index 100% rename from .gitea/workflows/test-lanes.yml rename to .gitea/workflows-archived/test-lanes.yml diff --git a/.gitea/workflows/test-matrix.yml b/.gitea/workflows-archived/test-matrix.yml similarity index 100% rename from .gitea/workflows/test-matrix.yml rename to .gitea/workflows-archived/test-matrix.yml diff --git a/.gitea/workflows/unknowns-budget-gate.yml b/.gitea/workflows-archived/unknowns-budget-gate.yml similarity index 100% rename from .gitea/workflows/unknowns-budget-gate.yml rename to .gitea/workflows-archived/unknowns-budget-gate.yml diff --git a/.gitea/workflows/verify-reproducibility.yml b/.gitea/workflows-archived/verify-reproducibility.yml similarity index 100% rename from .gitea/workflows/verify-reproducibility.yml rename to .gitea/workflows-archived/verify-reproducibility.yml diff --git a/.gitea/workflows/vex-proof-bundles.yml b/.gitea/workflows-archived/vex-proof-bundles.yml similarity index 100% rename from .gitea/workflows/vex-proof-bundles.yml rename to .gitea/workflows-archived/vex-proof-bundles.yml diff --git a/.gitea/workflows/local-ci-verify.yml b/.gitea/workflows/local-ci-verify.yml new file mode 100644 index 000000000..bc7f543c5 --- /dev/null +++ b/.gitea/workflows/local-ci-verify.yml 
@@ -0,0 +1,137 @@ +# Local CI Verification Pipeline +# Manual-dispatch only — validates devops/ci-local/ scaffolding and CI image. +# Triggers: workflow_dispatch (Gitea UI or API). +name: Local CI Verification + +on: + workflow_dispatch: + inputs: + workflow: + description: 'Archived workflow file to dry-run (e.g. test-matrix.yml). Leave empty to skip.' + required: false + default: '' + dry_run: + description: 'Pass -n (dry-run) to act' + required: false + default: 'true' + +jobs: + validate-scaffolding: + name: Validate CI scaffolding + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Check devops/ci-local files exist + run: | + echo "::group::Checking required files" + errors=0 + + for f in \ + devops/ci-local/.env.local.template \ + devops/ci-local/run-act.sh \ + devops/ci-local/run-act.ps1 \ + devops/ci-local/README.md \ + devops/ci-local/events/push.json \ + devops/ci-local/events/pull-request.json \ + devops/docker/Dockerfile.ci \ + .actrc; do + if [ -f "$f" ]; then + echo "✓ $f" + else + echo "✗ MISSING: $f" + errors=$((errors + 1)) + fi + done + + echo "::endgroup::" + if [ "$errors" -gt 0 ]; then + echo "::error::$errors required file(s) missing" + exit 1 + fi + + - name: Lint event JSON files + run: | + echo "::group::Validating JSON payloads" + for f in devops/ci-local/events/*.json; do + if python3 -m json.tool "$f" > /dev/null 2>&1; then + echo "✓ $f — valid JSON" + else + echo "✗ $f — invalid JSON" + exit 1 + fi + done + echo "::endgroup::" + + - name: Verify runner scripts are executable + run: | + if [ ! -x devops/ci-local/run-act.sh ]; then + echo "::warning::run-act.sh is not executable (chmod +x recommended)" + fi + + build-ci-image: + name: Build stellaops-ci image + runs-on: ubuntu-latest + needs: validate-scaffolding + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Build CI image + run: | + docker build \ + -t stellaops-ci:local \ + -f devops/docker/Dockerfile.ci \ + . 
+ + - name: Verify image exists + run: | + docker image inspect stellaops-ci:local > /dev/null 2>&1 + echo "stellaops-ci:local built successfully" + docker image ls stellaops-ci:local + + dry-run-smoke: + name: Dry-run smoke test + runs-on: ubuntu-latest + needs: build-ci-image + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Install act + run: | + curl -sSL https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash + + - name: List jobs from archived test-matrix + run: | + act -l -W .gitea/workflows-archived/test-matrix.yml \ + -P ubuntu-latest=stellaops-ci:local \ + --env-file devops/ci-local/.env.local.template + + - name: Dry-run archived test-matrix + run: | + act -W .gitea/workflows-archived/test-matrix.yml -n \ + -P ubuntu-latest=stellaops-ci:local \ + --env-file devops/ci-local/.env.local.template \ + -e devops/ci-local/events/push.json + + - name: Dry-run user-specified workflow + if: ${{ github.event.inputs.workflow != '' }} + run: | + WORKFLOW="${{ github.event.inputs.workflow }}" + ARCHIVE_PATH=".gitea/workflows-archived/${WORKFLOW}" + + if [ ! -f "$ARCHIVE_PATH" ]; then + echo "::error::Workflow not found: $ARCHIVE_PATH" + exit 1 + fi + + ACT_ARGS="-W $ARCHIVE_PATH -P ubuntu-latest=stellaops-ci:local --env-file devops/ci-local/.env.local.template -e devops/ci-local/events/push.json" + + if [ "${{ github.event.inputs.dry_run }}" = "true" ]; then + ACT_ARGS="$ACT_ARGS -n" + fi + + echo "Running: act $ACT_ARGS" + act $ACT_ARGS diff --git a/devops/ci-local/README.md b/devops/ci-local/README.md index 9c5ae4d6d..0356e46b2 100644 --- a/devops/ci-local/README.md +++ b/devops/ci-local/README.md @@ -23,8 +23,8 @@ cp devops/ci-local/.env.local.template devops/ci-local/.env.local # 3. List available jobs act -l -# 4. Dry-run a workflow -act -W .gitea/workflows/test-matrix.yml -n +# 4. Dry-run a workflow (archived workflows) +act -W .gitea/workflows-archived/test-matrix.yml -n ``` ### Windows (PowerShell) 
@@ -54,17 +54,47 @@ The `local-ci.sh` script supports additional modes beyond raw act invocation: ./devops/scripts/local-ci.sh module --module Scanner ``` +## Gitea CI verification pipeline + +The `local-ci-verify.yml` workflow (in `.gitea/workflows/`) provides a one-click +way to validate your local CI setup from within Gitea Actions itself. + +**Trigger:** Manual dispatch only (Gitea UI: **Actions > Local CI Verification > Run workflow**). + +**Inputs:** +| Input | Default | Description | +|-------|---------|-------------| +| `workflow` | _(empty)_ | Archived workflow file to dry-run (e.g. `test-matrix.yml`) | +| `dry_run` | `true` | Pass `-n` (dry-run) to act | + +**Jobs:** +1. **validate-scaffolding** — Checks that all `devops/ci-local/` files exist and event JSON is valid. +2. **build-ci-image** — Builds `stellaops-ci:local` from `devops/docker/Dockerfile.ci`. +3. **dry-run-smoke** — Runs `act -l` and `act -n` against `test-matrix.yml` from the archive, plus an optional user-specified workflow. + +**API trigger example:** + +```bash +curl -X POST \ + -H "Authorization: token $GITEA_TOKEN" \ + "https://git.stella-ops.org/api/v1/repos///actions/workflows/local-ci-verify.yml/dispatches" \ + -d '{"ref":"main","inputs":{"workflow":"test-matrix.yml","dry_run":"true"}}' +``` + ## Common workflows +> **Note:** Workflows have been archived to `.gitea/workflows-archived/`. The +> paths below reflect the archive location. 
+ | Workflow | What it tests | Example | |----------|--------------|---------| -| `test-matrix.yml` | Unit + integration test matrix | `act -W .gitea/workflows/test-matrix.yml -n` | -| `build-test-deploy.yml` | Full build/test/deploy pipeline | `act -W .gitea/workflows/build-test-deploy.yml -n` | -| `scanner-analyzers.yml` | Scanner analyzer suite | `act -W .gitea/workflows/scanner-analyzers.yml -n` | -| `parity-tests.yml` | Cross-platform parity checks | `act -W .gitea/workflows/parity-tests.yml -n` | -| `integration-tests-gate.yml` | Integration test gate | `act -W .gitea/workflows/integration-tests-gate.yml -n` | -| `schema-validation.yml` | JSON/OAS schema validation | `act -W .gitea/workflows/schema-validation.yml -n` | -| `determinism-gate.yml` | Deterministic output checks | `act -W .gitea/workflows/determinism-gate.yml -n` | +| `test-matrix.yml` | Unit + integration test matrix | `act -W .gitea/workflows-archived/test-matrix.yml -n` | +| `build-test-deploy.yml` | Full build/test/deploy pipeline | `act -W .gitea/workflows-archived/build-test-deploy.yml -n` | +| `scanner-analyzers.yml` | Scanner analyzer suite | `act -W .gitea/workflows-archived/scanner-analyzers.yml -n` | +| `parity-tests.yml` | Cross-platform parity checks | `act -W .gitea/workflows-archived/parity-tests.yml -n` | +| `integration-tests-gate.yml` | Integration test gate | `act -W .gitea/workflows-archived/integration-tests-gate.yml -n` | +| `schema-validation.yml` | JSON/OAS schema validation | `act -W .gitea/workflows-archived/schema-validation.yml -n` | +| `determinism-gate.yml` | Deterministic output checks | `act -W .gitea/workflows-archived/determinism-gate.yml -n` | ## Environment variables diff --git a/docs/implplan/SPRINT_20260201_005_CICD_act_local_ci_verification.md b/docs/implplan/SPRINT_20260201_005_CICD_act_local_ci_verification.md index a22c4d5c7..672f57ee6 100644 --- a/docs/implplan/SPRINT_20260201_005_CICD_act_local_ci_verification.md 
+++ b/docs/implplan/SPRINT_20260201_005_CICD_act_local_ci_verification.md @@ -97,6 +97,38 @@ Completion criteria: - [x] Sprint file follows the standard template - [x] All tasks tracked +### T7 - Create local-ci-verify.yml pipeline +Status: DONE +Dependency: T1-T5 +Owners: Developer +Task description: +- Create `.gitea/workflows/local-ci-verify.yml` — a `workflow_dispatch`-only pipeline that validates the local CI scaffolding. +- Three jobs: `validate-scaffolding` (check files exist, lint JSON), `build-ci-image` (build Dockerfile.ci), `dry-run-smoke` (act list + dry-run against archived workflows). +- Inputs: `workflow` (optional archived workflow to dry-run), `dry_run` (boolean, default true). + +Completion criteria: +- [x] Workflow file exists at `.gitea/workflows/local-ci-verify.yml` +- [x] Only triggered by `workflow_dispatch` +- [x] Three jobs with correct dependency chain +- [x] Supports optional dry-run of user-specified archived workflow + +### T8 - Archive all existing workflow files +Status: DONE +Dependency: T7 +Owners: Developer +Task description: +- Move all 118 `.yml`/`.yaml` workflow files from `.gitea/workflows/` to `.gitea/workflows-archived/`. +- Keep only `local-ci-verify.yml` and `templates/` subdirectory in `.gitea/workflows/`. +- Update `.gitea/README.md` to document the archive state, active workflows, and restoration instructions. +- Update `devops/ci-local/README.md` with pipeline trigger instructions. + +Completion criteria: +- [x] 118 files moved to `.gitea/workflows-archived/` +- [x] Only `local-ci-verify.yml` remains in `.gitea/workflows/` +- [x] `templates/` subdirectory preserved in `.gitea/workflows/` +- [x] `.gitea/README.md` updated with archive note, active workflows section, and restoration instructions +- [x] `devops/ci-local/README.md` updated with pipeline section + ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | 
@@ -125,6 +157,9 @@ Completion criteria: | 15 | `run-act.sh` syntax check (`bash -n`) | PASS | No syntax errors | | 16 | `.env.local` auto-creation | PASS | Copied from template on first `run-act.ps1` run | +| 2026-02-01 | T7: Created `local-ci-verify.yml` with 3-job pipeline (validate-scaffolding, build-ci-image, dry-run-smoke). | Developer | +| 2026-02-01 | T8: Archived 118 workflow files to `.gitea/workflows-archived/`. Updated `.gitea/README.md` and `devops/ci-local/README.md`. | Developer | + ## Decisions & Risks - Event payloads use minimal fields; some workflows may expect additional fields (e.g., `repository`, `sender`). Developers can extend the JSON files as needed. - `.env.local.template` covers the most commonly referenced vars; module-specific vars may need to be added over time.
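Review bot: In `.gitea/workflows/local-ci-verify.yml`, the "Dry-run user-specified workflow" step expands `${{ github.event.inputs.workflow }}` and `${{ github.event.inputs.dry_run }}` directly into the `run:` script, so the input text becomes part of the shell source before it executes, and a value containing `../` makes `ARCHIVE_PATH` resolve outside `.gitea/workflows-archived/`. Pass both inputs through the step's `env:` block, reference them as quoted shell variables, and reject any `workflow` value that is not a bare file name ending in `.yml` or `.yaml` before building `ARCHIVE_PATH`. Separately, the "Install act" step pipes `install.sh` from the `master` branch into `sudo bash`; pin the installer to a release tag or commit and verify a checksum before running it.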
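Review bot: In the `devops/ci-local/README.md` hunk at `@@ -54,17 +54,47 @@`, the API trigger example sends a JSON body with `-d` but sets no `Content-Type` header, and curl's default for `-d` is `application/x-www-form-urlencoded`; add `-H "Content-Type: application/json"`. The URL in the same example reads `repos///actions/workflows/...` with empty owner and repository segments, so put explicit placeholders there. The inputs table should also say that any `dry_run` value other than `true` makes the pipeline execute the selected archived workflow instead of only planning it.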
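Review bot: T7 in the sprint file (hunk `@@ -97,6 +97,38 @@`) describes `dry_run` as "boolean, default true", but the workflow compares the input as a string with `= "true"`, so values such as `True` or `1` drop `-n` and the archived workflow runs for real. Invert the check so that only an explicit `false` disables dry-run, and add a completion criterion that covers this behaviour.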
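Review bot: The execution-log rows added at `@@ -125,6 +157,9 @@` record that 118 workflows were archived, but the "Decisions & Risks" list that follows gains no entry for it. The renamed set includes `secrets-scan.yml`, `sast-scan.yml`, `provenance-check.yml` and `release-keyless-sign.yml`, and the only workflow left active is manual-dispatch only, so none of these checks runs on push or pull request any more. Record that as a risk with an owner and a condition for restoring the security workflows.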