ci: rework workflow for Gitea Actions (M0.2) #2

Merged
sharang merged 3 commits from fix/m0.2-gitea-friendly-ci into main 2026-05-18 19:42:35 +00:00

What

  • Rewrites .gitea/workflows/ci.yaml to be Gitea Actions friendly.
  • commitlint is now a bash regex check over the PR commit range — no external action, no octokit.
  • gitleaks runs the official binary inline (downloaded from upstream releases).
  • Per-stack test/image/e2e jobs gated on the existence of real code so empty repos pass cleanly.

Why

The original workflow used wagoid/commitlint-github-action@v6 and gitleaks/gitleaks-action@v2. Both call the GitHub API and 404 on Gitea (error trying to get list of pull request's commits: not found). Without this fix, no PR can ever go green and branch protection (M0.2) cannot be turned on.

Linked milestone: M0.2

How

  • commitlint replacement: git log --format=%s base..head piped through a bash regex matching the Conventional Commits grammar (feat|fix|...|revert, optional scope, optional !, ≤72 char subject). Same enforcement, zero deps.
  • gitleaks replacement: curl ... | tar -xz; gitleaks detect --exit-code 1. Pins to v8.18.4.
  • Per-stack gates: if: hashFiles('go.sum') != '' / hashFiles('package.json') != '' / hashFiles('Dockerfile') != ''. Empty repos skip those jobs; they activate the moment real code lands.

Trivy is unchanged — it runs a local fs scan and never touched the GitHub API.
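As an added example (not the repository's own `ci.yaml`), a dependency-free version of the commit-subject check described above, runnable from a Gitea Actions shell step; the type list between `feat` and `revert`, the scope character set, the `--no-merges` choice and the `--demo` flag are assumptions.

```shell
#!/usr/bin/env sh
# Added example: Conventional Commits subject check over `git log --format=%s base..head`.
# Not the project's ci.yaml; type list, scope charset and --no-merges are assumptions.
set -u

# Allowed types: feat|fix|...|revert per the PR; the middle entries are assumed.
CC_TYPES='feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert'
# type, optional (scope), optional "!", then ": " and a description that
# does not start with a space (so "feat: " alone is rejected).
CC_PATTERN="^(${CC_TYPES})(\([a-zA-Z0-9._/-]+\))?!?: [^ ].*$"
CC_MAX_LEN=72

# check_subject SUBJECT -> exit 0 if it conforms, 1 otherwise.
check_subject() {
  subject=$1
  # Whole subject line must be <= 72 characters (the PR's length rule).
  [ "${#subject}" -le "$CC_MAX_LEN" ] || return 1
  printf '%s\n' "$subject" | grep -Eq "$CC_PATTERN"
}

# lint_range BASE HEAD -> reports every offending subject on stderr,
# exits 1 if any commit in BASE..HEAD fails. Merge commits are skipped
# (assumption: they carry no Conventional Commits subject to lint).
lint_range() {
  git log --no-merges --format=%s "$1..$2" | {
    bad=0
    while IFS= read -r subject; do
      check_subject "$subject" && continue
      printf 'non-conventional commit subject: %s\n' "$subject" >&2
      bad=1
    done
    exit "$bad"   # becomes the pipeline's exit status
  }
}

# Constructed sample subjects (not from any real repo), run with --demo.
if [ "${1:-}" = "--demo" ]; then
  for s in 'feat(api): add login endpoint' 'fix!: drop legacy auth' \
           'Added stuff' 'feat: '; do
    if check_subject "$s"; then echo "ok      $s"; else echo "reject  $s"; fi
  done
fi
```

In a workflow step, `lint_range "$BASE_SHA" "$HEAD_SHA"` with the PR's base and head refs gives the same pass/fail gate the PR describes, with no API calls.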

Test plan

  • Unit tests added/updated — n/a (CI-only change)
  • Integration tests added/updated — n/a
  • Playwright e2e added/updated — n/a
  • Manual smoke on stage after deploy — this PR IS the smoke; CI must go green
  • Regression test added — bug fix; the regression check is the green CI itself

Risk

Blast radius: repo-local; no services touched. Worst case: CI still fails for some other reason and we iterate again.

What could break: the bash regex is stricter than commitlint's full ruleset (no body/footer rules) — acceptable for M0.2; will revisit when we add a proper commitlint-via-npm path post-runner-tooling.

Rollback plan: revert the PR.

Checklist

  • Docs updated (CHANGELOG entry under "Fixed")
  • Audit events — n/a
  • Secrets via Infisical — n/a (no new secrets)
  • Migration — n/a
  • Tenant scoping — n/a
  • OpenAPI spec — n/a
  • featureFlags.evaluate() — n/a
  • CHANGELOG entry under "Unreleased"
sharang added 1 commit 2026-05-18 19:34:42 +00:00
ci: rework workflow for Gitea Actions (M0.2)
ci / shared (pull_request) Failing after 41s
ci / test (pull_request) Has been skipped
ci / e2e (pull_request) Has been skipped
ci / image (pull_request) Has been skipped
ca046f3ddb
The original ci.yaml used wagoid/commitlint-github-action and
gitleaks/gitleaks-action, both of which hit GitHub-specific API
endpoints that 404 on Gitea ("error trying to get list of pull
request's commits: not found").

Changes:
- commitlint: bash regex against Conventional Commits, scoped to the
  PR commit range. Zero external deps.
- gitleaks: inline tarball download + binary run, exit-code 1 on
  any finding.
- trivy: unchanged (works fine; uses local fs scan).
- Per-stack test/image/e2e jobs now gated on hashFiles(go.sum) /
  hashFiles(package.json) / hashFiles(Dockerfile) so they skip
  cleanly on empty repos and light up automatically when real code
  lands (M4.1, M5.1, etc.).

Refs: M0.2
CODEOWNERS rules requested review from Benjamin_Boenisch 2026-05-18 19:34:42 +00:00
sharang added 1 commit 2026-05-18 19:36:14 +00:00
ci: replace aquasecurity/trivy-action with inline binary
ci / shared (pull_request) Failing after 3s
ci / test (pull_request) Has been skipped
ci / e2e (pull_request) Has been skipped
ci / image (pull_request) Has been skipped
aabe7cd60b
The trivy-action does an internal actions/checkout against
github.com/aquasecurity/trivy, which fails on Gitea (act_runner
injects Gitea creds; clone returns exit 128). Switch to the same
inline-download pattern we use for gitleaks.

Refs: M0.2
sharang added 1 commit 2026-05-18 19:40:37 +00:00
ci: bump trivy to 0.70.0 (M0.2)
ci / shared (pull_request) Successful in 6s
ci / test (pull_request) Has been skipped
ci / e2e (pull_request) Has been skipped
ci / image (pull_request) Has been skipped
65d0ec0d34
v0.50.0 release tarball doesn't exist on GitHub releases (404).
Pin to v0.70.0 which is the current latest.

Refs: M0.2
sharang merged commit 1220533c36 into main 2026-05-18 19:42:35 +00:00
sharang deleted branch fix/m0.2-gitea-friendly-ci 2026-05-18 19:42:36 +00:00

Reference: platform/design-tokens#2