chore: bootstrap repo scaffolding (M0.1)
ci / shared (pull_request) Failing after 2m12s

Adds the §1.2 scaffolding required by IMPLEMENTATION_PLAN.md M0.1:
README, CONTRIBUTING, CODEOWNERS, CHANGELOG, PR + issue templates,
CI workflow, release workflow, LICENSE, commitlint, cliff config,
.editorconfig, .gitignore, .env.example.

Refs: M0.1
2026-05-18 21:07:15 +02:00
parent 8537fd69dd
commit d816ba2b22
20 changed files with 4761 additions and 1 deletion
+50
@@ -0,0 +1,50 @@
---
name: Bug report
about: Something works incorrectly or breaks
labels: bug
---
## What happened
<!-- One sentence. The observable symptom, not the root cause. -->
## What I expected
<!-- One sentence. -->
## Steps to reproduce
1.
2.
3.
## Environment
- **Env:** dev / stage / prod
- **Tenant slug:** <!-- e.g. acme, demo, leave blank if platform-wide -->
- **Product:** <!-- portal / certifai / compliance / tenant-registry / orca-proxy / ... -->
- **Release tag / commit SHA:**
- **Browser (if portal):**
## Evidence
<!-- Trace ID from SigNoz, log excerpts, screenshots, request/response bodies.
STRIP PII before pasting. -->
```
<paste here>
```
**SigNoz trace:** <!-- link -->
## Blast radius
- [ ] Affects a single tenant
- [ ] Affects multiple tenants
- [ ] Affects all tenants on this env
- [ ] Data loss or corruption risk
- [ ] Security / authz implication
## Suspected cause (optional)
<!-- Leave blank if you don't know. Speculation here is welcome but not required. -->
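Review bot: the `## Evidence` section asks for log excerpts and request/response bodies but only warns to "STRIP PII"; those bodies and logs routinely carry Authorization headers, session cookies, JWTs and API keys, so widen the warning to something like "STRIP PII and credentials (Authorization headers, cookies, tokens, API keys) before pasting". Related: the Blast radius checkbox `- [ ] Security / authz implication` invites reports with a security impact, complete with reproduction steps and evidence, into the ordinary issue tracker; add a line above the checklist telling reporters to send anything with a security or authz impact through a private reporting channel rather than this template.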
+41
@@ -0,0 +1,41 @@
---
name: Feature / change request
about: Propose a new capability or behavior change
labels: enhancement
---
## Problem
<!-- What is the customer / operator / developer trying to do today, and why is it painful?
Lead with the WHY. -->
## Proposed solution
<!-- One paragraph. The shape of the change, not the implementation detail. -->
## Acceptance criteria
<!-- A reviewer should be able to read these and say "shipped" or "not shipped". -->
- [ ]
- [ ]
- [ ]
## Alternatives considered
<!-- 12 sentences each. "Do nothing" is always one alternative — say why it's worse. -->
## Linked milestone
<!-- Optional. If this maps to an existing milestone in IMPLEMENTATION_PLAN.md, link it.
If it doesn't, that's a signal the plan needs an update. -->
M0.1 — or **new milestone needed**
## Out of scope
<!-- Things this issue explicitly does NOT cover, so reviewers don't expand the scope. -->
## Open questions
<!-- Things to resolve before implementation can start. -->
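Review bot: two template defects. The hint under `## Alternatives considered` reads `12 sentences each`, which is almost certainly "1-2 sentences each" with the dash lost; as written it asks for twelve sentences per alternative. And the `## Linked milestone` placeholder `M0.1 — or **new milestone needed**` sits outside the HTML comment, so every issue opened from this template carries M0.1 as its milestone unless the author edits it; move it into the comment as an example (the PR template in this same commit has the same problem with `Linked milestone: **M0.1**`). Also consider a short "Security considerations" prompt (authz, tenant isolation, data exposure) beside `## Out of scope`, so the question is asked at proposal time rather than first surfacing in the PR checklist's "Tenant scoping enforced" row.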
+66
@@ -0,0 +1,66 @@
<!--
PR title MUST be a Conventional Commit, e.g.:
feat(api): add POST /v1/tenants/:id/cancel
fix(auth): reject JWT when org_id missing
Mark draft if not ready for review.
-->
## What
<!-- 13 bullets. What does this PR change? -->
-
## Why
<!-- Link the architecture section, milestone ID, or issue this addresses. -->
Linked milestone: **M0.1**
<!-- Optional: closes #123, refs #456 -->
## How
<!-- Notes for the reviewer: the interesting design choices, the tricky bits, what NOT to focus on. Skip if obvious from the diff. -->
## Test plan
- [ ] Unit tests added/updated
- [ ] Integration tests added/updated (real DB via testcontainers)
- [ ] Playwright e2e added/updated (only if user-facing flow changed)
- [ ] Manual smoke on stage after deploy
- [ ] Regression test added (only if this PR fixes a bug — must fail before the fix)
<!-- If a row is genuinely n/a, leave it unchecked and explain below. -->
## Risk
**Blast radius:** <!-- single tenant / all tenants / single product / portal-wide / data-plane / infra -->
**What could break:**
-
**Rollback plan:**
<!-- e.g. `orca rollout undo {service} --env=prod`, or "revert the PR and redeploy" -->
## Checklist
- [ ] Docs updated (or n/a — explain)
- [ ] Audit events emitted for state changes (or n/a)
- [ ] Secrets via Infisical, never in repo
- [ ] Migration is forward-only + idempotent (or no migration)
- [ ] Tenant scoping enforced on every DB query (or no DB access)
- [ ] OpenAPI spec updated (or no API change)
- [ ] `featureFlags.evaluate()` used for any toggleable behavior (or n/a)
- [ ] CHANGELOG entry under "Unreleased" (or n/a)
## Screenshots / recordings
<!-- For UI changes. Drop a screenshot or a Loom link. -->
---
<!--
Reviewer reminder: in this order — risk → tests → security → correctness → style.
Squash-merge after approval. PR title becomes the commit message.
-->
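Review bot: `Linked milestone: **M0.1**` under `## Why` is a live default rather than a comment, so every PR will claim M0.1 unless the author remembers to change it; put it inside the HTML comment as an example, and the `## What` hint `13 bullets` reads as "1-3 bullets" with the dash dropped. On the process note at the bottom: "Squash-merge after approval. PR title becomes the commit message" means the title, not the branch's commits, is what lands on `main`, yet the CI workflow in this commit runs commitlint only on the PR's commits (`commitlint (PR only)`), so a non-conforming title still reaches `main` and breaks the cliff-generated release notes; lint the title as well, or enforce the rule somewhere that actually sees it. The rollback hint `orca rollout undo {service} --env=prod` matches the release workflow's rollback step, which is good; it would help reviewers to say here that "revert the PR and redeploy" is the fallback when the previous rollout is itself bad.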
+31
@@ -0,0 +1,31 @@
# CI skeleton (TypeScript shape; no app code yet).
# Lights up to commitlint + gitleaks + trivy fs scan. Add lint/test/build jobs
# when this repo grows real package code.
name: ci
on:
pull_request:
branches: [main]
push:
branches: [main]
jobs:
shared:
runs-on: docker
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 }
- name: commitlint (PR only)
if: github.event_name == 'pull_request'
uses: wagoid/commitlint-github-action@v6
- name: gitleaks
uses: gitleaks/gitleaks-action@v2
- name: trivy fs scan
uses: aquasecurity/trivy-action@master
with:
scan-type: fs
severity: HIGH,CRITICAL
exit-code: 1
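Review bot: `uses: aquasecurity/trivy-action@master` tracks a mutable branch, so this job pulls whatever is on `master` at run time into a step that has the full checkout (`fetch-depth: 0`) and the workflow token; pin it to a release tag, and preferably pin all four actions (`actions/checkout`, `wagoid/commitlint-github-action`, `gitleaks/gitleaks-action`, `trivy-action`) to commit SHAs rather than major-version tags, since a major tag is just as movable by the action's maintainer. Two further points: the PR check on this page is shown failing after 2m12s, and these are GitHub-targeted actions running under `runs-on: docker` on a Gitea runner; the gitleaks step sets no `GITHUB_TOKEN` env, which the gitleaks action documents as required, so confirm each step actually works under act_runner before relying on this as a merge gate. And because the PR template makes the PR title the squash commit message, `commitlint (PR only)` over the PR's commits does not cover the message that ends up on `main`; lint the title too.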
+85
@@ -0,0 +1,85 @@
# release.yaml — production release on git tag vX.Y.Z.
# Promotes the image already on stage to prod, gated by manual sign-off.
name: release
on:
push:
tags: ['v*.*.*']
jobs:
promote:
runs-on: docker
environment:
name: production # Gitea Environments — requires sign-off per branch protection
url: https://yourplatform.com
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 }
- name: extract version
id: v
run: echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: verify stage soak (>= 24h on this image)
run: |
IMG=registry.yourplatform.com/${{ github.event.repository.name }}:env-stage
SOAK_SECONDS=$(orca image-age --env=stage --image $IMG)
if [ "$SOAK_SECONDS" -lt 86400 ]; then
echo "Stage soak only $SOAK_SECONDS s, < 24h. Aborting."
exit 1
fi
env:
ORCA_TOKEN: ${{ secrets.ORCA_STAGE_TOKEN }}
- name: re-tag image as semver + env-prod
uses: docker/login-action@v3
with:
registry: registry.yourplatform.com
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASS }}
- run: |
IMG=registry.yourplatform.com/${{ github.event.repository.name }}
docker pull $IMG:env-stage
docker tag $IMG:env-stage $IMG:v${{ steps.v.outputs.version }}
docker tag $IMG:env-stage $IMG:env-prod
docker push $IMG:v${{ steps.v.outputs.version }}
docker push $IMG:env-prod
- name: deploy to prod
run: orca apply --env=prod --image-tag=v${{ steps.v.outputs.version }}
env:
ORCA_TOKEN: ${{ secrets.ORCA_PROD_TOKEN }}
- name: post-deploy smoke
run: orca exec --env=prod smoke-runner
- name: generate release notes from conventional commits
uses: orhun/git-cliff-action@v3
with:
config: cliff.toml
args: --latest --strip header
env:
OUTPUT: RELEASE_NOTES.md
- name: create Gitea release
run: |
curl -X POST -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
-H "Content-Type: application/json" \
-d "$(jq -Rs '{tag_name:"v${{ steps.v.outputs.version }}", name:"v${{ steps.v.outputs.version }}", body:.}' < RELEASE_NOTES.md)" \
https://gitea.meghsakha.com/api/v1/repos/${{ github.repository }}/releases
rollback-on-failure:
needs: promote
if: failure()
runs-on: docker
steps:
- name: orca rollback prod
run: orca rollout undo ${{ github.event.repository.name }} --env=prod
env:
ORCA_TOKEN: ${{ secrets.ORCA_PROD_TOKEN }}
- name: page on-call
run: |
curl -X POST -H "Content-Type: application/json" \
-d '{"text":"Release of ${{ github.event.repository.name }} ${{ github.ref }} FAILED. Rolled back. See Gitea Actions run."}' \
${{ secrets.ONCALL_WEBHOOK }}
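Review bot: `rollback-on-failure` fires on any failure of `promote` (`if: failure()`), including the soak gate's `exit 1`, the `docker/login-action` step and the re-tag step, all of which fail before `orca apply --env=prod` has run; in that case `orca rollout undo ... --env=prod` undoes the previous production rollout, not this one. Gate it on the deploy having started, e.g. set an output in the `deploy to prod` step and use `if: failure() && needs.promote.outputs.deployed == 'true'`, or move the soak check into its own job that `promote` depends on. Four more points. (1) `${{ steps.v.outputs.version }}`, `${{ github.event.repository.name }}` and `${{ github.ref }}` are expanded into the `run:` shell text, into the `jq -Rs '{tag_name:"v${{ ... }}" ...}'` filter string and into the single-quoted webhook JSON before the shell ever sees them; git permits `$`, `;`, `(`, `'` and `"` in tag names and `v*.*.*` does not restrict them, so anyone who can push a tag can inject into a job holding `ORCA_PROD_TOKEN`, `REGISTRY_PASS` and `GITEA_TOKEN`. Pass these values through `env:` and reference them as quoted shell variables (`"$VERSION"`), and have the `extract version` step reject anything not matching `^[0-9]+\.[0-9]+\.[0-9]+$`. (2) The soak check measures the age of the mutable `env-stage` tag and the re-tag step then pulls `env-stage` again, so a stage redeploy between the two promotes an image that never soaked; resolve the digest once, check soak on that digest, and tag `v${VERSION}` and `env-prod` from it so `env-prod` is traceable to an immutable image. (3) `post-deploy smoke` (`orca exec --env=prod smoke-runner`) has no `env:` block, unlike the other `orca` steps which set `ORCA_STAGE_TOKEN` or `ORCA_PROD_TOKEN`; if `orca` needs the token, this step fails after a successful deploy and triggers the rollback every time. (4) The Gitea API call hardcodes `https://gitea.meghsakha.com` while every other host in the file is a `yourplatform.com` placeholder; use `${{ github.server_url }}` or a single variable so the release call follows the instance. Minor: the step named `re-tag image as semver + env-prod` is the docker login; the unnamed `run:` step below it is the actual re-tag.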