From ffffecd074bfe756f84c429723330e7971500e55 Mon Sep 17 00:00:00 2001
From: Michael Seele <michael.seele@schmalz.de>
Date: Fri, 17 Apr 2026 12:33:21 +0000
Subject: [PATCH 1/5] Initial commit

---
 .gitignore | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b24d71e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,50 @@
+# These are some examples of commonly ignored file patterns.
+# You should customize this list as applicable to your project.
+# Learn more about .gitignore:
+#     https://www.atlassian.com/git/tutorials/saving-changes/gitignore
+
+# Node artifact files
+node_modules/
+dist/
+
+# Compiled Java class files
+*.class
+
+# Compiled Python bytecode
+*.py[cod]
+
+# Log files
+*.log
+
+# Package files
+*.jar
+
+# Maven
+target/
+dist/
+
+# JetBrains IDE
+.idea/
+
+# Unit test reports
+TEST*.xml
+
+# Generated by MacOS
+.DS_Store
+
+# Generated by Windows
+Thumbs.db
+
+# Applications
+*.app
+*.exe
+*.war
+
+# Large media files
+*.mp4
+*.tiff
+*.avi
+*.flv
+*.mov
+*.wmv
+

From 553786f00030b46ff7444325af11688024ce556d Mon Sep 17 00:00:00 2001
From: Michael Seele <michael.seele@schmalz.de>
Date: Fri, 17 Apr 2026 13:59:57 +0200
Subject: [PATCH 2/5] Add Forgejo shared actions migration working document

---
 ...-04-17-forgejo-shared-actions-migration.md | 1280 +++++++++++++++++
 1 file changed, 1280 insertions(+)
 create mode 100644 2026-04-17-forgejo-shared-actions-migration.md

diff --git a/2026-04-17-forgejo-shared-actions-migration.md b/2026-04-17-forgejo-shared-actions-migration.md
new file mode 100644
index 0000000..6837c71
--- /dev/null
+++ b/2026-04-17-forgejo-shared-actions-migration.md
@@ -0,0 +1,1280 @@
+# Forgejo Shared Actions Migration Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Migrate all Bitbucket + Jenkins CI/CD pipelines to STACKIT Git (Forgejo Actions) using a shared-actions repository with one reusable composite action per responsibility.
+
+**Architecture:** A single `schmalz/shared-actions` repository contains all reusable composite actions and reusable workflows. Consumer repositories call them via `uses: schmalz/shared-actions/.github/actions/<name>@v1`. Each action has exactly one responsibility and is fully self-contained. AWS authentication moves from EC2InstanceMetadata to OIDC federation.
+
+> **STACKIT Git URL:** `https://schmalz-git.git.onstackit.cloud` (DNS may move to `git.schmalzgroup.com` — update all `uses:` references and OIDC trust policies when it does).
+
+**Tech Stack:** Forgejo Actions (GitHub Actions-compatible YAML), OIDC AWS auth, pnpm, Maven/Jib, Terraform, Playwright, Rust/Cargo, JFrog Artifactory, Helm/Kubernetes
+
+---
+
+## Context & Background
+
+### Source Systems Being Replaced
+
+| System | Count | Details |
+|--------|-------|---------|
+| Jenkins pipelines | 18 | Java/Maven, Helm deploy to on-prem Kubernetes |
+| Bitbucket pipelines | ~53 | TypeScript Lambda, Terraform, Playwright, Rust |
+| Custom Bitbucket Pipes | 2 | Docker-based: SBOM upload, i18n translation sync |
+
+### Key Design Decisions
+
+| Decision | Choice | Reason |
+|----------|--------|--------|
+| Shared repo | `schmalz/shared-actions` (new repo) | Clean separation, versioned independently |
+| Version pinning | Semver tags `@v1` / `@v1.2.3` | Stability with explicit upgrade path |
+| Runners | STACKIT-hosted runners | No self-hosted infrastructure to maintain |
+| AWS auth | OIDC federation | EC2InstanceMetadata not available on STACKIT runners |
+| Custom pipes | Convert to composite actions (scripts) | No Docker overhead, easier to maintain |
+| K8s target (Jenkins) | On-prem — services stay on `dsp1.schmalzgroup.net` / `dsp1-stage.schmalzgroup.net`; `helm-deploy` is permanent | |
+| Third-party actions | Use fully qualified `https://data.forgejo.org/` URLs | Avoids `DEFAULT_ACTIONS_URL` misconfiguration on the STACKIT instance |
+
+### AWS Accounts (preserved from existing pipelines)
+
+| Environment | Account ID | IAM Role |
+|-------------|-----------|----------|
+| Stage | `953815822701` | `arn:aws:iam::953815822701:role/deployment-role` |
+| Prod | `409901728745` | `arn:aws:iam::409901728745:role/deployment-role` |
+| Dev | `916033256208` | `arn:aws:iam::916033256208:role/deployment-role` |
+
+### JFrog Artifactory (preserved)
+
+- npm registry: `https://schmalz.jfrog.io/artifactory/api/npm/default-npm/`
+- Docker registry: `schmalz.jfrog.io/default-docker`
+- Terraform modules: `https://schmalz.jfrog.io/artifactory/terraform/`
+- Cargo registry: `schmalz.jfrog.io`
+- Auth: `JFROG_TOKEN` secret (set per-repo or at org level)
+
+---
+
+## Repository Structure: `schmalz/shared-actions`
+
+```
+schmalz/shared-actions/
+├── .github/
+│   ├── actions/
+│   │   ├── aws-configure/
+│   │   │   └── action.yml
+│   │   ├── maven-build/
+│   │   │   └── action.yml
+│   │   ├── helm-deploy/
+│   │   │   └── action.yml
+│   │   ├── secrets-inject/
+│   │   │   └── action.yml
+│   │   ├── pnpm-build/
+│   │   │   └── action.yml
+│   │   ├── terraform-validate/
+│   │   │   └── action.yml
+│   │   ├── terraform-apply/
+│   │   │   └── action.yml
+│   │   ├── aws-s3-sync/
+│   │   │   └── action.yml
+│   │   ├── aws-lambda-update/
+│   │   │   └── action.yml
+│   │   ├── playwright-e2e/
+│   │   │   └── action.yml
+│   │   ├── rust-build/
+│   │   │   └── action.yml
+│   │   ├── publish-npm-package/
+│   │   │   └── action.yml
+│   │   ├── sbom-upload/
+│   │   │   └── action.yml
+│   │   ├── terraform-module-publish/
+│   │   │   └── action.yml
+│   │   ├── docker-build-push/
+│   │   │   └── action.yml
+│   │   ├── publish-rust-crate/
+│   │   │   └── action.yml
+│   │   └── cloudfront-invalidate/
+│   │       └── action.yml
+│   └── workflows/
+│       └── (reusable workflows if needed later)
+└── README.md
+```
+
+---
+
+## One-Time Infrastructure Setup (Before Any Migration)
+
+### OIDC Setup in AWS (required — blocks all migration work)
+
+1. In AWS IAM console for **both** accounts (stage `953815822701`, prod `409901728745`):
+   - Add an OIDC Identity Provider for the STACKIT Git instance
+   - URL: `https://schmalz-git.git.onstackit.cloud`
+   - Audience: `sts.amazonaws.com`
+2. Update the trust policy on `deployment-role` in each account to allow the OIDC provider:
+   ```json
+   {
+     "Effect": "Allow",
+     "Principal": {
+       "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/schmalz-git.git.onstackit.cloud"
+     },
+     "Action": "sts:AssumeRoleWithWebIdentity",
+     "Condition": {
+       "StringLike": {
+         "schmalz-git.git.onstackit.cloud:sub": "repo:schmalz/*:*"
+       },
+       "StringEquals": {
+         "schmalz-git.git.onstackit.cloud:aud": "sts.amazonaws.com"
+       }
+     }
+   }
+   ```
+   > **Note:** The Forgejo OIDC `iss` claim is `https://schmalz-git.git.onstackit.cloud/api/actions`. AWS uses the hostname only (without `/api/actions`) as the IdP identifier.
+   >
+   > If the DNS moves to `git.schmalzgroup.com`, a new OIDC provider entry must be added in AWS and both `sub` + `aud` conditions must be updated.
+3. Set `JFROG_TOKEN` as an organization-level secret in STACKIT Git (avoid per-repo duplication).
+
+### Third-Party Action URLs (required — must be confirmed before Phase 1)
+
+Forgejo resolves bare action references like `actions/checkout@v4` by prepending `DEFAULT_ACTIONS_URL`, which defaults to `https://data.forgejo.org/` but can be overridden by the instance admin.
+
+**Action:** Confirm with the STACKIT instance admin what `DEFAULT_ACTIONS_URL` is set to on the managed instance.
+
+Until confirmed, all consumer workflows use **fully qualified URLs**:
+
+| Action | Qualified URL |
+|--------|---------------|
+| `actions/checkout@v4` | `https://data.forgejo.org/actions/checkout@v4` |
+| `actions/upload-artifact@v4` | `https://data.forgejo.org/actions/upload-artifact@v4` |
+| `actions/download-artifact@v4` | `https://data.forgejo.org/actions/download-artifact@v4` |
+
+The `aws-configure` action does **not** depend on `aws-actions/configure-aws-credentials`. It performs the OIDC token exchange directly via shell (see action spec below) — no external action required.
+
+### `enable-openid-connect` (required for all AWS workflows)
+
+Forgejo uses `enable-openid-connect: true` at the workflow or job level to enable OIDC token generation. This is **not** the same as GitHub's `permissions: id-token: write`. Every workflow or job that calls `aws-configure` must include this flag.
+
+---
+
+## Shared Action Specifications
+
+### Action 1: `aws-configure`
+
+**Responsibility:** Authenticate with AWS via OIDC. Called before any step that needs AWS CLI. Replaces all `aws configure --profile ... set credential_source Ec2InstanceMetadata` blocks.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `role-arn` | yes | — | Full IAM role ARN |
+| `aws-profile` | no | `default` | Profile name written to `~/.aws/config` |
+| `region` | no | `eu-central-1` | AWS region |
+
+**What it does** (pure shell, no external action dependency):
+```bash
+# Exchange Forgejo OIDC token for AWS credentials
+OIDC_TOKEN=$(curl -sf \
+  -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+  "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r .value)
+
+CREDS=$(aws sts assume-role-with-web-identity \
+  --role-arn "$INPUT_ROLE_ARN" \
+  --role-session-name forgejo-ci \
+  --web-identity-token "$OIDC_TOKEN" \
+  --region "$INPUT_REGION" \
+  --query 'Credentials' --output json)
+
+mkdir -p ~/.aws
+
+# Write environment credentials (used by AWS CLI/SDK by default)
+echo "AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId)" >> $FORGEJO_ENV
+echo "AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey)" >> $FORGEJO_ENV
+echo "AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken)" >> $FORGEJO_ENV
+echo "AWS_DEFAULT_REGION=$INPUT_REGION" >> $FORGEJO_ENV
+
+# Write named profile if requested
+if [ "$INPUT_AWS_PROFILE" != "default" ]; then
+  aws configure set aws_access_key_id "$(echo $CREDS | jq -r .AccessKeyId)" --profile "$INPUT_AWS_PROFILE"
+  aws configure set aws_secret_access_key "$(echo $CREDS | jq -r .SecretAccessKey)" --profile "$INPUT_AWS_PROFILE"
+  aws configure set aws_session_token "$(echo $CREDS | jq -r .SessionToken)" --profile "$INPUT_AWS_PROFILE"
+  aws configure set region "$INPUT_REGION" --profile "$INPUT_AWS_PROFILE"
+fi
+```
+
+**Requires:** `enable-openid-connect: true` at the job or workflow level in the calling workflow (Forgejo-specific; injects `ACTIONS_ID_TOKEN_REQUEST_TOKEN` and `ACTIONS_ID_TOKEN_REQUEST_URL` into the runner environment).
+
+---
+
+### Action 2: `maven-build`
+
+**Responsibility:** Run Maven build for Java services — either verify-only (for PRs) or full package+jib push (for deploy branches). Replaces the duplicated Maven steps in all 18 Jenkinsfiles.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `java-version` | no | `8` | JDK version (8, 17, 25) |
+| `maven-image` | no | `maven:3.8.5-openjdk-8` | Full Docker image for the build |
+| `phase` | no | `verify` | `verify` (PR) or `package-and-push` (deploy) |
+| `verify-goals` | no | `spotless:check checkstyle:check compile` | Maven goals for `verify` phase. Override per service if needed (e.g., `employee` uses `spotless:check checkstyle:check test`) |
+| `maven-profile` | no | `test` | Maven `-P` profile (test, prod) |
+| `service-dir` | no | `.` | Subdirectory containing the service pom.xml (for ESB multi-service) |
+| `skip-tests` | no | `false` | Pass `-DskipTests` |
+| `image-tag` | no | `${{ github.sha }}-${{ github.run_id }}` | Docker image tag for jib push |
+| `maven-settings` | yes | — | Secret name containing `settings.xml` content |
+| `extra-args` | no | `` | Additional Maven arguments |
+
+**Phase `verify` runs** (PR validation — matches existing Jenkins behavior):
+```
+mvn <verify-goals> -s <settings>
+```
+> **Note:** The default `verify-goals` is `spotless:check checkstyle:check compile`, matching the current Jenkins PR behavior. This is intentionally lighter than `mvn verify` (which runs the full lifecycle including tests). Only `employee` overrides this to include `test`.
+
+**Phase `package-and-push` runs:**
+```
+mvn clean package jib:build -DsendCredentialsOverHttp=true \
+  -Djib.to.tags=<image-tag> -P <maven-profile> -s <settings>
+```
+
+**Notes:**
+- `maven-image` input allows overriding the full image (some services use `maven:3.9.12-eclipse-temurin-25` for Java 25)
+- The action writes `settings.xml` from the secret to a temp file, passes it via `-s`, and deletes it after
+
+---
+
+### Action 3: `helm-deploy`
+
+**Responsibility:** Deploy a service to Kubernetes via Helm over SSH. Replaces the `deployService()` Groovy function duplicated in every Jenkinsfile.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `service-name` | yes | — | Helm release name |
+| `helm-host` | yes | — | SSH target (e.g., `dsp1-stage.schmalzgroup.net`) |
+| `overrides-file` | no | `kubernetes/overrides-su.yaml` | Local path to Helm values override file |
+| `image-tag` | yes | — | Docker image tag to deploy |
+| `ssh-key` | yes | — | Secret name containing private SSH key |
+| `namespace` | no | `dsp` | Kubernetes namespace |
+| `helm-repo` | no | `nexus-helm-repository` | Helm chart repository name |
+| `helm-chart` | no | `DSP-Blueprint` | Chart name in the repo |
+
+**What it does:**
+```bash
+# SCP overrides file to remote host
+scp -i <key> -o StrictHostKeyChecking=no <overrides-file> root@<helm-host>:/tmp/<service>-overrides.yaml
+# Helm upgrade
+ssh -i <key> -o StrictHostKeyChecking=no root@<helm-host> \
+  "helm repo update && \
+   helm upgrade --install --create-namespace -n <namespace> <service> \
+   <helm-repo>/<helm-chart> -f /tmp/<service>-overrides.yaml \
+   --set image.tag=<image-tag> --atomic --debug"
+```
+
+---
+
+### Action 4: `secrets-inject`
+
+**Responsibility:** Append a secrets file (from CI secret store) to a Java `.properties` file. Replaces the "Load secrets" stage in every Jenkinsfile.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `secret-content` | yes | — | Secret value (the properties content to append) |
+| `target-file` | yes | — | Path to the `.properties` file (e.g., `src/main/resources/application-su.properties`) |
+
+**What it does:**
+```bash
+echo "" >> <target-file>
+echo "<secret-content>" >> <target-file>
+```
+
+**Note:** The secret is passed as a value (not a file path) to work naturally with Forgejo Secrets.
+
+---
+
+### Action 5: `pnpm-build`
+
+**Responsibility:** Set up pnpm, authenticate JFrog npm registry, install dependencies, run configurable npm scripts. Replaces the near-identical pnpm blocks in all ~50 Bitbucket TypeScript pipelines.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `working-directory` | no | `.` | Directory containing `package.json` |
+| `pnpm-version` | no | `10.14` | pnpm version to install globally |
+| `jfrog-token` | yes | — | JFrog npm auth token |
+| `run-scripts` | no | `ci,typecheck,build` | Comma-separated list of `pnpm run <script>` calls |
+| `frozen-lockfile` | no | `true` | Pass `--frozen-lockfile` |
+| `check-dedupe` | no | `true` | Run `pnpm dedupe --check` before install |
+| `node-version` | no | `22` | Node.js version |
+
+**What it does:**
+```bash
+npm i -g pnpm@<pnpm-version>
+pnpm set registry https://schmalz.jfrog.io/artifactory/api/npm/default-npm/
+pnpm set //schmalz.jfrog.io/artifactory/api/npm/default-npm/:_authToken=<jfrog-token>
+[ check-dedupe == true ] && pnpm --prefix=<working-directory> dedupe --check
+pnpm --prefix=<working-directory> install --frozen-lockfile
+for script in <run-scripts split by comma>:
+  pnpm --prefix=<working-directory> run <script>
+```
+
+---
+
+### Action 6: `terraform-validate`
+
+**Responsibility:** Validate Terraform code without a backend (for PR checks). Runs `fmt -check` and `validate`.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `terraform-dir` | no | `terraform` | Directory containing `.tf` files |
+| `terraform-version` | no | `1.11` | Terraform version (uses `hashicorp/terraform:<version>` image via container step) |
+| `jfrog-token` | yes | — | Sets `TF_TOKEN_schmalz_jfrog_io` for module downloads |
+| `aws-role-arn` | no | — | If provided, runs `aws-configure` before validate (needed when provider requires auth) |
+| `aws-profile` | no | `stage` | Profile to configure if `aws-role-arn` given |
+
+**What it does:**
+```bash
+export TF_TOKEN_schmalz_jfrog_io="<jfrog-token>"
+export TF_WORKSPACE=stage
+terraform -chdir=<terraform-dir> init -backend=false -no-color
+terraform -chdir=<terraform-dir> fmt -check -recursive
+terraform -chdir=<terraform-dir> validate
+```
+
+When `aws-role-arn` is provided, the action first invokes `aws-configure` as a composite step:
+```yaml
+- uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+  if: ${{ inputs.aws-role-arn != '' }}
+  with:
+    role-arn: ${{ inputs.aws-role-arn }}
+    aws-profile: ${{ inputs.aws-profile }}
+```
+
+---
+
+### Action 7: `terraform-apply`
+
+**Responsibility:** Full Terraform init + workspace selection + apply + output capture. Replaces all "Deploy infrastructure" steps across Bitbucket pipelines.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `terraform-dir` | no | `terraform` | Directory containing `.tf` files |
+| `terraform-version` | no | `1.11` | Terraform version (uses `hashicorp/terraform:<version>` image via container step) |
+| `var-file` | yes | — | Path to `.tfvars` file (e.g., `stage.tfvars`) |
+| `workspace` | yes | — | Terraform workspace (`stage` or `prod`) |
+| `aws-role-arn` | yes | — | IAM role for AWS provider auth (via OIDC) |
+| `aws-profile` | no | `default` | AWS profile name |
+| `jfrog-token` | yes | — | Sets `TF_TOKEN_schmalz_jfrog_io` |
+| `output-names` | no | `` | Comma-separated list of `terraform output` names to capture as files in `.outputs/` |
+| `plan-only` | no | `false` | Run `plan -out terraform.plan` instead of `apply` (for prod approval gates) |
+| `plan-file` | no | `` | Path to a pre-existing plan file to apply (skips re-planning) |
+| `output-json-names` | no | `` | Comma-separated list of output names to capture as JSON (`terraform output --json`); written to `.outputs/<name>.json` |
+
+**What it does:**
+```bash
+# aws-configure is invoked first as a composite step (see below)
+export TF_TOKEN_schmalz_jfrog_io="<jfrog-token>"
+export TF_WORKSPACE=<workspace>
+export AWS_PROFILE=<aws-profile>
+terraform -chdir=<terraform-dir> init -no-color
+# if plan-only:
+  terraform -chdir=<terraform-dir> plan -var-file=<var-file> -out terraform.plan -no-color
+# elif plan-file set:
+  terraform -chdir=<terraform-dir> apply -auto-approve -no-color <plan-file>
+# else:
+  terraform -chdir=<terraform-dir> apply -var-file=<var-file> -auto-approve -no-color
+# capture outputs
+mkdir -p <terraform-dir>/.outputs
+for name in <output-names>:
+  terraform -chdir=<terraform-dir> output --raw <name> > <terraform-dir>/.outputs/<name>
+```
+
+The action invokes `aws-configure` as its first composite step:
+```yaml
+- uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+  with:
+    role-arn: ${{ inputs.aws-role-arn }}
+    aws-profile: ${{ inputs.aws-profile }}
+```
+
+**Artifacts:** `<terraform-dir>/.outputs/**` and optionally `<terraform-dir>/terraform.plan`
+
+---
+
+### Action 8: `aws-s3-sync`
+
+**Responsibility:** Sync build artifacts to S3, clean up old versioned assets, optionally invalidate CloudFront. Replaces the S3 sync + cleanup + invalidation shell blocks in schmalz-core-platform and other frontend pipelines.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `source-dir` | yes | — | Local path to sync (e.g., `frontend/dist/client`) |
+| `s3-bucket` | yes | — | Target S3 bucket name. Callers must pass this explicitly, e.g., `${{ steps.tf.outputs.s3_bucket_name }}` |
+| `cache-control` | no | `public, max-age=31536000, immutable` | HTTP Cache-Control header |
+| `aws-role-arn` | yes | — | IAM role (via OIDC) |
+| `aws-profile` | no | `default` | AWS profile name |
+| `cloudfront-distribution-ids-file` | no | `` | Path to file containing space-separated CloudFront distribution IDs. If set, creates invalidations. |
+| `retention-days` | no | `7` | Delete versioned `_static/<timestamp>` prefixes older than this many days (0 = skip cleanup) |
+
+---
+
+### Action 9: `aws-lambda-update`
+
+**Responsibility:** Update a Lambda function alias to a new version, then optionally wait until provisioned concurrency reaches READY status. Replaces the ~30-line shell block duplicated in schmalz-core-platform and similar services.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `function-name` | yes | — | Lambda function name |
+| `function-version` | yes | — | Lambda version number |
+| `alias-name` | yes | — | Alias name |
+| `wait-provisioned-concurrency` | no | `false` | Poll until provisioned concurrency is READY |
+| `aws-role-arn` | yes | — | IAM role (via OIDC) |
+| `aws-profile` | no | `default` | AWS profile |
+| `region` | no | `eu-central-1` | AWS region |
+| `lambda-alias-updates-json` | no | `` | JSON array of `{function_name, version, alias_name}` objects; when set, applies all entries instead of a single alias (used in api.schmalz.com-products) |
+
+**Note:** All inputs are required explicitly. Callers read Terraform outputs via step outputs and pass them as inputs — no implicit file path coupling. Example:
+```yaml
+- id: tf
+  uses: schmalz/shared-actions/.github/actions/terraform-apply@v1
+  with:
+    output-names: lambda_name,lambda_version,lambda_alias_name
+
+- uses: schmalz/shared-actions/.github/actions/aws-lambda-update@v1
+  with:
+    function-name: ${{ steps.tf.outputs.lambda_name }}
+    function-version: ${{ steps.tf.outputs.lambda_version }}
+    alias-name: ${{ steps.tf.outputs.lambda_alias_name }}
+    aws-role-arn: ${{ vars.STAGE_AWS_ROLE_ARN }}
+```
+
+> **Note:** `terraform-apply` must expose output values via `$FORGEJO_OUTPUT` in addition to writing `.outputs/` files, so callers can reference them as `steps.<id>.outputs.<name>`.
+
+---
+
+### Action 10: `playwright-e2e`
+
+**Responsibility:** Run Playwright E2E tests, optionally with sharding, then upload results to S3. Replaces all Playwright steps in schmalz-core-platform (5-shard), api.schmalz.com-products, encoway-web-configurators, etc.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `working-directory` | no | `e2e` | Directory with Playwright config |
+| `playwright-version` | no | `v1.58.2` | Playwright Docker image version |
+| `jfrog-token` | yes | — | JFrog npm auth token |
+| `pnpm-version` | no | `10.11` | pnpm version |
+| `shard-index` | no | `1` | Current shard (1-based). Set to `${{ matrix.shard }}` for matrix jobs. |
+| `shard-total` | no | `1` | Total number of shards. 1 = no sharding. |
+| `s3-reports-bucket` | yes | — | S3 bucket for test report upload |
+| `s3-reports-prefix` | yes | — | S3 path prefix (e.g., `reports/api-schmalz-com-products`) |
+| `aws-role-arn` | yes | — | IAM role (via OIDC) |
+| `aws-profile` | no | `stage` | AWS profile |
+| `extra-deps` | no | `` | Space-separated list of apt packages to install before tests |
+
+**Sharding note:** For multi-shard tests (like schmalz-core-platform with 5 shards), use a matrix strategy in the consumer workflow:
+
+**Action body (composite steps — relevant excerpt):**
+```yaml
+steps:
+  - uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+    with:
+      role-arn: ${{ inputs.aws-role-arn }}
+      aws-profile: ${{ inputs.aws-profile }}
+
+  - name: Run Playwright tests
+    # ... docker run with shard args ...
+
+  - name: Upload results to S3
+    run: |
+      aws s3 sync playwright-report/ s3://${{ inputs.s3-reports-bucket }}/${{ inputs.s3-reports-prefix }}/shard-${{ inputs.shard-index }}/ \
+        --profile ${{ inputs.aws-profile }}
+```
+
+**Consumer sharding example:**
+```yaml
+strategy:
+  matrix:
+    shard: [1, 2, 3, 4, 5]
+```
+Then a separate merge job collects `blob-report/**` artifacts and calls `npx playwright merge-reports`.
+
+---
+
+### Action 11: `rust-build`
+
+**Responsibility:** Run Rust CI — fmt check, clippy, tests, optional cross-compilation. Replaces all Rust CI steps from keycloak-at-edge, go-schmalz-com, schmalz-lambda-utils-rs, and image.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `toolchain` | no | `stable` | Rust toolchain (stable, beta, nightly) |
+| `features` | no | `` | Comma-separated feature flags for `--features` |
+| `cross-target` | no | `` | If set, installs `cross` and uses it for the given target |
+| `run-fmt` | no | `true` | Run `cargo fmt --check` |
+| `run-clippy` | no | `true` | Run `cargo clippy -- -D warnings` |
+| `run-tests` | no | `true` | Run `cargo test` |
+| `run-deny` | no | `false` | Run `cargo deny check` |
+| `run-semver-checks` | no | `false` | Run `cargo semver-checks` |
+| `sccache-enabled` | no | `true` | Source `sccache_ci_setup.sh` if present |
+| `working-directory` | no | `.` | Crate root directory |
+
+---
+
+### Action 12: `publish-npm-package`
+
+**Responsibility:** Build and publish a library package to JFrog Artifactory npm registry. Triggered on semver version tags. Replaces publish pipelines for schmalz-ui-*, schmalz-lambda-utils-ts, schmalz-test-utils, etc.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `working-directory` | no | `.` | Package root (where `package.json` lives) |
+| `pnpm-version` | no | `10.14` | pnpm version |
+| `jfrog-token` | yes | — | JFrog npm auth token |
+| `registry-url` | no | `https://schmalz.jfrog.io/artifactory/api/npm/default-npm/` | npm registry to publish to |
+| `build-script` | no | `build` | Script to run before `pnpm publish` |
+
+**What it does:**
+```bash
+npm i -g pnpm@<pnpm-version>
+pnpm set registry <registry-url>
+pnpm set <registry-scope>:_authToken=<jfrog-token>
+pnpm --prefix=<working-directory> install --frozen-lockfile
+pnpm --prefix=<working-directory> run <build-script>
+pnpm --prefix=<working-directory> publish --no-git-checks
+```
+
+---
+
+### Action 13: ~~`sbom-upload`~~ — **Removed**
+
+> **CycloneDX SBOM upload via DependencyTrack is obsolete and has been removed from scope.** The `bitbucket-pipe-sbom` pipe is no longer used. Services that previously had an `sbom-upload` stage (danger-review, abaspim, babtec, betreuersuche) will not have an equivalent stage in the Forgejo migration. If SBOM tooling is reintroduced in future, it will be implemented as a new action.
+
+---
+
+### Action 14: `terraform-module-publish`
+
+**Responsibility:** Zip a Terraform module and publish it to JFrog Artifactory on git tags. Replaces the `schmalz-terraform-modules` Bitbucket pipeline publish step.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `module-dir` | yes | — | Path to the module directory to zip |
+| `module-name` | yes | — | Module name (used in the zip filename and upload path) |
+| `version` | yes | — | Version string (from git tag, e.g., `1.2.3`) |
+| `jfrog-url` | no | `https://schmalz.jfrog.io/artifactory/terraform/schmalz` | JFrog Terraform registry URL |
+| `jfrog-token` | yes | — | JFrog access token |
+
+---
+
+### Action 15: `docker-build-push`
+
+**Responsibility:** Build a Docker image and push it to JFrog with semver tags (major, minor, patch). Replaces db-devcontainer-base, bitbucket-pipe-i18n, bitbucket-pipe-sbom build pipelines.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `image-name` | yes | — | Image name (e.g., `default-docker/db-devcontainer-base`) |
+| `registry` | no | `schmalz.jfrog.io` | Container registry hostname |
+| `dockerfile` | no | `Dockerfile` | Path to Dockerfile |
+| `context` | no | `.` | Docker build context |
+| `version-tag` | yes | — | Full semver tag (e.g., `1.2.3`) — action auto-computes `1.2` and `1` aliases |
+| `jfrog-token` | yes | — | JFrog registry password/token |
+| `jfrog-user` | no | `jfrog-cicd-user` | JFrog registry username |
+
+---
+
+### Action 16: `publish-rust-crate`
+
+**Responsibility:** Build, test, and publish a Rust crate to JFrog Artifactory's Cargo registry. Replaces the `schmalz-lambda-utils-rs` Bitbucket pipeline publish step.
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `working-directory` | no | `.` | Crate root directory |
+| `rust-version` | no | `1.87` | Rust toolchain version |
+| `cargo-registry-name` | no | `jfrog` | Name of the Cargo registry (as configured in `.cargo/config.toml`) |
+| `jfrog-token` | yes | — | JFrog access token for Cargo registry auth |
+| `run-tests` | no | `true` | Run `cargo test` before publishing |
+
+**What it does:**
+```bash
+rustup default <rust-version>
+cargo test  # if run-tests
+cargo publish --registry <cargo-registry-name>
+```
+
+---
+
+### Action 17: `cloudfront-invalidate`
+
+**Responsibility:** Invalidate one or more CloudFront distributions. Standalone action for repos that need CF invalidation without S3 sync (e.g., `go-schmalz-com`, `keycloak-at-edge`, repos using `aws-lambda-update` without `aws-s3-sync`).
+
+**Inputs:**
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `distribution-ids` | yes | — | Space-separated CloudFront distribution IDs, or path to file containing them |
+| `paths` | no | `/*` | Invalidation paths |
+| `aws-role-arn` | yes | — | IAM role (via OIDC) |
+| `aws-profile` | no | `default` | AWS profile name |
+
+> **Note:** `aws-s3-sync` already has built-in CloudFront invalidation via its `cloudfront-distribution-ids-file` input. Use this standalone action only when invalidation is needed without S3 sync.
+
+---
+
+## Consumer Workflow Patterns
+
+### Pattern A — Java/Kubernetes Service (replaces all 18 Jenkinsfiles)
+
+**File structure per repo:**
+```
+.forgejo/workflows/
+  pr.yml
+  deploy.yml
+```
+
+**`.forgejo/workflows/pr.yml`:**
+```yaml
+name: PR Validation
+on:
+  pull_request:
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: schmalz/shared-actions/.github/actions/maven-build@v1
+        with:
+          phase: verify
+          maven-profile: test
+          java-version: "17"          # adjust per service
+          maven-settings: ${{ secrets.MAVEN_SETTINGS_XML }}
+```
+
+**`.forgejo/workflows/deploy.yml`:**
+```yaml
+name: Deploy
+on:
+  push:
+    branches: [dev, main]
+
+env:
+  SERVICE: danger-review          # set to this repo's service name
+  ENVIRONMENT: ${{ github.ref_name == 'main' && 'pu' || 'su' }}
+  HELM_HOST: ${{ github.ref_name == 'main' && 'dsp1.schmalzgroup.net' || 'dsp1-stage.schmalzgroup.net' }}
+  OVERRIDES_FILE: ${{ github.ref_name == 'main' && 'kubernetes/overrides-pu.yaml' || 'kubernetes/overrides-su.yaml' }}
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    enable-openid-connect: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: schmalz/shared-actions/.github/actions/secrets-inject@v1
+        with:
+          secret-content: ${{ secrets[format('{0}-secrets-{1}', env.SERVICE, env.ENVIRONMENT)] }}
+          target-file: src/main/resources/application-${{ env.ENVIRONMENT }}.properties
+
+      - uses: schmalz/shared-actions/.github/actions/maven-build@v1
+        with:
+          phase: package-and-push
+          maven-profile: ${{ github.ref_name == 'main' && 'prod' || 'test' }}
+          image-tag: ${{ github.sha }}-${{ github.run_id }}
+          maven-settings: ${{ secrets.MAVEN_SETTINGS_XML }}
+
+      - uses: schmalz/shared-actions/.github/actions/helm-deploy@v1
+        with:
+          service-name: ${{ env.SERVICE }}
+          helm-host: ${{ env.HELM_HOST }}
+          overrides-file: ${{ env.OVERRIDES_FILE }}
+          image-tag: ${{ github.sha }}-${{ github.run_id }}
+          ssh-key: ${{ secrets.DSP1_SSH_KEY }}
+```
+
+**Per-service customization:** Set `SERVICE` to the repo's service name in the workflow-level `env:` block (as shown above — do not use repo-level variables). Java version and Maven profile vary per service (see table below).
+
+#### Java Service Configuration Reference
+
+| Service | Java | Maven Image | Image Tag Format | Extra Stages |
+|---------|------|-------------|-----------------|-------------|
+| shopqa | 8 | `maven:3.8.5-openjdk-8` | `GIT_COMMIT-epoch` | Pattern G cron (see below) |
+| employee | 8 | `maven:3.8.5-openjdk-8` | `GIT_COMMIT-epoch` | `--timeout 8m0s` on helm |
+| abwesenheitsassistent | **17** | `maven:3.8.5-openjdk-17` | `GIT_COMMIT-epoch` | copy .npmrc before build |
+| danger-review | **17** | `maven:3.8.5-eclipse-temurin-17` | `GIT_COMMIT-epoch` | copy .npmrc |
+| ratingtool | 8 | `maven:3.8.5-openjdk-8` | `GIT_COMMIT` | Pattern G cron (see below) |
+| blueprint-vue | **25** | `maven:3.9.12-eclipse-temurin-25` | `GIT_COMMIT-epoch` | copy .npmrc |
+| blueprint | 25 | `maven:3.9.12-eclipse-temurin-25` | `GIT_COMMIT-epoch` | — |
+| abasinno | 8 | `maven:3.8.5-openjdk-8` | `GIT_COMMIT-epoch` | — |
+| vmi | 8 | `maven:3.8.5-openjdk-8` | `GIT_COMMIT` | copy .npmrc |
+| mail | 8 | `maven:3.8.5-openjdk-8` | `GIT_COMMIT` | — |
+| betreuersuche | **17** | `maven:3.8.5-openjdk-17` | `GIT_COMMIT-epoch` | Pattern G cron (see below) |
+| abaspim | 8 | `maven:3.8.5-openjdk-8` | `GIT_COMMIT` | — |
+| babtec | 8 | `maven:3.8.5-openjdk-8` | `GIT_COMMIT` | — |
+| productsearch | **17** | `maven:3.8.5-openjdk-17` | `GIT_COMMIT` | — |
+| menuplan | 8 | `maven:3.8.5-openjdk-8` | `GIT_COMMIT` | — |
+| yokoy | **17** | `maven:3.8.5-openjdk-17` | `GIT_COMMIT` | — |
+
+> **Image tag standardization:** Jenkins pipelines inconsistently use `GIT_COMMIT` (8 services) vs `GIT_COMMIT-epoch` (8 services). The migration standardizes on `${{ github.sha }}-${{ github.run_id }}` for all services, which is equivalent to the `GIT_COMMIT-epoch` pattern and guarantees uniqueness even for re-runs of the same commit.
+
+> **ESB (all services):** The ESB monorepo will be split into individual single-service repositories before migration. Each resulting repo will be migrated independently using Pattern A. ESB is excluded from this table; add rows here once the split is complete.
+
+**Note on services with `.npmrc` (abwesenheitsassistent, blueprint-vue, vmi, danger-review):** Add a step before `maven-build` to write `.npmrc` from a secret. These services have a frontend sub-module requiring JFrog npm auth.
+
+---
+
+### Pattern B — TypeScript Lambda + Terraform Service (replaces ~40 Bitbucket pipelines)
+
+**`.forgejo/workflows/pr.yml`:**
+```yaml
+name: PR Validation
+on:
+  pull_request:
+
+jobs:
+  validate-backend:
+    runs-on: ubuntu-latest
+    if: # only when backend-ts/** changed (use paths filter)
+    steps:
+      - uses: actions/checkout@v4
+      - uses: schmalz/shared-actions/.github/actions/pnpm-build@v1
+        with:
+          working-directory: backend-ts
+          run-scripts: ci,typecheck,build,test:unit
+          jfrog-token: ${{ secrets.JFROG_TOKEN }}
+
+  validate-infra:
+    runs-on: ubuntu-latest
+    enable-openid-connect: true
+    if: # only when terraform/** changed
+    steps:
+      - uses: actions/checkout@v4
+      - uses: schmalz/shared-actions/.github/actions/terraform-validate@v1
+        with:
+          terraform-dir: terraform
+          jfrog-token: ${{ secrets.JFROG_TOKEN }}
+          aws-role-arn: ${{ vars.STAGE_AWS_ROLE_ARN }}
+```
+
+**`.forgejo/workflows/deploy.yml`:**
+```yaml
+name: Deploy
+on:
+  push:
+    branches: [dev, main]
+
+env:
+  IS_PROD: ${{ github.ref_name == 'main' }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: schmalz/shared-actions/.github/actions/pnpm-build@v1
+        with:
+          working-directory: backend-ts
+          run-scripts: ci,typecheck,build
+          jfrog-token: ${{ secrets.JFROG_TOKEN }}
+      - uses: actions/upload-artifact@v4
+        with:
+          name: backend-dist
+          path: backend-ts/dist/**
+
+  deploy:
+    needs: build
+    runs-on: ubuntu-latest
+    enable-openid-connect: true
+    environment: ${{ github.ref_name == 'main' && 'prod' || 'stage' }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          name: backend-dist
+          path: backend-ts/dist
+
+      - id: tf
+        uses: schmalz/shared-actions/.github/actions/terraform-apply@v1
+        with:
+          terraform-dir: terraform
+          workspace: ${{ github.ref_name == 'main' && 'prod' || 'stage' }}
+          var-file: ${{ github.ref_name == 'main' && 'prod.tfvars' || 'stage.tfvars' }}
+          aws-role-arn: ${{ github.ref_name == 'main' && vars.PROD_AWS_ROLE_ARN || vars.STAGE_AWS_ROLE_ARN }}
+          aws-profile: ${{ github.ref_name == 'main' && 'prod' || 'stage' }}
+          jfrog-token: ${{ secrets.JFROG_TOKEN }}
+          output-names: lambda_name,lambda_version,lambda_alias_name,s3_bucket_name,cloudfront_distribution_ids
+
+      - uses: schmalz/shared-actions/.github/actions/aws-lambda-update@v1
+        with:
+          function-name: ${{ steps.tf.outputs.lambda_name }}
+          function-version: ${{ steps.tf.outputs.lambda_version }}
+          alias-name: ${{ steps.tf.outputs.lambda_alias_name }}
+          aws-role-arn: ${{ github.ref_name == 'main' && vars.PROD_AWS_ROLE_ARN || vars.STAGE_AWS_ROLE_ARN }}
+          aws-profile: ${{ github.ref_name == 'main' && 'prod' || 'stage' }}
+```
+
+---
+
+### Pattern C — Terraform-only Infrastructure (aws-infra-app, aws-infra-dev)
+
+Prod uses plan → manual approval → apply via Forgejo environment protection rules.
+
+```yaml
+# deploy.yml
+jobs:
+  plan-prod:
+    if: github.ref_name == 'main'
+    environment: prod-plan        # no reviewers, just captures plan
+    enable-openid-connect: true
+    steps:
+      - uses: actions/checkout@v4
+      - uses: schmalz/shared-actions/.github/actions/terraform-apply@v1
+        with:
+          plan-only: true
+          var-file: prod.tfvars
+          workspace: prod
+          aws-role-arn: ${{ vars.PROD_AWS_ROLE_ARN }}
+          jfrog-token: ${{ secrets.JFROG_TOKEN }}
+      - uses: actions/upload-artifact@v4
+        with:
+          name: tf-plan-prod
+          path: terraform/terraform.plan
+          retention-days: 1
+
+  apply-prod:
+    needs: plan-prod
+    environment: prod             # <-- requires manual approval in Forgejo
+    enable-openid-connect: true
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          name: tf-plan-prod
+          path: terraform
+      - uses: schmalz/shared-actions/.github/actions/terraform-apply@v1
+        with:
+          plan-file: terraform/terraform.plan
+          workspace: prod
+          aws-role-arn: ${{ vars.PROD_AWS_ROLE_ARN }}
+          jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+---
+
+### Pattern D — Library Package (schmalz-ui-*, schmalz-lambda-utils-ts, etc.)
+
+```yaml
+# release.yml — triggered on v*.*.* tags
+name: Publish
+on:
+  push:
+    tags: ["v*.*.*"]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: schmalz/shared-actions/.github/actions/publish-npm-package@v1
+        with:
+          jfrog-token: ${{ secrets.JFROG_TOKEN }}
+          build-script: build
+```
+
+---
+
+### Pattern E — Playwright E2E with Sharding (schmalz-core-platform)
+
+```yaml
+# e2e.yml
+name: E2E Tests
+on:
+  workflow_dispatch:
+  # or: called after deploy
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    enable-openid-connect: true
+    strategy:
+      matrix:
+        shard: [1, 2, 3, 4, 5]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: schmalz/shared-actions/.github/actions/playwright-e2e@v1
+        with:
+          working-directory: frontend
+          shard-index: ${{ matrix.shard }}
+          shard-total: 5
+          s3-reports-bucket: com.schmalz.db.stage.test-reports
+          s3-reports-prefix: reports/schmalz-core-platform
+          aws-role-arn: ${{ vars.STAGE_AWS_ROLE_ARN }}
+          jfrog-token: ${{ secrets.JFROG_TOKEN }}
+
+  merge-reports:
+    needs: test
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: blob-report-*
+          merge-multiple: true
+          path: frontend/blob-report
+      # merge + upload with aws-configure + shell steps
+      # (this is service-specific enough to stay inline in core-platform)
+```
+
+---
+
+### Pattern G — Cron Jobs
+
+Services that had scheduled tasks in Jenkins (indicated as `cron: trigger-endpoint` in the configuration table) fall into two categories. Use the right sub-pattern depending on what the cron actually does.
+
+#### G1 — HTTP endpoint trigger (scheduled curl)
+
+Use this when the cron job's only purpose is to call an HTTP endpoint on the running service (e.g., to kick off a background batch job). No build or deploy step is needed.
+
+**`.forgejo/workflows/cron.yml`:**
+```yaml
+name: Cron Trigger
+on:
+  schedule:
+    - cron: "0 2 * * *"   # replace with schedule from Jenkins config
+
+jobs:
+  trigger:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger endpoint
+        run: |
+          curl -sf -X POST \
+            -H "Authorization: Bearer ${{ secrets.CRON_TRIGGER_TOKEN }}" \
+            https://<service-host>/api/trigger
+```
+
+**Secrets required:** `CRON_TRIGGER_TOKEN` — auth token for the endpoint (add as repo or org secret). If the endpoint is unauthenticated on internal infra, omit the header.
+
+#### G2 — Scheduled job / script (no external endpoint)
+
+Use this when the cron runs a script, SQL job, or container directly in CI — not via an HTTP call.
+
+**`.forgejo/workflows/cron.yml`:**
+```yaml
+name: Cron Job
+on:
+  schedule:
+    - cron: "0 2 * * *"   # replace with schedule from Jenkins config
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    enable-openid-connect: true   # only if AWS access is needed
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+        # remove if no AWS needed
+        with:
+          role-arn: ${{ vars.STAGE_AWS_ROLE_ARN }}
+
+      - name: Run scheduled task
+        run: |
+          # replace with the actual command/script from Jenkins
+          ./scripts/run-batch.sh
+```
+
+#### Cron services in scope
+
+| Service | Cron type | Notes |
+|---------|-----------|-------|
+| shopqa | G1 | Every 30 minutes (`*/30 * * * *` UTC) — Jenkins: `H/30 * * * *` |
+| ratingtool | G1 | Two schedules: daily (`0 5 * * *`) + yearly Sept 1 (`0 5 1 9 *`) — Jenkins: daily + `H 7 1 9 *` |
+| betreuersuche | G1 | Check Jenkins for schedule and endpoint URL |
+
+> **Note:** Forgejo cron schedules use UTC. Adjust from Jenkins timezones if needed. Also note that Forgejo only runs `schedule` triggers when the workflow file exists on the **default branch**.
+
+---
+
+### Pattern F — Cross-Repo Trigger (replaces Bitbucket `trigger-pipeline`)
+
+Use this when one repo must trigger a workflow in another repo — for example, triggering an API docs rebuild in `api.schmalz.com` after any `api.schmalz.com-*` service deploys.
+
+**Mechanism:** Forgejo `repository_dispatch` API. The source repo POSTs to the target repo's dispatch endpoint. The target repo has a workflow listening for `repository_dispatch`.
+
+**Source repo — send trigger step:**
+```yaml
+- name: Trigger downstream repo
+  run: |
+    curl -X POST \
+      -H "Authorization: token ${{ secrets.FORGEJO_PAT }}" \
+      -H "Content-Type: application/json" \
+      https://schmalz-git.git.onstackit.cloud/api/v1/repos/schmalz/api.schmalz.com/dispatches \
+      -d '{"type": "api-updated", "inputs": {"caller": "${{ github.repository }}", "sha": "${{ github.sha }}"}}'
+```
+
+**Target repo — receive trigger (`.forgejo/workflows/on-api-updated.yml`):**
+```yaml
+name: On API Updated
+on:
+  repository_dispatch:
+    types: [api-updated]
+
+jobs:
+  rebuild-docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Rebuild docs
+        run: # ... docs build steps ...
+```
+
+**Secrets required:** `FORGEJO_PAT` — a personal access token (or machine account token) with `repo` scope on the target repo. Store as an org-level secret so all source repos can use it without duplication.
+
+**Note:** `FORGEJO_PAT` is distinct from `FORGEJO_TOKEN` (the built-in per-job token). It must be created manually and granted cross-repo write access.
+
+---
+
+## Migration Order
+
+### Phase 1 — Foundation (unblocks everything else)
+1. Create `schmalz/shared-actions` repository in STACKIT Git
+2. Complete OIDC setup in AWS (both accounts) — **this blocks all AWS-related pipelines**
+3. Implement and test `aws-configure` action
+4. Implement `terraform-validate` + `terraform-apply`
+5. Migrate `aws-infra-app` (pure Terraform, no build, simplest possible consumer)
+6. Migrate `aws-infra-dev`
+7. Tag `v1.0.0`
+
+### Phase 2 — TypeScript Lambda Services (largest group)
+1. Implement `pnpm-build`, `aws-s3-sync`, `aws-lambda-update`
+2. Migrate 3 simpler Lambda services as pilot: `api.schmalz.com-jobs` (AWS pilot — straightforward Lambda + Terraform), `blueprint` and `blueprint-vue` (internal K8s pilot — Java/Helm, different stack)
+3. Migrate remaining ~35 TypeScript services
+4. Tag `v1.1.0`
+
+### Phase 3 — Java/Jenkins Services
+
+**Prerequisites / gate (confirmed, not pending):**
+- K8s deployment target: **on-prem SSH/Helm is permanent** — `helm-deploy` deploys to `dsp1.schmalzgroup.net` (stage) and `dsp1-stage.schmalzgroup.net` (prod). No AWS migration for these services. `helm-deploy` is a permanent shared action, not transitional.
+- ESB monorepo must be split into single-service repos before any ESB services can be migrated. Phase 3 starts ESB migration only after the split is complete.
+
+1. Implement `maven-build`, `helm-deploy`, `secrets-inject`
+2. Migrate 2 simple Java services as pilot (`mail`, `productsearch`)
+3. Migrate remaining 16 Java services
+4. Migrate ESB services (after monorepo split — see Prerequisites above)
+5. Tag `v1.2.0`
+
+### Phase 4 — E2E, Rust, Complex Services
+1. Implement `playwright-e2e`, `rust-build`, `publish-rust-crate`, `cloudfront-invalidate`
+2. Migrate `schmalz-core-platform` (most complex — parallel builds, 5-shard E2E, JMeter)
+3. Migrate `keycloak-at-edge`, `go-schmalz-com` (Rust backends)
+4. Migrate `schmalz-lambda-utils-rs`
+5. Tag `v1.3.0`
+
+### Phase 5 — Libraries, Infra Modules, Docker Images
+1. Implement `publish-npm-package`, `terraform-module-publish`, `docker-build-push`
+2. Migrate `schmalz-terraform-modules`
+3. Migrate all npm library packages (schmalz-ui-*, utils-ts, etc.)
+4. Migrate `db-devcontainer-base`, custom pipe repositories
+5. Tag `v1.4.0`
+
+---
+
+## Caching Strategy
+
+Every Bitbucket pipeline uses `caches:` extensively. Forgejo Actions must replicate this for acceptable build times.
+
+**Approach:** Each shared action is responsible for its own caching internally. Consumer workflows should not need to configure caching.
+
+| Action | Cache Key | Cache Path | Notes |
+|--------|-----------|------------|-------|
+| `pnpm-build` | `pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}` | `~/.local/share/pnpm/store/v3` | pnpm store |
+| `maven-build` | `maven-${{ hashFiles('**/pom.xml') }}` | `~/.m2/repository` | Maven local repo |
+| `terraform-apply` | `terraform-${{ hashFiles('**/.terraform.lock.hcl') }}` | `<terraform-dir>/.terraform/providers` | TF provider plugins |
+| `terraform-validate` | Same as `terraform-apply` | Same | Shares cache key |
+| `rust-build` | `cargo-${{ hashFiles('**/Cargo.lock') }}` | `~/.cargo/registry`, `target/` | Cargo registry + build artifacts |
+| `playwright-e2e` | `playwright-${{ inputs.playwright-version }}` | `~/.cache/ms-playwright` | Browser binaries |
+
+**Implementation:** Use `actions/cache@v4` (available on Forgejo via `https://data.forgejo.org/actions/cache@v4`). Each action's `action.yml` should include a cache step before the build step with `restore-keys` for partial matches.
+
+> **Note:** Forgejo Actions cache storage is per-repository. Cache size limits depend on the STACKIT Git instance configuration — verify the default limit (typically 10 GB per repo) is sufficient for large Maven/Cargo caches.
+
+---
+
+## Version Standardization Matrix
+
+Current pipelines use inconsistent tool versions. Standardize on these versions for migration:
+
+| Tool | Current Range (across repos) | Migration Standard | Notes |
+|------|-----------------------------|--------------------|-------|
+| pnpm | 9.9.0 – 10.30 | `10.11` | Match pnpm-build default; repos can override |
+| Node.js | 22 – 24 | `22` (LTS) | Via pnpm-build `node-version` input |
+| Terraform | 1.9.5 – 1.14 | `1.11` | Match terraform-apply default |
+| Rust | 1.76 – 1.87 | `1.87` | Latest stable; match rust-build default |
+| Playwright | 1.47 – 1.58 | `v1.58.2` | Match playwright-e2e default |
+| Java | 8, 17, 25 | Per-service (see table) | Cannot standardize — JDK version is app-dependent |
+
+> **Action defaults define the standard.** Repos that need a different version override via the action's version input. This avoids per-repo configuration drift.
+
+---
+
+## Forgejo-Specific Migration Notes
+
+### Path Filtering
+
+Bitbucket pipelines can filter by changed paths per step. Forgejo (like GitHub Actions) only supports path filtering at the **workflow trigger level** (`on.push.paths`), not per-job or per-step.
+
+**Workarounds:**
+1. **Separate workflows per path scope** — e.g., `deploy-backend.yml` with `paths: ['backend-ts/**']` and `deploy-terraform.yml` with `paths: ['terraform/**']`
+2. **`dorny/paths-filter` action** — use `https://data.forgejo.org/dorny/paths-filter@v3` to compute changed paths, then use `if:` conditions on subsequent jobs
+
+### Runner Sizing
+
+Bitbucket supports `size: 2x` (8GB RAM) for memory-intensive steps. Forgejo runner sizing depends on the STACKIT Git instance configuration. If `2x` runners are needed (e.g., for Playwright, large Maven builds), request labeled runners from STACKIT or configure runner labels in the instance admin.
+
+### Parallel Step Migration
+
+Bitbucket `parallel:` blocks run steps concurrently within a pipeline. In Forgejo, use **jobs without `needs:`** to achieve the same parallelism — independent jobs run concurrently by default.
+
+**Bitbucket `BITBUCKET_PARALLEL_STEP` variable:** Some pipelines read this to determine shard behavior. Replace with `${{ matrix.shard }}` in Forgejo matrix jobs.
+
+### Environment Protection
+
+Forgejo supports `environment:` with protection rules (manual approval) similar to GitHub. Configure environments in the repo or org settings:
+- `prod` — require manual approval for production deploys (Pattern C)
+- `stage` — no approval required
+
+### `BITBUCKET_*` Variable Mapping
+
+| Bitbucket | Forgejo Equivalent |
+|-----------|-------------------|
+| `BITBUCKET_COMMIT` | `${{ github.sha }}` |
+| `BITBUCKET_BRANCH` | `${{ github.ref_name }}` |
+| `BITBUCKET_REPO_SLUG` | `${{ github.event.repository.name }}` |
+| `BITBUCKET_BUILD_NUMBER` | `${{ github.run_number }}` |
+| `BITBUCKET_PARALLEL_STEP` | `${{ matrix.shard }}` (in matrix jobs) |
+| `BITBUCKET_STEP_TRIGGERER_UUID` | `${{ github.actor }}` |
+
+---
+
+## Additional Patterns & Edge Cases
+
+### i18n Auto-PR Pattern (encoway-web-configurators)
+
+Replaces the Bitbucket `bitbucket-pipe-i18n` auto-commit + PR workflow. In Forgejo, this becomes a workflow step that commits translations and opens a PR via Forgejo API.
+
+```yaml
+# In the deploy workflow, after build:
+- name: Commit i18n updates and create PR
+  if: env.I18N_CHANGED == 'true'
+  run: |
+    git config user.name "CI Bot"
+    git config user.email "ci@schmalzgroup.com"
+    BRANCH="i18n/update-$(date +%Y%m%d-%H%M%S)"
+    git checkout -b "$BRANCH"
+    git add src/locales/
+    git commit -m "chore(i18n): update translations"
+    git push origin "$BRANCH"
+    # Create PR via Forgejo API
+    curl -X POST \
+      -H "Authorization: token ${{ secrets.FORGEJO_PAT }}" \
+      -H "Content-Type: application/json" \
+      https://schmalz-git.git.onstackit.cloud/api/v1/repos/${{ github.repository }}/pulls \
+      -d "{\"title\": \"chore(i18n): update translations\", \"head\": \"$BRANCH\", \"base\": \"${{ github.ref_name }}\"}"
+```
+
+> **Open Question #5 is resolved:** This is a per-repo workflow step, not a shared action, since only encoway-web-configurators uses it.
+
+### api.schmalz.com `update-docs` Custom Pipeline
+
+The `api.schmalz.com` repo has a custom Bitbucket pipeline `update-docs` triggered via `trigger-pipeline` from other API repos. This is replaced by **Pattern F** (repository_dispatch). No additional action needed.
+
+### Terraform JSON Output (api.schmalz.com-products)
+
+`api.schmalz.com-products` uses `terraform output --json lambda_alias_updates` which returns a JSON array of `{function_name, version, alias_name}` objects. The current `terraform-apply` action only supports `--raw` via `output-names`.
+
+**Solution:** Add an `output-json-names` input to `terraform-apply`:
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `output-json-names` | no | `` | Comma-separated list of output names to capture as JSON (uses `terraform output --json` instead of `--raw`) |
+
+The action writes JSON output to `<terraform-dir>/.outputs/<name>.json` and sets step outputs. Callers parse with `fromJSON()`:
+```yaml
+- id: tf
+  uses: schmalz/shared-actions/.github/actions/terraform-apply@v1
+  with:
+    output-json-names: lambda_alias_updates
+
+- uses: schmalz/shared-actions/.github/actions/aws-lambda-update@v1
+  with:
+    lambda-alias-updates-json: ${{ steps.tf.outputs.lambda_alias_updates }}
+```
+
+### Python ACME Build (schmalz-core-platform)
+
+`schmalz-core-platform` has a Python-based ACME certificate helper (`acme/`) built with `pip install` + custom script. This is a one-off build step, not a shared action. Handle it as a raw `run:` step in the `schmalz-core-platform` workflow:
+```yaml
+- name: Build ACME helper
+  run: |
+    cd acme
+    pip install -r requirements.txt
+    python build.py
+```
+
+---
+
+## pnpm-build Multi-Package Note
+
+Several repos (e.g., `schmalz-core-platform`, `encoway-web-configurators`) have multiple pnpm packages in different directories (e.g., `backend-ts/`, `frontend/`, `e2e/`). The `pnpm-build` action operates on a single `working-directory`.
+
+**For multi-package repos:** Call `pnpm-build` multiple times with different `working-directory` values, or use pnpm workspace features with a root-level `pnpm-workspace.yaml`. The action supports both patterns.
+
+---
+
+
+
+| # | Question | Status | Impact |
+|---|----------|--------|--------|
+| 1 | **Jenkins K8s target:** Will on-prem Kubernetes services migrate to AWS, or stay on `dsp1.schmalzgroup.net`? | **Resolved:** Stay on-prem permanently. `helm-deploy` is a permanent shared action. | — |
+| 2 | **Prod deployment gates:** Should `main`-branch deploys require a manual approval step in Forgejo Environments? | Open | Affects Pattern B and C workflow design |
+| 3 | **STACKIT Git org name:** What is the exact organization slug used for `uses: <org>/shared-actions/...`? | **Resolved:** `schmalz` | Required in every `uses:` reference |
+| 4 | **STACKIT Git OIDC hostname:** What is the actual hostname of the STACKIT Git instance? | **Resolved:** `schmalz-git.git.onstackit.cloud` (may move to `git.schmalzgroup.com`) | Required for OIDC trust policy configuration |
+| 5 | **i18n auto-PR pipeline:** The `encoway-web-configurators` pipeline auto-commits translations and creates PRs via Bitbucket API. This needs a Forgejo API equivalent. | **Resolved:** Per-repo workflow step using Forgejo PR API — see "i18n Auto-PR Pattern" section. | — |
+| 6 | **Atlassian trigger-pipeline replacement:** Several pipelines trigger cross-repo pipelines (e.g., triggering `api.schmalz.com` docs update after any API deploy). | **Resolved:** Use Forgejo `repository_dispatch` API — see Pattern F. | — |
+| 7 | **DependencyTrack token:** Currently per-service Jenkins credential. | **Obsolete:** `sbom-upload` removed from scope entirely. | — |
+
+---
+
+## Checklist: Per-Repo Migration Steps
+
+For each repository migrated, follow this checklist:
+
+- [ ] Identify which Pattern (A/B/C/D/E/F/G) applies
+- [ ] Check service-specific variations (see configuration reference tables)
+- [ ] Create `.forgejo/workflows/pr.yml`
+- [ ] Create `.forgejo/workflows/deploy.yml`
+- [ ] Add any required secrets to the repo or confirm they're inherited from org
+- [ ] Run PR workflow on a test branch and verify it passes
+- [ ] Run deploy workflow to stage and verify the deployment succeeds
+- [ ] Run deploy workflow to prod and verify
+- [ ] Disable the old Bitbucket/Jenkins pipeline
+- [ ] Document any deviations from the standard pattern
+
+---
+
+*Last updated: 2026-04-17 (v2 — review corrections applied)*
+*Status: Concept — ready for Phase 1 implementation*

From a09a422251422e8fbe93115283181717dcd24cdf Mon Sep 17 00:00:00 2001
From: Michael Seele <michael.seele@schmalz.de>
Date: Tue, 21 Apr 2026 12:20:39 +0200
Subject: [PATCH 3/5] wip: inital set of shared actions

---
 .github/actions/aikido-full-scan/README.md    |  44 +++++++
 .github/actions/aikido-full-scan/action.yml   |  29 +++++
 .github/actions/aikido-pr-scan/README.md      |  26 ++++
 .github/actions/aikido-pr-scan/action.yml     |  37 ++++++
 .github/actions/aws-configure/README.md       |  25 ++++
 .github/actions/aws-configure/action.yml      |  45 +++++++
 .github/actions/aws-lambda-update/README.md   |  50 ++++++++
 .github/actions/aws-lambda-update/action.yml  |  95 ++++++++++++++
 .github/actions/aws-s3-sync/README.md         |  31 +++++
 .github/actions/aws-s3-sync/action.yml        |  71 +++++++++++
 .../actions/cloudfront-invalidate/README.md   |  27 ++++
 .../actions/cloudfront-invalidate/action.yml  |  46 +++++++
 .github/actions/docker-build-push/README.md   |  30 +++++
 .github/actions/docker-build-push/action.yml  |  46 +++++++
 .github/actions/helm-deploy/README.md         |  33 +++++
 .github/actions/helm-deploy/action.yml        |  55 ++++++++
 .github/actions/maven-build/README.md         |  32 +++++
 .github/actions/maven-build/action.yml        |  74 +++++++++++
 .github/actions/playwright-e2e/README.md      |  38 ++++++
 .github/actions/playwright-e2e/action.yml     | 109 ++++++++++++++++
 .github/actions/pnpm-build/README.md          |  28 +++++
 .github/actions/pnpm-build/action.yml         |  80 ++++++++++++
 .github/actions/publish-npm-package/README.md |  26 ++++
 .../actions/publish-npm-package/action.yml    |  51 ++++++++
 .github/actions/publish-rust-crate/README.md  |  26 ++++
 .github/actions/publish-rust-crate/action.yml |  42 +++++++
 .github/actions/rust-build/README.md          |  42 +++++++
 .github/actions/rust-build/action.yml         | 101 +++++++++++++++
 .github/actions/secrets-inject/README.md      |  23 ++++
 .github/actions/secrets-inject/action.yml     |  18 +++
 .github/actions/terraform-apply/README.md     |  38 ++++++
 .github/actions/terraform-apply/action.yml    | 118 ++++++++++++++++++
 .../terraform-module-publish/README.md        |  29 +++++
 .../terraform-module-publish/action.yml       |  32 +++++
 .github/actions/terraform-validate/README.md  |  28 +++++
 .github/actions/terraform-validate/action.yml |  59 +++++++++
 .github/workflows/validate-shared-actions.yml |  73 +++++++++++
 .gitignore                                    |  50 --------
 README.md                                     |  19 ++-
 39 files changed, 1775 insertions(+), 51 deletions(-)
 create mode 100644 .github/actions/aikido-full-scan/README.md
 create mode 100644 .github/actions/aikido-full-scan/action.yml
 create mode 100644 .github/actions/aikido-pr-scan/README.md
 create mode 100644 .github/actions/aikido-pr-scan/action.yml
 create mode 100644 .github/actions/aws-configure/README.md
 create mode 100644 .github/actions/aws-configure/action.yml
 create mode 100644 .github/actions/aws-lambda-update/README.md
 create mode 100644 .github/actions/aws-lambda-update/action.yml
 create mode 100644 .github/actions/aws-s3-sync/README.md
 create mode 100644 .github/actions/aws-s3-sync/action.yml
 create mode 100644 .github/actions/cloudfront-invalidate/README.md
 create mode 100644 .github/actions/cloudfront-invalidate/action.yml
 create mode 100644 .github/actions/docker-build-push/README.md
 create mode 100644 .github/actions/docker-build-push/action.yml
 create mode 100644 .github/actions/helm-deploy/README.md
 create mode 100644 .github/actions/helm-deploy/action.yml
 create mode 100644 .github/actions/maven-build/README.md
 create mode 100644 .github/actions/maven-build/action.yml
 create mode 100644 .github/actions/playwright-e2e/README.md
 create mode 100644 .github/actions/playwright-e2e/action.yml
 create mode 100644 .github/actions/pnpm-build/README.md
 create mode 100644 .github/actions/pnpm-build/action.yml
 create mode 100644 .github/actions/publish-npm-package/README.md
 create mode 100644 .github/actions/publish-npm-package/action.yml
 create mode 100644 .github/actions/publish-rust-crate/README.md
 create mode 100644 .github/actions/publish-rust-crate/action.yml
 create mode 100644 .github/actions/rust-build/README.md
 create mode 100644 .github/actions/rust-build/action.yml
 create mode 100644 .github/actions/secrets-inject/README.md
 create mode 100644 .github/actions/secrets-inject/action.yml
 create mode 100644 .github/actions/terraform-apply/README.md
 create mode 100644 .github/actions/terraform-apply/action.yml
 create mode 100644 .github/actions/terraform-module-publish/README.md
 create mode 100644 .github/actions/terraform-module-publish/action.yml
 create mode 100644 .github/actions/terraform-validate/README.md
 create mode 100644 .github/actions/terraform-validate/action.yml
 create mode 100644 .github/workflows/validate-shared-actions.yml
 delete mode 100644 .gitignore

diff --git a/.github/actions/aikido-full-scan/README.md b/.github/actions/aikido-full-scan/README.md
new file mode 100644
index 0000000..61bd69d
--- /dev/null
+++ b/.github/actions/aikido-full-scan/README.md
@@ -0,0 +1,44 @@
+# aikido-full-scan
+
+Run a full Aikido security scan — intended for nightly or scheduled runs.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `aikido-api-key` | Yes | | Aikido CI API key (`AIK_CI_xxx`) |
+| `branch-name` | Yes | | Branch to scan (`dev` for applications, `main` for libraries) |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/aikido-full-scan@v1
+  with:
+    aikido-api-key: ${{ secrets.AIKIDO_API_KEY }}
+    branch-name: dev
+```
+
+### Nightly schedule example
+
+```yaml
+on:
+  schedule:
+    - cron: '0 2 * * *'
+
+jobs:
+  aikido-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: schmalz/shared-actions/.github/actions/aikido-full-scan@v1
+        with:
+          aikido-api-key: ${{ secrets.AIKIDO_API_KEY }}
+          branch-name: dev
+```
+
+## Notes
+
+- Uses the `aikidosecurity/local-scanner` Docker image to scan inside the CI runner.
+- Performs a full scan (all scan types: code, dependencies, IaC, secrets) and uploads results to the Aikido dashboard.
+- Repository name is auto-detected from Forgejo environment variables.
+- Does not run in gating mode — the scan reports findings but does not fail the workflow unless the scanner itself errors.
diff --git a/.github/actions/aikido-full-scan/action.yml b/.github/actions/aikido-full-scan/action.yml
new file mode 100644
index 0000000..648b4af
--- /dev/null
+++ b/.github/actions/aikido-full-scan/action.yml
@@ -0,0 +1,29 @@
+name: aikido-full-scan
+description: Run a full Aikido security scan (for nightly/scheduled runs)
+
+inputs:
+  aikido-api-key:
+    description: 'Aikido CI API key (AIK_CI_xxx)'
+    required: true
+  branch-name:
+    description: 'Branch to scan (e.g., dev for applications, main for libraries)'
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Aikido full scan
+      shell: bash
+      env:
+        AIKIDO_API_KEY: ${{ inputs.aikido-api-key }}
+        INPUT_BRANCH_NAME: ${{ inputs.branch-name }}
+      run: |
+        REPO_NAME="${GITHUB_REPOSITORY##*/}"
+
+        docker run --rm \
+          -v "$GITHUB_WORKSPACE:/repo" \
+          -e AIKIDO_API_KEY \
+          aikidosecurity/local-scanner:latest \
+          scan /repo \
+            --repositoryname "$REPO_NAME" \
+            --branchname "$INPUT_BRANCH_NAME"
diff --git a/.github/actions/aikido-pr-scan/README.md b/.github/actions/aikido-pr-scan/README.md
new file mode 100644
index 0000000..0c3f34d
--- /dev/null
+++ b/.github/actions/aikido-pr-scan/README.md
@@ -0,0 +1,26 @@
+# aikido-pr-scan
+
+Run Aikido security scan on a PR in gating mode — fails if new vulnerabilities are introduced.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `aikido-api-key` | Yes | | Aikido CI API key (`AIK_CI_xxx`) |
+| `fail-on` | No | `high` | Minimum severity to fail on (`low`, `medium`, `high`, `critical`) |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/aikido-pr-scan@v1
+  with:
+    aikido-api-key: ${{ secrets.AIKIDO_API_KEY }}
+```
+
+## Notes
+
+- Uses the `aikidosecurity/local-scanner` Docker image to scan inside the CI runner.
+- Runs in PR gating mode: only detects **new** vulnerabilities introduced by the PR (diff-based).
+- Repository name and branch are auto-detected from Forgejo environment variables.
+- The API key is passed via environment variable, never interpolated in shell commands.
+- Base and head commit IDs are derived from `GITHUB_BASE_SHA` and `GITHUB_SHA`.
diff --git a/.github/actions/aikido-pr-scan/action.yml b/.github/actions/aikido-pr-scan/action.yml
new file mode 100644
index 0000000..66ca044
--- /dev/null
+++ b/.github/actions/aikido-pr-scan/action.yml
@@ -0,0 +1,37 @@
+name: aikido-pr-scan
+description: Run Aikido security scan on a PR in gating mode (fails on new vulnerabilities)
+
+inputs:
+  aikido-api-key:
+    description: 'Aikido CI API key (AIK_CI_xxx)'
+    required: true
+  fail-on:
+    description: 'Minimum severity to fail on (low, medium, high, critical)'
+    required: false
+    default: 'high'
+
+runs:
+  using: composite
+  steps:
+    - name: Aikido PR scan
+      shell: bash
+      env:
+        AIKIDO_API_KEY: ${{ inputs.aikido-api-key }}
+        INPUT_FAIL_ON: ${{ inputs.fail-on }}
+      run: |
+        REPO_NAME="${GITHUB_REPOSITORY##*/}"
+        BRANCH_NAME="${GITHUB_HEAD_REF}"
+        BASE_COMMIT="${GITHUB_BASE_SHA:-$(git rev-parse HEAD~1)}"
+        HEAD_COMMIT="${GITHUB_SHA}"
+
+        docker run --rm \
+          -v "$GITHUB_WORKSPACE:/repo" \
+          -e AIKIDO_API_KEY \
+          aikidosecurity/local-scanner:latest \
+          scan /repo \
+            --repositoryname "$REPO_NAME" \
+            --branchname "$BRANCH_NAME" \
+            --gating-mode pr \
+            --fail-on "$INPUT_FAIL_ON" \
+            --base-commit-id "$BASE_COMMIT" \
+            --head-commit-id "$HEAD_COMMIT"
diff --git a/.github/actions/aws-configure/README.md b/.github/actions/aws-configure/README.md
new file mode 100644
index 0000000..fa1c330
--- /dev/null
+++ b/.github/actions/aws-configure/README.md
@@ -0,0 +1,25 @@
+# aws-configure
+
+Authenticate with AWS via OIDC and export credentials to the environment.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `role-arn` | Yes | | Full IAM role ARN |
+| `aws-profile` | No | `default` | Profile name written to `~/.aws/config` |
+| `region` | No | `eu-central-1` | AWS region |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+  with:
+    role-arn: arn:aws:iam::123456789012:role/my-role
+```
+
+## Notes
+
+- Requires `enable-openid-connect: true` on the Forgejo runner job.
+- Credentials are exported via `$FORGEJO_ENV` so subsequent steps can use them.
+- When `aws-profile` is not `default`, a named AWS CLI profile is also configured.
diff --git a/.github/actions/aws-configure/action.yml b/.github/actions/aws-configure/action.yml
new file mode 100644
index 0000000..b16219b
--- /dev/null
+++ b/.github/actions/aws-configure/action.yml
@@ -0,0 +1,45 @@
+name: aws-configure
+description: Authenticate with AWS via OIDC
+
+inputs:
+  role-arn:
+    description: Full IAM role ARN
+    required: true
+  aws-profile:
+    description: Profile name written to ~/.aws/config
+    required: false
+    default: default
+  region:
+    description: AWS region
+    required: false
+    default: eu-central-1
+
+runs:
+  using: composite
+  steps:
+    - run: |
+        OIDC_TOKEN=$(curl -sf \
+          -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+          "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r .value)
+
+        CREDS=$(aws sts assume-role-with-web-identity \
+          --role-arn "$INPUT_ROLE_ARN" \
+          --role-session-name forgejo-ci \
+          --web-identity-token "$OIDC_TOKEN" \
+          --region "$INPUT_REGION" \
+          --query 'Credentials' --output json)
+
+        mkdir -p ~/.aws
+
+        echo "AWS_ACCESS_KEY_ID=$(echo $CREDS | jq -r .AccessKeyId)" >> $FORGEJO_ENV
+        echo "AWS_SECRET_ACCESS_KEY=$(echo $CREDS | jq -r .SecretAccessKey)" >> $FORGEJO_ENV
+        echo "AWS_SESSION_TOKEN=$(echo $CREDS | jq -r .SessionToken)" >> $FORGEJO_ENV
+        echo "AWS_DEFAULT_REGION=$INPUT_REGION" >> $FORGEJO_ENV
+
+        if [ "$INPUT_AWS_PROFILE" != "default" ]; then
+          aws configure set aws_access_key_id "$(echo $CREDS | jq -r .AccessKeyId)" --profile "$INPUT_AWS_PROFILE"
+          aws configure set aws_secret_access_key "$(echo $CREDS | jq -r .SecretAccessKey)" --profile "$INPUT_AWS_PROFILE"
+          aws configure set aws_session_token "$(echo $CREDS | jq -r .SessionToken)" --profile "$INPUT_AWS_PROFILE"
+          aws configure set region "$INPUT_REGION" --profile "$INPUT_AWS_PROFILE"
+        fi
+      shell: bash
diff --git a/.github/actions/aws-lambda-update/README.md b/.github/actions/aws-lambda-update/README.md
new file mode 100644
index 0000000..1ec611c
--- /dev/null
+++ b/.github/actions/aws-lambda-update/README.md
@@ -0,0 +1,50 @@
+# aws-lambda-update
+
+Update Lambda function alias to a new version, optionally wait for provisioned concurrency.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `function-name` | Yes | | Lambda function name |
+| `function-version` | Yes | | Lambda version number |
+| `alias-name` | Yes | | Alias name |
+| `aws-role-arn` | Yes | | IAM role via OIDC |
+| `wait-provisioned-concurrency` | No | `false` | Poll until provisioned concurrency is READY |
+| `aws-profile` | No | `default` | AWS CLI profile name |
+| `region` | No | `eu-central-1` | AWS region |
+| `lambda-alias-updates-json` | No | `""` | JSON array of `{function_name, version, alias_name}` objects for batch updates |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/aws-lambda-update@v1
+  with:
+    function-name: my-function
+    function-version: "42"
+    alias-name: live
+    aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
+    wait-provisioned-concurrency: "true"
+```
+
+### Batch update
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/aws-lambda-update@v1
+  with:
+    function-name: unused
+    function-version: "0"
+    alias-name: unused
+    aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
+    lambda-alias-updates-json: |
+      [
+        {"function_name": "fn-a", "version": "3", "alias_name": "live"},
+        {"function_name": "fn-b", "version": "7", "alias_name": "live"}
+      ]
+```
+
+## Notes
+
+- When `lambda-alias-updates-json` is set, the single-alias inputs (`function-name`, `function-version`, `alias-name`) are ignored.
+- Provisioned concurrency polling checks every 5 seconds and fails the step if status becomes `FAILED`.
+- Uses `aws-configure` internally for OIDC authentication.
diff --git a/.github/actions/aws-lambda-update/action.yml b/.github/actions/aws-lambda-update/action.yml
new file mode 100644
index 0000000..87fff8f
--- /dev/null
+++ b/.github/actions/aws-lambda-update/action.yml
@@ -0,0 +1,95 @@
+name: aws-lambda-update
+description: Update Lambda function alias to a new version, optionally wait for provisioned concurrency
+
+inputs:
+  function-name:
+    description: Lambda function name
+    required: true
+  function-version:
+    description: Lambda version number
+    required: true
+  alias-name:
+    description: Alias name
+    required: true
+  wait-provisioned-concurrency:
+    description: Poll until provisioned concurrency is READY
+    required: false
+    default: "false"
+  aws-role-arn:
+    description: IAM role via OIDC
+    required: true
+  aws-profile:
+    description: AWS CLI profile name
+    required: false
+    default: default
+  region:
+    description: AWS region
+    required: false
+    default: eu-central-1
+  lambda-alias-updates-json:
+    description: JSON array of {function_name, version, alias_name} objects; when set, applies all entries instead of single alias
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    - uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+      with:
+        role-arn: ${{ inputs.aws-role-arn }}
+        aws-profile: ${{ inputs.aws-profile }}
+        region: ${{ inputs.region }}
+
+    - run: |
+        AWS_PROFILE="${{ inputs.aws-profile }}"
+        WAIT_PC="${{ inputs.wait-provisioned-concurrency }}"
+
+        update_alias() {
+          local fn="$1" ver="$2" alias="$3"
+          echo "Updating alias '$alias' on '$fn' to version $ver"
+          aws lambda update-alias \
+            --function-name "$fn" \
+            --name "$alias" \
+            --function-version "$ver" \
+            --profile "$AWS_PROFILE"
+        }
+
+        wait_provisioned_concurrency() {
+          local fn="$1" alias="$2"
+          echo "Waiting for provisioned concurrency on '$fn' alias '$alias'..."
+          while true; do
+            STATUS=$(aws lambda get-provisioned-concurrency-config \
+              --function-name "$fn" \
+              --qualifier "$alias" \
+              --profile "$AWS_PROFILE" \
+              --query 'Status' --output text 2>/dev/null || echo "NOT_FOUND")
+            echo "  Status: $STATUS"
+            if [ "$STATUS" = "READY" ]; then
+              break
+            elif [ "$STATUS" = "FAILED" ]; then
+              echo "ERROR: Provisioned concurrency failed for '$fn' alias '$alias'"
+              exit 1
+            fi
+            sleep 5
+          done
+        }
+
+        UPDATES_JSON='${{ inputs.lambda-alias-updates-json }}'
+
+        if [ -n "$UPDATES_JSON" ]; then
+          echo "$UPDATES_JSON" | jq -c '.[]' | while read -r entry; do
+            FN=$(echo "$entry" | jq -r '.function_name')
+            VER=$(echo "$entry" | jq -r '.version')
+            ALIAS=$(echo "$entry" | jq -r '.alias_name')
+            update_alias "$FN" "$VER" "$ALIAS"
+            if [ "$WAIT_PC" = "true" ]; then
+              wait_provisioned_concurrency "$FN" "$ALIAS"
+            fi
+          done
+        else
+          update_alias "${{ inputs.function-name }}" "${{ inputs.function-version }}" "${{ inputs.alias-name }}"
+          if [ "$WAIT_PC" = "true" ]; then
+            wait_provisioned_concurrency "${{ inputs.function-name }}" "${{ inputs.alias-name }}"
+          fi
+        fi
+      shell: bash
diff --git a/.github/actions/aws-s3-sync/README.md b/.github/actions/aws-s3-sync/README.md
new file mode 100644
index 0000000..32c211f
--- /dev/null
+++ b/.github/actions/aws-s3-sync/README.md
@@ -0,0 +1,31 @@
+# aws-s3-sync
+
+Sync build artifacts to S3, clean up old versioned assets, and optionally invalidate CloudFront.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `source-dir` | Yes | | Local path to sync |
+| `s3-bucket` | Yes | | Target S3 bucket name |
+| `aws-role-arn` | Yes | | IAM role ARN for OIDC authentication |
+| `cache-control` | No | `public, max-age=31536000, immutable` | HTTP `Cache-Control` header |
+| `aws-profile` | No | `default` | AWS CLI profile name |
+| `cloudfront-distribution-ids-file` | No | `""` | Path to file with space-separated CloudFront distribution IDs |
+| `retention-days` | No | `7` | Delete `_static/<timestamp>` prefixes older than this many days (`0` to skip) |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/aws-s3-sync@v1
+  with:
+    source-dir: dist/
+    s3-bucket: my-app-bucket
+    aws-role-arn: arn:aws:iam::123456789012:role/my-role
+```
+
+## Notes
+
+- Requires `enable-openid-connect: true` on the job.
+- Old assets under `_static/` are cleaned up based on `retention-days` by parsing timestamp-named prefixes.
+- CloudFront invalidation uses `/*` path and is triggered only when `cloudfront-distribution-ids-file` points to an existing file.
diff --git a/.github/actions/aws-s3-sync/action.yml b/.github/actions/aws-s3-sync/action.yml
new file mode 100644
index 0000000..c7c0710
--- /dev/null
+++ b/.github/actions/aws-s3-sync/action.yml
@@ -0,0 +1,71 @@
+name: aws-s3-sync
+description: Sync build artifacts to S3, clean up old versioned assets, optionally invalidate CloudFront
+
+inputs:
+  source-dir:
+    description: Local path to sync
+    required: true
+  s3-bucket:
+    description: Target S3 bucket name
+    required: true
+  cache-control:
+    description: HTTP Cache-Control header
+    required: false
+    default: "public, max-age=31536000, immutable"
+  aws-role-arn:
+    description: IAM role via OIDC
+    required: true
+  aws-profile:
+    description: AWS CLI profile name
+    required: false
+    default: default
+  cloudfront-distribution-ids-file:
+    description: Path to file with space-separated CF distribution IDs. If set, creates invalidations.
+    required: false
+    default: ""
+  retention-days:
+    description: Delete versioned _static/<timestamp> prefixes older than this many days (0 = skip)
+    required: false
+    default: "7"
+
+runs:
+  using: composite
+  steps:
+    - uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+      with:
+        role-arn: ${{ inputs.aws-role-arn }}
+        aws-profile: ${{ inputs.aws-profile }}
+
+    - run: |
+        SOURCE_DIR="${{ inputs.source-dir }}"
+        S3_BUCKET="${{ inputs.s3-bucket }}"
+        CACHE_CONTROL="${{ inputs.cache-control }}"
+        AWS_PROFILE="${{ inputs.aws-profile }}"
+        RETENTION_DAYS="${{ inputs.retention-days }}"
+        CF_IDS_FILE="${{ inputs.cloudfront-distribution-ids-file }}"
+
+        # Sync
+        aws s3 sync "$SOURCE_DIR" "s3://$S3_BUCKET" \
+          --cache-control "$CACHE_CONTROL" \
+          --profile "$AWS_PROFILE"
+
+        # Cleanup old _static/ prefixes if retention-days > 0
+        if [ "$RETENTION_DAYS" -gt 0 ]; then
+          CUTOFF=$(date -d "-${RETENTION_DAYS} days" +%s)
+          aws s3 ls "s3://$S3_BUCKET/_static/" --profile "$AWS_PROFILE" | while read -r line; do
+            PREFIX=$(echo "$line" | awk '{print $2}')
+            # Extract timestamp from prefix name, compare to cutoff, delete if old
+            TIMESTAMP=$(echo "$PREFIX" | tr -d '/')
+            if [ $(date -d "$TIMESTAMP" +%s 2>/dev/null || echo 0) -lt "$CUTOFF" ]; then
+              aws s3 rm "s3://$S3_BUCKET/_static/$PREFIX" --recursive --profile "$AWS_PROFILE"
+            fi
+          done
+        fi
+
+        # CloudFront invalidation
+        if [ -n "$CF_IDS_FILE" ] && [ -f "$CF_IDS_FILE" ]; then
+          for DIST_ID in $(cat "$CF_IDS_FILE"); do
+            aws cloudfront create-invalidation --distribution-id "$DIST_ID" --paths "/*" --profile "$AWS_PROFILE"
+          done
+        fi
+      shell: bash
diff --git a/.github/actions/cloudfront-invalidate/README.md b/.github/actions/cloudfront-invalidate/README.md
new file mode 100644
index 0000000..48d4092
--- /dev/null
+++ b/.github/actions/cloudfront-invalidate/README.md
@@ -0,0 +1,27 @@
+# cloudfront-invalidate
+
+Invalidate one or more CloudFront distributions.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `distribution-ids` | Yes | | Space-separated CloudFront distribution IDs, or path to a file containing them |
+| `aws-role-arn` | Yes | | IAM role via OIDC |
+| `paths` | No | `/*` | Invalidation paths |
+| `aws-profile` | No | `default` | AWS CLI profile name |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/cloudfront-invalidate@v1
+  with:
+    distribution-ids: E1234567890ABC E0987654321XYZ
+    aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
+```
+
+## Notes
+
+- `distribution-ids` can be literal IDs or a path to a file containing them (one per line or space-separated).
+- Each distribution is invalidated separately in a loop.
+- Uses `aws-configure` internally for OIDC authentication.
diff --git a/.github/actions/cloudfront-invalidate/action.yml b/.github/actions/cloudfront-invalidate/action.yml
new file mode 100644
index 0000000..ad94fd3
--- /dev/null
+++ b/.github/actions/cloudfront-invalidate/action.yml
@@ -0,0 +1,46 @@
+name: cloudfront-invalidate
+description: Invalidate one or more CloudFront distributions
+
+inputs:
+  distribution-ids:
+    description: Space-separated CloudFront distribution IDs, or path to file containing them
+    required: true
+  paths:
+    description: Invalidation paths
+    required: false
+    default: "/*"
+  aws-role-arn:
+    description: IAM role via OIDC
+    required: true
+  aws-profile:
+    description: AWS CLI profile name
+    required: false
+    default: default
+
+runs:
+  using: composite
+  steps:
+    - uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+      with:
+        role-arn: ${{ inputs.aws-role-arn }}
+        aws-profile: ${{ inputs.aws-profile }}
+
+    - run: |
+        DISTRIBUTION_IDS="${{ inputs.distribution-ids }}"
+        PATHS="${{ inputs.paths }}"
+        AWS_PROFILE="${{ inputs.aws-profile }}"
+
+        # Check if distribution-ids is a file path or literal IDs
+        if [ -f "$DISTRIBUTION_IDS" ]; then
+          IDS=$(cat "$DISTRIBUTION_IDS")
+        else
+          IDS="$DISTRIBUTION_IDS"
+        fi
+
+        for DIST_ID in $IDS; do
+          aws cloudfront create-invalidation \
+            --distribution-id "$DIST_ID" \
+            --paths "$PATHS" \
+            --profile "$AWS_PROFILE"
+        done
+      shell: bash
diff --git a/.github/actions/docker-build-push/README.md b/.github/actions/docker-build-push/README.md
new file mode 100644
index 0000000..b401af5
--- /dev/null
+++ b/.github/actions/docker-build-push/README.md
@@ -0,0 +1,30 @@
+# docker-build-push
+
+Build Docker image and push to JFrog with semver tags.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `image-name` | Yes | | Image name (e.g., `default-docker/db-devcontainer-base`) |
+| `version-tag` | Yes | | Full semver tag (e.g., `1.2.3`) |
+| `jfrog-token` | Yes | | JFrog registry password/token |
+| `registry` | No | `schmalz.jfrog.io` | Docker registry |
+| `dockerfile` | No | `Dockerfile` | Path to Dockerfile |
+| `context` | No | `.` | Docker build context |
+| `jfrog-user` | No | `jfrog-cicd-user` | JFrog registry user |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/docker-build-push@v1
+  with:
+    image-name: default-docker/my-service
+    version-tag: 1.2.3
+    jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+## Notes
+
+- Pushes three tags per build: full (`1.2.3`), minor (`1.2`), and major (`1`).
+- Consumers using the major or minor tag always get the latest patch release.
diff --git a/.github/actions/docker-build-push/action.yml b/.github/actions/docker-build-push/action.yml
new file mode 100644
index 0000000..401325f
--- /dev/null
+++ b/.github/actions/docker-build-push/action.yml
@@ -0,0 +1,46 @@
+name: docker-build-push
+description: Build Docker image and push to JFrog with semver tags (major, minor, patch)
+
+inputs:
+  image-name:
+    description: 'Image name (e.g., default-docker/db-devcontainer-base)'
+    required: true
+  registry:
+    description: 'Docker registry'
+    required: false
+    default: 'schmalz.jfrog.io'
+  dockerfile:
+    description: 'Path to Dockerfile'
+    required: false
+    default: 'Dockerfile'
+  context:
+    description: 'Docker build context'
+    required: false
+    default: '.'
+  version-tag:
+    description: 'Full semver tag (e.g., 1.2.3)'
+    required: true
+  jfrog-token:
+    description: 'JFrog registry password/token'
+    required: true
+  jfrog-user:
+    description: 'JFrog registry user'
+    required: false
+    default: 'jfrog-cicd-user'
+
+runs:
+  using: composite
+  steps:
+    - name: Build and push Docker image
+      shell: bash
+      run: |
+        echo "${{ inputs.jfrog-token }}" | docker login "${{ inputs.registry }}" -u "${{ inputs.jfrog-user }}" --password-stdin
+
+        FULL="${{ inputs.registry }}/${{ inputs.image-name }}:${{ inputs.version-tag }}"
+        MINOR="${{ inputs.registry }}/${{ inputs.image-name }}:$(echo "${{ inputs.version-tag }}" | cut -d. -f1,2)"
+        MAJOR="${{ inputs.registry }}/${{ inputs.image-name }}:$(echo "${{ inputs.version-tag }}" | cut -d. -f1)"
+
+        docker build -f "${{ inputs.dockerfile }}" -t "$FULL" -t "$MINOR" -t "$MAJOR" "${{ inputs.context }}"
+        docker push "$FULL"
+        docker push "$MINOR"
+        docker push "$MAJOR"
diff --git a/.github/actions/helm-deploy/README.md b/.github/actions/helm-deploy/README.md
new file mode 100644
index 0000000..b813a9c
--- /dev/null
+++ b/.github/actions/helm-deploy/README.md
@@ -0,0 +1,33 @@
+# helm-deploy
+
+Deploy a service to Kubernetes via Helm over SSH.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `service-name` | Yes | | Helm release name |
+| `helm-host` | Yes | | SSH target (e.g., `dsp1-stage.schmalzgroup.net`) |
+| `image-tag` | Yes | | Docker image tag to deploy |
+| `ssh-key` | Yes | | Private SSH key content |
+| `overrides-file` | No | `kubernetes/overrides-su.yaml` | Local path to Helm values override file |
+| `namespace` | No | `dsp` | Kubernetes namespace |
+| `helm-repo` | No | `nexus-helm-repository` | Helm chart repository name |
+| `helm-chart` | No | `DSP-Blueprint` | Chart name in the repo |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/helm-deploy@v1
+  with:
+    service-name: my-service
+    helm-host: dsp1-stage.schmalzgroup.net
+    image-tag: ${{ github.sha }}
+    ssh-key: ${{ secrets.SSH_KEY }}
+```
+
+## Notes
+
+- The override file is `scp`-ed to the remote host, then `helm upgrade --install` is run via SSH.
+- Uses `--atomic` flag, so a failed deploy is automatically rolled back.
+- `StrictHostKeyChecking` is disabled.
diff --git a/.github/actions/helm-deploy/action.yml b/.github/actions/helm-deploy/action.yml
new file mode 100644
index 0000000..e10c00d
--- /dev/null
+++ b/.github/actions/helm-deploy/action.yml
@@ -0,0 +1,55 @@
+name: helm-deploy
+description: Deploy a service to Kubernetes via Helm over SSH
+
+inputs:
+  service-name:
+    description: Helm release name
+    required: true
+  helm-host:
+    description: SSH target (e.g., dsp1-stage.schmalzgroup.net)
+    required: true
+  overrides-file:
+    description: Local path to Helm values override file
+    required: false
+    default: kubernetes/overrides-su.yaml
+  image-tag:
+    description: Docker image tag to deploy
+    required: true
+  ssh-key:
+    description: Private SSH key content
+    required: true
+  namespace:
+    description: Kubernetes namespace
+    required: false
+    default: dsp
+  helm-repo:
+    description: Helm chart repository name
+    required: false
+    default: nexus-helm-repository
+  helm-chart:
+    description: Chart name in the repo
+    required: false
+    default: DSP-Blueprint
+
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      run: |
+        SSH_KEY_FILE=$(mktemp)
+        trap "rm -f '$SSH_KEY_FILE'" EXIT
+
+        echo "${{ inputs.ssh-key }}" > "$SSH_KEY_FILE"
+        chmod 600 "$SSH_KEY_FILE"
+
+        SSH_OPTS="-i $SSH_KEY_FILE -o StrictHostKeyChecking=no"
+        REMOTE="root@${{ inputs.helm-host }}"
+        SERVICE="${{ inputs.service-name }}"
+
+        scp $SSH_OPTS "${{ inputs.overrides-file }}" "$REMOTE:/tmp/${SERVICE}-overrides.yaml"
+
+        ssh $SSH_OPTS "$REMOTE" \
+          "helm repo update && \
+           helm upgrade --install --create-namespace -n ${{ inputs.namespace }} $SERVICE \
+           ${{ inputs.helm-repo }}/${{ inputs.helm-chart }} -f /tmp/${SERVICE}-overrides.yaml \
+           --set image.tag=${{ inputs.image-tag }} --atomic --debug"
diff --git a/.github/actions/maven-build/README.md b/.github/actions/maven-build/README.md
new file mode 100644
index 0000000..ebfc7db
--- /dev/null
+++ b/.github/actions/maven-build/README.md
@@ -0,0 +1,32 @@
+# maven-build
+
+Run a Maven build -- verify-only for PRs or package+jib push for deploys.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `maven-settings` | Yes | | Secret containing `settings.xml` content |
+| `java-version` | No | `8` | Java version |
+| `maven-image` | No | `maven:3.8.5-openjdk-8` | Maven Docker image |
+| `phase` | No | `verify` | Build phase: `verify` or `package-and-push` |
+| `verify-goals` | No | `spotless:check checkstyle:check compile` | Goals for the verify phase |
+| `maven-profile` | No | `test` | Maven profile used during `package-and-push` |
+| `service-dir` | No | `.` | Working directory containing the POM |
+| `skip-tests` | No | `false` | Pass `-DskipTests` |
+| `image-tag` | No | `${{ github.sha }}-${{ github.run_id }}` | Docker image tag for jib |
+| `extra-args` | No | | Additional Maven CLI arguments |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/maven-build@v1
+  with:
+    maven-settings: ${{ secrets.MAVEN_SETTINGS }}
+    phase: package-and-push
+```
+
+## Notes
+
+- Maven repository cache is restored/saved automatically using `pom.xml` hash.
+- The `settings.xml` is written to a temp file and cleaned up after the build.
diff --git a/.github/actions/maven-build/action.yml b/.github/actions/maven-build/action.yml
new file mode 100644
index 0000000..e7446f7
--- /dev/null
+++ b/.github/actions/maven-build/action.yml
@@ -0,0 +1,74 @@
+name: maven-build
+description: Run Maven build — verify-only (PRs) or package+jib push (deploy)
+
+inputs:
+  phase:
+    required: false
+    default: 'verify'
+  verify-goals:
+    required: false
+    default: 'spotless:check checkstyle:check compile'
+  maven-profile:
+    required: false
+    default: 'test'
+  service-dir:
+    required: false
+    default: '.'
+  skip-tests:
+    required: false
+    default: 'false'
+  image-tag:
+    required: false
+    default: '${{ github.sha }}-${{ github.run_id }}'
+  maven-settings:
+    required: true
+    description: Secret containing settings.xml content
+  extra-args:
+    required: false
+    default: ''
+
+runs:
+  using: composite
+  steps:
+    - name: Restore Maven cache
+      uses: https://data.forgejo.org/actions/cache/restore@v4
+      with:
+        path: ~/.m2/repository
+        key: maven-${{ hashFiles('**/pom.xml') }}
+
+    - name: Maven build
+      shell: bash
+      working-directory: ${{ inputs.service-dir }}
+      run: |
+        SETTINGS_FILE=$(mktemp)
+        echo "${{ inputs.maven-settings }}" > "$SETTINGS_FILE"
+        trap 'rm -f "$SETTINGS_FILE"' EXIT
+
+        SKIP_TESTS_FLAG=""
+        if [ "${{ inputs.skip-tests }}" = "true" ]; then
+          SKIP_TESTS_FLAG="-DskipTests"
+        fi
+
+        if [ "${{ inputs.phase }}" = "verify" ]; then
+          mvn ${{ inputs.verify-goals }} \
+            -s "$SETTINGS_FILE" \
+            $SKIP_TESTS_FLAG \
+            ${{ inputs.extra-args }}
+        elif [ "${{ inputs.phase }}" = "package-and-push" ]; then
+          mvn clean package jib:build \
+            -DsendCredentialsOverHttp=true \
+            -Djib.to.tags=${{ inputs.image-tag }} \
+            -P ${{ inputs.maven-profile }} \
+            -s "$SETTINGS_FILE" \
+            $SKIP_TESTS_FLAG \
+            ${{ inputs.extra-args }}
+        else
+          echo "Unknown phase: ${{ inputs.phase }}"
+          exit 1
+        fi
+
+    - name: Save Maven cache
+      uses: https://data.forgejo.org/actions/cache/save@v4
+      with:
+        path: ~/.m2/repository
+        key: maven-${{ hashFiles('**/pom.xml') }}
diff --git a/.github/actions/playwright-e2e/README.md b/.github/actions/playwright-e2e/README.md
new file mode 100644
index 0000000..b62dbc9
--- /dev/null
+++ b/.github/actions/playwright-e2e/README.md
@@ -0,0 +1,38 @@
+# playwright-e2e
+
+Run Playwright E2E tests with optional sharding, upload results to S3.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `jfrog-token` | Yes | | JFrog npm auth token |
+| `s3-reports-bucket` | Yes | | S3 bucket for report upload |
+| `s3-reports-prefix` | Yes | | S3 path prefix |
+| `aws-role-arn` | Yes | | IAM role ARN for OIDC authentication |
+| `working-directory` | No | `e2e` | Directory containing Playwright config |
+| `playwright-version` | No | `v1.58.2` | Playwright version tag for browser cache key |
+| `pnpm-version` | No | `10.11` | pnpm version |
+| `shard-index` | No | `1` | Current shard (1-based) |
+| `shard-total` | No | `1` | Total shards. 1 = no sharding |
+| `aws-profile` | No | `stage` | AWS CLI profile name |
+| `extra-deps` | No | `""` | Space-separated apt packages to install |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/playwright-e2e@v1
+  with:
+    jfrog-token: ${{ secrets.JFROG_TOKEN }}
+    s3-reports-bucket: my-reports-bucket
+    s3-reports-prefix: pr-${{ github.event.number }}
+    aws-role-arn: ${{ secrets.AWS_ROLE_ARN }}
+    shard-index: "1"
+    shard-total: "4"
+```
+
+## Notes
+
+- Playwright browsers are cached between runs using the `playwright-version` input as cache key.
+- Reports are uploaded to `s3://<bucket>/<prefix>/shard-<index>/`.
+- Uses JFrog Artifactory as the npm registry for dependency installation.
diff --git a/.github/actions/playwright-e2e/action.yml b/.github/actions/playwright-e2e/action.yml
new file mode 100644
index 0000000..4042f0e
--- /dev/null
+++ b/.github/actions/playwright-e2e/action.yml
@@ -0,0 +1,109 @@
+name: playwright-e2e
+description: Run Playwright E2E tests with optional sharding, upload results to S3.
+
+inputs:
+  working-directory:
+    description: Directory containing Playwright config
+    required: false
+    default: e2e
+  playwright-version:
+    description: Playwright version tag (browser cache key only — actual version comes from pnpm-lock.yaml)
+    required: false
+    default: v1.58.2
+  jfrog-token:
+    description: JFrog npm auth token
+    required: true
+  pnpm-version:
+    description: pnpm version
+    required: false
+    default: "10.11"
+  node-version:
+    description: Node.js version
+    required: false
+    default: "22"
+  shard-index:
+    description: Current shard (1-based)
+    required: false
+    default: "1"
+  shard-total:
+    description: Total shards. 1 = no sharding.
+    required: false
+    default: "1"
+  s3-reports-bucket:
+    description: S3 bucket for report upload
+    required: true
+  s3-reports-prefix:
+    description: S3 path prefix
+    required: true
+  aws-role-arn:
+    description: IAM role ARN for OIDC authentication
+    required: true
+  aws-profile:
+    description: AWS CLI profile name
+    required: false
+    default: stage
+  extra-deps:
+    description: Space-separated apt packages to install
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    - name: Configure AWS
+      uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+      with:
+        role-arn: ${{ inputs.aws-role-arn }}
+        aws-profile: ${{ inputs.aws-profile }}
+
+    - name: Restore Playwright browser cache
+      uses: https://data.forgejo.org/actions/cache/restore@v4
+      with:
+        path: ~/.cache/ms-playwright
+        key: playwright-${{ inputs.playwright-version }}
+
+    - name: Setup Node.js
+      uses: https://code.forgejo.org/actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.node-version }}
+
+    - name: Run Playwright tests and upload results
+      shell: bash
+      env:
+        EXTRA_DEPS: ${{ inputs.extra-deps }}
+        PNPM_VERSION: ${{ inputs.pnpm-version }}
+        JFROG_TOKEN: ${{ inputs.jfrog-token }}
+        WORKING_DIR: ${{ inputs.working-directory }}
+        SHARD_INDEX: ${{ inputs.shard-index }}
+        SHARD_TOTAL: ${{ inputs.shard-total }}
+        BUCKET: ${{ inputs.s3-reports-bucket }}
+        PREFIX: ${{ inputs.s3-reports-prefix }}
+        AWS_PROFILE: ${{ inputs.aws-profile }}
+      run: |
+        if [ -n "${EXTRA_DEPS}" ]; then
+          sudo apt-get update -qq
+          sudo apt-get install -y ${EXTRA_DEPS}
+        fi
+
+        npm i -g "pnpm@${PNPM_VERSION}"
+        pnpm set registry https://schmalz.jfrog.io/artifactory/api/npm/default-npm/
+        pnpm set "//schmalz.jfrog.io/artifactory/api/npm/default-npm/:_authToken=${JFROG_TOKEN}"
+
+        pnpm --prefix="${WORKING_DIR}" install --frozen-lockfile
+        pnpm --prefix="${WORKING_DIR}" exec playwright install --with-deps
+
+        SHARD_ARG=""
+        if [ "${SHARD_TOTAL}" != "1" ]; then
+          SHARD_ARG="--shard=${SHARD_INDEX}/${SHARD_TOTAL}"
+        fi
+        pnpm --prefix="${WORKING_DIR}" exec playwright test ${SHARD_ARG}
+
+        aws s3 sync "${WORKING_DIR}/playwright-report/" \
+          "s3://${BUCKET}/${PREFIX}/shard-${SHARD_INDEX}/" \
+          --profile "${AWS_PROFILE}"
+
+    - name: Save Playwright browser cache
+      uses: https://data.forgejo.org/actions/cache/save@v4
+      with:
+        path: ~/.cache/ms-playwright
+        key: playwright-${{ inputs.playwright-version }}
diff --git a/.github/actions/pnpm-build/README.md b/.github/actions/pnpm-build/README.md
new file mode 100644
index 0000000..02a1218
--- /dev/null
+++ b/.github/actions/pnpm-build/README.md
@@ -0,0 +1,28 @@
+# pnpm-build
+
+Set up pnpm, authenticate with JFrog npm registry, install dependencies, and run build scripts.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `jfrog-token` | Yes | | JFrog npm auth token |
+| `working-directory` | No | `.` | Directory containing `package.json` |
+| `pnpm-version` | No | `10.14` | pnpm version |
+| `node-version` | No | `22` | Node.js version |
+| `run-scripts` | No | `ci,typecheck,build` | Comma-separated list of `pnpm run` scripts |
+| `frozen-lockfile` | No | `true` | Pass `--frozen-lockfile` to `pnpm install` |
+| `check-dedupe` | No | `true` | Run `pnpm dedupe --check` |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/pnpm-build@v1
+  with:
+    jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+## Notes
+
+- pnpm store cache is restored/saved automatically using `pnpm-lock.yaml` hash.
+- Registry is set to `schmalz.jfrog.io`.
diff --git a/.github/actions/pnpm-build/action.yml b/.github/actions/pnpm-build/action.yml
new file mode 100644
index 0000000..effc794
--- /dev/null
+++ b/.github/actions/pnpm-build/action.yml
@@ -0,0 +1,80 @@
+name: pnpm-build
+description: Set up pnpm, authenticate JFrog npm registry, install deps, run scripts.
+
+inputs:
+  working-directory:
+    description: Directory containing package.json
+    required: false
+    default: "."
+  pnpm-version:
+    description: pnpm version
+    required: false
+    default: "10.14"
+  jfrog-token:
+    description: JFrog npm auth token
+    required: true
+  run-scripts:
+    description: Comma-separated list of pnpm run scripts
+    required: false
+    default: "ci,typecheck,build"
+  frozen-lockfile:
+    description: Pass --frozen-lockfile to pnpm install
+    required: false
+    default: "true"
+  check-dedupe:
+    description: Run pnpm dedupe --check
+    required: false
+    default: "true"
+  node-version:
+    description: Node.js version
+    required: false
+    default: "22"
+
+runs:
+  using: composite
+  steps:
+    - name: Restore pnpm cache
+      uses: https://data.forgejo.org/actions/cache/restore@v4
+      with:
+        path: ~/.local/share/pnpm/store/v3
+        key: pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
+
+    - name: Setup Node.js
+      uses: https://code.forgejo.org/actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.node-version }}
+
+    - name: Setup and build
+      shell: bash
+      env:
+        PNPM_VERSION: ${{ inputs.pnpm-version }}
+        JFROG_TOKEN: ${{ inputs.jfrog-token }}
+        WORKING_DIR: ${{ inputs.working-directory }}
+        RUN_SCRIPTS: ${{ inputs.run-scripts }}
+        FROZEN_LOCKFILE: ${{ inputs.frozen-lockfile }}
+        CHECK_DEDUPE: ${{ inputs.check-dedupe }}
+      run: |
+        npm i -g "pnpm@${PNPM_VERSION}"
+        pnpm set registry https://schmalz.jfrog.io/artifactory/api/npm/default-npm/
+        pnpm set "//schmalz.jfrog.io/artifactory/api/npm/default-npm/:_authToken=${JFROG_TOKEN}"
+
+        if [ "${CHECK_DEDUPE}" = "true" ]; then
+          pnpm --prefix="${WORKING_DIR}" dedupe --check
+        fi
+
+        INSTALL_ARGS=""
+        if [ "${FROZEN_LOCKFILE}" = "true" ]; then
+          INSTALL_ARGS="--frozen-lockfile"
+        fi
+        pnpm --prefix="${WORKING_DIR}" install ${INSTALL_ARGS}
+
+        IFS=',' read -ra SCRIPTS <<< "${RUN_SCRIPTS}"
+        for script in "${SCRIPTS[@]}"; do
+          pnpm --prefix="${WORKING_DIR}" run "${script}"
+        done
+
+    - name: Save pnpm cache
+      uses: https://data.forgejo.org/actions/cache/save@v4
+      with:
+        path: ~/.local/share/pnpm/store/v3
+        key: pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
diff --git a/.github/actions/publish-npm-package/README.md b/.github/actions/publish-npm-package/README.md
new file mode 100644
index 0000000..10531b9
--- /dev/null
+++ b/.github/actions/publish-npm-package/README.md
@@ -0,0 +1,26 @@
+# publish-npm-package
+
+Build and publish npm package to JFrog Artifactory.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `jfrog-token` | Yes | | JFrog npm auth token |
+| `working-directory` | No | `.` | Directory containing package.json |
+| `pnpm-version` | No | `10.14` | pnpm version |
+| `registry-url` | No | `https://schmalz.jfrog.io/artifactory/api/npm/default-npm/` | JFrog npm registry URL |
+| `build-script` | No | `build` | pnpm build script name |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/publish-npm-package@v1
+  with:
+    jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+## Notes
+
+- Runs `pnpm install --frozen-lockfile`, then the build script, then `pnpm publish --no-git-checks`.
+- The version published is whatever is in `package.json` -- bump it before calling this action.
diff --git a/.github/actions/publish-npm-package/action.yml b/.github/actions/publish-npm-package/action.yml
new file mode 100644
index 0000000..0101668
--- /dev/null
+++ b/.github/actions/publish-npm-package/action.yml
@@ -0,0 +1,51 @@
+name: publish-npm-package
+description: Build and publish npm package to JFrog Artifactory.
+
+inputs:
+  working-directory:
+    description: Directory containing package.json
+    required: false
+    default: "."
+  pnpm-version:
+    description: pnpm version
+    required: false
+    default: "10.14"
+  node-version:
+    description: Node.js version
+    required: false
+    default: "22"
+  jfrog-token:
+    description: JFrog npm auth token
+    required: true
+  registry-url:
+    description: JFrog npm registry URL
+    required: false
+    default: "https://schmalz.jfrog.io/artifactory/api/npm/default-npm/"
+  build-script:
+    description: pnpm build script name
+    required: false
+    default: "build"
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Node.js
+      uses: https://code.forgejo.org/actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.node-version }}
+
+    - name: Build and publish
+      shell: bash
+      env:
+        PNPM_VERSION: ${{ inputs.pnpm-version }}
+        JFROG_TOKEN: ${{ inputs.jfrog-token }}
+        REGISTRY_URL: ${{ inputs.registry-url }}
+        WORKING_DIR: ${{ inputs.working-directory }}
+        BUILD_SCRIPT: ${{ inputs.build-script }}
+      run: |
+        npm i -g "pnpm@${PNPM_VERSION}"
+        pnpm set registry "${REGISTRY_URL}"
+        pnpm set "//schmalz.jfrog.io/artifactory/api/npm/default-npm/:_authToken=${JFROG_TOKEN}"
+        pnpm --prefix="${WORKING_DIR}" install --frozen-lockfile
+        pnpm --prefix="${WORKING_DIR}" run "${BUILD_SCRIPT}"
+        pnpm --prefix="${WORKING_DIR}" publish --no-git-checks
diff --git a/.github/actions/publish-rust-crate/README.md b/.github/actions/publish-rust-crate/README.md
new file mode 100644
index 0000000..2e884b7
--- /dev/null
+++ b/.github/actions/publish-rust-crate/README.md
@@ -0,0 +1,26 @@
+# publish-rust-crate
+
+Build, test, and publish Rust crate to JFrog Cargo registry.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `jfrog-token` | Yes | | JFrog access token for Cargo registry auth |
+| `working-directory` | No | `.` | Directory containing Cargo.toml |
+| `rust-version` | No | `1.87` | Rust toolchain version |
+| `cargo-registry-name` | No | `jfrog` | Cargo registry name |
+| `run-tests` | No | `true` | Run `cargo test` before publishing |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/publish-rust-crate@v1
+  with:
+    jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+## Notes
+
+- The registry token is set via `CARGO_REGISTRIES_<NAME>_TOKEN` environment variable (registry name is uppercased).
+- The crate version published is whatever is in `Cargo.toml` -- bump it before calling this action.
diff --git a/.github/actions/publish-rust-crate/action.yml b/.github/actions/publish-rust-crate/action.yml
new file mode 100644
index 0000000..21736a1
--- /dev/null
+++ b/.github/actions/publish-rust-crate/action.yml
@@ -0,0 +1,42 @@
+name: publish-rust-crate
+description: Build, test, and publish Rust crate to JFrog Cargo registry.
+
+inputs:
+  working-directory:
+    description: Directory containing Cargo.toml
+    required: false
+    default: "."
+  rust-version:
+    description: Rust toolchain version
+    required: false
+    default: "1.87"
+  cargo-registry-name:
+    description: Cargo registry name
+    required: false
+    default: "jfrog"
+  jfrog-token:
+    description: JFrog access token for Cargo registry auth
+    required: true
+  run-tests:
+    description: Run cargo test before publishing
+    required: false
+    default: "true"
+
+runs:
+  using: composite
+  steps:
+    - name: Test and publish
+      shell: bash
+      env:
+        RUST_VERSION: ${{ inputs.rust-version }}
+        REGISTRY_NAME: ${{ inputs.cargo-registry-name }}
+        JFROG_TOKEN: ${{ inputs.jfrog-token }}
+        WORKING_DIR: ${{ inputs.working-directory }}
+        RUN_TESTS: ${{ inputs.run-tests }}
+      run: |
+        rustup default "${RUST_VERSION}"
+        UPPER_NAME="$(echo "${REGISTRY_NAME}" | tr '[:lower:]' '[:upper:]')"
+        export "CARGO_REGISTRIES_${UPPER_NAME}_TOKEN=Bearer ${JFROG_TOKEN}"
+        cd "${WORKING_DIR}"
+        if [ "${RUN_TESTS}" = "true" ]; then cargo test; fi
+        cargo publish --registry "${REGISTRY_NAME}"
diff --git a/.github/actions/rust-build/README.md b/.github/actions/rust-build/README.md
new file mode 100644
index 0000000..a02d2a4
--- /dev/null
+++ b/.github/actions/rust-build/README.md
@@ -0,0 +1,42 @@
+# rust-build
+
+Run Rust CI -- fmt, clippy, tests, optional cross-compilation.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `toolchain` | No | `stable` | Rust toolchain |
+| `features` | No | `""` | Cargo features to enable |
+| `cross-target` | No | `""` | Cross-compilation target (installs `cross` when set) |
+| `run-fmt` | No | `true` | Run `cargo fmt --check` |
+| `run-clippy` | No | `true` | Run clippy with `-D warnings` |
+| `run-tests` | No | `true` | Run `cargo test` |
+| `run-deny` | No | `false` | Run `cargo deny check` |
+| `run-semver-checks` | No | `false` | Run `cargo semver-checks` |
+| `sccache-enabled` | No | `true` | Enable sccache (requires `sccache_ci_setup.sh` in working directory) |
+| `working-directory` | No | `.` | Working directory |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/rust-build@v1
+  with:
+    features: serde,tokio
+    run-deny: "true"
+```
+
+### Cross-compilation
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/rust-build@v1
+  with:
+    cross-target: aarch64-unknown-linux-gnu
+    run-fmt: "false"
+```
+
+## Notes
+
+- Cargo registry and `target/` directory are cached based on `Cargo.lock` hash.
+- When `cross-target` is set, `cross` is installed and used instead of `cargo` for clippy, test, and build steps. `cargo fmt` always uses `cargo` directly.
+- sccache integration requires a `sccache_ci_setup.sh` script in the working directory.
diff --git a/.github/actions/rust-build/action.yml b/.github/actions/rust-build/action.yml
new file mode 100644
index 0000000..86eae0d
--- /dev/null
+++ b/.github/actions/rust-build/action.yml
@@ -0,0 +1,101 @@
+name: rust-build
+description: Run Rust CI — fmt, clippy, tests, optional cross-compilation.
+
+inputs:
+  toolchain:
+    required: false
+    default: "stable"
+  features:
+    required: false
+    default: ""
+  cross-target:
+    required: false
+    default: ""
+  run-fmt:
+    required: false
+    default: "true"
+  run-clippy:
+    required: false
+    default: "true"
+  run-tests:
+    required: false
+    default: "true"
+  run-deny:
+    required: false
+    default: "false"
+  run-semver-checks:
+    required: false
+    default: "false"
+  sccache-enabled:
+    required: false
+    default: "true"
+  working-directory:
+    required: false
+    default: "."
+
+runs:
+  using: composite
+  steps:
+    - name: Restore cargo cache
+      uses: https://data.forgejo.org/actions/cache/restore@v4
+      with:
+        path: |
+          ~/.cargo/registry
+          target/
+        key: cargo-${{ hashFiles('**/Cargo.lock') }}
+
+    - name: Rust CI
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: |
+        set -euo pipefail
+
+        rustup default ${{ inputs.toolchain }}
+
+        if [[ "${{ inputs.sccache-enabled }}" == "true" && -f sccache_ci_setup.sh ]]; then
+          source sccache_ci_setup.sh
+        fi
+
+        CMD=cargo
+        if [[ -n "${{ inputs.cross-target }}" ]]; then
+          cargo install cross
+          CMD=cross
+        fi
+
+        FEATURES_ARG=""
+        if [[ -n "${{ inputs.features }}" ]]; then
+          FEATURES_ARG="--features ${{ inputs.features }}"
+        fi
+
+        TARGET_ARG=""
+        if [[ -n "${{ inputs.cross-target }}" ]]; then
+          TARGET_ARG="--target ${{ inputs.cross-target }}"
+        fi
+
+        if [[ "${{ inputs.run-fmt }}" == "true" ]]; then
+          cargo fmt --check
+        fi
+
+        if [[ "${{ inputs.run-clippy }}" == "true" ]]; then
+          $CMD clippy $FEATURES_ARG $TARGET_ARG -- -D warnings
+        fi
+
+        if [[ "${{ inputs.run-tests }}" == "true" ]]; then
+          $CMD test $FEATURES_ARG $TARGET_ARG
+        fi
+
+        if [[ "${{ inputs.run-deny }}" == "true" ]]; then
+          cargo deny check
+        fi
+
+        if [[ "${{ inputs.run-semver-checks }}" == "true" ]]; then
+          cargo semver-checks
+        fi
+
+    - name: Save cargo cache
+      uses: https://data.forgejo.org/actions/cache/save@v4
+      with:
+        path: |
+          ~/.cargo/registry
+          target/
+        key: cargo-${{ hashFiles('**/Cargo.lock') }}
diff --git a/.github/actions/secrets-inject/README.md b/.github/actions/secrets-inject/README.md
new file mode 100644
index 0000000..2acd738
--- /dev/null
+++ b/.github/actions/secrets-inject/README.md
@@ -0,0 +1,23 @@
+# secrets-inject
+
+Append secret properties content to a Java `.properties` file.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `secret-content` | Yes | | Properties content to append |
+| `target-file` | Yes | | Path to the `.properties` file |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/secrets-inject@v1
+  with:
+    secret-content: ${{ secrets.APP_SECRETS }}
+    target-file: src/main/resources/application.properties
+```
+
+## Notes
+
+- A blank line is inserted before the appended content to avoid merging with the last existing line.
diff --git a/.github/actions/secrets-inject/action.yml b/.github/actions/secrets-inject/action.yml
new file mode 100644
index 0000000..ddb811f
--- /dev/null
+++ b/.github/actions/secrets-inject/action.yml
@@ -0,0 +1,18 @@
+name: secrets-inject
+description: Append a secrets file to a Java .properties file
+
+inputs:
+  secret-content:
+    description: Secret value (properties content to append)
+    required: true
+  target-file:
+    description: Path to the .properties file
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - run: |
+        echo "" >> ${{ inputs.target-file }}
+        echo "${{ inputs.secret-content }}" >> ${{ inputs.target-file }}
+      shell: bash
diff --git a/.github/actions/terraform-apply/README.md b/.github/actions/terraform-apply/README.md
new file mode 100644
index 0000000..144c4af
--- /dev/null
+++ b/.github/actions/terraform-apply/README.md
@@ -0,0 +1,38 @@
+# terraform-apply
+
+Full Terraform init, workspace select, plan/apply, and output capture.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `var-file` | Yes | | Path to `.tfvars` file |
+| `workspace` | Yes | | Terraform workspace (`stage` or `prod`) |
+| `aws-role-arn` | Yes | | IAM role ARN for OIDC authentication |
+| `jfrog-token` | Yes | | JFrog access token (sets `TF_TOKEN_schmalz_jfrog_io`) |
+| `terraform-dir` | No | `terraform` | Directory containing Terraform configuration |
+| `terraform-version` | No | `1.11` | Terraform version to install |
+| `aws-profile` | No | `default` | AWS CLI profile name |
+| `output-names` | No | `""` | Comma-separated Terraform output names to capture as raw values |
+| `output-json-names` | No | `""` | Comma-separated output names to capture as JSON |
+| `plan-only` | No | `false` | Run `plan -out` instead of `apply` |
+| `plan-file` | No | `""` | Pre-existing plan file to apply |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/terraform-apply@v1
+  with:
+    var-file: envs/stage.tfvars
+    workspace: stage
+    aws-role-arn: arn:aws:iam::123456789012:role/my-role
+    jfrog-token: ${{ secrets.JFROG_TOKEN }}
+    output-names: api_url,db_host
+```
+
+## Notes
+
+- Requires `enable-openid-connect: true` on the job.
+- Captured outputs are written to `$FORGEJO_OUTPUT` and to files under `<terraform-dir>/.outputs/`.
+- Provider cache is restored/saved automatically.
+- Use `plan-only: true` for a plan-then-apply workflow across jobs.
diff --git a/.github/actions/terraform-apply/action.yml b/.github/actions/terraform-apply/action.yml
new file mode 100644
index 0000000..e33dc95
--- /dev/null
+++ b/.github/actions/terraform-apply/action.yml
@@ -0,0 +1,118 @@
+name: terraform-apply
+description: Full Terraform init + workspace + apply + output capture
+
+inputs:
+  terraform-dir:
+    description: Directory containing Terraform configuration
+    required: false
+    default: terraform
+  terraform-version:
+    description: Terraform version to install
+    required: false
+    default: "1.11"
+  var-file:
+    description: Path to .tfvars file
+    required: true
+  workspace:
+    description: Terraform workspace (stage or prod)
+    required: true
+  aws-role-arn:
+    description: IAM role ARN for OIDC authentication
+    required: true
+  aws-profile:
+    description: AWS profile name
+    required: false
+    default: default
+  jfrog-token:
+    description: JFrog access token (sets TF_TOKEN_schmalz_jfrog_io)
+    required: true
+  output-names:
+    description: Comma-separated list of terraform output names to capture as raw
+    required: false
+    default: ""
+  plan-only:
+    description: Run plan -out instead of apply
+    required: false
+    default: "false"
+  plan-file:
+    description: Pre-existing plan file to apply
+    required: false
+    default: ""
+  output-json-names:
+    description: Comma-separated output names to capture as JSON
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    - name: Configure AWS credentials
+      uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+      with:
+        role-arn: ${{ inputs.aws-role-arn }}
+        aws-profile: ${{ inputs.aws-profile }}
+
+    - name: Restore Terraform provider cache
+      uses: https://data.forgejo.org/actions/cache/restore@v4
+      with:
+        path: ${{ inputs.terraform-dir }}/.terraform/providers
+        key: terraform-providers-${{ hashFiles(format('{0}/.terraform.lock.hcl', inputs.terraform-dir)) }}
+
+    - name: Install Terraform
+      shell: bash
+      run: |
+        TF_VERSION="${{ inputs.terraform-version }}"
+        curl -fsSL "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip" -o /tmp/terraform.zip
+        sudo unzip -o /tmp/terraform.zip -d /usr/local/bin
+        rm /tmp/terraform.zip
+        terraform version
+
+    - name: Terraform init, plan/apply, and capture outputs
+      shell: bash
+      env:
+        TF_TOKEN_schmalz_jfrog_io: ${{ inputs.jfrog-token }}
+        TF_WORKSPACE: ${{ inputs.workspace }}
+        AWS_PROFILE: ${{ inputs.aws-profile }}
+        TF_DIR: ${{ inputs.terraform-dir }}
+        VAR_FILE: ${{ inputs.var-file }}
+        PLAN_ONLY: ${{ inputs.plan-only }}
+        PLAN_FILE: ${{ inputs.plan-file }}
+        OUTPUT_NAMES: ${{ inputs.output-names }}
+        OUTPUT_JSON_NAMES: ${{ inputs.output-json-names }}
+      run: |
+        terraform -chdir="$TF_DIR" init -no-color
+
+        if [ "$PLAN_ONLY" = "true" ]; then
+          terraform -chdir="$TF_DIR" plan -var-file="$VAR_FILE" -out=terraform.plan -no-color
+        elif [ -n "$PLAN_FILE" ]; then
+          terraform -chdir="$TF_DIR" apply -auto-approve -no-color "$PLAN_FILE"
+        else
+          terraform -chdir="$TF_DIR" apply -var-file="$VAR_FILE" -auto-approve -no-color
+        fi
+
+        mkdir -p "$TF_DIR/.outputs"
+
+        if [ -n "$OUTPUT_NAMES" ]; then
+          IFS=',' read -ra NAMES <<< "$OUTPUT_NAMES"
+          for name in "${NAMES[@]}"; do
+            name=$(echo "$name" | xargs)
+            val=$(terraform -chdir="$TF_DIR" output --raw "$name")
+            echo "$val" > "$TF_DIR/.outputs/$name"
+            echo "$name=$val" >> "$FORGEJO_OUTPUT"
+          done
+        fi
+
+        if [ -n "$OUTPUT_JSON_NAMES" ]; then
+          IFS=',' read -ra JNAMES <<< "$OUTPUT_JSON_NAMES"
+          for name in "${JNAMES[@]}"; do
+            name=$(echo "$name" | xargs)
+            terraform -chdir="$TF_DIR" output --json "$name" > "$TF_DIR/.outputs/$name.json"
+            echo "$name=$(terraform -chdir="$TF_DIR" output --json "$name")" >> "$FORGEJO_OUTPUT"
+          done
+        fi
+
+    - name: Save Terraform provider cache
+      uses: https://data.forgejo.org/actions/cache/save@v4
+      with:
+        path: ${{ inputs.terraform-dir }}/.terraform/providers
+        key: terraform-providers-${{ hashFiles(format('{0}/.terraform.lock.hcl', inputs.terraform-dir)) }}
diff --git a/.github/actions/terraform-module-publish/README.md b/.github/actions/terraform-module-publish/README.md
new file mode 100644
index 0000000..895b707
--- /dev/null
+++ b/.github/actions/terraform-module-publish/README.md
@@ -0,0 +1,29 @@
+# terraform-module-publish
+
+Zip a Terraform module and publish to JFrog Artifactory.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `module-dir` | Yes | | Path to the module directory to zip |
+| `module-name` | Yes | | Module name (used in zip filename and upload path) |
+| `version` | Yes | | Version string (from git tag) |
+| `jfrog-token` | Yes | | JFrog access token |
+| `jfrog-url` | No | `https://schmalz.jfrog.io/artifactory/terraform/schmalz` | JFrog Artifactory base URL |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/terraform-module-publish@v1
+  with:
+    module-dir: modules/vpc
+    module-name: vpc
+    version: ${{ github.ref_name }}
+    jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+## Notes
+
+- The module directory contents are zipped and uploaded to `<jfrog-url>/<module-name>/<version>.zip`.
+- Uses `curl` with bearer token authentication.
diff --git a/.github/actions/terraform-module-publish/action.yml b/.github/actions/terraform-module-publish/action.yml
new file mode 100644
index 0000000..3ef3141
--- /dev/null
+++ b/.github/actions/terraform-module-publish/action.yml
@@ -0,0 +1,32 @@
+name: terraform-module-publish
+description: Zip a Terraform module and publish to JFrog Artifactory
+
+inputs:
+  module-dir:
+    description: Path to the module directory to zip
+    required: true
+  module-name:
+    description: Module name (used in zip filename and upload path)
+    required: true
+  version:
+    description: Version string (from git tag)
+    required: true
+  jfrog-url:
+    description: JFrog Artifactory base URL
+    required: false
+    default: https://schmalz.jfrog.io/artifactory/terraform/schmalz
+  jfrog-token:
+    description: JFrog access token
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Zip and publish module
+      shell: bash
+      run: |
+        cd "${{ inputs.module-dir }}"
+        zip -r "/tmp/${{ inputs.module-name }}-${{ inputs.version }}.zip" .
+        curl -sf -H "Authorization: Bearer ${{ inputs.jfrog-token }}" \
+          -T "/tmp/${{ inputs.module-name }}-${{ inputs.version }}.zip" \
+          "${{ inputs.jfrog-url }}/${{ inputs.module-name }}/${{ inputs.version }}.zip"
diff --git a/.github/actions/terraform-validate/README.md b/.github/actions/terraform-validate/README.md
new file mode 100644
index 0000000..59a949c
--- /dev/null
+++ b/.github/actions/terraform-validate/README.md
@@ -0,0 +1,28 @@
+# terraform-validate
+
+Validate Terraform code without a backend (for PR checks).
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `jfrog-token` | Yes | | Sets `TF_TOKEN_schmalz_jfrog_io` for provider auth |
+| `terraform-dir` | No | `terraform` | Directory containing `.tf` files |
+| `terraform-version` | No | `1.11` | Terraform version to use |
+| `aws-role-arn` | No | `""` | If provided, runs `aws-configure` before validate |
+| `aws-profile` | No | `stage` | AWS profile when `aws-role-arn` is given |
+
+## Usage
+
+```yaml
+- uses: schmalz/shared-actions/.github/actions/terraform-validate@v1
+  with:
+    jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+## Notes
+
+- Runs `terraform init -backend=false`, `terraform fmt -check -recursive`, and `terraform validate`.
+- Sets `TF_WORKSPACE=stage` during init.
+- Provider cache is restored/saved automatically.
+- Optionally configures AWS credentials if `aws-role-arn` is provided (requires `enable-openid-connect: true`).
diff --git a/.github/actions/terraform-validate/action.yml b/.github/actions/terraform-validate/action.yml
new file mode 100644
index 0000000..c3f7bdb
--- /dev/null
+++ b/.github/actions/terraform-validate/action.yml
@@ -0,0 +1,59 @@
+name: terraform-validate
+description: Validate Terraform code without backend (for PR checks)
+
+inputs:
+  terraform-dir:
+    description: Directory containing .tf files
+    required: false
+    default: terraform
+  terraform-version:
+    description: Terraform version to use
+    required: false
+    default: "1.11"
+  jfrog-token:
+    description: Sets TF_TOKEN_schmalz_jfrog_io
+    required: true
+  aws-role-arn:
+    description: If provided, runs aws-configure before validate
+    required: false
+    default: ""
+  aws-profile:
+    description: Profile if aws-role-arn given
+    required: false
+    default: stage
+
+runs:
+  using: composite
+  steps:
+    - uses: schmalz/shared-actions/.github/actions/aws-configure@v1
+      if: ${{ inputs.aws-role-arn != '' }}
+      with:
+        role-arn: ${{ inputs.aws-role-arn }}
+        aws-profile: ${{ inputs.aws-profile }}
+
+    - uses: https://data.forgejo.org/actions/cache/restore@v4
+      with:
+        key: terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
+        path: ${{ inputs.terraform-dir }}/.terraform/providers
+
+    - name: Install Terraform
+      shell: bash
+      run: |
+        TF_VERSION="${{ inputs.terraform-version }}"
+        curl -fsSL "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip" -o /tmp/terraform.zip
+        sudo unzip -o /tmp/terraform.zip -d /usr/local/bin
+        rm /tmp/terraform.zip
+        terraform version
+
+    - run: |
+        export TF_TOKEN_schmalz_jfrog_io="${INPUT_JFROG_TOKEN}"
+        export TF_WORKSPACE=stage
+        terraform -chdir="${INPUT_TERRAFORM_DIR}" init -backend=false -no-color
+        terraform -chdir="${INPUT_TERRAFORM_DIR}" fmt -check -recursive
+        terraform -chdir="${INPUT_TERRAFORM_DIR}" validate
+      shell: bash
+
+    - uses: https://data.forgejo.org/actions/cache/save@v4
+      with:
+        key: terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
+        path: ${{ inputs.terraform-dir }}/.terraform/providers
diff --git a/.github/workflows/validate-shared-actions.yml b/.github/workflows/validate-shared-actions.yml
new file mode 100644
index 0000000..d12f25d
--- /dev/null
+++ b/.github/workflows/validate-shared-actions.yml
@@ -0,0 +1,73 @@
+name: validate-shared-actions
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  validate-shared-actions:
+    runs-on: ubuntu-latest
+    env:
+      ACTIONLINT_VERSION: "1.7.8"
+    steps:
+      - name: Checkout
+        uses: https://code.forgejo.org/actions/checkout@v4
+
+      - name: Restore actionlint cache
+        id: cache-actionlint
+        uses: https://data.forgejo.org/actions/cache/restore@v4
+        with:
+          path: .cache/tools/actionlint
+          key: actionlint-${{ runner.os }}-${{ env.ACTIONLINT_VERSION }}
+
+      - name: Install actionlint (pinned + checksum)
+        if: ${{ steps.cache-actionlint.outputs.cache-hit != 'true' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          VERSION="${ACTIONLINT_VERSION}"
+          OS="linux"
+          ARCH="amd64"
+          BASE_URL="https://github.com/rhysd/actionlint/releases/download/v${VERSION}"
+          TAR="actionlint_${VERSION}_${OS}_${ARCH}.tar.gz"
+          CHECKSUMS="checksums.txt"
+
+          INSTALL_DIR=".cache/tools/actionlint/${VERSION}"
+          mkdir -p "${INSTALL_DIR}"
+
+          curl -fsSL "${BASE_URL}/${TAR}" -o "/tmp/${TAR}"
+          curl -fsSL "${BASE_URL}/${CHECKSUMS}" -o "/tmp/${CHECKSUMS}"
+
+          grep " ${TAR}$" "/tmp/${CHECKSUMS}" > "/tmp/actionlint-sha256.txt"
+          (cd /tmp && sha256sum -c actionlint-sha256.txt)
+
+          tar -xzf "/tmp/${TAR}" -C "${INSTALL_DIR}" actionlint
+          chmod +x "${INSTALL_DIR}/actionlint"
+
+      - name: Save actionlint cache
+        if: ${{ steps.cache-actionlint.outputs.cache-hit != 'true' }}
+        uses: https://data.forgejo.org/actions/cache/save@v4
+        with:
+          path: .cache/tools/actionlint
+          key: actionlint-${{ runner.os }}-${{ env.ACTIONLINT_VERSION }}
+
+      - name: Lint workflows with actionlint
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          ACTIONLINT_BIN=".cache/tools/actionlint/${ACTIONLINT_VERSION}/actionlint"
+          if [ ! -x "${ACTIONLINT_BIN}" ]; then
+            echo "actionlint binary missing: ${ACTIONLINT_BIN}"
+            exit 1
+          fi
+
+          if compgen -G ".github/workflows/*.yml" > /dev/null || compgen -G ".github/workflows/*.yaml" > /dev/null; then
+            "${ACTIONLINT_BIN}" -color
+          else
+            echo "No workflow files found in .github/workflows; skipping actionlint workflow lint"
+          fi
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index b24d71e..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,50 +0,0 @@
-# These are some examples of commonly ignored file patterns.
-# You should customize this list as applicable to your project.
-# Learn more about .gitignore:
-#     https://www.atlassian.com/git/tutorials/saving-changes/gitignore
-
-# Node artifact files
-node_modules/
-dist/
-
-# Compiled Java class files
-*.class
-
-# Compiled Python bytecode
-*.py[cod]
-
-# Log files
-*.log
-
-# Package files
-*.jar
-
-# Maven
-target/
-dist/
-
-# JetBrains IDE
-.idea/
-
-# Unit test reports
-TEST*.xml
-
-# Generated by MacOS
-.DS_Store
-
-# Generated by Windows
-Thumbs.db
-
-# Applications
-*.app
-*.exe
-*.war
-
-# Large media files
-*.mp4
-*.tiff
-*.avi
-*.flv
-*.mov
-*.wmv
-
diff --git a/README.md b/README.md
index db9329b..f59690e 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,24 @@ Shared composite actions for Forgejo CI/CD pipelines.
 
 | Action | Description |
 |--------|-------------|
-|  |  |
+| [aikido-full-scan](.github/actions/aikido-full-scan) | Run a full Aikido security scan (for nightly/scheduled runs) |
+| [aikido-pr-scan](.github/actions/aikido-pr-scan) | Run Aikido security scan on a PR in gating mode (fails on new vulnerabilities) |
+| [aws-configure](.github/actions/aws-configure) | Authenticate with AWS via OIDC |
+| [aws-lambda-update](.github/actions/aws-lambda-update) | Update Lambda function alias to a new version, optionally wait for provisioned concurrency |
+| [aws-s3-sync](.github/actions/aws-s3-sync) | Sync build artifacts to S3, clean up old versioned assets, optionally invalidate CloudFront |
+| [cloudfront-invalidate](.github/actions/cloudfront-invalidate) | Invalidate one or more CloudFront distributions |
+| [docker-build-push](.github/actions/docker-build-push) | Build Docker image and push to JFrog with semver tags (major, minor, patch) |
+| [helm-deploy](.github/actions/helm-deploy) | Deploy a service to Kubernetes via Helm over SSH |
+| [maven-build](.github/actions/maven-build) | Run Maven build — verify-only (PRs) or package+jib push (deploy) |
+| [playwright-e2e](.github/actions/playwright-e2e) | Run Playwright E2E tests with optional sharding, upload results to S3 |
+| [pnpm-build](.github/actions/pnpm-build) | Set up pnpm, authenticate JFrog npm registry, install deps, run scripts |
+| [publish-npm-package](.github/actions/publish-npm-package) | Build and publish npm package to JFrog Artifactory |
+| [publish-rust-crate](.github/actions/publish-rust-crate) | Build, test, and publish Rust crate to JFrog Cargo registry |
+| [rust-build](.github/actions/rust-build) | Run Rust CI — fmt, clippy, tests, optional cross-compilation |
+| [secrets-inject](.github/actions/secrets-inject) | Append a secrets file to a Java .properties file |
+| [terraform-apply](.github/actions/terraform-apply) | Full Terraform init + workspace + apply + output capture |
+| [terraform-module-publish](.github/actions/terraform-module-publish) | Zip a Terraform module and publish to JFrog Artifactory |
+| [terraform-validate](.github/actions/terraform-validate) | Validate Terraform code without backend (for PR checks) |
 
 ## Usage
 

From 76ebe0ec650ba75f01249dd8761c3797d8f9351e Mon Sep 17 00:00:00 2001
From: Markus Opahle <markus.opahle@schmalz.de>
Date: Fri, 24 Apr 2026 15:55:44 +0200
Subject: [PATCH 4/5] refactor: move action to repo root

---
 {.github/actions/aikido-full-scan => aikido-full-scan}/README.md  | 0
 {.github/actions/aikido-full-scan => aikido-full-scan}/action.yml | 0
 {.github/actions/aikido-pr-scan => aikido-pr-scan}/README.md      | 0
 {.github/actions/aikido-pr-scan => aikido-pr-scan}/action.yml     | 0
 {.github/actions/aws-configure => aws-configure}/README.md        | 0
 {.github/actions/aws-configure => aws-configure}/action.yml       | 0
 .../actions/aws-lambda-update => aws-lambda-update}/README.md     | 0
 .../actions/aws-lambda-update => aws-lambda-update}/action.yml    | 0
 {.github/actions/aws-s3-sync => aws-s3-sync}/README.md            | 0
 {.github/actions/aws-s3-sync => aws-s3-sync}/action.yml           | 0
 .../cloudfront-invalidate => cloudfront-invalidate}/README.md     | 0
 .../cloudfront-invalidate => cloudfront-invalidate}/action.yml    | 0
 .../actions/docker-build-push => docker-build-push}/README.md     | 0
 .../actions/docker-build-push => docker-build-push}/action.yml    | 0
 {.github/actions/helm-deploy => helm-deploy}/README.md            | 0
 {.github/actions/helm-deploy => helm-deploy}/action.yml           | 0
 {.github/actions/maven-build => maven-build}/README.md            | 0
 {.github/actions/maven-build => maven-build}/action.yml           | 0
 {.github/actions/playwright-e2e => playwright-e2e}/README.md      | 0
 {.github/actions/playwright-e2e => playwright-e2e}/action.yml     | 0
 {.github/actions/pnpm-build => pnpm-build}/README.md              | 0
 {.github/actions/pnpm-build => pnpm-build}/action.yml             | 0
 .../actions/publish-npm-package => publish-npm-package}/README.md | 0
 .../publish-npm-package => publish-npm-package}/action.yml        | 0
 .../actions/publish-rust-crate => publish-rust-crate}/README.md   | 0
 .../actions/publish-rust-crate => publish-rust-crate}/action.yml  | 0
 {.github/actions/rust-build => rust-build}/README.md              | 0
 {.github/actions/rust-build => rust-build}/action.yml             | 0
 {.github/actions/secrets-inject => secrets-inject}/README.md      | 0
 {.github/actions/secrets-inject => secrets-inject}/action.yml     | 0
 {.github/actions/terraform-apply => terraform-apply}/README.md    | 0
 {.github/actions/terraform-apply => terraform-apply}/action.yml   | 0
 .../README.md                                                     | 0
 .../action.yml                                                    | 0
 .../actions/terraform-validate => terraform-validate}/README.md   | 0
 .../actions/terraform-validate => terraform-validate}/action.yml  | 0
 36 files changed, 0 insertions(+), 0 deletions(-)
 rename {.github/actions/aikido-full-scan => aikido-full-scan}/README.md (100%)
 rename {.github/actions/aikido-full-scan => aikido-full-scan}/action.yml (100%)
 rename {.github/actions/aikido-pr-scan => aikido-pr-scan}/README.md (100%)
 rename {.github/actions/aikido-pr-scan => aikido-pr-scan}/action.yml (100%)
 rename {.github/actions/aws-configure => aws-configure}/README.md (100%)
 rename {.github/actions/aws-configure => aws-configure}/action.yml (100%)
 rename {.github/actions/aws-lambda-update => aws-lambda-update}/README.md (100%)
 rename {.github/actions/aws-lambda-update => aws-lambda-update}/action.yml (100%)
 rename {.github/actions/aws-s3-sync => aws-s3-sync}/README.md (100%)
 rename {.github/actions/aws-s3-sync => aws-s3-sync}/action.yml (100%)
 rename {.github/actions/cloudfront-invalidate => cloudfront-invalidate}/README.md (100%)
 rename {.github/actions/cloudfront-invalidate => cloudfront-invalidate}/action.yml (100%)
 rename {.github/actions/docker-build-push => docker-build-push}/README.md (100%)
 rename {.github/actions/docker-build-push => docker-build-push}/action.yml (100%)
 rename {.github/actions/helm-deploy => helm-deploy}/README.md (100%)
 rename {.github/actions/helm-deploy => helm-deploy}/action.yml (100%)
 rename {.github/actions/maven-build => maven-build}/README.md (100%)
 rename {.github/actions/maven-build => maven-build}/action.yml (100%)
 rename {.github/actions/playwright-e2e => playwright-e2e}/README.md (100%)
 rename {.github/actions/playwright-e2e => playwright-e2e}/action.yml (100%)
 rename {.github/actions/pnpm-build => pnpm-build}/README.md (100%)
 rename {.github/actions/pnpm-build => pnpm-build}/action.yml (100%)
 rename {.github/actions/publish-npm-package => publish-npm-package}/README.md (100%)
 rename {.github/actions/publish-npm-package => publish-npm-package}/action.yml (100%)
 rename {.github/actions/publish-rust-crate => publish-rust-crate}/README.md (100%)
 rename {.github/actions/publish-rust-crate => publish-rust-crate}/action.yml (100%)
 rename {.github/actions/rust-build => rust-build}/README.md (100%)
 rename {.github/actions/rust-build => rust-build}/action.yml (100%)
 rename {.github/actions/secrets-inject => secrets-inject}/README.md (100%)
 rename {.github/actions/secrets-inject => secrets-inject}/action.yml (100%)
 rename {.github/actions/terraform-apply => terraform-apply}/README.md (100%)
 rename {.github/actions/terraform-apply => terraform-apply}/action.yml (100%)
 rename {.github/actions/terraform-module-publish => terraform-module-publish}/README.md (100%)
 rename {.github/actions/terraform-module-publish => terraform-module-publish}/action.yml (100%)
 rename {.github/actions/terraform-validate => terraform-validate}/README.md (100%)
 rename {.github/actions/terraform-validate => terraform-validate}/action.yml (100%)

diff --git a/.github/actions/aikido-full-scan/README.md b/aikido-full-scan/README.md
similarity index 100%
rename from .github/actions/aikido-full-scan/README.md
rename to aikido-full-scan/README.md
diff --git a/.github/actions/aikido-full-scan/action.yml b/aikido-full-scan/action.yml
similarity index 100%
rename from .github/actions/aikido-full-scan/action.yml
rename to aikido-full-scan/action.yml
diff --git a/.github/actions/aikido-pr-scan/README.md b/aikido-pr-scan/README.md
similarity index 100%
rename from .github/actions/aikido-pr-scan/README.md
rename to aikido-pr-scan/README.md
diff --git a/.github/actions/aikido-pr-scan/action.yml b/aikido-pr-scan/action.yml
similarity index 100%
rename from .github/actions/aikido-pr-scan/action.yml
rename to aikido-pr-scan/action.yml
diff --git a/.github/actions/aws-configure/README.md b/aws-configure/README.md
similarity index 100%
rename from .github/actions/aws-configure/README.md
rename to aws-configure/README.md
diff --git a/.github/actions/aws-configure/action.yml b/aws-configure/action.yml
similarity index 100%
rename from .github/actions/aws-configure/action.yml
rename to aws-configure/action.yml
diff --git a/.github/actions/aws-lambda-update/README.md b/aws-lambda-update/README.md
similarity index 100%
rename from .github/actions/aws-lambda-update/README.md
rename to aws-lambda-update/README.md
diff --git a/.github/actions/aws-lambda-update/action.yml b/aws-lambda-update/action.yml
similarity index 100%
rename from .github/actions/aws-lambda-update/action.yml
rename to aws-lambda-update/action.yml
diff --git a/.github/actions/aws-s3-sync/README.md b/aws-s3-sync/README.md
similarity index 100%
rename from .github/actions/aws-s3-sync/README.md
rename to aws-s3-sync/README.md
diff --git a/.github/actions/aws-s3-sync/action.yml b/aws-s3-sync/action.yml
similarity index 100%
rename from .github/actions/aws-s3-sync/action.yml
rename to aws-s3-sync/action.yml
diff --git a/.github/actions/cloudfront-invalidate/README.md b/cloudfront-invalidate/README.md
similarity index 100%
rename from .github/actions/cloudfront-invalidate/README.md
rename to cloudfront-invalidate/README.md
diff --git a/.github/actions/cloudfront-invalidate/action.yml b/cloudfront-invalidate/action.yml
similarity index 100%
rename from .github/actions/cloudfront-invalidate/action.yml
rename to cloudfront-invalidate/action.yml
diff --git a/.github/actions/docker-build-push/README.md b/docker-build-push/README.md
similarity index 100%
rename from .github/actions/docker-build-push/README.md
rename to docker-build-push/README.md
diff --git a/.github/actions/docker-build-push/action.yml b/docker-build-push/action.yml
similarity index 100%
rename from .github/actions/docker-build-push/action.yml
rename to docker-build-push/action.yml
diff --git a/.github/actions/helm-deploy/README.md b/helm-deploy/README.md
similarity index 100%
rename from .github/actions/helm-deploy/README.md
rename to helm-deploy/README.md
diff --git a/.github/actions/helm-deploy/action.yml b/helm-deploy/action.yml
similarity index 100%
rename from .github/actions/helm-deploy/action.yml
rename to helm-deploy/action.yml
diff --git a/.github/actions/maven-build/README.md b/maven-build/README.md
similarity index 100%
rename from .github/actions/maven-build/README.md
rename to maven-build/README.md
diff --git a/.github/actions/maven-build/action.yml b/maven-build/action.yml
similarity index 100%
rename from .github/actions/maven-build/action.yml
rename to maven-build/action.yml
diff --git a/.github/actions/playwright-e2e/README.md b/playwright-e2e/README.md
similarity index 100%
rename from .github/actions/playwright-e2e/README.md
rename to playwright-e2e/README.md
diff --git a/.github/actions/playwright-e2e/action.yml b/playwright-e2e/action.yml
similarity index 100%
rename from .github/actions/playwright-e2e/action.yml
rename to playwright-e2e/action.yml
diff --git a/.github/actions/pnpm-build/README.md b/pnpm-build/README.md
similarity index 100%
rename from .github/actions/pnpm-build/README.md
rename to pnpm-build/README.md
diff --git a/.github/actions/pnpm-build/action.yml b/pnpm-build/action.yml
similarity index 100%
rename from .github/actions/pnpm-build/action.yml
rename to pnpm-build/action.yml
diff --git a/.github/actions/publish-npm-package/README.md b/publish-npm-package/README.md
similarity index 100%
rename from .github/actions/publish-npm-package/README.md
rename to publish-npm-package/README.md
diff --git a/.github/actions/publish-npm-package/action.yml b/publish-npm-package/action.yml
similarity index 100%
rename from .github/actions/publish-npm-package/action.yml
rename to publish-npm-package/action.yml
diff --git a/.github/actions/publish-rust-crate/README.md b/publish-rust-crate/README.md
similarity index 100%
rename from .github/actions/publish-rust-crate/README.md
rename to publish-rust-crate/README.md
diff --git a/.github/actions/publish-rust-crate/action.yml b/publish-rust-crate/action.yml
similarity index 100%
rename from .github/actions/publish-rust-crate/action.yml
rename to publish-rust-crate/action.yml
diff --git a/.github/actions/rust-build/README.md b/rust-build/README.md
similarity index 100%
rename from .github/actions/rust-build/README.md
rename to rust-build/README.md
diff --git a/.github/actions/rust-build/action.yml b/rust-build/action.yml
similarity index 100%
rename from .github/actions/rust-build/action.yml
rename to rust-build/action.yml
diff --git a/.github/actions/secrets-inject/README.md b/secrets-inject/README.md
similarity index 100%
rename from .github/actions/secrets-inject/README.md
rename to secrets-inject/README.md
diff --git a/.github/actions/secrets-inject/action.yml b/secrets-inject/action.yml
similarity index 100%
rename from .github/actions/secrets-inject/action.yml
rename to secrets-inject/action.yml
diff --git a/.github/actions/terraform-apply/README.md b/terraform-apply/README.md
similarity index 100%
rename from .github/actions/terraform-apply/README.md
rename to terraform-apply/README.md
diff --git a/.github/actions/terraform-apply/action.yml b/terraform-apply/action.yml
similarity index 100%
rename from .github/actions/terraform-apply/action.yml
rename to terraform-apply/action.yml
diff --git a/.github/actions/terraform-module-publish/README.md b/terraform-module-publish/README.md
similarity index 100%
rename from .github/actions/terraform-module-publish/README.md
rename to terraform-module-publish/README.md
diff --git a/.github/actions/terraform-module-publish/action.yml b/terraform-module-publish/action.yml
similarity index 100%
rename from .github/actions/terraform-module-publish/action.yml
rename to terraform-module-publish/action.yml
diff --git a/.github/actions/terraform-validate/README.md b/terraform-validate/README.md
similarity index 100%
rename from .github/actions/terraform-validate/README.md
rename to terraform-validate/README.md
diff --git a/.github/actions/terraform-validate/action.yml b/terraform-validate/action.yml
similarity index 100%
rename from .github/actions/terraform-validate/action.yml
rename to terraform-validate/action.yml

From dd0a4f28ddc2004d05381ab1ec7bdc6bac42133c Mon Sep 17 00:00:00 2001
From: Markus Opahle <markus.opahle@schmalz.de>
Date: Fri, 24 Apr 2026 15:56:10 +0200
Subject: [PATCH 5/5] feat: use mpalmer/action-validator to validate the shared
 actions

---
 .../workflows/validate-shared-actions.yml     | 23 ++++++
 .github/workflows/validate-shared-actions.yml | 73 -------------------
 2 files changed, 23 insertions(+), 73 deletions(-)
 create mode 100644 .forgejo/workflows/validate-shared-actions.yml
 delete mode 100644 .github/workflows/validate-shared-actions.yml

diff --git a/.forgejo/workflows/validate-shared-actions.yml b/.forgejo/workflows/validate-shared-actions.yml
new file mode 100644
index 0000000..570918d
--- /dev/null
+++ b/.forgejo/workflows/validate-shared-actions.yml
@@ -0,0 +1,23 @@
+name: validate-shared-actions
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  validate-shared-actions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Validate shared action metadata
+        uses: mpalmer/action-validator@v0.9.0
+        with:
+          version: 0.9.0
+          patterns: |
+            :(glob)**/action.yml
+            :(glob)**/action.yaml
diff --git a/.github/workflows/validate-shared-actions.yml b/.github/workflows/validate-shared-actions.yml
deleted file mode 100644
index d12f25d..0000000
--- a/.github/workflows/validate-shared-actions.yml
+++ /dev/null
@@ -1,73 +0,0 @@
-name: validate-shared-actions
-
-on:
-  pull_request:
-    types: [opened, reopened, synchronize]
-
-permissions:
-  contents: read
-
-jobs:
-  validate-shared-actions:
-    runs-on: ubuntu-latest
-    env:
-      ACTIONLINT_VERSION: "1.7.8"
-    steps:
-      - name: Checkout
-        uses: https://code.forgejo.org/actions/checkout@v4
-
-      - name: Restore actionlint cache
-        id: cache-actionlint
-        uses: https://data.forgejo.org/actions/cache/restore@v4
-        with:
-          path: .cache/tools/actionlint
-          key: actionlint-${{ runner.os }}-${{ env.ACTIONLINT_VERSION }}
-
-      - name: Install actionlint (pinned + checksum)
-        if: ${{ steps.cache-actionlint.outputs.cache-hit != 'true' }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          VERSION="${ACTIONLINT_VERSION}"
-          OS="linux"
-          ARCH="amd64"
-          BASE_URL="https://github.com/rhysd/actionlint/releases/download/v${VERSION}"
-          TAR="actionlint_${VERSION}_${OS}_${ARCH}.tar.gz"
-          CHECKSUMS="checksums.txt"
-
-          INSTALL_DIR=".cache/tools/actionlint/${VERSION}"
-          mkdir -p "${INSTALL_DIR}"
-
-          curl -fsSL "${BASE_URL}/${TAR}" -o "/tmp/${TAR}"
-          curl -fsSL "${BASE_URL}/${CHECKSUMS}" -o "/tmp/${CHECKSUMS}"
-
-          grep " ${TAR}$" "/tmp/${CHECKSUMS}" > "/tmp/actionlint-sha256.txt"
-          (cd /tmp && sha256sum -c actionlint-sha256.txt)
-
-          tar -xzf "/tmp/${TAR}" -C "${INSTALL_DIR}" actionlint
-          chmod +x "${INSTALL_DIR}/actionlint"
-
-      - name: Save actionlint cache
-        if: ${{ steps.cache-actionlint.outputs.cache-hit != 'true' }}
-        uses: https://data.forgejo.org/actions/cache/save@v4
-        with:
-          path: .cache/tools/actionlint
-          key: actionlint-${{ runner.os }}-${{ env.ACTIONLINT_VERSION }}
-
-      - name: Lint workflows with actionlint
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          ACTIONLINT_BIN=".cache/tools/actionlint/${ACTIONLINT_VERSION}/actionlint"
-          if [ ! -x "${ACTIONLINT_BIN}" ]; then
-            echo "actionlint binary missing: ${ACTIONLINT_BIN}"
-            exit 1
-          fi
-
-          if compgen -G ".github/workflows/*.yml" > /dev/null || compgen -G ".github/workflows/*.yaml" > /dev/null; then
-            "${ACTIONLINT_BIN}" -color
-          else
-            echo "No workflow files found in .github/workflows; skipping actionlint workflow lint"
-          fi