From 801c7e224931fc193043927f3d0b60629f8f3ac5 Mon Sep 17 00:00:00 2001 From: Michael Seele Date: Thu, 11 Jun 2026 07:34:01 +0000 Subject: [PATCH 01/10] feat: add publish actions with documentation --- .forgejo/workflows/tag-release.yml | 2 + README.md | 2 + publish-npm-package/README.md | 28 +++++++++++++ publish-npm-package/action.yml | 64 ++++++++++++++++++++++++++++++ publish-rust-crate/README.md | 29 ++++++++++++++ publish-rust-crate/action.yml | 64 ++++++++++++++++++++++++++++++ 6 files changed, 189 insertions(+) create mode 100644 publish-npm-package/README.md create mode 100644 publish-npm-package/action.yml create mode 100644 publish-rust-crate/README.md create mode 100644 publish-rust-crate/action.yml diff --git a/.forgejo/workflows/tag-release.yml b/.forgejo/workflows/tag-release.yml index 3bd09b0..79c61b0 100644 --- a/.forgejo/workflows/tag-release.yml +++ b/.forgejo/workflows/tag-release.yml @@ -26,6 +26,8 @@ on: - pnpm-build - playwright-merge - playwright-run + - publish-npm-package + - publish-rust-crate - publish-static-contents - rust-build - terraform-apply diff --git a/README.md b/README.md index cf223c2..66f3ecf 100644 --- a/README.md +++ b/README.md 
@@ -19,6 +19,8 @@ Shared actions for Forgejo CI/CD pipelines. | [pnpm-build](pnpm-build) | Action for building and validating with PNPM | | [playwright-merge](playwright-merge) | Merge Playwright shard blob reports and publish consolidated reports | | [playwright-run](playwright-run) | Run Playwright tests for one shard and upload its blob report | +| [publish-npm-package](publish-npm-package) | Publish a PNPM package to JFrog Artifactory | +| [publish-rust-crate](publish-rust-crate) | Publish a Rust crate to JFrog Artifactory | | [publish-static-contents](publish-static-contents) | Syncs frontend assets to S3 and invalidates a CloudFront distribution | | [rust-build](rust-build) | Set up Rust toolchain, run checks, and build via the project's build.sh | | [terraform-apply](terraform-apply) | Apply Terraform configuration files using the official Terraform CLI | diff --git a/publish-npm-package/README.md b/publish-npm-package/README.md new file mode 100644 index 0000000..7411507 --- /dev/null +++ b/publish-npm-package/README.md 
@@ -0,0 +1,28 @@ +# publish-npm-package + +Publish a PNPM package to JFrog Artifactory. + +## Inputs + +| Input | Required | Default | Description | +|-------|----------|---------|-------------| +| `working-directory` | No | `.` | Directory containing `package.json` | +| `node-version` | No | `24` | Node.js version | +| `pnpm-version` | No | `10.33` | pnpm version | +| `jfrog-token` | Yes | — | JFrog npm auth token | +| `registry-url` | No | `https://schmalz.jfrog.io/artifactory/api/npm/default-npm/` | npm registry URL | + +## Usage + +```yaml +- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/publish-npm-package@publish-npm-package-v1 + with: + working-directory: . + jfrog-token: ${{ secrets.JFROG_TOKEN }} +``` + +## Notes + +- Publishes with `pnpm publish`. +- Configures the registry auth token from `registry-url` and `jfrog-token`. +- Third-party actions used internally are pinned to exact commit SHAs to prevent supply chain attacks. diff --git a/publish-npm-package/action.yml b/publish-npm-package/action.yml new file mode 100644 index 0000000..69b8fa3 --- /dev/null +++ b/publish-npm-package/action.yml 
@@ -0,0 +1,64 @@ +name: publish-npm-package +description: Publish a PNPM package to JFrog Artifactory. + +inputs: + working-directory: + description: Directory containing package.json + required: false + default: "." + node-version: + description: Node.js version + required: false + default: "24" + pnpm-version: + description: pnpm version + required: false + default: "10.33" + jfrog-token: + description: JFrog npm auth token + required: true + registry-url: + description: npm registry URL + required: false + default: "https://schmalz.jfrog.io/artifactory/api/npm/default-npm/" + +runs: + using: composite + steps: + # Pinned to commit SHA instead of a tag to prevent supply chain attacks. + # actions/setup-node v4.4.0 — https://code.forgejo.org/actions/setup-node/commits/tag/v4.4.0 + - name: Setup Node + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 + with: + node-version: ${{ inputs.node-version }} + + # Pinned to commit SHA instead of a tag to prevent supply chain attacks. + # pnpm/action-setup v4.3.0 — https://code.forgejo.org/pnpm/action-setup/commits/tag/v4.3.0 + - name: Install pnpm + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 + env: + # pnpm/action-setup bootstraps itself via npm before pnpm is available, + # so it must reach the public npm registry. + NPM_CONFIG_REGISTRY: https://registry.npmjs.org + with: + version: ${{ inputs.pnpm-version }} + + - name: Configure JFrog registry authentication + shell: bash + env: + JFROG_TOKEN: ${{ inputs.jfrog-token }} + REGISTRY_URL: ${{ inputs.registry-url }} + run: | + set -euo pipefail + + pnpm set registry "${REGISTRY_URL}" + + AUTHORITY="${REGISTRY_URL#https://}" + AUTHORITY="${AUTHORITY#http://}" + AUTHORITY="${AUTHORITY%/}" + pnpm set "//${AUTHORITY}/:_authToken" "${JFROG_TOKEN}" + + - name: Publish + shell: bash + working-directory: ${{ inputs.working-directory }} + run: pnpm publish 
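Review bot: The `Configure JFrog registry authentication` step stores the publish token with `pnpm set`, which without `--location project` writes to the user-level `~/.npmrc`, so on a persistent or shared runner the JFrog credential outlives the job and is readable by whatever runs next; the hunk has no cleanup step. The established way to keep the token off disk is to hand `registry-url` to `actions/setup-node` (it writes a job-scoped `.npmrc` under `$RUNNER_TEMP` holding only a `${NODE_AUTH_TOKEN}` placeholder and points `NPM_CONFIG_USERCONFIG` at it) and to supply the token as `env: NODE_AUTH_TOKEN` on the `Publish` step alone, which pnpm honours as far as I can tell; the hand-rolled config step then disappears. Separately, the step strips `http://` as well as `https://`, so a caller passing a plain-http `registry-url` would send `_authToken` in cleartext; if the setup-node route is not taken, add `case "$REGISTRY_URL" in https://*) ;; *) echo "registry-url must use https" >&2; exit 1 ;; esac` before the `pnpm set` calls. Worth confirming on the Forgejo runner image that `RUNNER_TEMP` and `NPM_CONFIG_USERCONFIG` behave as they do on GitHub.
```yaml
  - name: Setup Node
    uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
    with:
      node-version: ${{ inputs.node-version }}
      # Writes a job-scoped .npmrc under $RUNNER_TEMP that reads the token from
      # NODE_AUTH_TOKEN at publish time, so nothing secret lands in ~/.npmrc.
      registry-url: ${{ inputs.registry-url }}

  # … unchanged: Install pnpm step …

  # The "Configure JFrog registry authentication" step is removed.

  - name: Publish
    shell: bash
    working-directory: ${{ inputs.working-directory }}
    env:
      # Only this step sees the token; it is never written to disk.
      NODE_AUTH_TOKEN: ${{ inputs.jfrog-token }}
    run: pnpm publish
```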
diff --git a/publish-rust-crate/README.md b/publish-rust-crate/README.md new file mode 100644 index 0000000..69a44c2 --- /dev/null +++ b/publish-rust-crate/README.md @@ -0,0 +1,29 @@ +# publish-rust-crate + +Publish a Rust crate to JFrog Artifactory. + +## Inputs + +| Input | Required | Default | Description | +|-------|----------|---------|-------------| +| `working-directory` | No | `.` | Directory containing `Cargo.toml` | +| `rust-version` | No | `1.95.0` | Rust toolchain version | +| `jfrog-token` | Yes | — | JFrog token for the Artifactory Cargo registry | +| `registry-name` | No | `artifactory` | Cargo registry name | +| `registry-index` | No | `sparse+https://schmalz.jfrog.io/artifactory/api/cargo/schmalz-cargo-local/index/` | Cargo registry index URL | + +## Usage + +```yaml +- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/publish-rust-crate@publish-rust-crate-v1 + with: + working-directory: . + jfrog-token: ${{ secrets.JFROG_TOKEN }} +``` + +## Notes + +- Configures Cargo registry settings in `${CARGO_HOME}/config.toml` and `${CARGO_HOME}/credentials.toml`. +- Falls back to `$HOME/.cargo` when `CARGO_HOME` is not set. +- Publishes with `cargo publish --registry `. +- Third-party actions used internally are pinned to exact commit SHAs to prevent supply chain attacks. diff --git a/publish-rust-crate/action.yml b/publish-rust-crate/action.yml new file mode 100644 index 0000000..11b26b3 --- /dev/null +++ b/publish-rust-crate/action.yml 
@@ -0,0 +1,64 @@ +name: publish-rust-crate +description: Publish a Rust crate to JFrog Artifactory. + +inputs: + working-directory: + description: Directory containing Cargo.toml + required: false + default: "." + rust-version: + description: Rust toolchain version + required: false + default: "1.95.0" + jfrog-token: + description: JFrog token for the Artifactory Cargo registry + required: true + registry-name: + description: Cargo registry name + required: false + default: artifactory + registry-index: + description: Cargo registry index URL + required: false + default: "sparse+https://schmalz.jfrog.io/artifactory/api/cargo/schmalz-cargo-local/index/" + +runs: + using: composite + steps: + # Pinned to commit SHA instead of a tag to prevent supply chain attacks. + # dtolnay/rust-toolchain v1 (2026-03-27) — https://github.com/dtolnay/rust-toolchain/commit/3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 + - name: Setup Rust toolchain + uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 + with: + toolchain: ${{ inputs.rust-version }} + + - name: Configure Cargo registry (JFrog Artifactory) + shell: bash + env: + JFROG_TOKEN: ${{ inputs.jfrog-token }} + REGISTRY_NAME: ${{ inputs.registry-name }} + REGISTRY_INDEX: ${{ inputs.registry-index }} + run: | + set -euo pipefail + + CARGO_HOME_DIR="${CARGO_HOME:-$HOME/.cargo}" + mkdir -p "${CARGO_HOME_DIR}" + + cat >> "${CARGO_HOME_DIR}/config.toml" <> "${CARGO_HOME_DIR}/credentials.toml" < Date: Mon, 15 Jun 2026 12:09:09 +0530 Subject: [PATCH 02/10] fix: create terraform workspaces automatically in shared actions --- terraform-apply/action.yml | 2 +- terraform-validate/action.yml | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/terraform-apply/action.yml b/terraform-apply/action.yml index 3776737..8d76de9 100644 --- a/terraform-apply/action.yml +++ b/terraform-apply/action.yml 
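Review bot: The `Configure Cargo registry (JFrog Artifactory)` step appends (`>>`) to `${CARGO_HOME_DIR}/config.toml` and `credentials.toml`, and nothing in the hunk removes what it wrote, so on a persistent runner every run stacks another `[registries.<name>]` table and the JFrog token stays readable on disk after the job. The heredoc bodies are not legible in this rendering of the patch, so I cannot check their quoting or the resulting file mode; with the default `umask` a freshly created `credentials.toml` is world-readable. Cargo reads `CARGO_REGISTRIES_<NAME>_INDEX` and `CARGO_REGISTRIES_<NAME>_TOKEN` from the environment (name upper-cased, `-` mapped to `_`), so the whole step can become two `env:` entries on the publish step with no file writes at all; if `registry-name` must stay dynamic, export them via `$GITHUB_ENV` from this step instead of touching `$CARGO_HOME`. If the files are kept, run `umask 077` before the heredocs, write the token through `printf '%s' "$JFROG_TOKEN" | cargo login --registry "$REGISTRY_NAME"` (which creates `credentials.toml` with owner-only permissions on Unix, as far as I recall), and add a final `if: always()` step running `cargo logout --registry "$REGISTRY_NAME"`. The `cargo publish` step the README mentions is not legible here either, so I could not review it.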
@@ -61,7 +61,7 @@ runs: TF_DIR: ${{ inputs.terraform-dir }} TF_WORKSPACE_NAME: ${{ inputs.workspace }} run: | - terraform -chdir="$TF_DIR" workspace select "$TF_WORKSPACE_NAME" + terraform -chdir="$TF_DIR" workspace select -or-create "$TF_WORKSPACE_NAME" - name: Terraform Apply shell: bash diff --git a/terraform-validate/action.yml b/terraform-validate/action.yml index 0fcde1f..b4389db 100644 --- a/terraform-validate/action.yml +++ b/terraform-validate/action.yml @@ -69,6 +69,15 @@ runs: TF_TOKEN_schmalz_jfrog_io: ${{ inputs.jfrog-token }} run: terraform -chdir=${{ env.TF_DIR }} init -backend=false -no-color + - name: Terraform Select Workspace + if: ${{ inputs.workspace != '' }} + shell: bash + env: + TF_DIR: ${{ inputs.terraform-dir }} + TF_WORKSPACE_NAME: ${{ inputs.workspace }} + run: | + terraform -chdir="$TF_DIR" workspace select -or-create "$TF_WORKSPACE_NAME" + - name: Terraform Format Check shell: bash env: From 36343e0a7903bc0ff96496c870bde5adb33b8bea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20B=C3=B6hringer?= Date: Mon, 15 Jun 2026 09:28:00 +0200 Subject: [PATCH 03/10] fix: revert workspace selection as validate does not initialize backend --- terraform-validate/action.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/terraform-validate/action.yml b/terraform-validate/action.yml index b4389db..0fcde1f 100644 --- a/terraform-validate/action.yml +++ b/terraform-validate/action.yml @@ -69,15 +69,6 @@ runs: TF_TOKEN_schmalz_jfrog_io: ${{ inputs.jfrog-token }} run: terraform -chdir=${{ env.TF_DIR }} init -backend=false -no-color - - name: Terraform Select Workspace - if: ${{ inputs.workspace != '' }} - shell: bash - env: - TF_DIR: ${{ inputs.terraform-dir }} - TF_WORKSPACE_NAME: ${{ inputs.workspace }} - run: | - terraform -chdir="$TF_DIR" workspace select -or-create "$TF_WORKSPACE_NAME" - - name: Terraform Format Check shell: bash env: From 5b6f2cfd289b2345339b91f05e827630791e6533 Mon Sep 17 00:00:00 2001 
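Review bot: `workspace select -or-create` in the terraform-apply step silently creates a workspace whenever the `workspace` input does not match an existing one, so a mistyped input no longer fails the job; it yields an empty state and the following `terraform apply` would then try to create every resource afresh alongside the infrastructure already managed under the intended workspace. If automatic creation is really wanted, gate it behind an explicit opt-in input that defaults to the old failure mode, e.g. `if [ "${CREATE_WORKSPACE}" = "true" ]; then terraform -chdir="$TF_DIR" workspace select -or-create "$TF_WORKSPACE_NAME"; else terraform -chdir="$TF_DIR" workspace select "$TF_WORKSPACE_NAME"; fi`, and echo `terraform workspace list` beforehand so the log shows whether a new workspace was created. The step's `name`/`shell` lines and the inputs block are outside the hunk.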
From: =?UTF-8?q?Sebastian=20B=C3=B6hringer?= Date: Tue, 16 Jun 2026 13:33:16 +0200 Subject: [PATCH 04/10] feat: create deploy-esb action --- .forgejo/workflows/tag-release.yml | 1 + esb-deploy/README.md | 30 +++++++++++++++ esb-deploy/action.yml | 60 ++++++++++++++++++++++++++++++ 3 files changed, 91 insertions(+) create mode 100644 esb-deploy/README.md create mode 100644 esb-deploy/action.yml diff --git a/.forgejo/workflows/tag-release.yml b/.forgejo/workflows/tag-release.yml index 79c61b0..f17834c 100644 --- a/.forgejo/workflows/tag-release.yml +++ b/.forgejo/workflows/tag-release.yml @@ -18,6 +18,7 @@ on: - aws-configure - cache - checkout + - deploy-esb - download-artifact - helm-deploy - i18n-sync diff --git a/esb-deploy/README.md b/esb-deploy/README.md new file mode 100644 index 0000000..1b761ac --- /dev/null +++ b/esb-deploy/README.md 
@@ -0,0 +1,30 @@ +# esb-deploy + +Deploy a service to an ESB docker host. + +## Inputs + +| Input | Required | Default | Description | +|-------|----------|---------|-------------| +| `docker-host` | Yes | - | esbdb3.schmalzgroup.net, esbdb4.schmalzgroup.net, esbdb2-stage.schmalzgroup.net| +| `java-version` | Yes | 25 | Same as default of the maven-build action | +| `maven-profile` | No | `test` | Maven profile to activate during deploy | +| `maven-settings` | **Yes** | — | Secret containing the `settings.xml` content used for repository authentication | +| `service-name` | Yes | — | Name of the service to deploy | + +## Usage + +```yaml +- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/esb-deploy@esb-deploy-v1 + with: + service-name: my-service + docker-host: esbdocker2-stage.schmalzgroup.net + java-version: 8 + maven-profile: test + maven-settings: ${{ secrets.MAVEN_SETTINGS }} +``` + +## Notes + +- The compose files are extracted from variables. They can be provided on the organization or repository level. +- The action uses the maven-build action to build the service. The pom.xml has to be in the root directory diff --git a/esb-deploy/action.yml b/esb-deploy/action.yml new file mode 100644 index 0000000..96a6593 --- /dev/null +++ b/esb-deploy/action.yml 
@@ -0,0 +1,60 @@ +name: Deploy ESB +description: Deploy a service to an ESB docker host. + +inputs: + docker-host: + description: Docker host to deploy to + required: true + maven-profile: + required: false + default: 'test' + description: 'Maven profile to use for the build' + maven-settings: + description: Secret containing the settings.xml content used for repository authentication + required: true + java-version: + description: Java version to use for the build + required: true + service: + description: Name of the service to deploy + required: false + default: 'true' + +runs: + using: composite + steps: + - name: Create compose files + shell: bash + env: + BASE_COMPOSE: ${{ vars.DOCKER_COMPOSE }} + SU_COMPOSE: ${{ vars.DOCKER_COMPOSE_SU }} + run: | + printf '%s\n' "$BASE_COMPOSE" > compose.yml + printf '%s\n' "$SU_COMPOSE" > compose-su.yml + + - uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/maven-build@maven-build-v1 + with: + phase: verify + maven-settings: ${{ inputs.maven-settings }} + verify-goals: clean package + java-version: ${{ inputs.java-version }} + + - name: Compose stage + if: ${{ inputs.stage == 'true' }} + shell: bash + env: + SERVICE: ${{ inputs.service }} + run: | + echo "Deploying $SERVICE to stage environment" + export DOCKER_HOST="tcp://${{ inputs.docker-host }}:2375" + docker compose -f compose.yml -f compose-su.yml up -d --build --no-deps "$SERVICE" + + - name: Compose prod + if: ${{ inputs.stage != 'true' }} + shell: bash + env: + SERVICE: ${{ inputs.service }} + run: | + echo "Deploying $SERVICE to production environment" + export DOCKER_HOST="tcp://${{ inputs.docker-host }}:2375" + docker compose -f compose.yml up -d --build --no-deps "$SERVICE" From 4e15383d233328604bbd4c37d9dc737d9784e165 Mon Sep 17 00:00:00 2001 
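Review bot: Both compose steps export `DOCKER_HOST="tcp://${{ inputs.docker-host }}:2375"` with no `DOCKER_TLS_VERIFY`/`DOCKER_CERT_PATH`, i.e. the Docker Engine API is reached over plaintext TCP with no client authentication; anyone who can reach that port on the ESB hosts gets root-equivalent control of them, and the token-free connection also means the runner cannot detect a spoofed host. On top of that, `inputs.docker-host` is interpolated straight into the shell script rather than passed through `env:` as `SERVICE` is, so a crafted input value becomes shell code in the step. Pass the host via `env:`, restrict it to the hosts the README enumerates (all under `schmalzgroup.net`, as far as the README shows), and connect over mutually authenticated TLS on 2376 (or `ssh://`) with the client certificate material provided through a secret input in an earlier step. The same change applies to the `Compose prod` step.
```yaml
  - name: Compose stage
    if: ${{ inputs.stage == 'true' }}
    shell: bash
    env:
      SERVICE: ${{ inputs.service }}
      TARGET_HOST: ${{ inputs.docker-host }}
    run: |
      set -euo pipefail
      # Only the documented ESB hosts may be targeted; refuse anything else.
      case "$TARGET_HOST" in
        *.schmalzgroup.net) ;;
        *) echo "refusing unexpected docker-host: $TARGET_HOST" >&2; exit 1 ;;
      esac
      echo "Deploying $SERVICE to stage environment"
      # Mutually authenticated TLS instead of the unauthenticated plaintext API on 2375.
      export DOCKER_HOST="tcp://${TARGET_HOST}:2376" DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH="${RUNNER_TEMP}/docker-certs"
      docker compose -f compose.yml -f compose-su.yml up -d --build --no-deps "$SERVICE"

  # … unchanged: Compose prod step, with the same env/TLS change …
```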
From: =?UTF-8?q?Sebastian=20B=C3=B6hringer?= Date: Tue, 16 Jun 2026 16:25:43 +0200 Subject: [PATCH 05/10] fix: use correct name in tag-release workflow --- .forgejo/workflows/tag-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/tag-release.yml b/.forgejo/workflows/tag-release.yml index f17834c..428ec72 100644 --- a/.forgejo/workflows/tag-release.yml +++ b/.forgejo/workflows/tag-release.yml @@ -18,8 +18,8 @@ on: - aws-configure - cache - checkout - - deploy-esb - download-artifact + - esb-deploy - helm-deploy - i18n-sync - inject-content From 115300a7e1614eaee4fc5d40ac7baf6e151ce73b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20B=C3=B6hringer?= Date: Tue, 16 Jun 2026 16:32:34 +0200 Subject: [PATCH 06/10] fix: readme mentioned wrong parameters --- esb-deploy/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/esb-deploy/README.md b/esb-deploy/README.md index 1b761ac..51eae81 100644 --- a/esb-deploy/README.md +++ b/esb-deploy/README.md @@ -10,14 +10,14 @@ Deploy a service to an ESB docker host. | `java-version` | Yes | 25 | Same as default of the maven-build action | | `maven-profile` | No | `test` | Maven profile to activate during deploy | | `maven-settings` | **Yes** | — | Secret containing the `settings.xml` content used for repository authentication | -| `service-name` | Yes | — | Name of the service to deploy | +| `service` | Yes | — | Name of the service to deploy | ## Usage ```yaml - uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/esb-deploy@esb-deploy-v1 with: - service-name: my-service + service: my-service docker-host: esbdocker2-stage.schmalzgroup.net java-version: 8 maven-profile: test From 0134da8ac7cab452a944bfd3abe25487739952cf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sebastian=20B=C3=B6hringer?= Date: Wed, 17 Jun 2026 07:42:35 +0200 Subject: [PATCH 07/10] fix: propagate maven profile in esb-deploy action --- esb-deploy/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/esb-deploy/action.yml b/esb-deploy/action.yml index 96a6593..c8fd97f 100644 --- a/esb-deploy/action.yml +++ b/esb-deploy/action.yml @@ -38,6 +38,7 @@ runs: maven-settings: ${{ inputs.maven-settings }} verify-goals: clean package java-version: ${{ inputs.java-version }} + maven-profile: ${{ inputs.maven-profile}} - name: Compose stage if: ${{ inputs.stage == 'true' }} From 91494155758370e2731738b33ed27543e9113989 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20B=C3=B6hringer?= Date: Wed, 17 Jun 2026 08:01:38 +0200 Subject: [PATCH 08/10] fix: action did not provide stage toggle --- esb-deploy/README.md | 2 ++ esb-deploy/action.yml | 3 +++ 2 files changed, 5 insertions(+) diff --git a/esb-deploy/README.md b/esb-deploy/README.md index 51eae81..ae02466 100644 --- a/esb-deploy/README.md +++ b/esb-deploy/README.md @@ -11,6 +11,7 @@ Deploy a service to an ESB docker host. | `maven-profile` | No | `test` | Maven profile to activate during deploy | | `maven-settings` | **Yes** | — | Secret containing the `settings.xml` content used for repository authentication | | `service` | Yes | — | Name of the service to deploy | +| `stage` | No | true | If true this is a stage deployment | ## Usage @@ -22,6 +23,7 @@ Deploy a service to an ESB docker host. java-version: 8 maven-profile: test maven-settings: ${{ secrets.MAVEN_SETTINGS }} + stage: true ``` ## Notes diff --git a/esb-deploy/action.yml b/esb-deploy/action.yml index c8fd97f..584274e 100644 --- a/esb-deploy/action.yml +++ b/esb-deploy/action.yml @@ -17,6 +17,9 @@ inputs: required: true service: description: Name of the service to deploy + required: true + stage: + description: Whether to deploy to stage environment (true) or production environment (false) required: false default: 'true' 
From a49611f28806801b87e0d31dd13ab949b5fae7d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20B=C3=B6hringer?= Date: Wed, 17 Jun 2026 08:52:37 +0200 Subject: [PATCH 09/10] fix: maven action did not set profile in verify mode --- maven-build/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/maven-build/action.yml b/maven-build/action.yml index 961bc28..1c9b161 100644 --- a/maven-build/action.yml +++ b/maven-build/action.yml @@ -97,6 +97,7 @@ runs: run: | mvn --batch-mode $VERIFY_GOALS \ -s /tmp/maven-settings.xml \ + -P "$MAVEN_PROFILE" \ $EXTRA_ARGS - name: Deploy From 9783972537edc63ff438168f5c4348148512b4b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20B=C3=B6hringer?= Date: Wed, 17 Jun 2026 09:41:57 +0200 Subject: [PATCH 10/10] fix: actually provide maven profile --- maven-build/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/maven-build/action.yml b/maven-build/action.yml index 1c9b161..6b16ded 100644 --- a/maven-build/action.yml +++ b/maven-build/action.yml @@ -94,6 +94,7 @@ runs: env: VERIFY_GOALS: ${{ inputs.verify-goals }} EXTRA_ARGS: ${{ inputs.extra-args }} + MAVEN_PROFILE: ${{ inputs.maven-profile }} run: | mvn --batch-mode $VERIFY_GOALS \ -s /tmp/maven-settings.xml \
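Review bot: `-P "$MAVEN_PROFILE"` is passed unconditionally in the verify step, so a caller that leaves `maven-profile` empty now runs `mvn -P ""`; Maven 3 only warns about a profile id it cannot find, but I would not rely on an empty id being harmless across Maven versions. Make the flag conditional with `${MAVEN_PROFILE:+-P "$MAVEN_PROFILE"}`, which expands to the two words `-P <profile>` when the variable is non-empty and to nothing otherwise. The input's declaration and default are outside the hunk, so if `maven-profile` already has a non-empty default this is moot; the existing unquoted `$VERIFY_GOALS`/`$EXTRA_ARGS` expansions are context lines and unchanged here.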