diff --git a/.farhoodlabs/.github/workflows/build-dev.yml b/.farhoodlabs/.github/workflows/build-dev.yml index c74c3631..293cdc8c 100644 --- a/.farhoodlabs/.github/workflows/build-dev.yml +++ b/.farhoodlabs/.github/workflows/build-dev.yml @@ -11,7 +11,7 @@ permissions: jobs: build: - runs-on: runners-farhoodlabs + runs-on: ubuntu-latest timeout-minutes: 30 outputs: image-tag: ${{ steps.tag.outputs.sha }} @@ -23,28 +23,21 @@ jobs: id: tag run: echo "sha=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT - - name: Login to Docker Hub - continue-on-error: true - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Login to GHCR + - name: Login to Gitea Registry uses: docker/login-action@v3 with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + registry: git.farh.net + username: ${{ gitea.repository_owner }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Docker meta id: meta uses: docker/metadata-action@v5 with: - images: ghcr.io/farhoodlabs/paperclip-dev + images: git.farh.net/farhoodlabs/paperclip-dev tags: | type=raw,value=latest type=sha,prefix= 
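Review bot: The `Login to Gitea Registry` step replaces the per-run `GITHUB_TOKEN` with a stored `secrets.REGISTRY_TOKEN`, and the `update-infra` job in this same file reuses that secret for writes to `paperclip-infra`. One long-lived credential then covers both image pushes and repository contents, so a leak from either job exposes both. I would keep `REGISTRY_TOKEN` limited to package write and give the infra update its own secret, for example `password: ${{ secrets.REGISTRY_TOKEN }}` here and a separately scoped secret (suggested name `INFRA_REPO_TOKEN`) in the curl calls. A comment above the step such as `# REGISTRY_TOKEN: package-write only, rotate on a schedule` would record the intended scope. The same login change appears in build-prod.yml and in both `.github/workflows/` copies.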
@@ -62,25 +55,16 @@ jobs: update-infra: needs: build - runs-on: runners-farhoodlabs + runs-on: ubuntu-latest steps: - - name: Generate app token - id: app-token - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ secrets.PAPERCLIP_APP_ID }} - private-key: ${{ secrets.PAPERCLIP_APP_PRIVATE_KEY }} - repositories: paperclip-infra - - name: Update dev image tag in infra repo run: | SHA="${{ needs.build.outputs.image-tag }}" FILE="overlays/dev/kustomization.yaml" response=$(curl -sS \ - -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \ - -H "Accept: application/vnd.github.v3+json" \ - "https://api.github.com/repos/farhoodlabs/paperclip-infra/contents/$FILE") + -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \ + "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE") file_sha=$(echo "$response" | jq -r '.sha') content=$(echo "$response" | jq -r '.content' | base64 -d) @@ -88,7 +72,6 @@ jobs: encoded=$(printf '%s' "$new_content" | base64 -w 0) curl -sS -X PUT \ - -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \ - -H "Accept: application/vnd.github.v3+json" \ - "https://api.github.com/repos/farhoodlabs/paperclip-infra/contents/$FILE" \ + -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \ + "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE" \ -d "{\"message\":\"chore(cd): update paperclip-dev to $SHA\",\"content\":\"$encoded\",\"sha\":\"$file_sha\"}" diff --git a/.farhoodlabs/.github/workflows/build-prod.yml b/.farhoodlabs/.github/workflows/build-prod.yml index 468a0041..8c0c5d9e 100644 --- a/.farhoodlabs/.github/workflows/build-prod.yml +++ b/.farhoodlabs/.github/workflows/build-prod.yml 
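Review bot: Both new curl calls in the `Update dev image tag in infra repo` step expand `${{ secrets.REGISTRY_TOKEN }}` straight into the script text, and neither checks the HTTP status. Passing the secret through the step environment keeps it out of the rendered script: add `env:` with `REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}` and use `-H "Authorization: token $REGISTRY_TOKEN"`. With plain `curl -sS` a 401 or 404 still exits 0, so `jq -r '.sha'` yields `null` and the job can finish green without the kustomization being updated; `curl -sS --fail` on the GET and the PUT would stop the step instead. The middle of the run block lies between the two hunks and is not visible here, and the `.github/workflows/build-dev.yml` copy carries the same lines.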
@@ -11,33 +11,27 @@ permissions: jobs: build: - runs-on: runners-farhoodlabs + runs-on: ubuntu-latest timeout-minutes: 30 steps: - name: Checkout uses: actions/checkout@v4 - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Login to GHCR + - name: Login to Gitea Registry uses: docker/login-action@v3 with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + registry: git.farh.net + username: ${{ gitea.repository_owner }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Docker meta id: meta uses: docker/metadata-action@v5 with: - images: ghcr.io/farhoodlabs/paperclip + images: git.farh.net/farhoodlabs/paperclip tags: | type=raw,value=latest type=sha,prefix= diff --git a/.farhoodlabs/CLAUDE.md b/.farhoodlabs/CLAUDE.md index f57dbc07..870aebb5 100644 --- a/.farhoodlabs/CLAUDE.md +++ b/.farhoodlabs/CLAUDE.md 
@@ -1,15 +1,15 @@ # Paperclip Fork — Project Context This is a fork of [paperclipai/paperclip](https://github.com/paperclipai/paperclip). -Fork repo: https://github.com/farhoodlabs/paperclip +Fork repo: https://git.farh.net/farhoodlabs/paperclip ## Branch Model | Branch | Purpose | |---|---| | `master` | Mirrors `upstream/master` exactly + `.farhoodlabs/` overlay directory + `assemble-local.yml` action. Never commit application code here. | -| `local` | **Default branch.** Assembled automatically by `assemble-local.yml` on every `master` push. Contains: upstream + fork Dockerfile/workflows + all pending upstream PR cherry-picks. Builds `ghcr.io/farhoodlabs/paperclip`. | -| `dev` | Development branch based on upstream/master. Builds `ghcr.io/farhoodlabs/paperclip-dev` on every push. | +| `local` | **Default branch.** Assembled automatically by `assemble-local.yml` on every `master` push. Contains: upstream + fork Dockerfile/workflows + all pending upstream PR cherry-picks. Builds `git.farh.net/farhoodlabs/paperclip`. | +| `dev` | Development branch based on upstream/master. Builds `git.farh.net/farhoodlabs/paperclip-dev` on every push. | | PR branches | `skill-pat-feature`, `skill-scan-refresh`, `feat/company-portability-complete` — open PRs to upstream, never rebase onto master/local. | **Never commit directly to `local`** — it is fully regenerated by the assemble action and any direct commits will be overwritten. @@ -70,7 +70,7 @@ Edit `.farhoodlabs/Dockerfile` on `master`. Only modify the production stage — ## Deployment -Paperclip runs in Kubernetes, not locally. Use `kubectl` to access it. The production image is `ghcr.io/farhoodlabs/paperclip:latest`. +Paperclip runs in Kubernetes, not locally. Use `kubectl` to access it. The production image is `git.farh.net/farhoodlabs/paperclip:latest`. ## Key Files diff --git a/.github/workflows/build-dev.yml b/.github/workflows/build-dev.yml index c74c3631..293cdc8c 100644 --- a/.github/workflows/build-dev.yml 
+++ b/.github/workflows/build-dev.yml @@ -11,7 +11,7 @@ permissions: jobs: build: - runs-on: runners-farhoodlabs + runs-on: ubuntu-latest timeout-minutes: 30 outputs: image-tag: ${{ steps.tag.outputs.sha }} @@ -23,28 +23,21 @@ jobs: id: tag run: echo "sha=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT - - name: Login to Docker Hub - continue-on-error: true - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Login to GHCR + - name: Login to Gitea Registry uses: docker/login-action@v3 with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + registry: git.farh.net + username: ${{ gitea.repository_owner }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Docker meta id: meta uses: docker/metadata-action@v5 with: - images: ghcr.io/farhoodlabs/paperclip-dev + images: git.farh.net/farhoodlabs/paperclip-dev tags: | type=raw,value=latest type=sha,prefix= 
@@ -62,25 +55,16 @@ jobs: update-infra: needs: build - runs-on: runners-farhoodlabs + runs-on: ubuntu-latest steps: - - name: Generate app token - id: app-token - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ secrets.PAPERCLIP_APP_ID }} - private-key: ${{ secrets.PAPERCLIP_APP_PRIVATE_KEY }} - repositories: paperclip-infra - - name: Update dev image tag in infra repo run: | SHA="${{ needs.build.outputs.image-tag }}" FILE="overlays/dev/kustomization.yaml" response=$(curl -sS \ - -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \ - -H "Accept: application/vnd.github.v3+json" \ - "https://api.github.com/repos/farhoodlabs/paperclip-infra/contents/$FILE") + -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \ + "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE") file_sha=$(echo "$response" | jq -r '.sha') content=$(echo "$response" | jq -r '.content' | base64 -d) @@ -88,7 +72,6 @@ jobs: encoded=$(printf '%s' "$new_content" | base64 -w 0) curl -sS -X PUT \ - -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \ - -H "Accept: application/vnd.github.v3+json" \ - "https://api.github.com/repos/farhoodlabs/paperclip-infra/contents/$FILE" \ + -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \ + "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE" \ -d "{\"message\":\"chore(cd): update paperclip-dev to $SHA\",\"content\":\"$encoded\",\"sha\":\"$file_sha\"}" diff --git a/.github/workflows/build-prod.yml b/.github/workflows/build-prod.yml index 468a0041..8c0c5d9e 100644 --- a/.github/workflows/build-prod.yml +++ b/.github/workflows/build-prod.yml 
@@ -11,33 +11,27 @@ permissions: jobs: build: - runs-on: runners-farhoodlabs + runs-on: ubuntu-latest timeout-minutes: 30 steps: - name: Checkout uses: actions/checkout@v4 - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Login to GHCR + - name: Login to Gitea Registry uses: docker/login-action@v3 with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + registry: git.farh.net + username: ${{ gitea.repository_owner }} + password: ${{ secrets.REGISTRY_TOKEN }} - name: Docker meta id: meta uses: docker/metadata-action@v5 with: - images: ghcr.io/farhoodlabs/paperclip + images: git.farh.net/farhoodlabs/paperclip tags: | type=raw,value=latest type=sha,prefix= diff --git a/.github/workflows/refresh-lockfile.yml b/.github/workflows/refresh-lockfile.yml index a52d6f00..bf7dfce7 100644 --- a/.github/workflows/refresh-lockfile.yml +++ b/.github/workflows/refresh-lockfile.yml 
@@ -1,96 +1,16 @@ +# Disabled in fork — `gh` CLI and GitHub-specific commands are not available on Gitea. +# Lockfile refreshes are managed directly in development workflows. +# +# NOTE: upstream may overwrite this file when master is synced. Re-apply if that happens. name: Refresh Lockfile - on: - push: - branches: - - master workflow_dispatch: - -concurrency: - group: refresh-lockfile-master - cancel-in-progress: false - + inputs: + note: + description: "Disabled in fork. Uses GitHub-specific gh CLI." + required: false jobs: - refresh: + disabled: runs-on: ubuntu-latest - timeout-minutes: 10 - permissions: - contents: write - pull-requests: write - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Setup pnpm - uses: pnpm/action-setup@v4 - with: - version: 9.15.4 - run_install: false - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: 20 - cache: pnpm - - - name: Refresh pnpm lockfile - run: pnpm install --lockfile-only --ignore-scripts --no-frozen-lockfile - - - name: Fail on unexpected file changes - run: | - changed="$(git status --porcelain)" - if [ -z "$changed" ]; then - echo "Lockfile is already up to date." - exit 0 - fi - if printf '%s\n' "$changed" | grep -Fvq ' pnpm-lock.yaml'; then - echo "Unexpected files changed during lockfile refresh:" - echo "$changed" - exit 1 - fi - - - name: Create or update pull request - id: upsert-pr - env: - GH_TOKEN: ${{ github.token }} - REPO_OWNER: ${{ github.repository_owner }} - run: | - if git diff --quiet -- pnpm-lock.yaml; then - echo "Lockfile unchanged, nothing to do." 
- echo "pr_url=" >> "$GITHUB_OUTPUT" - exit 0 - fi - - BRANCH="chore/refresh-lockfile" - git config user.name "lockfile-bot" - git config user.email "lockfile-bot@users.noreply.github.com" - - git checkout -B "$BRANCH" - git add pnpm-lock.yaml - git commit -m "chore(lockfile): refresh pnpm-lock.yaml" - git push --force origin "$BRANCH" - - # Only reuse an open PR from this repository owner, not a fork with the same branch name. - pr_url="$( - gh pr list --state open --head "$BRANCH" --json url,headRepositoryOwner \ - --jq ".[] | select(.headRepositoryOwner.login == \"$REPO_OWNER\") | .url" | - head -n 1 - )" - if [ -z "$pr_url" ]; then - pr_url="$(gh pr create \ - --head "$BRANCH" \ - --title "chore(lockfile): refresh pnpm-lock.yaml" \ - --body "Auto-generated lockfile refresh after dependencies changed on master. This PR only updates pnpm-lock.yaml.")" - echo "Created new PR: $pr_url" - else - echo "PR already exists: $pr_url" - fi - echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT" - - - name: Enable auto-merge for lockfile PR - if: steps.upsert-pr.outputs.pr_url != '' - env: - GH_TOKEN: ${{ github.token }} - run: | - gh pr merge --auto --squash --delete-branch "${{ steps.upsert-pr.outputs.pr_url }}" + - run: echo "Disabled. Lockfile management requires GitHub-specific tooling." diff --git a/.github/workflows/sync-upstream.yml b/.github/workflows/sync-upstream.yml index 20ae3c19..30d6af8f 100644 --- a/.github/workflows/sync-upstream.yml +++ b/.github/workflows/sync-upstream.yml @@ -16,7 +16,7 @@ permissions: jobs: sync: - runs-on: runners-farhoodlabs + runs-on: ubuntu-latest timeout-minutes: 10 steps: - name: Checkout master diff --git a/CLAUDE.md b/CLAUDE.md index f57dbc07..870aebb5 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
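Review bot: The disabled stub is added only at `.github/workflows/refresh-lockfile.yml`; unlike build-dev.yml and build-prod.yml, this diff shows no copy under `.farhoodlabs/.github/workflows/`. CLAUDE.md says `local` is fully regenerated by the assemble action and that `master` mirrors upstream, so the upstream job (push trigger on master, `contents: write`, `git push --force`) would presumably come back on the next sync; the header comment's "Re-apply if that happens" leaves that to a manual step. I would put the stub in the overlay as well and change the comment to something like `# Disabled in fork; kept in the .farhoodlabs/ overlay so assemble-local.yml re-applies it.` The `runs-on` change to sync-upstream.yml later on this line has the same exposure. The `note` input is never read and could be dropped.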
@@ -1,15 +1,15 @@ # Paperclip Fork — Project Context This is a fork of [paperclipai/paperclip](https://github.com/paperclipai/paperclip). -Fork repo: https://github.com/farhoodlabs/paperclip +Fork repo: https://git.farh.net/farhoodlabs/paperclip ## Branch Model | Branch | Purpose | |---|---| | `master` | Mirrors `upstream/master` exactly + `.farhoodlabs/` overlay directory + `assemble-local.yml` action. Never commit application code here. | -| `local` | **Default branch.** Assembled automatically by `assemble-local.yml` on every `master` push. Contains: upstream + fork Dockerfile/workflows + all pending upstream PR cherry-picks. Builds `ghcr.io/farhoodlabs/paperclip`. | -| `dev` | Development branch based on upstream/master. Builds `ghcr.io/farhoodlabs/paperclip-dev` on every push. | +| `local` | **Default branch.** Assembled automatically by `assemble-local.yml` on every `master` push. Contains: upstream + fork Dockerfile/workflows + all pending upstream PR cherry-picks. Builds `git.farh.net/farhoodlabs/paperclip`. | +| `dev` | Development branch based on upstream/master. Builds `git.farh.net/farhoodlabs/paperclip-dev` on every push. | | PR branches | `skill-pat-feature`, `skill-scan-refresh`, `feat/company-portability-complete` — open PRs to upstream, never rebase onto master/local. | **Never commit directly to `local`** — it is fully regenerated by the assemble action and any direct commits will be overwritten. @@ -70,7 +70,7 @@ Edit `.farhoodlabs/Dockerfile` on `master`. Only modify the production stage — ## Deployment -Paperclip runs in Kubernetes, not locally. Use `kubectl` to access it. The production image is `ghcr.io/farhoodlabs/paperclip:latest`. +Paperclip runs in Kubernetes, not locally. Use `kubectl` to access it. The production image is `git.farh.net/farhoodlabs/paperclip:latest`. ## Key Files