ci: adapt workflows for Gitea migration

Change runner from runners-farhoodlabs to ubuntu-latest across all fork workflows. Update container registry from ghcr.io to git.farh.net and authenticate with REGISTRY_TOKEN. Migrate update-infra API calls from GitHub to Gitea. Disable refresh-lockfile.yml (requires GitHub gh CLI). Update CLAUDE.md references. Co-Authored-By: Paperclip <noreply@paperclip.ing>
Merge pull request #16 from farhoodlabs/dev
2026-05-20 11:17:45 +00:00 · 2026-05-16 08:38:38 -07:00 · 2026-05-16 10:16:28 -04:00 · 2026-05-14 11:49:51 -04:00 · 2026-05-14 11:41:40 -04:00 · 2026-05-14 10:04:18 -04:00
9 changed files with 55 additions and 372 deletions
@@ -11,7 +11,7 @@ permissions:
 jobs:
  build:
-    runs-on: runners-farhoodlabs
+    runs-on: ubuntu-latest
    timeout-minutes: 30
    outputs:
      image-tag: ${{ steps.tag.outputs.sha }}
@@ -23,28 +23,21 @@ jobs:
        id: tag
        run: echo "sha=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT
      - name: Login to Docker Hub
        continue-on-error: true
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-      - name: Login to GHCR
+      - name: Login to Gitea Registry
        uses: docker/login-action@v3
        with:
-          registry: ghcr.io
+          registry: git.farh.net
-          username: ${{ github.actor }}
+          username: ${{ gitea.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
-          images: ghcr.io/farhoodlabs/paperclip-dev
+          images: git.farh.net/farhoodlabs/paperclip-dev
          tags: |
            type=raw,value=latest
            type=sha,prefix=
@@ -62,25 +55,16 @@ jobs:
  update-infra:
    needs: build
-    runs-on: runners-farhoodlabs
+    runs-on: ubuntu-latest
    steps:
      - name: Generate app token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PAPERCLIP_APP_ID }}
          private-key: ${{ secrets.PAPERCLIP_APP_PRIVATE_KEY }}
          repositories: paperclip-infra
      - name: Update dev image tag in infra repo
        run: |
          SHA="${{ needs.build.outputs.image-tag }}"
          FILE="overlays/dev/kustomization.yaml"
          response=$(curl -sS \
-            -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
+            -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \
-            -H "Accept: application/vnd.github.v3+json" \
+            "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE")
            "https://api.github.com/repos/farhoodlabs/paperclip-infra/contents/$FILE")
          file_sha=$(echo "$response" | jq -r '.sha')
          content=$(echo "$response" | jq -r '.content' | base64 -d)
@@ -88,7 +72,6 @@ jobs:
          encoded=$(printf '%s' "$new_content" | base64 -w 0)
          curl -sS -X PUT \
-            -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
+            -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \
-            -H "Accept: application/vnd.github.v3+json" \
+            "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE" \
            "https://api.github.com/repos/farhoodlabs/paperclip-infra/contents/$FILE" \
            -d "{\"message\":\"chore(cd): update paperclip-dev to $SHA\",\"content\":\"$encoded\",\"sha\":\"$file_sha\"}"
@@ -11,33 +11,27 @@ permissions:
 jobs:
  build:
-    runs-on: runners-farhoodlabs
+    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-      - name: Login to GHCR
+      - name: Login to Gitea Registry
        uses: docker/login-action@v3
        with:
-          registry: ghcr.io
+          registry: git.farh.net
-          username: ${{ github.actor }}
+          username: ${{ gitea.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
-          images: ghcr.io/farhoodlabs/paperclip
+          images: git.farh.net/farhoodlabs/paperclip
          tags: |
            type=raw,value=latest
            type=sha,prefix=
@@ -47,6 +41,7 @@ jobs:
        uses: docker/build-push-action@v6
        with:
          context: .
          file: .farhoodlabs/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
@@ -1,15 +1,15 @@
 # Paperclip Fork — Project Context
 This is a fork of [paperclipai/paperclip](https://github.com/paperclipai/paperclip).
-Fork repo: https://github.com/farhoodlabs/paperclip
+Fork repo: https://git.farh.net/farhoodlabs/paperclip
 ## Branch Model
 | Branch | Purpose |
 |---|---|
 | `master` | Mirrors `upstream/master` exactly + `.farhoodlabs/` overlay directory + `assemble-local.yml` action. Never commit application code here. |
-| `local` | **Default branch.** Assembled automatically by `assemble-local.yml` on every `master` push. Contains: upstream + fork Dockerfile/workflows + all pending upstream PR cherry-picks. Builds `ghcr.io/farhoodlabs/paperclip`. |
+| `local` | **Default branch.** Assembled automatically by `assemble-local.yml` on every `master` push. Contains: upstream + fork Dockerfile/workflows + all pending upstream PR cherry-picks. Builds `git.farh.net/farhoodlabs/paperclip`. |
-| `dev` | Development branch based on upstream/master. Builds `ghcr.io/farhoodlabs/paperclip-dev` on every push. |
+| `dev` | Development branch based on upstream/master. Builds `git.farh.net/farhoodlabs/paperclip-dev` on every push. |
 | PR branches | `skill-pat-feature`, `skill-scan-refresh`, `feat/company-portability-complete` — open PRs to upstream, never rebase onto master/local. |
 **Never commit directly to `local`** — it is fully regenerated by the assemble action and any direct commits will be overwritten.
@@ -70,7 +70,7 @@ Edit `.farhoodlabs/Dockerfile` on `master`. Only modify the production stage —
 ## Deployment
-Paperclip runs in Kubernetes, not locally. Use `kubectl` to access it. The production image is `ghcr.io/farhoodlabs/paperclip:latest`.
+Paperclip runs in Kubernetes, not locally. Use `kubectl` to access it. The production image is `git.farh.net/farhoodlabs/paperclip:latest`.
 ## Key Files
@@ -1,193 +0,0 @@
 name: Assemble local branch
 # Triggers on every master push (i.e. after syncing upstream) and on demand.
 # Builds the `local` branch: master + fork overlay + cherry-picked pending upstream PRs.
 # Syncs build-dev.yml to the `dev` branch so every dev push triggers a build.
 #
 # PR entries support an optional "exclude:BRANCH" suffix to handle cases where
 # one PR branch was rebased onto another. The exclude branch's commits are subtracted
 # from the cherry-pick range so they aren't double-applied.
 #
 # When upstream merges a PR, remove its entry from PR_CHERRY_PICK or PR_SQUASH below.
 on:
  push:
    branches: [master]
  workflow_dispatch:
 permissions:
  contents: write
  actions: write
 jobs:
  assemble:
    runs-on: runners-farhoodlabs
    timeout-minutes: 15
    steps:
      - name: Checkout master
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Configure git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
      - name: Fetch all remotes
        run: |
          git remote add upstream https://github.com/paperclipai/paperclip.git 2>/dev/null || true
          git fetch --all --quiet
      - name: Assemble local branch
        run: |
          set -euo pipefail
          # Start local from master (which mirrors upstream)
          git checkout -B local origin/master
          # Apply fork overlay: Dockerfile, build workflows, CLAUDE.md
          cp .farhoodlabs/Dockerfile Dockerfile
          cp .farhoodlabs/CLAUDE.md CLAUDE.md
          mkdir -p .github/workflows
          cp .farhoodlabs/.github/workflows/build-prod.yml .github/workflows/build-prod.yml
          cp .farhoodlabs/.github/workflows/build-dev.yml .github/workflows/build-dev.yml
          git add Dockerfile CLAUDE.md .github/workflows/build-prod.yml .github/workflows/build-dev.yml
          git commit -m "chore: apply fork overlay from .farhoodlabs"
          # --- PRs to cherry-pick commit-by-commit (clean, no merge commits) ---
          # Format: "PR-number branch-name [exclude:base-branch]"
          # Use exclude: when a branch was rebased onto another PR branch to avoid double-applying commits.
          # Remove an entry here when upstream merges the PR.
          PR_CHERRY_PICK=(
            "3237 skill-pat-feature"
            "3351 skill-scan-refresh exclude:skill-pat-feature"
            "4162 fix/far-108-k8s-adapter-reaper-liveness"
          )
          for entry in "${PR_CHERRY_PICK[@]}"; do
            # Parse: pr_num, branch, optional exclude branch
            pr_num=$(echo "$entry" | awk '{print $1}')
            branch=$(echo "$entry" | awk '{print $2}')
            exclude_branch=$(echo "$entry" | grep -oP '(?<=exclude:)\S+' || true)
            remote_branch="origin/$branch"
            exclude_arg=""
            if [ -n "$exclude_branch" ]; then
              exclude_arg="--not origin/$exclude_branch"
            fi
            if ! git rev-parse "$remote_branch" &>/dev/null; then
              echo "WARNING: $remote_branch not found, skipping PR #$pr_num"
              continue
            fi
            # Exclude commits already on origin/master (fork-overlay/CI infra
            # that landed on master via the .farhoodlabs/ overlay path). PR
            # branches sometimes pull these in via `git merge origin/master`,
            # but cherry-picking them onto `local` (which is already master)
            # is redundant and produces conflicts on the assemble-local file.
            mapfile -t commits < <(git log --no-merges --reverse --format="%H" upstream/master.."$remote_branch" ^origin/master $exclude_arg)
            if [ ${#commits[@]} -eq 0 ]; then
              echo "PR #$pr_num ($branch): no unique commits — likely merged upstream, skipping"
              continue
            fi
            echo "PR #$pr_num ($branch): cherry-picking ${#commits[@]} commit(s)"
            for sha in "${commits[@]}"; do
              git cherry-pick "$sha" || {
                # If the cherry-pick produced an empty result (commit's content
                # is already in HEAD via auto-merge), skip it instead of failing.
                # State signature: CHERRY_PICK_HEAD set, no unmerged paths,
                # nothing staged.
                if [ -f .git/CHERRY_PICK_HEAD ] \
                  && [ -z "$(git diff --name-only --diff-filter=U)" ] \
                  && git diff --staged --quiet; then
                  echo "PR #$pr_num: $sha became empty after merge, skipping"
                  git cherry-pick --skip
                  continue
                fi
                echo "::error::Cherry-pick conflict at $sha from PR #$pr_num ($branch)"
                echo "::error::Resolve the conflict, force-push the branch, then re-run this workflow"
                git cherry-pick --abort
                exit 1
              }
            done
          done
          # --- PRs to apply as a single squash (complex history with merge commits) ---
          # git merge --squash applies the net final diff of the branch, bypassing
          # intra-PR commit ordering issues. CI commits that cancel out are ignored.
          # Remove an entry here when upstream merges the PR.
          PR_SQUASH=(
            "3987 feat/company-portability-complete"
          )
          for entry in "${PR_SQUASH[@]}"; do
            pr_num="${entry%% *}"
            branch="${entry#* }"
            remote_branch="origin/$branch"
            if ! git rev-parse "$remote_branch" &>/dev/null; then
              echo "WARNING: $remote_branch not found, skipping PR #$pr_num"
              continue
            fi
            # Check if the branch has any unique non-merge commits
            unique=$(git log --no-merges --oneline upstream/master.."$remote_branch" | wc -l)
            if [ "$unique" -eq 0 ]; then
              echo "PR #$pr_num ($branch): no unique commits — likely merged upstream, skipping"
              continue
            fi
            echo "PR #$pr_num ($branch): applying as squash ($unique non-merge commits)"
            git merge --squash "$remote_branch" || {
              echo "::error::Squash conflict for PR #$pr_num ($branch)"
              git merge --abort 2>/dev/null || git reset --hard HEAD
              exit 1
            }
            # Only commit if there are staged changes
            git diff --staged --quiet || git commit -m "feat: apply PR #$pr_num ($branch)"
          done
          git push origin local --force
          echo "local branch assembled and pushed"
      - name: Trigger prod build
        run: |
          curl -sS -X POST \
            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
            -H "Accept: application/vnd.github.v3+json" \
            https://api.github.com/repos/${{ github.repository }}/actions/workflows/build-prod.yml/dispatches \
            -d '{"ref":"local"}'
      - name: Sync build-dev.yml to dev branch
        run: |
          set -euo pipefail
          if ! git rev-parse origin/dev &>/dev/null; then
            echo "dev branch not found on origin, skipping"
            exit 0
          fi
          canonical=".farhoodlabs/.github/workflows/build-dev.yml"
          target=".github/workflows/build-dev.yml"
          if git show origin/dev:"$target" 2>/dev/null | diff --brief - "$canonical" &>/dev/null; then
            echo "build-dev.yml on dev is up to date, skipping"
            exit 0
          fi
          echo "Syncing build-dev.yml to dev branch..."
          # Save canonical content before switching branches (.farhoodlabs/ only exists on master)
          tmp=$(mktemp)
          cp "$canonical" "$tmp"
          git checkout -B dev-wf-sync origin/dev
          mkdir -p "$(dirname "$target")"
          cp "$tmp" "$target"
          rm "$tmp"
          git add "$target"
          git commit -m "chore(ci): sync build-dev.yml from .farhoodlabs"
          git push origin dev-wf-sync:dev
          echo "build-dev.yml synced to dev"
@@ -11,7 +11,7 @@ permissions:
 jobs:
  build:
-    runs-on: runners-farhoodlabs
+    runs-on: ubuntu-latest
    timeout-minutes: 30
    outputs:
      image-tag: ${{ steps.tag.outputs.sha }}
@@ -23,28 +23,21 @@ jobs:
        id: tag
        run: echo "sha=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT
      - name: Login to Docker Hub
        continue-on-error: true
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-      - name: Login to GHCR
+      - name: Login to Gitea Registry
        uses: docker/login-action@v3
        with:
-          registry: ghcr.io
+          registry: git.farh.net
-          username: ${{ github.actor }}
+          username: ${{ gitea.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
-          images: ghcr.io/farhoodlabs/paperclip-dev
+          images: git.farh.net/farhoodlabs/paperclip-dev
          tags: |
            type=raw,value=latest
            type=sha,prefix=
@@ -62,25 +55,16 @@ jobs:
  update-infra:
    needs: build
-    runs-on: runners-farhoodlabs
+    runs-on: ubuntu-latest
    steps:
      - name: Generate app token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PAPERCLIP_APP_ID }}
          private-key: ${{ secrets.PAPERCLIP_APP_PRIVATE_KEY }}
          repositories: paperclip-infra
      - name: Update dev image tag in infra repo
        run: |
          SHA="${{ needs.build.outputs.image-tag }}"
          FILE="overlays/dev/kustomization.yaml"
          response=$(curl -sS \
-            -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
+            -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \
-            -H "Accept: application/vnd.github.v3+json" \
+            "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE")
            "https://api.github.com/repos/farhoodlabs/paperclip-infra/contents/$FILE")
          file_sha=$(echo "$response" | jq -r '.sha')
          content=$(echo "$response" | jq -r '.content' | base64 -d)
@@ -88,7 +72,6 @@ jobs:
          encoded=$(printf '%s' "$new_content" | base64 -w 0)
          curl -sS -X PUT \
-            -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
+            -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \
-            -H "Accept: application/vnd.github.v3+json" \
+            "https://git.farh.net/api/v1/repos/farhoodlabs/paperclip-infra/contents/$FILE" \
            "https://api.github.com/repos/farhoodlabs/paperclip-infra/contents/$FILE" \
            -d "{\"message\":\"chore(cd): update paperclip-dev to $SHA\",\"content\":\"$encoded\",\"sha\":\"$file_sha\"}"
@@ -11,33 +11,27 @@ permissions:
 jobs:
  build:
-    runs-on: runners-farhoodlabs
+    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-      - name: Login to GHCR
+      - name: Login to Gitea Registry
        uses: docker/login-action@v3
        with:
-          registry: ghcr.io
+          registry: git.farh.net
-          username: ${{ github.actor }}
+          username: ${{ gitea.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
-          images: ghcr.io/farhoodlabs/paperclip
+          images: git.farh.net/farhoodlabs/paperclip
          tags: |
            type=raw,value=latest
            type=sha,prefix=
@@ -47,6 +41,7 @@ jobs:
        uses: docker/build-push-action@v6
        with:
          context: .
          file: .farhoodlabs/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
@@ -1,96 +1,16 @@
 # Disabled in fork — `gh` CLI and GitHub-specific commands are not available on Gitea.
 # Lockfile refreshes are managed directly in development workflows.
 #
 # NOTE: upstream may overwrite this file when master is synced. Re-apply if that happens.
 name: Refresh Lockfile
 on:
  push:
    branches:
      - master
  workflow_dispatch:
-
+    inputs:
-concurrency:
+      note:
-  group: refresh-lockfile-master
+        description: "Disabled in fork. Uses GitHub-specific gh CLI."
-  cancel-in-progress: false
+        required: false
 jobs:
-  refresh:
+  disabled:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: write
      pull-requests: write
    steps:
-      - name: Checkout repository
+      - run: echo "Disabled. Lockfile management requires GitHub-specific tooling."
        uses: actions/checkout@v4
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 9.15.4
          run_install: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm
      - name: Refresh pnpm lockfile
        run: pnpm install --lockfile-only --ignore-scripts --no-frozen-lockfile
      - name: Fail on unexpected file changes
        run: |
          changed="$(git status --porcelain)"
          if [ -z "$changed" ]; then
            echo "Lockfile is already up to date."
            exit 0
          fi
          if printf '%s\n' "$changed" | grep -Fvq ' pnpm-lock.yaml'; then
            echo "Unexpected files changed during lockfile refresh:"
            echo "$changed"
            exit 1
          fi
      - name: Create or update pull request
        id: upsert-pr
        env:
          GH_TOKEN: ${{ github.token }}
          REPO_OWNER: ${{ github.repository_owner }}
        run: |
          if git diff --quiet -- pnpm-lock.yaml; then
            echo "Lockfile unchanged, nothing to do."
            echo "pr_url=" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          BRANCH="chore/refresh-lockfile"
          git config user.name "lockfile-bot"
          git config user.email "lockfile-bot@users.noreply.github.com"
          git checkout -B "$BRANCH"
          git add pnpm-lock.yaml
          git commit -m "chore(lockfile): refresh pnpm-lock.yaml"
          git push --force origin "$BRANCH"
          # Only reuse an open PR from this repository owner, not a fork with the same branch name.
          pr_url="$(
            gh pr list --state open --head "$BRANCH" --json url,headRepositoryOwner \
              --jq ".[] | select(.headRepositoryOwner.login == \"$REPO_OWNER\") | .url" |
            head -n 1
          )"
          if [ -z "$pr_url" ]; then
            pr_url="$(gh pr create \
              --head "$BRANCH" \
              --title "chore(lockfile): refresh pnpm-lock.yaml" \
              --body "Auto-generated lockfile refresh after dependencies changed on master. This PR only updates pnpm-lock.yaml.")"
            echo "Created new PR: $pr_url"
          else
            echo "PR already exists: $pr_url"
          fi
          echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT"
      - name: Enable auto-merge for lockfile PR
        if: steps.upsert-pr.outputs.pr_url != ''
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh pr merge --auto --squash --delete-branch "${{ steps.upsert-pr.outputs.pr_url }}"
@@ -16,7 +16,7 @@ permissions:
 jobs:
  sync:
-    runs-on: runners-farhoodlabs
+    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout master
@@ -1,15 +1,15 @@
 # Paperclip Fork — Project Context
 This is a fork of [paperclipai/paperclip](https://github.com/paperclipai/paperclip).
-Fork repo: https://github.com/farhoodlabs/paperclip
+Fork repo: https://git.farh.net/farhoodlabs/paperclip
 ## Branch Model
 | Branch | Purpose |
 |---|---|
 | `master` | Mirrors `upstream/master` exactly + `.farhoodlabs/` overlay directory + `assemble-local.yml` action. Never commit application code here. |
-| `local` | **Default branch.** Assembled automatically by `assemble-local.yml` on every `master` push. Contains: upstream + fork Dockerfile/workflows + all pending upstream PR cherry-picks. Builds `ghcr.io/farhoodlabs/paperclip`. |
+| `local` | **Default branch.** Assembled automatically by `assemble-local.yml` on every `master` push. Contains: upstream + fork Dockerfile/workflows + all pending upstream PR cherry-picks. Builds `git.farh.net/farhoodlabs/paperclip`. |
-| `dev` | Development branch based on upstream/master. Builds `ghcr.io/farhoodlabs/paperclip-dev` on every push. |
+| `dev` | Development branch based on upstream/master. Builds `git.farh.net/farhoodlabs/paperclip-dev` on every push. |
 | PR branches | `skill-pat-feature`, `skill-scan-refresh`, `feat/company-portability-complete` — open PRs to upstream, never rebase onto master/local. |
 **Never commit directly to `local`** — it is fully regenerated by the assemble action and any direct commits will be overwritten.
@@ -70,7 +70,7 @@ Edit `.farhoodlabs/Dockerfile` on `master`. Only modify the production stage —
 ## Deployment
-Paperclip runs in Kubernetes, not locally. Use `kubectl` to access it. The production image is `ghcr.io/farhoodlabs/paperclip:latest`.
+Paperclip runs in Kubernetes, not locally. Use `kubectl` to access it. The production image is `git.farh.net/farhoodlabs/paperclip:latest`.
 ## Key Files
Author	SHA1	Message	Date
Chris Farhood	5499a0b4a6	ci: adapt workflows for Gitea migration Change runner from runners-farhoodlabs to ubuntu-latest across all fork workflows. Update container registry from ghcr.io to git.farh.net and authenticate with REGISTRY_TOKEN. Migrate update-infra API calls from GitHub to Gitea. Disable refresh-lockfile.yml (requires GitHub gh CLI). Update CLAUDE.md references. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-20 11:17:45 +00:00
Chris Farhood	55faea456f	Merge pull request #16 from farhoodlabs/dev Dev	2026-05-16 08:38:38 -07:00
Chris Farhood	5703fa225c	Merge dev into local; drop dead assemble-local workflow - Resolves the duplicate-SHA conflict on the gitea/skills commits by taking dev's versions (canonical after PR #13 superseded the original shim with the git-source refactor). - Deletes .github/workflows/assemble-local.yml -- the workflow triggered on master push but lived on local, so it never fired automatically; promotion happens via dev->local PRs instead. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-16 10:16:28 -04:00
Chris Farhood	8dbe99e32e	feat(skills): support Gitea/Forgejo git hosts end-to-end The skills source pipeline was hardcoded to GitHub conventions, so even though the UI now accepts non-GitHub URLs, the server couldn't actually fetch from anywhere else. - github-fetch.ts: dispatch by host family (github.com → GitHub API + raw.githubusercontent.com; everything else → Gitea/Forgejo API v1 + /api/v1/repos/.../media for raw content). - parseGitHubSourceUrl: also accept Gitea/Forgejo web URLs (/{owner}/{repo}/src/{branch\|commit\|tag}/{ref}/{path}). - routes/company-skills.ts: drop the hostname='github.com' gate in deriveTrackedSkillRef so non-GitHub skills are still tracked. - Generalize user-facing strings ('GitHub PAT' → 'PAT', 'GitHub source URL' → 'Source URL', etc.). GitHub Enterprise (was assumed by '/api/v3') is no longer a special case — non-github.com hosts are treated as Gitea/Forgejo. If GHE support is needed later, add a per-source host-family override.	2026-05-14 11:49:51 -04:00
Chris Farhood	9e854e33d9	fix(skills): drop GitHub-only regex gate on PAT input The PAT input on the skill import flow was hidden by a regex that matched github.com or org/repo shorthand. Self-hosted Gitea/Forgejo/GitLab sources got no auth field at all. Always show the input when a source is entered, and label it generically ('Personal access token') instead of 'GitHub PAT'. UI only — backend already accepts any token via /skills/:id/auth and /companies/:companyId/skills POST {source, authToken}.	2026-05-14 11:41:40 -04:00
Chris Farhood	fccbc7e39e	feat(ci): install gitea tea CLI in fork Dockerfile Adds the official Gitea 'tea' CLI (v0.14.0) alongside the existing forgejo CLIs (fj, fj-ex, fgj). Useful when interacting with Gitea instances whose API surface is covered by tea but not by the forgejo variants.	2026-05-14 10:04:18 -04:00
Chris Farhood	7a8afbb719	Merge pull request #12 from farhoodlabs/dev Dev	2026-05-12 16:39:28 -07:00
Chris Farhood	30ef61bb25	Merge pull request #11 from farhoodlabs/dev Dev	2026-05-11 17:02:31 -07:00
Chris Farhood	37e0aac971	ci: build prod image from .farhoodlabs/Dockerfile Pulls the prod image up to the same toolset as the dev image (kubectl, kubeseal, uv/uvx, forgejo CLIs, nano, vim) without diverging the upstream root Dockerfile. Both build-dev.yml and build-prod.yml now share the same fork-overlay Dockerfile; only the image tag and trigger branch differ.	2026-05-03 15:38:18 -04:00
Chris Farhood	cee1cd7f4e	Merge branches 'feat/skills-gitops-complete' and 'feat/secrets-management-ui' into local	2026-05-03 11:02:47 -04:00
Chris Farhood	85cbbc9263	revert: restore paperclip-dev skill (validation requires it for now) The earlier fix/remove-paperclip-dev-skill removed the bundled skill, but companies have stale company_skills rows that reference it as required, breaking 'Invalid company skill selection' validation. Put the file back to unblock; the underlying force-required-on-bundled bug remains and should be fixed in code rather than by deleting the skill.	2026-05-03 10:23:54 -04:00
Chris Farhood	acbfcb7d00	Merge branch 'feat/secrets-management-ui' into local	2026-05-03 09:45:59 -04:00
Chris Farhood	3bbd632355	Merge branch 'feat/env-var-multiline-input' into local	2026-05-02 08:18:31 -04:00
Chris Farhood	e37180d3e3	chore(plugin-rpc): raise MAX_RPC_TIMEOUT_MS cap to 60 minutes	2026-05-01 21:00:08 -04:00