{"id":50928206,"url":"https://github.com/three-cubes/ci-workflows","last_synced_at":"2026-06-17T01:05:57.278Z","repository":{"id":364491783,"uuid":"1268126037","full_name":"three-cubes/ci-workflows","owner":"three-cubes","description":"Org-shared CI: reusable workflows + composite actions for three-cubes repos (#499 Phase 4)","archived":false,"fork":false,"pushed_at":"2026-06-13T07:32:31.000Z","size":5,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-13T09:12:15.478Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/three-cubes.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-13T07:04:44.000Z","updated_at":"2026-06-13T07:32:37.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/three-cubes/ci-workflows","commit_stats":null,"previous_names":["three-cubes/ci-workflows"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/three-cubes/ci-workflows","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/three-cubes%2Fci-workflows","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/three-cubes%2Fci-workflows/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/three-cubes%2Fci-workflows/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/three-cubes%2Fci-workflows/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/three-cubes","download_url":"https://codeload.github.com/three-cubes/ci-workflows/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/three-cubes%2Fci-workflows/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34429546,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-16T02:00:06.860Z","response_time":126,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-17T01:05:56.481Z","updated_at":"2026-06-17T01:05:57.266Z","avatar_url":"https://github.com/three-cubes.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# three-cubes/ci-workflows\n\nOrg-shared CI for three-cubes repositories — reusable workflows (`workflow_call`) and composite actions, so every repo's CI derives from one source instead of drifting copies. Part of [kairix#499](https://github.com/three-cubes/kairix/issues/499) Phase 4.\n\n## Layout\n\n```\nactions/                 composite actions (shared steps)\n  setup-uv-cached/        pinned uv + cached venv\n.github/workflows/        reusable workflow_call workflows (added incrementally)\n  python-quality-gate.yml the generic Python lint/type/security/test/coverage gate\n```\n\n## Principles\n\n- **Config lives in GitHub org/repo variables + secrets, never hardcoded here or in consuming repos.** Reusable workflows and actions take config as `inputs`; consuming repos pass org/repo `vars`/`secrets` (e.g. `PRIVATE_INFRA_PATTERNS`, `SONAR_TOKEN`, coverage floors, image names). No git-excluded config files.\n- **Pin everything.** Third-party actions pinned to a full commit SHA; consumers pin this repo's reusable workflows to a `@vN` tag so a change rolls out per-repo on the org dependency-cooldown cadence, not all at once.\n- **Public, but secret-free.** This repo is public (consumed by public + private org repos); it contains zero credentials — those stay in org/repo secrets.\n\n## Consuming\n\n```yaml\n# caller in a three-cubes repo:\njobs:\n  quality:\n    uses: three-cubes/ci-workflows/.github/workflows/python-quality-gate.yml@v1\n    with:\n      python-version: \"3.12\"\n    secrets: inherit\n```\n\n## `python-quality-gate.yml` — reusable Python gate\n\nThe generic Python quality gate: the org-standard locked-uv install (the\n`setup-uv-cached` composite — pinned `setup-uv` + cached `uv sync` + optional\n`--require-hashes` CI tools) followed by lint / type / security / test / coverage\nsteps. Each step is opt-in via a `run-*` toggle so a repo enables exactly what it\nruns. **Repo-specific steps stay in the caller** — taz keeps openclaw / llm-judge /\nthe fitness harness; kairix keeps arch-fitness / union-coverage / Docker. This\nworkflow is the shared *middle*, not the whole gate.\n\n### Capability toggles (`run-*`)\n\n| Input | Default | Gates |\n|---|---|---|\n| `run-shellcheck` | `true` | install shellcheck + lint discovered `*.sh` |\n| `run-ruff-lint` | `true` | `uv run ruff check` (blocking) |\n| `run-ruff-format-check` | `true` | `uv run ruff format --check` (non-blocking, `|| true`) |\n| `run-bandit` | `true` | `uv run bandit -r` SAST |\n| `run-compileall` | `true` | `uv run python -m compileall` syntax gate |\n| `run-mypy` | `false` | `uv run mypy` (taz: off; kairix: on) |\n| `run-pytest` | `true` | pytest + branch coverage + optional XML normalise |\n| `run-node` | `false` | pnpm/TS half: setup-node + pnpm install + TS coverage |\n| `run-detect-secrets` | `true` | detect-secrets changed-file scan |\n\n### Toolchain + install inputs\n\n| Input | Default | Purpose |\n|---|---|---|\n| `python-version` | `\"3.12\"` | Python uv resolves against |\n| `uv-version` | `\"0.11.16\"` | pinned uv version (org standard) |\n| `fetch-depth` | `2` | checkout depth (`0` for full-history secret scans) |\n| `sync-args` | `\"--locked --all-packages\"` | `uv sync` args (single-package repos: `--all-extras --all-groups`) |\n| `ci-requirements-path` | `\".github/requirements-ci.txt\"` | `--require-hashes` CI-tools file; `\"\"` skips |\n\n### Lint / type / security targets\n\n| Input | Default | Purpose |\n|---|---|---|\n| `ruff-lint-paths` | `\"scripts/ tests/\"` | `ruff check` targets |\n| `ruff-lint-args` | `\"\"` | extra `ruff check` args (e.g. `--ignore=...`) |\n| `ruff-format-paths` | `\"scripts/ tests/\"` | `ruff format --check` targets |\n| `bandit-paths` | `\"scripts/\"` | `bandit -r` targets |\n| `bandit-args` | `\"-ll -ii -c pyproject.toml\"` | extra bandit args |\n| `mypy-paths` | `\"kairix/\"` | `mypy` targets |\n| `mypy-args` | `\"--ignore-missing-imports\"` | extra mypy args |\n| `compileall-paths` | `\"scripts tests\"` | `compileall` targets |\n| `shellcheck-find-paths` | `\"scripts\"` | roots searched for `*.sh` |\n\n### Test + coverage\n\n| Input | Default | Purpose |\n|---|---|---|\n| `pytest-args` | `\"-q tests -n auto\"` | pytest selector / parallelism / junit |\n| `coverage-paths` | `\"--cov=scripts --cov=tests/lib\"` | `--cov=` sources; `\"\"` disables |\n| `coverage-xml` | `\"coverage.xml\"` | coverage XML output path |\n| `coverage-fail-under` | `0` | `--cov-fail-under` floor (0 defers to a ratchet) |\n| `normalize-coverage-script` | `\"\"` | optional post-pytest XML normaliser; `\"\"` skips |\n\n### Node / TS half (when `run-node: true`)\n\n| Input | Default | Purpose |\n|---|---|---|\n| `node-version-file` | `\".nvmrc\"` | Node version file |\n| `pnpm-version` | `\"10.27.0\"` | pnpm version |\n| `pnpm-install-args` | `\"--frozen-lockfile --ignore-scripts\"` | `pnpm install` args |\n| `ts-coverage-command` | `\"pnpm -r --if-present test:coverage\"` | TS coverage command |\n\n### detect-secrets\n\n| Input | Default | Purpose |\n|---|---|---|\n| `detect-secrets-baseline` | `\".secrets.baseline\"` | baseline file path |\n\n### Secrets\n\n| Secret | Required | Purpose |\n|---|---|---|\n| `gh-token` | no | `GITHUB_TOKEN` override for authenticated git/gh (falls back to `github.token`) |\n\nRepo-specific secrets (`SONAR_TOKEN`, `CLI_PROXY_API_*`, `CODECOV_TOKEN`, …) stay\nin the caller's own steps — they are not part of this generic gate.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthree-cubes%2Fci-workflows","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthree-cubes%2Fci-workflows","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthree-cubes%2Fci-workflows/lists"}