chore: sync workflow-sync-trigger.yml from Template-Generic [skip ci]

fix: correct dev health URL to git.dev.mokoconsulting.tech (#695)

.mokogitea/workflows/auto-release.yml

@@ -27,7 +27,7 @@ name: "Universal: Build & Release"
 
 on:
   pull_request:
-    types: [opened, closed]
+    types: [opened, synchronize, closed]
     branches:
       - main
     paths-ignore:
@@ -66,6 +66,7 @@ jobs:
     runs-on: release
     if: >-
       (github.event.action == 'opened' && github.event.pull_request.merged != true) ||
+      (github.event.action == 'synchronize' && github.event.pull_request.merged != true) ||
       (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
 
     steps:

.mokogitea/workflows/deploy-dev.yml

@@ -106,4 +106,4 @@ jobs:
       - name: Verify dev instance
         run: |
           sleep 5
-          curl -sf https://dev.git.mokoconsulting.tech/api/healthz && echo " Dev API healthy"
+          curl -sf https://git.dev.mokoconsulting.tech/api/healthz && echo " Dev API healthy"

.mokogitea/workflows/deploy-manual.yml

@@ -0,0 +1,126 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Deploy
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+# PATH: /templates/workflows/joomla/deploy-manual.yml.template
+# VERSION: 04.07.00
+# BRIEF: Manual SFTP deploy to dev server for Joomla repos
+
+name: "Universal: Deploy to Dev (Manual)"
+
+on:
+  workflow_dispatch:
+    inputs:
+      clear_remote:
+        description: 'Delete all remote files before uploading'
+        required: false
+        default: 'false'
+        type: boolean
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    name: SFTP Deploy to Dev
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Setup PHP
+        run: |
+          php -v && composer --version
+
+      - name: Setup MokoStandards tools
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+        run: |
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
+            /tmp/mokostandards-api 2>/dev/null || true
+          if [ -d "/tmp/mokostandards-api" ] && [ -f "/tmp/mokostandards-api/composer.json" ]; then
+            cd /tmp/mokostandards-api && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+          fi
+
+      - name: Check FTP configuration
+        id: check
+        env:
+          HOST: ${{ vars.DEV_FTP_HOST }}
+          PATH_VAR: ${{ vars.DEV_FTP_PATH }}
+          PORT: ${{ vars.DEV_FTP_PORT }}
+        run: |
+          if [ -z "$HOST" ] || [ -z "$PATH_VAR" ]; then
+            echo "DEV_FTP_HOST or DEV_FTP_PATH not configured -- cannot deploy"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          echo "skip=false" >> "$GITHUB_OUTPUT"
+          echo "host=$HOST" >> "$GITHUB_OUTPUT"
+
+          REMOTE="${PATH_VAR%/}"
+          echo "remote=$REMOTE" >> "$GITHUB_OUTPUT"
+
+          [ -z "$PORT" ] && PORT="22"
+          echo "port=$PORT" >> "$GITHUB_OUTPUT"
+
+      - name: Deploy via SFTP
+        if: steps.check.outputs.skip != 'true'
+        env:
+          SFTP_KEY: ${{ secrets.DEV_FTP_KEY }}
+          SFTP_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
+          SFTP_USER: ${{ vars.DEV_FTP_USERNAME }}
+        run: |
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          [ ! -d "$SOURCE_DIR" ] && { echo "No src/ or htdocs/ -- nothing to deploy"; exit 0; }
+
+          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
+            "${{ steps.check.outputs.host }}" "${{ steps.check.outputs.port }}" "$SFTP_USER" "${{ steps.check.outputs.remote }}" \
+            > /tmp/sftp-config.json
+
+          if [ -n "$SFTP_KEY" ]; then
+            echo "$SFTP_KEY" > /tmp/deploy_key
+            chmod 600 /tmp/deploy_key
+            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
+          else
+            printf ',"password":"%s"}' "$SFTP_PASS" >> /tmp/sftp-config.json
+          fi
+
+          DEPLOY_ARGS=(--path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json)
+          [ "${{ inputs.clear_remote }}" = "true" ] && DEPLOY_ARGS+=(--clear-remote)
+
+          PLATFORM=$(php /tmp/mokostandards-api/cli/platform_detect.php --path . 2>/dev/null || true)
+          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/mokostandards-api/deploy/deploy-joomla.php" ]; then
+            php /tmp/mokostandards-api/deploy/deploy-joomla.php "${DEPLOY_ARGS[@]}"
+          else
+            php /tmp/mokostandards-api/deploy/deploy-sftp.php "${DEPLOY_ARGS[@]}"
+          fi
+
+          rm -f /tmp/deploy_key /tmp/sftp-config.json
+
+      - name: Summary
+        if: always()
+        run: |
+          if [ "${{ steps.check.outputs.skip }}" = "true" ]; then
+            echo "### Deploy Skipped -- FTP not configured" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "### Manual Dev Deploy Complete" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
+            echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Host | \`${{ steps.check.outputs.host }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Remote | \`${{ steps.check.outputs.remote }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Clear | ${{ inputs.clear_remote }} |" >> $GITHUB_STEP_SUMMARY
+          fi

.mokogitea/workflows/deploy-mokogitea.yml

@@ -42,8 +42,8 @@ jobs:
     steps:
       - name: Check dev health
         run: |
-          echo "Checking dev.git.mokoconsulting.tech health..."
+          echo "Checking git.dev.mokoconsulting.tech health..."
-          if curl -sf --max-time 10 https://dev.git.mokoconsulting.tech/api/healthz; then
+          if curl -sf --max-time 10 https://git.dev.mokoconsulting.tech/api/healthz; then
             echo " Dev environment is healthy — proceeding with production deploy"
           else
             echo "::error::Dev environment is NOT healthy — blocking production deploy"

.mokogitea/workflows/gitleaks.yml

@@ -0,0 +1,92 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Security
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# PATH: /templates/workflows/gitleaks.yml.template
+# VERSION: 01.00.00
+# BRIEF: Secret scanning — detect leaked credentials, API keys, and tokens
+#
+# +========================================================================+
+# |                        SECRET SCANNING                                 |
+# +========================================================================+
+# |                                                                        |
+# |  Scans commits for leaked secrets using Gitleaks.                      |
+# |                                                                        |
+# |  - PR scan: only new commits in the PR                                 |
+# |  - Scheduled: full repo scan weekly                                    |
+# |  - Alerts via ntfy on findings                                         |
+# |                                                                        |
+# +========================================================================+
+
+name: "Universal: Secret Scanning"
+
+on:
+  schedule:
+    - cron: '0 5 * * 1'  # Weekly Monday 05:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
+  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
+
+jobs:
+  gitleaks:
+    name: Gitleaks Secret Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Gitleaks
+        run: |
+          GITLEAKS_VERSION="8.21.2"
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            | tar -xz -C /usr/local/bin gitleaks
+          gitleaks version
+
+      - name: Scan for secrets
+        id: scan
+        run: |
+          echo "### Secret Scanning" >> $GITHUB_STEP_SUMMARY
+          ARGS="--source . --verbose --report-format json --report-path /tmp/gitleaks-report.json"
+
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            # Scan only PR commits
+            ARGS="$ARGS --log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
+            echo "Scanning PR commits only" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "Full repository scan" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          if gitleaks detect $ARGS 2>&1; then
+            echo "result=clean" >> "$GITHUB_OUTPUT"
+            echo "**No secrets detected.**" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "result=found" >> "$GITHUB_OUTPUT"
+            FINDINGS=$(jq length /tmp/gitleaks-report.json 2>/dev/null || echo "unknown")
+            echo "**${FINDINGS} potential secret(s) detected.**" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Review the findings and rotate any exposed credentials immediately." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+      - name: Notify on findings
+        if: failure() && steps.scan.outputs.result == 'found'
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          curl -sS \
+            -H "Title: ${REPO} — secrets detected in code" \
+            -H "Tags: rotating_light,key" \
+            -H "Priority: urgent" \
+            -d "Gitleaks found potential secrets. Review and rotate credentials immediately." \
+            "${NTFY_URL}/${NTFY_TOPIC}" || true

.mokogitea/workflows/notify.yml

@@ -0,0 +1,70 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Notifications
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# PATH: /.gitea/workflows/notify.yml
+# VERSION: 01.00.00
+# BRIEF: Push notifications via ntfy on release success or workflow failure
+
+name: "Universal: Notifications"
+
+on:
+  workflow_run:
+    workflows:
+      - "Joomla Build & Release"
+      - "Joomla Extension CI"
+      - "Deploy"
+    types:
+      - completed
+
+permissions:
+  contents: read
+
+env:
+  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
+  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-releases' }}
+
+jobs:
+  notify:
+    name: Send Notification
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.workflow_run.conclusion == 'success' ||
+      github.event.workflow_run.conclusion == 'failure'
+
+    steps:
+      - name: Notify on success (releases only)
+        if: >-
+          github.event.workflow_run.conclusion == 'success' &&
+          contains(github.event.workflow_run.name, 'Release')
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          WORKFLOW="${{ github.event.workflow_run.name }}"
+          URL="${{ github.event.workflow_run.html_url }}"
+
+          curl -sS \
+            -H "Title: ${REPO} released" \
+            -H "Tags: white_check_mark,package" \
+            -H "Priority: default" \
+            -H "Click: ${URL}" \
+            -d "${WORKFLOW} completed successfully." \
+            "${NTFY_URL}/${NTFY_TOPIC}"
+
+      - name: Notify on failure
+        if: github.event.workflow_run.conclusion == 'failure'
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          WORKFLOW="${{ github.event.workflow_run.name }}"
+          URL="${{ github.event.workflow_run.html_url }}"
+
+          curl -sS \
+            -H "Title: ${REPO} workflow failed" \
+            -H "Tags: x,warning" \
+            -H "Priority: high" \
+            -H "Click: ${URL}" \
+            -d "${WORKFLOW} failed. Check the run for details." \
+            "${NTFY_URL}/${NTFY_TOPIC}"

.mokogitea/workflows/version-set.yml

@@ -0,0 +1,130 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow.Template
+# INGROUP: MokoStandards.CI
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-Joomla
+# PATH: /.mokogitea/workflows/version-set.yml
+# VERSION: 01.00.00
+# BRIEF: Set or reset the extension version across all version-bearing files
+
+name: "Joomla: Set Version"
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version number (e.g. 01.00.00)"
+        required: true
+        type: string
+      branch:
+        description: "Branch to update (default: current)"
+        required: false
+        type: string
+
+permissions:
+  contents: write
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  set-version:
+    name: Set Version to ${{ inputs.version }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Validate version format
+        run: |
+          VERSION="${{ inputs.version }}"
+          if ! echo "$VERSION" | grep -qP '^\d{2}\.\d{2}\.\d{2}$'; then
+            echo "::error::Invalid version format '${VERSION}' — expected XX.YY.ZZ (e.g. 01.00.00)"
+            exit 1
+          fi
+          echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.MOKOGITEA_TOKEN || secrets.GA_TOKEN || github.token }}
+          ref: ${{ inputs.branch || github.ref }}
+          fetch-depth: 1
+
+      - name: Update manifest version
+        run: |
+          MANIFEST=""
+          for XML_FILE in $(find . -maxdepth 3 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
+            if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
+              MANIFEST="$XML_FILE"
+              break
+            fi
+          done
+
+          if [ -z "$MANIFEST" ]; then
+            echo "::warning::No Joomla extension manifest found — skipping manifest update"
+          else
+            OLD_VER=$(grep -oP '<version>\K[^<]+' "$MANIFEST" | head -1)
+            sed -i "s|<version>${OLD_VER}</version>|<version>${VERSION}</version>|" "$MANIFEST"
+            echo "Manifest: ${OLD_VER} → ${VERSION} (${MANIFEST})"
+          fi
+
+      - name: Update README.md version
+        run: |
+          if [ -f "README.md" ]; then
+            if grep -qP '^\s*VERSION:\s*\d' README.md; then
+              sed -i -E "s/(VERSION:\s*)[0-9]{2}\.[0-9]{2}\.[0-9]{2}/\1${VERSION}/" README.md
+              echo "README.md version updated to ${VERSION}"
+            else
+              echo "::warning::No VERSION line found in README.md — skipping"
+            fi
+          fi
+
+      - name: Update CHANGELOG.md
+        run: |
+          if [ -f "CHANGELOG.md" ]; then
+            DATE=$(date +%Y-%m-%d)
+            # Check if this version already has an entry
+            if grep -q "^\#\# \[${VERSION}\]" CHANGELOG.md; then
+              echo "CHANGELOG.md already has entry for ${VERSION} — skipping"
+            else
+              # Insert new version entry after [Unreleased] or at the top after header
+              if grep -q '^\#\# \[Unreleased\]' CHANGELOG.md; then
+                sed -i "/^\#\# \[Unreleased\]/a\\\\n## [${VERSION}] --- ${DATE}" CHANGELOG.md
+              else
+                sed -i "/^\# Changelog/a\\\\n## [Unreleased]\n\n## [${VERSION}] --- ${DATE}" CHANGELOG.md
+              fi
+              echo "CHANGELOG.md: added entry for ${VERSION}"
+            fi
+          else
+            echo "::warning::No CHANGELOG.md found — skipping"
+          fi
+
+      - name: Update FILE INFORMATION blocks
+        run: |
+          # Update VERSION in file header blocks (# VERSION: XX.YY.ZZ)
+          find . -maxdepth 1 -type f \( -name "*.yml" -o -name "*.yaml" -o -name "*.php" -o -name "*.md" \) \
+            -not -path "./.git/*" -not -path "./vendor/*" -print0 2>/dev/null | \
+          while IFS= read -r -d '' FILE; do
+            if head -20 "$FILE" | grep -qP '^\s*#?\s*VERSION:\s*\d{2}\.\d{2}\.\d{2}'; then
+              sed -i -E "s/(#?\s*VERSION:\s*)[0-9]{2}\.[0-9]{2}\.[0-9]{2}/\1${VERSION}/" "$FILE"
+              echo "Updated FILE INFORMATION VERSION in ${FILE}"
+            fi
+          done
+
+      - name: Commit and push
+        run: |
+          git config user.name "Moko Consulting [bot]"
+          git config user.email "hello@mokoconsulting.tech"
+          git add -A
+          if git diff --cached --quiet; then
+            echo "No version changes detected — nothing to commit"
+          else
+            git commit -m "chore: set version to ${VERSION} [skip bump]
+
+Authored-by: Moko Consulting"
+            git push
+            echo "### Version Set" >> $GITHUB_STEP_SUMMARY
+            echo "Version updated to \`${VERSION}\` on branch \`${GITHUB_REF_NAME}\`" >> $GITHUB_STEP_SUMMARY
+          fi

.mokogitea/workflows/workflow-sync-trigger.yml

@@ -0,0 +1,73 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: mokocli.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
+# PATH: /.mokogitea/workflows/workflow-sync-trigger.yml
+# VERSION: 01.01.00
+# BRIEF: Trigger workflow sync to live repos when a PR is merged to main
+
+name: "Universal: Workflow Sync Trigger"
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  sync:
+    name: Sync workflows to live repos
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.pull_request.merged == true &&
+      !contains(github.event.pull_request.title, '[skip sync]')
+
+    steps:
+      - name: Determine platform from repo name
+        id: platform
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          case "$REPO" in
+            Template-Joomla)   PLATFORM="joomla" ;;
+            Template-Dolibarr) PLATFORM="dolibarr" ;;
+            Template-Go)       PLATFORM="go" ;;
+            Template-MCP)      PLATFORM="mcp" ;;
+            Template-Generic)  PLATFORM="" ;;
+            *)                 PLATFORM="" ;;
+          esac
+          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
+          echo "Platform: ${PLATFORM:-all}"
+
+      - name: Clone mokocli
+        env:
+          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+        run: |
+          GITEA_URL="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}"
+          git clone --depth 1 "${GITEA_URL}/MokoConsulting/mokocli.git" /tmp/mokocli
+
+      - name: Install dependencies
+        run: |
+          cd /tmp/mokocli
+          composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+
+      - name: Run workflow sync
+        env:
+          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+        run: |
+          ARGS="--token ${MOKOGITEA_TOKEN}"
+          ARGS="${ARGS} --org ${{ vars.GITEA_ORG || github.repository_owner }}"
+          ARGS="${ARGS} --phase repos"
+
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          if [ -n "$PLATFORM" ]; then
+            ARGS="${ARGS} --platform-filter ${PLATFORM}"
+          fi
+
+          php /tmp/mokocli/cli/workflow_sync.php ${ARGS}