chore: sync deploy-manual.yml from Template-Generic [skip ci]

.mokogitea/workflows/auto-release.yml

@@ -10,9 +10,9 @@
 # VERSION: 05.00.00
 # BRIEF: Universal build & release � detects platform from manifest.xml
 #
-# +========================================================================+
+# +=======================================================================+
 # |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
-# +========================================================================+
+# +=======================================================================+
 # |                                                                        |
 # |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
 # |                                                                        |
@@ -21,7 +21,7 @@
 # |    dolibarr: mod*.class.php, update.txt, dev version reset             |
 # |    generic:  README-only, no update stream                             |
 # |                                                                        |
-# +========================================================================+
+# +=======================================================================+
 
 name: "Universal: Build & Release"
 
@@ -30,6 +30,15 @@ on:
     types: [opened, closed]
     branches:
       - main
+    paths-ignore:
+      - '.mokogitea/workflows/**'
+      - '*.md'
+      - 'wiki/**'
+      - '.editorconfig'
+      - '.gitignore'
+      - '.gitattributes'
+      - '.gitmessage'
+      - 'LICENSE' 
   workflow_dispatch:
     inputs:
       action:
@@ -51,7 +60,7 @@ permissions:
   contents: write
 
 jobs:
-  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────
+  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────────
   promote-rc:
     name: Promote to RC
     runs-on: release
@@ -149,7 +158,7 @@ jobs:
           echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
           echo "Branch renamed to rc, minor bump, RC release built" >> $GITHUB_STEP_SUMMARY
 
-  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
+  # ── Merged PR → Build & Release (or promote RC to stable) ─────────────────────────
   release:
     name: Build & Release Pipeline
     runs-on: release
@@ -241,11 +250,47 @@ jobs:
           VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
           [ -z "$VERSION" ] && VERSION="00.00.00" && echo "skip=true" >> "$GITHUB_OUTPUT"
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "tag=stable" >> "$GITHUB_OUTPUT"
+          PLATFORM="${{ steps.platform.outputs.platform }}"
-          echo "release_tag=stable" >> "$GITHUB_OUTPUT"
+          if [[ "$PLATFORM" == joomla* ]]; then
+            echo "tag=stable" >> "$GITHUB_OUTPUT"
+            echo "release_tag=stable" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=v${VERSION}" >> "$GITHUB_OUTPUT"
+            echo "release_tag=v${VERSION}" >> "$GITHUB_OUTPUT"
+          fi
           echo "branch=main" >> "$GITHUB_OUTPUT"
           echo "Published version: ${VERSION}"
 
+      - name: "Create semver tag for non-Joomla repos"
+        id: semver
+        if: |
+          steps.version.outputs.skip != 'true' &&
+          !startsWith(steps.platform.outputs.platform, 'joomla')
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+          SEMVER_TAG="v${VERSION}"
+
+          echo "Creating semver tag: ${SEMVER_TAG}"
+
+          # Create the git tag via API
+          HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
+            -X POST -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${API_BASE}/tags" \
+            -d "{\"tag_name\":\"${SEMVER_TAG}\",\"target\":\"main\",\"message\":\"Release ${VERSION}\"}" 2>/dev/null || echo "000")
+
+          if [ "$HTTP_CODE" = "201" ] || [ "$HTTP_CODE" = "200" ]; then
+            echo "Created semver tag: ${SEMVER_TAG}"
+          elif [ "$HTTP_CODE" = "409" ]; then
+            echo "Semver tag ${SEMVER_TAG} already exists (skipped)"
+          else
+            echo "::warning::Failed to create semver tag ${SEMVER_TAG} (HTTP ${HTTP_CODE})"
+          fi
+
+          echo "semver_tag=${SEMVER_TAG}" >> "$GITHUB_OUTPUT"
+
       - name: Update release notes and promote changelog
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"

.mokogitea/workflows/composer-publish.yml

@@ -1,76 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-name: "Publish to Composer"
-
-on:
-  push:
-    tags:
-      - 'v*'
-      - '[0-9]*.[0-9]*.[0-9]*'
-  release:
-    types: [published]
-  workflow_dispatch:
-
-env:
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-
-jobs:
-  publish:
-    name: Publish Package
-    runs-on: ubuntu-latest
-    if: >-
-      !contains(github.event.head_commit.message, '[skip ci]') &&
-      !contains(github.event.head_commit.message, '[skip publish]')
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup PHP
-        run: |
-          if ! command -v php &> /dev/null; then
-            sudo apt-get update -qq
-            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-
-      - name: Install dependencies
-        run: composer install --no-dev --no-interaction --prefer-dist --quiet
-
-      - name: Determine version
-        id: version
-        run: |
-          VERSION=$(php -r "echo json_decode(file_get_contents('composer.json'))->version;")
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "Package version: ${VERSION}"
-
-      # Gitea Composer Registry — auto-publishes from tags
-      # The tag push itself registers the package at:
-      # https://git.mokoconsulting.tech/api/packages/MokoConsulting/composer
-      - name: Verify Gitea registry
-        run: |
-          echo "Gitea Composer registry auto-publishes from tags."
-          echo "Package available at: ${GITEA_URL}/api/packages/MokoConsulting/composer"
-          echo "Install: composer require mokoconsulting/mokocli"
-
-      # Packagist — notify of new version
-      - name: Notify Packagist
-        if: secrets.PACKAGIST_TOKEN != ''
-        run: |
-          VERSION="${{ steps.version.outputs.version }}"
-          echo "Notifying Packagist of version ${VERSION}..."
-          curl -sf -X POST \
-            -H "Content-Type: application/json" \
-            -d '{"repository":{"url":"https://git.mokoconsulting.tech/MokoConsulting/mokocli"}}' \
-            "https://packagist.org/api/update-package?username=mokoconsulting&apiToken=${{ secrets.PACKAGIST_TOKEN }}" \
-            && echo "Packagist notified" \
-            || echo "::warning::Packagist notification failed (package may not be registered yet)"
-
-      - name: Summary
-        run: |
-          VERSION="${{ steps.version.outputs.version }}"
-          echo "## Composer Package Published" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Registry | Status |" >> $GITHUB_STEP_SUMMARY
-          echo "|----------|--------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Gitea | \`composer require mokoconsulting/mokocli:${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Packagist | \`composer require mokoconsulting/mokocli\` |" >> $GITHUB_STEP_SUMMARY

.mokogitea/workflows/issue-branch.yml

@@ -5,7 +5,7 @@
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: mokocli.Automation
-# VERSION: 01.08.00
+# VERSION: 01.00.00
 # BRIEF: Auto-create feature branch when an issue is opened
 
 name: "Universal: Issue Branch"

.mokogitea/workflows/pre-release.yml

@@ -88,8 +88,20 @@ jobs:
           php ${MOKO_CLI}/platform_detect.php --path . --github-output 2>/dev/null || true
           php ${MOKO_CLI}/manifest_read.php --path . --github-output
 
+      - name: Check platform eligibility (Joomla only)
+        id: eligibility
+        run: |
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          if [[ "$PLATFORM" == joomla* ]] || [[ "$PLATFORM" == "joomla" ]]; then
+            echo "proceed=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "proceed=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::Platform '$PLATFORM' — non-Joomla, skipping pre-release auto-bump"
+          fi
+
       - name: Resolve metadata and bump version
         id: meta
+        if: steps.eligibility.outputs.proceed == 'true'
         run: |
           # Auto-detect stability from branch name on push, or use input on dispatch
           if [ "${{ github.event_name }}" = "push" ]; then
@@ -166,6 +178,7 @@ jobs:
 
       - name: Create release
         id: release
+        if: steps.eligibility.outputs.proceed == 'true'
         run: |
           TAG="${{ steps.meta.outputs.tag }}"
           VERSION="${{ steps.meta.outputs.version }}"
@@ -176,6 +189,7 @@ jobs:
             --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
 
       - name: Update release notes from CHANGELOG.md
+        if: steps.eligibility.outputs.proceed == 'true'
         run: |
           TAG="${{ steps.meta.outputs.tag }}"
           VERSION="${{ steps.meta.outputs.version }}"
@@ -212,6 +226,7 @@ jobs:
 
       - name: Build package and upload
         id: package
+        if: steps.eligibility.outputs.proceed == 'true'
         run: |
           VERSION="${{ steps.meta.outputs.version }}"
           TAG="${{ steps.meta.outputs.tag }}"
@@ -225,6 +240,7 @@ jobs:
       # No need to build, commit, or sync updates.xml from workflows
 
       - name: "Delete lesser pre-release channels (cascade)"
+        if: steps.eligibility.outputs.proceed == 'true'
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"

.mokogitea/workflows/security-audit.yml

@@ -1,82 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Security
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
-# PATH: /.gitea/workflows/security-audit.yml
-# VERSION: 01.00.00
-# BRIEF: Dependency vulnerability scanning for composer and npm packages
-
-name: "Universal: Security Audit"
-
-on:
-  schedule:
-    - cron: '0 6 * * 1'  # Weekly on Monday at 06:00 UTC
-  pull_request:
-    branches:
-      - main
-    paths:
-      - 'composer.json'
-      - 'composer.lock'
-      - 'package.json'
-      - 'package-lock.json'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-env:
-  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
-  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
-
-jobs:
-  audit:
-    name: Dependency Audit
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Composer audit
-        if: hashFiles('composer.lock') != ''
-        run: |
-          echo "=== Composer Security Audit ==="
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq
-            sudo apt-get install -y -qq php-cli composer >/dev/null 2>&1
-          fi
-          composer audit --format=plain 2>&1 | tee /tmp/composer-audit.txt
-          RESULT=$?
-          if [ $RESULT -ne 0 ]; then
-            echo "::warning::Composer vulnerabilities found"
-            echo "composer_vulnerable=true" >> "$GITHUB_ENV"
-          else
-            echo "No known vulnerabilities in composer dependencies"
-          fi
-
-      - name: NPM audit
-        if: hashFiles('package-lock.json') != ''
-        run: |
-          echo "=== NPM Security Audit ==="
-          npm audit --production 2>&1 | tee /tmp/npm-audit.txt || true
-          if npm audit --production 2>&1 | grep -q "found 0 vulnerabilities"; then
-            echo "No known vulnerabilities in npm dependencies"
-          else
-            echo "::warning::NPM vulnerabilities found"
-            echo "npm_vulnerable=true" >> "$GITHUB_ENV"
-          fi
-
-      - name: Notify on vulnerabilities
-        if: env.composer_vulnerable == 'true' || env.npm_vulnerable == 'true'
-        run: |
-          REPO="${{ github.event.repository.name }}"
-          curl -sS \
-            -H "Title: ${REPO} has vulnerable dependencies" \
-            -H "Tags: lock,warning" \
-            -H "Priority: high" \
-            -d "Security audit found vulnerabilities. Review dependency updates." \
-            "${NTFY_URL}/${NTFY_TOPIC}" || true