ci: add Forgejo Actions pipeline + runner setup

- apps/forgejo/docker-compose.yml: enable FORGEJO__actions__ENABLED=true - apps/forgejo-runner/docker-compose.yml: forgejo-runner:3.5.0 container mounts docker.sock so jobs can spin up containers on monk - .forgejo/workflows/ci.yml: 3-job pipeline on every push to main compose-lint → validates all apps/*/docker-compose.yml secrets-check → scans for hardcoded passwords/tokens/keys shellcheck → lints all scripts/*.sh - docs/ci-cd-setup.md: runner registration steps + extension guide PENDING (needs user action): 1. docker compose up -d --force-recreate in apps/forgejo/ to apply env 2. Get runner token from Forgejo admin panel 3. Run forgejo-runner register with token, then docker compose up Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19 03:03:29 -05:00 · 2026-06-19 03:03:29 -05:00 · f38decc285
commit f38decc285
parent dbcf51993d
4 changed files with 195 additions and 0 deletions
--- a/docs/ci-cd-setup.md
+++ b/docs/ci-cd-setup.md
@ -0,0 +1,91 @@
+# Forgejo Actions CI/CD Setup
+
+Forgejo Actions is GitHub Actions-compatible CI/CD built into Forgejo. Every push to `kitestacks-homelab` triggers: compose validation, secret leak scan, and shellcheck.
+
+## Architecture
+
+```
+Developer pushes to Forgejo
+         │
+         ▼
+Forgejo Actions scheduler
+         │
+         ▼
+forgejo-runner container
+  ├── compose-lint job   (validates all apps/*/docker-compose.yml)
+  ├── secrets-check job  (scans for hardcoded passwords/tokens)
+  └── shellcheck job     (lints all scripts/*.sh)
+```
+
+## One-time setup
+
+### 1. Restart Forgejo to enable Actions
+
+Actions is now enabled via `FORGEJO__actions__ENABLED=true` in the compose env. Restart to apply:
+
+```bash
+cd ~/kitestacks-homelab/apps/forgejo
+docker compose up -d --force-recreate
+```
+
+Verify in the Forgejo UI: Admin Panel → Configuration → Actions = Enabled
+
+### 2. Get a runner registration token
+
+In Forgejo web UI:
+- Site Admin → Actions → Runners → **Create new runner token**
+- Copy the token (starts with `grt_...`)
+
+### 3. Register and start the runner
+
+```bash
+cd ~/kitestacks-homelab/apps/forgejo-runner
+mkdir -p config
+
+# Register the runner (one-time, interactive)
+docker run --rm -it \
+  -v $(pwd)/config:/etc/act_runner \
+  code.forgejo.org/forgejo/runner:3.5.0 \
+  register \
+    --instance http://forgejo:3000 \
+    --token <paste-grt-token-here> \
+    --name monk-runner \
+    --labels docker:docker://node:20
+
+# Start the runner daemon
+docker compose up -d
+```
+
+### 4. Verify
+
+Push any change to kitestacks-homelab → Forgejo → Actions tab shows the pipeline running.
+
+## Workflow file
+
+`.forgejo/workflows/ci.yml` — runs on every push/PR to main:
+
+| Job | What it does |
+|-----|-------------|
+| `compose-lint` | `docker compose config --quiet` on all compose files |
+| `secrets-check` | grep for hardcoded passwords, tokens, private keys |
+| `shellcheck` | static analysis on all `scripts/*.sh` |
+
+## Adding workflows to other repos
+
+Copy `.forgejo/workflows/ci.yml` into any repo that has a runner label matching `docker`. The runner on monk can serve all repos in your Forgejo instance.
+
+## Extending the pipeline
+
+Add a deploy job that runs after tests pass:
+
+```yaml
+  deploy:
+    name: Deploy to monk
+    runs-on: docker
+    needs: [compose-lint, secrets-check, shellcheck]
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v4
+      - name: Redeploy changed app
+        run: docker compose -f apps/myapp/docker-compose.yml up -d --pull always
+```