# Forgejo Actions CI/CD Setup

Forgejo Actions is the GitHub Actions-compatible CI/CD built into Forgejo. Every push to `kitestacks-homelab` triggers three jobs: compose validation, a hardcoded-secret scan, and shellcheck.

## Architecture

```
Developer pushes to Forgejo
        │
        ▼
Forgejo Actions scheduler
        │
        ▼
forgejo-runner container
├── compose-lint job (validates all apps/*/docker-compose.yml)
├── secrets-check job (scans for hardcoded passwords/tokens)
└── shellcheck job (lints all scripts/*.sh)
```

## One-time setup

### 1. Restart Forgejo to enable Actions

Actions is enabled by `FORGEJO__actions__ENABLED=true` in the compose env. Restart Forgejo so the setting takes effect:

```bash
cd ~/kitestacks-homelab/apps/forgejo
docker compose up -d --force-recreate
```

Verify in the Forgejo UI: Admin Panel → Configuration → Actions = Enabled.

### 2. Get a runner registration token

In the Forgejo web UI:
- Site Admin → Actions → Runners → **Create new runner token**
- Copy the token (it starts with `grt_...`)

Treat the token as a secret: anyone who has it can register a runner that receives your jobs, including the secrets those jobs use. Do not commit it to the repo.

### 3. Register and start the runner

```bash
cd ~/kitestacks-homelab/apps/forgejo-runner
mkdir -p config

# Register the runner (one-time, interactive). The token is read from the
# terminal instead of being typed on the command line, so it stays out of
# shell history. Paste the grt_... token from step 2 at the prompt.
printf 'Registration token (grt_...): '
read -r RUNNER_TOKEN
docker run --rm -it \
  -v "$(pwd)/config:/etc/act_runner" \
  code.forgejo.org/forgejo/runner:3.5.0 \
  register \
  --instance http://forgejo:3000 \
  --token "$RUNNER_TOKEN" \
  --name monk-runner \
  --labels docker:docker://node:20

# Start the runner daemon
docker compose up -d
```

Two things to check if registration fails or jobs never start:

- `http://forgejo:3000` is the Forgejo container's name on its compose network. The registration container only resolves it if it is attached to that same network (pass `--network` with the network name from Forgejo's compose file); otherwise use the URL you reach Forgejo at from monk.
- The `docker:docker://node:20` label means every job tagged `runs-on: docker` runs inside a fresh `node:20` container, not on the host. That is what you want for lint jobs; it matters for anything that needs the host's Docker daemon (see "Extending the pipeline").

### 4. Verify

Push any change to `kitestacks-homelab`. In Forgejo, the repo's Actions tab should show the pipeline running. If nothing appears, the runner is not registered or its `docker` label does not match the workflow's `runs-on`.

## Workflow file

`.forgejo/workflows/ci.yml` runs on every push and pull request to `main`:

| Job | What it does |
|-----|-------------|
| `compose-lint` | `docker compose config --quiet` on every `apps/*/docker-compose.yml` |
| `secrets-check` | grep for hardcoded passwords, tokens and private keys |
| `shellcheck` | static analysis of every `scripts/*.sh` |

## Adding workflows to other repos

Copy `.forgejo/workflows/ci.yml` into any other repo on the instance. The only requirement is that the workflow's `runs-on: docker` matches a label of a registered runner; the runner on monk was registered at instance level (Site Admin), so it serves every repo in your Forgejo instance.
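The `secrets-check` row above only says "grep for hardcoded passwords, tokens, private keys". The script below is an added example of what that job body can look like; it is not the repo's own `ci.yml` step. The regex patterns, the `allow-secret` marker, the `*.example` exclusion, and the sample files it builds are assumptions made for the demo. It exits non-zero on a finding, which is what makes the job fail, and it deliberately ignores compose-style `${VAR}` substitutions so a compose file that reads its password from `.env` is not reported.

```shell
#!/bin/sh
# Added example of a secrets-check job body (not the repo's own ci.yml step).
# Patterns, the "allow-secret" marker, the *.example exclusion and the sample
# files below are assumptions made for this demo.
set -u

# scan_for_secrets DIR: print every suspicious line as "LEAK file:line:text"
# and return 1, or return 0 when the tree is clean (the job's pass/fail).
scan_for_secrets() {
  dir=$1
  # One recursive grep with one -e per pattern:
  #   1. password/secret/token/api_key assigned a literal of 8+ chars
  #   2. PEM private-key headers
  #   3. Forgejo runner registration tokens (grt_...), as in step 2 above
  hits=$(grep -rnIiE --exclude-dir=.git --exclude='*.example' \
    -e '(password|passwd|secret|token|api[_-]?key)[[:space:]]*[:=][[:space:]]*["'\'']?[A-Za-z0-9_./+=-]{8,}' \
    -e '-----BEGIN ([A-Z ]+ )?PRIVATE KEY-----' \
    -e 'grt_[A-Za-z0-9]{10,}' \
    "$dir" 2>/dev/null) || true        # grep exits 1 when nothing matched
  # Drop compose-style substitutions (${VAR} is read from .env, not a leak)
  # and lines carrying an explicit allow-secret marker.
  leaks=$(printf '%s\n' "$hits" | grep -v -e '\${' -e 'allow-secret' | grep -v '^$') || true
  if [ -n "$leaks" ]; then
    printf '%s\n' "$leaks" | sed 's/^/LEAK /'
    return 1
  fi
  return 0
}

# make_sample_tree: build a constructed repo layout in a temp dir and print its path.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/apps/db" "$root/apps/web" "$root/scripts"
  cat >"$root/apps/db/docker-compose.yml" <<'EOF'
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
EOF
  cat >"$root/apps/web/docker-compose.yml" <<'EOF'
services:
  web:
    image: nginx:alpine
    environment:
      API_TOKEN: hardcoded-token-value-123
EOF
  cat >"$root/scripts/backup.sh" <<'EOF'
#!/bin/sh
RUNNER_TOKEN=grt_AbCdEfGhIjKlMnOp
EOF
  cat >"$root/.env.example" <<'EOF'
POSTGRES_PASSWORD=change-me-before-first-run
EOF
  printf '%s\n' "$root"
}

# Usage: secrets-check.sh [DIR]. With no argument, scan the constructed sample
# tree; expected: apps/web (API_TOKEN) and scripts/backup.sh (grt_ token) are
# reported, apps/db (${POSTGRES_PASSWORD}) and .env.example are not.
if [ $# -gt 0 ]; then
  scan_for_secrets "$1"
else
  demo=$(make_sample_tree)
  scan_for_secrets "$demo" || echo "secrets-check would fail this job"
  rm -rf "$demo"
fi
```

In the workflow the step is just `run: sh scripts/secrets-check.sh .` (path assumed); the job fails whenever the function returns 1. The `*.example` exclusion is the usual escape hatch for template files that intentionally carry placeholder values; keep it narrow, because a broad exclude list is how a real leak slips through.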
## Extending the pipeline

Add a deploy job that runs only after all three checks pass, and only on `main`:

```yaml
deploy:
  name: Deploy to monk
  runs-on: docker
  needs: [compose-lint, secrets-check, shellcheck]
  if: github.ref == 'refs/heads/main'
  steps:
    - uses: actions/checkout@v4
    - name: Redeploy changed app
      run: docker compose -f apps/myapp/docker-compose.yml up -d --pull always
```

Two caveats before enabling this:

- With the runner registered above, `runs-on: docker` runs the job inside a throwaway `node:20` container that has neither the `docker` CLI nor the host's Docker socket, so the `docker compose` step cannot reach the stacks on monk. A deploy job needs a runner label that executes on the host itself, or a job container with `/var/run/docker.sock` mounted.
- Either option hands the job root-equivalent control of monk (the Docker socket is root). Keep that label on a runner that serves only this repo, keep the `if:` guard on `main`, and protect `main` so untrusted pull requests cannot reach the deploy job; `needs` and `if` give ordering and a branch gate, not access control.
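The snippet hardcodes `apps/myapp`, while the step name says "Redeploy changed app". As an added example (not the repo's own deploy step), the helper below derives the apps to redeploy from the list of changed paths, so a push that touches `apps/forgejo/` and `apps/web/` restarts exactly those two stacks and nothing else. The function names, the `DRY_RUN` switch, and the sample checkout it constructs are assumptions.

```shell
#!/bin/sh
# Added example (not the repo's own deploy step): derive which apps/*/ stacks a
# push touched so the deploy job redeploys only those, instead of a hardcoded
# apps/myapp. Function names, the DRY_RUN switch and the sample tree are assumptions.
set -eu

# apps_from_paths TREE: read changed file paths (one per line) on stdin and
# print each distinct app name under apps/ that still has a compose file in TREE.
apps_from_paths() {
  tree=$1
  while IFS= read -r path; do
    case "$path" in
      apps/*/*) app=${path#apps/}; app=${app%%/*} ;;   # apps/<name>/... -> <name>
      *) continue ;;                                   # README, scripts/, etc.
    esac
    # A change under an app whose compose file is gone (deleted stack) is skipped.
    [ -f "$tree/apps/$app/docker-compose.yml" ] || continue
    printf '%s\n' "$app"
  done | sort -u
}

# redeploy TREE: read app names on stdin and bring each stack up, pulling fresh
# images. DRY_RUN=1 prints the command instead of running it.
redeploy() {
  tree=$1
  while IFS= read -r app; do
    compose="$tree/apps/$app/docker-compose.yml"
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf 'would run: docker compose -f %s up -d --pull always\n' "$compose"
    else
      docker compose -f "$compose" up -d --pull always
    fi
  done
}

# sample_tree: constructed checkout with two app stacks, printed as a temp path.
sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/apps/forgejo" "$root/apps/web"
  printf 'services:\n  forgejo:\n    image: nginx:alpine\n' >"$root/apps/forgejo/docker-compose.yml"
  printf 'services:\n  web:\n    image: nginx:alpine\n' >"$root/apps/web/docker-compose.yml"
  printf '%s\n' "$root"
}

# In the real job the path list comes from git, e.g.
#   git diff --name-only HEAD~1 HEAD | apps_from_paths . | redeploy .
# which needs actions/checkout with fetch-depth: 2 (its default of 1 has no HEAD~1).
# Demo on the constructed tree: only forgejo and web are redeployed, once each.
demo=$(sample_tree)
printf '%s\n' apps/forgejo/docker-compose.yml apps/forgejo/.env.example \
  apps/web/config/nginx.conf apps/gone/docker-compose.yml scripts/backup.sh README.md \
  | apps_from_paths "$demo" | DRY_RUN=1 redeploy "$demo"
rm -rf "$demo"
```

Wire it in as the job's `run:` step in place of the hardcoded compose path. The compose-file existence check is what keeps a commit that deletes a stack from failing the deploy, and `sort -u` is what keeps several files in one app from restarting that stack several times.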