# CI split into jobs: quality gate + CLI + examples matrix (built/deployed in parallel).

name: forge-sql-orm CI

on:

push:

branches: [ "master" ]

pull_request:

branches: [ "master" ]

concurrency:

group: ${{ github.workflow }}-${{ github.actor == 'dependabot[bot]' && github.run_id || github.ref }}

cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:

# --- Quality gate: core library lint / build / tests / coverage scanners ---

quality:

runs-on: ubuntu-latest

env:

SONARCLOUD_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}

QLTY_COVERAGE_TOKEN: ${{ secrets.QLTY_COVERAGE_TOKEN }}

CODACY_API_TOKEN: ${{ secrets.CODACY_API_TOKEN }}

permissions:

contents: read

packages: write

pull-requests: write

strategy:

matrix:

node-version: [24.x]

outputs:

core_version: ${{ steps.publish_core.outputs.core_version }}

extra_version: ${{ steps.publish_extra.outputs.extra_version }}

cli_version: ${{ steps.publish_cli.outputs.cli_version }}

steps:

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

with:

fetch-depth: 0

persist-credentials: false

- name: Use Node.js ${{ matrix.node-version }}

uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

with:

node-version: ${{ matrix.node-version }}

cache: 'npm'

- run: npm ci --ignore-scripts

- name: REUSE / SPDX compliance

uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5

- run: npm run knip

- name: License compliance (no GPL/LGPL/AGPL/copyleft)

run: npm run license:check

- run: npm run lint

- run: npm run build

- run: npm run format:check

- run: npm run test:coverage

- name: Publish forge-sql-orm to GitHub Packages (not npmjs.com)

if: github.actor != 'dependabot[bot]'

id: publish_core

env:

NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: |

node scripts/ci/github-packages.mjs publish-core

echo "core_version=$(node scripts/ci/github-packages.mjs ci-version)" >> "$GITHUB_OUTPUT"

- name: Extra package (knip / build / tests with coverage)

env:

NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: |

cd forge-sql-orm-extra

npm ci --ignore-scripts

if [ "${{ github.actor }}" != "dependabot[bot]" ]; then

node ../scripts/ci/github-packages.mjs install-workspace . "${{ steps.publish_core.outputs.core_version }}"

fi

npm run license:check

npm run knip

npm run build

npm run test:coverage

- name: Publish forge-sql-orm-extra to GitHub Packages

if: github.actor != 'dependabot[bot]'

id: publish_extra

env:

NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: |

node scripts/ci/github-packages.mjs publish-extra "${{ steps.publish_core.outputs.core_version }}"

echo "extra_version=$(node scripts/ci/github-packages.mjs ci-version forge-sql-orm-extra)" >> "$GITHUB_OUTPUT"

- name: CLI package (knip / lint / build / tests with coverage)

env:

NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: |

cd forge-sql-orm-cli

npm ci --ignore-scripts

if [ "${{ github.actor }}" != "dependabot[bot]" ]; then

node ../scripts/ci/github-packages.mjs install-workspace . "${{ steps.publish_core.outputs.core_version }}"

fi

npm run knip

npm run lint

npm run build

npm run test:coverage

- name: Publish forge-sql-orm-cli to GitHub Packages

if: github.actor != 'dependabot[bot]'

id: publish_cli

env:

NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: |

node scripts/ci/github-packages.mjs publish-cli "${{ steps.publish_core.outputs.core_version }}"

echo "cli_version=$(node scripts/ci/github-packages.mjs ci-version forge-sql-orm-cli)" >> "$GITHUB_OUTPUT"

- name: Merge library + EXTRA + CLI coverage into a single report

if: env.SONARCLOUD_TOKEN != '' || env.QLTY_COVERAGE_TOKEN != '' || env.CODACY_API_TOKEN != ''

run: npm run coverage:merge

- name: SonarQube Scan

if: env.SONARCLOUD_TOKEN != ''

uses: SonarSource/sonarqube-scan-action@c7ee0f9df90b7aa20e8dcf9695dcfe2e7da5b4f2 # v7.2.1

env:

SONAR_TOKEN: ${{ env.SONARCLOUD_TOKEN }}

- name: Upload to Qlty

if: env.QLTY_COVERAGE_TOKEN != ''

uses: qltysh/qlty-action/coverage@141b881236146435192435eb7b0e06ea0b70b4d9 # main as of 2026-05-12

with:

coverage-token: ${{ env.QLTY_COVERAGE_TOKEN }}

files: ./coverage/lcov.info

- name: Upload coverage to Codacy

if: env.CODACY_API_TOKEN != ''

uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1.3.0

with:

api-token: ${{ env.CODACY_API_TOKEN }}

coverage-reports: ./coverage/lcov.info

# --- Examples: one matrix entry per example, built & deployed in parallel ---

examples:

needs: quality

runs-on: ubuntu-latest

permissions:

contents: read

packages: read

environment: ${{ github.event_name == 'push' && 'production' || (github.event_name == 'workflow_dispatch' && inputs.environment || 'development') }}

strategy:

fail-fast: false

max-parallel: 5

matrix:

include:

# static: true-> has static/forge-orm-example frontend

# ai_lib: true-> has ai-lib that needs build:arm64

- { dir: forge-sql-orm-example-drizzle-driver-simple, static: true }

- { dir: forge-sql-orm-example-simple, static: true }

- { dir: forge-sql-orm-example-optimistic-locking, static: true }

- { dir: forge-sql-orm-example-query-analyses, static: true }

- { dir: forge-sql-orm-example-checklist, static: true }

- { dir: forge-sql-orm-example-org-tracker, static: true }

- { dir: forge-sql-orm-example-dynamic, static: true }

- { dir: forge-sql-orm-example-sql-executor, static: true }

- { dir: forge-sql-orm-example-cache, static: true }

- { dir: forge-sql-orm-example-atlascamp, static: true }

- { dir: forge-sql-orm-example-vector, static: true }

- { dir: forge-sql-orm-example-ai, static: true }

- { dir: forge-sql-orm-example-backend-ai, static: true, ai_lib: true }

- { dir: forge-sql-orm-example-ui-kit }

steps:

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

with:

persist-credentials: false

- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

with:

node-version: 24.x

cache: 'npm'

- run: npm install -g @forge/cli && forge settings set usage-analytics true

# push / dispatch-production -> "production"; everything else (PRs,

# dispatch-development) -> per-actor env named after the sanitized actor.

- name: Resolve Forge environment

env:

EVENT_NAME: ${{ github.event_name }}

INPUT_ENV: ${{ inputs.environment }}

ACTOR: ${{ github.actor }}

run: |

if [ "$EVENT_NAME" = "push" ] || { [ "$EVENT_NAME" = "workflow_dispatch" ] && [ "$INPUT_ENV" = "production" ]; }; then

forge_env="production"

else

forge_env="$(echo "$ACTOR" | tr -cd '[:alnum:]')"

fi

echo "FORGE_ENV=$forge_env" >> "$GITHUB_ENV"

echo "Resolved FORGE_ENV=$forge_env"

- name: Install example deps

run: cd examples/${{ matrix.dir }} && npm ci --ignore-scripts

- name: Install published workspace packages from GitHub Packages

if: github.actor != 'dependabot[bot]' && needs.quality.outputs.core_version != ''

env:

NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: |

node scripts/ci/github-packages.mjs install-example \

"examples/${{ matrix.dir }}" \

"${{ needs.quality.outputs.core_version }}" \

"${{ needs.quality.outputs.extra_version }}" \

"${{ needs.quality.outputs.cli_version }}"

- name: Knip (example)

run: cd examples/${{ matrix.dir }} && npm run knip

- name: Build example

run: cd examples/${{ matrix.dir }} && npm run build:ci

- name: Build ai-lib (arm64)

if: matrix.ai_lib

run: cd examples/${{ matrix.dir }}/ai-lib && npm ci --ignore-scripts && npm run build:arm64

- name: Install frontend deps

if: matrix.static

run: cd examples/${{ matrix.dir }}/static/forge-orm-example && npm ci --ignore-scripts

- name: Knip (frontend)

if: matrix.static

run: cd examples/${{ matrix.dir }}/static/forge-orm-example && npm run knip

- name: Build frontend

if: matrix.static

run: cd examples/${{ matrix.dir }}/static/forge-orm-example && npm run build

# One retry: Forge deploys hit transient Atlassian-side failures.

- name: Forge Deploy (${{ env.FORGE_ENV }})

if: github.actor != 'dependabot[bot]'

env:

FORGE_EMAIL: ${{ secrets.FORGE_EMAIL }}

FORGE_API_TOKEN: ${{ secrets.FORGE_API_TOKEN }}

run: |

cd "examples/${{ matrix.dir }}"

for attempt in 1 2; do

if forge deploy --non-interactive -e "$FORGE_ENV"; then

exit 0

fi

echo "::warning::forge deploy attempt $attempt failed for ${{ matrix.dir }}"

[ "$attempt" -lt 2 ] && sleep $((RANDOM % 21 + 10))

done

echo "forge deploy failed after 2 attempts"

exit 1

# Existing install on this site+environment -> --upgrade; otherwise a

# fresh install. The install list is parsed inline with Node.js.

# One retry (re-evaluated each attempt) for transient Atlassian failures.

- name: Forge Install (${{ env.FORGE_ENV }})

if: github.actor != 'dependabot[bot]'

env:

FORGE_EMAIL: ${{ secrets.FORGE_EMAIL }}

FORGE_API_TOKEN: ${{ secrets.FORGE_API_TOKEN }}

FORGE_HOSTNAME: ${{ secrets.FORGE_HOSTNAME }}

run: |

cd "examples/${{ matrix.dir }}"

if [ -z "${FORGE_HOSTNAME:-}" ]; then

echo "::error::FORGE_HOSTNAME secret is empty or unset — refusing to install (an empty host matches every site)"

exit 1

fi

install_once() {

# Don't mask failures: if the list call fails (e.g. transient

# network error) return non-zero so the loop retries the whole

# sequence, instead of silently assuming "not installed".

if ! installs="$(forge install list --json)"; then

echo "::warning::forge install list failed for ${{ matrix.dir }}"

return 1

fi

already_installed="$(FORGE_INSTALLS="$installs" node -e '

const raw = process.env.FORGE_INSTALLS || "[]";

let data;

try { data = JSON.parse(raw); } catch { data = []; }

const list = Array.isArray(data) ? data : (data.installations || data.result || data.data || []);

const host = (process.env.FORGE_HOSTNAME || "").toLowerCase();

const envName = (process.env.FORGE_ENV || "").toLowerCase();

const found = !!host && list.some((i) => {

const site = String(i.site || i.siteUrl || i.host || i.hostname || "").toLowerCase();

const env = String(i.environmentKey || i.environment || i.environmentType || "").toLowerCase();

return site.includes(host) && env === envName;

});

process.stdout.write(found ? "yes" : "no");

')"

if [ "$already_installed" = "yes" ]; then

echo "Found existing installation on $FORGE_HOSTNAME ($FORGE_ENV) -> upgrading"

forge install -e "$FORGE_ENV" -s "$FORGE_HOSTNAME" -p Jira --confirm-scopes --non-interactive --upgrade

else

echo "No installation on $FORGE_HOSTNAME ($FORGE_ENV) -> fresh install"

forge install -e "$FORGE_ENV" -s "$FORGE_HOSTNAME" -p Jira --confirm-scopes --non-interactive

fi

}

for attempt in 1 2; do

if install_once; then

exit 0

fi

echo "::warning::forge install attempt $attempt failed for ${{ matrix.dir }}"

[ "$attempt" -lt 2 ] && sleep $((RANDOM % 21 + 10))

done

echo "forge install failed after 2 attempts"

exit 1

build:

if: always()

needs: [quality, examples]

runs-on: ubuntu-latest

permissions:

contents: read

strategy:

matrix:

node-version: [24.x]

steps:

- name: Fail if any dependency failed or was cancelled

if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')

run: |

echo "One or more jobs did not succeed: ${{ join(needs.*.result, ', ') }}"

exit 1

- name: All required jobs passed

run: echo "quality and all examples succeeded"

# Every run publishes ephemeral -ci.* versions for downstream jobs; delete them

# after the workflow finishes so GitHub Packages storage does not accumulate.

cleanup-gpr:

needs: [build]

if: always() && github.actor != 'dependabot[bot]'

runs-on: ubuntu-latest

permissions:

contents: read

packages: write

steps:

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

with:

persist-credentials: false

- name: Delete CI package versions from GitHub Packages

continue-on-error: true

env:

NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run: node scripts/ci/github-packages.mjs cleanup-ci-versions