${SHA:0:7} substring expansion is bash-specific and fails in sh.
Adding explicit shell: bash to both steps, matching the fix already
applied to build-push.yaml.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The runner is ARM64 but yq was hardcoded to download amd64 binary.
Auto-detect architecture to download the correct binary.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The pinned container image uses sh which doesn't support bash
string slicing syntax (${var:0:7}). Explicitly set shell: bash
to ensure compatibility.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Pin catthehacker/ubuntu:act-22.04 to digest sha256:52581951... to
prevent supply-chain drift from mutable tags
- Add ARM64 builds section to README documenting QEMU emulation
trade-offs and when to switch to native ARM64 runners (Rust builds)
- Update Notes section to reference new ARM64 docs and digest pinning
Ref: CON-578
P1 — deploy-k8s.yaml:
- Add set -euo pipefail to all run blocks
- Replace sed-based image tag patching with yq for YAML-safe updates
- Add source commit SHA and CI run link to deploy commit messages
- Install yq v4.44.1 as prerequisite step
P1 — build-push.yaml:
- Add runner input parameter for future ARM64 self-hosted runners
(default: ubuntu-latest with QEMU emulation)
P2 — test-python.yaml:
- Add pyproject.toml support (pip install -e) before requirements.txt fallback
P2 — build-push.yaml:
- Pin catthehacker/ubuntu container image to act-22.04 (was act-latest)
Ref: CON-578
Reusable Gitea Actions workflows for lint, test, build, and deploy:
- lint-python, lint-node, lint-rust
- test-python, test-node, test-rust
- build-push (Docker build + push to Gitea registry)
- deploy-k8s (GitOps image tag update in cluster repo)
Plus example caller workflows for python-fullstack, rust-service,
and node-frontend stacks. Branch refs aligned to staging per CON-570 standards.
