main job ajo tässä haarassa

- ci.yml: pure dispatch (Feature → ci-feature, Main → ci-main), 18 lines
- ci-feature.yml (new):  load-config → quality-gate
- ci-main.yml (new):     load-config → check-version → quality-gate → docker-build-push
- check-version.yml (new): provider workflow for artifact existence check and version calculation
- docker-build-push.yml (renamed from build_publish-artifact.yml):
  - removed check job, quality-gate block, gatekeeper logic, build-context artifact
  - version passed as input, simplified needs chain (build → push → tag-commit)
  - fixed consumer→provider checkout pattern (.ci/scripts/)

.gitea/scripts/generate-report-index.sh

@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-SHA8="${GITHUB_SHA:0:8}"
-REPORTS_DIR="reports/${SHA8}"
-
-mkdir -p "${REPORTS_DIR}"
-
-BATS_PASS=$(grep -c 'ok' "${REPORTS_DIR}/bats/results.txt" 2>/dev/null || echo 0)
-BATS_FAIL=$(grep -c 'not ok' "${REPORTS_DIR}/bats/results.txt" 2>/dev/null || echo 0)
-CUCUMBER_PASS=$(jq '.summary.passed // 0' "${REPORTS_DIR}/cucumber/report.json" 2>/dev/null || echo 0)
-CUCUMBER_FAIL=$(jq '.summary.failed // 0' "${REPORTS_DIR}/cucumber/report.json" 2>/dev/null || echo 0)
-
-{
-  echo "<!DOCTYPE html><html><head><meta charset='utf-8'>"
-  echo "<title>CI report ${SHA8}</title>"
-  echo "<style>body{font-family:sans-serif;margin:2em}a{color:#2563eb}table{border-collapse:collapse}"
-  echo "th,td{border:1px solid #ccc;padding:8px;text-align:left}"
-  echo ".pass{color:#059669}.fail{color:#dc2626}</style></head><body>"
-  echo "<h1>CI report <code>${SHA8}</code></h1>"
-  echo "<p>Commit: ${GITHUB_SHA}<br>Branch: ${GITHUB_REF_NAME}<br>Run: ${GITHUB_RUN_ID}</p>"
-  echo "<table><tr><th>Suite</th><th>Passed</th><th>Failed</th><th>Report</th></tr>"
-  echo "<tr><td>Bats</td><td class='pass'>${BATS_PASS}</td><td class='fail'>${BATS_FAIL}</td>"
-  echo "<td><a href='bats/results.txt'>results.txt</a>"
-  echo " | <a href='bats/junit.xml'>junit.xml</a></td></tr>"
-  echo "<tr><td>Cucumber</td><td class='pass'>${CUCUMBER_PASS}</td><td class='fail'>${CUCUMBER_FAIL}</td>"
-  echo "<td><a href='cucumber/index.html'>report</a>"
-  echo " | <a href='cucumber/report.json'>json</a></td></tr>"
-  echo "</table></body></html>"
-} > "${REPORTS_DIR}/index.html"

.gitea/workflows/build_publish-artifact.yml

@@ -1,356 +0,0 @@
-name: Build & Publish Artifact
-on:
-  workflow_call:
-    inputs:
-      env_json:
-        required: true
-        type: string
-      bats-image:
-        required: true
-        type: string
-      cucumber-node-image:
-        required: true
-        type: string
-    secrets:
-      GITEA_TOKEN:
-        required: true
-      GIT_PAGES_PUBLISH_TOKEN:
-        required: true
-      DOCKER_USERNAME:
-        required: false
-      DOCKER_PASSWORD:
-        required: true
-
-env:
-  GITEA_API_URL: ${{ fromJson(inputs.env_json).GITEA_API_URL }}
-  GIT_PAGES_URL: ${{ fromJson(inputs.env_json).GIT_PAGES_URL }}
-  GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
-  GIT_PAGES_PUBLISH_TOKEN: ${{ secrets.GIT_PAGES_PUBLISH_TOKEN }}
-  REPO: ${{ github.repository }}
-  DOCKER_REGISTRY: ${{ fromJson(inputs.env_json).DOCKER_REGISTRY || '' }}
-  DOCKER_IMAGE_NAME: ${{ fromJson(inputs.env_json).DOCKER_IMAGE_NAME || '' }}
-  DOCKER_UI_URL: ${{ fromJson(inputs.env_json).DOCKER_UI_URL || '' }}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    outputs:
-      artifact_exists: ${{ steps.set-outputs.outputs.artifact_exists }}
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set Gitea status to PENDING
-        run: |
-          echo "===== gitea-ci-library - Check existing artifact | begin ====="
-          bash scripts/report-status.sh pending "Checking version..." ci-check
-
-      - name: Check existing artifact and calculate version
-        run: |
-          RAW_VERSION=$(jq -r '.version' package.json)
-          BASE_VERSION=$(echo "$RAW_VERSION" | cut -d'.' -f1-2)
-          echo "gitea-ci-library - Tunnistettu Major.Minor versio: $BASE_VERSION"
-
-          TAGS_JSON=$(curl -s -f -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
-            "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/tags")
-
-          TAG=$(echo "$TAGS_JSON" | jq -r 'if type == "array" then .[] | select(.commit.sha == "${{ github.sha }}") | .name else empty end' | head -1)
-
-          mkdir -p /tmp/build-ctx
-
-          if [ -n "$TAG" ]; then
-            echo "ARTIFACT_EXISTS=true" > /tmp/build-ctx/build.env
-            echo "NEXT_VERSION=$TAG" >> /tmp/build-ctx/build.env
-            echo "gitea-ci-library - Artefakti löytyi jo tagilla: $TAG."
-          else
-            echo "ARTIFACT_EXISTS=false" > /tmp/build-ctx/build.env
-            
-            HIGHEST_PATCH=$(echo "$TAGS_JSON" | jq -r --arg bv "$BASE_VERSION." '
-              if type == "array" then .[] | .name | select(startswith($bv)) | sub($bv; "") | tonumber else empty end' | sort -rn | head -1)
-
-            if [ -z "$HIGHEST_PATCH" ]; then NEXT_PATCH=0; else NEXT_PATCH=$((HIGHEST_PATCH + 1)); fi
-            FULL_VERSION="${BASE_VERSION}.${NEXT_PATCH}"
-            
-            echo "NEXT_VERSION=$FULL_VERSION" >> /tmp/build-ctx/build.env
-            echo "gitea-ci-library - Uusi vapaa versio: $FULL_VERSION"
-          fi
-
-      - name: Set job outputs
-        id: set-outputs
-        run: |
-          source /tmp/build-ctx/build.env
-          echo "artifact_exists=$ARTIFACT_EXISTS" >> "$GITHUB_OUTPUT"
-
-      - name: Upload build env artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: build-context
-          path: /tmp/build-ctx/build.env
-
-      - name: Set Gitea status to SUCCESS
-        if: success()
-        run: |
-          source /tmp/build-ctx/build.env
-          if [ "${ARTIFACT_EXISTS}" = "true" ]; then
-            bash scripts/report-status.sh success "Skip build: version $NEXT_VERSION exists" ci-check
-          else
-            bash scripts/report-status.sh success "Build version $NEXT_VERSION required" ci-check
-          fi
-
-      - name: Set Gitea status to FAILURE
-        if: failure()
-        run: bash scripts/report-status.sh failure "Check version FAILED" ci-check
-
-  # quality-gate:
-  #   needs: [check]
-  #   uses: niko/gitea-ci-library/.gitea/workflows/quality-gate.yml@main
-  #   secrets: inherit
-  #   with:
-  #     env_json: ${{ inputs.env_json }}
-  #     bats-image: ${{ inputs.bats-image }}
-  #     cucumber-node-image: ${{ inputs.cucumber-node-image }}
-
-  build:
-    runs-on: ubuntu-latest
-    # needs: [check, quality-gate]
-    needs: [check]
-    # Skipataan koko build jos artefakti löytyy jo
-    if: needs.check.outputs.artifact_exists != 'true'
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Download build env
-        uses: actions/download-artifact@v3
-        with:
-          name: build-context
-          path: /tmp/build-ctx
-
-      - name: Check if build needed
-        id: gatekeeper
-        run: |
-          source /tmp/build-ctx/build.env
-          if [ "${ARTIFACT_EXISTS}" = "true" ]; then
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "skip=false" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Set Gitea status to PENDING
-        if: steps.gatekeeper.outputs.skip == 'false'
-        run: |
-          echo "===== gitea-ci-library - Docker Build | begin ====="
-          bash scripts/report-status.sh pending "Building Docker image..." ci-docker-build
-
-      - name: Build container
-        if: steps.gatekeeper.outputs.skip == 'false'
-        run: |
-          source /tmp/build-ctx/build.env
-          NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
-          docker build \
-            --label "git.commit=${{ github.sha }}" \
-            --label "git.commitBy=${{ github.actor }}" \
-            --label "build.date=${NOW}" \
-            -t "${DOCKER_IMAGE_NAME}:${NEXT_VERSION}" .
-
-      - name: Report status SUCCESS
-        if: steps.gatekeeper.outputs.skip == 'false' && success()
-        run: |
-          source /tmp/build-ctx/build.env
-          bash scripts/report-status.sh success "Docker build $NEXT_VERSION OK" ci-docker-build
-
-      - name: Report status FAILURE
-        if: steps.gatekeeper.outputs.skip == 'false' && failure()
-        run: |
-          source /tmp/build-ctx/build.env
-          bash scripts/report-status.sh failure "Docker build $NEXT_VERSION FAILED" ci-docker-build
-
-      - name: Save Docker image
-        if: steps.gatekeeper.outputs.skip == 'false' && success()
-        run: |
-          source /tmp/build-ctx/build.env
-          mkdir -p /tmp/image
-          docker save "${DOCKER_IMAGE_NAME}:${NEXT_VERSION}" -o /tmp/image/artifact.tar
-
-      - name: Upload Docker image artifact
-        if: steps.gatekeeper.outputs.skip == 'false' && success()
-        uses: actions/upload-artifact@v3
-        with:
-          name: docker-image
-          path: /tmp/image/artifact.tar
-
-  push:
-    runs-on: ubuntu-latest
-    needs: [check, build]
-    if: needs.check.outputs.artifact_exists != 'true'
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Download build env
-        uses: actions/download-artifact@v3
-        with:
-          name: build-context
-          path: /tmp/build-ctx
-
-      - name: Verify Build Status
-        id: gatekeeper
-        run: |
-          BUILD_RESULT="${{ needs.build.result }}"
-          source /tmp/build-ctx/build.env
-          if [ "$BUILD_RESULT" != "success" ]; then
-            echo "gitea-ci-library - Edellinen vaihe epäonnistui. Keskeytetään." >&2
-            exit 1
-          fi
-          if [ "${ARTIFACT_EXISTS}" = "true" ]; then
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "skip=false" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Load saved Docker image
-        if: steps.gatekeeper.outputs.skip == 'false'
-        uses: actions/download-artifact@v3
-        with:
-          name: docker-image
-          path: /tmp/image
-
-      - name: Set Gitea status to PENDING
-        if: steps.gatekeeper.outputs.skip == 'false'
-        run: |
-          echo "===== gitea-ci-library - Docker Push | begin ====="
-          bash scripts/report-status.sh pending "Pushing to registry..." ci-docker-push
-
-      - name: Push to Docker Registry
-        if: steps.gatekeeper.outputs.skip == 'false'
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME || github.actor }}
-          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-        run: |
-          source /tmp/build-ctx/build.env
-          docker load -i /tmp/image/artifact.tar
-
-          REGISTRY="${DOCKER_REGISTRY:?DOCKER_REGISTRY not set in env.conf}"
-          IMAGE="${DOCKER_IMAGE_NAME:?DOCKER_IMAGE_NAME not set in env.conf}"
-          REGISTRY_HOST="${REGISTRY%%/*}"
-
-          FULL_IMAGE="${REGISTRY}/${IMAGE}:${NEXT_VERSION}"
-          echo "Pushing ${FULL_IMAGE} ..."
-
-          docker tag "${DOCKER_IMAGE_NAME}:${NEXT_VERSION}" "$FULL_IMAGE"
-          echo "$DOCKER_PASSWORD" | docker login "$REGISTRY_HOST" -u "$DOCKER_USERNAME" --password-stdin
-          docker push "$FULL_IMAGE"
-          docker logout "$REGISTRY_HOST"
-
-      - name: Report status SUCCESS
-        if: steps.gatekeeper.outputs.skip == 'false' && success()
-        run: |
-          source /tmp/build-ctx/build.env
-          CONTAINER_URL=""
-          if [ -n "${DOCKER_UI_URL:-}" ] && [ -n "${NEXT_VERSION:-}" ]; then
-            CONTAINER_URL="${DOCKER_UI_URL}/${NEXT_VERSION}"
-          fi
-          bash scripts/report-status.sh success "Docker push $NEXT_VERSION OK" ci-docker-push "" "$CONTAINER_URL"
-
-      - name: Report status FAILURE
-        if: steps.gatekeeper.outputs.skip == 'false' && failure()
-        run: |
-          source /tmp/build-ctx/build.env
-          bash scripts/report-status.sh failure "Docker push $NEXT_VERSION FAILED" ci-docker-push
-
-  tag-commit:
-    runs-on: ubuntu-latest
-    needs: [check, push]
-    if: needs.check.outputs.artifact_exists != 'true'
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Download build env
-        uses: actions/download-artifact@v3
-        with:
-          name: build-context
-          path: /tmp/build-ctx
-
-      - name: Verify Push Status
-        id: gatekeeper
-        run: |
-          PUSH_RESULT="${{ needs.push.result }}"
-          source /tmp/build-ctx/build.env
-          if [ "$PUSH_RESULT" != "success" ]; then
-            echo "gitea-ci-library - Push vaihe epäonnistui. Keskeytetään." >&2
-            exit 1
-          fi
-          if [ "${ARTIFACT_EXISTS}" = "true" ]; then
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "skip=false" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Set Gitea status to PENDING
-        if: steps.gatekeeper.outputs.skip == 'false'
-        run: |
-          echo "===== gitea-ci-library - Create Tag | begin ====="
-          bash scripts/report-status.sh pending "Creating tag..." ci-docker-tag
-
-      - name: Create git tag
-        if: steps.gatekeeper.outputs.skip == 'false'
-        env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
-          REPO: ${{ github.repository }}
-          SERVER_URL: ${{ gitea.server_url }}
-          RUN_NUMBER: ${{ github.run_number }}
-          SHA: ${{ github.sha }}
-        run: |
-          source /tmp/build-ctx/build.env
-          HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
-            "$SERVER_URL/api/v1/repos/$REPO/tags" \
-            -H "Authorization: token $GITEA_TOKEN" \
-            -H "Content-Type: application/json" \
-            -d "{\"tag_name\": \"$NEXT_VERSION\", \"message\": \"Build #$RUN_NUMBER\", \"target\": \"$SHA\"}")
-
-          if [ "$HTTP_CODE" = "201" ] || [ "$HTTP_CODE" = "409" ]; then
-            exit 0
-          else
-            exit 1
-          fi
-
-      - name: Report status SUCCESS
-        if: steps.gatekeeper.outputs.skip == 'false' && success()
-        run: |
-          source /tmp/build-ctx/build.env
-          bash scripts/report-status.sh success "Tag $NEXT_VERSION OK" ci-docker-tag
-
-      - name: Report status FAILURE
-        if: steps.gatekeeper.outputs.skip == 'false' && failure()
-        run: |
-          source /tmp/build-ctx/build.env
-          bash scripts/report-status.sh failure "Tag $NEXT_VERSION FAILED" ci-docker-tag
-
-  cleanup:
-    runs-on: ubuntu-latest
-    needs: [tag-commit]
-    if: always()
-    steps:
-      - name: Delete build artifacts
-        run: |
-          echo "Siivotaan artifactit..."
-          RUN_ID="${{ github.run_id }}"
-          REPO="${{ github.repository }}"
-          SERVER="${{ gitea.server_url }}"
-
-          # List artifacts for this run
-          ARTIFACTS=$(curl -s \
-            -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
-            "${SERVER}/api/v1/repos/${REPO}/actions/runs/${RUN_ID}/artifacts")
-
-          echo "Artifacts: $(echo "$ARTIFACTS" | jq -r '.artifacts | length') kpl"
-
-          # Delete each by name
-          echo "$ARTIFACTS" | jq -r '.artifacts[] | .name' | while IFS= read -r name; do
-            echo "Deleting: $name"
-            curl -s -X DELETE \
-              -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
-              "${SERVER}/api/v1/repos/${REPO}/actions/runs/${RUN_ID}/artifacts/${name}"
-            echo " -> deleted $name"
-          done

.gitea/workflows/check-version.yml

@@ -0,0 +1,64 @@
+name: Check Existing Artifact
+on:
+  workflow_call:
+    inputs:
+      env_json:
+        required: true
+        type: string
+    secrets:
+      GITEA_TOKEN:
+        required: true
+    outputs:
+      artifact_exists:
+        value: ${{ jobs.check.outputs.artifact_exists }}
+      version:
+        value: ${{ jobs.check.outputs.version }}
+
+env:
+  GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    outputs:
+      artifact_exists: ${{ steps.set-outputs.outputs.artifact_exists }}
+      version: ${{ steps.set-outputs.outputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check existing artifact and calculate version
+        run: |
+          RAW_VERSION=$(jq -r '.version' package.json)
+          BASE_VERSION=$(echo "$RAW_VERSION" | cut -d'.' -f1-2)
+          echo "gitea-ci-library - Tunnistettu Major.Minor versio: $BASE_VERSION"
+
+          TAGS_JSON=$(curl -s -f -H "Authorization: token $GITEA_TOKEN" \
+            "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/tags")
+
+          TAG=$(echo "$TAGS_JSON" | jq -r 'if type == "array" then .[] | select(.commit.sha == "${{ github.sha }}") | .name else empty end' | head -1)
+
+          mkdir -p /tmp/build-ctx
+
+          if [ -n "$TAG" ]; then
+            echo "ARTIFACT_EXISTS=true" > /tmp/build-ctx/build.env
+            echo "NEXT_VERSION=$TAG" >> /tmp/build-ctx/build.env
+            echo "gitea-ci-library - Artefakti löytyi jo tagilla: $TAG."
+          else
+            echo "ARTIFACT_EXISTS=false" > /tmp/build-ctx/build.env
+
+            HIGHEST_PATCH=$(echo "$TAGS_JSON" | jq -r --arg bv "$BASE_VERSION." '
+              if type == "array" then .[] | .name | select(startswith($bv)) | sub($bv; "") | tonumber else empty end' | sort -rn | head -1)
+
+            if [ -z "$HIGHEST_PATCH" ]; then NEXT_PATCH=0; else NEXT_PATCH=$((HIGHEST_PATCH + 1)); fi
+            FULL_VERSION="${BASE_VERSION}.${NEXT_PATCH}"
+
+            echo "NEXT_VERSION=$FULL_VERSION" >> /tmp/build-ctx/build.env
+            echo "gitea-ci-library - Uusi vapaa versio: $FULL_VERSION"
+          fi
+
+      - name: Set job outputs
+        id: set-outputs
+        run: |
+          source /tmp/build-ctx/build.env
+          echo "artifact_exists=$ARTIFACT_EXISTS" >> "$GITHUB_OUTPUT"
+          echo "version=$NEXT_VERSION" >> "$GITHUB_OUTPUT"

.gitea/workflows/ci.yml

@@ -1,34 +0,0 @@
-name: CI
-on:
-  push:
-    branches: ["**"]
-  workflow_dispatch:
-
-jobs:
-  load-config:
-    name: Load gitea-env.conf to pipeline env
-    uses: niko/gitea-ci-library/.gitea/workflows/config-provider.yml@main
-    with:
-      config_path: .gitea/workflows/gitea-env.conf
-
-  # feature:
-  #   name: Quality Gate
-  #   if: github.ref != 'refs/heads/main'
-  #   needs: [load-config]
-  #   uses: niko/gitea-ci-library/.gitea/workflows/quality-gate.yml@main
-  #   secrets: inherit
-  #   with:
-  #     env_json: ${{ needs.load-config.outputs.env_json }}
-  #     bats-image: bats/bats:latest
-  #     cucumber-node-image: node:22
-
-  main:
-    name: Build & Push Artifact
-    # if: github.ref == 'refs/heads/main'  # FIXME: väliaikainen — ajetaan tässä haarassa
-    needs: [load-config]
-    uses: niko/gitea-ci-library/.gitea/workflows/build_publish-artifact.yml@feature/docker-kuntoon
-    secrets: inherit
-    with:
-      env_json: ${{ needs.load-config.outputs.env_json }}
-      bats-image: bats/bats:latest
-      cucumber-node-image: node:22

.gitea/workflows/config-provider.yml

@@ -1,21 +1,41 @@
-name: Config Provider Library
+name: Config Provider
 on:
   workflow_call:
     inputs:
       config_path:
         required: true
         type: string
+    secrets:
+      GITEA_TOKEN:
+        required: true
+      GIT_PAGES_PUBLISH_TOKEN:
+        required: true
     outputs:
       env_json:
         value: ${{ jobs.parse-config.outputs.json_data }}
+      config_path:
+        value: ${{ jobs.parse-config.outputs.config_path }}
+
+env:
+  CI_CONF_FILE: ${{ inputs.config_path }}
+  GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+  GIT_PAGES_PUBLISH_TOKEN: ${{ secrets.GIT_PAGES_PUBLISH_TOKEN }}
 
 jobs:
   parse-config:
     runs-on: ubuntu-latest
     outputs:
       json_data: ${{ steps.convert.outputs.JSON_OUT }}
+      config_path: ${{ steps.set-path.outputs.CONFIG_PATH }}
     steps:
       - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          repository: niko/gitea-ci-library
+          path: .ci
+
+      - name: Validate CI config
+        run: bash .ci/scripts/ci-validate.sh
 
       - id: convert
         run: |
@@ -29,3 +49,6 @@ jobs:
 
           CLEAN_JSON=$(echo "$JSON_STRING" | jq -c .)
           echo "JSON_OUT=$CLEAN_JSON" >> "$GITHUB_OUTPUT"
+
+      - id: set-path
+        run: echo "CONFIG_PATH=${{ inputs.config_path }}" >> "$GITHUB_OUTPUT"

.gitea/workflows/docker-build-push.yml

@@ -0,0 +1,101 @@
+name: Docker Build & Push
+on:
+  workflow_call:
+    inputs:
+      env_json:
+        required: true
+        type: string
+      version:
+        required: true
+        type: string
+    secrets:
+      GITEA_TOKEN:
+        required: true
+      DOCKER_USERNAME:
+        required: false
+      DOCKER_PASSWORD:
+        required: true
+
+env:
+  GITEA_API_URL: ${{ fromJson(inputs.env_json).GITEA_API_URL }}
+  GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+  DOCKER_REGISTRY: ${{ fromJson(inputs.env_json).DOCKER_REGISTRY || '' }}
+  DOCKER_IMAGE_NAME: ${{ fromJson(inputs.env_json).DOCKER_IMAGE_NAME || '' }}
+  DOCKER_UI_URL: ${{ fromJson(inputs.env_json).DOCKER_UI_URL || '' }}
+  VERSION: ${{ inputs.version }}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          repository: niko/gitea-ci-library
+          path: .ci
+
+      - name: Build and push container
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME || github.actor }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+        run: |
+          NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+          docker build \
+            --label "git.commit=${{ github.sha }}" \
+            --label "git.commitBy=${{ github.actor }}" \
+            --label "build.date=${NOW}" \
+            -t "${DOCKER_IMAGE_NAME}:${VERSION}" .
+
+          REGISTRY="${DOCKER_REGISTRY:?DOCKER_REGISTRY not set in env.conf}"
+          IMAGE="${DOCKER_IMAGE_NAME:?DOCKER_IMAGE_NAME not set in env.conf}"
+          REGISTRY_HOST="${REGISTRY%%/*}"
+
+          FULL_IMAGE="${REGISTRY}/${IMAGE}:${VERSION}"
+          echo "Pushing ${FULL_IMAGE} ..."
+
+          docker tag "${DOCKER_IMAGE_NAME}:${VERSION}" "$FULL_IMAGE"
+          echo "$DOCKER_PASSWORD" | docker login "$REGISTRY_HOST" -u "$DOCKER_USERNAME" --password-stdin
+          docker push "$FULL_IMAGE"
+          docker logout "$REGISTRY_HOST"
+
+      - name: Report status SUCCESS
+        if: success()
+        run: |
+          CONTAINER_URL=""
+          if [ -n "${DOCKER_UI_URL:-}" ] && [ -n "${VERSION:-}" ]; then
+            CONTAINER_URL="${DOCKER_UI_URL}/${VERSION}"
+          fi
+          bash .ci/scripts/report-status.sh success "Docker build & push ${VERSION} OK" ci-docker-build-push "" "$CONTAINER_URL"
+
+      - name: Report status FAILURE
+        if: failure()
+        run: bash .ci/scripts/report-status.sh failure "Docker build & push ${VERSION} FAILED" ci-docker-build-push
+
+  tag-commit:
+    runs-on: ubuntu-latest
+    needs: [build-push]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Create git tag
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          SERVER_URL: ${{ gitea.server_url }}
+          RUN_NUMBER: ${{ github.run_number }}
+          SHA: ${{ github.sha }}
+        run: |
+          HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
+            "$SERVER_URL/api/v1/repos/${{ github.repository }}/tags" \
+            -H "Authorization: token $GITEA_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d "{\"tag_name\": \"${VERSION}\", \"message\": \"Build #$RUN_NUMBER\", \"target\": \"$SHA\"}")
+
+          if [ "$HTTP_CODE" = "201" ] || [ "$HTTP_CODE" = "409" ]; then
+            exit 0
+          else
+            exit 1
+          fi

.gitea/workflows/example-bats-tests.yml

@@ -0,0 +1,64 @@
+name: Bats Tests
+on:
+  workflow_call:
+    inputs:
+      env_json:
+        required: true
+        type: string
+      bats-image:
+        required: true
+        type: string
+    secrets:
+      GITEA_TOKEN:
+        required: true
+      GIT_PAGES_PUBLISH_TOKEN:
+        required: true
+
+env:
+  GITEA_API_URL: ${{ fromJson(inputs.env_json).GITEA_API_URL }}
+  GIT_PAGES_URL: ${{ fromJson(inputs.env_json).GIT_PAGES_URL }}
+  GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+  GIT_PAGES_PUBLISH_TOKEN: ${{ secrets.GIT_PAGES_PUBLISH_TOKEN }}
+
+jobs:
+  bats:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          repository: niko/gitea-ci-library
+          path: .ci
+
+      - name: Run bats tests
+        id: bats-tests
+        shell: bash
+        run: |
+          docker volume create bats-workspace
+          tar c . | docker run --rm -i -v bats-workspace:/data alpine tar x -C /data
+          mkdir -p "reports/${GITHUB_SHA:0:8}/bats"
+          set +e
+          docker run --rm \
+            -v bats-workspace:/data \
+            --entrypoint bash ${{ inputs.bats-image }} \
+            -c 'apk add -q lsof python3 jq curl ruby && cd /data && gem install bashcov -v 3.3.0 2>&1 | tail -1 && bashcov -- bats tests/' \
+            > "reports/${GITHUB_SHA:0:8}/bats/results.txt" 2>&1
+          BATS_EXIT=$?
+          bash .ci/.gitea/scripts/bats-coverage.sh bats-workspace "reports/${GITHUB_SHA:0:8}/bats"
+          docker volume rm bats-workspace > /dev/null 2>&1
+          bash .ci/.gitea/scripts/bats-report.sh "reports/${GITHUB_SHA:0:8}/bats"
+          echo "BATS_EXIT=${BATS_EXIT}" >> "${GITHUB_ENV}"
+          exit ${BATS_EXIT}
+
+      - name: Publish bats reports
+        if: always()
+        run: bash .ci/scripts/publish-git-pages.sh bats
+
+      - name: Report status
+        if: always()
+        run: |
+          if [ "${BATS_EXIT}" = "0" ]; then
+            bash .ci/scripts/report-status.sh success "Link to Bats reports" unit-tests bats
+          else
+            bash .ci/scripts/report-status.sh failure "Link to Bats reports" unit-tests bats
+          fi

.gitea/workflows/example-cucumber-tests.yml

@@ -0,0 +1,70 @@
+name: Cucumber Tests
+on:
+  workflow_call:
+    inputs:
+      env_json:
+        required: true
+        type: string
+      cucumber-node-image:
+        required: true
+        type: string
+    secrets:
+      GITEA_TOKEN:
+        required: true
+      GIT_PAGES_PUBLISH_TOKEN:
+        required: true
+
+env:
+  GITEA_API_URL: ${{ fromJson(inputs.env_json).GITEA_API_URL }}
+  GIT_PAGES_URL: ${{ fromJson(inputs.env_json).GIT_PAGES_URL }}
+  GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+  GIT_PAGES_PUBLISH_TOKEN: ${{ secrets.GIT_PAGES_PUBLISH_TOKEN }}
+
+jobs:
+  cucumber:
+    runs-on: ubuntu-latest
+    container:
+      image: ${{ inputs.cucumber-node-image }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          repository: niko/gitea-ci-library
+          path: .ci
+
+      - name: Run cucumber tests
+        id: cucumber-tests
+        shell: bash
+        run: |
+          apt-get update -qq && apt-get install -y -qq --no-install-recommends lsof jq
+          npm install @cucumber/cucumber > /dev/null 2>&1
+          mkdir -p "reports/${GITHUB_SHA:0:8}/cucumber"
+          set +e
+          npx cucumber-js \
+            --format json:"reports/${GITHUB_SHA:0:8}/cucumber/report.json" \
+            --format html:"reports/${GITHUB_SHA:0:8}/cucumber/index.html" 2>&1
+          CUCUMBER_EXIT=$?
+          echo "CUCUMBER_EXIT=${CUCUMBER_EXIT}" >> "${GITHUB_ENV}"
+          exit ${CUCUMBER_EXIT}
+
+      - name: Publish cucumber reports
+        if: always()
+        run: bash .ci/scripts/publish-git-pages.sh cucumber
+
+      - name: Report status
+        if: always()
+        shell: bash
+        run: |
+          if [ "${CUCUMBER_EXIT}" = "0" ]; then
+            if [ -f "reports/${GITHUB_SHA:0:8}/cucumber/index.html" ]; then
+              bash .ci/scripts/report-status.sh success "Link to Cucumber reports" acc-tests cucumber
+            else
+              bash .ci/scripts/report-status.sh success "Link to Cucumber reports" acc-tests
+            fi
+          else
+            if [ -f "reports/${GITHUB_SHA:0:8}/cucumber/index.html" ]; then
+              bash .ci/scripts/report-status.sh failure "Link to Cucumber reports" acc-tests cucumber
+            else
+              bash .ci/scripts/report-status.sh failure "Link to Cucumber reports" acc-tests
+            fi
+          fi

.gitea/workflows/example-feature.yml

@@ -0,0 +1,42 @@
+name: CI Feature
+on:
+  push:
+    branches-ignore:
+      - feature/docker-kuntoon
+      - main
+  workflow_dispatch:
+
+jobs:
+  load-config:
+    name: Load example-gitea-env.conf to pipeline env
+    uses: niko/gitea-ci-library/.gitea/workflows/config-provider.yml@feature/docker-kuntoon
+    secrets: inherit
+    with:
+      config_path: .gitea/workflows/example-gitea-env.conf
+
+  bats:
+    name: Bats tests
+    needs: [load-config]
+    uses: niko/gitea-ci-library/.gitea/workflows/example-bats-tests.yml@feature/docker-kuntoon
+    secrets: inherit
+    with:
+      env_json: ${{ needs.load-config.outputs.env_json }}
+      bats-image: bats/bats:latest
+
+  cucumber:
+    name: Cucumber tests
+    needs: [load-config]
+    uses: niko/gitea-ci-library/.gitea/workflows/example-cucumber-tests.yml@feature/docker-kuntoon
+    secrets: inherit
+    with:
+      env_json: ${{ needs.load-config.outputs.env_json }}
+      cucumber-node-image: node:22
+
+  report-summary:
+    name: Report Summary
+    needs: [load-config, bats, cucumber]
+    if: always()
+    uses: niko/gitea-ci-library/.gitea/workflows/example-report-summary.yml@feature/docker-kuntoon
+    with:
+      env_json: ${{ needs.load-config.outputs.env_json }}
+      suites: bats cucumber

.gitea/workflows/example-main.yml

@@ -0,0 +1,62 @@
+name: CI Main
+on:
+  push:
+    branches:
+      - feature/docker-kuntoon
+      - main
+  workflow_dispatch:
+
+jobs:
+  load-config:
+    name: Load example-gitea-env.conf to pipeline env
+    uses: niko/gitea-ci-library/.gitea/workflows/config-provider.yml@feature/docker-kuntoon
+    secrets: inherit
+    with:
+      config_path: .gitea/workflows/example-gitea-env.conf
+
+  check-version:
+    name: Check existing artifact
+    needs: [load-config]
+    uses: niko/gitea-ci-library/.gitea/workflows/check-version.yml@feature/docker-kuntoon
+    secrets: inherit
+    with:
+      env_json: ${{ needs.load-config.outputs.env_json }}
+
+  bats:
+    name: Bats tests
+    needs: [load-config, check-version]
+    if: needs.check-version.outputs.artifact_exists != 'true'
+    uses: niko/gitea-ci-library/.gitea/workflows/example-bats-tests.yml@feature/docker-kuntoon
+    secrets: inherit
+    with:
+      env_json: ${{ needs.load-config.outputs.env_json }}
+      bats-image: bats/bats:latest
+
+  cucumber:
+    name: Cucumber tests
+    needs: [load-config, check-version]
+    if: needs.check-version.outputs.artifact_exists != 'true'
+    uses: niko/gitea-ci-library/.gitea/workflows/example-cucumber-tests.yml@feature/docker-kuntoon
+    secrets: inherit
+    with:
+      env_json: ${{ needs.load-config.outputs.env_json }}
+      cucumber-node-image: node:22
+
+  report-summary:
+    name: Report Summary
+    needs: [load-config, bats, cucumber]
+    if: always()
+    uses: niko/gitea-ci-library/.gitea/workflows/example-report-summary.yml@feature/docker-kuntoon
+    with:
+      env_json: ${{ needs.load-config.outputs.env_json }}
+      suites: bats cucumber
+
+  build-push:
+    name: Build & Push Docker
+    needs: [load-config, check-version, bats, cucumber]
+    if: needs.check-version.outputs.artifact_exists != 'true'
+    uses: niko/gitea-ci-library/.gitea/workflows/docker-build-push.yml@feature/docker-kuntoon
+    secrets: inherit
+    with:
+      env_json: ${{ needs.load-config.outputs.env_json }}
+      version: ${{ needs.check-version.outputs.version }}

.gitea/workflows/example-report-summary.yml

@@ -0,0 +1,34 @@
+name: Report Summary
+on:
+  workflow_call:
+    inputs:
+      env_json:
+        required: true
+        type: string
+      suites:
+        required: true
+        type: string
+        description: Space-separated suite names published to git-pages
+
+env:
+  GIT_PAGES_URL: ${{ fromJson(inputs.env_json).GIT_PAGES_URL }}
+
+jobs:
+  summary:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate report links
+        shell: bash
+        run: |
+          SHA8="${GITHUB_SHA:0:8}"
+          BASE="${GIT_PAGES_URL}/${GITHUB_REPOSITORY}/reports/${SHA8}"
+
+          {
+            echo "## Test Reports"
+            echo ""
+            echo "| Suite | Report |"
+            echo "|-------|--------|"
+            for suite in ${{ inputs.suites }}; do
+              echo "| ${suite} | [View report](${BASE}/${suite}/) |"
+            done
+          } >> "${GITHUB_STEP_SUMMARY}"

.gitea/workflows/quality-gate.yml

@@ -1,173 +0,0 @@
-name: Quality Gate
-on:
-  workflow_call:
-    inputs:
-      env_json:
-        required: true
-        type: string
-      bats-image:
-        required: true
-        type: string
-      cucumber-node-image:
-        required: true
-        type: string
-    secrets:
-      GITEA_TOKEN:
-        required: true
-      GIT_PAGES_PUBLISH_TOKEN:
-        required: true
-
-env:
-  GITEA_API_URL: ${{ fromJson(inputs.env_json).GITEA_API_URL }}
-  GIT_PAGES_URL: ${{ fromJson(inputs.env_json).GIT_PAGES_URL }}
-  GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
-  GIT_PAGES_PUBLISH_TOKEN: ${{ secrets.GIT_PAGES_PUBLISH_TOKEN }}
-
-jobs:
-  validate:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/checkout@v4
-        with:
-          repository: niko/gitea-ci-library
-          path: .ci
-
-      - name: Pending
-        run: bash .ci/scripts/report-status.sh pending "Validating CI config..." ci-validate
-
-      - name: Validate CI config
-        id: validate
-        run: bash .ci/scripts/ci-validate.sh
-
-      - name: Report status
-        if: always()
-        run: |
-          if [ "${{ steps.validate.outcome }}" = "success" ]; then
-            bash .ci/scripts/report-status.sh success "CI config valid" ci-validate
-          else
-            bash .ci/scripts/report-status.sh failure "CI validation FAILED" ci-validate
-            exit 1
-          fi
-
-  bats:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/checkout@v4
-        with:
-          repository: niko/gitea-ci-library
-          path: .ci
-
-      - name: Pending
-        run: bash .ci/scripts/report-status.sh pending "Running Bats tests..." ci-bats
-
-      - name: Run bats tests
-        id: bats-tests
-        shell: bash
-        run: |
-          docker volume create bats-workspace
-          tar c . | docker run --rm -i -v bats-workspace:/data alpine tar x -C /data
-          mkdir -p "reports/${GITHUB_SHA:0:8}/bats"
-          set +e
-          docker run --rm \
-            -v bats-workspace:/data \
-            --entrypoint bash ${{ inputs.bats-image }} \
-            -c 'apk add -q lsof python3 jq curl ruby && cd /data && gem install bashcov -v 3.3.0 2>&1 | tail -1 && bashcov -- bats tests/' \
-            > "reports/${GITHUB_SHA:0:8}/bats/results.txt" 2>&1
-          BATS_EXIT=$?
-          bash .ci/.gitea/scripts/bats-coverage.sh bats-workspace "reports/${GITHUB_SHA:0:8}/bats"
-          docker volume rm bats-workspace > /dev/null 2>&1
-          bash .ci/.gitea/scripts/bats-report.sh "reports/${GITHUB_SHA:0:8}/bats"
-          echo "BATS_EXIT=${BATS_EXIT}" >> "${GITHUB_ENV}"
-          exit ${BATS_EXIT}
-
-      - name: Publish bats reports
-        if: always()
-        run: bash .ci/scripts/publish-git-pages.sh bats
-
-      - name: Report status
-        if: always()
-        run: |
-          if [ "${BATS_EXIT}" = "0" ]; then
-            bash .ci/scripts/report-status.sh success "Bats tests OK" ci-bats bats
-          else
-            bash .ci/scripts/report-status.sh failure "Bats tests FAILED" ci-bats bats
-          fi
-
-  cucumber:
-    runs-on: ubuntu-latest
-    container:
-      image: ${{ inputs.cucumber-node-image }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/checkout@v4
-        with:
-          repository: niko/gitea-ci-library
-          path: .ci
-
-      - name: Pending
-        run: bash .ci/scripts/report-status.sh pending "Running Cucumber tests..." ci-cucumber
-
-      - name: Run cucumber tests
-        id: cucumber-tests
-        shell: bash
-        run: |
-          apt-get update -qq && apt-get install -y -qq --no-install-recommends lsof jq
-          npm install @cucumber/cucumber > /dev/null 2>&1
-          mkdir -p "reports/${GITHUB_SHA:0:8}/cucumber"
-          set +e
-          npx cucumber-js \
-            --format json:"reports/${GITHUB_SHA:0:8}/cucumber/report.json" \
-            --format html:"reports/${GITHUB_SHA:0:8}/cucumber/index.html" 2>&1
-          CUCUMBER_EXIT=$?
-          echo "CUCUMBER_EXIT=${CUCUMBER_EXIT}" >> "${GITHUB_ENV}"
-          exit ${CUCUMBER_EXIT}
-
-      - name: Publish cucumber reports
-        if: always()
-        run: bash .ci/scripts/publish-git-pages.sh cucumber
-
-      - name: Report status
-        if: always()
-        run: |
-          if [ "${CUCUMBER_EXIT}" = "0" ]; then
-            if [ -f "reports/${GITHUB_SHA:0:8}/cucumber/index.html" ]; then
-              bash .ci/scripts/report-status.sh success "Cucumber tests OK" ci-cucumber cucumber
-            else
-              bash .ci/scripts/report-status.sh success "Cucumber tests OK" ci-cucumber
-            fi
-          else
-            if [ -f "reports/${GITHUB_SHA:0:8}/cucumber/index.html" ]; then
-              bash .ci/scripts/report-status.sh failure "Cucumber tests FAILED" ci-cucumber cucumber
-            else
-              bash .ci/scripts/report-status.sh failure "Cucumber tests FAILED" ci-cucumber
-            fi
-          fi
-
-  build:
-    runs-on: ubuntu-latest
-    needs: [bats, cucumber]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/checkout@v4
-        with:
-          repository: niko/gitea-ci-library
-          path: .ci
-
-      - name: Pending
-        run: bash .ci/scripts/report-status.sh pending "Generating report index..." ci-build
-
-      - name: Generate report index
-        id: report-index
-        run: bash .ci/.gitea/scripts/generate-report-index.sh
-
-      - name: Report status
-        if: always()
-        run: |
-          if [ "${{ steps.report-index.outcome }}" = "success" ]; then
-            bash .ci/scripts/report-status.sh success "Build complete" ci-build
-          else
-            bash .ci/scripts/report-status.sh failure "Build FAILED" ci-build
-            exit 1
-          fi

docs/adr/0007-status-reporting-pattern.md

@@ -0,0 +1,85 @@
+# 7. Statusraportoinnin pattern
+
+## Päätös
+
+Gitea Actionsin natiivi job-status on ensisijainen. Commit-status API:a
+(`report-status.sh`) käytetään **vain** kun työvaihe tuottaa ulkoisen linkin
+(testiraportti, Docker registry), jota natiivistaatus ei tue.
+
+### Tool-jobit (validate, check-version, tag-commit)
+
+Ei API-kutsuja. Luotetaan Gitean omaan job-statukseen.
+
+```yaml
+- uses: actions/checkout@v4
+
+- name: Do work
+  run: do-something
+```
+
+### Test-jobit (bats, cucumber)
+
+API:a käytetään raporttilinkin upottamiseksi commit-näkymään.
+
+```
+testit → publish (always) → status (always, exit-koodin mukaan)
+```
+
+```yaml
+- name: Run tests
+  shell: bash
+  run: |
+    run-tests
+    EXIT=$?
+    echo "EXIT=${EXIT}" >> "${GITHUB_ENV}"
+    exit ${EXIT}
+
+- name: Publish reports
+  if: always()
+  run: bash .ci/scripts/publish-git-pages.sh bats
+
+- name: Report status
+  if: always()
+  shell: bash
+  run: |
+    if [ "${EXIT}" = "0" ]; then
+      bash .ci/scripts/report-status.sh success "Link to Bats reports" unit-tests bats
+    else
+      bash .ci/scripts/report-status.sh failure "Link to Bats reports" unit-tests bats
+    fi
+```
+
+### Build & push -jobit (docker-build-push)
+
+API:a käytetään Docker registry -linkin upottamiseksi.
+
+```
+build → push → SUCCESS (registry-linkillä) / FAILURE
+```
+
+## Periaatteet
+
+1. Gitea Actionsin natiivi job-status on ensisijainen — myös PENDING/Running-tila
+   tulee natiivisti. API:a käytetään vain custom-linkin tarpeeseen (ADR 0004).
+2. `run`-komennon on nostettava virhe ylös — oli kyse tool-callista tai
+   testivirheestä (ADR 0008).
+3. Test-jobit käyttävät `if: always()` publish- ja status-stepeissä — raportti
+   julkaistaan ja status asetetaan aina, riippumatta testin lopputuloksesta.
+4. Testiraportit julkaistaan myös virhetilanteessa, mikäli ne ovat syntyneet.
+5. Commit-statuksen duplikaatio natiivijob-statuksen kanssa hyväksytään
+   testijobeille — se on ainoa mekanismi upottaa raporttilinkki commit-näkymään.
+6. Tool-jobit eivät käytä API:a lainkaan — ne luottavat Gitean natiiviin
+   job-statukseen.
+
+## Tausta
+
+Aiemmin commit-status API:a käytettiin jokaisessa työvaiheessa, myös niissä
+joilla ei ollut raporttia linkitettäväksi (validate, check-version, tag-commit).
+Tämä tuotti duplikaatiota: Gitea näytti sekä natiivin `CI Main / Validate CI config
+Successful` että API-statuksen `ci-validate CI config valid`. Kehittäjälle
+molemmat kertoivat saman asian.
+
+Käytännön pakko kuitenkin pakottaa API:n käyttöön testijobeissa: ilman
+raporttilinkkiä kukaan ei löydä testituloksia. Gitean natiivi job-status
+linkittää aina jobin lokiin — ei ulkoiseen raporttiin. Tämä on paras
+saatavilla oleva kompromissi.

docs/adr/0008-exit-code.md

@@ -0,0 +1,73 @@
+# 8. Exit code — ainoa onnistumisen mittari
+
+## Päätös
+
+Jokaisen `run`-stepin on nostettava virheellinen exit-koodi ylös sellaisenaan.
+Exit-koodia ei saa "syödä" missään tilanteessa. Onnistumisen ja epäonnistumisen
+päättely tapahtuu **ainoastaan** exit-koodin perusteella — ei tiedostojen
+olemassaolon, stdout-tulosteen tai minkään muun heuristiikan perusteella.
+
+## Periaatteet
+
+1. Exit-koodi on ainoa totuus. `0` = onnistui, kaikki muut = epäonnistui.
+2. Exit-koodia ei saa syödä. Pipe (`|`) viimeisenä komentona `tee`:hen syö
+   exit-koodin — `docker run … | tee file` palauttaa aina 0.
+3. Data transfer -pipet ovat sallittuja (`tar c . | docker run … tar x`),
+   koska niiden exit-koodilla ei ole semanttista merkitystä.
+4. Testien tai työkalujen ajaminen ei saa päättyä pipeen.
+5. `set -o pipefail` ei ole riittävä suojaus — PIPESTATUS resetoituu herkästi.
+
+## Sallitut patternit
+
+```yaml
+# Oikein: suora ajo, exit koodi $?:iin
+- name: Do work
+  run: |
+    some-command
+    EXIT=$?
+    echo "EXIT=${EXIT}" >> "${GITHUB_ENV}"
+    exit ${EXIT}
+
+# Oikein: stdout talteen ilman pipeä
+- name: Do work
+  run: |
+    some-command > results.txt 2>&1
+    EXIT=$?
+    echo "EXIT=${EXIT}" >> "${GITHUB_ENV}"
+    exit ${EXIT}
+
+# Oikein: docker run ilman pipeä
+- name: Run in container
+  run: |
+    docker run --rm image command > output.txt 2>&1
+    EXIT=$?
+    exit ${EXIT}
+```
+
+## Kielletyt patternit
+
+```yaml
+# Väärin: pipe syö exit-koodin
+- run: docker run … | tee results.txt
+
+# Väärin: pipe syö exit-koodin
+- run: tar … | docker … | tee file
+
+# Väärin: onnistumisen päättely tiedoston olemassaolosta
+- run: |
+    some-command || true
+    [ -f success.txt ] && exit 0 || exit 1
+```
+
+## Tausta
+
+Gitea Actionsissa `run`-stepin tila määräytyy viimeisen komennon exit-koodista.
+Pipe (`|`) asettaa `$?`:ksi viimeisen komennon tuloksen — jos viimeinen komento
+on `tee`, tulos on aina 0 riippumatta siitä mitä aiemmat komennot palauttivat.
+
+Tämä on aiheuttanut tuotannossa tilanteita, joissa testit feilasivat mutta jobi
+näytti vihreää, koska `tee` söi exit-koodin. Virhe havaittiin vasta kun raportteja
+alettiin lukea manuaalisesti — commit-status valehteli.
+
+Ratkaisu on yksiselitteinen: exit-koodi talteen `$?`-muuttujaan ennen kuin mikään
+muu komento ehtii muuttaa sitä, ja stepin viimeinen komento on aina `exit ${EXIT}`.