bash -> sh

Co-authored-by: moilanik <niko.moilanen@tietoevry.com>
Reviewed-on: #33

.gitea/workflows/ci-container-build-push.yml

@@ -33,7 +33,9 @@ jobs:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME || github.actor }}
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
         run: |
-          REGISTRY="${DOCKER_REGISTRY:?DOCKER_REGISTRY not set in conf}"
+          if [ -z "${DOCKER_REGISTRY}" ]; then echo "ERROR: DOCKER_REGISTRY not set in conf"; exit 1; fi
+          REGISTRY="${DOCKER_REGISTRY}"
+          REGISTRY_HOST="${REGISTRY%%/*}"
           DOCKERFILE="${{ inputs.dockerfile_path }}"
           IMAGE_NAME="${{ inputs.image_name }}"
           TAG="${{ inputs.tag }}"
@@ -46,8 +48,6 @@ jobs:
             -f "${DOCKERFILE}" \
             -t "${IMAGE_NAME}:${TAG}" .
 
-          REGISTRY_HOST="${REGISTRY%%/*}"
-
           FULL_IMAGE="${REGISTRY}/${IMAGE_NAME}:${TAG}"
           echo "Pushing ${FULL_IMAGE} ..."
 

.gitea/workflows/docker-build-push.yml

@@ -45,29 +45,31 @@ jobs:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME || github.actor }}
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
         run: |
+          if [ -z "${DOCKER_REGISTRY}" ]; then echo "ERROR: DOCKER_REGISTRY not set in env.conf"; exit 1; fi
+          if [ -z "${DOCKER_IMAGE_NAME}" ]; then echo "ERROR: DOCKER_IMAGE_NAME not set in env.conf"; exit 1; fi
+          REGISTRY="${DOCKER_REGISTRY}"
+          IMAGE="${DOCKER_IMAGE_NAME}"
+          REGISTRY_HOST="${REGISTRY%%/*}"
+
           NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
           docker build \
             --label "git.commit=${{ github.sha }}" \
             --label "git.commitBy=${{ github.actor }}" \
             --label "build.date=${NOW}" \
             -f "${DOCKERFILE}" \
-            -t "${DOCKER_IMAGE_NAME}:${VERSION}" \
-            -t "${DOCKER_IMAGE_NAME}:latest" .
-
-          REGISTRY="${DOCKER_REGISTRY:?DOCKER_REGISTRY not set in env.conf}"
-          IMAGE="${DOCKER_IMAGE_NAME:?DOCKER_IMAGE_NAME not set in env.conf}"
-          REGISTRY_HOST="${REGISTRY%%/*}"
+            -t "${IMAGE}:${VERSION}" \
+            -t "${IMAGE}:latest" .
 
           FULL_IMAGE="${REGISTRY}/${IMAGE}:${VERSION}"
           echo "Pushing ${FULL_IMAGE} ..."
 
-          docker tag "${DOCKER_IMAGE_NAME}:${VERSION}" "$FULL_IMAGE"
+          docker tag "${IMAGE}:${VERSION}" "$FULL_IMAGE"
           echo "$DOCKER_PASSWORD" | docker login "$REGISTRY_HOST" -u "$DOCKER_USERNAME" --password-stdin
           docker push "$FULL_IMAGE"
 
           FULL_LATEST="${REGISTRY}/${IMAGE}:latest"
           echo "Pushing ${FULL_LATEST} ..."
-          docker tag "${DOCKER_IMAGE_NAME}:latest" "$FULL_LATEST"
+          docker tag "${IMAGE}:latest" "$FULL_LATEST"
           docker push "$FULL_LATEST"
 
           docker logout "$REGISTRY_HOST"

.gitea/workflows/git-pages.ci-main.yml

@@ -3,7 +3,6 @@ on:
   push:
     branches:
       - main
-      - feature/helm-chart
     paths:
       - git-pages/**
       - .gitea/workflows/helm-build-push.yml

.gitea/workflows/helm-build-push.yml

@@ -39,6 +39,12 @@ jobs:
     container:
       image: alpine/helm:3.19.0
     steps:
+      - name: Install Node.js for actions/checkout
+        # COMPROMISE: Requires internet access.
+        # Does NOT work in air-gapped environments.
+        # Replace with a custom image (e.g., extending alpine/helm + nodejs) if needed.
+        run: apk add --no-cache nodejs
+
       - uses: actions/checkout@v4
       - uses: actions/checkout@v4
         with:
@@ -47,6 +53,7 @@ jobs:
 
       - name: Package Helm chart
         run: |
+          helm dependency update "${CHART_PATH}"
           helm package "${CHART_PATH}" \
             --version "${VERSION}" \
             --app-version "${VERSION}" \

docs/workflows.md

@@ -63,15 +63,77 @@ checkout → laske versio package.json + git-tageista → output
 
 **Trigger:** `workflow_call`
 
-**Inputs:** `env_json`, `version`
+**Inputs:**
+
+| Parametri | Pakollinen | Kuvaus |
+|-----------|------------|--------|
+| `env_json` | Kyllä | Konffi `gitea-env.conf`:stä |
+| `version` | Kyllä | Version string (check-version output) |
+
+**`env_json`-avaimet:**
+
+| Avain | Pakollinen | Kuvaus |
+|-------|------------|--------|
+| `DOCKER_REGISTRY` | Kyllä | Registry (esim. `gitea.app.keskikuja.site/niko`) |
+| `DOCKER_IMAGE_NAME` | Kyllä | Kuvan nimi ilman registry-polkua |
+| `DOCKER_UI_URL` | Ei | Registry UI -linkki raportointia varten |
+| `DOCKERFILE` | Ei | Dockerfile-polku, oletus `Dockerfile` |
+| `GITEA_API_URL` | Kyllä | Gitean API-URL |
+| `GIT_TAG_PREFIX` | Ei | Tag-prefix (esim. `docker/`) |
 
 **Secrets:** `GITEA_TOKEN`, `DOCKER_USERNAME`, `DOCKER_PASSWORD`
 
 **Steppi-kaavio:**
 ```
-build-push (build + push samassa jobissa, ei levyn kautta) → tag-commit
+build-push (build + push, labelit: commit+date) → tag-commit (git-tagin luonti)
 ```
 
+**Huomio:** Ei käytä `container:`-direktiiviä — ajaa suoraan runnerilla,
+joten `actions/checkout` toimii ilman node-asennuksia.
+
+---
+
+### `helm-build-push.yml` — Helm chart build & push
+
+**Trigger:** `workflow_call`
+
+**Inputs:**
+
+| Parametri | Pakollinen | Kuvaus |
+|-----------|------------|--------|
+| `env_json` | Kyllä | Konffi `gitea-env.conf`:stä |
+| `version` | Kyllä | Version string (check-version output) |
+| `chart_path` | Ei | Polku Chart.yaml-hakemistoon, oletus `.` |
+
+**`env_json`-avaimet:**
+
+| Avain | Pakollinen | Kuvaus |
+|-------|------------|--------|
+| `HELM_REGISTRY` | Kyllä | OCI-registry (esim. `gitea.app.keskikuja.site/niko`) |
+| `HELM_UI_URL` | Ei | Registry UI -linkki raportointia varten |
+| `GITEA_API_URL` | Kyllä | Gitean API-URL |
+| `GIT_TAG_PREFIX` | Ei | Tag-prefix (esim. `helm/`) |
+
+**Secrets:** `GITEA_TOKEN`, `HELM_USER`, `HELM_PASSWORD`
+
+**Steppi-kaavio:**
+```
+build-push (helm package → helm push OCI) → tag-commit (git-tagin luonti)
+```
+
+**Steppien kuvaus `build-push`-jobissa:**
+1. **Node.js-asennus** — `apk add --no-cache nodejs` (vaaditaan `actions/checkout`-actionia varten)
+2. **Checkout** — sovellusrepo ja gitea-ci-library `.ci/`-polkuun
+3. **Package** — `helm package` versiolla `$VERSION`
+4. **Push OCI** — `helm push` registryyn autentikoinnilla
+5. **Report status** — commit-status + UI-linkki
+
+**Kompromissi:** Kontti `alpine/helm` ei sisällä node.js:ää, mutta
+`actions/checkout@v4` on JavaScript-action ja vaatii sen. Siksi nodejs
+asennetaan lennossa ennen checkouttia. Tämä vaatii internet-yhteyden
+eikä toimi air gap -ympäristössä. Korvaa tarvittaessa custom-kontilla
+(jossa helm + nodejs, ks. `skills/ci-container-build/SKILL.md`).
+
 ---
 
 ## Consumer-esimerkki (`example-*`)

scripts/check-version.sh

@@ -4,7 +4,7 @@ set -e
 RAW_VERSION=""
 
 if [ -n "${VERSION_FILE-}" ] && [ -f "${VERSION_FILE-}" ]; then
-  RAW_VERSION=$(sed -n 's/^version:[[:space:]]*\([^[:space:]]*\).*/\1/p' "${VERSION_FILE}")
+  RAW_VERSION=$(tr -d "$(printf '\xef\xbb\xbf')" < "${VERSION_FILE}" | sed -n 's/^version:[[:space:]]*\([^[:space:]]*\).*/\1/p')
   if [ -z "${RAW_VERSION}" ]; then
     if echo "${VERSION_FILE}" | grep -q -E '\.json$'; then
       RAW_VERSION=$(jq -r '.version' "${VERSION_FILE}")
@@ -22,7 +22,7 @@ if [ -z "${RAW_VERSION}" ]; then
   elif [ -f pom.xml ]; then
     RAW_VERSION=$(grep -oP '<version>\K[^<]+' pom.xml | head -1)
   elif [ -f Chart.yaml ]; then
-    RAW_VERSION=$(sed -n 's/^version:[[:space:]]*\([^[:space:]]*\).*/\1/p' Chart.yaml)
+    RAW_VERSION=$(tr -d "$(printf '\xef\xbb\xbf')" < Chart.yaml | sed -n 's/^version:[[:space:]]*\([^[:space:]]*\).*/\1/p')
   else
     echo "ERROR: No version source found (VERSION_FILE, VERSION, package.json, pom.xml, Chart.yaml)" >&2
     exit 1

scripts/ci-report.sh

@@ -1,5 +1,5 @@
-#!/usr/bin/env bash
-set -euo pipefail
+#!/usr/bin/env sh
+set -eu
 
 DESCRIPTION="${1:-}"
 CONTEXT="${2:-}"
@@ -14,53 +14,71 @@ REPORT_DIR="reports/${SUITE}"
 
 if [ ! -d "$REPORT_DIR" ]; then
   echo "ERROR: $REPORT_DIR not found" >&2
-  bash .ci/scripts/report-status.sh failure "$DESCRIPTION" "$CONTEXT"
+  sh .ci/scripts/report-status.sh failure "$DESCRIPTION" "$CONTEXT"
   exit 1
 fi
 
-FILES=()
-while IFS= read -r -d '' f; do
-  FILES+=("$(basename "$f")")
-done < <(find "$REPORT_DIR" -maxdepth 1 -type f ! -name index.html -print0 2>/dev/null || true)
+FILE_COUNT=0
+SUBDIR_COUNT=0
+ENTRIES=""
 
-SUBDIRS=()
-while IFS= read -r -d '' d; do
-  name="${d#$REPORT_DIR/}"
-  [ -f "$d/index.html" ] && SUBDIRS+=("$name")
-done < <(find "$REPORT_DIR" -maxdepth 1 -type d ! -name . -print0 2>/dev/null || true)
+for f in "$REPORT_DIR"/*; do
+  [ -f "$f" ] || continue
+  base=$(basename "$f")
+  [ "$base" = "index.html" ] && continue
+  FILE_COUNT=$((FILE_COUNT + 1))
+  ENTRIES="${ENTRIES}file:${base}
+"
+done
 
-TOTAL=$(( ${#FILES[@]} + ${#SUBDIRS[@]} ))
+for d in "$REPORT_DIR"/*/; do
+  [ -d "$d" ] || continue
+  base=$(basename "$d")
+  [ -f "$d/index.html" ] || continue
+  SUBDIR_COUNT=$((SUBDIR_COUNT + 1))
+  ENTRIES="${ENTRIES}dir:${base}
+"
+done
+
+TOTAL=$((FILE_COUNT + SUBDIR_COUNT))
 
 if [ "$TOTAL" -eq 0 ]; then
   echo "ERROR: no reportable items in $REPORT_DIR" >&2
-  bash .ci/scripts/report-status.sh failure "$DESCRIPTION" "$CONTEXT"
+  sh .ci/scripts/report-status.sh failure "$DESCRIPTION" "$CONTEXT"
   exit 1
 fi
 
-SHA8="${GITHUB_SHA:0:8}"
+SHA8=$(echo "${GITHUB_SHA:-xxxxxxxx}" | cut -c1-8)
 
 humanize() {
-  local name="$1"
-  name="${name%.*}"
-  name="${name//-/ }"
-  name="${name//_/ }"
-  echo "${name^}"
+  name="$1"
+  name=$(echo "$name" | sed -e 's/\.[^.]*$//' -e 's/[-_]/ /g')
+  first=$(echo "$name" | cut -c1 | tr '[:lower:]' '[:upper:]')
+  rest=$(echo "$name" | cut -c2-)
+  echo "${first}${rest}"
 }
 
 generate_index() {
-  local html
-  html='<!DOCTYPE html><html lang="en"><head><meta charset="utf-8">'
-  html+="<title>$DESCRIPTION</title>"
-  html+='<style>body{font-family:sans-serif;margin:2em;max-width:960px}h1{color:#1e293b}ul{list-style:none;padding:0}li{margin:.5em 0;padding:.5em;background:#f8fafc;border-radius:6px}a{color:#2563eb;text-decoration:none}a:hover{text-decoration:underline}</style>'
-  html+="</head><body><h1>$DESCRIPTION</h1><ul>"
-  for f in "${FILES[@]}"; do
-    html+="<li><a href=\"$f\">$(humanize "$f")</a></li>"
-  done
-  for d in "${SUBDIRS[@]}"; do
-    html+="<li><a href=\"$d/index.html\">${d^}</a></li>"
-  done
-  html+='</ul></body></html>'
-  printf '%s' "$html" > "$REPORT_DIR/index.html"
+  {
+    echo '<!DOCTYPE html><html lang="en"><head><meta charset="utf-8">'
+    echo "<title>$DESCRIPTION</title>"
+    echo '<style>body{font-family:sans-serif;margin:2em;max-width:960px}h1{color:#1e293b}ul{list-style:none;padding:0}li{margin:.5em 0;padding:.5em;background:#f8fafc;border-radius:6px}a{color:#2563eb;text-decoration:none}a:hover{text-decoration:underline}</style>'
+    echo "</head><body><h1>$DESCRIPTION</h1><ul>"
+
+    echo "$ENTRIES" | while IFS= read -r entry; do
+      [ -z "$entry" ] && continue
+      entry_type=$(echo "$entry" | cut -d: -f1)
+      entry_name=$(echo "$entry" | cut -d: -f2-)
+      if [ "$entry_type" = "file" ]; then
+        echo "<li><a href=\"$entry_name\">$(humanize "$entry_name")</a></li>"
+      else
+        cap=$(echo "$entry_name" | sed 's/\(.\).*/\1/' | tr '[:lower:]' '[:upper:]')$(echo "$entry_name" | sed 's/.//')
+        echo "<li><a href=\"$entry_name/index.html\">${cap}</a></li>"
+      fi
+    done
+
+    echo '</ul></body></html>'
+  } > "$REPORT_DIR/index.html"
 }
 
 STAGED="reports/${SHA8}/${SUITE}"
@@ -68,20 +86,25 @@ mkdir -p "$STAGED"
 
 if [ "$TOTAL" -eq 1 ]; then
   cp -a "$REPORT_DIR/." "$STAGED/"
-  bash .ci/scripts/publish-git-pages.sh "$SUITE"
+  sh .ci/scripts/publish-git-pages.sh "$SUITE"
 
-  if [ ${#FILES[@]} -eq 1 ]; then
-    ENTRY="${FILES[0]}"
+  first_entry=$(echo "$ENTRIES" | head -1)
+  first_type=$(echo "$first_entry" | cut -d: -f1)
+  first_name=$(echo "$first_entry" | cut -d: -f2-)
+
+  if [ "$first_type" = "file" ]; then
+    SINGLE_ENTRY="$first_name"
   else
-    ENTRY="${SUBDIRS[0]}/index.html"
+    SINGLE_ENTRY="${first_name}/index.html"
   fi
-  URL="${GIT_PAGES_URL}/${GITHUB_REPOSITORY}/reports/${SHA8}/${SUITE}/${ENTRY}"
-  bash .ci/scripts/report-status.sh "$STATUS" "$DESCRIPTION" "$CONTEXT" "" "$URL"
+
+  URL="${GIT_PAGES_URL}/${GITHUB_REPOSITORY}/reports/${SHA8}/${SUITE}/${SINGLE_ENTRY}"
+  sh .ci/scripts/report-status.sh "$STATUS" "$DESCRIPTION" "$CONTEXT" "" "$URL"
 else
   generate_index
   cp -a "$REPORT_DIR/." "$STAGED/"
-  bash .ci/scripts/publish-git-pages.sh "$SUITE"
-  bash .ci/scripts/report-status.sh "$STATUS" "$DESCRIPTION" "$CONTEXT" "$SUITE"
+  sh .ci/scripts/publish-git-pages.sh "$SUITE"
+  sh .ci/scripts/report-status.sh "$STATUS" "$DESCRIPTION" "$CONTEXT" "$SUITE"
 fi
 
 rm -rf "$STAGED"

scripts/publish-git-pages.sh

@@ -1,5 +1,5 @@
-#!/usr/bin/env bash
-set -euo pipefail
+#!/usr/bin/env sh
+set -eu
 
 SUITE_PATH="${1:-}"
 
@@ -12,7 +12,7 @@ SUITE_PATH="${1:-}"
 
 OWNER="${GITHUB_REPOSITORY%%/*}"
 REPO="${GITHUB_REPOSITORY##*/}"
-SHA8="${GITHUB_SHA:0:8}"
+SHA8=$(echo "$GITHUB_SHA" | cut -c1-8)
 PAGES_USER="${GIT_PAGES_PUBLISH_USER:-publish}"
 REPORT_DIR="reports/${SHA8}/${SUITE_PATH%/}"
 REPORT_BASE="${GIT_PAGES_URL}/${OWNER}/${REPO}/reports/${SHA8}"
@@ -33,17 +33,30 @@ else
 fi
 mkdir -p "$TARGET"
 cp -a "$REPORT_DIR/." "$TARGET/"
-if [ ! -f "$TARGET/index.html" ]; then
-  items=()
-  while IFS= read -r -d '' f; do
-    items+=("$(basename "$f")")
-  done < <(find "$TARGET" -maxdepth 1 -type f ! -name index.html -print0 2>/dev/null || true)
-  while IFS= read -r -d '' d; do
-    name=$(basename "$d")
-    [ -f "$d/index.html" ] && items+=("$name")
-  done < <(find "$TARGET" -maxdepth 1 -type d ! -name . -print0 2>/dev/null || true)
 
-  if [ ${#items[@]} -gt 1 ]; then
+if [ ! -f "$TARGET/index.html" ]; then
+  ITEM_LIST=""
+  ITEM_COUNT=0
+
+  for f in "$TARGET"/*; do
+    [ -f "$f" ] || continue
+    base=$(basename "$f")
+    [ "$base" = "index.html" ] && continue
+    ITEM_LIST="${ITEM_LIST}file:${base}
+"
+    ITEM_COUNT=$((ITEM_COUNT + 1))
+  done
+
+  for d in "$TARGET"/*/; do
+    [ -d "$d" ] || continue
+    base=$(basename "$d")
+    [ -f "$d/index.html" ] || continue
+    ITEM_LIST="${ITEM_LIST}dir:${base}
+"
+    ITEM_COUNT=$((ITEM_COUNT + 1))
+  done
+
+  if [ "$ITEM_COUNT" -gt 1 ]; then
     {
       echo '<!DOCTYPE html><html lang="en"><head><meta charset="utf-8">'
       echo "<title>Test report ${SHA8}</title>"
@@ -53,16 +66,21 @@ if [ ! -f "$TARGET/index.html" ]; then
       echo 'a{color:#2563eb;text-decoration:none}a:hover{text-decoration:underline}'
       echo '</style></head><body>'
       echo "<h1>Test report <code>${SHA8}</code></h1><ul>"
-      for item in "${items[@]}"; do
-        label="${item%.*}"
-        label="${label//-/ }"
-        label="${label//_/ }"
-        if [ -f "$TARGET/$item" ]; then
-          echo "<li><a href=\"$item\">${label^}</a></li>"
+
+      echo "$ITEM_LIST" | while IFS= read -r item; do
+        [ -z "$item" ] && continue
+        item_type=$(echo "$item" | cut -d: -f1)
+        item_name=$(echo "$item" | cut -d: -f2-)
+        label=$(echo "$item_name" | sed -e 's/\.[^.]*$//' -e 's/[-_]/ /g')
+        first=$(echo "$label" | cut -c1 | tr '[:lower:]' '[:upper:]')
+        rest=$(echo "$label" | cut -c2-)
+        if [ "$item_type" = "file" ]; then
+          echo "<li><a href=\"$item_name\">${first}${rest}</a></li>"
         else
-          echo "<li><a href=\"$item/index.html\">${label^}</a></li>"
+          echo "<li><a href=\"$item_name/index.html\">${first}${rest}</a></li>"
         fi
       done
+
       echo '</ul></body></html>'
     } > "$TARGET/index.html"
   fi
@@ -74,7 +92,7 @@ EOF
 find "$WORK/$OWNER" \( -type f -o -type l \) -print | sed "s|^${WORK}/||" | tar -cf "$TAR" -C "$WORK" -T -
 
 publish() {
-  local method="$1"
+  method="$1"
   curl -sS -X "$method" "$PUBLISH_SITE_URL" \
     -u "${PAGES_USER}:${GIT_PAGES_PUBLISH_TOKEN}" \
     -H "Content-Type: application/x-tar" \

scripts/report-status.sh

@@ -1,11 +1,10 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# https://docs.gitea.com/api/next/#tag/repository/operation/repoCreateStatus
+#!/usr/bin/env sh
+set -eu
 
 STATE="${1:-}"
 DESCRIPTION="${2:-}"
-KEY="${3:-commit-${GITHUB_SHA:0:8}}"
+SHA8=$(echo "${GITHUB_SHA:-}" | cut -c1-8)
+KEY="${3:-commit-${SHA8}}"
 SUITE="${4:-}"
 CUSTOM_URL="${5:-}"
 
@@ -18,7 +17,8 @@ if [ -n "$CUSTOM_URL" ]; then
   URL="$CUSTOM_URL"
 elif [ -n "$SUITE" ]; then
   SUITE="${SUITE%/}/"
-  URL="${GIT_PAGES_URL}/${GITHUB_REPOSITORY}/reports/${GITHUB_SHA:0:8}/${SUITE}"
+  SHA8_CUT=$(echo "$GITHUB_SHA" | cut -c1-8)
+  URL="${GIT_PAGES_URL}/${GITHUB_REPOSITORY}/reports/${SHA8_CUT}/${SUITE}"
 else
   URL="${GITEA_API_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
 fi

skills/consumer-pipelines/REFERENCE.md

@@ -349,7 +349,7 @@ pitää komponentit selkeästi erillään, ja tekee repossa navigoinnista suorav
 
 | Ongelma | Ratkaisu |
 |---|---|
-| Monta komponenttia, yksi repo — mikä triggeröi? | `paths:`-filtteri: `push: { paths: ['<komponentti>/**'] }` |
+| Monta komponenttia, yksi repo — mikä triggeröi? | `paths:`-filtteri: komponentin hakemisto + sen CI-workflow't ja conf-tiedosto |
 | Jokaisella komponentilla oma versio | `VERSION_FILE=<komponentti>/package.json` confissa |
 | Git-tägit sekaisin ellei nimiavaruutta | `GIT_TAG_PREFIX=<komponentti>/` confissa → tägi `<komponentti>/1.2.3` |
 | Eri julkaisutahdit | Riippumattomat CI-triggerit, omat versiopolut |
@@ -378,7 +378,8 @@ on:
     branches:
       - main
     paths:
-      - '<komponentti>/**'
+      - <komponentti>/**
+      - .gitea/workflows/<komponentti>.*
 
 jobs:
   load-config:
@@ -435,6 +436,7 @@ jos commitilla on jo tägi, pipeline skipataan `if: artifact_exists != 'true'`.
 - Älä aja kaikkia komponentteja samasta triggeristä — `paths:` pitää CI:t erillisinä
 - Älä käytä samaa versionhallintatiedostoa usealle komponentille
 - Älä anna monorepo-parametreja pipeline-overrideina — kaikki kuuluu conf-tiedostoon
+- Älä rajaa `paths:` pelkkään komponentin hakemistoon — CI ei triggeröidy workflow- tai conf-muutoksista
 
 ## Versionhallinta
 

skills/consumer-pipelines/SKILL.md

@@ -189,3 +189,72 @@ Ei pipeä (`|`) komennon perässä — se syö exit-koodin. Käytä redirectiä
 
 Providerin scriptit haetaan `actions/checkout`-stepillä `.ci/`-polkuun.
 Consumer ei kopioi eikä muokkaa providerin tiedostoja.
+
+## 10. Build & Push -providerit
+
+### `docker-build-push.yml` — Docker image build & push
+
+Buildaa ja pushee Docker-imagen OCI-registryyn. Ajaa suoraan runnerilla
+(ei `container:`-direktiiviä), joten `actions/checkout` toimii natiivisti.
+
+**`env_json`-avaimet (pakolliset):**
+
+```yaml
+DOCKER_REGISTRY: gitea.app.keskikuja.site/niko
+DOCKER_IMAGE_NAME: my-app
+```
+
+**Käyttö reitittimessä:**
+
+```yaml
+docker-build-push:
+  uses: OWNER/gitea-ci-library/.gitea/workflows/docker-build-push.yml@v1
+  needs: [check-version]
+  if: needs.check-version.outputs.artifact_exists == 'false'
+  secrets: inherit
+  with:
+    env_json: ${{ needs.load-config.outputs.env_json }}
+    version:  ${{ needs.check-version.outputs.version }}
+```
+
+Tarkka input/secret-lista: `docs/workflows.md`.
+
+### `helm-build-push.yml` — Helm chart build & push
+
+Pakkaa ja pushee Helm-chartin OCI-registryyn. Käyttää `alpine/helm`-konttia.
+
+**`env_json`-avaimet (pakolliset):**
+
+```yaml
+HELM_REGISTRY: gitea.app.keskikuja.site/niko
+```
+
+**Käyttö reitittimessä:**
+
+```yaml
+helm-build-push:
+  uses: OWNER/gitea-ci-library/.gitea/workflows/helm-build-push.yml@v1
+  needs: [check-version]
+  if: needs.check-version.outputs.artifact_exists == 'false'
+  secrets: inherit
+  with:
+    env_json: ${{ needs.load-config.outputs.env_json }}
+    version:  ${{ needs.check-version.outputs.version }}
+    # chart_path: '.'  # oletus, vaihda jos Chart.yaml on alihakemistossa
+```
+
+**Node.js-kompromissi:** `actions/checkout@v4` on JavaScript-action.
+Kontissa `alpine/helm` ei ole node.js:ää, joten se asennetaan lennossa
+`apk add --no-cache nodejs` ennen checkouttia.
+
+- Vaatii internet-yhteyden
+- Ei toimi air gap -ympäristössä
+- Korvaa tarvittaessa custom-kontilla (helm + nodejs):
+  rakenna `ci-container-build`-skillillä ja päivitä workflow'n
+  `container: image:` osoittamaan omaan konttiin
+
+**Yksittäisten Helm-UI-linkkien raportointi:** `HELM_UI_URL` on
+tarkoitettu yleiselle registry UI:lle — provider muodostaa linkin
+`${HELM_UI_URL}/${CHART_NAME}/${VERSION}` automaattisesti.
+
+Tarkka input/secret-lista: `docs/workflows.md`.

tests/check-version.bats

@@ -153,6 +153,21 @@ teardown() {
   [ "$NEXT_VERSION" = "0.3.2" ]
 }
 
+@test "VERSION_FILE=Chart-umbrella.yaml extracts only top-level version" {
+  mock_set_sequence '[{"code": 200, "body": []}]'
+  mock_start
+
+  export VERSION_FILE="$BATS_TEST_DIRNAME/fixtures/check-version/Chart-umbrella.yaml"
+  run bash scripts/check-version.sh
+
+  echo "STATUS=$status"
+  echo "OUTPUT=$output"
+  [ "$status" -eq 0 ]
+  source /tmp/build-ctx/build.env
+  echo "NEXT_VERSION=$NEXT_VERSION"
+  [ "$NEXT_VERSION" = "0.1.0" ]
+}
+
 @test "no version source exits with error" {
   mock_set_sequence '[{"code": 200, "body": []}]'
   mock_start

tests/fixtures/check-version/Chart-umbrella.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: agent-platform
+description: Agent Platform umbrella chart
+type: application
+version: 0.1.0
+dependencies:
+  - name: vikunja
+    version: "0.1.0"
+    repository: oci://registry.example.com
+  - name: langfuse
+    version: "0.2.0"
+    repository: oci://registry.example.com