Feture/gitops7 (#44)

Co-authored-by: moilanik <niko.moilanen@tietoevry.com>
Reviewed-on: #44

.gitea/workflows/gitops-dispatch.yml

@@ -22,7 +22,7 @@ on:
         required: true
     outputs:
       summary:
-        description: 'Pipe-format: component|version|status|commit_sha|repo'
+        description: "Pipe-format: component|version|status|commit_sha|repo"
         value: ${{ jobs.dispatch.outputs.summary }}
 
 env:
@@ -68,6 +68,11 @@ jobs:
             -H "Content-Type: application/json" \
             -d "$(jq -nc --arg ref "main" --argjson inputs "$INPUTS" '{ref: "main", inputs: $inputs}')"
 
+      - uses: actions/checkout@v4
+        with:
+          repository: niko/gitea-ci-library
+          path: .ci
+
       - name: Poll for completion
         id: poll
         env:
@@ -119,10 +124,24 @@ jobs:
             if [ "$STATUS" = "completed" ]; then
               if [ "$CONCLUSION" = "success" ]; then
                 echo "GitOps workflow completed successfully"
-                BRANCH_RESP=$(curl -s --connect-timeout 5 --max-time 10 \
+
-                  "${GITEA_API_URL}/api/v1/repos/${GITOPS_REPO}/branches/main" \
+                # 1. List recent commits from GitOps repo
-                  -H "Authorization: token $GITEA_TOKEN") || true
+                COMMITS=$(curl -s --connect-timeout 5 --max-time 10 \
-                GITOPS_COMMIT=$(echo "$BRANCH_RESP" | jq -r '.commit.id // empty')
+                  "${GITEA_API_URL}/api/v1/repos/${GITOPS_REPO}/commits?sha=main&limit=10" \
+                  -H "Authorization: token $GITEA_TOKEN")
+
+                # 2. Find commit by message: "gitops: update version to X.Y.Z"
+                SEARCH_MSG="gitops: update version to ${GITOPS_VERSION}"
+                GITOPS_COMMIT=$(echo "$COMMITS" | jq -r \
+                  --arg msg "$SEARCH_MSG" \
+                  '[.[] | select(.commit.message | contains($msg))] | .[0].sha // empty')
+
+                # 3. If not found → fail
+                if [ -z "$GITOPS_COMMIT" ]; then
+                  echo "ERROR: no matching GitOps commit found for version ${GITOPS_VERSION}" >&2
+                  exit 1
+                fi
+
                 echo "GITOPS_COMMIT=$GITOPS_COMMIT" >> "$GITHUB_OUTPUT"
                 echo "$GITOPS_COMMIT" > /tmp/gitops-commit
                 exit 0
@@ -147,3 +166,24 @@ jobs:
           fi
           COMPONENT="${GITOPS_TAG_PREFIX:-${GITOPS_FILE}}"
           echo "GITOPS_SUMMARY=${COMPONENT}|${GITOPS_VERSION}|${STATUS}|${GITOPS_SHA}|${GITOPS_REPO}" >> "$GITHUB_OUTPUT"
+
+      - name: Set commit status
+        if: success()
+        env:
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          GITOPS_SHA=$(cat /tmp/gitops-commit)
+
+          PREFIX="${GITOPS_TAG_PREFIX%/}"
+          if [ -n "$PREFIX" ]; then
+            CONTEXT="gitops/$(basename "${GITOPS_SOURCE_REPO}")/${PREFIX}"
+            DESCRIPTION="GitOps: ${PREFIX} ${GITOPS_VERSION}"
+          else
+            CONTEXT="gitops/$(basename "${GITOPS_SOURCE_REPO}")"
+            DESCRIPTION="GitOps: ${GITOPS_VERSION}"
+          fi
+
+          ROOT_REPO="${GITOPS_SOURCE_REPO}" ROOT_COMMIT="${GITOPS_SOURCE_COMMIT}" \
+            bash .ci/scripts/report-status.sh success \
+            "$DESCRIPTION" "$CONTEXT" "" \
+            "${GITEA_API_URL}/${GITOPS_REPO}/commit/${GITOPS_SHA}"

.gitea/workflows/helm-build-push.yml

@@ -8,6 +8,12 @@ on:
       version:
         required: true
         type: string
+      chart_path:
+        required: true
+        type: string
+      extra_dependency_paths:
+        required: false
+        type: string
     secrets:
       GITEA_TOKEN:
         required: true
@@ -47,6 +53,13 @@ jobs:
           repository: niko/gitea-ci-library
           path: .ci
 
+      - name: Resolve extra subchart dependencies
+        if: inputs.extra_dependency_paths != ''
+        run: |
+          for path in $(echo "${{ inputs.extra_dependency_paths }}" | tr ',' '\n'); do
+            helm dependency update "${path}"
+          done
+
       - name: Package Helm chart
         run: |
           CHART_DIR=$(dirname "${CHART_FILE}")

docs/workflows.md

@@ -103,7 +103,8 @@ joten `actions/checkout` toimii ilman node-asennuksia.
 |-----------|------------|--------|
 | `env_json` | Kyllä | Konffi `gitea-env.conf`:stä |
 | `version` | Kyllä | Version string (check-version output) |
-| `chart_path` | Ei | Polku Chart.yaml-hakemistoon, oletus `.` |
+| `chart_path` | Kyllä | Polku Chart.yaml-hakemistoon |
+| `extra_dependency_paths` | Ei | Pilkulla erotellut polut subcharttien dependeinceille, joille ajetaan `helm dependency update` ennen päächartin buildia |
 
 **`env_json`-avaimet:**
 
@@ -124,9 +125,10 @@ build-push (helm package → helm push OCI) → tag-commit (git-tagin luonti)
 **Steppien kuvaus `build-push`-jobissa:**
 1. **Node.js-asennus** — `apk add --no-cache nodejs` (vaaditaan `actions/checkout`-actionia varten)
 2. **Checkout** — sovellusrepo ja gitea-ci-library `.ci/`-polkuun
-3. **Package** — `helm package` versiolla `$VERSION`
+3. **Resolve extra subchart dependencies** — `helm dependency update` jokaiselle `extra_dependency_paths`-polulle (vain jos input on annettu)
-4. **Push OCI** — `helm push` registryyn autentikoinnilla
+4. **Package** — `helm dependency update` + `helm package` versiolla `$VERSION`
-5. **Report status** — commit-status + UI-linkki
+5. **Push OCI** — `helm push` registryyn autentikoinnilla
+6. **Report status** — commit-status + UI-linkki
 
 **Kompromissi:** Kontti `alpine/helm` ei sisällä node.js:ää, mutta
 `actions/checkout@v4` on JavaScript-action ja vaatii sen. Siksi nodejs

skills/consumer-pipelines/SKILL.md

@@ -368,9 +368,18 @@ Pakkaa ja pushee Helm-chartin OCI-registryyn. Käyttää `alpine/helm`-konttia.
 
 ```yaml
 HELM_REGISTRY: gitea.app.keskikuja.site/niko
-VERSION_FILE: platform-helm/Chart.yaml  # chart-hakemisto + versionlähde
+VERSION_FILE: platform-helm/Chart.yaml  # versionlähde, chart_path määrää chart-hakemiston
 ```
 
+**Inputit:**
+
+| Parametri | Pakollinen | Kuvaus |
+|-----------|------------|--------|
+| `env_json` | Kyllä | Konffi `gitea-env.conf`:stä |
+| `version` | Kyllä | Version string (check-version output) |
+| `chart_path` | Kyllä | Polku Chart.yaml-hakemistoon (esim. `platform-helm`) |
+| `extra_dependency_paths` | Ei | Pilkulla erotellut polut subcharttien dependeinceille |
+
 **Käyttö reitittimessä:**
 
 ```yaml
@@ -382,11 +391,19 @@ helm-build-push:
   with:
     env_json: ${{ needs.load-config.outputs.env_json }}
     version:  ${{ needs.check-version.outputs.version }}
+    chart_path: platform-helm
+    # extra_dependency_paths: subchart-a,subchart-b  # tarvittaessa
 ```
 
-Chart-hakemisto johdetaan `VERSION_FILE`-polusta: `dirname "${VERSION_FILE}"`.
+`chart_path` on eksplisiittinen polku chart-hakemistoon (esim. `platform-helm`).
-Jos `VERSION_FILE` on `Chart.yaml`, konteksti on juuri. Jos `platform-helm/Chart.yaml`,
+`VERSION_FILE` määrää version lähteen (`Chart.yaml:n` `version`-kenttä) —
-konteksti on `platform-helm/`.
+nämä voivat olla eri polkuja, mutta tyypillisesti molemmat osoittavat samaan
+chart-hakemistoon.
+
+**`extra_dependency_paths`:** Jos chartilla on alikarttoja (subchartteja) jotka
+vaativat `helm dependency update` -ajon ennen päächartin buildia, anna niiden
+polut pilkulla eroteltuna. Provider ajaa `helm dependency update` jokaiselle
+polulle ennen päächartin buildia.
 
 **Yksittäisten Helm-UI-linkkien raportointi:** `HELM_UI_URL` on
 tarkoitettu yleiselle registry UI:lle — provider muodostaa linkin

skills/gitops-update/SKILL.md

@@ -1,10 +1,9 @@
 ---
 name: gitops-update
 description: |
-  Setting up GitOps version updates: GitOps-repo workflow template, code
+  Getting GitOps configuration updates working for a consumer project —
-  repo dispatch, secret requirements, and two-repo commit-status pattern.
+  GitOps repo setup, consumer pipeline wiring, secrets, and commit-status
-  Activates when the user needs to wire up artifact builds to GitOps
+  output.
-  configuration updates.
 activation-gate: |
   User mentions GitOps update, gitops-update, dispatch to another repo,
   two-repo version bump, cross-repo deployment, or wiring build output to
@@ -13,47 +12,26 @@ category: ci
 impact: high
 ---
 
-# GitOps Update — Provider-palvelu
+# GitOps Update — consumer setup
 
-`scripts/gitops-update.sh` ja `scripts/dispatch-workflow.sh` muodostavat
+## What you need
-GitOps-päivityspalvelun. Artifact buildataan code repossa, minkä jälkeen
-code repo dispatchaa GitOps-repoon, joka päivittää konfiguraatiotiedoston
-ja pushaa muutoksen.
 
-## Arkkitehtuuri
+- **GitOps repo** — holds the configuration files (e.g. `Chart.yaml`, `values.yaml`)
+- **Consumer repo** — builds artifacts and triggers the update
+- **Bottitoken** — Gitea token with write access to the GitOps repo only
 
-Kaksi erillistä repoa, eristetyt oikeudet:
+Two repos, isolated access. The consumer never writes to GitOps directly;
+it dispatches a workflow that clones, updates, commits, and pushes.
 
-```
+---
-Code repo                          GitOps repo
-(build & push artifact)            (konfiguraatiot)
 
-build & push onnistuu (v0.2.3)
+## 1. GitOps-repo setup
-         │
-         │ dispatch ci-main.yml
-         │ {file, yq_tpl, version, source_repo, source_commit}
-         │
-         └────────────────────────────────────→┐
-                                               │
-         dispatch-workflow.sh pollaa ←─────────┘
-                                               │
-         code repo asettaa                     │ git clone, yq update,
-         oman commit-statusnsa                 │ git commit + push
-         dispatchin exit-koodilla              │ status GitOps-repoon
-```
 
-**Token-periaate:** Vain GitOps-repoon kirjoitetaan. Code repo asettaa
+Create `.gitea/workflows/gitops-service.yaml`:
-oman commit-statusnsa dispatch-kutsun exit-koodin perusteella omalla
-auto-tokenillaan. GitOps-repon auto-token ei tarvitse oikeuksia code
-repoon.
-
-## GitOps-repon workflow (ci-main.yml)
-
-GitOps-repoon luodaan `.gitea/workflows/ci-main.yml`:
 
 ```yaml
 name: GitOps Update
-run-name: "GitOps Service (${{ inputs.dispatch_id || 'manual' }})"
+run-name: "GitOps (${{ inputs.dispatch_id || 'manual' }})"
 on:
   workflow_dispatch:
     inputs:
@@ -86,7 +64,6 @@ env:
   SOURCE_REPO: ${{ inputs.source_repo }}
   SOURCE_COMMIT: ${{ inputs.source_commit }}
   GITOPS_REPO: ${{ github.repository }}
-  GITOPS_BRANCH: ${{ github.ref_name }}
   GITEA_API_URL: ${{ gitea.server_url }}
   GIT_TAG_PREFIX: ${{ inputs.git_tag_prefix || '' }}
 
@@ -95,18 +72,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-
       - uses: actions/checkout@v4
         with:
           repository: niko/gitea-ci-library
           path: .ci
-
       - name: Install yq
         run: |
           wget -qO /usr/local/bin/yq \
             https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
           chmod +x /usr/local/bin/yq
-
       - name: Run GitOps update
         env:
           GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
@@ -114,297 +88,130 @@ jobs:
           bash .ci/scripts/gitops-update.sh
 ```
 
-**Huomiot:**
+> **⚠️ yq ladataan lennossa.** Tämä on väliaikainen kompromissi. Myöhemmin
-- `GITEA_TOKEN` on Gitean auto-token — scopeutuu GitOps-repoon, riittää
+> julkaistaan Docker Hubiin custom CI-kontti, jossa nodejs + git + yq
-  cloneen, committiin, pushiin ja commit-statusiin GitOps-repossa
+> valmiina. Sama patterni kuin `ci-bats` ja `ci-cucumber`.
-- `run-name` ja `dispatch_id` mahdollistavat dispatchaavan skriptin tunnistaa
+> Ks. `skills/ci-container-build/SKILL.md`. 
-  tämän workflow-runin yksiselitteisesti `display_title`-kentästä, vaikka
-  samassa repossa olisi samanaikaisia ajoja
-- yq ladataan lennossa (kompromissi, ks. "Tuleva CI-kontti")
 
-### Tulossa: custom CI-kontti
+Key points:
+- `run-name` must include `dispatch_id` — the consumer's poll step uses it to find the run
+- `secrets.GITEA_TOKEN` is the **auto-token** — write access to the GitOps repo only, no consumer access needed
+- Commit message becomes `"[skip ci] gitops: update version to X.Y.Z"` — used by consumer to find the commit SHA
 
-Nykyinen job lataa yq:n lennossa. Myöhemmin rakennetaan oma kontti
+---
-(`ci-gitops`), jossa on nodejs + git + yq valmiina. Sama patterni kuin
-`ci-bats` ja `ci-cucumber`. Ks. `skills/ci-container-build/SKILL.md`.
 
-## Code-repon dispatch-step
+## 2. Consumer-repo setup
 
-Code repo dispatchaa GitOps-repon workflown artifact buildin onnistuttua:
+### 2.1 Token
+
+Create a Gitea token with write access to the GitOps repo:
+
+1. Gitea → `Settings` → `Applications` → `Generate Token`
+2. Select the GitOps repo, grant write access
+3. Save as an Actions secret in the consumer repo: **`GITOPS_DISPATCH_TOKEN`**
+
+### 2.2 Pipeline call
+
+Add a job after your build step that calls the dispatch workflow:
 
 ```yaml
 gitops-update:
-  needs: [helm-build-push]
+  needs: [build-push]
   if: success()
-  runs-on: ubuntu-latest
+  uses: niko/gitea-ci-library/.gitea/workflows/gitops-dispatch.yml@v1
-  steps:
+  secrets: inherit
-    - uses: actions/checkout@v4
+  with:
-
+    env_json: ${{ needs.load-config.outputs.env_json }}
-    - uses: actions/checkout@v4
+    version: ${{ needs.version.outputs.version }}
-      with:
+    GITOPS_FILE: dev/Chart.yaml
-        repository: niko/gitea-ci-library
+    GITOPS_YQ_TPL: '.version = "{{VERSION}}"'
-        path: .ci
+    GITOPS_REPO: niko/your-gitops-repo
-
-    - name: Dispatch GitOps update
-      id: dispatch
-      env:
-        GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
-      run: |
-        INPUTS=$(jq -nc \
-          --arg file "dev/Chart.yaml" \
-          --arg yq_tpl '(.dependencies[] | select(.name == "agent-platform-helm") | .version) = "{{VERSION}}"' \
-          --arg version "${{ needs.check-version.outputs.version }}" \
-          --arg source_repo "${{ github.repository }}" \
-          --arg source_commit "${{ github.sha }}" \
-          '{file: $file, yq_tpl: $yq_tpl, version: $version, source_repo: $source_repo, source_commit: $source_commit}')
-        OUTPUT=$(bash .ci/scripts/dispatch-workflow.sh \
-          "niko/agent-platform-gitops" \
-          "ci-main.yml" \
-          "main" \
-          "$INPUTS" \
-          "${{ fromJson(needs.load-config.outputs.env_json).GITEA_API_URL }}" \
-          "${{ secrets.GITEA_TOKEN }}" \
-          "30")
-        echo "$OUTPUT"
-        GITOPS_COMMIT=$(echo "$OUTPUT" | grep '^GITOPS_COMMIT=' | cut -d= -f2)
-        echo "gitops_commit=$GITOPS_COMMIT" >> "$GITHUB_OUTPUT"
 ```
 
-### Multi-artifact pipeline (kontti + helm)
+This single job handles: dispatch → poll → find commit SHA → set commit-status on your commit → produce `GITOPS_SUMMARY` output.
 
-Yksi main-haaran build tuottaa usein sekä Docker-imagen että Helm-chartin.
+### 2.3 Parameters
-Kumpikin artefakti dispatchaa oman GitOps-päivityksensä rinnakkain:
 
-```yaml
+| Input | Required | Description |
-gitops-helm:
-  needs: [helm-build-push]
-  if: success()
-  runs-on: ubuntu-latest
-  steps:
-    - uses: actions/checkout@v4
-    - uses: actions/checkout@v4
-      with:
-        repository: niko/gitea-ci-library
-        path: .ci
-    - name: Update helm version
-      id: helm
-      run: |
-        INPUTS=$(jq -nc \
-          --arg file "dev/Chart.yaml" \
-          --arg yq_tpl '(.dependencies[] | select(.name == "git-pages") | .version) = "{{VERSION}}"' \
-          --arg version "${{ needs.check-version.outputs.version }}" \
-          --arg source_repo "${{ github.repository }}" \
-          --arg source_commit "${{ github.sha }}" \
-          --arg git_tag_prefix "helm" \
-          '{dispatch_id: "", file: $file, yq_tpl: $yq_tpl, version: $version, source_repo: $source_repo, source_commit: $source_commit, git_tag_prefix: $git_tag_prefix}')
-        OUTPUT=$(bash .ci/scripts/dispatch-workflow.sh \
-          "niko/gitea-ci-gitops-tests" "gitops-service.yaml" "main" \
-          "$INPUTS" "${{ fromJson(needs.load-config.outputs.env_json).GITEA_API_URL }}" \
-          "${{ secrets.GITOPS_DISPATCH_TOKEN }}" "30")
-        echo "$OUTPUT"
-        echo "helm_commit=$(echo "$OUTPUT" | grep '^GITOPS_COMMIT=' | cut -d= -f2)" >> "$GITHUB_OUTPUT"
-
-gitops-docker:
-  needs: [docker-build-push]
-  if: success()
-  runs-on: ubuntu-latest
-  steps:
-    - uses: actions/checkout@v4
-    - uses: actions/checkout@v4
-      with:
-        repository: niko/gitea-ci-library
-        path: .ci
-    - name: Update docker tag
-      id: docker
-      run: |
-        INPUTS=$(jq -nc \
-          --arg file "dev/values.yaml" \
-          --arg yq_tpl '.service.tag = "{{VERSION}}"' \
-          --arg version "${{ needs.check-version.outputs.version }}" \
-          --arg source_repo "${{ github.repository }}" \
-          --arg source_commit "${{ github.sha }}" \
-          --arg git_tag_prefix "docker" \
-          '{dispatch_id: "", file: $file, yq_tpl: $yq_tpl, version: $version, source_repo: $source_repo, source_commit: $source_commit, git_tag_prefix: $git_tag_prefix}')
-        OUTPUT=$(bash .ci/scripts/dispatch-workflow.sh \
-          "niko/gitea-ci-gitops-tests" "gitops-service.yaml" "main" \
-          "$INPUTS" "${{ fromJson(needs.load-config.outputs.env_json).GITEA_API_URL }}" \
-          "${{ secrets.GITOPS_DISPATCH_TOKEN }}" "30")
-        echo "$OUTPUT"
-        echo "docker_commit=$(echo "$OUTPUT" | grep '^GITOPS_COMMIT=' | cut -d= -f2)" >> "$GITHUB_OUTPUT"
-```
-
-Kaksi dispatchia, kaksi eri tiedostoa, kaksi eri `GIT_TAG_PREFIX`-arvoa.
-Kummallakin on oma commit-status-linja ja oma summary-rivi.
-`dispatch-workflow.sh` hoitaa rinnakkaisuuden `display_title`-matchauksella.
-
-**GITEA_TOKEN dispatch-vaiheessa:** Tarvitaan manuaalinen token,
-jolla on **write-oikeus GitOps-repoon** (esim. org-tason token).
-Code-repon auto-token ei oikeuta dispatchaamaan toiseen repoon.
-Token luodaan Giteassa: `Settings → Applications → Generate Token`
-ja asetetaan code-repoon Actions Secretiksi.
-
-### Commit-status dispatchin perusteella
-
-`dispatch-workflow.sh` tulostaa `GITOPS_COMMIT=<sha>` stdoutiin onnistuneen
-GitOps-päivityksen jälkeen. Code repo parsii sen ja asettaa commit-statusin
-linkillä GitOps-committiin:
-
-```yaml
-    - name: Set commit-status with GitOps link
-      if: always()
-      env:
-        GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
-        GITEA_API_URL: ${{ fromJson(needs.load-config.outputs.env_json).GITEA_API_URL }}
-        GITOPS_COMMIT: ${{ steps.dispatch.outputs.gitops_commit }}
-        VERSION: ${{ needs.check-version.outputs.version }}
-      run: |
-        GITOPS_URL="${GITEA_API_URL}/niko/agent-platform-gitops/commit/${GITOPS_COMMIT}"
-        CTX="gitops/$(basename ${{ github.repository }})"
-        DESC="Deploy to dev ${VERSION}"
-        if [ -n "$GITOPS_COMMIT" ]; then
-          bash .ci/scripts/report-status.sh success "$DESC" "$CTX" "" "$GITOPS_URL"
-        else
-          bash .ci/scripts/report-status.sh success "$DESC" "$CTX"
-        fi
-```
-
-`dispatch-workflow.sh` palauttaa:
-- exit 0 = GitOps-päivitys onnistui (+ `GITOPS_COMMIT=<sha>`)
-- exit 1 = GitOps-päivitys failasi
-- exit 124 = aikakatkaisu (360 min oletus)
-
-### Loppuraportti (report-summary)
-
-Code-repon viimeinen job (`report-summary`) lisää GitOps-päivityksestä
-rivin GITHUB_STEP_SUMMARYyn:
-
-```yaml
-    - name: GitOps summary
-      if: always()
-      env:
-        GITEA_API_URL: ${{ fromJson(needs.load-config.outputs.env_json).GITEA_API_URL }}
-        GITOPS_COMMIT: ${{ steps.dispatch.outputs.gitops_commit }}
-        VERSION: ${{ needs.check-version.outputs.version }}
-      run: |
-        if [ -n "$GITOPS_COMMIT" ]; then
-          LINK="${GITEA_API_URL}/niko/agent-platform-gitops/commit/${GITOPS_COMMIT}"
-        else
-          LINK="#"
-        fi
-        cat >> "$GITHUB_STEP_SUMMARY" << 'GITOPS'
-
-        ## GitOps updates
-
-        | Component | Version | Status | Commit |
-        |-----------|---------|--------|--------|
-        | agent-platform-helm | __VERSION__ | __STATUS__ | [link](__LINK__) |
-        GITOPS
-        sed -i "s|__VERSION__|${VERSION}|; s|__STATUS__|${{ job.status }}|; s|__LINK__|${LINK}|" \
-          "$GITHUB_STEP_SUMMARY"
-```
-
-## Secretit ja tokenit
-
-| Secret | Missä | Scope | Kuvaus |
-|--------|-------|-------|--------|
-| `GITEA_TOKEN` (auto) | Code repo | Vain code repo | Asettaa commit-statusin dispatchin jälkeen |
-| `GITEA_TOKEN` (auto) | GitOps repo | Vain GitOps repo | Klooni, push, commit-status GitOps-repossa |
-| `GITOPS_DISPATCH_TOKEN` (manuaalinen) | Code repo | Write GitOps-repoon | Dispatchaa GitOps-repon workflow |
-
-**Tokenin luonti:**
-1. Gitea → `Settings` → `Applications` → `Generate Token`
-2. Valitse repo-oikeudet: valitse GitOps-repo, anna write-oikeudet
-3. Token asetetaan code-repoon: `{repo} → Settings → Actions Secrets`
-4. Salaisuuden nimi: esim. `GITOPS_DISPATCH_TOKEN`
-
-## Provider-skriptit
-
-### `scripts/gitops-update.sh`
-
-Ajaan GitOps-repon workflow'ssa. Päivittää konfiguraatiotiedoston yq:llä,
-committaa ja pushaa. Asettaa commit-statuksen vain GitOps-repoon.
-
-**Input-ympäristömuuttujat:**
-
-| Muuttuja | Pakollinen | Kuvaus |
 |---|---|---|
-| `INPUT_FILE` | Kyllä | Tiedosto GitOps-repossa (esim. `dev/Chart.yaml`) |
+| `env_json` | Yes | Config JSON with `GITEA_API_URL`, optional `GIT_TAG_PREFIX` (for multi-component repos) |
-| `YQ_TPL` | Kyllä | yq-lauseke `{{VERSION}}`-placeholderilla |
+| `version` | Yes | Version to write (e.g. `0.2.3`) |
-| `VERSION` | Kyllä | Uusi versio (esim. `0.2.3`) |
+| `GITOPS_FILE` | Yes | Path in GitOps repo (e.g. `dev/Chart.yaml`) |
-| `SOURCE_REPO` | Kyllä | Code-repo slug (esim. `org/app`) |
+| `GITOPS_YQ_TPL` | Yes | yq expression, `{{VERSION}}` is replaced at runtime |
-| `SOURCE_COMMIT` | Kyllä | Code-repon commit SHA |
+| `GITOPS_REPO` | Yes | GitOps repo slug (e.g. `niko/agent-platform-gitops`) |
-| `GITOPS_REPO` | Kyllä | GitOps-repo slug |
-| `GITEA_API_URL` | Kyllä | Gitean API-URL |
-| `GITEA_TOKEN` | Kyllä | Gitea API-token (write GitOps-repoon) |
-| `GITOPS_BRANCH` | Ei | Branch (oletus `main`) |
-| `GIT_TAG_PREFIX` | Ei | Komponentin tag-prefix status-nimeämiseen (esim. `agent-platform-helm`) |
-| `GITOPS_CLONE_URL` | Ei | Yliajaa clone-URL (esim. eri protokolla) |
-| `GITOPS_TARGET_DIR` | Ei | Yliajaa clone-kohdehakemisto |
 
-**Commit-status muoto:**
+### 2.4 Output
 
-GitOps-repoon asetetaan commit-status:
+The workflow produces a `summary` output in pipe format:
 
-| Kenttä | Formaatti | Esimerkki |
+```
-|--------|-----------|-----------|
+component|version|status|commit_sha|repo
-| Context | `{repo}/{GIT_TAG_PREFIX} {RUN_ID}` tai `{repo} {RUN_ID}` | `gitea-ci-library/agent-platform-helm 473` |
+agent-platform-helm|0.2.3|success|abc789def|niko/agent-platform-gitops
-| Description | `Install to {env} {version}` | `Install to dev 0.2.0` |
+```
-| Target URL | Linkki code-repon committiin | `/niko/gitea-ci-library/commit/abc123` |
 
-Jos tiedosto on jo halutussa versiossa (ei muutoksia), status saa descriptionin `Install to {env} {version} — no change`. Commit-pushia ei tehdä, GitOps-repo pysyy muuttumattomana.
+Pass it to `report-summary.yml` for the pipeline summary:
 
-- `{env}` parsitaan `INPUT_FILE`:stä (`dev/Chart.yaml` → `dev`)
+```yaml
-- `{repo}` parsitaan `SOURCE_REPO`:sta (`niko/gitea-ci-library` → `gitea-ci-library`)
+report-summary:
-- `{GIT_TAG_PREFIX}` tulee env-varista (sama kuin `gitea-env.conf`:ssa)
+  needs: [load-config, gitops-update]
+  if: always()
+  uses: niko/gitea-ci-library/.gitea/workflows/report-summary.yml@main
+  with:
+    env_json: ${{ needs.load-config.outputs.env_json }}
+    suites: bats cucumber
+    gitops: ${{ needs.gitops-update.outputs.summary }}
+```
 
-### `scripts/dispatch-workflow.sh`
+---
 
-Dispatchaa workflow_dispatchin kohderepoon ja pollaa valmistumista.
+## 3. Token summary
-Generoi automaattisesti `dispatch_id`-tunnisteen, lisää sen dispatch-
-inputteihin ja tunnistaa workflow-runin kohdereposta `display_title`-
-kentän perusteella. Toimii luotettavasti vaikka samassa repossa olisi
-useita samanaikaisia dispatch-attribuutioita.
 
-**Argumentit:**
+| Token | Where | Scope | Purpose |
+|---|---|---|---|
+| `GITOPS_DISPATCH_TOKEN` (manual) | Consumer secrets | write GitOps repo | Dispatches the GitOps workflow |
+| `GITHUB_TOKEN` (auto) | Consumer workflow | write consumer repo | Sets commit-status on consumer's commit |
+| `GITEA_TOKEN` (auto) | GitOps workflow | write GitOps repo | Clone, push, commit-status in GitOps repo |
 
-| # | Pakollinen | Kuvaus |
+---
-|---|------------|--------|
-| 1 | Kyllä | Kohderepo (esim. `niko/agent-platform-gitops`) |
-| 2 | Kyllä | Workflow-tiedosto (esim. `ci-main.yml`) |
-| 3 | Kyllä | Branch/ref |
-| 4 | Kyllä | Inputs JSON |
-| 5 | Kyllä | Gitea API URL |
-| 6 | Kyllä | Gitea token |
-| 7 | Ei | Aikakatkaisu minuutteina (oletus 360) |
 
-Kutsujan ei tarvitse välittää `dispatch_id`:tä — skripti generoi sen
+## 4. What happens at runtime
-itse ja lisää inputteihin ennen dispatchia.
 
-## [skip ci]
+1. Consumer's `gitops-dispatch.yml` generates a unique `dispatch_id` and POSTs it to the GitOps repo
+2. GitOps workflow clones its own repo, applies `yq`, commits + pushes
+3. Consumer polls the GitOps repo's runs until the workflow completes
+4. Consumer lists recent commits and finds the matching one by commit message `"gitops: update version to X.Y.Z"`
+5. Consumer sets commit-status `gitops/{repo}[/{prefix}]` on its own commit with a link to the exact GitOps commit
+6. If no matching commit is found (no change or error), the job fails
+7. On failure, `GITOPS_SUMMARY` still flows through `report-summary` with `status=failure`
 
-Commit-viestissä on `[skip ci]`, joka estää GitActions-runneria
+---
-triggeröimästä uutta CI-ajoa GitOps-repoon pushista. Näin vältetään
-ääretön trigger-loop.
 
-## Race condition
+## 5. GIT_TAG_PREFIX (optional)
 
-`dispatch-workflow.sh` tunnistaa jokaisen dispatchatun runin uniikilla
+If the same consumer repo dispatches updates for multiple components (e.g. Docker image + Helm chart), set `GIT_TAG_PREFIX` in your `gitea-env.conf`:
-`dispatch_id`-tunnisteella `display_title`-kentästä. Vaikka useampi
-artifakti dispatchaisi samaan aikaan ja useita workflow-runeja olisi
-käynnissä rinnakkain, jokainen skripti löytää oikean runinsa.
 
-## Sääntöjä
+```
+GIT_TAG_PREFIX=docker/
+```
 
-1. **Token ei kirjoita code repoon.** GitOps-repon workflow ei tarvitse
+Each component gets its own commit-status context:
-   oikeuksia code repoon. Kaikki status-kutsut kohdistuvat vain
+
-   GitOps-repoon. Code repo asettaa oman statusnsa itse.
+| Prefix | Context |
-2. **Ei provider-workflowta.** GitOps-päivitys ei ole reusable workflow.
+|---|---|
-   GitOps-repo ajaa `scripts/gitops-update.sh`:n suoraan.
+| (empty) | `gitops/agent-platform` |
-3. **Vain `workflow_dispatch`.** GitOps-repon workflow:ta ei triggeröidä
+| `docker/` | `gitops/agent-platform/docker` |
-   pushista — se laukeaa vain dispatch-kutsusta.
+| `helm/` | `gitops/agent-platform/helm` |
-4. **Dispatch ei palauta tarkkaa SHA:**ta. Code repo ei tiedä GitOps-
+
-   commitin SHA:ta ennen dispatch-valmistumista. Status asetetaan
+This prevents status overwrites between parallel dispatch jobs.
-   dispatchin exit-koodin perusteella, ei GitOps-commitin tiedoilla.
+
-5. **`dispatch_id` on pakollinen kohde-workflow'ssa** — ilman sitä
+---
-   `dispatch-workflow.sh` ei löydä oikeaa runia moniajo-tilanteessa.
+
-6. **`[skip ci]` commit-viestissä.** Pakollinen trigger-loopin estoon.
+## 6. What you do NOT need to know
+
+- How `gitops-update.sh` works internally
+- How the polling finds the run
+- How the commit SHA is extracted
+- Race condition handling
+- CI container plans
+
+All of that is handled by `gitops-dispatch.yml`. You just call it.