# Intake: Migrate Workflows to GitHub Actions

**Change**: 260406-vhk4-migrate-workflows-github-actions
**Created**: 2026-04-06
**Status**: Draft

## Origin

> Migrate the GitHub workflows ending with `*-gcp` to be compatible with GitHub Actions. Currently used inside a self-hosted Gitea instance. Once migrated, the repo moves to GitHub directly.

Conversational mode — extensive discussion preceded this intake. User confirmed all key decisions (see Assumptions).

## Why

The build-tools repo currently lives on a self-hosted Gitea instance. The organization is moving it to GitHub. The `*-gcp` workflow variants already use GitHub-compatible actions (`google-github-actions/auth@v2`, `actions/checkout@v4`, etc.) but one workflow (`push-s3-gcp.yml`) references a Gitea-hosted action (`https://git.gmetri.io/gmetribin/aws-cli-action@v1.0.0`) that GitHub Actions cannot resolve. The non-GCP workflows use Gitea-specific registry credentials (`docker_repo2_*`) that won't be needed on GitHub.

Without this change, the repo cannot be moved to GitHub — workflows would fail on first run.

## What Changes

### 1. Archive non-GCP workflows

Move these 4 files to `.github/workflows/archive/`:

- `base-build-image.yml`
- `dispatch-container-base.yml`
- `push-container.yml`
- `push-s3.yml`

### 2. Rename GCP workflows (drop `-gcp` suffix)

- `base-build-image-gcp.yml` → `base-build-image.yml`
- `dispatch-container-base-gcp.yml` → `dispatch-container-base.yml`
- `push-container-gcp.yml` → `push-container.yml`
- `push-s3-gcp.yml` → `push-s3.yml`

### 3. Fix `push-s3.yml` (formerly `push-s3-gcp.yml`)

Replace the Gitea-hosted `aws-cli-action` with the pattern from `dg2n-core`:

```yaml
# Replace this:
- name: Upload cloud files
  uses: https://git.gmetri.io/gmetribin/aws-cli-action@v1.0.0
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
    ...
  with:
    args: >
      s3 cp ...

# With this:
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: ${{ vars.AWS_DEFAULT_REGION }}
- name: Upload cloud files
  run: |
    aws s3 cp \
      --recursive \
      --cache-control max-age=31536000 \
      --storage-class STANDARD_IA \
      cloud/ s3://${{ vars.AWS_UPLOAD_BUCKET }}/${{ env.REPO_SHORT_NAME }}/${{ steps.get-id.outputs.BUILD_ID }}
```

Also uppercase the AWS secret/var names to match dg2n-core convention: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_DEFAULT_REGION`, `AWS_UPLOAD_BUCKET`.

### 4. No changes to other workflows

These 5 workflows remain untouched — they already use standard GitHub Actions:

- `pr-lint-and-check.yml`
- `push-code-test.yml`
- `push-code-scan.yml`
- `push-npm.yml`
- `push-npm-from-container.yml`

## Affected Memory

- None — no spec-level behavior changes requiring memory updates.

## Impact

- `.github/workflows/` — 4 files archived, 4 files renamed, 1 file content-modified
- All consuming repos that call these reusable workflows will need to update their `uses:` references to drop the `-gcp` suffix
- GCP auth pattern (secrets/vars) stays identical — no infra changes needed
- Grype scanning stays disabled (commented out) in all GCP workflows

## Open Questions

- None — all questions resolved in discussion.

## Assumptions

| # | Grade | Decision | Rationale | Scores |
|---|-------|----------|-----------|--------|
| 1 | Certain | Non-GCP workflows archived, not deleted | Discussed — user explicitly said "put them in an archive folder" | S:95 R:90 A:95 D:90 |
| 2 | Certain | GCP workflows renamed to drop `-gcp` suffix | Discussed — user confirmed "yes lets remove gcp suffix" | S:95 R:85 A:90 D:85 |
| 3 | Certain | Grype scanning stays disabled | Discussed — user said "dont enable grype scanning" | S:95 R:90 A:95 D:95 |
| 4 | Certain | Use `aws-actions/configure-aws-credentials@v4` + inline `aws s3 cp` instead of custom action | Discussed — follows dg2n-core pattern, user pointed to that repo as reference | S:95 R:90 A:90 D:85 |
| 5 | Certain | AWS secret/var names uppercased to match dg2n-core convention | Discussed — user said dg2n-core has correct env vars/secrets config | S:90 R:85 A:90 D:85 |
| 6 | Certain | Use GitHub-hosted `ubuntu-22.04` runners | Discussed — user confirmed standard GitHub runners, was using self-hosted on Gitea | S:95 R:90 A:95 D:90 |
| 7 | Certain | `push-s3-gcp.yml` hybrid (GCP Docker + AWS S3) stays as-is | Discussed — user confirmed "yes" | S:90 R:85 A:90 D:90 |
| 8 | Confident | Other 5 workflows need no changes | Discussed — user confirmed "yes rest remain untouched", though npm workflows have gmetri email which user said is fine to keep | S:85 R:80 A:85 D:80 |
| 9 | Confident | Archive folder is `.github/workflows/archive/` | Reasonable default — user said "archive folder" without specifying exact path | S:80 R:75 A:85 D:80 |

9 assumptions (7 certain, 2 confident, 0 tentative, 0 unresolved).
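
The migration blockers described under Why and Impact can be checked mechanically before the move. This is an added example, not part of the original intake or the build-tools repo: it flags URL-form `uses:` references, `docker_repo2_*` secret references, and `uses:` references that still carry the `-gcp` suffix. The sample workflow, the `example-org` owner and the `docker_repo2_password` name are constructed for illustration.

```python
import re

# Patterns for the three migration blockers this intake names.
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
GITEA_SECRET = re.compile(r"secrets\.(docker_repo2_\w+)", re.IGNORECASE)
GCP_WORKFLOW = re.compile(r"-gcp\.ya?ml(?:@|$)")


def audit_workflow(text):
    """Return (line_no, kind, value) findings for one workflow file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out steps (e.g. disabled Grype) are ignored
        m = USES.match(line)
        if m:
            ref = m.group(1)
            if re.match(r"https?://", ref):
                # URL-form reference (Gitea style); GitHub expects owner/repo@ref
                findings.append((no, "url-action", ref))
            elif GCP_WORKFLOW.search(ref):
                # Caller still points at a workflow file that will be renamed
                findings.append((no, "gcp-suffix", ref))
        for s in GITEA_SECRET.finditer(line):
            findings.append((no, "gitea-registry-secret", s.group(1)))
    return findings


# Constructed sample: a hypothetical consuming repo's workflow, not a real file.
SAMPLE = """\
jobs:
  build:
    uses: example-org/build-tools/.github/workflows/push-container-gcp.yml@main
  upload:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - name: Upload cloud files
        uses: https://git.gmetri.io/gmetribin/aws-cli-action@v1.0.0
      # uses: https://git.gmetri.io/gmetribin/aws-cli-action@v1.0.0
      - run: echo "${{ secrets.docker_repo2_password }}" | docker login -u x --password-stdin
"""

if __name__ == "__main__":
    for no, kind, value in audit_workflow(SAMPLE):
        print(f"line {no}: {kind}: {value}")
```

Run it over every file in `.github/workflows/` and in each consuming repo; an empty result means none of the three patterns remain.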