cleanup: remove unused GitHub Actions workflows and migrate PR Guard to Gitea

Deleted unused `.github` workflows and configurations, including obsolete CI/CD pipelines and PR templates, which were no longer executed after the migration to Gitea. Migrated the `PR Guard` workflow for hardcoded version checks to `.gitea/workflows/pr-guard.yaml`. Verified functional workflows in Gitea (e.g., Docker publish). Documented changes and rationale in session logs. Signed-off-by: Stefan Mogeritsch <stefan.mo.co@gmail.com>
2026-03-09 13:03:57 +01:00
parent 23e08403f1
commit 4ae11e6668
12 changed files with 34 additions and 748 deletions
@@ -1,9 +1,7 @@
 name: PR Guard
 on:
  pull_request:
    branches: [ "**" ]
 jobs:
  no-hardcoded-versions:
    runs-on: ubuntu-latest
@@ -1,38 +0,0 @@
 {
  "ignorePatterns": [
    {
      "pattern": "^http://localhost"
    },
    {
      "pattern": "^https://localhost"
    },
    {
      "pattern": "^http://127.0.0.1"
    },
    {
      "pattern": "^https://127.0.0.1"
    },
    {
      "pattern": "^XXXX-filename\\.md$"
    }
  ],
  "replacementPatterns": [
    {
      "pattern": "^/",
      "replacement": "{{BASEURL}}/"
    }
  ],
  "httpHeaders": [
    {
      "urls": ["https://github.com"],
      "headers": {
        "Accept": "text/html"
      }
    }
  ],
  "timeout": "20s",
  "retryOn429": true,
  "retryCount": 3,
  "fallbackRetryDelay": "30s",
  "aliveStatusCodes": [200, 206]
 }
@@ -1,15 +0,0 @@
 ## Ziel
 Kurze Beschreibung des Ziels/Problems und was dieser PR löst.
 ## Änderungen
 -
 ## Prüfliste (Definition of Done)
 - [ ] CI grün (Backend/Docs)
 - [x] Doku-Front‑Matter vorhanden und valide (`modul`, `status`, `summary`, optional `last_reviewed`, `review_cycle`, `yt_epic/yt_issues`)
 - [ ] Links geprüft (CI Link‑Checker läuft grün)
 - [ ] Falls relevant: YouTrack‑Key im PR‑Titel/Commit enthalten (z. B. MP-7)
 - [ ] Bei Architekturänderung: ADR aktualisiert und verlinkt
 ## Screenshots/Notizen (optional)
 -
@@ -1,124 +0,0 @@
 name: CI - Main Pipeline
 permissions:
  contents: read
 concurrency:
  group: ci-main-${{ github.ref }}
  cancel-in-progress: true
 on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
 jobs:
  # ========================================
  # 1. Docker SSoT (bleibt wie ist)
  # ========================================
  docker-ssot:
    name: Docker SSoT Validation
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Validate Docker SSoT (compat mode)
        if: ${{ hashFiles('scripts/docker-versions-update.sh') != '' && hashFiles('scripts/generate-compose-files.sh') != '' && hashFiles('scripts/validate-docker-consistency.sh') != '' }}
        run: |
          bash scripts/docker-versions-update.sh sync
          bash scripts/generate-compose-files.sh all development
          bash scripts/validate-docker-consistency.sh all
      - name: Validate Docker SSoT (envless mode)
        if: ${{ hashFiles('scripts/generate-compose-files.sh') != '' && hashFiles('scripts/validate-docker-consistency.sh') != '' }}
        run: |
          DOCKER_SSOT_MODE=envless bash scripts/generate-compose-files.sh all development
          DOCKER_SSOT_MODE=envless bash scripts/validate-docker-consistency.sh all
      - name: Lint docker-compose (fallback)
        if: ${{ hashFiles('scripts/validate-docker-consistency.sh') == '' }}
        run: docker compose -f docker/docker-compose.yaml config
  # ========================================
  # 2. OpenAPI Validation (nur Lint)
  # ========================================
  validate-openapi:
    name: Validate OpenAPI Specs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '20'
      - name: Install Spectral
        run: npm install -g @stoplight/spectral-cli
      - name: Validate OpenAPI
        run: |
          spectral lint backend/gateway/src/main/resources/openapi/documentation.yaml \
            --ruleset .spectral.yaml \
            --fail-severity error
  # ========================================
  # 3. Markdown Docs (nur kritische)
  # ========================================
  validate-docs:
    name: Validate Essential Docs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Lint Critical Markdown
        uses: DavidAnson/markdownlint-cli2-action@v21
        with:
          globs: |
            README.md
            docs/README.md
            docs/01_Architecture/adr/**/*.md
            docs/02_Onboarding/Development/start-local.md
      - name: Check Links in ADRs
        uses: gaurav-nelson/github-action-markdown-link-check@v1
        with:
          config-file: '.github/markdown-link-check.json'
          folder-path: 'docs/01_Architecture/adr/'
          use-quiet-mode: 'yes'
  # ========================================
  # 4. Build & Test
  # ========================================
  build-test:
    name: Build and Test
    runs-on: ubuntu-latest
    needs: [ docker-ssot, validate-openapi, validate-docs ]
    steps:
      - uses: actions/checkout@v6
      - name: Setup JDK 25
        uses: actions/setup-java@v5
        with:
          java-version: '25'
          distribution: 'temurin'
          cache: gradle
      - name: Build
        run: ./gradlew staticAnalysis build -x test
      - name: Check Bundle Budgets
        run: ./gradlew checkBundleBudget
      - name: Test
        run: ./gradlew test
      - name: Upload OpenAPI Specs (Artifact)
        uses: actions/upload-artifact@v5
        with:
          name: openapi-specs
          path: docs/api/generated/*.json
          retention-days: 30
        continue-on-error: true
@@ -1,196 +0,0 @@
 # ===================================================================
 # GitHub Actions - Automatisches Deployment auf Proxmox-Server
 # Meldestelle Project - CI/CD Pipeline
 # ===================================================================
 name: Deploy Proxmox (manual)
 permissions:
  contents: read
 concurrency:
  group: deploy-proxmox-${{ github.ref }}
  cancel-in-progress: true
 on:
  workflow_dispatch: # Manueller Trigger
 env:
  DOCKER_COMPOSE_VERSION: "v2.20.0"
 jobs:
  # ===================================================================
  # Build & Test
  # ===================================================================
  build-and-test:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Code
      uses: actions/checkout@v6
    - name: Set up JDK 25
      uses: actions/setup-java@v5
      with:
        java-version: '25'
        distribution: 'temurin'
    - name: Cache Gradle dependencies
      uses: actions/cache@v4
      with:
        path: |
          ~/.gradle/caches
          ~/.gradle/wrapper
        key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
        restore-keys: |
          ${{ runner.os }}-gradle-
    - name: Grant execute permission for gradlew
      run: chmod +x gradlew
    - name: Static Analysis
      run: ./gradlew staticAnalysis --no-daemon || true
    - name: Build (all)
      run: ./gradlew build -x test --no-daemon
    - name: Test (all)
      run: ./gradlew test --no-daemon || true  # Allow failure for now
  # ===================================================================
  # Deploy to Proxmox (nur bei main branch)
  # ===================================================================
  deploy:
    needs: build-and-test
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch'
    steps:
    - name: Checkout Code
      uses: actions/checkout@v6
    - name: Setup SSH Key
      uses: webfactory/ssh-agent@v0.8.0
      with:
        ssh-private-key: ${{ secrets.PROXMOX_SSH_PRIVATE_KEY }}
    - name: Add Proxmox to known_hosts
      run: |
        ssh-keyscan -H ${{ secrets.PROXMOX_HOST }} >> ~/.ssh/known_hosts
    - name: Deploy to Proxmox Server
      env:
        PROXMOX_HOST: ${{ secrets.PROXMOX_HOST }}
        PROXMOX_USER: ${{ secrets.PROXMOX_USER }}
        DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
      run: |
        ssh $PROXMOX_USER@$PROXMOX_HOST << 'ENDSSH'
          set -e
          # Navigate to deployment directory
          cd ${{ secrets.DEPLOY_PATH }}
          # Pull latest changes
          echo "🔄 Pulling latest changes from GitHub..."
          git fetch origin
          git reset --hard origin/main
          # Create backup of current environment
          echo "💾 Creating backup..."
          cp .env .env.backup.$(date +%Y%m%d_%H%M%S) || true
          # Stop existing services
          echo "🛑 Stopping existing services..."
          docker compose --env-file docker/.env -f docker/docker-compose.yaml down || true
          # Clean up old images (optional)
          echo "🧹 Cleaning up old images..."
          docker image prune -f || true
          # Build new images
          echo "🏗️ Building new images..."
          docker compose --env-file docker/.env -f docker/docker-compose.yaml build
          # Start infrastructure first
          echo "🚀 Starting infrastructure..."
          docker compose --env-file docker/.env -f docker/docker-compose.yaml up -d
          # Wait for infrastructure to be ready
          echo "⏳ Waiting for infrastructure..."
          sleep 30
          # Start services
          echo "🚀 Starting services..."
          # Start services (already included in main compose file)
          docker compose --env-file docker/.env -f docker/docker-compose.yaml up -d
          # Wait for services to be ready
          echo "⏳ Waiting for services..."
          sleep 30
          # Start clients
          echo "🚀 Starting clients..."
          # Start clients (already included in main compose file)
          docker compose --env-file docker/.env -f docker/docker-compose.yaml up -d
          # Health check
          echo "🏥 Running health checks..."
          sleep 60
          # Check service status
          echo "📊 Service Status:"
          docker compose --env-file docker/.env -f docker/docker-compose.yaml ps
          # Check logs for errors
          echo "📋 Recent logs:"
          docker compose --env-file docker/.env -f docker/docker-compose.yaml logs --tail=50
          echo "✅ Deployment completed successfully!"
        ENDSSH
    - name: Verify Deployment
      env:
        PROXMOX_HOST: ${{ secrets.PROXMOX_HOST }}
        PROXMOX_USER: ${{ secrets.PROXMOX_USER }}
      run: |
        echo "🔍 Verifying deployment..."
        # Check if services are responding
        ssh $PROXMOX_USER@$PROXMOX_HOST << 'ENDSSH'
          # Check API Gateway health
          curl -f http://localhost:8081/actuator/health || echo "❌ API Gateway health check failed"
          # Check Consul
          curl -f http://localhost:8500/v1/status/leader || echo "❌ Consul health check failed"
          # Check Web-App
          curl -f http://localhost:4000/health || echo "❌ Web-App health check failed"
          # Check VNC
          curl -f http://localhost:6080/ || echo "❌ VNC health check failed"
          echo "✅ Health checks completed"
        ENDSSH
  # ===================================================================
  # Notification (Optional)
  # ===================================================================
  notify:
    needs: [build-and-test, deploy]
    runs-on: ubuntu-latest
    if: always()
    steps:
    - name: Notify Success
      if: needs.deploy.result == 'success'
      run: |
        echo "✅ Deployment to Proxmox successful!"
        echo "🌐 Web-App: https://meldestelle.yourdomain.com"
        echo "🖥️ Desktop-VNC: https://vnc.meldestelle.yourdomain.com"
        echo "🔗 API: https://api.meldestelle.yourdomain.com"
    - name: Notify Failure
      if: needs.deploy.result == 'failure'
      run: |
        echo "❌ Deployment to Proxmox failed!"
        echo "Check the logs above for details."
@@ -1,57 +0,0 @@
 name: KDoc → YouTrack KB Sync
 permissions:
  contents: read
 concurrency:
  group: kdoc-sync-${{ github.ref }}
  cancel-in-progress: true
 on:
  workflow_dispatch:
    inputs:
      kb_root_title:
        description: "Root-Titel der YouTrack KB (z. B. 'API & Entwicklerdoku')"
        required: true
        default: "API & Entwicklerdoku"
      bc_root:
        description: "Ordner unterhalb des KB-Roots für BCs (z. B. 'BCs')"
        required: false
        default: "BCs"
 jobs:
  kdoc-sync:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Setup JDK 25
        uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: '25'
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v5
      - name: Build Dokka (GFM)
        run: |
          ./gradlew --no-daemon dokkaGfmAll || ./gradlew --no-daemon dokkaGfm
      - name: Python deps for YouTrack sync
        run: |
          python -m pip install --upgrade pip
          pip install requests pyyaml
      - name: Sync KDoc Markdown to YouTrack KB
        if: ${{ hashFiles('.junie/scripts/youtrack-sync-kb.py') != '' }}
        env:
          YT_URL: ${{ secrets.YT_URL }}
          YT_TOKEN: ${{ secrets.YT_TOKEN }}
          KB_ROOT_TITLE: ${{ github.event.inputs.kb_root_title }}
          KB_BC_ROOT: ${{ github.event.inputs.bc_root }}
        run: |
          python .junie/scripts/youtrack-sync-kb.py --src build/dokka/gfm
@@ -1,229 +0,0 @@
 name: Integration Tests
 permissions:
  contents: read
 concurrency:
  group: integration-tests-${{ github.ref }}
  cancel-in-progress: true
 on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
 jobs:
  integration-tests:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        keycloak_db: [postgres, dev-file]
    env:
      KEYCLOAK_VERSION: "26.4.2"
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_USER: meldestelle
          POSTGRES_PASSWORD: meldestelle
          POSTGRES_DB: meldestelle
        ports:
          - 5432:5432
        options: >-
          --health-cmd "pg_isready -U meldestelle -d $${POSTGRES_DB}"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 12
          --health-start-period 20s
      redis:
        image: redis:7-alpine
        ports:
          - 6379:6379
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      zookeeper:
        image: confluentinc/cp-zookeeper:7.5.0
        env:
          ZOOKEEPER_CLIENT_PORT: 2181
        ports:
          - 2181:2181
        options: >-
          --health-cmd "nc -z localhost 2181 || exit 1"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 3
          --health-start-period 10s
      kafka:
        image: confluentinc/cp-kafka:7.5.0
        env:
          KAFKA_BROKER_ID: 1
          KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
          KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:29092,PLAINTEXT_HOST://localhost:9092
          KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT
          KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT
          KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
        ports:
          - 9092:9092
        options: >-
          --health-cmd "kafka-topics --bootstrap-server localhost:9092 --list || exit 1"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 3
          --health-start-period 30s
      zipkin:
        image: openzipkin/zipkin:2
        ports:
          - 9411:9411
        options: >-
          --health-cmd "wget -q -O - http://localhost:9411/health || exit 1"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 3
          --health-start-period 10s
    steps:
      - uses: actions/checkout@v6
      - name: Set up JDK 25
        uses: actions/setup-java@v5
        with:
          java-version: 25
          distribution: 'temurin'
          cache: 'gradle'
      - name: Setup Gradle (modern)
        uses: gradle/actions/setup-gradle@v5
      - name: Wait for Postgres to be ready (pg_isready in service network)
        if: ${{ matrix.keycloak_db == 'postgres' }}
        run: |
          echo "Waiting for Postgres..."
          for i in {1..40}; do
            if docker run --rm --network ${{ job.services.postgres.network }} \
              postgres:16-alpine pg_isready -h postgres -p 5432 -U meldestelle -d meldestelle; then
              echo "Postgres is ready"; break; fi; echo -n "."; sleep 3; done
      - name: Start Keycloak with Postgres (dev) and wait for readiness
        if: ${{ matrix.keycloak_db == 'postgres' }}
        run: |
          set -euo pipefail
          echo "Starting Keycloak (DB=postgres)..."
          docker run -d --name keycloak \
            --network ${{ job.services.postgres.network }} \
            -p 8180:8080 \
            -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
            -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
            -e KC_DB=postgres \
            -e KC_DB_URL=jdbc:postgresql://postgres:5432/meldestelle \
            -e KC_DB_USERNAME=meldestelle \
            -e KC_DB_PASSWORD=meldestelle \
            -e KC_HEALTH_ENABLED=true \
            -e JAVA_OPTS="-Xms256m -Xmx1024m -XX:MaxRAMPercentage=60" \
            quay.io/keycloak/keycloak:${{ env.KEYCLOAK_VERSION }} \
            start-dev
          echo "Giving Keycloak 30s to initialize..."; sleep 30
          wait_for() {
            local url="$1"; local label="$2"; local timeout="${3:-180}"; local interval="${4:-5}"
            echo "Waiting for $label ($url) ..."
            if ! timeout ${timeout}s bash -c 'until curl -fsS --output /dev/null '"$url"'; do echo -n "."; sleep '"$interval"'; done'; then
              echo "\n[WAIT] Timeout on $url"
              return 1
            fi
            echo "\n[WAIT] $label is up"
          }
          if ! wait_for http://localhost:8180/ "root" 180 5; then
            docker logs --tail=200 keycloak || true
            exit 1
          fi
          if ! wait_for http://localhost:8180/health "health" 180 5; then
            echo "[INFO] /health nicht erreichbar – versuche /q/health (Quarkus default)"
            wait_for http://localhost:8180/q/health "q-health" 180 5 || true
          fi
          wait_for http://localhost:8180/health/ready "health-ready" 300 5 || true
          wait_for http://localhost:8180/admin/master/console/ "admin-console" 300 5 || (docker logs --tail=400 keycloak && exit 1)
      - name: Start Keycloak with dev-file (no Postgres) and wait for readiness
        if: ${{ matrix.keycloak_db == 'dev-file' }}
        run: |
          set -euo pipefail
          echo "Starting Keycloak (DB=dev-file, no Postgres)..."
          docker run -d --name keycloak \
            -p 8180:8080 \
            -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
            -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
            -e KC_DB=dev-file \
            -e KC_HEALTH_ENABLED=true \
            -e JAVA_OPTS="-Xms256m -Xmx1024m -XX:MaxRAMPercentage=60" \
            quay.io/keycloak/keycloak:${{ env.KEYCLOAK_VERSION }} \
            start-dev
          echo "Giving Keycloak 20s to initialize..."; sleep 20
          wait_for() {
            local url="$1"; local label="$2"; local timeout="${3:-180}"; local interval="${4:-5}"
            echo "Waiting for $label ($url) ..."
            if ! timeout ${timeout}s bash -c 'until curl -fsS --output /dev/null '"$url"'; do echo -n "."; sleep '"$interval"'; done'; then
              echo "\n[WAIT] Timeout on $url"
              return 1
            fi
            echo "\n[WAIT] $label is up"
          }
          if ! wait_for http://localhost:8180/ "root" 180 5; then
            docker logs --tail=200 keycloak || true
            exit 1
          fi
          if ! wait_for http://localhost:8180/health "health" 180 5; then
            echo "[INFO] /health nicht erreichbar – versuche /q/health (Quarkus default)"
            wait_for http://localhost:8180/q/health "q-health" 180 5 || true
          fi
          wait_for http://localhost:8180/health/ready "health-ready" 300 5 || true
          wait_for http://localhost:8180/admin/master/console/ "admin-console" 300 5 || (docker logs --tail=400 keycloak && exit 1)
      - name: Grant execute permission for gradlew
        run: chmod +x gradlew
      - name: Static Analysis
        run: ./gradlew staticAnalysis --no-daemon
      - name: Run integration tests
        run: ./gradlew integrationTest --no-daemon --parallel
        env:
          # Environment variables for Redis connection
          REDIS_HOST: localhost
          REDIS_PORT: 6379
          # Keycloak base URL for integration tests (manual container)
          KEYCLOAK_AUTH_SERVER_URL: http://localhost:8180
          # Spring profile for integration tests
          SPRING_PROFILES_ACTIVE: integration-test
      - name: Upload test reports
        uses: actions/upload-artifact@v5
        if: always()
        with:
          name: integration-test-reports
          path: |
            **/build/reports/tests/integrationTest/
            **/build/test-results/integrationTest/
          retention-days: 7
      - name: Dump service logs (Keycloak, Postgres)
        if: always()
        run: |
          echo "=== Docker ps ===" && docker ps -a || true
          echo "=== Keycloak logs (tail) ===" && docker logs --tail=400 keycloak || true
          echo "=== Postgres logs (tail) ===" && docker logs --tail=200 $(docker ps -a --filter "name=postgres" --format "{{.ID}}") || true
@@ -1,25 +0,0 @@
 name: Docker SSoT Guard (Minimal)
 on:
  push:
    paths:
      - 'docker/**'
      - '.github/workflows/ssot-guard.yml'
  pull_request:
    paths:
      - 'docker/**'
      - '.github/workflows/ssot-guard.yml'
 jobs:
  check-compose-config:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # FIX: .env aus Example erstellen, damit Variablen da sind
      - name: Create .env context
        run: cp docker/.env.example docker/.env
      # FIX: .yaml Extension nutzen (SSoT)
      - name: Validate Docker Compose Config
        run: docker compose --env-file docker/.env -f docker/docker-compose.yaml config
@@ -1,59 +0,0 @@
 name: YouTrack Sync (on merge)
 permissions:
  contents: read
  id-token: write
 concurrency:
  group: youtrack-sync-${{ github.ref }}
  cancel-in-progress: true
 on:
  push:
    branches: [ main ]
 jobs:
  notify:
    runs-on: ubuntu-latest
    # Secrets als Umgebungsvariablen für den Job verfügbar machen
    env:
      YT_URL: ${{ secrets.YT_URL }}
      YT_TOKEN: ${{ secrets.YT_TOKEN }}
    steps:
      # WICHTIG: Checkout ist notwendig, damit "git log" funktioniert
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # Notwendig, um die Commit-Historie für "git log" zu laden
      - name: Comment to YouTrack Issue(s)
        # Wir haben das problematische "if: ${{ secrets... }}" entfernt.
        # Die Prüfung findet nun sicher im Shell-Skript statt.
        run: |
          set -euo pipefail
          # 1. Prüfen, ob Secrets vorhanden sind (Shell-Ebene)
          if [ -z "${YT_URL:-}" ] || [ -z "${YT_TOKEN:-}" ]; then
            echo "Skipping: YT_URL or YT_TOKEN is not set."
            exit 0
          fi
          # 2. Commit Message nach Issue-Keys durchsuchen
          KEYS=$(git log -1 --pretty=%B | grep -o '[A-Z]\+-[0-9]\+' | sort -u || true)
          if [ -z "$KEYS" ]; then
            echo "No issue keys in last commit message. Skipping."
            exit 0
          fi
          # 3. Kommentar an YouTrack senden
          for ISSUE in $KEYS; do
            MSG=$(printf 'PR/Commit gemergt: %s\nRepo: %s\nCommit: %s' "${{ github.event.head_commit.url }}" "${{ github.repository }}" "${{ github.sha }}")
            echo "Posting comment to $ISSUE..."
            curl -sS -X POST \
              -H "Authorization: Bearer $YT_TOKEN" \
              -H "Accept: application/json" \
              -H "Content-Type: application/json" \
              "$YT_URL/api/issues/$ISSUE/comments" \
              -d "{\"text\": \"$MSG\"}"
          done
@@ -13,9 +13,9 @@ owner: DevOps Engineer
 * ✅ **Gitea Secrets Finalisierung:** Erstellen der Secrets 
  * `REGISTRY_TOKEN` und 
  * `REGISTRY_USER` im Repository „Meldestelle“ (Umgehung der `GITEA_`-Namenssperre).
-*[ ] **Runner-Stabilisierung:** 
+*[x] **Runner-Stabilisierung:** _(verifiziert 2026-03-09: Screenshot bestätigt)_
-  * Prüfen des Systemd-Status von `act_runner` im Container `infra-runner`.
+  * `act_runner` ist `active (running)` seit 06.03.2026, `enabled; preset: enabled`.
-*[ ] Sicherstellen, dass der Status im Gitea-Interface von „Inaktiv“ auf „Aktiv“ springt.
+*[x] Status im Gitea-Interface: Runner ist **Aktiv** (läuft Tasks seit 06.03.2026).
 *[ ] **Erster Test-Build:** 
  * Erstellen eines Test-Projekts und 
  * Push aus der IDEA auslösen und das Log-Streaming in Gitea Actions verfolgen.
@@ -195,6 +195,37 @@ fachliche Implementierung war bereits vorhanden. Ein einziger kritischer Bug gef
  Backend `@RequestParam` erwartet `?since=...` — Delta-Sync lieferte immer alle Daten.
 - **Fix:** `url.parameters.append("lastSyncTimestamp", ...)` → `url.parameters.append("since", ...)`
 ## ✅ Gitea-Pipeline & Runner Analyse (2026-03-09, gleiche Session)
 ### Befund: Aktiver CI/CD-Kern
 - `.gitea/workflows/docker-publish.yaml` ist der einzige aktiv ausgeführte Workflow — grün seit 06.03.2026.
 - Matrix: 4 Services (`keycloak`, `api-gateway`, `ping-service`, `web-app`), `max-parallel: 1` (RAM-Schutz).
 - Native `linux/arm64`-Builds auf VM 102 (`10.0.0.23`), Push in interne Registry `10.0.0.22:3000`.
 ### Verifiziert (Screenshot 2026-03-09_12-47)
 - `insecure-registries: ["10.0.0.22:3000"]` permanent in `/etc/docker/daemon.json` gesetzt ✅
 - `act_runner`: `active (running)` seit 06.03.2026, `enabled; preset: enabled` ✅
 - `systemctl is-enabled act_runner` → `enabled` ✅
 ### Bereinigung `.github/`-Ordner
 - **Problem:** 6 GitHub Actions Workflows in `.github/workflows/` — auf Gitea nie ausgeführt (toter Code).
 - **Zusätzlich:** `ci-main.yml`, `deploy-proxmox.yml`, `ssot-guard.yml` referenzierten falschen Pfad
  `docker/docker-compose.yaml`.
 - **Fix:** `pr-guard.yml` (prüft hartcodierte Versionen in `build.gradle.kts`) nach `.gitea/workflows/pr-guard.yaml`
  migriert.
 - **Fix:** Gesamten `.github/`-Ordner gelöscht.
 - `youtrack-sync.yml` war nicht aktiv und wurde mitgelöscht — kein Handlungsbedarf.
 ### Aktive Workflows nach Bereinigung
 | Datei                                  | Trigger      | Zweck                                          |
 |----------------------------------------|--------------|------------------------------------------------|
 | `.gitea/workflows/docker-publish.yaml` | Push `main`  | Build & Push aller Docker-Images               |
 | `.gitea/workflows/pr-guard.yaml`       | Pull Request | Prüft hartcodierte Versionen in Gradle-Dateien |
 ## 🔜 Nächste Schritte
 - **TLS/HTTPS** — Langfristig: `KC_HOSTNAME_STRICT_HTTPS=true` setzen, sobald TLS eingerichtet ist.