Drop-in from fai/platform .forgejo/workflow-templates/
sign-bundle-keypair.yml. Triggers on v*.*.* tag push: builds
wasm32-wasip2, fetches the fai CLI from get.fai.flemming.ai,
packs the bundle, ECDSA P-256 signs it against the org-level
Forgejo secret FAI_SIGNING_KEY, round-trip-verifies against
infra/cosign/official.pub on fai/platform main, and attaches
bundle + .sig to the Forgejo Release via the API.
Signed-off-by: flemming-it <sf@flemming.it>
The previous workflow was a copy of the pre-SDK template — it
did the own-repo checkout but had no provision for fetching
fai-module-sdk from git.flemming.ws/fai/module-sdk. After the
v0.3.0 SDK migration, every CI run failed at the cargo fetch
stage because the runner had no credential for the cross-org
private repo.
Adopt the same pattern that text-extract and llm-chat already
use: a MODULE_SDK_PAT actions secret, CARGO_NET_GIT_FETCH_WITH_CLI=true,
and a 'git config url.X.insteadOf Y' that injects the token
into any outgoing git.flemming.ws URL transparently.
Bumps the module to 0.3.2 (patch — CI infrastructure only,
behaviour unchanged).
Signed-off-by: flemming-it <sf@flemming.it>
Mirrors the workflow in fai/platform: Linux x86_64 only, manual
checkout via the external URL to bypass DinD network isolation,
fmt/clippy/build/test on host, plus an explicit wasm32-wasip2
release build to confirm the module still produces a valid WASM
component.
See fai/platform docs/architecture/ci.md for the rationale on
why we don't use actions/checkout.
Signed-off-by: flemming-it <sf@flemming.it>