ci: centralize Dagger calls in Taskfile and enforce standards via pre-commit

.forgejo/workflows/ci.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Install Dagger & Task
         run: |
           curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=/usr/local/bin sh
-          curl -sL https://taskfile.dev/install.sh | sh -s -- -b /usr/local/bin
+          go install github.com/go-task/task/v3/cmd/task@latest
           sudo apt-get update && sudo apt-get install -y stunnel4 netcat-openbsd
 
       - name: Setup Dagger Remote Engine (via stunnel)
@@ -32,7 +32,7 @@ jobs:
         run: scripts/setup_dagger_remote.sh
 
       - name: Run Full Check Suite
-        run: dagger call --progress=plain -m ci check
+        run: task check-dagger
 
   build-linux:
     name: Build Linux Release
@@ -66,9 +66,7 @@ jobs:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
           SSH_USER: ${{ secrets.SSH_USER }}
           SSH_HOST: ${{ secrets.SSH_HOST }}
-        run: |
-          HASH=$(git rev-parse --short HEAD)
-          dagger call --progress=plain -m ci deploy-linux --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
+        run: task deploy-linux
 
   deploy-playstore:
     name: Build & Deploy to Play Store
@@ -100,8 +98,7 @@ jobs:
         env:
           ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
           PLAY_STORE_CONFIG_JSON: ${{ secrets.PLAY_STORE_CONFIG_JSON }}
-        run: |
-          dagger call --progress=plain -m ci publish-android --play-store-config env:PLAY_STORE_CONFIG_JSON
+        run: task publish-android
 
       - name: Build & Deploy APK to server
         continue-on-error: true
@@ -110,9 +107,7 @@ jobs:
           SSH_USER: ${{ secrets.SSH_USER }}
           SSH_HOST: ${{ secrets.SSH_HOST }}
           ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
-        run: |
-          HASH=$(git rev-parse --short HEAD)
-          dagger call --progress=plain -m ci deploy-apk --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
+        run: task deploy-apk
 
   publish-website:
     name: Publish Website Build History
@@ -149,5 +144,4 @@ jobs:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
           SSH_USER: ${{ secrets.SSH_USER }}
           SSH_HOST: ${{ secrets.SSH_HOST }}
-        run: |
-          dagger call --progress=plain -m ci publish-website --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
+        run: task publish-website

.forgejo/workflows/website.yml

@@ -22,7 +22,7 @@ jobs:
       - name: Install Dagger & Task
         run: |
           curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=/usr/local/bin sh
-          curl -sL https://taskfile.dev/install.sh | sh -s -- -b /usr/local/bin
+          go install github.com/go-task/task/v3/cmd/task@latest
           sudo apt-get update && sudo apt-get install -y stunnel4 netcat-openbsd
 
       - name: Setup Dagger Remote Engine (via stunnel)
@@ -39,8 +39,7 @@ jobs:
           SSH_PRIVATE_KEY: ${{ secrets.WEBSITE_SSH_PRIVATE_KEY }}
           SSH_USER: ${{ secrets.WEBSITE_SSH_USER }}
           SSH_HOST: ${{ secrets.WEBSITE_SSH_HOST }}
-        run: |
-          dagger call --progress=plain -m ci publish-website --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
+        run: task publish-website
 
       - name: Verify Website
         env:

.pre-commit-config.yaml

@@ -30,3 +30,15 @@ repos:
         entry: bash -c 'cd "$(git rev-parse --show-toplevel)" && nix develop --command scripts/pre_commit_check.sh'
         pass_filenames: false
         always_run: true
+      - id: ci-no-direct-dagger
+        name: check for direct dagger calls in workflows (use Task instead)
+        language: system
+        entry: "bash -c 'git grep \"dagger call\" .forgejo/workflows/ && echo \"ERROR: Direct dagger calls found in workflows. Use Taskfile instead.\" && exit 1 || exit 0'"
+        pass_filenames: false
+        always_run: true
+      - id: dagger-progress-plain
+        name: ensure all dagger calls use --progress=plain
+        language: system
+        entry: "bash -c 'git grep \"dagger call\" -- \":!.pre-commit-config.yaml\" | grep -v \"\\-\\-progress=plain\" && echo \"ERROR: All dagger calls must include --progress=plain\" && exit 1 || exit 0'"
+        pass_filenames: false
+        always_run: true

Taskfile.yml

@@ -174,23 +174,60 @@ tasks:
   test-backend:
     desc: Backend tests against a local Stalwart mail server (via Dagger)
     cmds:
-      - dagger call -m ci test-backend --source .
+      - dagger call --progress=plain -m ci test-backend --source .
 
   integration-ui:
     desc: UI E2E tests on Linux via Xvfb — headless, no emulator needed (via Dagger)
     cmds:
-      - dagger call -m ci test-integration --source .
+      - dagger call --progress=plain -m ci test-integration --source .
 
   sync-reliability:
     desc: Run sync reliability runner (via Dagger)
     cmds:
-      - dagger call -m ci test-sync-reliability --source .
+      - dagger call --progress=plain -m ci test-sync-reliability --source .
 
   stalwart:
     desc: Start a Stalwart instance for local development (via Dagger)
     cmds:
       - echo "Starting Stalwart on default ports (JMAP=8080, IMAP=1430, SMTP=1025, SIEVE=4190)"
-      - dagger call -m ci stalwart up --ports 8080:8080 --ports 1430:1430 --ports 1025:1025 --ports 4190:4190
+      - dagger call --progress=plain -m ci stalwart up --ports 8080:8080 --ports 1430:1430 --ports 1025:1025 --ports 4190:4190
+
+  deploy-linux:
+    desc: Build and deploy Linux release via Dagger
+    preconditions:
+      - sh: test -n "$SSH_PRIVATE_KEY"
+        msg: "SSH_PRIVATE_KEY is not set"
+    cmds:
+      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -m ci deploy-linux --source . --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
+
+  publish-android:
+    desc: Build and publish Android App Bundle to Play Store via Dagger
+    preconditions:
+      - sh: test -n "$PLAY_STORE_CONFIG_JSON"
+        msg: "PLAY_STORE_CONFIG_JSON is not set"
+    cmds:
+      - dagger call --progress=plain -m ci publish-android --source . --play-store-config env:PLAY_STORE_CONFIG_JSON
+
+  deploy-apk:
+    desc: Build and deploy Android APK via Dagger
+    preconditions:
+      - sh: test -n "$SSH_PRIVATE_KEY"
+        msg: "SSH_PRIVATE_KEY is not set"
+    cmds:
+      - HASH=$(git rev-parse --short HEAD) && dagger call --progress=plain -m ci deploy-apk --source . --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST" --commit-hash "$HASH"
+
+  publish-website:
+    desc: Build and publish website via Dagger
+    preconditions:
+      - sh: test -n "$SSH_PRIVATE_KEY"
+        msg: "SSH_PRIVATE_KEY is not set"
+    cmds:
+      - dagger call --progress=plain -m ci publish-website --source . --ssh-key env:SSH_PRIVATE_KEY --ssh-user "$SSH_USER" --ssh-host "$SSH_HOST"
+
+  check-dagger:
+    desc: Run full check suite via Dagger
+    cmds:
+      - dagger call --progress=plain -m ci check --source .
 
   integration-android:
     desc: UI integration tests on a connected Android emulator (Stalwart on host, emulator reaches it via 10.0.2.2)