feat(workflows): add ci-test, ci-build, and deploy-staging reusable workflows

[troykelly]

Summary

Adds three missing reusable workflow templates to complete the standard 5-stage CI/CD pipeline across all Aperim product repos (APE-1615).

Before: only (lint + typecheck) and
After: full pipeline coverage via shared, call-site-configurable workflows

New workflows

Workflow	Stage	Description
	Test	pnpm test runner (Vitest/Jest); configurable command, optional coverage
	Build	Production build with pre/post hooks and optional artifact upload
	Deploy	Docker image → GHCR → Manage the rollout of one or many resources.

Valid resource types include:

• deployments
• daemonsets
• statefulsets

Examples:

Rollback to the previous deployment

kubectl rollout undo deployment/abc

Check the rollout status of a daemonset

kubectl rollout status daemonset/foo

Restart a deployment

kubectl rollout restart deployment/abc

Restart deployments with the 'app=nginx' label

kubectl rollout restart deployment --selector=app=nginx

Available Commands:
history View rollout history
pause Mark the provided resource as paused
restart Restart a resource
resume Resume a paused resource
status Show the status of the rollout
undo Undo a previous rollout

Usage:
kubectl rollout SUBCOMMAND [options]

Use "kubectl rollout --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands). on DOKS staging namespace |

Call pattern (per-repo entrypoint)

jobs:
  quality:
    uses: aperim/.github/.github/workflows/ci-quality.yml@main
    with:
      runner: '["self-hosted","ubuntu-latest","aperim"]'
  test:
    needs: [quality]
    uses: aperim/.github/.github/workflows/ci-test.yml@main
    with:
      runner: '["self-hosted","ubuntu-latest","aperim"]'
  build:
    needs: [test]
    uses: aperim/.github/.github/workflows/ci-build.yml@main
  deploy-staging:
    needs: [build]
    if: github.ref == 'refs/heads/main'
    uses: aperim/.github/.github/workflows/deploy-staging.yml@main
    with:
      image-name: my-product-api
      k8s-namespace: my-product-staging
    secrets:
      KUBECONFIG_STAGING: ${{ secrets.KUBECONFIG_STAGING }}

Design notes

• All inputs have sensible defaults — minimal config needed at call site
• tag defaults to short SHA; deployment/container names default to
• handles token/codegen generation steps (e.g.  ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND  No package.json (or package.yaml, or package.json5) was found in "/Users/paperclip". in aegis-command)
• Repos with DB service containers (aegis-command, budget) keep their existing per-repo CI — service containers can't be expressed in reusable workflow inputs

Test plan

• Confirm all three workflow files parse correctly (GitHub Actions YAML lint)
• Wire into a test repo and verify it runs
• Wire into a staging environment and verify rollout
• QA sign-off from Quinn Aldridge (APE-1615 subtask)

Refs: APE-1615

🤖 Generated with Claude Code