get to prod tasks
72
tasks/web-production/13-github-actions-ci.md
Normal file
@@ -0,0 +1,72 @@
# 13. GitHub Actions CI Pipeline

meta:
id: web-production-13
feature: web-production
priority: P1
depends_on: [web-production-17, web-production-18, web-production-19, web-production-20]
tags: [cicd, automation, production]

objective:
- Build a comprehensive CI pipeline that runs tests, linting, type checking, and security scans on every pull request

deliverables:
- GitHub Actions workflow files
- PR checks for web and browser-ext
- Test reporting and coverage
- Dependency vulnerability scanning

steps:
1. Create .github/workflows/ci.yml:
- Trigger on pull_request and push to main
- Set up Node.js 22 with pnpm
- Install dependencies with frozen lockfile
2. Add job: lint-and-typecheck:
- Run `pnpm lint` (tsc --noEmit)
- Run `pnpm lint:ext`
- Fail on any TypeScript errors
3. Add job: test:
- Run `pnpm test` (vitest for web)
- Run `pnpm test:ext` (vitest for browser-ext)
- Generate coverage reports with @vitest/coverage-v8
- Upload coverage to Codecov or similar
4. Add job: build:
- Run `pnpm build` for web
- Run `pnpm build:ext` for browser-ext
- Verify build artifacts exist
5. Add job: security-scan:
- Run `pnpm audit` with --audit-level=high
- Run `npm audit fix` suggestions as PR comment
- Add OWASP dependency check
6. Add job: docker-build:
- Build scheduler Dockerfile
- Verify Docker image builds successfully
7. Configure branch protection:
- Require all checks to pass before merge
- Require 1 reviewer approval
- Require up-to-date branch before merge

tests:
- Integration: Create test PR, verify all checks run
- Security: Introduce vulnerable dependency, verify scan catches it
- Build: Verify build artifacts are created

acceptance_criteria:
- All PRs trigger CI pipeline automatically
- Lint, typecheck, test, build, and security jobs run in parallel
- Tests failing blocks PR merge
- Coverage report uploaded for every PR
- Security vulnerabilities (high+) block PR merge
- Docker build verified on every PR
- Pipeline completes in <10 minutes

validation:
- Open test PR → all checks green
- Introduce TypeScript error → lint job fails
- Add vulnerable package → security scan fails
- Check Codecov → coverage diff visible in PR

notes:
- Use pnpm/action-setup for proper pnpm installation
- Cache node_modules between runs for speed
- Consider using GitHub Actions matrix for multiple Node versions
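Review bot: step 5 mixes package managers: `npm audit fix` works against package-lock.json, which a pnpm project installed with a frozen lockfile (step 1) does not maintain, so its suggestions will not map onto pnpm-lock.yaml; post the `pnpm audit --audit-level=high` findings themselves (or the overrides proposed by `pnpm audit --fix`) as the PR comment instead. Because that job writes PR comments, the workflow should also carry an explicit least-privilege `permissions:` block (top-level `permissions: contents: read`, with `pull-requests: write` granted only on the security-scan job), and the comment step should be conditional on the PR not coming from a fork, since `pull_request` runs from forks receive a read-only GITHUB_TOKEN and the step would otherwise fail the job. Two smaller points: pin the third-party actions this task relies on (pnpm/action-setup in notes, the Codecov uploader in step 3) to full commit SHAs rather than floating tags, and in notes cache the pnpm store (`cache: pnpm` on actions/setup-node) rather than node_modules, which with pnpm's symlinked layout does not restore reliably.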
|
||||