# 13. GitHub Actions CI Pipeline

meta:
  id: web-production-13
  feature: web-production
  priority: P1
  depends_on: [web-production-17, web-production-18, web-production-19, web-production-20]
  tags: [cicd, automation, production]

objective:
  - Build a comprehensive CI pipeline that runs tests, linting, type checking, and security scans on every pull request

deliverables:
  - GitHub Actions workflow files
  - PR checks for web and browser-ext
  - Test reporting and coverage
  - Dependency vulnerability scanning

steps:
  1. Create .github/workflows/ci.yml:
     - Trigger on pull_request and push to main
     - Set up Node.js 22 with pnpm
     - Install dependencies with frozen lockfile
  2. Add job: lint-and-typecheck:
     - Run `pnpm lint` (tsc --noEmit)
     - Run `pnpm lint:ext`
     - Fail on any TypeScript errors
  3. Add job: test:
     - Run `pnpm test` (vitest for web)
     - Run `pnpm test:ext` (vitest for browser-ext)
     - Generate coverage reports with @vitest/coverage-v8
     - Upload coverage to Codecov or similar
  4. Add job: build:
     - Run `pnpm build` for web
     - Run `pnpm build:ext` for browser-ext
     - Verify build artifacts exist
  5. Add job: security-scan:
     - Run `pnpm audit` with --audit-level=high
     - Post `npm audit fix` suggestions as a PR comment
     - Add OWASP dependency check
  6. Add job: docker-build:
     - Build scheduler Dockerfile
     - Verify Docker image builds successfully
  7. Configure branch protection:
     - Require all checks to pass before merge
     - Require 1 reviewer approval
     - Require up-to-date branch before merge

tests:
  - Integration: Create test PR, verify all checks run
  - Security: Introduce vulnerable dependency, verify scan catches it
  - Build: Verify build artifacts are created

acceptance_criteria:
  - All PRs trigger CI pipeline automatically
  - Lint, typecheck, test, build, and security jobs run in parallel
  - Failing tests block PR merge
  - Coverage report uploaded for every PR
  - Security vulnerabilities (high+) block PR merge
  - Docker build verified on every PR
  - Pipeline completes in <10 minutes

validation:
  - Open test PR → all checks green
  - Introduce TypeScript error → lint job fails
  - Add vulnerable package → security scan fails
  - Check Codecov → coverage diff visible in PR

notes:
  - Use pnpm/action-setup for proper pnpm installation
  - Cache node_modules between runs for speed
  - Consider using GitHub Actions matrix for multiple Node versions
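A workflow implementing steps 1 through 6, added here as an example and not the project's own ci.yml. It assumes the pnpm scripts named in the steps exist, that package.json declares a `packageManager` field (which pnpm/action-setup reads), that web artifacts land in `dist/` and `browser-ext/dist/`, that the scheduler Dockerfile lives at `scheduler/Dockerfile`, and that a `CODECOV_TOKEN` repository secret is configured.

```yaml
name: CI
on: { pull_request: {}, push: { branches: [main] } }
permissions:
  contents: read   # least privilege: the default GITHUB_TOKEN only needs to read the repo
jobs:
  lint-and-typecheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4   # pnpm version comes from package.json "packageManager" (assumed set)
      - uses: actions/setup-node@v4
        with: { node-version: 22, cache: pnpm }   # caches the pnpm store between runs
      - run: pnpm install --frozen-lockfile        # lockfile drift fails the job
      - run: pnpm lint && pnpm lint:ext           # tsc --noEmit; any TypeScript error fails here
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with: { node-version: 22, cache: pnpm }
      - run: pnpm install --frozen-lockfile
      - run: pnpm test -- --coverage && pnpm test:ext -- --coverage   # assumes vitest + @vitest/coverage-v8
      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}   # assumed repository secret
          fail_ci_if_error: true
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with: { node-version: 22, cache: pnpm }
      - run: pnpm install --frozen-lockfile
      - run: pnpm build && pnpm build:ext
      - run: test -d dist && test -d browser-ext/dist   # assumed artifact directories
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with: { node-version: 22 }
      - run: pnpm audit --audit-level=high   # non-zero exit on high/critical advisories blocks the PR
  docker-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -f scheduler/Dockerfile .   # assumed Dockerfile path
```

For step 7, list these five job names as required status checks in the branch protection rule so that a red job, including the audit, blocks the merge.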