Kordant/tasks/web-production/13-github-actions-ci.md
2026-05-26 16:06:34 -04:00


13. GitHub Actions CI Pipeline

meta:

  • id: web-production-13
  • feature: web-production
  • priority: P1
  • depends_on: [web-production-17, web-production-18, web-production-19, web-production-20]
  • tags: [cicd, automation, production]

objective:

  • Build a comprehensive CI pipeline that runs tests, linting, type checking, and security scans on every pull request

deliverables:

  • GitHub Actions workflow files
  • PR checks for web and browser-ext
  • Test reporting and coverage
  • Dependency vulnerability scanning

steps:

  1. Create .github/workflows/ci.yml:
    • Trigger on pull_request and push to main
    • Set up Node.js 22 with pnpm
    • Install dependencies with frozen lockfile
  2. Add job: lint-and-typecheck:
    • Run pnpm lint (tsc --noEmit)
    • Run pnpm lint:ext
    • Fail on any TypeScript errors
  3. Add job: test:
    • Run pnpm test (vitest for web)
    • Run pnpm test:ext (vitest for browser-ext)
    • Generate coverage reports with @vitest/coverage-v8
    • Upload coverage to Codecov or similar
  4. Add job: build:
    • Run pnpm build for web
    • Run pnpm build:ext for browser-ext
    • Verify build artifacts exist
  5. Add job: security-scan:
    • Run pnpm audit with --audit-level=high
    • Post npm audit fix suggestions as a PR comment
    • Add OWASP dependency check
  6. Add job: docker-build:
    • Build scheduler Dockerfile
    • Verify Docker image builds successfully
  7. Configure branch protection:
    • Require all checks to pass before merge
    • Require 1 reviewer approval
    • Require up-to-date branch before merge
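The workflow below is an added example of what steps 1 to 6 produce, not a file from the Kordant repository. It assumes the package.json scripts named in the steps (lint, lint:ext, test, test:ext, build, build:ext) exist, that package.json carries a packageManager field so pnpm/action-setup can pick the pnpm version, that the scheduler Dockerfile lives at scheduler/Dockerfile, that the build outputs land in web/dist and browser-ext/dist, and that a CODECOV_TOKEN repository secret is configured; all of those paths and names are assumptions. The five jobs declare no dependencies on each other, so they run in parallel, and each carries a 10-minute timeout matching the acceptance criterion.

```yaml
# Added example for .github/workflows/ci.yml (not the project's own file).
# Assumed: package.json scripts lint, lint:ext, test, test:ext, build, build:ext;
# a packageManager field naming pnpm; scheduler/Dockerfile; dist/ output paths;
# a CODECOV_TOKEN secret.
name: CI

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: the workflow token only needs to read the checkout.
permissions:
  contents: read

# Cancel superseded runs of the same ref so the queue stays inside the 10-minute budget.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

jobs:
  lint-and-typecheck:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4          # version read from package.json packageManager (assumed)
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm                       # caches the pnpm store between runs
      - run: pnpm install --frozen-lockfile
      - run: pnpm lint                      # tsc --noEmit; any TypeScript error fails the job
      - run: pnpm lint:ext

  test:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - run: pnpm test --coverage           # vitest with @vitest/coverage-v8 (web)
      - run: pnpm test:ext --coverage       # vitest with @vitest/coverage-v8 (browser-ext)
      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: true            # a failed upload must not pass silently

  build:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - run: pnpm build
      - run: pnpm build:ext
      - name: Verify build artifacts exist
        run: test -d web/dist && test -d browser-ext/dist   # output paths assumed

  security-scan:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - name: Fail on high or critical advisories
        run: pnpm audit --audit-level=high
      - name: Publish audit output to the job summary
        if: always()                        # surface the findings even when the step above failed
        run: |
          { echo '## pnpm audit'; echo '~~~'; pnpm audit --audit-level=high || true; echo '~~~'; } >> "$GITHUB_STEP_SUMMARY"
      - name: OWASP dependency check (action name and inputs assumed)
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: web-production
          path: .
          format: HTML

  docker-build:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/build-push-action@v6
        with:
          context: .
          file: scheduler/Dockerfile        # path assumed
          push: false                       # build only; no registry credentials in PR runs
```

Two design choices worth noting. First, the audit output goes to the job summary rather than a PR comment: a comment requires granting the token pull-requests: write, and the summary shows the same remediation text without widening permissions. Second, `cache: pnpm` on setup-node caches the pnpm content-addressable store rather than node_modules, which is the supported way to get the speed-up the notes ask for. Step 7 (branch protection) is repository configuration rather than workflow code: in the branch rule for main, list these five job names as required status checks, require one approving review, and require the branch to be up to date before merge.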

tests:

  • Integration: Create test PR, verify all checks run
  • Security: Introduce vulnerable dependency, verify scan catches it
  • Build: Verify build artifacts are created

acceptance_criteria:

  • All PRs trigger CI pipeline automatically
  • Lint, typecheck, test, build, and security jobs run in parallel
  • Failing tests block PR merge
  • Coverage report uploaded for every PR
  • Security vulnerabilities (high+) block PR merge
  • Docker build verified on every PR
  • Pipeline completes in <10 minutes

validation:

  • Open test PR → all checks green
  • Introduce TypeScript error → lint job fails
  • Add vulnerable package → security scan fails
  • Check Codecov → coverage diff visible in PR

notes:

  • Use pnpm/action-setup for proper pnpm installation
  • Cache node_modules between runs for speed
  • Consider using GitHub Actions matrix for multiple Node versions