73 lines
2.4 KiB
Markdown
# 13. GitHub Actions CI Pipeline

meta:
  id: web-production-13
  feature: web-production
  priority: P1
  depends_on: [web-production-17, web-production-18, web-production-19, web-production-20]
  tags: [cicd, automation, production]

objective:
  - Build a comprehensive CI pipeline that runs tests, linting, type checking, and security scans on every pull request

deliverables:
  - GitHub Actions workflow files
  - PR checks for web and browser-ext
  - Test reporting and coverage
  - Dependency vulnerability scanning

steps:
  1. Create .github/workflows/ci.yml:
     - Trigger on pull_request and on push to main
     - Set up Node.js 22 with pnpm (pnpm/action-setup first, then actions/setup-node with `cache: pnpm`)
     - Install dependencies with `pnpm install --frozen-lockfile`, so CI fails if package.json and the lockfile disagree instead of silently resolving new versions
  2. Add job: lint-and-typecheck:
     - Run `pnpm lint` (tsc --noEmit)
     - Run `pnpm lint:ext`
     - Fail on any TypeScript error
  3. Add job: test:
     - Run `pnpm test` (vitest for web)
     - Run `pnpm test:ext` (vitest for browser-ext)
     - Generate coverage reports with @vitest/coverage-v8
     - Upload coverage to Codecov or similar
  4. Add job: build:
     - Run `pnpm build` for web
     - Run `pnpm build:ext` for browser-ext
     - Verify the build artifacts exist; fail the job if an expected output directory is missing or empty
  5. Add job: security-scan:
     - Run `pnpm audit --audit-level=high`; the command exits non-zero, and the job fails, on any high or critical advisory
     - Post the `pnpm audit --fix` suggestions (the overrides it would add to package.json) as a PR comment
     - Add OWASP Dependency-Check
  6. Add job: docker-build:
     - Build the scheduler Dockerfile
     - Verify the Docker image builds successfully (build only; never push from a PR run)
  7. Configure branch protection on main:
     - Require all checks to pass before merge
     - Require 1 reviewer approval
     - Require the branch to be up to date with main before merge

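The following ci.yml implements steps 1 to 6 as one workflow. It is an added example, not the project's own file. It assumes package.json declares a `packageManager` field for pnpm (so pnpm/action-setup needs no explicit version), that `pnpm test` and `pnpm test:ext` invoke `vitest run` and accept `--coverage`, that the web build emits `dist/` and the extension build emits `browser-ext/dist/`, that the scheduler image is built from `scheduler/Dockerfile`, and that a `CODECOV_TOKEN` repository secret exists. For the OWASP Dependency-Check item it substitutes GitHub's dependency-review action, which diffs the PR's dependency changes against the GitHub Advisory Database and fails on high-severity findings; swap in the OWASP action if the project requires that specific scanner.

```yaml
name: CI

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: the GITHUB_TOKEN is read-only for every job. No job below
# needs to write to the repository, so nothing raises this.
permissions:
  contents: read

# Cancel superseded runs of the same ref to keep the pipeline under budget.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

jobs:
  lint-and-typecheck:
    runs-on: ubuntu-latest
    steps:
      # Pin these version tags to full commit SHAs before relying on this in production.
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4      # version comes from packageManager in package.json (assumed)
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: pnpm                    # caches the pnpm store, not node_modules
      - run: pnpm install --frozen-lockfile
      - run: pnpm lint                   # tsc --noEmit for web
      - run: pnpm lint:ext

  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with: { node-version: 22, cache: pnpm }
      - run: pnpm install --frozen-lockfile
      - run: pnpm test --coverage        # assumes the script is `vitest run`; coverage via @vitest/coverage-v8
      - run: pnpm test:ext --coverage
      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}   # secret name assumed; secrets are absent on fork PRs
          fail_ci_if_error: false

  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with: { node-version: 22, cache: pnpm }
      - run: pnpm install --frozen-lockfile
      - run: pnpm build
      - run: pnpm build:ext
      # Fail if an expected output directory (paths assumed) is missing or empty.
      - run: |
          for d in dist browser-ext/dist; do
            [ -d "$d" ] && [ -n "$(ls -A "$d")" ] || { echo "missing artifact: $d"; exit 1; }
          done

  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with: { node-version: 22, cache: pnpm }
      - run: pnpm install --frozen-lockfile
      # Exits non-zero on any advisory of severity high or critical.
      - run: pnpm audit --audit-level=high
      # Stand-in for OWASP Dependency-Check: reviews dependencies the PR adds or
      # changes. Only meaningful on pull_request events, hence the guard.
      - uses: actions/dependency-review-action@v4
        if: github.event_name == 'pull_request'
        with:
          fail-on-severity: high

  docker-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Build only; the image is never pushed from a PR run. Dockerfile path assumed.
      - run: docker build -f scheduler/Dockerfile -t scheduler:ci .
```

The five jobs have no `needs:` edges, so they run in parallel and each job's wall time is the lone install plus its own work. Step 7 is repository configuration rather than workflow content: in the branch protection rule for main, list the five job names (`lint-and-typecheck`, `test`, `build`, `security-scan`, `docker-build`) as the required status checks. Note that `pull_request` runs from forks receive a read-only token and no secrets, which is why the Codecov step is not allowed to fail the job; the audit, build and docker jobs need no secrets and still gate the merge.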
tests:
  - Integration: Create a test PR, verify all checks run
  - Security: Introduce a vulnerable dependency, verify the scan catches it
  - Build: Verify build artifacts are created

acceptance_criteria:
  - All PRs trigger the CI pipeline automatically
  - Lint, typecheck, test, build, and security jobs run in parallel
  - Failing tests block PR merge
  - Coverage report uploaded for every PR
  - Security vulnerabilities (high or critical) block PR merge
  - Docker build verified on every PR
  - Pipeline completes in under 10 minutes

validation:
  - Open a test PR → all checks green
  - Introduce a TypeScript error → lint job fails
  - Add a vulnerable package → security scan fails
  - Check Codecov → coverage diff visible in the PR

notes:
  - Use pnpm/action-setup for proper pnpm installation
  - Cache the pnpm store between runs for speed (actions/setup-node with `cache: pnpm`); caching node_modules directly is fragile with pnpm's content-addressed layout
  - Consider using a GitHub Actions matrix for multiple Node versions
  - Pin third-party actions to a full commit SHA rather than a mutable tag, and set a top-level `permissions: contents: read` so the GITHUB_TOKEN stays read-only unless a job explicitly needs more