This directory contains the complete CI/CD automation for Radio Calico. The workflows are designed to provide comprehensive testing, security scanning, and release automation.
Triggers: Push to main/develop, Pull Requests
Purpose: Complete validation pipeline with comprehensive testing and security checks.
Jobs:
- Lint: Code quality checks (ESLint, Prettier)
- Security: Dependency scanning, secrets detection, npm audit
- Unit Tests: Full test suite with PostgreSQL service
- Integration Tests: End-to-end testing with Docker Compose
- Docker Build: Multi-stage container building
- Container Security: Trivy vulnerability scanning
- Deployment Test: Production environment validation
- Dependency Check: Outdated packages analysis
Key Features:
- Multi-environment testing (Node.js 18, PostgreSQL 15)
- Comprehensive security scanning
- Test coverage reporting with Codecov
- Docker multi-platform builds (amd64, arm64)
- Detailed job summaries and artifacts
Triggers: Pull Request events (opened, synchronize, reopened)
Purpose: Fast feedback for PR authors with essential checks.
Jobs:
- PR Validation: Size analysis, breaking change detection
- Security Check: Quick security audit, secrets scanning
- Critical Tests: Essential test suite for rapid feedback
- PR Comment: Automated status updates on PRs
- Auto-assign: Intelligent reviewer assignment
Key Features:
- Fast execution (under 10 minutes)
- Automated PR comments with results
- Reviewer assignment based on changed files
- Breaking change detection
Triggers: Daily schedule (6 AM UTC), Manual dispatch
Purpose: Comprehensive security monitoring and vulnerability management.
Jobs:
- Dependency Scan: NPM audit for main and test dependencies
- Container Scan: Trivy scanning for Docker images
- Secret Scan: Gitleaks scanning for exposed secrets
- Security Summary: Consolidated reporting and notifications
Key Features:
- Daily automated scans
- Automatic issue creation for vulnerabilities
- SARIF reporting for the GitHub Security tab
- Git history secret scanning
- Security dashboard in workflow summaries
Triggers: Git tags (v*.*.*), Manual workflow dispatch
Purpose: Automated release creation with full validation and artifact generation.
Jobs:
- Validate Release: Version validation, changelog extraction
- Pre-Release Tests: Full test suite execution
- Build Artifacts: Source archives, Docker images
- Release Security: Final security validation
- Create Release: GitHub release with artifacts
- Deploy Staging: Optional staging deployment
- Notify Release: PR comments, release notifications
- Cleanup on Failure: Automatic cleanup of failed releases
Key Features:
- Multi-platform Docker image publishing
- Automatic changelog extraction
- Security scanning before release
- Semantic version validation
- Staging deployment automation
- Automatic PR notifications
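The two checks that gate a release on the tag alone, the semantic version validation and the changelog extraction listed above, as an added example. This is not Radio Calico's own workflow code: `validate_tag` enforces the `v<major>.<minor>.<patch>` form the release workflow triggers on (SemVer 2.0.0, with optional `-prerelease` and `+build` parts) and reports whether the tag is a pre-release, which is what should drive the `pre_release` input; `extract_changelog` pulls the matching section out of a Keep-a-Changelog style file. That file layout, and the sample changelog embedded below, are assumptions; the page does not say which changelog format the project uses.

```shell
#!/usr/bin/env sh
# Added example, not Radio Calico's own workflow code: the checks a
# "Validate Release" job can run before anything is built.

# validate_tag TAG
#   Prints "release" or "pre-release" and returns 0 for an acceptable tag,
#   prints nothing and returns 1 otherwise.
validate_tag() {
  tag=$1
  case "$tag" in
    v*) ;;
    *)  return 1 ;;     # the release workflow only runs for tags starting with "v"
  esac
  ver=${tag#v}
  # x.y.z with no leading zeros, then optional -prerelease and +build metadata.
  # Pre-release identifiers are accepted loosely (SemVer also forbids leading
  # zeros in numeric identifiers; that refinement is omitted here).
  core='(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)'
  pre='(-[0-9A-Za-z.-]+)?'
  build='([+][0-9A-Za-z.-]+)?'
  printf '%s\n' "$ver" | grep -Eq "^${core}${pre}${build}\$" || return 1
  # Strip build metadata before looking for the "-" that marks a pre-release,
  # because "+build-7" may legitimately contain a dash.
  case "${ver%%+*}" in
    *-*) echo pre-release ;;
    *)   echo release ;;
  esac
}

# extract_changelog VERSION < CHANGELOG.md
#   Prints the lines between the "## [VERSION]" heading and the next "## "
#   heading (Keep-a-Changelog layout, assumed here).
extract_changelog() {
  awk -v want="## [$1]" '
    index($0, want) == 1 { inside = 1; next }   # target section heading found
    /^## / && inside     { exit }               # next version section starts
    inside               { print }
  '
}

# Constructed sample changelog for the demo below (not a file from the project).
sample_changelog() {
  printf '%s\n' \
    '# Changelog' \
    '' \
    '## [1.1.0] - 2024-02-01' \
    '### Added' \
    '- Now-playing metadata endpoint' \
    '' \
    '## [1.0.0] - 2024-01-01' \
    '### Added' \
    '- Initial release'
}

# Demo: classify a few tags, then pull the notes for the version being released.
for t in v1.0.0 v1.1.0-rc.1 v01.0.0 1.0.0; do
  printf '%-12s %s\n' "$t" "$(validate_tag "$t" || echo rejected)"
done
sample_changelog | extract_changelog 1.0.0
```

In a workflow step the tag comes from `GITHUB_REF_NAME` and the changelog body can be written to a file that `gh release create --notes-file` consumes; rejecting the tag here is what keeps a mistyped `v1.0` or `1.0.0` from producing a half-built release that the cleanup job then has to remove.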
```yaml
NODE_VERSION: '18'      # Node.js version for all workflows
POSTGRES_VERSION: '15'  # PostgreSQL version for testing
REGISTRY: ghcr.io       # Container registry
```
Secrets used by the workflows:
- `GITHUB_TOKEN` - Automatically provided by GitHub
- `CODECOV_TOKEN` - Optional, for test coverage reporting
```yaml
permissions:
  contents: write         # Repository access (read is enough unless the job creates releases or tags)
  packages: write         # Container registry
  security-events: write  # Security tab integration
  actions: read           # Workflow access
```
Each scope takes a single value (`read`, `write` or `none`; `write` includes `read`). Declare the write scopes on the individual jobs that need them (release creation, package publishing, SARIF upload) and keep the workflow default at `contents: read`, which is what the least-privilege item in the security features means in practice.

```bash
# Trigger manual security scan
gh workflow run security.yml

# Run specific scan type
gh workflow run security.yml -f scan_type=dependencies
gh workflow run security.yml -f scan_type=containers
gh workflow run security.yml -f scan_type=secrets
```

```bash
# Automatic release from tag
git tag v1.0.0
git push origin v1.0.0

# Manual release creation
gh workflow run release.yml -f tag=v1.0.0 -f pre_release=false
```
The `-f` inputs only work when the workflow declares them under `workflow_dispatch.inputs`.

```bash
# Run tests locally (matches CI)
make test

# Run security scan locally
make security

# Lint code
make lint

# Build Docker images
make build
```

Security checks and controls in the workflows:
- NPM audit for dependencies
- Container image scanning with Trivy
- Secret detection with Gitleaks
- Custom pattern matching for sensitive data
- Automatic issue creation for high/critical vulnerabilities
- PR blocking for security failures
- SARIF upload to the GitHub Security tab
- Daily security monitoring reports
- Principle of least privilege for workflow permissions
- Artifact retention policies (30-90 days)
- Secure secret handling
- Audit trail for all deployments
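What the "custom pattern matching for sensitive data" item can look like beside Gitleaks, as an added example rather than the project's own scanning code. The function below is a grep -E check that runs in a pre-commit hook or a CI step with no extra tooling, catches the fixed-shape credentials that are cheap to spot early, and turns a finding into a non-zero exit status so the PR-blocking behaviour listed above applies. The pattern set and the sample input are constructed for this example; the `gitleaks:allow` marker is the inline comment Gitleaks honours to skip a line.

```shell
#!/usr/bin/env sh
# Added example, not Radio Calico's own scanning code: a minimal secret
# pattern check for text on stdin. Gitleaks remains the primary scanner.
#
# Patterns, in order:
#   AKIA + 16 uppercase/digits   AWS access key ID (published prefix)
#   ghp_ + 36 alphanumerics      classic GitHub personal access token
#   PEM header                   any "-----BEGIN ... PRIVATE KEY-----" block
#   assignment heuristic         password/secret/api_key = <8+ non-space chars>;
#                                expect to tune this one per repository

# scan_secrets < INPUT
#   Prints "<line-number>:<line>" for each suspicious line and returns 1 when
#   anything matched, 0 on a clean input. Lines tagged "gitleaks:allow" are
#   excluded so documented fixtures do not block merges.
scan_secrets() {
  hits=$(grep -nE \
      -e 'AKIA[0-9A-Z]{16}' \
      -e 'ghp_[A-Za-z0-9]{36}' \
      -e '-----BEGIN( [A-Z]+)? PRIVATE KEY-----' \
      -e '(password|secret|api_key)[[:space:]]*[:=][[:space:]]*[^[:space:]]{8,}' \
    | grep -v 'gitleaks:allow' || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Constructed sample input (not from the project): benign config lines, four
# credentials that must be caught, and one allow-listed test fixture.
SAMPLE_INPUT='DB_HOST=localhost
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123
password = Tr0ub4dor&3
-----BEGIN RSA PRIVATE KEY-----
api_key = "sk-test-fixture-0000" # gitleaks:allow
PORT=3000'

# Demo run: the exit status of scan_secrets is what fails the CI step.
if printf '%s\n' "$SAMPLE_INPUT" | scan_secrets; then
  echo "secret scan: clean"
else
  echo "secret scan: findings above, failing the job"
fi
```

Feed it `git diff --cached` output in a hook, or the changed files of a PR in the quick security check, and keep the allow-list marker honest by reviewing every line that carries it: an allow comment is only as trustworthy as the review that approved it.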
Each workflow provides detailed summaries with:
- Test results and coverage metrics
- Security scan outcomes
- Deployment status
- Performance metrics

Artifacts uploaded by the workflows:
- Test coverage reports
- Security scan results
- Build artifacts and checksums
- Container images

Notifications sent by the workflows:
- PR status comments
- Security alert issues
- Release announcements
- Deployment confirmations
1. Test Failures
   - Check PostgreSQL service status
   - Verify environment variables
   - Review test artifacts
2. Security Scan Failures
   - Run `npm audit fix` locally (without `--force`, which can pull in major version upgrades)
   - Update vulnerable dependencies
   - Check for false positives
3. Docker Build Issues
   - Verify Dockerfile syntax
   - Check base image availability
   - Review build context
4. Release Failures
   - Verify tag format (v1.0.0)
   - Check changelog format
   - Ensure all tests pass

For any failing run:
- Check workflow run logs in the GitHub Actions tab
- Review job summaries for quick diagnostics
- Download artifacts for detailed analysis
- Check the Security tab for vulnerability details
```mermaid
graph TD
    A[Push/PR] --> B[CI Pipeline]
    B --> C{Tests Pass?}
    C -->|Yes| D[Deploy/Release]
    C -->|No| E[Block Merge]
    F[Daily Schedule] --> G[Security Scan]
    G --> H{Vulnerabilities?}
    H -->|Yes| I[Create Issues]
    H -->|No| J[Update Dashboard]
    K[Release Tag] --> L[Release Pipeline]
    L --> M[Build Artifacts]
    M --> N[Security Check]
    N --> O[Create Release]
```
Recurring maintenance tasks:
- Review and update dependency versions
- Update base Docker images
- Refresh security scan configurations
- Monitor workflow performance metrics
- Audit workflow permissions
- Review security policies
- Update documentation
- Performance optimization

Last Updated: $(date -u)
Workflow Version: 1.0.0
Maintainer: Development Team