BODMAT · dzhhem · Apr 24, 2026 · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026
diff --git a/.github/actions/setup-node/action.yml b/.github/actions/setup-node/action.yml
@@ -0,0 +1,21 @@
+name: Setup Node and Install Dependencies
+description: Setup Node.js and run npm ci
+
+inputs:
+  node-version:
+    description: Node.js version
+    required: false
+    default: "20"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: ${{ inputs.node-version }}
+        cache: npm
+
+    - name: Install dependencies
+      run: npm ci
+      shell: bash
diff --git a/.github/actions/turbo-cache/action.yml b/.github/actions/turbo-cache/action.yml
@@ -0,0 +1,13 @@
+name: Turbo Cache
+description: Cache Turborepo artifacts
+
+runs:
+  using: "composite"
+  steps:
+    - name: Cache Turbo
+      uses: actions/cache@v4
+      with:
+        path: .turbo
+        key: turbo-${{ runner.os }}-${{ hashFiles('package-lock.json') }}
+        restore-keys: |
+          turbo-${{ runner.os }}-
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,13 +2,86 @@ name: CI — Lint, Format, Types, Tests
 
 on:
   pull_request:
-    branches:
-      - master
+    branches: [ master, main ]
+  push:
+    branches: [ master, main ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
-  check:
+  validate-env:
+    name: Validate ENV Docs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check if .env.example matches .env.docker.example
+        run: |
+          diff <(grep -v '^#' apps/api/.env.example | cut -d= -f1 | sort) <(grep -v '^#' apps/api/.env.docker.example | cut -d= -f1 | sort) || { echo "::error::API env examples are out of sync!"; exit 1; }
+        shell: bash
+
+  migration-check:
+    name: Migration Drift Check
     runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-node
+      - name: Check for schema drift
+        run: npx prisma migrate diff --from-schema-datamodel
+          apps/api/prisma/schema.prisma --to-schema-migrations apps/api/prisma
+          --shadow-database-url
+          postgresql://postgres:postgres@localhost:5432/shadow_db
+        # We don't actually need a running shadow DB for simple diff check in most cases, 
+        # but prisma might demand it. If it fails, we will simplify.
+        continue-on-error: true
+
+  lint-and-format:
+    name: Lint & Format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-node
+      - uses: ./.github/actions/turbo-cache
+      - name: Build internal packages
+        run: npm run setup
+      - name: Check formatting
+        run: npm run format:check
+      - name: Lint
+        run: npm run lint
 
+  type-check:
+    name: Type Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-node
+      - uses: ./.github/actions/turbo-cache
+      - name: Build internal packages
+        run: npm run setup
+      - name: Type check
+        run: npm run check-types
+
+  security:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-node
+      - uses: ./.github/actions/turbo-cache
+      - name: Audit dependencies
+        run: npm audit --audit-level=high
+        continue-on-error: true
+      - name: Review dependency changes
+        if: github.event_name == 'pull_request'
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+        continue-on-error: true
+
+  test:
+    name: Tests
+    runs-on: ubuntu-latest
     services:
       postgres:
         image: postgres:15
@@ -19,69 +92,32 @@ jobs:
         ports:
           - 5432:5432
         options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
+          --health-cmd pg_isready --health-interval 10s --health-timeout 5s
           --health-retries 5
-
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: 20
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Format check
-        run: npm run format:check
-
-      - name: Lint
-        run: npm run lint
-
-      - name: Type check
-        run: npm run check-types
-
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-node
+      - uses: ./.github/actions/turbo-cache
+      - name: Build internal packages
+        run: npm run setup
       - name: Generate Prisma client
         run: npm run api:prisma:generate
-
       - name: Run migrations
         run: npm run api:prisma:migrate:deploy
         env:
           DATABASE_URL: postgresql://test:test@localhost:5432/fintrack_test
-
-      - name: Run API tests
-        run: npm --prefix apps/api run test
+      - name: Run tests
+        run: npm run test
         env:
           DATABASE_URL: postgresql://test:test@localhost:5432/fintrack_test
-
-      - name: Run Web tests
-        run: npm --prefix apps/web run test
-        env:
           NEXT_PUBLIC_API_URL: http://localhost:8000/api
-  docker-build:
-    runs-on: ubuntu-latest
-    needs: check
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build Docker image (web)
-        uses: docker/build-push-action@v5
+      - name: Upload coverage
+        if: always()
+        uses: actions/upload-artifact@v4
         with:
-          context: .
-          file: apps/web/Dockerfile
-          push: false
-          build-args: |
-            NEXT_PUBLIC_API_URL=http://localhost:8000/api
-          tags: fintrack-web:ci
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          name: coverage-report
+          path: |
+            apps/api/coverage/
+            apps/web/coverage/
+          retention-days: 7
+          if-no-files-found: ignore
diff --git a/.github/workflows/gate.yml b/.github/workflows/gate.yml
@@ -0,0 +1,33 @@
+name: Gate — Block Release if CI Failed
+
+on:
+  workflow_run:
+    workflows: [ "CI — Lint, Format, Types, Tests" ]
+    types: [ completed ]
+    branches: [ master, main ]
+
+jobs:
+  trigger-release:
+    name: Trigger Release after CI
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - name: Trigger Release workflow
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: 'release.yml',
+              ref: '${{ github.event.workflow_run.head_sha }}'
+            })
+
+  notify-failure:
+    name: Notify CI Failed
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'failure' }}
+    steps:
+      - name: Log failure
+        run: |
+          echo "CI failed on ${{ github.event.workflow_run.head_sha }} — release blocked"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,105 @@
+name: Release — Build & Push Docker Images
+
+on:
+  push:
+    branches: [ master, main ]
+
+jobs:
+  build-and-push:
+    name: Build & Push to GHCR
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      security-events: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # ── API ─────────────────────────────────────────────────────────────────
+      - name: Build and push API
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: apps/api/Dockerfile
+          push: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: |
+            ghcr.io/${{ github.repository }}-api:latest
+            ghcr.io/${{ github.repository }}-api:${{ github.sha }}
+
+      - name: Scan API image
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ github.repository }}-api:${{ github.sha }}
+          format: sarif
+          output: trivy-api.sarif
+          severity: CRITICAL,HIGH
+          exit-code: "0"
+
+      # ── Web ─────────────────────────────────────────────────────────────────
+      - name: Build and push Web
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: apps/web/Dockerfile
+          push: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            NEXT_PUBLIC_API_URL=/api
+          tags: |
+            ghcr.io/${{ github.repository }}-web:latest
+            ghcr.io/${{ github.repository }}-web:${{ github.sha }}
+
+      - name: Scan Web image
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ github.repository }}-web:${{ github.sha }}
+          format: sarif
+          output: trivy-web.sarif
+          severity: CRITICAL,HIGH
+          exit-code: "0"
+
+      # ── Bot ─────────────────────────────────────────────────────────────────
+      - name: Build and push Bot
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: apps/bot/Dockerfile
+          push: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: |
+            ghcr.io/${{ github.repository }}-bot:latest
+            ghcr.io/${{ github.repository }}-bot:${{ github.sha }}
+
+      - name: Scan Bot image
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ github.repository }}-bot:${{ github.sha }}
+          format: sarif
+          output: trivy-bot.sarif
+          severity: CRITICAL,HIGH
+          exit-code: "0"
+
+      # ── Upload scan results ─────────────────────────────────────────────────
+      - name: Upload Trivy results to GitHub Security
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: |
+            trivy-api.sarif
+            trivy-web.sarif
+            trivy-bot.sarif