ci: add compose volume sync check and final CI gate#48
Merged
EraPartner merged 2 commits into main on May 7, 2026
Conversation
- verify-compose-sync job in ci.yml: extracts named volumes from both docker-compose.yml and packaging/electron/resources/docker-compose.yml and fails if they diverge; included in quality-gate needs list. Catches the v1.0.2 class of data-wipe bug at PR time, not release time.
- ci-complete job in ci.yml: aggregates trivy-scan, docker-verify, and test-live-api-contracts so branch protection has one required status check covering the full Docker-tier pipeline. Set "CI Complete" as the required check in branch protection settings.
- release.yml verify job: same compose volume sync check runs as the first step before version-tag and audit checks, blocking the release if volumes are out of sync.
- ADR-051, docs/guides/cicd-pipelines.md, docs/architecture/electron.md, docs/guides/deployment.md updated to document both changes.
Coverage Report
File Coverage: No changed files found.
Branch protection requires Trivy code scanning results. The trivy-scan job only output table format — never uploaded SARIF, so the gate was perpetually blocked. Run Trivy twice: once as table (exit-code 1, fails pipeline on HIGH/CRITICAL) and once as SARIF (exit-code 0, always runs so results upload even when the table scan finds issues). Upload SARIF via codeql-action/upload-sarif to satisfy the code scanning requirement.
Summary

- `verify-compose-sync` job (ci.yml): Extracts named volumes from `docker-compose.yml` and `packaging/electron/resources/docker-compose.yml`, fails if they diverge. Added to `quality-gate`'s `needs` — catches the v1.0.2 attachment-wipe class of bug at PR time.
- `ci-complete` job (ci.yml): Aggregates `trivy-scan`, `docker-verify`, `test-live-api-contracts`. Single required-status-check to set in branch protection settings covering the full Docker-tier pipeline.
- `verify` job: Same compose volume sync step added as the first check, blocking releases if volumes are out of sync.
- `docs/guides/cicd-pipelines.md`, `docs/architecture/electron.md`, `docs/guides/deployment.md` updated.

Test plan

- `verify-compose-sync` on this PR and passes (volumes currently in sync)
- `ci-complete` appears as a status check on this PR
- `CI Complete` as the required status check in branch protection (replaces or supplements `Quality Gate`)
- `verify-compose-sync` should fail

🤖 Generated with Claude Code
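A stand-alone version of the compose volume sync check described in this PR, as an added example that is not the PR's own ci.yml step. It assumes each compose file declares its named volumes under a top-level `volumes:` key, parses them without a YAML library, and reports which names exist in only one file; the sample compose texts are constructed, with the bundled variant missing the `attachments` volume.

```python
# Compose named-volume sync check: an added example, not the PR's own ci.yml step.
# Assumes each compose file declares named volumes under a top-level `volumes:` key.
import sys

def extract_named_volumes(compose_text: str) -> set[str]:
    """Return the names declared directly under the top-level `volumes:` key."""
    names: set[str] = set()
    in_volumes, child_indent = False, None
    for raw in compose_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments; names hold no '#'
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:  # any column-0 key opens a new top-level block
            in_volumes, child_indent = line.strip() == "volumes:", None
        elif in_volumes:
            child_indent = indent if child_indent is None else child_indent
            if indent == child_indent:  # direct children are the volume names
                names.add(line.strip().split(":", 1)[0].strip())
    return names

def compare_volumes(root_text: str, bundled_text: str) -> dict[str, set[str]]:
    """Volumes present in only one file; both sets empty means in sync."""
    root, bundled = extract_named_volumes(root_text), extract_named_volumes(bundled_text)
    return {"only_in_root": root - bundled, "only_in_bundled": bundled - root}

def check_sync(root_text: str, bundled_text: str) -> bool:
    """CI gate: True when in sync, False (with a report) when the files diverge."""
    diff = compare_volumes(root_text, bundled_text)
    for side, missing in diff.items():
        if missing:  # a volume in one file only: the other stack starts it empty
            print(f"compose volume mismatch, {side}: {sorted(missing)}")
    return not any(diff.values())

# Constructed sample (not the project's file); nested service mounts must be ignored.
ROOT_COMPOSE = """\
services:
  api:
    volumes:
      - pgdata:/var/lib/postgresql/data
      - attachments:/data/attachments
volumes:
  pgdata:
  attachments:
    driver: local
"""
BUNDLED_COMPOSE = ROOT_COMPOSE.replace("      - attachments:/data/attachments\n", "")
BUNDLED_COMPOSE = BUNDLED_COMPOSE.replace("  attachments:\n    driver: local\n", "")
if __name__ == "__main__":  # pass two compose paths to check real files
    texts = [open(p).read() for p in sys.argv[1:]] if len(sys.argv) == 3 else [ROOT_COMPOSE, BUNDLED_COMPOSE]
    sys.exit(0 if check_sync(*texts) else 1)
```

Run with `python check_compose_sync.py docker-compose.yml packaging/electron/resources/docker-compose.yml` in a CI step; a non-zero exit fails the job when the named volumes diverge.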