This directory contains the CI/CD pipeline configuration for LLM-Forge.
| Workflow | Status | Trigger | Purpose |
|---|---|---|---|
| PR Validation | - | Pull Requests | Code quality checks before merge |
| CI Pipeline | - | Push to main/develop | Continuous integration |
| Release | - | Version tags | Automated releases |
| Security Scan | - | Push, PR, Daily | Security analysis |
| Performance | - | Push, PR, Weekly | Performance monitoring |
| Dependabot Auto-Merge | - | Dependabot PRs | Auto-merge dependencies |
| Stale Management | - | Daily | Clean up inactive issues/PRs |
- Create a branch

  ```bash
  git checkout -b feature/my-feature
  ```

- Make changes and commit

  ```bash
  git add .
  git commit -m "feat: add new feature"
  ```

- Push and create PR

  ```bash
  git push origin feature/my-feature
  ```

- Wait for checks to pass
  - All PR validation checks must pass
  - Code coverage must be maintained
  - No security vulnerabilities

- Creating a Release

  ```bash
  # Update version in package.json
  npm version 1.2.3 --no-git-tag-version
  # Commit and tag
  git add package.json package-lock.json
  git commit -m "chore: bump version to 1.2.3"
  git tag v1.2.3
  git push origin main --tags
  ```

- Manual Workflow Dispatch
  - Go to Actions tab
  - Select workflow
  - Click "Run workflow"
  - Fill in required inputs

What it does:
- Type checking
- Linting
- Format checking
- Tests on Node 20 & 21
- Coverage verification (92%+ target)
- Build verification
When it runs:
- When PR is opened
- When PR is updated
- When PR is ready for review
Notes:
- Draft PRs are skipped
- Results posted as PR comment
What it does:
- Quality checks
- Multi-OS testing (Ubuntu, macOS, Windows)
- Performance benchmarks
- Build verification
- Package installation test
- Coverage reporting
- Documentation deployment
When it runs:
- On push to main or develop
- Can be manually triggered
What it does:
- Version validation
- Full test suite
- Build package
- Publish to npm
- Publish to GitHub Packages
- Create GitHub release
- Generate changelog
When it runs:
- When version tag is pushed (e.g., v1.2.3)
- Can be manually triggered
Required Secrets:
- `NPM_TOKEN` - npm authentication
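
The release steps above bump `package.json` and push a `v`-prefixed tag by hand, and the Release workflow lists "Version validation" as its first step. The following is an added example, not this project's own code, of what such a check can look like: it rejects a tag that is not valid semver or does not match `package.json`, before anything is published with `NPM_TOKEN`. The function name, the sample package name and the choice to reject build metadata are assumptions.

```javascript
// Added example (not the project's code): check a release tag against package.json.
// Names are hypothetical. Build metadata (+...) is rejected by choice.
const SEMVER =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$/;

function validateReleaseTag(ref, packageJsonText) {
  const errors = [];
  // GitHub Actions exposes a pushed tag in GITHUB_REF as refs/tags/<name>;
  // a bare tag name is accepted as well.
  const tag = ref.startsWith("refs/tags/") ? ref.slice("refs/tags/".length) : ref;
  if (!tag.startsWith("v")) errors.push(`tag "${tag}" must start with "v"`);
  const tagVersion = tag.replace(/^v/, "");
  if (!SEMVER.test(tagVersion)) {
    errors.push(`tag version "${tagVersion}" is not valid semver`);
  }

  let pkgVersion = null;
  try {
    const parsed = JSON.parse(packageJsonText);
    if (parsed && typeof parsed.version === "string") pkgVersion = parsed.version;
    else errors.push("package.json has no string version field");
  } catch (e) {
    errors.push("package.json is not valid JSON");
  }

  // Only compare when both sides were readable, so each failure is reported once.
  if (pkgVersion !== null && pkgVersion !== tagVersion) {
    errors.push(`tag ${tagVersion} does not match package.json ${pkgVersion}`);
  }
  return { ok: errors.length === 0, tagVersion, pkgVersion, errors };
}

// Constructed sample input, not taken from the repository.
const SAMPLE_PKG = JSON.stringify({ name: "example-package", version: "1.2.3" });
for (const ref of ["refs/tags/v1.2.3", "v1.2.4", "1.2.3", "v01.2.3"]) {
  const r = validateReleaseTag(ref, SAMPLE_PKG);
  console.log(ref, r.ok ? "OK" : "REJECT: " + r.errors.join("; "));
}
```

Running the check as the first job of a release, with the publish job depending on it, keeps a mistyped tag from reaching the registry, where a published version number cannot be reused.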
What it does:
- Dependency vulnerability scan
- CodeQL static analysis
- Secret detection
- License compliance
- SAST analysis
- OSSF scorecard
When it runs:
- On push to main/develop
- On pull requests
- Daily at 2 AM UTC
- Can be manually triggered
What it does:
- Run benchmarks
- Compare with baseline
- Track performance over time
- Detect regressions
When it runs:
- On push to main
- On pull requests
- Weekly on Sundays at 3 AM UTC
- Can be manually triggered
Configure these in Settings > Secrets and variables > Actions:
| Secret | Description | Required For |
|---|---|---|
| `NPM_TOKEN` | npm registry token | Releases |
| `CODECOV_TOKEN` | Codecov upload token | Coverage reporting |

- All secrets stored in GitHub Secrets
- No hardcoded credentials
- Automated security scanning
- Dependency updates via Dependabot
- License compliance checking
- Go to the Actions tab
- Select a workflow from the left sidebar
- View run history and logs
- Click on the failed run
- Expand the failed job
- Review the logs
- Check for error messages
Tests fail in CI but pass locally:
- Ensure you're using the same Node version
- Run `npm ci` instead of `npm install`
- Check for environment-specific issues
Coverage below threshold:
- Add tests for new code
- Run `npm run test:coverage` locally
Build failures:
- Check TypeScript errors
- Ensure all dependencies are installed
- Verify build configuration
- Edit workflow files in `.github/workflows/`
- Test on a feature branch first
- Create PR with changes
- Merge after review

```bash
# Install act (GitHub Actions local runner)
# https://github.com/nektos/act
# Test a workflow locally
act pull_request
```

See CONTRIBUTING.md for guidelines on contributing to this project.

This project is licensed under the Apache-2.0 License - see the LICENSE file for details.

Status: All workflows operational

Last Updated: November 8, 2025