-
Notifications
You must be signed in to change notification settings - Fork 7
CI CD
hieuck edited this page Jul 5, 2026
·
1 revision
All workflows live in .github/workflows/ and are modular by responsibility.
| Workflow | Trigger | Purpose |
|---|---|---|
ci.yml |
PR, push to main
|
Lint, test, build, security audit, quality gate |
node.js.yml |
PR, push | Node.js 22 compatibility matrix |
docker-image.yml |
PR | Build Docker image + Trivy container scan |
docker-publish.yml |
Release | Publish image to registry |
release.yml |
Manual / tag | Generate release notes and create GitHub release |
deploy-staging.yml |
Manual | Deploy to staging VPS (requires STAGING_HOST, SSH_KEY) |
codeql.yml |
PR, push, schedule | Security analysis |
label.yml |
PR | Auto-label pull requests |
stale.yml |
Schedule | Mark stale issues/PRs |
- Container scan with Trivy (detect-only for upstream base-image CVEs).
- CodeQL static analysis.
- Leaked-secret scan.
- Dependency audit via
pnpm audit.
See .github/workflows/ and docs/security/codeql-setup.md for full details.