Skip to content
hieuck edited this page Jul 5, 2026 · 1 revision

CI/CD

All workflows live in .github/workflows/ and are modular by responsibility.

Workflows

Workflow Trigger Purpose
ci.yml PR, push to main Lint, test, build, security audit, quality gate
node.js.yml PR, push Node.js 22 compatibility matrix
docker-image.yml PR Build Docker image + Trivy container scan
docker-publish.yml Release Publish image to registry
release.yml Manual / tag Generate release notes and create GitHub release
deploy-staging.yml Manual Deploy to staging VPS (requires STAGING_HOST, SSH_KEY)
codeql.yml PR, push, schedule Security analysis
label.yml PR Auto-label pull requests
stale.yml Schedule Mark stale issues/PRs

Key security gates

  • Container scan with Trivy (detect-only for upstream base-image CVEs).
  • CodeQL static analysis.
  • Leaked-secret scan.
  • Dependency audit via pnpm audit.

See .github/workflows/ and docs/security/codeql-setup.md for full details.

Clone this wiki locally