chore(ci): add GitHub Actions, release-please, and Docker publish automation (#148)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: XOlegator

.github/workflows/ci.yml

@@ -0,0 +1,101 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+
+  cs-fixer:
+    name: PHP CS Fixer
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.4'
+          extensions: intl, pdo_mysql
+          coverage: none
+
+      - uses: actions/cache@v4
+        with:
+          path: ~/.composer/cache
+          key: composer-8.4-${{ hashFiles('composer.lock') }}
+          restore-keys: composer-8.4-
+
+      - run: composer install --no-interaction --prefer-dist --no-scripts
+
+      - run: vendor/bin/php-cs-fixer fix --dry-run --diff
+
+  phpstan:
+    name: PHPStan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.4'
+          extensions: intl, pdo_mysql
+          coverage: none
+
+      - uses: actions/cache@v4
+        with:
+          path: ~/.composer/cache
+          key: composer-8.4-${{ hashFiles('composer.lock') }}
+          restore-keys: composer-8.4-
+
+      - run: composer install --no-interaction --prefer-dist --no-scripts
+
+      # phpstan-symfony reads the compiled DI container to resolve service types
+      - name: Warm up Symfony dev container
+        env:
+          APP_ENV: dev
+          APP_DEBUG: '1'
+          DATABASE_URL: mysql://pinba:pinba@127.0.0.1:3306/pinba?serverVersion=8.4.0
+        run: php bin/console cache:warmup
+
+      - uses: actions/cache@v4
+        with:
+          path: var/phpstan
+          key: phpstan-${{ hashFiles('phpstan.neon', 'composer.lock') }}
+          restore-keys: phpstan-
+
+      - run: vendor/bin/phpstan analyse --no-progress
+
+  phpunit:
+    name: PHPUnit (PHP ${{ matrix.php }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        php: ['8.4', '8.5']
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+          extensions: intl, pdo_mysql
+          coverage: none
+
+      - uses: actions/cache@v4
+        with:
+          path: ~/.composer/cache
+          key: composer-${{ matrix.php }}-${{ hashFiles('composer.lock') }}
+          restore-keys: composer-${{ matrix.php }}-
+
+      - run: composer install --no-interaction --prefer-dist --no-scripts
+
+      - name: Run test suite
+        env:
+          APP_ENV: test
+          DATABASE_URL: mysql://pinba:pinba@127.0.0.1:3306/pinba?serverVersion=8.4.0
+        run: vendor/bin/phpunit --no-progress

.github/workflows/docker.yml

@@ -0,0 +1,37 @@
+name: Docker
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  build-push:
+    name: Build and push Docker image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract version from tag
+        id: meta
+        run: |
+          TAG="${{ github.ref_name }}"
+          VERSION="${TAG#v}"
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile.pinboard
+          push: true
+          tags: |
+            xolegator/pinboard:${{ steps.meta.outputs.version }}
+            xolegator/pinboard:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/release-please.yml

@@ -0,0 +1,22 @@
+name: Release Please
+
+on:
+  push:
+    branches: [master]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.rp.outputs.release_created }}
+      tag_name: ${{ steps.rp.outputs.tag_name }}
+    steps:
+      - uses: googleapis/release-please-action@v4
+        id: rp
+        with:
+          config-file: release-please-config.json
+          manifest-file: .release-please-manifest.json

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "2.0.0"
+}

AGENTS.md

@@ -48,6 +48,21 @@ PHPStan runs at level 10. All violations must be fixed with real engineering sol
 - Annotate repository methods with typed PHPDoc array shapes, e.g. `@return list<array{id: int, name: string}>`, and cast at the boundary.
 - For `Yaml::parseFile()` and session `get()` returning `mixed`, validate with `is_array()` and iterate to enforce string keys.
 
+## Development Workflow
+
+All changes enter `master` exclusively via pull request — direct pushes are blocked.
+
+**Branch → PR → CI → squash merge → master → Release Please → GitHub Release → Docker Hub**
+
+- Branch names: `fix/description`, `feat/description`, `chore/description`, etc.
+- Commit titles must follow Conventional Commits (see `docs/contributing.md`).
+- CI runs three mandatory jobs: `PHP CS Fixer`, `PHPStan`, `PHPUnit (8.4 + 8.5)`.
+- After a PR merges, Release Please automatically opens or updates a Release PR.
+- Merging the Release PR creates a `vX.Y.Z` tag and GitHub Release.
+- The Docker workflow fires on the published release and pushes `xolegator/pinboard:<version>` and `xolegator/pinboard:latest` to Docker Hub.
+
+Full details: `docs/contributing.md` (PR workflow) and `docs/releasing.md` (release process).
+
 ## Commit Messages
 
 - Use Conventional Commits style.

docs/contributing.md

@@ -0,0 +1,76 @@
+# Contributing
+
+## Workflow overview
+
+All changes enter `master` exclusively via pull request. Direct pushes to `master` are blocked by branch protection rules.
+
+```
+feature-branch  →  PR  →  CI (cs-fixer, phpstan, phpunit)  →  merge to master
+```
+
+After merge, CI runs again on `master`. Release Please then opens or updates a "Release PR" that tracks the next version. When that Release PR is merged, a GitHub Release is created automatically and the Docker image is published.
+
+## Branch naming
+
+Use a descriptive lowercase name, optionally prefixed by the change type:
+
+```
+fix/timer-table-layout
+feat/db-user-sync
+refactor/sass-build
+chore/composer-update
+```
+
+No enforced pattern beyond keeping it readable.
+
+## Commit messages
+
+This project follows [Conventional Commits](https://www.conventionalcommits.org/). Every commit reachable from `master` must have a conforming title because Release Please reads them to determine the next version and generate the changelog.
+
+```
+type(scope): short imperative description
+```
+
+Common types and their effect on versioning:
+
+| Type       | SemVer bump | Appears in changelog |
+|------------|-------------|----------------------|
+| `feat`     | minor       | yes                  |
+| `fix`      | patch       | yes                  |
+| `perf`     | patch       | yes                  |
+| `refactor` | patch       | yes                  |
+| `chore`    | patch       | yes                  |
+| `docs`     | patch       | hidden               |
+| `test`     | patch       | hidden               |
+| `ci`       | patch       | hidden               |
+
+A `!` suffix or `BREAKING CHANGE:` footer triggers a **major** bump regardless of type.
+
+Useful scopes for this project: `ui`, `auth`, `api`, `db`, `config`, `docker`, `ci`, `docs`.
+
+## Creating a pull request
+
+1. Create a branch from the latest `master`.
+2. Make commits with Conventional Commit titles.
+3. Push and open a PR against `master`.
+4. CI runs three jobs automatically: `PHP CS Fixer`, `PHPStan`, `PHPUnit`.
+5. All three must pass before the PR can be merged.
+6. Request review or merge it yourself if you are a maintainer.
+
+## Merge policy
+
+Use **squash merge** when merging PRs. The squash commit title becomes the changelog entry, so make sure it is a valid Conventional Commit title (GitHub pre-fills it from the PR title).
+
+After merge, CI reruns on `master`. If it passes, Release Please updates or creates its Release PR.
+
+## Code style
+
+Run the following before pushing to avoid CI failures:
+
+```bash
+vendor/bin/php-cs-fixer fix
+vendor/bin/phpstan analyse --no-progress
+vendor/bin/phpunit --no-progress
+```
+
+See [testing.md](testing.md) for the full checklist and [standards.md](standards.md) for code conventions.

docs/releasing.md

@@ -0,0 +1,60 @@
+# Releasing
+
+Releases are fully automated via [Release Please](https://github.com/googleapis/release-please). No manual tagging or changelog editing is needed.
+
+## How it works
+
+1. A developer merges a PR into `master` (squash merge, Conventional Commit title).
+2. The `Release Please` GitHub Actions workflow runs and inspects unreleased commits since the last tag.
+3. Release Please opens (or updates) a **Release PR** titled `chore(main): release X.Y.Z`.
+   - The PR contains a changelog diff for `CHANGELOG.md` and the new version number.
+4. When a maintainer merges the Release PR, Release Please creates a GitHub Release and pushes a `vX.Y.Z` tag.
+5. The `Docker` workflow triggers on the new release and publishes the image to Docker Hub.
+
+## Version bump rules
+
+Release Please derives the next version from Conventional Commits:
+
+- `BREAKING CHANGE` footer or `!` suffix → major bump
+- `feat` → minor bump
+- anything else (`fix`, `perf`, `refactor`, `chore`, …) → patch bump
+
+## Docker image publishing
+
+The `docker.yml` workflow fires on every published GitHub Release. It:
+
+- Builds `Dockerfile.pinboard` from the release commit.
+- Tags the image as `xolegator/pinboard:<version>` and `xolegator/pinboard:latest`.
+- Pushes both tags to Docker Hub using BuildKit layer caching.
+
+### Required repository secrets
+
+| Secret              | Purpose                                      |
+|---------------------|----------------------------------------------|
+| `DOCKERHUB_USERNAME`| Docker Hub account username                  |
+| `DOCKERHUB_TOKEN`   | Docker Hub access token (read/write, no delete) |
+
+Add these under **Settings → Secrets and variables → Actions** in the GitHub repository.
+
+## Manifest seed
+
+`.release-please-manifest.json` records the current released version (`2.0.0`). Release Please reads this to know where to start. Do not edit this file manually — Release Please updates it automatically when it creates a Release PR.
+
+## Configuration
+
+`release-please-config.json` controls:
+
+- `release-type: simple` — manages `CHANGELOG.md` and git tags; does not modify `composer.json`.
+- `changelog-path: CHANGELOG.md` — separate from the hand-maintained `CHANGELOG` file which covers the pre-2.x history.
+- Changelog sections and which commit types are shown or hidden.
+
+## Branch protection requirements
+
+For the workflow to function correctly, `master` should have the following branch protection rules active:
+
+- Require a pull request before merging (no direct pushes).
+- Require status checks to pass before merging: `PHP CS Fixer`, `PHPStan`, `PHPUnit (PHP 8.4)`, `PHPUnit (PHP 8.5)`.
+- Require branches to be up to date before merging.
+- Allow repository admins to bypass (so Release Please can push the release commit).
+
+See [GitHub documentation](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) for how to configure rulesets.

docs/testing.md

@@ -1,21 +1,51 @@
 # Testing
 
-## Code checks
+## Local checks before pushing
 
-- PHP syntax: `php -l path/to/file.php`
-- Twig syntax: `php bin/console lint:twig templates/...`
-- Frontend build: `pnpm build`
-- Static analysis: `vendor/bin/phpstan analyse`
-- Code style: `vendor/bin/php-cs-fixer fix --dry-run`
+Run these before every push to avoid CI failures:
+
+```bash
+# PHP syntax (touched files only)
+php -l src/Path/To/File.php
+
+# Twig syntax (touched templates only)
+php bin/console lint:twig templates/
+
+# Code style — check, then fix
+vendor/bin/php-cs-fixer fix --dry-run --diff
+vendor/bin/php-cs-fixer fix
+
+# Static analysis (level 10)
+vendor/bin/phpstan analyse --no-progress
+
+# Unit and functional tests
+vendor/bin/phpunit --no-progress
+
+# Frontend assets
+pnpm build
+```
+
+## CI pipeline
+
+Three jobs run automatically on every PR and on every push to `master`:
+
+| Job            | Command                                         |
+|----------------|-------------------------------------------------|
+| PHP CS Fixer   | `vendor/bin/php-cs-fixer fix --dry-run --diff`  |
+| PHPStan        | `vendor/bin/phpstan analyse --no-progress`       |
+| PHPUnit        | `vendor/bin/phpunit --no-progress` (PHP 8.4 + 8.5) |
+
+All three must pass before a PR can be merged. See `.github/workflows/ci.yml` for the full configuration.
 
 ## What to verify after changes
 
-- Templates and layout — in a browser.
-- Sass and JS — after rebuilding the frontend.
-- Symfony Console commands — on a real local environment.
-- Pinba data changes — on admin pages and in the database.
+- Templates and layout — open the relevant pages in a browser.
+- Sass and JS — after rebuilding with `pnpm build`.
+- Symfony Console commands — run on a real local environment.
+- Pinba data changes — verify on admin pages and in the database.
 
 ## Practices
 
 - For targeted changes, run only the checks relevant to the modified files.
 - If a change touches the shared layout or build pipeline, rebuild the frontend and open key pages manually.
+- PHPStan runs at level 10. All violations must be fixed with real solutions — see `AGENTS.md` for the full list of allowed and forbidden patterns.