Skip to content

Pipeline Automation

Jack Edwards edited this page Jun 8, 2026 · 8 revisions

Repository CI/CD Introduction

This repository uses several tools to scan code, commits and dependencies. These are primarily driven through the use of PR checks and deployment runs using GitHub actions.

The aim is to use free and open source tools wherever possible to detect bugs, vulnerabilities and codesmells as early as possible before any changes are merged to main. Dependabot is used to automatically manage dependencies via Pull Requests, so version bumps are not necessary unless you have an opinion on the matter of course.

If you wish to contribute, please read the contributing.md file in the repository for details on what tooling you will need to make sure your Pull Request will merge successfully.

Checking Pull Requests

Pull Requests are checked automatically when they are raised, the comment action must show 0 vulnerabilities to be acceptable for merge.

Tip

Run the tooling locally on your changes first, for a faster feedback loop than Pull Requests give you.

Caution

A Pull Request with an unfixed vulnerability of medium severity or higher will be blocked from merging, unless fixed or justified to a CODEOWNER.

Tooling

This is a list of tooling used by this repository:

Capability Tools
File linting Super Linter
Commit Standardisation Conventional Commits
Code Bugs CodeQL semgrep
Container Vulnerabilities Grype Scout Trivy
Static Asset Deployment Custom S3/CLI R2 Action
Versioning Semver via Tag action by anothrNick

Deployment

As part of the security checks run on PRs and merges to the main branch, this repository is configured to build and push a docker image to a repository on Dockerhub (set with the environment variables in the GitHub Action runners). From there, it is recommended that you use webhooks on Dockerhub to trigger builds on your runtime environment.

Demonstration app

Tip

This is just an example of how to host the container image built by this repository, other runtime environments are available.

cubel.ink is a demonstration app deployed from this repository. The GitHub Actions in repository that build and push images to Dockerhub, uses webhooks to trigger a build with Google Cloud Build and deploy to Google Cloud Run

sequenceDiagram
    participant Main branch
    participant GitHub Action
    participant Dockerhub
    participant Cloud Build
    participant Cloud Run
    Main branch->>GitHub Action: Runs build as part of pipeline
    GitHub Action->>Dockerhub: Pushes built image
    Dockerhub->>Dockerhub: Update latest image
    Dockerhub->>Cloud Build: Send webhook request
    Cloud Build->>Cloud Run: Deploy image to runtime
Loading

Clone this wiki locally