feat(infra): add Render staging + refactor CI/CD workflows

[jbdevprimary]

Summary

• Add Render.com staging deployment with render.yaml
• Refactor workflows into proper CI/CD split
• DRY up version management with .nvmrc and packageManager
• Update all GitHub Action SHAs to latest versions

Changes

Deployment Infrastructure

• render.yaml: Render.com blueprint for staging deployment
  • Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
  • SPA routing with cache headers
  • Node 22 + pnpm 10

Version Management (DRY)

• .nvmrc: Node 22 LTS
• package.json: Added packageManager: "pnpm@10.11.0"
• setup-thumbcode action: Reads from .nvmrc and packageManager

Workflow Refactoring

Workflow	Purpose
ci.yml	Lint, typecheck, test, build, E2E
cd.yml	EAS updates, Android/iOS builds, store submissions
deploy-gh-pages.yml	Documentation with TypeDoc

Action SHAs Updated

• actions/checkout@v6.0.2 → de0fac2e4500dabe0009e67214ff5f5447ce83dd
• actions/setup-node@v6 → 6044e13b5dc448c55e2357c09f80417699197238
• pnpm/action-setup@v4 → c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c
• expo/expo-github-action@v8 → c7b66a9c327a43a8fa7c0158e7f30d6040d2481e
• codecov/codecov-action@v5 → 671740ac38dd9b0130fbe1cec585b89eea48d3de
• coverallsapp/github-action@v2 → 5cbfd81b66ca5d10c19b062c04de0199c215fb6e
• SonarSource/sonarcloud-github-action@v5 → ffc3010689be73b8e5ae0c57ce35968afd7909e8

Test plan

• CI workflow passes lint, typecheck, tests
• CD workflow correctly triggers EAS builds
• Render staging deployment works after connecting repo
• GitHub Pages deploys documentation

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Automated CD workflow for preview, Android, and iOS EAS builds and production deploys
  • Preview and development build pipelines plus PR preview updates
  • End-to-end web testing added to CI

• Documentation

  • Automated API docs generation and documentation site build

• Chores

  • Standardized Node.js v22 and package manager declaration; added doc tooling and Render staging configuration

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@jbdevprimary has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 0 minutes and 29 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 04a9270 and 3e0684b.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (7)

• .eas/workflows/production-deploy.yml
• .github/workflows/cd.yml
• .github/workflows/deploy-gh-pages.yml
• app.config.ts
• app.json
• docs/memory-bank/DEVELOPMENT-LOG.md
• package.json

📝 Walkthrough

Walkthrough

Replaces Node/pnpm version sourcing to use .nvmrc and package.json packageManager; adds multiple CI/CD workflows (CD, EAS workflows, E2E web), TypeDoc/docs generation and Pages deploy changes, Render staging config, and related workflow/action updates across GitHub Actions and EAS configs.

Changes

Cohort / File(s)	Summary
Action: setup-thumbcode .github/actions/setup-thumbcode/action.yml	Switched from node-version input to node-version-file (default .nvmrc); removed pnpm-version input (pnpm read from package.json.packageManager); added/updated flags for token/icon/token generation.
CI Workflows .github/workflows/ci.yml	Updated external action versions; renamed build → build-web; added e2e-web job that installs Playwright, downloads web artifact, runs E2E tests, and uploads reports on failure.
CD / EAS Workflows .github/workflows/cd.yml, .eas/workflows/*.yml, .eas/workflows/preview-update.yml, .eas/workflows/production-deploy.yml, .eas/workflows/development-builds.yml	Added CD workflow for EAS preview/build flows; new EAS workflows for preview updates, production deploy orchestration (fingerprint, conditional build/publish), and development build matrix for PRs.
Pages / Docs Deployment .github/workflows/deploy-gh-pages.yml, docs-dist/*	Changed docs workflow trigger paths; setup Node/pnpm from .nvmrc and package.json; install with --frozen-lockfile; added TypeDoc generation to docs-dist/api; build and upload docs-dist artifact and updated Pages upload action.
Repository metadata package.json, .nvmrc	Added packageManager: "pnpm@10.11.0" and devDeps typedoc, typedoc-plugin-markdown; added .nvmrc with 22.12.0.
Render deployment render.yaml	Added Render staging blueprint: static runtime, build/export command, PR previews, security headers, caching policies, SPA fallback, and NODE_VERSION/PNPM_VERSION envs.
App config app.json	Removed experiments.baseUrl while retaining typedRoutes: true.

Sequence Diagram(s)

sequenceDiagram
    participant GHA as GitHub Actions
    participant Repo as Repository
    participant EAS as Expo EAS
    participant StoreA as Google Play
    participant StoreB as Apple App Store

    rect rgba(100,150,200,0.5)
    note over GHA,Repo: CD workflow — checkout & setup
    end

    GHA->>Repo: checkout
    GHA->>GHA: setup-thumbcode (node from .nvmrc, pnpm from package.json)
    GHA->>EAS: trigger build / create preview update
    EAS-->>GHA: build artifact / update result
    alt platform includes Android & profile=production
        GHA->>StoreA: submit Android build
        StoreA-->>GHA: submission response
    end
    alt platform includes iOS & profile=production
        GHA->>StoreB: submit iOS build
        StoreB-->>GHA: submission response
    end

Loading

sequenceDiagram
    participant GHA as GitHub Actions
    participant Runner as CI Runner
    participant Artifact as Web Build Artifact
    participant Playwright as Playwright

    rect rgba(150,100,200,0.5)
    note over GHA,Playwright: CI E2E Web flow
    end

    GHA->>Runner: build-web job -> produce artifact
    Runner->>Artifact: upload artifact
    GHA->>Runner: e2e-web job downloads artifact
    Runner->>Playwright: install browsers
    Runner->>Playwright: run tests against artifact
    alt tests fail
        Playwright-->>GHA: upload report
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• Extract and bootstrap ThumbCode with programmatic design system, pnpm, and Biome (merged with release/initial-0.1) #2: Overlaps on Node/pnpm version sourcing (.nvmrc, packageManager) and workflow changes for pnpm-based setup.
• Add files via upload #1: Modifies the same .github/actions/setup-thumbcode/action.yml inputs and behavior; directly related.
• fix(deploy): add baseUrl for GitHub Pages and disable caching #62: Related to Pages/docs deployment and app.json experiments (baseUrl) — overlapping changes to deploy-gh-pages and app config.

Poem

🐰 I nibble .nvmrc beneath the moonlit tree,
pnpm whispers versions from package.json to me.
EAS sends builds that hop and glide,
Playwright checks ponds where bugs might hide.
Docs bloom bright — a carrot for the review spree. 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: adding Render staging deployment configuration and refactoring CI/CD workflows across multiple files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In @.github/workflows/cd.yml:
- Around line 41-43: The eas-update job is unreachable because its conditional
if: github.event_name == 'pull_request' doesn't match the workflow triggers;
update the workflow triggers (the top-level on: block) to include pull_request,
or alternatively remove/adjust the job's if condition to match existing triggers
(push/workflow_dispatch). Locate the eas-update job and the on: triggers in the
same file, then either add pull_request to the on: block or change the job's if
to a condition that matches push/workflow_dispatch so the job can run.
- Around line 202-205: The Android submission step "Submit to Play Store" is
missing the required EXPO_ANDROID_SERVICE_ACCOUNT_KEY_PATH env var needed by
eas.json; update the Android submit step that runs "eas submit --platform
android --latest --non-interactive" to include an env block setting
EXPO_ANDROID_SERVICE_ACCOUNT_KEY_PATH: ${{
secrets.EXPO_ANDROID_SERVICE_ACCOUNT_KEY_PATH }} so the Play Store submission
has the service account key available.

In `@render.yaml`:
- Around line 22-32: The Cache-Control rules overlap because the general rule
"path: /*" can match asset requests like "/assets/*" and "/_expo/*"; reorder the
rules so the specific patterns ("/assets/*" and "/_expo/*") appear before the
general "/*" entry or replace the general rule with a root-only pattern for HTML
(e.g., a root-level or explicit HTML path) to ensure static assets keep "public,
max-age=31536000, immutable" while HTML uses "no-cache, no-store,
must-revalidate".

🧹 Nitpick comments (4)

render.yaml (1)

11-25: Consider adding HSTS and CSP security headers.

The current security headers are good. For a staging environment, consider adding:

• Strict-Transport-Security (HSTS) to enforce HTTPS
• Content-Security-Policy for XSS protection

🔒 Suggested additional security headers

       - path: /*
         name: Referrer-Policy
         value: strict-origin-when-cross-origin
+      - path: /*
+        name: Strict-Transport-Security
+        value: max-age=31536000; includeSubDomains

.github/workflows/deploy-gh-pages.yml (2)

46-49: Silent failure in TypeDoc generation may hide issues.

Using || true suppresses all TypeDoc errors, meaning the workflow will succeed even if API documentation generation completely fails. Consider logging a warning or checking if output was generated.

🔧 Suggested improvement to detect TypeDoc failures

      - name: Generate API documentation with TypeDoc
        run: |
          pnpm add -D typedoc typedoc-plugin-markdown
-          npx typedoc --out docs-dist/api src/index.ts --plugin typedoc-plugin-markdown || true
+          if ! npx typedoc --out docs-dist/api src/index.ts --plugin typedoc-plugin-markdown; then
+            echo "::warning::TypeDoc generation failed - API docs may be missing"
+          fi

---

113-116: Markdown links won't render as HTML on GitHub Pages.

Links like ./README.md will prompt users to download raw markdown files rather than viewing rendered content. Consider using a static site generator (e.g., Jekyll which GitHub Pages supports natively) or converting markdown to HTML.

If you want a quick fix without adding a build tool, you could link to the GitHub repo's rendered markdown instead:

-                <li><a href="./README.md">README</a></li>
-                <li><a href="./CLAUDE.md">Agent Playbook (CLAUDE.md)</a></li>
-                <li><a href="./DECISIONS.md">Technical Decisions</a></li>
+                <li><a href="https://github.com/agentic-dev-library/thumbcode/blob/main/README.md">README</a></li>
+                <li><a href="https://github.com/agentic-dev-library/thumbcode/blob/main/CLAUDE.md">Agent Playbook (CLAUDE.md)</a></li>
+                <li><a href="https://github.com/agentic-dev-library/thumbcode/blob/main/DECISIONS.md">Technical Decisions</a></li>

Alternatively, consider enabling Jekyll or adding a markdown-to-HTML conversion step.

.github/workflows/cd.yml (1)

51-57: Consider using environment variable for secret check.

The current pattern works, but using ${{ secrets.EXPO_TOKEN }} directly in the shell expands the secret value. A cleaner pattern uses an environment variable, which GitHub Actions will mask regardless.

♻️ Alternative pattern

      - name: Check for EXPO_TOKEN
+        env:
+          EXPO_TOKEN: ${{ secrets.EXPO_TOKEN }}
        run: |
-          if [ -z "${{ secrets.EXPO_TOKEN }}" ]; then
+          if [ -z "$EXPO_TOKEN" ]; then
            echo "EXPO_TOKEN secret is required for EAS operations"
            echo "Learn more: https://docs.expo.dev/eas-update/github-actions"
            exit 1
          fi

[jbdevprimary]

CodeRabbit Review - Fixes Applied ✅

Addressed the remaining review comments in commit e332f68:

1. Android submission credentials (cd.yml:222)

Added EXPO_ANDROID_SERVICE_ACCOUNT_KEY_PATH env var to the submit-android job, matching the pattern used for iOS submission.

2. render.yaml header precedence (render.yaml:38)

Reordered Cache-Control headers so specific paths (/assets/*, /_expo/*) come before the general /* rule to avoid nondeterministic matching, as documented in Render's static-site headers docs.

Both threads can now be resolved.

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In @.github/workflows/cd.yml:
- Around line 11-17: The pull_request paths filter currently lists 'src/**',
'app.json', and 'eas.json' which means changes to package.json won't trigger the
PR preview; update the pull_request.paths array to include 'package.json' so
dependency or script changes trigger the workflow (locate the pull_request ->
paths block in .github/workflows/cd.yml and add 'package.json' to that list).
- Around line 62-88: The "Check for EXPO_TOKEN" step currently exits 0 but does
not prevent later steps ("Setup Expo and EAS", "Create preview update") from
running; change the check to set a step output (e.g., has_token) or set
EXPO_TOKEN at the job env level and then add conditional guards (if:
steps.<check-step-id>.outputs.has_token == 'true' or if: env.EXPO_TOKEN != '')
to the subsequent steps so they are skipped when the token is missing; update
the "Check for EXPO_TOKEN" step to emit the chosen output (true/false) when it
detects the secret and ensure "Setup Expo and EAS" and "Create preview update"
reference that output in their if conditions.

In @.github/workflows/deploy-gh-pages.yml:
- Around line 111-114: The links in deploy-gh-pages.yml point to raw markdown
(README.md, CLAUDE.md, DECISIONS.md) which will be served unrendered; update the
workflow to either (a) add a build step that converts those markdown files to
HTML (e.g., run Jekyll build or a pandoc/markdown-to-html step) so the output
contains README.html, CLAUDE.html, DECISIONS.html (and an HTML version of the
api/ docs), or (b) change the nav links to point to the rendered pages produced
by your site generator (e.g., README.html) and ensure the deploy step publishes
the generated site folder; modify the job in deploy-gh-pages.yml that produces
the site artifact to run the converter (or jekyll build) and deploy the
generated HTML files instead of raw .md files.

♻️ Duplicate comments (1)

.github/workflows/cd.yml (1)

192-193: Add Play Store service account env for Android submit.

The Play Store submission step still doesn’t supply EXPO_ANDROID_SERVICE_ACCOUNT_KEY_PATH, which eas.json expects. This will likely fail at submit time.

🛠️ Suggested fix

      - name: Submit to Play Store
        run: eas submit --platform android --latest --non-interactive
+       env:
+         EXPO_ANDROID_SERVICE_ACCOUNT_KEY_PATH: ${{ secrets.EXPO_ANDROID_SERVICE_ACCOUNT_KEY_PATH }}

🧹 Nitpick comments (3)

.github/workflows/deploy-gh-pages.yml (2)

6-10: Consider adding path filters for TypeDoc configuration files.

The path filters may miss documentation-relevant changes:

• package.json changes (TypeDoc version updates)
• tsconfig.json changes (affects TypeDoc's type resolution)
• typedoc.json if a config file is added later

Suggested path filters

     paths:
       - 'docs/**'
       - 'src/**/*.ts'
       - 'src/**/*.tsx'
       - '.github/workflows/deploy-gh-pages.yml'
+      - 'package.json'
+      - 'tsconfig.json'
+      - 'typedoc.json'

---

46-47: Prefer pnpm exec over npx for installed dependencies.

Since typedoc is a devDependency, using pnpm exec ensures the installed version is used rather than potentially downloading a different one via npx.

Suggested change

      - name: Generate API documentation with TypeDoc
-        run: npx typedoc --out docs-dist/api src/index.ts --plugin typedoc-plugin-markdown
+        run: pnpm exec typedoc --out docs-dist/api src/index.ts --plugin typedoc-plugin-markdown

.github/workflows/cd.yml (1)

78-82: Pin eas-version to a specific version instead of latest for reproducible builds.

Using latest causes non-deterministic builds across workflow runs. While EAS CLI follows semantic versioning with breaking changes only on major version bumps (reducing surprise breakage), pinning to an explicit version (e.g., 16.18.0) ensures consistency across all jobs and makes dependency updates intentional. Update eas-version at lines 81, 119, 157, 189, and 218.

[jbdevprimary]

Additional Fixes (b111e5b)

1. App Store Submission Jobs Removed

Removed submit-android and submit-ios jobs pending credential setup. Created issue #66 to track the required configuration.

Current Release Strategy:

• Web staging: Automatic via Render.com (render.yaml)
• Mobile builds: Download from expo.dev after EAS build completes
• App store submissions: Pending credential configuration (issue feat: Configure EAS production builds and app store submissions #66)

2. Fixed typedoc-plugin-markdown Version

Changed from ^5.0.0 (doesn't exist) to ^4.9.0 (latest available) and updated pnpm-lock.yaml.

CI should now pass with the corrected lockfile.

[jbdevprimary]

CodeRabbit Review - Final Fixes (15edabe)

1. Added package.json to PR path filters ✅

Dependency changes will now trigger EAS Update PR previews.

2. GitHub Pages markdown rendering → Issue #67

Created issue #67 to track upgrading the documentation site to Astro SSG. This is a larger enhancement that will be addressed separately.

All review comments have now been addressed or tracked.

[jbdevprimary]

Re: Markdown Rendering on GitHub Pages

The remaining CodeRabbit comment about markdown files not rendering as HTML has been tracked in issue #67 (Astro SSG upgrade).

This is a larger enhancement that doesn't block the current PR goals:

• ✅ Render staging deployment configuration
• ✅ CI/CD workflow refactoring
• ✅ DRY version management (.nvmrc, packageManager)
• ✅ All CI checks passing

Ready for merge pending any final review.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.eas/workflows/production-deploy.yml:
- Around line 47-55: The workflow currently may skip in-progress builds because
get_android_build (the job producing needs.get_android_build.outputs.build_id)
relies on the default behavior that returns only completed builds; update the
get_android_build job configuration to include wait_for_in_progress: true if you
want the workflow to wait for any matching in-progress builds to finish and thus
ensure publish_android_update runs, otherwise document that skipping in-progress
builds is intentional; reference the get_android_build job and the
publish_android_update step when making the change so the outputs and
conditional if: ${{ needs.get_android_build.outputs.build_id }} behave as
expected.

🧹 Nitpick comments (1)

.github/workflows/cd.yml (1)

86-89: Consider pinning EAS CLI version for reproducibility.

Using eas-version: latest across all jobs (lines 88, 127, 165) may cause unexpected behavior if EAS CLI introduces breaking changes. Consider pinning to a specific version to match the reproducibility approach used for other action SHAs.

♻️ Suggested change

       uses: expo/expo-github-action@c7b66a9c327a43a8fa7c0158e7f30d6040d2481e # v8
       with:
-        eas-version: latest
+        eas-version: 16.x
         token: ${{ secrets.EXPO_TOKEN }}

Also applies to: 125-128, 163-166

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🚀 Expo preview is ready!

• Project → thumbcode
• Platforms → android, ios
• Scheme → thumbcode
• Runtime Version → 0.1.0
• More info

Learn more about 𝝠 Expo Github Action