chore(ci): refactor build and release workflows #195
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Consolidate build process with unified artifact generation - Add Docker image build support with multi-platform capability - Implement NPM package preparation workflow - Enhance security scanning with CodeQL integration - Replace DeepSource with SonarQube for code quality analysis - Add comprehensive issue templates and PR template - Improve artifact naming with commit SHA for traceability - Add build manifest generation for transparency - Update release process to create tag before artifacts - Add reusable Docker workflow for modularity 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
|
Here's the code health analysis summary for commits Analysis Summary
Code Coverage Report
|
There was a problem hiding this comment.
Pull Request Overview
This PR performs a major refactoring of GitHub Actions workflows to consolidate build processes, enhance security scanning, and improve release automation. The changes separate concerns between validation, security scanning, artifact building, and publishing while adding Docker support and switching from DeepSource to SonarQube for code quality analysis.
Key changes include:
- Unified build process with reusable artifacts and build manifests for better traceability
- Separation of test execution from linting with dedicated security scanning workflow
- Addition of Docker multi-platform builds and container security scanning with Trivy
- Enhanced NPM package preparation with SLSA provenance attestations
Reviewed Changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/reusable-validate.yml |
Split validation into separate test and lint jobs, replaced DeepSource with SonarQube, added changeset validation |
.github/workflows/reusable-setup.yml |
Deleted - functionality merged into other workflows |
.github/workflows/reusable-security.yml |
Consolidated security scanning with dependency audit and OSV scanner |
.github/workflows/reusable-docker.yml |
New Docker workflow with multi-platform builds and Trivy security scanning |
.github/workflows/publish.yml |
Enhanced to use pre-built artifacts with attestations and improved Docker publishing |
.github/workflows/pr.yml |
Updated to use new validation structure with optional Docker builds |
.github/workflows/main.yml |
Major refactor with unified build phase and separate artifact preparation jobs |
.github/workflows/codeql.yml |
New dedicated CodeQL security scanning workflow |
.github/scripts/determine-artifact.sh |
New script for resolving build artifacts from GitHub releases |
.github/pull_request_template.md |
New PR template for contributor guidance |
.github/ISSUE_TEMPLATE/feature_request.md |
New feature request issue template |
.github/ISSUE_TEMPLATE/bug_report.md |
New bug report issue template |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
- revert sonarqube changes to use deepsource for test coverage - update main.yml to pass DEEPSOURCE_DSN secret - update pr.yml to pass DEEPSOURCE_DSN secret - update reusable-validate.yml to expect DEEPSOURCE_DSN - preserve existing deepsource test coverage workflow integration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- add nodejs user with UID 1001 and GID 1001 (DS002 HIGH) - change ownership of /app directory to nodejs user - switch to non-root user before starting application - add HEALTHCHECK instruction for container monitoring (DS026 LOW) - resolves Trivy security scan failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- remove HEALTHCHECK instruction as it doesn't provide meaningful verification for stdio-based MCP servers - DS026 (LOW severity) will be flagged but won't block builds - only HIGH/CRITICAL severities cause build failures 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- document workflow improvements and consolidation - highlight docker security enhancements - note developer experience improvements - patch version bump for infrastructure changes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- add HEALTHCHECK instruction for container monitoring - resolves DS026 (LOW severity) Trivy finding - ensures clean security scan with no findings 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Major refactoring of GitHub Actions workflows to improve build consistency, security, and release automation. This PR consolidates the build process, adds Docker support, enhances security scanning, and improves overall workflow efficiency.
Key Changes
Build & Release Improvements
Docker Support
reusable-docker.ymlfor multi-platform image builds (linux/amd64, linux/arm64)ENABLE_DOCKER_RELEASEvariableNPM Package Preparation
Security Enhancements
reusable-security.ymlDeveloper Experience
determine-artifact.shfor artifact resolutionWorkflow Optimization
reusable-setup.yml(functionality merged into other workflows)Files Changed
.github/workflows/main.yml- Major refactoring of main release workflow.github/workflows/pr.yml- Updated PR validation workflow.github/workflows/publish.yml- Enhanced publish workflow.github/workflows/reusable-docker.yml- New Docker build workflow.github/workflows/reusable-security.yml- Consolidated security scanning.github/workflows/reusable-validate.yml- Enhanced validation workflow.github/workflows/codeql.yml- New CodeQL security scanning.github/ISSUE_TEMPLATE/- New issue templates.github/pull_request_template.md- New PR template.github/scripts/determine-artifact.sh- New artifact resolution script.github/workflows/reusable-setup.ymlTesting
Benefits
Migration Notes
SONAR_TOKENsecret (replacesDEEPSOURCE_DSN)ENABLE_DOCKER_RELEASEvariable set totrueENABLE_NPM_RELEASEvariable set totruepackages: writefor container registry🤖 Generated with Claude Code