Comprehensive GitHub Actions-based CI/CD pipeline providing quality gates, security scanning, deployment automation, and monitoring for the Claude Code Quickstart project. Implements enterprise-grade practices with TDD-first methodology and progressive test architecture.
- In: Automated testing, security scanning, quality gates, deployment coordination, monitoring
- Out: Manual testing, external infrastructure management, third-party service configuration
workflows/ci.yml— Main CI pipeline with multi-Node.js matrix testingworkflows/security.yml— Dedicated security scanning and compliance checksworkflows/dashboard.yml— Pipeline health monitoring and metrics collectionworkflows/pr-validation.yml— Pull request specific validationsworkflows/deploy.yml— Production deployment workflowworkflows/release.yml— Release management automation../test/ci-cd/github-actions.spec.js— Comprehensive test suite../test/utils/github-actions-helpers.js— Pipeline testing utilities../.githooks/— Git hooks for local validation
# Progressive validation with proper dependency chains
ci → security-compliance → deploy → notify- Node.js 18.x, 20.x, 22.x on macOS-latest
- Fail-fast disabled for comprehensive coverage
- Caching enabled for npm dependencies
- SAST Analysis — ESLint security rules
- Dependency Audit — npm audit with moderate threshold
- Secret Scanning — 8 pattern types with exclusion logic
- License Compliance — Approved license validation
- Supply Chain Security — Package signature verification
All workflows reference REQ IDs in job comments:
# REQ-109 — Comprehensive CI/CD Pipeline with Quality Gates
# REQ-111 — CI/CD Pipeline Health Monitoring
# REQ-112 — Security and Compliance Validation- Source Code — Main project files and tests
- Git Repository — Branch protection and commit history
- Package Configuration — package.json and dependencies
- npm Registry — Package deployment target
- GitHub Artifacts — Test results and reports storage
- GitHub Environments — Production deployment controls
on:
push:
branches: [ main ]
tags: [ 'v*' ]on:
pull_request: [ opened, synchronize, reopened ]schedule:
- cron: '0 2 * * *' # Daily security scans
- cron: '0 * * * *' # Hourly dashboard updatesworkflow_dispatch:
inputs:
deploy:
description: 'Deploy to npm'
type: booleanpermissions:
contents: read
security-events: write
issues: write
pull-requests: read- NODE_AUTH_TOKEN — npm registry authentication
- GitHub Secrets — Proper
${{ secrets.NAME }}syntax - Environment Protection — Production environment gates
- License Validation — MIT, Apache-2.0, BSD variants allowed
- Dependency Review — GitHub's supply chain security
- Secret Pattern Detection — 8 comprehensive regex patterns
- SAST Integration — Security-focused linting rules
- Success Rate Tracking — 95% target threshold
- Execution Time Monitoring — 8-minute average target
- Failure Pattern Analysis — Categorized recovery mechanisms
- Artifact Collection — Test results, coverage reports, security scans
{
"pipeline_status": "healthy",
"success_rate": "95%",
"avg_duration": "8 minutes",
"builds_today": 12,
"avg_test_time": "2.5 minutes"
}- GitHub Step Summary — Automated pipeline reports
- Artifact Retention — 30-365 days based on artifact type
- Notification Job — Status aggregation across all pipeline stages
environment: production
needs: [ci, security-compliance]
if: |
success() &&
(github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))- Package Integrity —
npm pack --dry-run - Test Suite Execution — Full test battery
- Security Verification — Complete security pipeline
- Build Artifact Creation — Deployment record generation
- Failure Detection — Automated failure monitoring
- Notification System — Immediate failure alerting
- Manual Intervention Points — Environment protection rules
- Format Validation — Prettier compliance check
- Linting — ESLint validation
- Quick Tests — Subset execution for speed
- Basic Secret Scan — Simple pattern detection
- Full Test Suite — Complete test execution
- Build Verification — Package integrity check
- Security Scan — Comprehensive validation
- Performance Check — Regression detection
- Add step to
workflows/security.yml - Update
validateSecurityScanning()in test helpers - Add test case in
github-actions.spec.js - Reference appropriate REQ ID in comments
- Update
workflows/deploy.ymlenvironment configuration - Adjust
validateDeploymentPipeline()helper function - Update deployment-related tests
- Consider canary deployment patterns
- Add validation step to
workflows/ci.yml - Update dependency chain in
needs:arrays - Add corresponding test validation
- Update monitoring dashboard metrics
- Git Secrets — May not be pre-installed, requires fallback patterns
- License Checker — Use
npxfor consistent availability - npm audit signatures — Not universally supported, use
|| echofallback
- Job Ordering — Security must complete before deployment
- Failure Propagation — Use
if: success()for strict gates - Matrix Strategy — Disable
fail-fastfor comprehensive coverage
- Pattern Exclusions — Exclude test/spec/mock files from secret scanning
- Environment Variables — Use GitHub environments for sensitive deployments
- Dry-run Safety — Always test with
--dry-runbefore actual deployment
- REQ ID Traceability — All workflow jobs must reference requirement IDs
- Helper Function Updates — Maintain test helpers in sync with workflow changes
- Artifact Validation — Ensure test artifacts are collected for debugging
- CI Pipeline: < 8 minutes average execution
- Security Scan: < 5 minutes completion time
- Deployment: < 3 minutes end-to-end
- Test Suite: < 2.5 minutes execution time
- Success Rate: > 95% reliability target