This document describes the comprehensive CI/CD pipeline implementation for StackShare, covering automated testing, building, security scanning, and deployment processes.
The CI/CD system consists of multiple specialized workflows that work together to ensure code quality, security, and reliable deployments:
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β Push/PR βββββΆβ Change Detection βββββΆβ Targeted Builds β
β to main/dev β β (paths-filter) β β (backend/ β
βββββββββββββββββββ ββββββββββββββββββββ β frontend/mcp) β
βββββββββββββββββββ
β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β Security Scan ββββββ Docker Registry ββββββ Quality Gates β
β (Trivy/CodeQL) β β (ghcr.io) β β (tests/lint) β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
β Release βββββΆβ Full Stack βββββΆβ Deployment β
β (tags only) β β Integration β β Package β
βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ
Trigger: Changes to backend/** or workflow file
Purpose: Build, test, and publish backend API and MCP server
Jobs:
- Test: Unit + Integration tests with PostgreSQL
- Build & Push: Docker images for API and MCP
- Security Scan: Trivy vulnerability scanning
Key Features:
- .NET matrix testing (8.0.x)
- Testcontainers for integration tests
- Multi-architecture builds (amd64, arm64)
- Code coverage reporting
- Cached NuGet packages
Trigger: Changes to frontend/** or workflow file
Purpose: Build, test, lint, and publish frontend application
Jobs:
- Lint & Test: ESLint, TypeScript, unit tests
- E2E Tests: Full stack Playwright testing
- Build & Push: Docker image for frontend
- Security Scan: Trivy vulnerability scanning
- Lighthouse: Performance auditing (main branch only)
Key Features:
- Node.js caching
- Multi-browser E2E testing
- Performance monitoring
- Bundle size tracking
Trigger: Changes to MCP server code or workflow file Purpose: Specialized pipeline for Model Context Protocol server
Jobs:
- Test: MCP-specific testing
- Build & Push: Docker image for MCP server
- Integration Test: End-to-end MCP connectivity
- Security Scan: Vulnerability assessment
Trigger: Push/PR to main branch Purpose: Coordinate all pipelines and run integration tests
Jobs:
- Change Detection: Determine which components changed
- Workflow Orchestration: Call appropriate sub-workflows
- Full Stack Integration: Test complete system
- Deployment Gate: Quality gate for production readiness
Trigger: Daily schedule (2 AM UTC) + manual Purpose: Automated security scanning and dependency updates
Jobs:
- Dependency Review: Check for vulnerable dependencies
- Update .NET Dependencies: Automated minor/patch updates
- Update NPM Dependencies: Frontend dependency management
- Security Audit: Regular vulnerability scanning
- CodeQL Analysis: Static analysis for C# and JavaScript
- Docker Security Scan: Container and filesystem scanning
Trigger: Git tags (v*) or manual workflow dispatch
Purpose: Create releases with deployment packages
Jobs:
- Create Release: Generate GitHub release with changelog
- Build Release Images: Multi-architecture production images
- Deployment Package: Ready-to-deploy bundles
- Notifications: Release summaries and deployment instructions
All workflows use these standard environment variables:
env:
DOTNET_VERSION: '8.0.x'
NODE_VERSION: '20'
REGISTRY: ghcr.io
IMAGE_NAME_API: ${{ github.repository }}/stackshare-api
IMAGE_NAME_FRONTEND: ${{ github.repository }}/stackshare-frontend
IMAGE_NAME_MCP: ${{ github.repository }}/stackshare-mcpThe following secrets must be configured in GitHub repository settings:
| Secret | Purpose | Scope |
|---|---|---|
GITHUB_TOKEN |
Container registry access | Auto-provided |
LHCI_GITHUB_APP_TOKEN |
Lighthouse CI integration | Optional |
All images are published to GitHub Container Registry (ghcr.io):
- API:
ghcr.io/tassosgomes/stackview/stackshare-api - Frontend:
ghcr.io/tassosgomes/stackview/stackshare-frontend - MCP:
ghcr.io/tassosgomes/stackview/stackshare-mcp
Tagging Strategy:
latest: Latest main branch builddevelop: Latest develop branch buildsha-<commit>: Specific commit buildsv1.0.0: Release tags
- β All unit tests pass (xUnit)
- β All integration tests pass (Testcontainers + PostgreSQL)
- β Code builds without warnings
- β No high/critical security vulnerabilities
- β Docker images build successfully
- β ESLint passes (no errors)
- β TypeScript compilation succeeds
- β Unit tests pass (Vitest)
- β E2E tests pass (Playwright)
- β Performance audit passes (Lighthouse)
- β No high/critical security vulnerabilities
- β Backend pipeline success
- β Frontend pipeline success (if changed)
- β MCP pipeline success (if changed)
- β Full stack integration tests pass
- β Security scans complete
- β All images published to registry
Each pipeline produces comprehensive artifacts:
- Test Results: xUnit XML, Playwright HTML reports
- Code Coverage: Codecov integration
- Security Reports: SARIF format for GitHub Security tab
- Performance Reports: Lighthouse CI integration
- Build Artifacts: Compiled applications and Docker images
- Pull Requests: Status checks and required reviews
- Main Branch: Deployment summaries with quick-deploy commands
- Releases: Automated changelogs and deployment packages
- Security: GitHub Security tab integration
- Push to
developβ Triggers targeted pipelines - Quality gates pass β Images tagged as
develop - Deploy to staging environment (manual or automated)
- Create release tag β
git tag v1.0.0 && git push origin v1.0.0 - Release workflow runs β Creates GitHub release
- Download deployment package β Ready-to-deploy bundle
- Run deployment script β
./deploy.sh
Use the deployment package for any environment:
# Download and extract release
curl -L -o deploy.tar.gz "https://github.com/tassosgomes/stackview/releases/download/v1.0.0/stackshare-v1.0.0-deployment.tar.gz"
tar -xzf deploy.tar.gz
# Configure environment
cp .env.template .env
# Edit .env with your settings
# Deploy
./deploy.shThe security workflow runs daily to:
- Check for outdated .NET packages
- Check for outdated NPM packages
- Create automated PRs for minor/patch updates
- Ensure security vulnerabilities are addressed promptly
- Caching: NPM and NuGet packages cached between runs
- Parallel Jobs: Independent components build simultaneously
- Docker Layer Caching: GitHub Actions cache for faster image builds
- Change Detection: Only affected components are built/tested
- Least Privilege: Minimal permissions for each job
- Secrets Management: No hardcoded secrets, environment-based configuration
- Regular Scanning: Daily Trivy scans for vulnerabilities
- Dependency Review: Automatic dependency vulnerability checks
- SARIF Integration: Security findings integrated with GitHub Security tab
# Check for dependency conflicts
npm ls --depth=0 # Frontend
dotnet list package --vulnerable # Backend# Test builds locally
docker build -f backend/src/StackShare.API/Dockerfile .
docker build -f frontend/Dockerfile ./frontend# Run E2E tests locally
cd frontend
npm run test:e2e# Run security scans locally
npm audit # Frontend
dotnet list package --vulnerable # Backend- Check Workflow Logs: GitHub Actions β Workflow run β Job details
- Review Artifacts: Download test reports and build outputs
- Local Reproduction: Run the same commands locally
- Environment Issues: Verify secrets and environment variables
Force pipeline runs:
# Trigger specific workflows
gh workflow run backend.yml
gh workflow run frontend.yml
gh workflow run security.ymlSkip CI for commits:
git commit -m "docs: update README [skip ci]"The CI/CD system tracks:
- Build Success Rate: Percentage of successful pipeline runs
- Build Duration: Time from trigger to completion
- Test Coverage: Backend and frontend code coverage trends
- Security Posture: Number and severity of vulnerabilities
- Deployment Frequency: Release cadence and deployment success rate
- Performance Metrics: Lighthouse scores and bundle size trends
All metrics are available through GitHub Actions insights and can be integrated with external monitoring tools.