Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>
CI/CD Configuration Guide
Configure Woodpecker CI, GitHub Actions, or GitLab CI for quality enforcement.
Woodpecker CI
Quality Rails includes a .woodpecker.yml template.
Pipeline Stages
- Install - Dependencies
- Security Audit - npm audit for CVEs
- Lint - ESLint checks
- Type Check - TypeScript compilation
- Test - Jest with coverage thresholds
- Build - Production build
Configuration
No additional configuration is needed. Push to the repository and Woodpecker runs the pipeline automatically.
Blocking Merges
Configure Woodpecker to block merges on pipeline failure:
- Repository Settings → Protected Branches
- Require Woodpecker pipeline to pass
GitHub Actions
Copy from templates/typescript-node/.github/workflows/quality.yml:
name: Quality Enforcement
on: [push, pull_request]
jobs:
  quality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm audit --audit-level=high
      - run: npm run lint
      - run: npm run type-check
      - run: npm run test -- --coverage
      - run: npm run build
Blocking Merges
- Repository Settings → Branches → Branch protection rules
- Require status checks to pass: quality
GitLab CI
Copy from templates/typescript-node/.gitlab-ci.yml:
stages:
  - install
  - audit
  - quality
  - build
install:
  stage: install
  script:
    - npm ci
audit:
  stage: audit
  script:
    - npm audit --audit-level=high
lint:
  stage: quality
  script:
    - npm run lint
typecheck:
  stage: quality
  script:
    - npm run type-check
test:
  stage: quality
  script:
    - npm run test -- --coverage
build:
  stage: build
  script:
    - npm run build
Coverage Enforcement
Configure Jest coverage thresholds in package.json:
{
  "jest": {
    "coverageThreshold": {
      "global": {
        "branches": 80,
        "functions": 80,
        "lines": 80,
        "statements": 80
      }
    }
  }
}
CI will fail if coverage drops below threshold.
Security Scanning
npm audit
Runs automatically in CI. Adjust the minimum severity at which the step fails:
npm audit --audit-level=moderate # Block moderate+
npm audit --audit-level=high # Block high+critical only
npm audit --audit-level=critical # Block critical only
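To see which packages a given level would block before changing the CI flag, the sketch below applies the same at-or-above threshold to a parsed `npm audit --json` report and fails closed when the report has no summary. It is an added example, not part of the Quality Rails templates; it assumes the npm 7+ report layout, and `auditGate`, `SAMPLE_REPORT` and the package names are hypothetical.

```javascript
// Severity ranks in the order npm reports them, lowest first.
const LEVELS = ["info", "low", "moderate", "high", "critical"];
const rank = (severity) => LEVELS.indexOf(severity);

// Decide whether a parsed `npm audit --json` report (npm 7+ layout, assumed)
// should fail the build at `level`, and list the packages responsible.
function auditGate(report, level = "high") {
  const min = rank(level);
  if (min < 0) throw new Error(`unknown audit level: ${level}`);

  const counts = report && report.metadata && report.metadata.vulnerabilities;
  if (!counts) {
    // No severity summary (for example the audit request itself failed):
    // fail closed rather than treating a missing result as a clean one.
    return { blocked: true, reason: "no audit summary in report", packages: [] };
  }

  // Packages at or above the threshold, most severe first, then by name.
  const packages = Object.values(report.vulnerabilities || {})
    .filter((v) => rank(v.severity) >= min)
    .sort((a, b) => rank(b.severity) - rank(a.severity) || a.name.localeCompare(b.name))
    .map((v) => ({ name: v.name, severity: v.severity, direct: Boolean(v.isDirect) }));

  const total = LEVELS.slice(min).reduce((n, l) => n + (counts[l] || 0), 0);
  return {
    blocked: total > 0,
    reason: total > 0 ? `${total} finding(s) at ${level} or above` : "below threshold",
    packages,
  };
}

// Constructed sample report; the package names are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": { name: "example-parser", severity: "moderate", isDirect: false },
    "example-http": { name: "example-http", severity: "high", isDirect: true },
    "example-tmpl": { name: "example-tmpl", severity: "critical", isDirect: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1, total: 3 } },
};

// Show what each level from the list above would block for the sample.
for (const level of ["moderate", "high", "critical"]) {
  const r = auditGate(SAMPLE_REPORT, level);
  console.log(level, r.blocked, r.reason, r.packages.map((p) => p.name).join(","));
}
```

The `direct` flag separates dependencies you can upgrade yourself from transitive ones that need an upstream fix or an override.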
Snyk Integration
Add to CI for additional security:
- run: npx snyk test
Requires SNYK_TOKEN environment variable.
Notification Setup
Woodpecker
Configure in Woodpecker UI:
- Slack/Discord webhooks
- Email notifications
- Status badges
GitHub Actions
Add notification step:
- name: Notify on failure
  if: failure()
  env:
    WEBHOOK_URL: ${{ secrets.WEBHOOK_URL }}  # assumes a repository secret with this name
  run: |
    curl -X POST "$WEBHOOK_URL" -d "Build failed"
Troubleshooting
Pipeline fails but pre-commit passed:
- CI runs all packages; pre-commit only checks changed files
- Fix issues in all packages, not just changed files
npm audit blocks on low-severity:
- Adjust --audit-level to moderate or high
Coverage threshold too strict:
- Lower thresholds in package.json
- Add coverage exceptions for specific files