Summary
Establish and grow the GitHub Actions CI pipeline at .github/workflows/ci.yml.
Initial scope is workflow YAML linting, Markdown linting, generic YAML linting,
and secrets scanning. Additional checks land as the codebase introduces new
file types (Python, Dockerfiles, Terraform).
This Issue stays open until every task below ships. PRs reference it with Refs #1.
Why
main is protected by a ruleset that requires status checks to pass, but the
required-checks list is empty. The pipeline below provides the checks that give
the gate something to enforce.
Tasks
Foundation
- actionlint — workflow YAML linter
- markdownlint — Markdown linter
- yamllint — generic YAML linter
- gitleaks — secrets scanner
Python tooling (when first .py lands)
- ruff — linter and formatter
- mypy — type checker
- pytest — test runner
- bandit — Python security scanner
- pip-audit — dependency CVE scan
Testing (when first .py lands)
Container tooling (when Dockerfile lands)
- hadolint — Dockerfile linter
- trivy — container vulnerability scanner
Infrastructure tooling (when Terraform lands)
- tflint — Terraform linter
- checkov — Terraform security scanner
Shell
- shellcheck — when first .sh script lands
Pipeline integration
Per-PR criteria
Every PR against this Issue must satisfy:
- Branch named ci/<descriptive-slug>
- All workflow YAML lints clean
- All checks visible in the PR's checks panel
- Conventional Commits: ci(<scope>): ...
- PR description includes summary, what changed, how to verify
- References this Issue with Refs #1
Technical notes
- Pin third-party actions to major version. SHA-pinning lands separately with Dependabot.
- Linter config files live at the repo root.
- Design choice per PR: parallel jobs vs steps in one job.
- Job structure follows concerns (not tools): lint, unit-test, integration-test, e2e-test, security, build. Tools slot into the relevant concern's job as they're added.
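A sketch of what the Foundation scope looks like under these notes, written here as an added example rather than the project's actual ci.yml: jobs are split by concern (lint, security), third-party actions are pinned to a major version, and the workflow token is read-only. The action names, install commands and the root-level linter config paths are assumptions, not something this Issue specifies.

```yaml
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: nothing here needs to write to the repository.
permissions:
  contents: read

jobs:
  # Concern: lint. The three linters are steps in one job, so a single
  # status check covers the whole concern and new linters slot in as steps.
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # major-version pin, SHA pin later via Dependabot
      - uses: actions/setup-go@v5
        with:
          go-version: stable
      - name: actionlint (workflow YAML)
        run: |
          go install github.com/rhysd/actionlint/cmd/actionlint@latest
          actionlint -color
      - name: markdownlint
        # assumes .markdownlint.yaml at the repo root
        run: npx --yes markdownlint-cli '**/*.md'
      - name: yamllint
        # assumes .yamllint at the repo root; --strict turns warnings into failures
        run: |
          pip install yamllint
          yamllint --strict .

  # Concern: security. Full history is fetched so every commit in the PR is scanned.
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # organisation-owned repos additionally need GITLEAKS_LICENSE as a secret
```

Once both jobs are green, `lint` and `security` are the names to add to the ruleset's required-checks list.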
Definition of done
All tasks checked, all checks green on main, status check required by
branch protection, CI badge present in README.