Commit Graph
15 Commits
Author SHA1 Message Date
Kai (Tam Nhu) TranandGitHub 107b5b5db4 fix(docker): apply red-team findings — drop :full, rc.1 soak, healthcheck, signing (#1251) (#1262)
* docs(quickstart): fix raw URL for corporate-proxy fallback (H1)

* feat(docker)!: drop :full image variant — use sibling containers on ccs-net (Q3)

No AI CLIs (claude-code/gemini-cli/grok-cli/opencode) are bundled in the image.
Use sibling containers attached to ccs-net instead.
See docker/README.md#connect-your-app-to-cliproxy.

Also removes bash from apk deps (entrypoint uses #!/bin/sh — L2).

ci(docker): publish only immutable :<ver> tag pre-smoke; promote-mutable-tags
job adds :latest/:MAJOR/:MINOR aliases only after smoke tests pass (H3)

ci(docker): smoke-test-compose-url runs network-contract.sh against the
downloaded /tmp/ccs-compose.yaml instead of re-cloning the repo (H4)

ci(docker): sign published images with cosign keyless OIDC + attach
provenance/SBOM via build-push-action (M8)

test(docker): network-contract.sh now accepts compose-file and image-ref
positional args; replaces python3 healthcheck parser with jq (L4)

* chore(release): cut every main release as rc.N prerelease, manual promote flow (H2)

- .releaserc.cjs: main branch now uses prerelease 'rc' channel — every
  semantic-release cut becomes vX.Y.Z-rc.N
- add promote-release.yml: workflow_dispatch flips rc → stable via
  'gh release edit --prerelease=false'; triggers docker promote-mutable-tags
- add docs/release-process.md: full soak + promote procedure, rollback steps,
  cosign verification command
- releaseNotesGenerator: add revert section, document chore hidden behaviour (L8)

* fix(docker): healthcheck probes both dashboard and cliproxy ports (M1)

compose.yaml healthcheck now checks :3000 and :8317 concurrently with
a 4.5s internal timeout, within Docker's 5s timeout budget.

Also:
- docs(docker): document npm lockfile ephemeral tradeoff above install
  layer; note size-budget regression test as the practical safeguard (M3)
- docs(docker): drop :full row from Choosing an image table; add sibling
  container note pointing to connect-your-app-to-cliproxy (Q3/docs)
- docs(docker): remove :full docker run block; fix release-tag sentence (Q3)
- docs(docker): fix raw URL in migration section (H1 parity)
- docs(docker): add Volume warning — 'down -v' deletes named volumes (L13)
- docs(docker): update What changes table — remove :full reference (Q3)
- docs(docker): add Image Signatures and SBOM section with cosign verify
  and sbom download commands (M8/docs)
- changelog: add Unreleased entries for rc soak, cosign signing, :full
  removal with migration guidance

* ci(docker): assert image-size budget per platform; add compose parity + breaking-change guard (M6/L9/L12)

- image-size.sh: add --platform flag; uses 'docker buildx imagetools
  inspect' to sum compressed layer sizes from registry manifest for
  linux/amd64 and linux/arm64 separately (M6)
- docker-release.yml smoke-test: runs size check for both platforms
- compose-parity.sh: diffs docker/compose.yaml vs
  docker/docker-compose.integrated.yml for image name, ports 3000/8317,
  volume mounts /root/.ccs and /var/log/ccs, ccs-net definition (L12)
- ci.yml: add compose-parity job wired to cliproxy runner (L12)
- breaking-change-guard.yml: fails PR if compose.yaml changes image name,
  network name, or container_name without a feat!/fix! commit (L9)

* chore(ci): fix cosign shell substitution — use tr instead of bash @L expansion (L6/nit)

* test(docker): fix compose-parity port regex for variable-interpolated host ports
2026-05-16 13:33:12 -04:00
Kai (Tam Nhu) TranandGitHub 2273757c83 fix(ci): harden self-hosted workflow trust boundaries
Keep active CCS workflows on self-hosted runners, gate self-hosted PR execution to trusted authors, and scope privileged release credentials to the exact git operations that need them.
2026-05-12 12:34:15 -04:00
Tam Nhu Tran 051f78aee7 chore(ci): split dev quality checks from release automation 2026-04-22 15:05:44 -04:00
Tam Nhu Tran 08edf1eef4 fix(ci): isolate bun cache per job 2026-04-21 12:34:43 -04:00
Tam Nhu Tran 1b3ca82a84 fix(ci): stop caching node_modules in GitHub Actions
- cache only Bun's package cache so CI stops restoring partial hard-linked node_modules trees

- bump the cache key to avoid reusing corrupt node_modules archives on self-hosted runners
2026-04-20 13:23:42 -04:00
Tam Nhu Tran 69da284104 test(proxy): gate proxy e2e coverage in checks 2026-04-20 12:44:53 -04:00
Wooseong Kim 02747edb72 fix(ci): validate cached ui dependencies 2026-04-20 14:15:00 +09:00
Tam Nhu Tran ad54e179b6 ci: add concurrency group and split build/test with artifact sharing
- Add concurrency group keyed on github.ref with cancel-in-progress to stop superseded runs on rapid pushes
- Split validate matrix into: validate (typecheck/lint/format), build, test
- Build uploads dist/ artifact; test downloads instead of rebuilding (removes inline build:all duplication)
- Net: faster feedback, less runner time, DRY build step
2026-04-19 15:40:21 -04:00
Tam Nhu Tran b014b5cb51 chore(ci): parallelize CI matrix + cache, tighten AI-facing quality gate
- ci.yml: 5-job matrix (typecheck/lint/format/build/test), fail-fast off,
  actions/cache on ~/.bun/install/cache + node_modules + ui/node_modules.
  Target wall time ~60-90s vs prior ~3-4min.
- .husky/pre-push: add bun run build:all to feature-branch fast gate so
  UI tsc -b errors are caught pre-push (~18s warm).
- CLAUDE.md (symlinked as AGENTS.md): fix validate drift (maintainability
  is NOT part of validate), add CI-First Protocol mandating gh pr checks
  --watch after every push, replace pre-commit checklist with two-tier
  model (iterative push vs pre-merge).

Branch protection on main/dev must be updated post-merge to require the
new matrix status checks instead of the single legacy "validate" check.
2026-04-19 14:47:18 -04:00
Tam Nhu Tran 41a31c8a4f fix(ci): resolve flaky api-command module resolution and migrate to self-hosted runner
Root cause: Bun's test runner fails to resolve exports from directory
index.ts files during parallel test execution. The api-command/index.ts
imports 8 subcommand modules — if any fail to load during concurrent
test runs, the entire module fails with "Export not found."

Fix: extract createApiCommandHandler into handler.ts (lightweight, only
imports named-command-router). Test imports from handler.ts directly,
bypassing the heavy index.ts that loads all subcommand modules.

Also:
- Remove stale api-command.ts barrel file
- Use explicit /index import paths in source
- Migrate CI validate to self-hosted runner with clean artifact step
- Disable Bun cache (no-cache: true) on self-hosted runner
2026-03-26 18:12:32 -04:00
Tam Nhu Tran 03a0fb27ca fix(ci): remove maintainability baseline gate blocking releases
The maintainability gate (process.exit count + sync FS API count) was
a raw grep counter that provided no actionable signal for a CLI tool.
It blocked the v7.53.0 stable release because new features naturally
increased the counts beyond the baseline.

Removed:
- scripts/maintainability-baseline.js
- scripts/maintainability-check.js
- docs/metrics/maintainability-baseline.json
- All maintainability:* npm scripts
- Gate references from release, dev-release, and CI workflows

Quality gates retained: typecheck, eslint, prettier, full test suite.
2026-03-11 10:51:05 +07:00
Tam Nhu Tran fdb32e2c53 fix(maintainability): make gate parallel-pr friendly 2026-02-26 14:46:56 +07:00
Tam Nhu Tran 0aed60febb fix(ci): enforce parity gate and stabilize test execution 2026-02-23 23:53:09 +07:00
kaitranntt 8095a4bc07 ci: optimize build pipeline to eliminate redundant builds
- validate now uses test:all directly (build already done)
- Added test:ci script for explicit CI usage
- ci.yml now builds UI deps and uses build:all
- dev-release.yml separates build and validate steps
- Reduces build count from 3-4 to 1 per release cycle
2025-12-09 17:47:33 -05:00
kaitranntt 9063c11e1f ci: add pr validation workflow for install, build, and lint 2025-12-05 15:01:40 -05:00