CI-CD Workflows
20 GitHub Actions workflow files in .github/workflows/ automate testing, building, and deployment.
Core Pipeline
| Workflow | Trigger | Purpose |
| --- | --- | --- |
| main-deploy.yml | Push to main | Build, test, deploy to development |
| pr-preview.yml | PR open/update | Preview deployment with ephemeral DB |
| pr-cleanup.yml | PR close | Destroy preview apps |
| promote-image.yml | Manual dispatch | Promote images: dev → staging → production |
| quality-checks.yml | PR + main push | Typecheck, lint, test, coverage |
Security Workflows
| Workflow | Trigger | Purpose |
| --- | --- | --- |
| security-scan.yml | Daily (2 AM UTC) + PR | 4-layer security scan |
| container-security-scan.yml | On image build | Trivy container vulnerability scan |
Database Workflows
| Workflow | Trigger | Purpose |
| --- | --- | --- |
| migration-tests.yml | PR (schema changes) | Migration syntax, ordering, destructive ops |
| staging-db-sync.yml | Manual | Sync staging DB from production |
| backup-verify.yml | Scheduled | Verify backup integrity |
Maintenance Workflows
| Workflow | Trigger | Purpose |
| --- | --- | --- |
| cleanup-registry.yml | Scheduled | Prune old container images |
| cleanup-orphaned-previews.yml | Scheduled | Remove stale preview apps |
| cache-warmup.yml | Post-deploy | Warm application caches |
Other Workflows
| Workflow | Trigger | Purpose |
| --- | --- | --- |
| e2e-tests.yml | PR + main | End-to-end Playwright tests |
| claude-code-review.yml | PR review request | AI-assisted code review |
| deploy-log-shipper.yml | Manual | Deploy log shipping infrastructure |
Required Status Check
The ci-gate job (in pr-preview.yml) is the single required status check for merging. It validates that all upstream jobs passed or were correctly skipped. See Git Workflow for branch protection rules.
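A gate like this matters because GitHub reports a skipped job as passing for a required check, and a job whose upstream failed is itself skipped unless it runs with `if: always()`. The script below is an added example, not the project's own ci-gate code, of how such a job can evaluate `toJSON(needs)`. The environment variable names, the job names in the sample, and the skip allowlist policy are assumptions.

```python
import json
import os
import sys

# Constructed sample of toJSON(needs); the job names are hypothetical.
SAMPLE_NEEDS = {
    "typecheck": {"result": "success", "outputs": {}},
    "migration-tests": {"result": "skipped", "outputs": {}},
    "e2e": {"result": "cancelled", "outputs": {}},
}


def evaluate_gate(needs, required, may_skip):
    """Return the reasons the gate must fail (an empty list means pass).

    needs    -- parsed toJSON(needs): {job_id: {"result": ..., "outputs": {...}}}
    required -- job ids that must be present (catches a job dropped from `needs`)
    may_skip -- job ids for which "skipped" is acceptable (assumed policy)
    """
    problems = [f"{j}: missing from needs" for j in sorted(set(required) - set(needs))]
    for job, info in sorted(needs.items()):
        result = info.get("result")
        if result == "success" or (result == "skipped" and job in may_skip):
            continue
        if result == "skipped":
            problems.append(f"{job}: skipped but not allowed to skip")
        elif result in ("failure", "cancelled"):
            problems.append(f"{job}: {result}")
        else:
            problems.append(f"{job}: unexpected result {result!r}")
    return problems


def main():
    # Assumed wiring: the gate job declares `if: always()` so it still runs
    # after an upstream failure, and sets NEEDS_JSON: ${{ toJSON(needs) }}.
    # REQUIRED_JOBS and MAY_SKIP_JOBS are space-separated job ids.
    needs = json.loads(os.environ["NEEDS_JSON"])
    required = os.environ.get("REQUIRED_JOBS", "").split()
    may_skip = set(os.environ.get("MAY_SKIP_JOBS", "").split())
    problems = evaluate_gate(needs, required, may_skip)
    for problem in problems:
        print(f"ci-gate: {problem}", file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Failing closed on a missing or unrecognised result keeps a renamed or removed upstream job from silently turning the required check green.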
| Tag Pattern | Source |
| --- | --- |
| main-<sha> | Main branch builds |
| dev-latest | Latest development build |
| pr-<number> | PR preview builds |
development --> staging --> production
   (auto)      (manual)     (manual)
gh workflow run promote-image.yml -f source_environment=development -f target_environment=staging
The same immutable Docker image is promoted across environments.