Comprehensive guide to Discogsography's CI/CD workflows and automation
📋 Workflows | 🔧 Composite Actions | ⚡ Performance | 🛡️ Security | 🎯 Best Practices
Discogsography uses GitHub Actions for continuous integration, testing, and deployment automation. All workflows follow consistent patterns with emojis for visual clarity and optimal performance through parallelization and caching.
Trigger: Push to main, PRs, two scheduled crons, manual dispatch
Purpose: Main CI pipeline that orchestrates all quality checks and Docker builds
```yaml
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 1 * * 6" # Saturday 01:00 UTC — full build
    - cron: "0 4 * * 1" # Monday 04:00 UTC — security-focused build
  workflow_dispatch:
```

Jobs:
- Detect Changes 🔍 - Determines which files changed for conditional execution
- List Sub-Projects 📋 - Provides service matrix for downstream jobs
- Code Quality ✅ - Runs linting and formatting checks
- Security 🛡️ - Comprehensive security scanning
- Docker Compose Validate 🐳 - Validates docker-compose syntax
- Docker Validate 🐳 - Dockerfile linting and build testing
- Tests 🧪 - Executes unit and integration tests (parallel with E2E)
- E2E Tests 🎭 - Browser-based testing (parallel with unit tests)
- Aggregate Results 📊 - Collects and summarizes job outcomes
- Docker Build 🐳 - Builds and pushes images to GitHub Container Registry
Key Features:
- ⚡ Parallel test execution for faster feedback
- 💾 Advanced Docker layer caching
- 📊 Build metrics and performance tracking
- 📢 Discord notifications with build status
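The Detect Changes 🔍 job above, and the "smart test detection" the test workflow relies on, both come down to one decision: which changed paths make which jobs necessary. The script below is an added example of that decision, not the project's own job. The path rules in it (service directories, `common/`, `tests/`, `e2e/`, `.github/`, docs) and the job names are assumed for the demonstration; the real job's filters are not shown on this page. The two failure modes worth getting right are both handled: a path no rule recognises forces a full run instead of a silent skip, and scheduled or manual runs never skip anything.

```python
"""Decide which downstream jobs a run needs from the list of changed paths.

Added example, not the project's own `Detect Changes` job. The path rules
(service directories, `tests/`, `e2e/`, `.github/`, docs) and job names are
assumed for the demonstration; the real job's filters are not shown on the page.
"""
import os
import sys
from fnmatch import fnmatchcase

ALL_JOBS = frozenset({"tests", "e2e", "docker", "compose"})

# Ordered (glob, jobs) rules; the first glob that matches a path wins.
# fnmatch's "*" also matches "/", so ".github/*" covers the whole tree under it.
RULES = [
    (".github/*", ALL_JOBS),            # CI definitions changed: never skip anything
    ("pyproject.toml", ALL_JOBS),
    ("uv.lock", ALL_JOBS),              # dependency set changed
    ("common/*", ALL_JOBS),             # shared library: every service depends on it
    ("*/Dockerfile", {"docker"}),
    ("docker-compose*.yml", {"compose"}),
    ("e2e/*", {"e2e"}),
    ("tests/*", {"tests"}),
    ("*.py", {"tests", "docker", "e2e"}),
    ("*.md", set()),                    # documentation only: nothing to run
]


def decide_jobs(changed_paths, event_name="pull_request"):
    """Return the set of job names to run for this event.

    Scheduled and manual runs never skip (that is the weekly full build); for
    pushes and PRs each changed path is matched against RULES, and a path no
    rule recognises forces a full run rather than a silent skip. An empty
    change list is treated the same way, since it usually means the diff
    itself failed (shallow clone, missing base ref).
    """
    if event_name in ("schedule", "workflow_dispatch") or not changed_paths:
        return set(ALL_JOBS)
    needed = set()
    for path in changed_paths:
        for pattern, jobs in RULES:
            if fnmatchcase(path, pattern):
                needed |= jobs
                break
        else:
            needed |= ALL_JOBS  # unknown file type: fail safe, run everything
    return needed


def to_outputs(needed):
    """Map the decision onto string job outputs (run-tests=true ...) for `if:` conditions."""
    return {f"run-{job}": str(job in needed).lower() for job in sorted(ALL_JOBS)}


def write_github_output(outputs, path=None):
    """Append key=value lines to $GITHUB_OUTPUT; returns False when not running under Actions."""
    path = path or os.environ.get("GITHUB_OUTPUT")
    if not path:
        return False
    with open(path, "a", encoding="utf-8") as fh:
        for key, value in outputs.items():
            fh.write(f"{key}={value}\n")
    return True


if __name__ == "__main__":
    # Usage: git diff --name-only origin/main...HEAD | python detect_changes.py
    changed = [line.strip() for line in sys.stdin if line.strip()]
    event = os.environ.get("GITHUB_EVENT_NAME", "pull_request")
    outputs = to_outputs(decide_jobs(changed, event))
    for key, value in outputs.items():
        print(f"{key}={value}")
    write_github_output(outputs)
```

Downstream jobs consume the outputs as strings, so the condition is written `if: needs.detect.outputs.run-tests == 'true'` (single quotes inside the expression, per the conventions later on this page). Keep the rule list in the same file as the workflows it gates: a rule that forgets a new service directory fails safe here, but only because the unmatched-path branch runs everything.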
Trigger: Called by build.yml via workflow_call
Purpose: Ensures code quality standards are met
Checks:
- 🎨 Ruff - Fast Python linting and formatting
- 🔍 mypy - Static type checking
- 🛡️ Bandit - Security vulnerability scanning
- 🐳 Hadolint - Dockerfile best practices
- ✅ Pre-commit hooks - All configured checks
Trigger: Called by build.yml via workflow_call
Purpose: Runs comprehensive test suite
Features:
- 🎯 Smart test detection - skips if no relevant changes
- 📊 Coverage reporting with pytest-cov
- 💾 Test result caching
- 🔄 Grouped test execution to avoid async conflicts
Trigger: Called by build.yml via workflow_call
Purpose: Cross-browser end-to-end testing
Test Matrix:
- 🌐 Browsers: Chromium, Firefox, WebKit
- 📱 Devices: iPhone 15, iPad Pro 11
- 🖥️ Platforms: Ubuntu, macOS
Features:
- 🎥 Video recording on failures
- 📸 Screenshot artifacts
- ⚡ Concurrent test limiting (max 3)
- 💾 Browser caching for faster runs
Trigger: Weekly schedule (Monday 9 AM UTC) or manual
Purpose: Automated dependency updates with PR creation
Options:
- 🐍 Python version updates
- 📦 Major version upgrades
- 🔒 Security patch application
Process:
- Runs update script
- Creates PR with detailed summary
- Assigns reviewers
- Sends Discord notification
Trigger: Called by build.yml, weekly schedule (Monday 04:00 UTC)
Purpose: Comprehensive security scanning across Python, Rust, secrets, and containers
Jobs:
- Python Security 🐍 — `pip-audit` (dependency vulnerabilities), `bandit` (SAST), `osv-scanner` (multi-ecosystem)
- Semgrep CE Scan 🔬 — Static analysis with SARIF upload to GitHub Advanced Security; suppressed findings (`# nosemgrep`) are stripped before upload
- Rust Security 🦀 — `cargo-audit` (advisory database), `cargo-deny` (license and policy checks)
- Secret Scanning 🔑 — TruffleHog on full history (`fetch-depth: 0`), verified secrets only
- Container Scanning 🐳 — Trivy filesystem scan for HIGH/CRITICAL CVEs, SARIF uploaded to GitHub Security tab
Key Features:
- 🔒 Minimal permissions (`contents: read`, `security-events: write`)
- 📤 SARIF results uploaded to GitHub Advanced Security for all scanners
- 🚫 Semgrep job skipped for Dependabot PRs (`github.actor != 'dependabot[bot]'`)
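The Semgrep job's "suppressed findings are stripped before upload" step is a small SARIF transform. The script below is an added example of that transform, not the project's own workflow step. It assumes Semgrep's SARIF output represents a finding silenced by a `# nosemgrep` comment as a result with a non-empty `suppressions` list (kind `inSource`); the sample log and its rule ids are constructed by hand in that shape. An empty `suppressions` list is treated as not suppressed, which is the edge case a naive `"suppressions" in result` check gets wrong.

```python
"""Strip suppressed findings from a Semgrep SARIF log before it is uploaded.

Added example, not the project's own workflow step. It assumes Semgrep's SARIF
output marks a finding silenced by `# nosemgrep` with a non-empty
`suppressions` list (kind "inSource"); SAMPLE_SARIF is constructed by hand in
that shape and its rule ids are placeholders.
"""
import copy
import json
import sys


def strip_suppressed(sarif):
    """Return (cleaned_copy, removed_count); the input log is left untouched."""
    cleaned = copy.deepcopy(sarif)
    removed = 0
    for run in cleaned.get("runs", []):
        kept = []
        for result in run.get("results", []):
            # Any suppression entry means the finding was accepted in source (or by a
            # baseline); GitHub would still display it, so drop it instead of uploading
            # an alert the team has already triaged.  An empty list is NOT a suppression.
            if result.get("suppressions"):
                removed += 1
            else:
                kept.append(result)
        run["results"] = kept
    return cleaned, removed


def strip_file(src, dst):
    """Read SARIF from `src`, write the cleaned log to `dst`, return the removed count."""
    with open(src, encoding="utf-8") as fh:
        cleaned, removed = strip_suppressed(json.load(fh))
    with open(dst, "w", encoding="utf-8") as fh:
        json.dump(cleaned, fh, indent=2)
    return removed


def _result(rule_id, uri, line, **extra):
    """Build one minimal SARIF result for the constructed sample."""
    return {
        "ruleId": rule_id,
        "level": "warning",
        "message": {"text": f"{rule_id} at {uri}:{line}"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line},
        }}],
        **extra,
    }


# Constructed sample: four findings, one of which carries a nosemgrep suppression.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Semgrep OSS"}},
        "results": [
            _result("py.subprocess-shell-true", "dashboard/run.py", 42),
            _result("py.yaml-unsafe-load", "common/config.py", 17,
                    suppressions=[{"kind": "inSource"}]),  # `# nosemgrep` on that line
            _result("py.hardcoded-tmp-path", "tests/helper.py", 9,
                    suppressions=[]),                       # empty list: not suppressed
            _result("py.request-no-timeout", "extractor/fetch.py", 88),
        ],
    }],
}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python strip_suppressed.py semgrep.sarif semgrep.clean.sarif
        print(f"removed {strip_file(sys.argv[1], sys.argv[2])} suppressed result(s)")
    else:
        cleaned, removed = strip_suppressed(SAMPLE_SARIF)
        print(json.dumps(cleaned, indent=2))
        print(f"removed {removed} suppressed result(s)", file=sys.stderr)
```

In the workflow this sits between `semgrep scan --sarif --output semgrep.sarif` and the `github/codeql-action/upload-sarif` step, and it only has an effect if Semgrep wrote the suppressed findings into the log in the first place. Unused entries under `tool.driver.rules` are left in place; they carry no alerts.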
- Trigger: PR closure
- Purpose: Removes PR-specific caches
- Trigger: Monthly schedule, manual dispatch (`workflow_dispatch`)
- Purpose: Removes old Docker images
- Retention: Keeps 2 most recent tagged versions
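"Keeps 2 most recent tagged versions" hides one decision the cleanup has to make explicitly: what to do with untagged versions. The planner below is an added example, not the project's cleanup workflow. It assumes the fields GitHub's package-versions API returns for a container package (`id`, `created_at`, `metadata.container.tags`), and the version list is constructed by hand. Untagged versions are kept by default, because for a multi-arch image the per-platform manifests are untagged yet still referenced by the tagged index; deleting them breaks the tagged image the rule meant to keep.

```python
"""Plan a GHCR image cleanup that keeps the N most recent tagged versions.

Added example, not the project's own cleanup workflow. It assumes the fields
GitHub's package-versions API returns for a container package (`id`,
`created_at`, `metadata.container.tags`); SAMPLE_VERSIONS is constructed by
hand in that shape.
"""
from datetime import datetime


def _created(version):
    # GitHub returns RFC 3339 timestamps ending in "Z"; older fromisoformat() needs "+00:00"
    return datetime.fromisoformat(version["created_at"].replace("Z", "+00:00"))


def _tags(version):
    return version.get("metadata", {}).get("container", {}).get("tags", [])


def plan_cleanup(versions, keep=2, protected_tags=("latest",), delete_untagged=False):
    """Return (keep_ids, delete_ids).

    Tagged versions are ranked newest first; the first `keep` survive, as does
    any version carrying a protected tag. Untagged versions are kept unless
    `delete_untagged` is set: for multi-arch images the per-platform manifests
    are untagged but still referenced by the tagged index, so deleting them
    corrupts the very image the retention rule is keeping.
    """
    tagged = sorted((v for v in versions if _tags(v)), key=_created, reverse=True)
    untagged = [v for v in versions if not _tags(v)]
    keep_ids, delete_ids = [], []
    for rank, version in enumerate(tagged):
        if rank < keep or set(_tags(version)) & set(protected_tags):
            keep_ids.append(version["id"])
        else:
            delete_ids.append(version["id"])
    for version in untagged:
        (delete_ids if delete_untagged else keep_ids).append(version["id"])
    return keep_ids, delete_ids


# Constructed sample: three releases, one stale PR build, one untagged platform manifest.
SAMPLE_VERSIONS = [
    {"id": 101, "created_at": "2025-01-05T10:00:00Z",
     "metadata": {"container": {"tags": ["1.0.0"]}}},
    {"id": 102, "created_at": "2025-02-05T10:00:00Z",
     "metadata": {"container": {"tags": ["1.1.0"]}}},
    {"id": 103, "created_at": "2025-03-05T10:00:00Z",
     "metadata": {"container": {"tags": ["1.2.0", "latest"]}}},
    {"id": 104, "created_at": "2025-03-05T10:00:05Z",
     "metadata": {"container": {"tags": []}}},          # arm64 manifest behind 1.2.0
    {"id": 105, "created_at": "2024-12-01T10:00:00Z",
     "metadata": {"container": {"tags": ["pr-42"]}}},
]


if __name__ == "__main__":
    keep_ids, delete_ids = plan_cleanup(SAMPLE_VERSIONS)
    print("keep:  ", keep_ids)    # [103, 102, 104]
    print("delete:", delete_ids)  # [101, 105]
```

Run the planner in dry-run mode first and print both lists; only then issue the authenticated `DELETE` against the package-versions endpoint for each id in `delete_ids`. Note that `created_at` is the ordering key, not the tag string: semantic-version sorting of tags like `pr-42` or `latest` is undefined.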
Trigger: Called by build.yml via workflow_call
Purpose: Validates Dockerfiles
Checks:
- 🔍 Dockerfile linting with Hadolint
- 🏗️ Builder-stage Docker build test for all services
Trigger: issue_comment (when mentioning @claude)
Purpose: Enables AI-assisted development on issues and PRs
Features:
- 💬 Responds to @claude mentions in issue and PR comments
- 🤖 Provides AI assistance for code questions and tasks
Trigger: pull_request (open, synchronize, reopened)
Purpose: Automated AI code review on pull requests
Features:
- 📝 Performs automated code review on new and updated PRs
- 🔍 Analyzes code changes for quality, bugs, and best practices
Trigger: Called by build.yml via workflow_call
Purpose: Validates docker-compose syntax
Checks:
- 📋 docker-compose configuration syntax validation
Trigger: Called by other workflows
Purpose: Provides service matrix for build jobs
Output: JSON matrix of services with cache settings
Reusable actions that reduce duplication and improve maintainability:
Sets up Python environment with UV package manager and caching.
```yaml
- uses: ./.github/actions/setup-python-uv
  with:
    python-version: "3.13"
    cache-dependency-glob: "**/uv.lock"
```

Features:
- 🐍 Python setup with specified version
- 📦 UV package manager installation
- 💾 Intelligent dependency caching
- ⚡ Cache restoration with fallbacks
Advanced Docker layer caching for faster builds.
```yaml
- uses: ./.github/actions/docker-build-cache
  with:
    service-name: dashboard
    dockerfile-path: dashboard/Dockerfile
    use-cache: true
```

Features:
- 💾 BuildKit cache optimization
- 🔄 Cache hit detection
- 📊 Performance metrics
- 🎯 Service-specific caching
- Tests and E2E tests run in parallel after code quality
- Independent Docker builds use matrix strategy
- Concurrent browser tests limited to prevent resource exhaustion
- Hierarchical cache keys with multiple fallback levels
- Docker BuildKit inline caching and cache namespaces
- Dependency caching for Python, UV, and pre-commit
- Test result caching for faster subsequent runs
- Skip tests when no relevant files changed in PRs
- Smart file change detection for targeted workflows
- Resource-aware execution based on context
- Build duration tracking
- Cache hit rate reporting
- Performance notices in workflow logs
- Enhanced Discord notifications with metrics
All workflows specify minimal required permissions. Each workflow declares only the scopes it actually uses; the three that appear across the repository are listed below, with a comment on where each one is needed:

```yaml
permissions:
  contents: read        # Most workflows
  packages: write       # For Docker push
  pull-requests: write  # For PR creation
```

- Non-GitHub/Docker actions pinned to specific SHA
- Regular updates through dependabot
- Version comments for clarity
- Non-root user execution (1000:1000)
- No-new-privileges security option
- Trivy container and filesystem scanning for HIGH/CRITICAL CVEs
- Anchore security scanning for images
- Hadolint validation for Dockerfiles
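Two of the controls above, SHA-pinned third-party actions and an explicit `permissions:` block, are easy to state and easy to regress in a later PR. The linter below is an added example of enforcing them, not the project's own tooling. Its exemption list mirrors the page's stated policy (GitHub-owned `actions/*` and `docker/*` actions need not be pinned), the `#` version-comment check follows the "version comments for clarity" convention, and the sample workflow text is constructed for the demonstration with a placeholder SHA.

```python
"""Lint workflow files for SHA-pinned third-party actions and a top-level permissions block.

Added example, not the project's own tooling. The exemption list mirrors the
page's policy (GitHub-owned `actions/*` and `docker/*` actions need not be
pinned); SAMPLE_WORKFLOW is constructed for the demonstration and its 40-hex
SHA is a placeholder, not a real commit.
"""
import re
import sys
from pathlib import Path

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Local composite actions and reusable workflows (./...) have no ref to pin.
EXEMPT_PREFIXES = ("actions/", "docker/", "./")


def check_workflow(text):
    """Return [(line_number, message)] for one workflow file; an empty list means it passes."""
    lines = text.splitlines()
    findings = []
    # Job-level permissions are indented; only a column-0 key counts as the top-level default.
    if not any(line.startswith("permissions:") for line in lines):
        findings.append((0, "no top-level permissions: block; GITHUB_TOKEN falls back to "
                            "the repository default"))
    for lineno, line in enumerate(lines, 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith(EXEMPT_PREFIXES):
            continue
        if ref.startswith("docker://"):
            # Container actions are pinned by image digest, not by a git SHA.
            if "@sha256:" not in ref:
                findings.append((lineno, f"{ref}: container action not pinned by digest"))
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((lineno, f"{ref}: third-party action not pinned to a full commit SHA"))
        elif "#" not in line:
            # A bare SHA is opaque to reviewers and to Dependabot's version comments.
            findings.append((lineno, f"{ref}: pinned without a version comment"))
    return findings


def check_files(paths):
    """Print findings for each file; return the total count (non-zero means fail the job)."""
    total = 0
    for path in paths:
        for lineno, message in check_workflow(Path(path).read_text(encoding="utf-8")):
            print(f"{path}:{lineno}: {message}")
            total += 1
    return total


# Constructed sample workflow: two of its five `uses:` lines should be flagged.
SAMPLE_WORKFLOW = """\
name: Security
on: [pull_request]
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-python-uv
        with:
          python-version: "3.13"
      - uses: github/codeql-action/upload-sarif@0123456789abcdef0123456789abcdef01234567 # v3 (placeholder SHA)
      - uses: example-org/lint-action@v1
      - uses: docker://ghcr.io/example/scanner:latest
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python lint_workflows.py .github/workflows/*.yml
        sys.exit(1 if check_files(sys.argv[1:]) else 0)
    for lineno, message in check_workflow(SAMPLE_WORKFLOW):
        print(f"sample.yml:{lineno}: {message}")
```

Wire it in as a step of the code-quality workflow (or a pre-commit hook) so a PR that swaps a SHA back to a floating tag fails before review. Exempting `actions/*` and `docker/*` is the page's policy, not a general recommendation; dropping those two prefixes from `EXEMPT_PREFIXES` pins everything, which is the stricter and more common choice.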
- Steps: Start with emoji for visual scanning
- Jobs: Descriptive names with purpose
- Workflows: Clear, action-oriented names
- Expressions: Single quotes inside `${{ }}`
- YAML strings: Double quotes when needed
- Simple values: Unquoted when appropriate
- Discord webhooks for build status
- Detailed error messages in logs
- PR comments for dependency updates
- Workflow status badges in README
- Weekly dependency updates
- Monthly Docker image cleanup
- Automated cache management
- Regular security scanning
Monitor workflow health through status badges:
Use act to test workflows locally:

```bash
# Run specific workflow
act -W .github/workflows/test.yml

# Run with specific event
act pull_request -W .github/workflows/build.yml

# List available workflows
act -l
```
- Enable debug logging:

  ```yaml
  env:
    ACTIONS_RUNNER_DEBUG: true
    ACTIONS_STEP_DEBUG: true
  ```

  On GitHub-hosted runs these two switches are read from repository secrets or variables (or from the "Enable debug logging" option when re-running a job), so an `env:` block in the workflow file does not turn them on there; with act, pass `--verbose` instead.

- Add debugging steps:

  ```yaml
  - name: 🐛 Debug context
    run: |
      echo "Event: ${{ github.event_name }}"
      echo "Ref: ${{ github.ref }}"
      echo "SHA: ${{ github.sha }}"
  ```

- Check workflow runs: Navigate to the Actions tab in GitHub