GitHub Actions Workflows
🚀 GitHub Actions Workflows - Hatchgrid
Section titled “🚀 GitHub Actions Workflows - Hatchgrid”This documentation provides a comprehensive overview of all workflows and custom actions in the Hatchgrid monorepo.
📋 Workflows Index
Section titled “📋 Workflows Index”🔄 Main Workflows
Section titled “🔄 Main Workflows”- Monorepo CI - Main CI/CD pipeline
- Backend CI - Kotlin/Java specific CI
- Frontend CI - Node.js/TypeScript specific CI
- Deploy - Deployment to multiple environments
🛠️ Support Workflows
Section titled “🛠️ Support Workflows”- Cleanup Cache - Automatic cache management
- Issue Labeler - Automatic issue labeling
- Semantic Pull Request - PR validation
- Test PNPM - Configuration verification
🔧 Custom Actions
Section titled “🔧 Custom Actions”- Setup Java - Java and Gradle configuration
- Setup Node - Node.js and pnpm configuration
- Specialized Docker Actions - Specialized Docker actions
🔄 Monorepo CI
Section titled “🔄 Monorepo CI”File: .github/workflows/monorepo-ci.yml
Description
Section titled “Description”Main workflow that orchestrates the entire CI/CD process, including security analysis, linting, testing, and integration.
Triggers
Section titled “Triggers”on: push: branches: [ main ] paths-ignore: [ '**.md', '.github/workflows/backend-ci.yml', ... ] pull_request: paths-ignore: [ '**.md', '.github/workflows/backend-ci.yml', ... ] workflow_dispatch: inputs: environment: [ development, staging ]Executed Jobs
Section titled “Executed Jobs”- labeler - Automatic PR labeling
- codeql-analysis - Security analysis (JavaScript, Kotlin)
- super-linter - Code validation with multiple linters
- dependency-review - Dependency review in PRs
- owasp-dependency-check - OWASP vulnerability analysis
- backend - Delegation to backend workflow
- frontend - Delegation to frontend workflow
- integration - Post-build integration tests
Special Features
Section titled “Special Features”- Concurrency: Cancels previous runs on the same branch
- Security: Multiple layers of security analysis
- Artifacts: Generates integration and security reports
🏗️ Backend CI
Section titled “🏗️ Backend CI”File: .github/workflows/backend-ci.yml
Description
Section titled “Description”Specific CI for the backend developed in Kotlin/Java with Gradle.
Triggers
Section titled “Triggers”paths: - 'server/**' - 'shared/**' - 'build.gradle.kts' - 'settings.gradle.kts' - 'gradle/**'Lint Job
Section titled “Lint Job”- Tool: Detekt for Kotlin static analysis
- Integration: Reviewdog for automatic PR comments
- Format: SARIF reports for GitHub Security
Build Job
Section titled “Build Job”- Build:
./gradlew build -x test - Testing:
./gradlew test - Coverage: Kover → Codecov
- Artifacts: Compiled JARs and test reports
Environment Variables
Section titled “Environment Variables”NVD_API_KEY: For dependency vulnerability analysis
🎨 Frontend CI
Section titled “🎨 Frontend CI”File: .github/workflows/frontend-ci.yml
Description
Section titled “Description”Specific CI for the frontend developed in Node.js/TypeScript.
Triggers
Section titled “Triggers”paths: - 'client/**' - 'package.json' - 'pnpm-lock.yaml' - 'pnpm-workspace.yaml'Lint Job
Section titled “Lint Job”- Tool: Biome for linting and formatting
- Integration: Reviewdog for PR feedback
- Configuration: Fails on errors, warnings as suggestions
Build Job
Section titled “Build Job”- Command:
pnpm build - Artifacts: Compiled applications and landing page
Test Job
Section titled “Test Job”- Command:
pnpm test - Coverage: LCOV → Codecov
🚀 Deploy
Section titled “🚀 Deploy”File: .github/workflows/deploy.yml
Description
Section titled “Description”Deployment pipeline with support for multiple environments and deployment strategies.
Triggers and Strategies
Section titled “Triggers and Strategies”# Manual with environment selectionworkflow_dispatch: inputs: environment: type: choice description: "Select the deployment environment" options: - development - staging - production
# Automatic based on branch/tagpush: branches: [main] # → development tags: ['v*'] # → productionJobs Pipeline
Section titled “Jobs Pipeline”1. determine-environment
Section titled “1. determine-environment”Environment determination logic:
- Manual: Uses user input
- Tag
v*: production - Push to main: development
2. build-backend
Section titled “2. build-backend”- Compilation with Gradle
- Docker image build
- Security scanning with Trivy
- Push to GitHub Container Registry
3. build-frontend
Section titled “3. build-frontend”- Compilation with pnpm
- Docker image build
- Security scanning with Trivy
- Push to GitHub Container Registry
4. deploy
Section titled “4. deploy”- kubectl configuration
- K8s manifests update
- Cluster deployment
- Rollout verification
Deploy Security
Section titled “Deploy Security”- Image scanning with Trivy
- SARIF results to GitHub Security
- Manifests versioned by SHA
🧹 Cleanup Cache
Section titled “🧹 Cleanup Cache”File: .github/workflows/cleanup-cache.yml
Purpose
Section titled “Purpose”Automatic cache cleanup when a PR is closed to optimize storage usage.
Operation
Section titled “Operation”on: pull_request: types: [closed]
jobs: cleanup: steps: - run: gh extension install actions/gh-actions-cache - run: gh actions-cache list -R $REPO -B $BRANCH - run: gh actions-cache delete $cacheKey --confirm🏷️ Issue Labeler
Section titled “🏷️ Issue Labeler”File: .github/workflows/issue-labeler.yml
Purpose
Section titled “Purpose”Automatic issue labeling based on content and patterns.
Configuration
Section titled “Configuration”- Config file:
.github/issue-labeler-config.yml - Trigger: Issues opened/edited
- Action:
github/issue-labeler
✅ Semantic Pull Request
Section titled “✅ Semantic Pull Request”File: .github/workflows/semantic-pull-request.yml
Purpose
Section titled “Purpose”PR title validation according to Conventional Commits.
Features
Section titled “Features”- Validation: Conventional Commits spec
- Feedback: Automatic PR comments
- Auto-cleanup: Removes comments when fixed
Valid Title Examples
Section titled “Valid Title Examples”feat: add user authenticationfix: resolve memory leak in cachedocs: update API documentationchore: update dependencies🧪 Test PNPM
Section titled “🧪 Test PNPM”File: .github/workflows/test-pnpm.yml
Purpose
Section titled “Purpose”Test workflow to verify pnpm configuration.
- Manual execution only (
workflow_dispatch) - Debugging configuration issues
- Version and path verification
🔧 Custom Actions
Section titled “🔧 Custom Actions”Setup Java
Section titled “Setup Java”Location: .github/actions/setup/java/
- name: Setup Java uses: ./.github/actions/setup/javaFeatures:
- Java 21 (Eclipse Temurin)
- Gradle wrapper
- Automatic dependency caching
Setup Node
Section titled “Setup Node”Location: .github/actions/setup/node/
- name: Setup Node.js and pnpm uses: ./.github/actions/setup/nodeFeatures:
- Node.js 22
- pnpm 10.13.1
- Intelligent store caching
- Installation with frozen-lockfile
Specialized Docker Actions
Section titled “Specialized Docker Actions”Location: .github/actions/docker/
Note: Specialized Docker actions have replaced the previous generic Docker action. For more details, see the Docker actions documentation.
Backend Docker Action:
- name: Build and push backend Docker image uses: ./.github/actions/docker/backend/action.yml with: image-name: backend github-token: ${{ secrets.GITHUB_TOKEN }} gradle-args: "-Pversion=latest -Penv=production" module-path: server:thryve deliver: 'true'Frontend Web App Action:
- name: Build and push frontend web app Docker image uses: ./.github/actions/docker/frontend-web/action.yml with: image-name: frontend-web github-token: ${{ secrets.GITHUB_TOKEN }} build-env: production api-url: https://api.example.com deliver: 'true'Frontend Landing Page Action:
- name: Build and push frontend landing page Docker image uses: ./.github/actions/docker/frontend-landing/action.yml with: image-name: frontend-landing github-token: ${{ secrets.GITHUB_TOKEN }} build-env: production base-url: https://example.com deliver: 'true'Security Scanning Action:
- name: Scan Docker image for vulnerabilities uses: ./.github/actions/docker/security-scan/action.yml with: image-ref: ghcr.io/myorg/myapp:latest report-name: myapp-security-scan category: backend-trivyFeatures:
- Specialized actions by application type
- GitHub Container Registry and Docker Hub
- GitHub Actions cache
- Integrated Trivy security scanning
- Automatic metadata
- Multi-platform support
📊 Metrics and Monitoring
Section titled “📊 Metrics and Monitoring”Typical Execution Times
Section titled “Typical Execution Times”- Backend CI: ~8-12 minutes
- Frontend CI: ~5-8 minutes
- Monorepo CI: ~15-20 minutes
- Deploy: ~10-15 minutes
Cache Hit Rates
Section titled “Cache Hit Rates”- Gradle: ~85-90%
- pnpm: ~90-95%
- Docker: ~70-80%
Generated Artifacts
Section titled “Generated Artifacts”- Test reports (JUnit XML)
- Coverage reports (Kover, LCOV)
- Security reports (SARIF)
- Docker images
- Integration reports
🔒 Security and Compliance
Section titled “🔒 Security and Compliance”Security Analysis
Section titled “Security Analysis”- CodeQL: Static code analysis
- OWASP: Dependency vulnerabilities
- Trivy: Docker image scanning
- Dependency Review: New dependency review
Required Secrets
Section titled “Required Secrets”CODECOV_TOKEN # Coverage uploadNVD_API_KEY # Vulnerability APIKUBECONFIG # Kubernetes configurationGITHUB_TOKEN # Automatic, for registryMinimum Permissions
Section titled “Minimum Permissions”Each workflow has specific minimum permissions following the principle of least privilege.
🚀 Best Practices
Section titled “🚀 Best Practices”Versioning
Section titled “Versioning”- Use specific versions with SHA hash
- Regular updates with Dependabot
- Test changes in development branches
Performance
Section titled “Performance”- Parallelization of independent jobs
- Intelligent caching with specific keys
- Concurrency to cancel obsolete runs
Maintenance
Section titled “Maintenance”- Updated documentation
- Execution metrics monitoring
- Regular configuration review
For detailed documentation of specific workflows, see: