You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
**Context:** This is the pipeline implementation from [devops-labs Module-3 Mini-Project 9](https://github.com/darestack/devops-labs/tree/main/Module-3/mini-project-09). Full implementation notes live there.
7
6
@@ -11,11 +10,11 @@
11
10
12
11
| Stage | What It Does | Key Detail |
13
12
|---|---|---|
14
-
|`test`| Unit tests across multiple Node.js versions | Build matrix: Node 12, 14, 16 with npm dependency caching |
15
-
|`code-quality`| ESLint static analysis|Configured to **fail the build** on lint errors — no `continue-on-error`|
13
+
|`test`| Unit tests across multiple Node.js versions | Build matrix: Node 18 and 20 with npm dependency caching. This job also runs the hard lint gate.|
14
+
|`code-quality`| ESLint SARIF upload|Publishes lint annotations to GitHub Code Scanning. The hard lint gate lives in the `test` job.|
16
15
|`security`| Trivy vulnerability scan | Results uploaded as SARIF to GitHub Code Scanning |
17
16
|`build`| Docker image creation | Pushes to GHCR tagged with both `branch-name` and `commit-SHA`|
**GHCR image tagging:** Each image is tagged with both `latest` and the commit SHA — enabling rollback to any previous build without relying on the `latest` tag alone.
50
49
51
-
**ESLint as a hard gate:**Removed `continue-on-error: true` from the lint step. If ESLint finds errors, the entire pipeline stops — no broken code reaches Docker build.
50
+
**ESLint as a hard gate:**The matrix `test` job runs `npm run lint` before tests. The separate `code-quality` job keeps `continue-on-error` for SARIF upload so annotations can still be published for review.
52
51
53
52
**Trivy SARIF upload:** Required adding `security-events: write` to the job-level permissions block. Without this, the upload fails silently.
54
53
55
54
**Docker Buildx:** The default GitHub Actions Docker driver does not support cache export. Fixed by adding `docker/setup-buildx-action@v3` before the build step.
56
55
57
-
**GHCR push permissions:**`GITHUB_TOKEN` requires explicit `packages: write` in the job permissions to create new container packages.
56
+
**GHCR push permissions:**`GITHUB_TOKEN` requires explicit `packages: write` in the build job permissions to create new container packages.
58
57
59
58
---
60
59
@@ -72,6 +71,12 @@ Push to `main` or open a PR to trigger the full pipeline.
72
71
73
72
---
74
73
74
+
## Current Boundary
75
+
76
+
The staging and production deploy jobs are intentionally simulated in this lab. They show environment flow and dependency ordering, but they do not deploy to a real target yet. To make this a production deployment project, replace the `echo` deployment steps with a real target such as EC2, ECS, Kubernetes, or a PaaS and add deployment logs.
0 commit comments