- Updated GO_VERSION to 1.25.7 across all GitHub Actions workflows to fix immediate build failures
- Added custom regex manager to `.github/renovate.json` to explicitly track `GO_VERSION` in YAML files
- Ensures Renovate detects and automerges Go updates for workflows alongside the main project
Fixed syntax errors in playwright.config.js (duplicate identifiers)
Verified all E2E and Integration workflows have correct push triggers
Confirmed immediate feedback loop for feature/hotfix branches
Validated E2E environment by running core test suite (100% pass)
Implements all 13 fixes identified in the CI/CD audit against
github-actions-ci-cd-best-practices.instructions.md
Critical fixes:
Remove hardcoded encryption key from playwright.yml (security)
Fix artifact filename mismatch in supply-chain-pr.yml (bug)
Pin GoReleaser to ~> v2.5 instead of latest (supply chain)
High priority fixes:
Upgrade CodeQL action from v3 to v4 in supply-chain-pr.yml
Add environment protection for release workflow
Fix shell variable escaping ($$ → $) in release-goreleaser.yml
Medium priority fixes:
Add timeout-minutes to playwright.yml (20 min)
Add explicit permissions to quality-checks.yml
Add timeout-minutes to codecov-upload.yml jobs (15 min)
Fix benchmark.yml permissions (workflow-level read, job-level write)
Low priority fixes:
Add timeout-minutes to docs.yml jobs (10/5 min)
Add permissions block to docker-lint.yml
Add timeout-minutes to renovate.yml (30 min)
- Replace Go interface{} with any (Go 1.18+ standard)
- Add database indexes to frequently queried model fields
- Add JSDoc documentation to frontend API client methods
- Remove deprecated docker-compose version keys
- Add concurrency groups to all 25 GitHub Actions workflows
- Add YAML front matter and fix H1→H2 headings in docs
Coverage: Backend 85.5%, Frontend 87.73%
Security: No vulnerabilities detected
Refs: docs/plans/instruction_compliance_spec.md
