Implements all 13 fixes identified in the CI/CD audit against github-actions-ci-cd-best-practices.instructions.md

Critical fixes:
- Remove hardcoded encryption key from playwright.yml (security)
- Fix artifact filename mismatch in supply-chain-pr.yml (bug)
- Pin GoReleaser to ~> v2.5 instead of latest (supply chain)

High priority fixes:
- Upgrade CodeQL action from v3 to v4 in supply-chain-pr.yml
- Add environment protection for release workflow
- Fix shell variable escaping ($$ → $) in release-goreleaser.yml

Medium priority fixes:
- Add timeout-minutes to playwright.yml (20 min)
- Add explicit permissions to quality-checks.yml
- Add timeout-minutes to codecov-upload.yml jobs (15 min)
- Fix benchmark.yml permissions (workflow-level read, job-level write)

Low priority fixes:
- Add timeout-minutes to docs.yml jobs (10/5 min)
- Add permissions block to docker-lint.yml
- Add timeout-minutes to renovate.yml (30 min)
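A constructed release workflow that applies the hardening patterns the commit above lists (read-only workflow-level permissions with a job-level write, timeout-minutes, a concurrency group, environment protection, a pinned GoReleaser version range, secrets from the store instead of literals, single-`$` shell variables). This is an added example, not one of the repository's workflow files; the `release` environment name and the `ENCRYPTION_KEY` secret name are assumptions.

```yaml
# Constructed example; not a workflow file from this repository.
name: release-goreleaser

on:
  push:
    tags: ['v*']

# Workflow-level default is read-only; a job that needs more opts in explicitly.
permissions:
  contents: read

# One run per ref. A release is not cancelled mid-upload; use
# cancel-in-progress: true for PR/CI workflows where superseded runs are waste.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

jobs:
  release:
    runs-on: ubuntu-latest
    timeout-minutes: 30            # bound a hung or runaway job
    environment: release           # assumed name; required reviewers etc. are set in repo settings
    permissions:
      contents: write              # job-level write only where the release upload needs it
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0           # GoReleaser needs tags/history for the changelog

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      # Pinned to a version range rather than 'latest' (supply chain)
      - uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser
          version: '~> v2.5'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Secret comes from the secret store; never a literal in the workflow file
          ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }}

      # Shell variables use a single '$'; '$$' expands to the shell's PID, not the variable
      - name: Report released tag
        run: echo "released $GITHUB_REF_NAME"
```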
- Updated references from `CPMP_TOKEN` to `CHARON_TOKEN` in beta release draft PR body, beta release PR body, and GitHub setup documentation.
- Enhanced clarity in documentation regarding the use of `GITHUB_TOKEN` and fallback options.
- Removed outdated sections from the archived plan for the Docs-to-Issues workflow fix, streamlining the document.
- Initiated integration of Staticcheck into pre-commit hooks to improve code quality, including updates to Makefile, VS Code tasks, and documentation.

- Replace Go `interface{}` with `any` (Go 1.18+ standard)
- Add database indexes to frequently queried model fields
- Add JSDoc documentation to frontend API client methods
- Remove deprecated docker-compose `version` keys
- Add concurrency groups to all 25 GitHub Actions workflows
- Add YAML front matter and fix H1→H2 headings in docs

Coverage: Backend 85.5%, Frontend 87.73%
Security: No vulnerabilities detected
Refs: docs/plans/instruction_compliance_spec.md

- Update .goreleaser.yaml:
  - Split builds into linux, windows, and darwin
  - Configure Zig as the C/C++ compiler for cross-compilation (CGO enabled)
  - Add zip archive format for Windows
  - Restrict deb/rpm packages to Linux builds
- Update .github/workflows/release-goreleaser.yml:
  - Add setup-zig action to install Zig compiler
  - Remove manual apt-get cross-compiler installation

- Update Makefile with new targets:
  - lint-backend: Run golangci-lint via Docker
  - lint-docker: Run hadolint via Docker
  - test-race: Run Go tests with race detection
  - benchmark: Run Go benchmarks
  - integration-test: Run local integration tests
- Update .pre-commit-config.yaml:
  - Add go-test-race hook
  - Add golangci-lint hook
  - Add hadolint hook

- Add .goreleaser.yaml configuration:
  - Define builds for linux/amd64 and linux/arm64
  - Configure archive creation (tar.gz)
  - Configure package creation (deb, rpm)
- Add .github/workflows/release-goreleaser.yml:
  - New workflow to test GoReleaser builds
  - Builds frontend first, then uses GoReleaser
  - Handles cross-compilation dependencies