- Remove `if: always()` from integration-gate, coverage-gate, codecov-gate, pipeline-gate
- Gates now naturally skip when their upstream dependencies are skipped (fork PR behavior)
- Prevents confusing "complete" status when nothing actually ran
- Fork PRs will show "skipped" in UI instead of obscuring behavior behind gate success
- Aligns with GitHub Actions standard job dependency semantics
- Fixed github.head_ref actionlint error by passing via environment variable
instead of direct shell interpolation in ci-pipeline.yml
- Aligned E2E coverage artifact handling to shard artifacts and updated
Codecov upload to use glob pattern for multi-shard merge
- Added workflow_run trigger to security-pr.yml for docker-build integration
while retaining workflow_dispatch for manual runs
- Added workflow_run trigger to supply-chain-pr.yml for docker-build integration
while retaining workflow_dispatch for manual runs
- All individual workflows now support both automatic (workflow_run) and manual
(workflow_dispatch) triggering, maintaining design intent
- Audited remaining workflows; no additional blockers found
- All actionlint and pre-commit validations now passing
- Full pipeline trigger chain now functional
- Updated environment variable assignments in multiple workflow files to use double quotes for consistency and to prevent potential issues with variable expansion.
- Refactored echo commands to group multiple lines into a single block for improved readability in the following workflows:
- release-goreleaser.yml
- renovate_prune.yml
- security-pr.yml
- security-weekly-rebuild.yml
- supply-chain-pr.yml
- supply-chain-verify.yml
- update-geolite2.yml
- waf-integration.yml
- weekly-nightly-promotion.yml
- Updated quality-checks.yml to support manual dispatch with frontend checks.
- Modified rate-limit-integration.yml to remove workflow_run triggers and adjust conditions for execution.
- Removed pull request triggers from repo-health.yml, retaining only scheduled and manual dispatch.
- Adjusted security-pr.yml and supply-chain-pr.yml to eliminate workflow_run dependencies and refine execution conditions.
- Cleaned up supply-chain-verify.yml by removing workflow_run triggers and ensuring proper execution conditions.
- Updated waf-integration.yml to remove workflow_run triggers, allowing manual dispatch only.
- Revised current_spec.md to reflect the consolidation of CI workflows into a single pipeline, detailing objectives, research findings, and implementation plans.
Fixed syntax errors in playwright.config.js (duplicate identifiers)
Verified all E2E and Integration workflows have correct push triggers
Confirmed immediate feedback loop for feature/hotfix branches
Validated E2E environment by running core test suite (100% pass)
- Added push and pull_request triggers to integration test workflows (waf, cerberus, crowdsec, rate-limit)
- Added push and pull_request triggers to security scan workflows (security-pr, supply-chain-pr)
- Implemented logic to locate build artifacts when triggered directly via push/PR
- Ensured consistent testing coverage across main, development, feature, and hotfix branches
Linter Configuration Updates:
Add version: 2 to .golangci.yml for golangci-lint v2 compatibility
Scope errcheck exclusions to test files only via path-based rules
Maintain production code error checking while allowing test flexibility
CI/CD Documentation:
Fix CodeQL action version comment in security-pr.yml (v3.28.10 → v4)
Create workflow modularization specification (docs/plans/workflow_modularization_spec.md)
Document GitHub environment protection setup for releases
Verification:
Validated linter runs successfully with properly scoped rules
Confirmed all three workflows (playwright, security-pr, supply-chain-pr) are properly modularized
Update branch triggers and downstream workflow logic to support all
branches defined in docker-build.yml (main, development, feature/**).
Changes:
docker-build.yml: Expand branch glob to feature/**, use branch-based tags
playwright.yml: Replace is_beta_push with generic is_push detection
security-pr.yml: Same branch-agnostic pattern
supply-chain-pr.yml: Same pattern, skip PR comments for push events
The workflows now support any push that triggers docker-build:
main branch → tag: latest
development branch → tag: dev
feature/* branches → tag: {branch-name}
Pull requests → tag: pr-{number}
Dynamic artifact naming:
Push events: push-image (shared across all branches)
Pull requests: pr-image-{number}
This ensures CI/CD pipelines work for stable releases, bug fixes,
and new feature development without hardcoded branch names.
Separate PR-specific tests from docker-build.yml into dedicated workflows
that trigger via workflow_run. This creates a cleaner CI architecture where:
playwright.yml: E2E tests triggered after docker-build completes
security-pr.yml: Trivy binary scanning for PRs
supply-chain-pr.yml: SBOM generation + Grype vulnerability scanning
