- Updated quality-checks.yml to support manual dispatch with frontend checks.
- Modified rate-limit-integration.yml to remove workflow_run triggers and adjust conditions for execution.
- Removed pull request triggers from repo-health.yml, retaining only scheduled and manual dispatch.
- Adjusted security-pr.yml and supply-chain-pr.yml to eliminate workflow_run dependencies and refine execution conditions.
- Cleaned up supply-chain-verify.yml by removing workflow_run triggers and ensuring proper execution conditions.
- Updated waf-integration.yml to remove workflow_run triggers, allowing manual dispatch only.
- Revised current_spec.md to reflect the consolidation of CI workflows into a single pipeline, detailing objectives, research findings, and implementation plans.
Fixed syntax errors in playwright.config.js (duplicate identifiers)
Verified all E2E and Integration workflows have correct push triggers
Confirmed immediate feedback loop for feature/hotfix branches
Validated E2E environment by running core test suite (100% pass)
- Added push and pull_request triggers to integration test workflows (waf, cerberus, crowdsec, rate-limit)
- Added push and pull_request triggers to security scan workflows (security-pr, supply-chain-pr)
- Implemented logic to locate build artifacts when triggered directly via push/PR
- Ensured consistent testing coverage across main, development, feature, and hotfix branches
Linter Configuration Updates:
Add version: 2 to .golangci.yml for golangci-lint v2 compatibility
Scope errcheck exclusions to test files only via path-based rules
Maintain production code error checking while allowing test flexibility
CI/CD Documentation:
Fix CodeQL action version comment in security-pr.yml (v3.28.10 → v4)
Create workflow modularization specification (docs/plans/workflow_modularization_spec.md)
Document GitHub environment protection setup for releases
Verification:
Validated linter runs successfully with properly scoped rules
Confirmed all three workflows (playwright, security-pr, supply-chain-pr) are properly modularized
Update branch triggers and downstream workflow logic to support all
branches defined in docker-build.yml (main, development, feature/**).
Changes:
docker-build.yml: Expand branch glob to feature/**, use branch-based tags
playwright.yml: Replace is_beta_push with generic is_push detection
security-pr.yml: Same branch-agnostic pattern
supply-chain-pr.yml: Same pattern, skip PR comments for push events
The workflows now support any push that triggers docker-build:
main branch → tag: latest
development branch → tag: dev
feature/* branches → tag: {branch-name}
Pull requests → tag: pr-{number}
Dynamic artifact naming:
Push events: push-image (shared across all branches)
Pull requests: pr-image-{number}
This ensures CI/CD pipelines work for stable releases, bug fixes,
and new feature development without hardcoded branch names.
Separate PR-specific tests from docker-build.yml into dedicated workflows
that trigger via workflow_run. This creates a cleaner CI architecture where:
playwright.yml: E2E tests triggered after docker-build completes
security-pr.yml: Trivy binary scanning for PRs
supply-chain-pr.yml: SBOM generation + Grype vulnerability scanning
