Last Updated: 2026-04-28
Purpose: Document the optimized CI tiers and the exact command parity for local debugging.
Workflow Files
- Main gate:
.github/workflows/build.yml - PR guardrails:
.github/workflows/pr-guardrails.yml - DB migration guard:
.github/workflows/db-migration-guard.yml - Supabase migration CI:
.github/workflows/supabase-ci.yml - FHIR fixture validator:
.github/workflows/fhir-validate.yml - Full E2E (nightly/manual):
.github/workflows/e2e-full.yml - Cross-repo mirror:
.github/workflows/lovable-sync.yml
Tiered CI Structure
Tier 1: Fast PR checks (pull_request)
pr-guardrails.yml runs first, then build.yml runs in parallel:
guardrails- PR size limits (changed files and line churn)
- Commit count limit
- Generic commit title limit (
Changes,Update,WIP, etc.) - Override labels for controlled exceptions
build.yml then runs these jobs in parallel:
governancenpm run validate:governance
qualitynpm run format:check -- --toleratenpx turbo run typechecknpm run check-architecture:cinpx turbo run lint:cinpm run docs:comments:baseline(non-blocking)npm run docs:comments:audit:changednpm run audit:settings-consistency- hardcoded color audit gate
testsnpm run test:coverage(SKIP_SUPABASE_TESTS=true)npx tsx scripts/check-rls-coverage.ts --min-coverage 100
build-and-smokenpx turbo run buildnpm run perf:build-metricsnpm run perf:budgets:check(VITE_BUDGETS_WARN_ONLY=1)npx playwright install --with-deps chromiumnpm run test:baseline:smoke
non-blocking-analysisnpm run check:slop:ci(non-blocking)- Dead-code analysis runs in its own
deadcode.ymlworkflow vianpm run deadcode:ci(the orchestrator). The legacy raw-fallowcheck:dead-code*scripts and thecheck:deps(e18e) advisory step were removed.
Tier 2: Main branch validation (push to main)
Uses the same build.yml jobs as Tier 1, plus:
- Sentry release tagging/deploy metadata in
build-and-smoke(push-only step)
Tier 3: Deploy workflows
supabase-deploy-dev.yml(pushtodevwith path filters)supabase-deploy-prod.yml(pushtoproductionwith path filters)supabase-bootstrap-prod.yml(manual break-glass/bootstrap)
Tier 4: Scheduled checks
governance-weekly.yml(weekly governance + weeklynpm audit --audit-level=high)e2e-full.yml(nightly full Playwright suite)migration-lane-audit.yml(weekly informational DB lane audit)db-advisor-quarterly.yml(quarterly issue reminder)
CI Minute Controls
- Concurrency cancellation: enabled on high-churn workflows so superseded runs stop quickly.
- Path skip filters: docs/spec/config-only changes skip
build.ymlentirely. - Push trigger reduction: full
build.ymlpush checks run onmainonly (PRs remain the merge gate fordev). - Timeouts: explicit
timeout-minuteson previously unbounded jobs. - Non-blocking analysis isolation: slop/dead-code/dependency health checks moved out of critical path.
What To Run Locally Before Push
Primary parity command:Manual/GitHub Configuration Follow-ups
- Configure branch protection required checks for
dev,main, andproduction. - Add
PR Guardrails / guardrailsto required checks ondevelopmentandproduction. - Enable GitHub secret scanning and push protection in repository settings.
- Add a
CODEOWNERSfile for critical CI/deploy paths (.github/workflows/**,supabase/**,src/platform/**). - Keep Supabase migration history aligned (
supabase migration repair/supabase db pull) when drift is detected. - Configure
ENCORE_LOVABLE_MIRROR_PATsecret for one-way development mirror workflow.
Related Docs
docs/testing/TESTING_SETUP_AND_RUN.mddocs/development/RLS_CI_CD_GUIDE.mddocs/development/DEPENDENCY_SECURITY.mddocs/development/VERCEL_VITE_NODE_GUARDRAILS.md
CI pipeline overview (GitHub Actions)
Version: 1.0.0Last updated: 2026-04-01
Purpose: Map the primary PR/push workflow to local commands so failures are faster to debug.
Workflow file
- Build gate: .github/workflows/build.yml — runs on
pushandpull_requesttomainandfeature/**.
Job sequence (high level)
Thebuild job runs in order:
- Dependencies:
npm ci --legacy-peer-deps - npm audit:
npm audit --audit-level=high(fails on high/critical) - Governance:
npm run validate:governance - Format:
npm run format:check - Types:
npm run typecheck - Lint:
npm run lint:ci(warning budget enforced in CI) - TSDoc/JSDoc: baseline report (non-blocking) then
npm run docs:comments:audit:changedagainst base/head SHAs - Quality gates (non-blocking unless tuned):
check:slop:ci(dead-code analysis runs separately indeadcode.ymlviadeadcode:ci) - Hardcoded colors:
scripts/utils/audit-hardcoded-colors.sh(fails on violations insrc) - Settings consistency:
npm run audit:settings-consistency(route guards + settings page naming) - Tests:
npm run test:coveragewithSKIP_SUPABASE_TESTS=true - RLS coverage:
npx tsx scripts/check-rls-coverage.ts --min-coverage 100 - Production build:
npm run build - Sentry: release tagging / deploy metadata (requires
SENTRY_AUTH_TOKENin CI) - Playwright:
npx playwright install --with-deps chromium - Smoke gate:
npm run test:baseline:smokewith strict env limits (RLS + E2E smoke + audit completeness) - Artifacts: uploads test completeness and doc-comment coverage reports from
reports/audits/
What to run locally before pushing
For parity with the main gate, prefer:npm run format:check, npm run typecheck, npm run lint:ci, npm run build, npm run test, npm run test:rls:smoke (or full RLS via npm run test:rls as needed). For a stronger local gate before commit: npm run validate:full (runs validate via Turborepo, then test:unit). See TESTING_SETUP_AND_RUN.md for E2E and env requirements.
Non-Blocking Gate Tightening Plan
Step 8 above (check:slop:ci) currently runs with || true to avoid blocking CI while baselines are established. It should be converted to a blocking gate progressively:
Process to tighten a gate:
- Run the check locally and document current count in a GitHub issue
- Create a remediation PR to reduce violations to threshold
- Remove
|| truefrom thebuild.ymlstep - Update this table
Related docs
- RLS_CI_CD_GUIDE.md — RLS tests in CI and local parity
- DEPENDENCY_SECURITY.md — audit, overrides, Dependabot
- VERCEL_BUILD_IMPROVEMENT_PLAN.md — context for the build workflow header
- VERCEL_VITE_NODE_GUARDRAILS.md — Node 22+ baseline, Vite 8/Rolldown, Vercel build pitfalls
- docs/governance/index.md — governance entry point and all gate documentation