CI/CD Pipeline Overview
The TEA Platform CI/CD pipeline follows a two-gate approach with automated quality checks and deployments to Azure staging and production environments.
Two-Gate Architecture
The pipeline implements a clean two-gate system for maximum transparency and efficiency:
Gate 1: Pre-commit Hooks (Fast, Local)
Minimal checks that run automatically on git commit:
- Syntax & safety: JSON/YAML validation, merge conflict detection, large file checks, secret detection
- Linting: Ultracite (Biome) lint and format on staged
.js,.ts,.tsx,.jsonfiles - Type checking: TypeScript compiler (
tsc --noEmit) on staged TypeScript files - Cleanup: Debug statement detection, trailing whitespace, end-of-file fixes
See .pre-commit-config.yaml for the full configuration.
Gate 2: GitHub Actions (Comprehensive)
Four workflow files handle all CI/CD needs:
1. build.yaml — Build & Quality Checks
Runs on pushes to main/staging and all pull requests:
- Linting: Ultracite check (Biome linting and formatting)
- Type checking: TypeScript compiler (
tsc --noEmit) - Unit tests: Vitest test suite
- Docker build: Builds and pushes container image to GitHub Container Registry (ghcr.io)
- Deployment: Deploys to Azure App Service (staging or production)
- Health check: Verifies
/api/healthreturns 200 after deployment
2. release.yaml — Production Release
Triggered by version tags (v*.*.*):
- Creates a GitHub Release with auto-generated release notes
3. seed-staging.yml — Staging Database Reset
Runs on push to staging or manual dispatch:
- Resets the staging database (
prisma migrate reset --force) - Grants permissions to the
tea_appdatabase user - Seeds test data (users: chris, alice, bob, charlie)
4. purge-trash.yml — Maintenance
Scheduled cleanup of soft-deleted records.
Branch Strategy
- Feature branches →
staging→main - Feature branches are created from
stagingfor development - Pull requests merge into
stagingfor integration testing stagingis merged intomainfor production release
Quality Gates
Gate 1 (Pre-commit)
- Lint check: TypeScript/JavaScript files properly formatted
- Type check: No TypeScript errors
- Syntax validation: No invalid JSON/YAML
- File safety: No large files, merge conflicts, or secrets
Gate 2 (GitHub Actions)
- Code quality: Ultracite linting and TypeScript compilation pass
- Tests: Vitest suite passes
- Build success: Docker image builds correctly
- Deployment health:
/api/healthendpoint responds
Tools & Technologies
Version Control & CI/CD
- Git & GitHub: Source control with branch protection
- GitHub Actions: Four workflow files for all CI/CD
- GitHub Container Registry (ghcr.io): Container image storage
Quality Tools
- Ultracite (Biome wrapper): Linting and formatting
- TypeScript: Type checking (
tsc --noEmit) - Vitest: Unit and integration testing
- Pre-commit: Local hooks for fast feedback
- detect-secrets: Secret detection in staged files
Infrastructure
- Docker: Multi-stage builds for efficient images
- Azure App Service: Staging and production hosting
- PostgreSQL: Database
Environment Variables
The pipeline manages environment-specific configurations:
- Development: Local
.envfiles - CI/CD: GitHub Secrets
- Staging/Production: Azure App Service settings
Security Considerations
- Secrets never committed to repository (enforced by
detect-secretshook) - Environment variables injected at build/runtime
- Container images built from verified base images
- Least-privilege database users (
tea_appfor runtime, admin for migrations)
Rollback Strategy
In case of issues:
- Automatic: Health checks verify deployment; failure blocks promotion
- Manual: Previous container image tags available in ghcr.io
- Database: Migration rollback via
prisma migrate resolve