Changes:
- Add step to convert image names to lowercase in CD workflow
- Update docker-compose.production.yml generation to use lowercase image names
- Enhance production deployment with nginx reverse proxy and certgen service
- Update CSRF configuration documentation with IP access guidance
- Improve deployment manifest generation with better service orchestration
- Normalize line endings from CRLF to LF across all files to match .editorconfig
- Standardize quote style from single quotes to double quotes
- Normalize whitespace and formatting throughout codebase
- Apply consistent code style across 372 files including:
  * Application code (models, routes, services, utils)
  * Test files
  * Configuration files
  * CI/CD workflows

This ensures consistency with the project's .editorconfig settings and
improves code maintainability.

Improved the Release Build workflow to clearly show that PostHog and Sentry
credentials are being injected from the GitHub Secret Store, providing better
transparency and auditability.

Changes:
- Enhanced workflow step name to explicitly mention "GitHub Secrets"
- Added comprehensive logging with visual separators and clear sections
- Added before/after file content display showing placeholder replacement
- Added secret availability verification with format validation
- Added detailed error messages with step-by-step fix instructions
- Enhanced release summary to highlight successful credential injection
- Updated build configuration documentation with cross-references

Benefits:
- Developers can immediately see credentials come from GitHub Secret Store
- Security teams have clear audit trail of credential injection process
- Better troubleshooting with detailed error messages
- Secrets remain protected with proper redaction (first 8 + last 4 chars)
- Multiple validation steps ensure correct injection

The workflow now outputs 50+ lines of structured logging showing:
- Secret store location (Settings → Secrets and variables → Actions)
- Target file being modified (app/config/analytics_defaults.py)
- Verification that secrets are available
- Format validation (phc_* pattern for PostHog)
- Confirmation of successful placeholder replacement
- Summary with redacted credential previews

Workflow: .github/workflows/cd-release.yml
Documentation: docs/cicd/README_BUILD_CONFIGURATION.md

Fully backward compatible - no breaking changes.
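The format validation and redacted preview (first 8 + last 4 chars) described in the commit message above, sketched as an added example that is not taken from the commit or from cd-release.yml. The function names, the 24-character minimum and the sample key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not the project's workflow code. Function names are hypothetical.

# Succeeds only when the value matches the phc_* pattern named above
# (the prefix followed by at least one more character).
is_posthog_key() {
    case "$1" in
        phc_?*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print a log-safe preview: first 8 + last 4 characters.
# Assumption: values shorter than 24 characters are masked completely,
# because showing 12 of them would reveal half or more of the secret.
redact_secret() {
    secret=$1
    len=${#secret}
    if [ "$len" -lt 24 ]; then
        printf '%s\n' '[REDACTED]'
        return 0
    fi
    prefix=$(printf '%s' "$secret" | cut -c1-8)
    suffix=$(printf '%s' "$secret" | cut -c"$((len - 3))"-"$len")
    printf '%s...%s\n' "$prefix" "$suffix"
}

# Check availability and format, then report without echoing the full value.
# A value in the wrong format gets no preview at all.
report_posthog_key() {
    if [ -z "$1" ]; then
        echo "PostHog key: missing"
        return 1
    fi
    if ! is_posthog_key "$1"; then
        echo "PostHog key: present but not in phc_* format"
        return 1
    fi
    echo "PostHog key: ok ($(redact_secret "$1"))"
}

# Constructed sample value, not a real key.
SAMPLE_KEY='phc_EXAMPLEexampleEXAMPLEexample1234'
report_posthog_key "$SAMPLE_KEY"
```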

Refactor GitHub Actions workflows to support a release candidate (RC)
branch workflow instead of direct develop->main flow.

Changes:
- cd-development.yml: Trigger on PRs to RC branches (not push to develop)
  * Updated summary to show PR context (source/target branches)
  * Build development images when code is promoted to RC
- cd-release.yml: Trigger on PRs from RC to main/master
  * Added path filters for code changes only
  * Enables release validation before merge to main
- ci-comprehensive.yml: Run tests on PRs to RC branches
  * Full test suite now runs for PRs to main, master, and RC branches
  * Ensures code quality before RC promotion

New workflow:
  develop (push)     -> no actions
  develop -> rc (PR) -> run tests + development build
  rc -> main (PR)    -> run tests + release build

Supports both single RC branch (rc) and versioned RC branches (rc/*)

Breaking change: Development builds no longer trigger on push to develop.
They now require a PR to an RC branch.

Implement a complete, production-ready CI/CD pipeline that runs 100% on
GitHub Actions with zero external dependencies. This replaces and consolidates
existing workflows with an optimized, streamlined pipeline.

## Major Changes
- Add 3 new workflows (ci-comprehensive, cd-development, cd-release)
- Remove 2 redundant workflows (backed up)
- Add 130+ tests across 4 new test files
- Add 8 documentation guides (60+ KB)
- Add developer tools and scripts