CI/CD

CI pipeline (GitHub Actions)

Every pull request runs the full CI pipeline:

.github/workflows/ci.yml

    name: CI
    on: [pull_request]
    jobs:
      check:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - uses: pnpm/action-setup@v4
          - uses: actions/setup-node@v4
            with: { node-version: '20' }
          - run: pnpm install --frozen-lockfile
          - run: pnpm typecheck
          - run: pnpm test
          - run: pnpm build

All three steps (typecheck, test, build) must pass before a PR can merge.
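A small audit of a workflow file like the one above, added here as an example and not part of the project's tooling: it flags actions pinned to a mutable tag instead of a commit SHA, a `pnpm install` that omits `--frozen-lockfile`, and a workflow with no `permissions:` block (the `GITHUB_TOKEN` then falls back to the repository default scope). The embedded workflow text and the choice of checks are this example's own.

```python
import re

# Constructed input: a copy of the CI workflow shown above, with indentation.
CI_WORKFLOW = """\
name: CI
on: [pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with: { node-version: '20' }
      - run: pnpm install --frozen-lockfile
      - run: pnpm typecheck
      - run: pnpm test
      - run: pnpm build
"""

USES_RE = re.compile(r"^\s*-\s*uses:\s*(\S+)@(\S+)")   # "- uses: owner/action@ref"
RUN_RE = re.compile(r"^\s*-\s*run:\s*(.+)$")            # "- run: <command>"
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                  # full-length git commit SHA
PERMISSIONS_RE = re.compile(r"^\s*permissions:")


def audit_workflow(text):
    """Return a list of human-readable findings for a GitHub Actions workflow."""
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if PERMISSIONS_RE.match(line):
            has_permissions = True
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if not SHA_RE.match(ref):
                # A tag or branch can be moved after review; a SHA cannot.
                findings.append(f"line {lineno}: {action} pinned to mutable ref '{ref}', not a commit SHA")
        m = RUN_RE.match(line)
        if m and m.group(1).startswith("pnpm install") and "--frozen-lockfile" not in m.group(1):
            # Without the flag the lockfile may be rewritten at install time.
            findings.append(f"line {lineno}: pnpm install without --frozen-lockfile")
    if not has_permissions:
        findings.append("no 'permissions:' block; GITHUB_TOKEN falls back to the repository default scope")
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(CI_WORKFLOW):
        print(finding)
```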

Deployment pipeline

Deployments are triggered by merges to main:

.github/workflows/deploy.yml

    name: Deploy
    on:
      push:
        branches: [main]
    jobs:
      deploy-api:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - uses: pnpm/action-setup@v4
          - run: pnpm install --frozen-lockfile
          - run: pnpm --filter @jarvis/api-gateway deploy
            env:
              CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}

Each package is deployed by its own job, so the deployments run in parallel.

Secrets

All secrets are stored in GitHub Actions secrets and injected as environment variables. Never commit secrets to the repository.

Required GitHub secrets:

  • CLOUDFLARE_API_TOKEN — Wrangler deployment
  • CLOUDFLARE_ACCOUNT_ID — Wrangler account
  • SUPABASE_SERVICE_ROLE_KEY — Database migrations
  • ANTHROPIC_API_KEY — AI provider (used in migration scripts only)

Branch protection

The main branch requires:

  • All CI checks passing
  • At least one code review approval
  • No direct pushes (PRs only)