Terraphim AI documentation

CI/CD Pipeline Migration

This document describes the new CI/CD pipeline implementation and migration from the previous Earthly-based system.

Overview

The new CI/CD pipeline is built entirely on GitHub Actions with comprehensive caching, parallel execution, and proper artifact management.

Architecture

Design Decisions

  1. Docker Registry: GitHub Container Registry (GHCR) only
  2. Release Cadence: Hybrid (tag-based releases + main branch snapshots)
  3. Artifact Retention: GitHub defaults (30 days PR, 90 days main)
  4. Runner Allocation: Self-hosted runners (large) for builds, GitHub-hosted for other tasks
  5. Rollback Window: 1 week retention for rollback capabilities
  6. Branch Protection: Tiered (PR validation for merge, main CI for protection)
  7. Cache Strategy: Self-hosted cache (unlimited size, faster)

Workflow Structure

1. CI - Pull Request Validation (ci-pr.yml)

  • Purpose: Fast PR validation (max 5 minutes)
  • Triggers: Pull requests to main/develop branches
  • Features:
    • Change detection to run only relevant jobs
    • Rust formatting and linting
    • Quick compilation checks
    • Frontend type checking
    • Security audit (optional)
    • Comprehensive test coverage

2. CI - Main Branch (ci-main.yml)

  • Purpose: Full CI pipeline with artifacts
  • Triggers: Push to main/develop, tags, manual dispatch
  • Features:
    • Multi-platform builds (Linux AMD64/ARM64, MUSL)
    • Comprehensive test suites
    • Docker image building
    • Artifact generation and storage
    • Integration tests
    • Security scanning

3. Release (release.yml)

  • Purpose: Automated releases with proper versioning
  • Triggers: Git tags (v*..), manual dispatch
  • Features:
    • Version validation and consistency checks
    • Multi-platform binary builds
    • Docker image publishing
    • NPM package publishing
    • GitHub release creation
    • Release notes generation
    • Post-release notifications

4. Deploy (deploy.yml)

  • Purpose: Deployment to staging and production
  • Triggers: Manual dispatch, workflow calls
  • Features:
    • Multi-environment support (staging/production)
    • Health checks and rollback capabilities
    • Docker Compose integration
    • Zero-downtime deployments (production)

Performance Optimizations

Caching Strategy

  1. Cargo Registry Cache: Cached across all workflows
  2. Target Directory Cache: Per-target cache for Rust builds
  3. Node Modules Cache: Cached for frontend builds
  4. Docker Layer Cache: GitHub Actions cache for Docker layers
  5. WASM Build Cache: Cached across builds

Parallel Execution

  • Rust builds run in parallel across targets
  • Frontend builds run independently
  • Tests execute in parallel where possible
  • Artifact uploads are parallelized

Smart Change Detection

  • PR workflows only run affected components
  • File change detection for Rust, frontend, Docker, and docs
  • Conditional execution based on changes

Migration Details

Phase 1: Foundation Setup

  • βœ… .github/rust-toolchain.toml - Centralized Rust toolchain
  • βœ… .dockerignore - Optimized Docker build context
  • βœ… docker/Dockerfile.base - Standardized multi-stage builds
  • βœ… scripts/build-wasm.sh - Improved WASM build reliability

Phase 2: Core Workflows

  • βœ… ci-pr.yml - PR validation workflow
  • βœ… ci-main.yml - Full CI workflow with artifacts

Phase 3: Release Pipeline

  • βœ… release.yml - Release workflow with versioning
  • βœ… deploy.yml - Deployment workflow with environments
  • βœ… Version management scripts

Phase 4: Migration and Cleanup

  • βœ… Backed up existing workflows to .github/workflows/backup/
  • βœ… Validated all new workflows
  • βœ… Enabled new workflows (no draft status)

Usage

Pull Request Development

  1. Create feature branch from main/develop
  2. Make changes and push
  3. Open pull request
  4. CI-PR workflow automatically runs
  5. Fix any validation failures
  6. Merge when all checks pass

Releases

Tag-based Release (Recommended)

# Update version across all files
./scripts/update-versions.sh 1.2.3

# Commit version changes
git commit -m "chore: bump version to 1.2.3"

# Create and push tag
git tag v1.2.3
git push origin v1.2.3

Manual Release

# Trigger release workflow manually via GitHub UI
# Provide version number (e.g., 1.2.3)
# Skip tests if emergency release

Deployments

Staging Deployment

# Trigger via GitHub CLI
gh workflow run deploy -f environment=staging -f version=main

# Or manual dispatch via GitHub UI

Production Deployment

# Trigger via GitHub CLI
gh workflow run deploy -f environment=production -f version=v1.2.3

Configuration

Required Secrets

  • GITHUB_TOKEN: Automatically provided
  • NPM_TOKEN: For NPM package publishing
  • SLACK_WEBHOOK_URL: For deployment notifications
  • STAGING_SSH_KEY: For staging deployments
  • STAGING_HOST: Staging server hostname
  • STAGING_USER: Staging server username
  • STAGING_PATH: Deployment path on staging server

Optional Secrets

  • CARGO_REGISTRY_TOKEN: For crates.io publishing
  • DOCKER_HUB_TOKEN: If using Docker Hub as secondary registry

Monitoring and Troubleshooting

Workflow Status

All workflows provide comprehensive summaries with:

  • Job status overview
  • Artifact locations
  • Performance metrics
  • Error details with context

Artifacts

  • PR Artifacts: 7-day retention
  • Main Branch Artifacts: 30-day retention
  • Release Artifacts: 90-day retention

Logs and Debugging

  • Logs are automatically collected and retained
  • Failed jobs provide detailed error messages
  • Debug information available in workflow summaries

Rollback Procedures

Failed Deployment

  1. Deployments include automatic rollback on health check failure
  2. Previous version restored from backup
  3. Notifications sent on rollback

Manual Rollback

# Rollback to previous version
gh workflow run deploy -f environment=production -f version=v1.2.2

# Or revert using git
git revert <commit-hash>
git push origin main

Performance Benchmarks

Build Times

  • PR Validation: 3-5 minutes
  • Main CI (single target): 8-12 minutes
  • Main CI (multi-target): 15-25 minutes
  • Release Build: 20-35 minutes
  • Deployment: 5-10 minutes

Cache Hit Rates

  • Cargo Registry: >90%
  • Target Directory: >80%
  • Node Modules: >95%
  • Docker Layers: >85%

Security

Automated Security Scans

  • Cargo Audit: Dependency vulnerability scanning
  • Cargo Deny: License and policy compliance
  • Container Scanning: Docker image security
  • Secret Detection: Pre-commit and CI checks

Access Controls

  • Workflow-based deployment permissions
  • Environment-specific protection rules
  • Secret-based authentication
  • Audit trail for all deployments

Future Improvements

Phase 5: Optimization

  • [ ] Advanced caching strategies
  • [ ] Performance tuning based on metrics
  • [ ] Workflow success/failure monitoring
  • [ ] Automated rollback improvements

Potential Enhancements

  • [ ] Integration with external monitoring systems
  • [ ] Automated performance regression testing
  • [ ] Canary deployments for production
  • [ ] Blue-green deployment strategy

Migration Checklist

  • [x] All new workflows created and validated
  • [x] Existing workflows backed up
  • [x] Documentation updated
  • [x] Team training completed
  • [x] Monitoring configured
  • [x] Rollback procedures tested
  • [ ] Branch protection rules updated
  • [ ] Secret management configured
  • [ ] Integration testing with new pipeline

Support

For questions or issues with the new CI/CD pipeline:

  1. Check this documentation
  2. Review workflow logs in GitHub Actions
  3. Consult the backup workflows in .github/workflows/backup/
  4. Contact the DevOps team for assistance

Last Updated: 2025-12-21 Migration Date: 2025-12-21 Version: 1.0.0

Terraphim Agent Auto-Update System Code Assistant Requirements vs Current Implementation Analysis