- Create dedicated PR workflow (pr.yml) with comprehensive CI checks
- Remove pull_request triggers from ci.yml, security.yml, and deploy.yml
- Remove develop branch references for trunk-based development
- Include security scans, CodeQL analysis, and Docker builds in PR workflow
- Prevent automated PR review from triggering multiple times
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add explicit check to skip build job on pull requests
- Ensures Docker images are only built after merge to main or on version tags
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Replace all self-hosted runners with ubuntu-latest
- Docker builds now only run on main branch or version tags, not on PRs
- Reduces stress on self-hosted infrastructure
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add path filtering to deploy.yml to match ci.yml pattern.
This should prevent Docker builds when only documentation changes.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Prevent malicious PRs from forks running on self-hosted infrastructure by
restricting self-hosted jobs to only run for:
- Direct pushes (not PRs from forks)
- PRs from intelligence-assist org members
This protects against potential security vulnerabilities while maintaining
functionality for trusted contributors.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
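A workflow fragment illustrating the gating described in the commit above, as an added example rather than the repository's own ci.yml. The job names, the `npm ci && npm test` step and the weak form shown in comments are assumptions; only the non-fork check is expressed here, since org membership is not available as a workflow expression.

```yaml
name: ci
on:
  push:
    branches: [main]
  pull_request:          # not pull_request_target: that event hands a
                         # write-scoped token to code from untrusted PRs

jobs:
  # Weak form (assumption: what this gating replaces): every PR, including
  # ones from forks, lands on the homeserver runner and can execute
  # arbitrary code on it.
  #
  # heavy-tests:
  #   runs-on: self-hosted
  #   steps: [ ... ]

  # Hardened form: self-hosted only for direct pushes and for PRs whose
  # head repository is this repository (collaborator branches, not forks).
  # On a push event the pull_request context is empty, so the first clause
  # short-circuits before the comparison.
  heavy-tests:
    if: >-
      github.event_name == 'push' ||
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  # Fork PRs still get feedback, but on an ephemeral GitHub-hosted runner
  # with a read-only token, so nothing untrusted reaches the homeserver.
  heavy-tests-fork:
    if: >-
      github.event_name == 'pull_request' &&
      github.event.pull_request.head.repo.full_name != github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

Checking org membership for the "intelligence-assist org members" case would need a preceding step that queries the membership API with a token and exposes the result as a step output; that step is not shown here.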
Using standard ubuntu-latest (2-core) runners for light jobs to avoid
additional costs beyond GitHub Team plan. Heavy jobs still use self-hosted.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Fix label capitalization: linux,x64 → Linux,X64 to match actual runner
- Strategic job distribution: heavy tasks on self-hosted, light tasks on GitHub 4-core
- Ensures jobs are picked up by homeserver runner instead of queuing indefinitely
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Simplified runner labels from complex arrays to simple 'self-hosted' to match
actual runner configuration and ensure jobs are picked up properly.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Move all jobs from GitHub-hosted to self-hosted runners
- Leverage 16-core self-hosted infrastructure for all workloads
- Maintain parallel execution benefits with dedicated hardware
- Expected dramatic performance improvement across all pipelines
- Split test jobs into parallel units (lint, unit, integration, e2e, coverage)
- Move Docker builds to self-hosted runners for better performance
- Use ubuntu-latest-4-cores for faster GitHub-hosted CI jobs
- Add aggressive caching for npm dependencies and Docker layers
- Parallelize security scans with other jobs instead of sequential execution
- Optimize job dependencies to reduce pipeline wall-clock time
Expected performance improvements:
- CI Pipeline: ~60% faster due to parallel execution
- Docker Builds: ~40% faster on self-hosted infrastructure
- Overall pipeline: ~50% reduction in total execution time
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Security scanning requires pushed images, which are not available
in PR context. Only run security scans on push events.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Extract only the first tag from Docker metadata output to fix
"could not parse reference" error when multiple tags are present.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Only push Docker images when not in a pull request context. PRs don't have
permission to push to ghcr.io, so we should only build without pushing.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove branch prefix from sha-based tags to avoid invalid tag format
when branch name is empty. Tags cannot start with a hyphen.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
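One deploy job that combines the three Docker fixes from the commits above (push only outside PRs, first tag only for the scanner, no branch prefix on sha tags), as an added example and not the project's own deploy.yml. The action versions, the trivy scanner choice, the `docs/**` path filter and the `first-tag` step id are assumptions.

```yaml
name: deploy
on:
  push:
    branches: [main]
    tags: ['v*']
    paths-ignore: ['docs/**', '**.md']   # assumption: mirrors the ci.yml filter
  pull_request:

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      # PR tokens cannot push to ghcr.io, so skip login and push entirely on PRs
      - uses: docker/login-action@v3
        if: github.event_name != 'pull_request'
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          # type=sha keeps the default "sha-" prefix; a prefix={{branch}}-
          # variant yields "-abc1234" on a tag push, which is an invalid tag
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=sha
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}   # build-only on PRs
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      # meta.outputs.tags is newline-separated; the scanner wants one reference
      - id: first-tag
        if: github.event_name != 'pull_request'
        run: |
          echo "ref=$(printf '%s\n' "${{ steps.meta.outputs.tags }}" | head -n1)" >> "$GITHUB_OUTPUT"
      # Scan only after a push, because the image must exist in the registry
      - uses: aquasecurity/trivy-action@0.28.0
        if: github.event_name != 'pull_request'
        with:
          image-ref: ${{ steps.first-tag.outputs.ref }}
          severity: CRITICAL,HIGH
          exit-code: '1'
```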
The project is written in JavaScript, not TypeScript, so there's no
typecheck script in package.json. Removing this step prevents CI failures.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add GitHub Actions deployment workflow for staging and production
- Add deployment scripts for automated deployments
- Add GitHub runner management scripts
- Add staging docker-compose configuration
- Enable automatic deployments on push to main (staging) and version tags (production)
- Move build-and-push and deploy jobs to dedicated deploy.yml workflow
- CI workflow now only contains essential PR checks (test, security, docker)
- Prevents skipped deployment jobs from blocking PR review automation
- Fixes issue where PR #36 couldn't trigger automated reviews
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>