ui/_docs/02_document/deployment/ci_cd_pipeline.md
Oleksandr Bezdieniezhnykh 15838c5cc1
ci/woodpecker/push/build-arm Pipeline failed
Update autodev state and lessons documentation
- Changed current step from 15 (Performance Test) to 9 (New Task) in _docs/_autodev_state.md, reflecting the transition to Cycle 3.
- Updated cycle count from 2 to 3 and modified sub-step details to indicate progress in gathering feature descriptions.
- Added new lessons to _docs/LESSONS.md, emphasizing best practices for API key management, dependency handling, and reporting inline fixes during security audits.
- Enhanced CI/CD pipeline documentation in _docs/02_document/deployment/ci_cd_pipeline.md to include new gates for vulnerability scans and SBOM emissions, along with dependency overrides for transitive dependencies.
- Expanded environment strategy documentation in _docs/02_document/deployment/environment_strategy.md to include the new Google Geocode API key management.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-12 22:49:38 +03:00


# Azaion UI — CI/CD Pipeline

Synthesis output of /document Step 3d (ci_cd_pipeline). Derived from `.woodpecker/build-arm.yml`.

## 1. Triggers

| Branch | Triggers | Image tag |
|---|---|---|
| `dev` | every push | `${REGISTRY_HOST}/azaion/ui:dev-arm` |
| `stage` | every push | `${REGISTRY_HOST}/azaion/ui:stage-arm` |
| `main` | every push | `${REGISTRY_HOST}/azaion/ui:main-arm` |

Other branches do NOT build (PR builds, feature-branch builds, tag builds — none configured today).

## 2. Steps

| # | Step | What | Notes |
|---|---|---|---|
| 1 | Checkout | `git clone` + `git checkout $CI_COMMIT_SHA` | Standard Woodpecker behaviour |
| 2 | Build + Push image | Multi-stage Dockerfile produces an `nginx:alpine` image with `dist/` baked in | Pushes to `${REGISTRY_HOST}/azaion/ui:${branch}-arm` with OCI labels (revision, created, source) |

Missing steps (recommended for autodev Steps 5–7):

| Step | Purpose | Tool candidates |
|---|---|---|
| `bun install --frozen-lockfile` smoke | Catch lockfile drift before build | First few seconds of the build stage cover this |
| `tsc --noEmit` | Type-check the whole project | Already part of `bun run build` (`tsc -b && vite build`) |
| `bun test` (or vitest / jest) | Run test suite | Required — there is no test runner today |
| eslint / biome | Lint | Not configured today |
| `bun audit --severity high` | Block build on new HIGH/CRITICAL CVEs in deps | Tracked as Phase B follow-up F-INF-1 (cycle 2 security audit). Today the audit is run manually; without a CI gate the dev-only Vite/PostCSS HIGH advisories that AZ-502 closed could re-enter the lockfile undetected. |
| Vulnerability scan (image) | CVE scan on the image | trivy or grype candidates — Phase B follow-up F-INF-3 |
| SBOM emission | Software bill of materials | syft candidate — Phase B follow-up F-INF-4 |
| Image signing | Supply-chain trust | cosign candidate — Phase B follow-up F-INF-4 |
| Multi-arch build | Add AMD64 alongside ARM64 | docker buildx candidates |

These are tracked as Steps 4–7 deliverables under autodev; the current pipeline is correct but minimal.
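As an added illustration (not the repository's own `.woodpecker/build-arm.yml`), the F-INF-1, F-INF-3 and F-INF-4 gates from the table above written as Woodpecker steps that would run after the existing Build + Push step. Step names, the `registry_host`/`registry_user`/`registry_password` secret names and the syft version placeholder are assumptions; the `bun audit` invocation is the one recommended above, and the trivy/syft flags are those tools' documented ones.

```yaml
# Added example: candidate security gates for the build-arm pipeline.
# Assumes the Build + Push step already ran, so the branch tag exists in the registry.
when:
  - event: push
    branch: [dev, stage, main]

steps:
  - name: deps-audit                       # F-INF-1: fail the build on HIGH/CRITICAL advisories
    image: oven/bun:1
    commands:
      - bun install --frozen-lockfile      # also catches lockfile drift before any build
      - bun audit --severity high          # command as recommended in the table above

  - name: image-scan                       # F-INF-3: CVE scan of the image that was just pushed
    image: aquasec/trivy:latest
    environment:
      REGISTRY_HOST: { from_secret: registry_host }          # assumed secret name
      TRIVY_USERNAME: { from_secret: registry_user }         # assumed secret name
      TRIVY_PASSWORD: { from_secret: registry_password }     # assumed secret name
    commands:
      # --exit-code 1 turns findings into a failed step; --ignore-unfixed keeps
      # the gate actionable by reporting only CVEs that have a fixed version.
      - trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed
          "$REGISTRY_HOST/azaion/ui:$CI_COMMIT_BRANCH-arm"

  - name: sbom                             # F-INF-4: emit an SPDX SBOM for the same image
    image: alpine:3
    environment:
      REGISTRY_HOST: { from_secret: registry_host }
      SYFT_REGISTRY_AUTH_USERNAME: { from_secret: registry_user }
      SYFT_REGISTRY_AUTH_PASSWORD: { from_secret: registry_password }
    commands:
      - apk add --no-cache curl
      # Pin the syft release (vX.Y.Z is a placeholder) so the SBOM tool itself is reproducible.
      - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin vX.Y.Z
      - syft "$REGISTRY_HOST/azaion/ui:$CI_COMMIT_BRANCH-arm" -o spdx-json=sbom.spdx.json
```

Because branch tags are mutable (section 5), scanning by the OCI `revision` label or by digest rather than by tag is the stricter variant once the build step exports the pushed digest.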

## 2a. Dependency overrides (AZ-502, cycle 2)

Both `package.json` and `mission-planner/package.json` carry an `overrides` block:

```json
"overrides": {
  "vite": ">=6.4.2",
  "postcss": ">=8.5.10"
}
```

Why: `bun audit` flagged 3 advisories (1 HIGH, 2 MODERATE) in vite <= 6.4.1 and postcss < 8.5.10 introduced via nested transitive copies through vitest / vite-node. A direct `bun update vite` did not displace those nested copies. Forcing a floor via `overrides` plus a clean reinstall (`rm -rf node_modules bun.lock && bun install`) cleared the advisories.

Maintenance rule: do NOT remove these overrides until both vite and postcss are direct (non-transitive) at safe versions everywhere — verify with `bun pm ls vite postcss` before deleting. The `bun audit` CI gate (F-INF-1) will catch regressions if the overrides drift.

## 3. Secrets & registry

- `${REGISTRY_HOST}` — provided by Woodpecker secrets at runtime.
- Registry credentials — stored as Woodpecker secrets; not in this repo.
- No GPG/TLS signing keys today.

## 4. Branch model

- `dev` is the active development branch (per `.cursor/rules/git-workflow.mdc`).
- `stage` is for pre-production validation.
- `main` is production.
- No `release/*` long-lived branches.
- PR builds are not configured (the Woodpecker build only fires on push, not on PR open).

## 5. Build artifact

The output of the pipeline is exactly one OCI image per push: `${REGISTRY_HOST}/azaion/ui:${branch}-arm`. There is no versioned image tag (e.g., `1.2.3-arm`); branch tags are mutable. The OCI `revision` label is the deterministic anchor (= `$CI_COMMIT_SHA`).

Future: when this UI ships under a versioned suite release, the pipeline should also tag images with `vMAJOR.MINOR.PATCH-arm` derived from the `package.json` version.