SDLC & CI/CD Workflow

How DIAL is built, tested, and deployed — from commit to release
Pipeline Trigger
push to main branch
Skipped if commit message contains [skip ci]

Pipeline Overview

Job 1
Version
version
Job 2
Build
build
Job 3
Test
test
Job 4
Deploy
deploy
Job 5
Release Notes
release-notes
Job 6
Release
create-release

CI/CD Technology Matrix

Workflow source: .github/workflows/deploy-and-release.yml

Layer Technology Version / Pin Role
CI Orchestration GitHub Actions Hosted Runs 6-job pipeline on push to main
Runtime Node.js 20 Build, test, and deploy runtime in workflow
Build Tooling actions/setup-node, npm, Angular CLI v4 / npm install Installs dependencies and runs npm run build:prod
Test Runner Angular CLI + Karma + ChromeHeadless npx ng test Runs unit tests after build; deploy is blocked until tests pass
Cloud Auth Workload Identity Federation + OIDC google-github-actions/auth@v2 Provides short-lived Google access token without key files
Deployment Firebase CLI firebase-tools@13.15.2 (pinned) Deploys Hosting, Firestore rules/indexes, and Functions
Release Notes Anthropic Messages API via curl claude-sonnet-4-6 Generates categorized release notes with grep/sed fallback
Release Publishing GitHub CLI (gh) runner-provided Creates tag and publishes GitHub Release
Doc Automation Anthropic Messages API via scripts/apply-doc-updates.js claude-sonnet-4-6 Post-deploy doc update via doc-update.yml workflow

Stage Details

1
Version — Calculate next semantic version
job: version
  • Fetches all git tags to find the latest release tag
  • Reads all commits since the last tag to determine the version bump
  • Applies Conventional Commits rules: BREAKING CHANGE → major, feat: → minor, anything else → patch
  • Outputs new_version, new_tag, previous_tag, and commit_log as job outputs for downstream jobs
2
Build — Compile and bundle the Angular app
job: build  |  needs: version
  • Sets up Node.js 20 with npm cache
  • Injects version number: echo "export const appVersion = '...';" > src/environments/version.ts
  • Runs npm install (not npm ci — see Quick Reference for why)
  • Runs npm run build:prod — optimized production Angular build
  • Uploads build artifact (dist/dora-tma/browser/) with 1-day retention for the deploy job
3
Test — Run unit tests against the built app
job: test  |  needs: build
  • Sets up Node.js 20 and installs dependencies via npm install
  • Runs npx ng test --watch=false --browsers=ChromeHeadless — full unit test suite in headless Chrome
  • Covers AppComponent, AssessmentSummaryComponent, and other component specs
  • Pipeline is blocked — the deploy job does not run unless all tests pass
4
Deploy — Push to Firebase Hosting + Functions
job: deploy  |  needs: test, version
  • Downloads the Angular build artifact from Job 2
  • Installs and compiles Cloud Functions: cd functions && npm install && npm run build
  • Installs Firebase Tools pinned to v13.15.2 (must not upgrade — see Quick Reference)
  • Authenticates via Workload Identity Federation — no stored service account keys
  • Deploys with NODE_TLS_REJECT_UNAUTHORIZED=0 and FIREBASE_TOKEN from WIF access token
  • Deploys: hosting (dial-app + docs targets), firestore rules, functions
5
Release Notes — AI-generated changelog
job: release-notes  |  needs: deploy, version
  • Calls the Anthropic API directly via curl with the commit log as input
  • Model: claude-sonnet-4-6 — generates categorized markdown release notes
  • Sections: Features, Bug Fixes, Performance, Documentation, Refactoring
  • On API failure (non-200): falls back to a shell grep/sed pipeline that categorizes commits by prefix — same section structure, no AI
AI Release Notes: The ANTHROPIC_API_KEY used here is a separate GitHub Actions secret — used only in CI, never deployed to any runtime. The Cloud Functions use their own key set via gcloud run services update.
6
Create Release — Tag and publish GitHub Release
job: create-release  |  needs: release-notes, version
  • Creates and pushes a git tag: vMAJOR.MINOR.PATCH
  • Writes release notes to release-notes.md
  • Creates the GitHub Release with gh release create using the release notes file
  • Release is immediately visible on the GitHub Releases page with the full categorized changelog

Post-Deploy Documentation Update

After every successful deploy, a second workflow (doc-update.yml) automatically updates these documentation pages:

Property Detail
Trigger workflow_run on Deploy and Release completing successfully on main
Loop prevention Skipped automatically if only docs/ files changed; doc update commits use [skip ci]
Diff scope src/, functions/, firestore.rules, firebase.json, .github/workflows/
AI model claude-sonnet-4-6 via scripts/apply-doc-updates.js
Agent instructions .github/agents/docs-website.agent.md — loaded at runtime and passed to the API
Auth WIF (same as deploy workflow) — deploys updated docs via firebase deploy --only hosting:docs
Commit message docs: auto-update via docs-website agent [skip ci]

Semantic Versioning Rules

Commit Prefix Version Bump Example
BREAKING CHANGE or [major] Major (x.0.0) API redesign, data model change
feat: or [minor] Minor (0.x.0) New capability, new user-facing feature
fix:, docs:, refactor:, chore: Patch (0.0.x) Bug fix, documentation update, cleanup

All commits since the previous tag are evaluated. The highest-priority bump wins — a release with one feat: and ten fix: commits bumps the minor version.

Developer Workflow

🔌
Feature Branch Workflow
All work happens on short-lived branches off main, named with conventional prefixes: feat/, fix/, refactor/, docs/. Branches are squash-merged back to main (collapsing all branch commits into one clean commit), then deleted — both locally and on the remote. Never commit directly to main.
📝
Commit Messages
Follow Conventional Commits format. Claude Code authors commit messages following the feat:, fix:, docs:, refactor: prefixes — ensuring consistent style and accurate version bumping.
🤖
AI-Assisted Development
Features, bug fixes, and refactors are implemented with Claude Code in paired sessions. Architecture docs, AGENTS.md, and agent instruction files are maintained alongside code changes.
🚀
Merge to Deploy
Every push to main triggers a full pipeline run — including unit tests that must pass before deployment. There is no separate release step — versioning and deployment are automatic from the commit log. Docs are then updated automatically by the post-deploy doc-update.yml workflow.

Security & Authentication

Concern Approach
CI Authentication Workload Identity Federation (WIF) — no stored service account keys. GitHub Actions OIDC token exchanged for a short-lived Google access token.
ANTHROPIC_API_KEY (runtime) Set directly on Cloud Run services via gcloud run services update --update-env-vars. Never in firebase.json or source control.
ANTHROPIC_API_KEY (CI) Stored as GitHub Actions secret. Used in the release-notes job and the doc-update workflow. Never deployed to any runtime.
Firestore Access Security rules enforce org-scoped access. Users can only read/write data within their own organization.
Pipeline Concurrency concurrency: group: deploy-$ref, cancel-in-progress: false — concurrent runs queue rather than cancel to prevent lost deploys.