SDLC & CI/CD Workflow

How DIAL is built, tested, and deployed — from commit to release
Last updated: 2026-03-10
Pipeline Trigger
  • Push to the main branch
  • Skipped if the commit message contains [skip ci]
🔀 Pipeline Overview

Job 1: Version (version) → Job 2: Build (build) → Job 3: Deploy (deploy) → Job 4: Release Notes (release-notes) → Job 5: Release (create-release)
🧰 CI/CD Technology Matrix

Workflow source: .github/workflows/deploy-and-release.yml

| Layer | Technology | Version / Pin | Role |
|---|---|---|---|
| CI Orchestration | GitHub Actions | Hosted | Runs 5-job pipeline on push to main |
| Runtime | Node.js | 20 | Build and deploy runtime in workflow |
| Build Tooling | actions/setup-node, npm, Angular CLI | v4 / npm install | Installs dependencies and runs npm run build:prod |
| Cloud Auth | Workload Identity Federation + OIDC | google-github-actions/auth@v2 | Provides short-lived Google access token without key files |
| Deployment | Firebase CLI | firebase-tools@13.15.2 (pinned) | Deploys Hosting, Firestore rules/indexes, and Functions |
| Release Notes | Anthropic Messages API via curl | claude-sonnet-4-6 | Generates categorized release notes with grep/sed fallback |
| Release Publishing | GitHub CLI (gh) | runner-provided | Creates tag and publishes GitHub Release |
📋 Stage Details
1. Version — Calculate next semantic version
job: version
  • Fetches all git tags to find the latest release tag
  • Reads all commits since the last tag to determine the version bump
  • Applies Conventional Commits rules: BREAKING CHANGE → major, feat: → minor, anything else → patch
  • Outputs new_version, new_tag, previous_tag, and commit_log as job outputs for downstream jobs
2. Build — Compile and bundle the Angular app
job: build  |  needs: version
  • Sets up Node.js 20 with npm cache
  • Injects version number: echo "export const appVersion = '...';" > src/environments/version.ts
  • Runs npm install (not npm ci — see Quick Reference for why)
  • Runs npm run build:prod — optimized production Angular build
  • Uploads build artifact (dist/dora-tma/browser/) with 1-day retention for the deploy job
3. Deploy — Push to Firebase Hosting + Functions
job: deploy  |  needs: build, version
  • Downloads the Angular build artifact from Job 2
  • Installs and compiles Cloud Functions: cd functions && npm install && npm run build
  • Installs Firebase Tools pinned to v13.15.2 (must not upgrade — see Quick Reference)
  • Authenticates via Workload Identity Federation — no stored service account keys
  • Deploys with NODE_TLS_REJECT_UNAUTHORIZED=0 (which disables TLS certificate verification for that Node.js process) and FIREBASE_TOKEN set from the WIF access token
  • Deploys: hosting (dial-app + docs targets), firestore rules, functions
4. Release Notes — AI-generated changelog
job: release-notes  |  needs: deploy, version
  • Calls the Anthropic API directly via curl with the commit log as input
  • Model: claude-sonnet-4-6 — generates categorized markdown release notes
  • Sections: ✨ Features, 🐛 Bug Fixes, ⚡ Performance, 📝 Documentation, ♻️ Refactoring
  • On API failure (non-200): falls back to a shell grep/sed pipeline that categorizes commits by prefix — same section structure, no AI
🤖 AI Release Notes: The ANTHROPIC_API_KEY used here is a separate GitHub Actions secret — used only in CI, never deployed to any runtime. The Cloud Functions use their own key set via gcloud run services update.
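The grep/sed fallback described above, as an added shell example that is not the workflow's own script: it assumes the commit log arrives as one `<sha> <subject>` line per commit (a constructed sample is embedded), emits the same five sections, and omits any section with no entries.

```shell
#!/bin/sh
# Added example of a prefix-based release-notes categorizer (not DIAL's workflow code).
# Assumption: the version job hands over one "<sha> <subject>" line per commit.

# Constructed sample commit log.
SAMPLE_LOG='a1b2c3d feat: add org-level dashboard filters
b2c3d4e fix: handle empty Firestore query results
c3d4e5f docs: update SDLC workflow page
d4e5f60 perf: cache build artifact lookups
e5f6071 refactor: split release-notes job into functions
f607182 chore: bump firebase-tools pin'

# section <log> <prefix> <heading>: print a heading plus every commit whose
# subject starts with <prefix> (optionally scoped, e.g. "fix(auth):"), rewritten
# as "- <subject without prefix>". Prints nothing when no commit matches.
section() {
  log=$1; prefix=$2; heading=$3
  entries=$(printf '%s\n' "$log" \
    | grep -E "^[0-9a-f]+ ${prefix}(\([^)]*\))?!?: " \
    | sed -E "s/^[0-9a-f]+ ${prefix}(\([^)]*\))?!?: /- /")
  [ -n "$entries" ] || return 0
  printf '## %s\n%s\n\n' "$heading" "$entries"
}

# fallback_notes <log>: the same five sections the AI path produces, no AI involved.
# Commits with other prefixes (chore:, build:, ...) are left out.
fallback_notes() {
  log=$1
  section "$log" feat     "✨ Features"
  section "$log" fix      "🐛 Bug Fixes"
  section "$log" perf     "⚡ Performance"
  section "$log" docs     "📝 Documentation"
  section "$log" refactor "♻️ Refactoring"
}

# count_entries <notes>: number of "- " bullet lines, a cheap sanity check
# before the notes are written to release-notes.md.
count_entries() {
  printf '%s\n' "$1" | grep -c '^- '
}

fallback_notes "$SAMPLE_LOG"
```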
5. Create Release — Tag and publish GitHub Release
job: create-release  |  needs: release-notes, version
  • Creates and pushes a git tag: vMAJOR.MINOR.PATCH
  • Writes release notes to release-notes.md
  • Creates the GitHub Release with gh release create using the release notes file
  • Release is immediately visible on the GitHub Releases page with the full categorized changelog
🏷️ Semantic Versioning Rules
| Commit Prefix | Version Bump | Example |
|---|---|---|
| BREAKING CHANGE or [major] | Major (x.0.0) | API redesign, data model change |
| feat: or [minor] | Minor (0.x.0) | New capability, new user-facing feature |
| fix:, docs:, refactor:, chore: | Patch (0.0.x) | Bug fix, documentation update, cleanup |

All commits since the previous tag are evaluated. The highest-priority bump wins — a release with one feat: and ten fix: commits bumps the minor version.
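The version job's bump calculation (Stage 1 above) and the rules in this table, as one added shell example that is not DIAL's workflow script: it assumes the previous tag looks like vMAJOR.MINOR.PATCH and the commit log is one `<sha> <subject>` line per commit, with BREAKING CHANGE or [major] anywhere on a line; the sample tag and log are constructed.

```shell
#!/bin/sh
# Added example of the Conventional Commits version bump (not DIAL's workflow code).
# Assumptions: previous tag is "vMAJOR.MINOR.PATCH"; log lines are "<sha> <subject>".

# bump_kind <log>: prints major, minor or patch. The highest-priority bump found
# anywhere in the log wins, so one feat: among many fix: commits yields minor.
bump_kind() {
  log=$1
  if printf '%s\n' "$log" | grep -Eq 'BREAKING CHANGE|\[major\]'; then
    echo major
  elif printf '%s\n' "$log" | grep -Eq '(^| )feat(\([^)]*\))?: |\[minor\]'; then
    echo minor
  else
    echo patch
  fi
}

# next_version <previous_tag> <log>: strips the leading "v", applies the bump and
# resets the lower components to zero, matching semantic versioning.
next_version() {
  prev=${1#v}; kind=$(bump_kind "$2")
  major=${prev%%.*}; rest=${prev#*.}; minor=${rest%%.*}; patch=${rest#*.}
  case $kind in
    major) major=$((major + 1)); minor=0; patch=0 ;;
    minor) minor=$((minor + 1)); patch=0 ;;
    patch) patch=$((patch + 1)) ;;
  esac
  echo "$major.$minor.$patch"
}

# Constructed sample: one feat: among several fix: commits, so the bump is minor.
SAMPLE_LOG='a1b2c3d fix: handle empty Firestore query results
b2c3d4e feat: add org-level dashboard filters
c3d4e5f fix: correct retry backoff
d4e5f60 chore: bump firebase-tools pin'

NEW_VERSION=$(next_version v1.4.2 "$SAMPLE_LOG")
echo "new_version=$NEW_VERSION"
echo "new_tag=v$NEW_VERSION"
```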

👨‍💻 Developer Workflow
📝 Commit Messages
Follow Conventional Commits format. Claude Code authors commit messages following the feat:, fix:, docs:, refactor: prefixes — ensuring consistent style and accurate version bumping.
🤖 AI-Assisted Development
Features, bug fixes, and refactors are implemented with Claude Code in paired sessions. Architecture docs, AGENTS.md, and agent instruction files are maintained alongside code changes.
🚀 Merge to Deploy
Every push to main triggers a full pipeline run. There is no separate release step — versioning and deployment are automatic from the commit log.
🔐 Security & Authentication
| Concern | Approach |
|---|---|
| CI Authentication | Workload Identity Federation (WIF) — no stored service account keys. GitHub Actions OIDC token exchanged for a short-lived Google access token. |
| ANTHROPIC_API_KEY (runtime) | Set directly on Cloud Run services via gcloud run services update --update-env-vars. Never in firebase.json or source control. |
| ANTHROPIC_API_KEY (CI) | Stored as GitHub Actions secret. Used only in the release-notes job. Never deployed to any runtime. |
| Firestore Access | Security rules enforce org-scoped access. Users can only read/write data within their own organization. |
| Pipeline Concurrency | concurrency: group: deploy-$ref, cancel-in-progress: false — concurrent runs queue rather than cancel to prevent lost deploys. |