From 659896f09652b92c60c027aa1025be2b9cb35db4 Mon Sep 17 00:00:00 2001 From: ilia Date: Wed, 24 Dec 2025 21:54:25 -0500 Subject: [PATCH] Add pipeline setup guide for branch protection --- PIPELINE_SETUP_GUIDE.md | 378 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 378 insertions(+) create mode 100644 PIPELINE_SETUP_GUIDE.md diff --git a/PIPELINE_SETUP_GUIDE.md b/PIPELINE_SETUP_GUIDE.md new file mode 100644 index 0000000..a01b24c --- /dev/null +++ b/PIPELINE_SETUP_GUIDE.md @@ -0,0 +1,378 @@ +# ๐Ÿ”ง Pipeline Setup Guide for Branch Protection + +## โ“ Do You Need a Pipeline? + +**YES!** If you want to use "Require status checks" in branch protection, you need a CI pipeline. + +**Good news:** You already have one! โœ… + +--- + +## โœ… What You Already Have + +### CI Pipeline: `.github/workflows/ci.yml` + +**Status:** โœ… Exists and working +**Runs on:** Push to `main`, `qa`, `dev` (just updated!) +**What it does:** +- Runs linters (ruff, black, mypy) +- Runs 93 tests +- Checks code quality +- Uses PostgreSQL for integration tests + +--- + +## ๐Ÿš€ Setup Order (IMPORTANT!) + +### โš ๏ธ **DO THIS IN ORDER:** + +### Step 1: Merge CI Updates to Main (FIRST!) + +**Why:** Branch protection needs the CI pipeline to exist in the branch you're protecting. + +**How:** +1. Go to: https://git.levkin.ca/ilia/POTE/compare/main...dev +2. Click "New Pull Request" +3. Title: "Update CI for multi-branch support" +4. **Merge this PR** (you can merge without protection for now) + +**What this does:** +- Updates CI to run on `main`, `qa`, and `dev` +- Makes CI available for branch protection + +--- + +### Step 2: Verify CI is Working + +After merging the PR, check: +1. Go to: https://git.levkin.ca/ilia/POTE/actions +2. You should see the CI workflow running +3. Wait for it to complete (green checkmark โœ…) + +**If CI fails:** +- Don't set up branch protection yet +- Fix the CI issues first +- Ensure tests pass + +--- + +### Step 3: Configure Branch Protection (AFTER CI WORKS) + +**Only after CI is passing**, go to: +https://git.levkin.ca/ilia/POTE/settings/branches + +#### For `main` Branch (Already Protected) + +**Verify these settings:** +- Branch pattern: `main` +- โœ… Enable push protection +- โœ… Require pull request +- โœ… Require 1-2 approvals +- โœ… **Require status checks to pass before merging** + - Select: `CI / lint-and-test` (this appears after CI runs once) +- โœ… Block force push +- โœ… Block deletion + +#### For `qa` Branch + +Click "Add New Rule": +- Branch pattern: `qa` +- โœ… Enable push protection +- โœ… Require pull request +- โœ… Require 1 approval +- โœ… **Require status checks to pass before merging** + - Select: `CI / lint-and-test` +- โœ… Block force push +- โœ… Block deletion + +#### For `dev` Branch + +Click "Add New Rule": +- Branch pattern: `dev` +- โœ… **Require status checks to pass before merging** + - Select: `CI / lint-and-test` +- โš ๏ธ **Allow direct push** (no PR required for dev) +- โš ๏ธ Allow force push (optional, for rebasing) + +--- + +## ๐Ÿ” What "Require Status Checks" Means + +When you enable "Require status checks": + +**Before merge:** +``` +PR created: dev โ†’ qa + โ†“ +CI pipeline runs automatically + โ†“ +Tests must pass โœ… + โ†“ +Only then can you merge +``` + +**If CI fails:** +``` +PR created: dev โ†’ qa + โ†“ +CI pipeline runs + โ†“ +Tests fail โŒ + โ†“ +Merge button is DISABLED + โ†“ +Must fix code and push again +``` + +--- + +## ๐Ÿ“‹ Status Checks Available + +After your CI runs once, you'll see these options in branch protection: + +**Available checks:** +- `CI / lint-and-test` - Main CI pipeline (93 tests) +- `CI / security-scan` - Security scanning +- `CI / dependency-scan` - Dependency vulnerabilities +- `CI / docker-build-test` - Docker build verification + +**Recommended:** +- **For `main`:** Require ALL checks โœ… +- **For `qa`:** Require `lint-and-test` + `security-scan` โœ… +- **For `dev`:** Require `lint-and-test` only โœ… + +--- + +## ๐ŸŽฏ Step-by-Step Setup (Complete) + +### 1. Merge CI Updates (5 minutes) + +``` +1. Go to: https://git.levkin.ca/ilia/POTE/compare/main...dev +2. Create PR: "Update CI for multi-branch support" +3. Merge (you can approve your own PR for now) +4. Wait for CI to run on main branch +``` + +### 2. Check CI Status (2 minutes) + +``` +1. Go to: https://git.levkin.ca/ilia/POTE/actions +2. Click on the latest workflow run +3. Verify all jobs pass โœ… +``` + +### 3. Configure Branch Protection (10 minutes) + +``` +1. Go to: https://git.levkin.ca/ilia/POTE/settings/branches + +2. For main (update existing rule): + - โœ… Require status checks + - Select: CI / lint-and-test + +3. Add rule for qa: + - Branch: qa + - โœ… Require PR + - โœ… Require status checks + - Select: CI / lint-and-test + +4. Add rule for dev: + - Branch: dev + - โœ… Require status checks + - Select: CI / lint-and-test + - โš ๏ธ Allow direct push +``` + +--- + +## โš ๏ธ Common Issues + +### Issue 1: "No status checks found" + +**Cause:** CI hasn't run on that branch yet + +**Fix:** +```bash +# Push something to trigger CI +git checkout dev +git commit --allow-empty -m "Trigger CI" +git push origin dev + +# Wait for CI to run, then configure protection +``` + +### Issue 2: "Status check never completes" + +**Cause:** CI is failing or stuck + +**Fix:** +1. Go to Actions tab +2. Check the failing job +3. Fix the issue +4. Push again + +### Issue 3: "Can't select status checks in dropdown" + +**Cause:** CI workflow name doesn't match + +**Fix:** +- Workflow must be named exactly: `CI` +- Job must be named: `lint-and-test` +- Already correct in your `.github/workflows/ci.yml` โœ… + +--- + +## ๐Ÿงช Test Your Setup + +### After configuring protection: + +**Test 1: Try to push directly to main** +```bash +git checkout main +git commit --allow-empty -m "Test" +git push origin main +# Should fail: "Not allowed to push to protected branch" +``` + +**Test 2: Create PR with failing tests** +```bash +git checkout dev +# Break a test intentionally +git commit -m "Break test" +git push origin dev +# Create PR to qa +# Merge button should be disabled until CI passes +``` + +**Test 3: Create PR with passing tests** +```bash +git checkout dev +# Fix the test +git commit -m "Fix test" +git push origin dev +# Create PR to qa +# Merge button should be enabled after CI passes โœ… +``` + +--- + +## ๐Ÿ“Š What Happens After Setup + +### Workflow with Protection: + +``` +Developer pushes to dev + โ†“ +CI runs automatically + โ†“ +โœ… Tests pass + โ†“ +Developer creates PR: dev โ†’ qa + โ†“ +CI runs on PR + โ†“ +โœ… Tests pass + โ†“ +Reviewer approves + โ†“ +โœ… Merge button enabled + โ†“ +Merge to qa + โ†“ +CI runs on qa branch + โ†“ +โœ… Tests pass + โ†“ +Auto-deploy to QA server (if configured) +``` + +**If tests fail at any point:** +``` +CI runs + โ†“ +โŒ Tests fail + โ†“ +Merge button DISABLED + โ†“ +Developer fixes code + โ†“ +Pushes again + โ†“ +CI runs again + โ†“ +Loop until tests pass โœ… +``` + +--- + +## โœ… Checklist + +Before configuring branch protection: +- [ ] CI workflow exists (`.github/workflows/ci.yml`) โœ… +- [ ] CI runs on all branches (`main`, `qa`, `dev`) โœ… +- [ ] CI has run at least once on each branch +- [ ] All tests are passing โœ… +- [ ] You can see workflow runs in Actions tab + +After configuring: +- [ ] `main` branch requires status checks +- [ ] `qa` branch requires status checks +- [ ] `dev` branch requires status checks +- [ ] Tested: Can't push directly to `main` +- [ ] Tested: PR merge blocked when CI fails +- [ ] Tested: PR merge allowed when CI passes + +--- + +## ๐ŸŽฏ Quick Start (TL;DR) + +```bash +# 1. Merge CI updates +# Go to: https://git.levkin.ca/ilia/POTE/compare/main...dev +# Create and merge PR + +# 2. Wait for CI to run +# Check: https://git.levkin.ca/ilia/POTE/actions + +# 3. Configure branch protection +# Go to: https://git.levkin.ca/ilia/POTE/settings/branches +# Add rules for main, qa, dev +# Enable "Require status checks" +# Select "CI / lint-and-test" + +# Done! โœ… +``` + +--- + +## ๐Ÿ“š Related Documentation + +- **CI Workflow:** `.github/workflows/ci.yml` +- **Branch Strategy:** `docs/14_branch_strategy_and_deployment.md` +- **Setup Checklist:** `BRANCH_SETUP_COMPLETE.md` +- **Gitea Secrets:** `GITEA_SECRETS_GUIDE.md` + +--- + +## ๐Ÿš€ Summary + +**Do you need a pipeline?** +- โœ… YES, to use "Require status checks" +- โœ… You already have one! +- โœ… Just need to merge it to main first + +**Setup order:** +1. Merge CI updates to main (via PR) +2. Verify CI runs and passes +3. Configure branch protection +4. Test the protection + +**After setup:** +- All branches protected by CI +- Can't merge failing code +- Professional development workflow +- Ready for Ansible integration + +**You're almost there! Just merge the PR and configure protection.** ๐ŸŽ‰ +