Git workflow with branch strategy and CI/CD pipeline design
Prompt
Design a complete Git workflow and CI/CD pipeline for a [team_size]-person team working on a [project_type] project. Include:
1. Branch naming strategy and protection rules
2. PR review process with approval requirements
3. CI pipeline stages (lint, test, build, deploy)
4. CD strategy for [deployment_target]
5. Hotfix process for production emergencies
6. Release tagging and changelog automation
7. Environment promotion flow (dev → staging → production)
Provide the GitHub Actions workflow YAML for the CI pipeline and a visual diagram of the Git branching model.
Example output
# Git Workflow & CI/CD Pipeline Design
## Team: 8 developers, SaaS web application
---
## Branch Strategy: Trunk-Based Development with Short-Lived Feature Branches
```
main (production)
│
├── feature/PROJ-123-user-auth (developer branch, lives 1-3 days)
├── feature/PROJ-456-payment-flow (developer branch, lives 1-3 days)
├── fix/PROJ-789-login-crash (bug fix branch)
└── hotfix/critical-data-loss (emergency fix, deployed immediately)
Environments:
main → auto-deploy to staging → manual promote to production
feature/* → deploy to preview environment (per-PR)
```
### Branch Naming Convention
- `feature/PROJ-{ticket}-{short-description}`
- `fix/PROJ-{ticket}-{short-description}`
- `hotfix/{short-description}` (no ticket required — speed matters)
- `chore/{description}` (dependencies, CI config, docs)
### Branch Protection Rules (main)
- Require 1 approval from code owners
- Require status checks to pass (lint, test, build)
- Require branch to be up-to-date before merging
- No direct pushes (not even admins)
- Auto-delete head branches after merge
- Require signed commits (GPG)
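
Protection rules like these drift when someone relaxes a setting during an incident and never restores it. The following added example (not part of the original output) audits a branch-protection record against the list above. Field names follow GitHub's REST "get branch protection" response; the required check names are assumed to be the job names from the CI workflow on this page, and both sample records are constructed.

```python
# Added example: audit a branch-protection record against the rules listed above.
# Field names follow GitHub's REST "get branch protection" response.
# Assumption: required check names are the job names in the page's CI workflow.
REQUIRED_CHECKS = {"Lint & Type Check", "Client Tests", "Server Tests", "Build"}


def audit_protection(p):
    """Return a list of findings; an empty list means the record matches the policy."""
    findings = []
    reviews = p.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("fewer than 1 approving review required")
    if not reviews.get("require_code_owner_reviews", False):
        findings.append("code owner review not required")
    checks = p.get("required_status_checks") or {}
    missing = REQUIRED_CHECKS - set(checks.get("contexts", []))
    if missing:
        findings.append("status checks not required: " + ", ".join(sorted(missing)))
    if not checks.get("strict", False):
        findings.append("branch need not be up to date before merging")
    if not (p.get("enforce_admins") or {}).get("enabled", False):
        findings.append("admins can bypass the rules")
    if not (p.get("required_signatures") or {}).get("enabled", False):
        findings.append("signed commits not required")
    if (p.get("allow_force_pushes") or {}).get("enabled", False):
        findings.append("force pushes allowed")
    return findings


# Constructed sample: satisfies every rule in the list.
COMPLIANT = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "require_code_owner_reviews": True},
    "required_status_checks": {"strict": True, "contexts": sorted(REQUIRED_CHECKS)},
    "enforce_admins": {"enabled": True},
    "required_signatures": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
}
# Constructed sample: several settings relaxed, signature requirement absent.
DRIFTED = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "require_code_owner_reviews": False},
    "required_status_checks": {"strict": False, "contexts": ["Build", "Lint & Type Check"]},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": False},
}

if __name__ == "__main__":
    for name, record in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, audit_protection(record) or "OK")
```

Auto-deletion of head branches is a repository setting rather than part of the branch-protection record, so it is not checked here.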
---
## PR Review Process
### PR Template
```markdown
## Summary
< 1-3 bullet points >
## Changes
- [ ] New feature / Enhancement / Bug fix / Chore
- [ ] Tests added/updated
- [ ] Documentation updated (if applicable)
## Test plan
< How to verify this works >
## Screenshots
< If UI changes >
```
### Review Flow
1. Developer opens PR against `main`
2. CI runs automatically (lint → test → build → preview deploy)
3. PR gets auto-assigned to 1 reviewer (via CODEOWNERS)
4. Reviewer approves OR requests changes
5. After approval + green CI → developer merges (squash merge)
6. Auto-deploy to staging environment
7. QA verifies on staging (for significant features)
8. Release manager promotes staging → production (manual trigger)
### CODEOWNERS
```
# .github/CODEOWNERS
* @team/backend-reviewers
/client/** @team/frontend-reviewers
/server/prisma/** @team/backend-reviewers @team/db-admin
/.github/** @team/devops
```
---
## CI Pipeline (GitHub Actions)
```yaml
# .github/workflows/ci.yml
name: CI Pipeline
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true
env:
  NODE_VERSION: '20'
  PNPM_VERSION: '9'
jobs:
  # ── Stage 1: Lint (parallel) ─────────────────────────────
  lint:
    name: Lint & Type Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: ${{ env.PNPM_VERSION }}
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'pnpm'
      - run: pnpm install --frozen-lockfile
      - run: pnpm --filter client lint
      - run: pnpm --filter server lint
      - run: pnpm --filter client exec tsc --noEmit
      - run: pnpm --filter server exec tsc --noEmit
  # ── Stage 2: Test (parallel with lint) ───────────────────
  test-client:
    name: Client Tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: ${{ env.PNPM_VERSION }}
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'pnpm'
      - run: pnpm install --frozen-lockfile
      - run: pnpm --filter client test -- --coverage
      - uses: actions/upload-artifact@v4
        with:
          name: client-coverage
          path: client/coverage/
  test-server:
    name: Server Tests
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16-alpine
        env:
          POSTGRES_USER: test
          POSTGRES_PASSWORD: test
          POSTGRES_DB: testdb
        ports: ['5432:5432']
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      redis:
        image: redis:7-alpine
        ports: ['6379:6379']
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: ${{ env.PNPM_VERSION }}
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'pnpm'
      - run: pnpm install --frozen-lockfile
      - run: pnpm --filter server exec prisma migrate deploy
        env:
          DATABASE_URL: postgresql://test:test@localhost:5432/testdb
      - run: pnpm --filter server test -- --coverage
        env:
          DATABASE_URL: postgresql://test:test@localhost:5432/testdb
          REDIS_URL: redis://localhost:6379
          JWT_SECRET: test-secret-key
  # ── Stage 3: Build (depends on lint + test) ──────────────
  build:
    name: Build
    needs: [lint, test-client, test-server]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: ${{ env.PNPM_VERSION }}
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'pnpm'
      - run: pnpm install --frozen-lockfile
      - run: pnpm --filter client build
      - run: pnpm --filter server build
  # ── Stage 4: Deploy to staging (main branch only) ────────
  deploy-staging:
    name: Deploy to Staging
    needs: [build]
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    runs-on: ubuntu-latest
    environment:
      name: staging
      url: https://staging.example.com
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to staging
        run: |
          echo "Deploying to staging..."
          # Your deployment command here (e.g., Vercel, Render, K8s)
```
---
## Hotfix Process
```
1. Create branch: hotfix/critical-fix (from main)
2. Fix the issue (minimal change only)
3. Open PR with [HOTFIX] prefix
4. Fast-track review: 1 approval required (any team lead)
5. CI must pass (lint + test — no skipping)
6. Merge to main → auto-deploy staging → verify → promote to production
7. Total target time: < 30 minutes from detection to production
```
---
## Release Process
### Automated with semantic versioning:
```yaml
# .github/workflows/release.yml (triggered manually)
name: Release
on:
  workflow_dispatch:
    inputs:
      bump:
        description: 'Version bump type'
        required: true
        type: choice
        options: [patch, minor, major]
permissions:
  contents: write  # needed to push the tag and create the release
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Generate changelog
        run: |
          # Generate changelog from conventional commits since last tag
          npx conventional-changelog-cli -p angular -i CHANGELOG.md -s
      - name: Bump version and tag
        id: version  # referenced below as steps.version.outputs.version
        env:
          BUMP: ${{ inputs.bump }}  # pass the input through env instead of inlining it in the script
        run: |
          npm version "$BUMP" --no-git-tag-version
          VERSION=$(node -p "require('./package.json').version")
          # Expose the version as a step output for the release step
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          git tag "v$VERSION"
          git push origin "v$VERSION"
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: v${{ steps.version.outputs.version }}
          body_path: CHANGELOG.md
          generate_release_notes: true
```
---
## Environment Promotion Flow
```
PR opened → Preview environment (per-PR, auto-destroyed on merge)
│
▼
Merge to main → Staging (automatic, verified by QA)
│
▼
Manual approval → Production (requires release manager + QA sign-off)
```
| Environment | Deploy Trigger | Who Can Deploy | Rollback Method |
|-------------|---------------|----------------|-----------------|
| Preview | PR opened/updated | Automatic | Destroy on PR close |
| Staging | Push to main | Automatic | Re-deploy previous commit |
| Production | Manual trigger | Release manager | Re-deploy previous tag |