Infrastructure beta

GitHub Actions is the only deployment forge. Every push and pull request runs the full pipeline; main-branch pushes additionally trigger production deploys to GitHub Pages and three Cloudflare Pages projects.

Pipeline Stages

Defined in .github/workflows/ci.yml. Stages run in order; a failure in any stage blocks all subsequent stages and the merge.

| # | Job | Tools | Fails on |
|---|-----|-------|----------|
| 1 | Audit | Trivy fs scan, Semgrep (typescript), dependency-review | secret/misconfig, high-severity rules, banned deps |
| 2 | Lint | oxfmt, oxlint, svelte-check, stylelint, knip, markdownlint, cspell, eslint | any non-zero exit |
| 3 | Build | vite build with ANALYZE=true (emits target/stats.html + stats.json) | type errors, broken imports |
| 4 | Playwright | matrix: chrome-{desktop,mobile}, firefox-{desktop,mobile} | spec failure or visual regression |
| 5 | Lighthouse | LHCI on chrome-desktop and chrome-mobile | perf / a11y / best-practices / SEO < 0.9 |
| 6 | Coverage | Vitest v8 | < 90% global |
| 7 | Bundle | bundle-report.mjs vs misc/bundle-baseline.json | size regression |

Deploy Targets

| Target | URL | Trigger |
|--------|-----|---------|
| GitHub Pages (app) | arttet.github.io | push to main |
| Cloudflare Pages (app, preview) | <pr>.arttet-app.pages.dev | pull request |
| Cloudflare Pages (app, prod) | arttet.dev | push to main |
| Cloudflare Pages (infra) | infra.arttet.dev | push to main |
| Cloudflare Pages (docs) | docs.arttet.dev | push to main |

The PR sticky comment aggregates the app preview link, the docs preview link, and the infra-report links (Playwright HTML report, Lighthouse report, bundle report).

Cloudflare Provisioning

Cloudflare Pages projects are managed via Wrangler. Project setup commands live in misc/justfiles/deployment.just:

```sh
just deploy list           # list CF Pages projects in the account
just deploy create <name>  # provision a new project
just deploy delete <name>  # remove a project
```

Observability

  • Codecov: every Vitest run uploads coverage; PR comment posts delta.
  • Lighthouse CI: HTML report is bundled into infra.arttet.dev and linked in the PR sticky comment.
  • Bundle baseline: misc/bundle-baseline.json — update via just bb after intentional growth, then commit the new baseline alongside the change that caused it.
  • Bundle report: bundle-report.mjs writes a markdown summary uploaded to infra.arttet.dev.

Secrets

Stored in Settings → Secrets and variables → Actions at the repository level:

| Secret | Purpose |
|--------|---------|
| CLOUDFLARE_API_TOKEN | Wrangler deploy auth (token must have Cloudflare Pages: Edit) |
| CLOUDFLARE_ACCOUNT_ID | CF account scope |
| CODECOV_TOKEN | Coverage upload (required for private repos; optional otherwise) |
| LHCI_GITHUB_APP_TOKEN | Lighthouse PR status check |

Secrets are referenced by name in workflow YAML (${{ secrets.CLOUDFLARE_API_TOKEN }}). Never inline.
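
As an added example (not part of this project's code), a small Node.js check for the "never inline" rule: it scans workflow text for the secret names in the table above being assigned a literal instead of a `${{ secrets.* }}` reference. The function names and the sample workflow are constructed for illustration, and the check is a line-based heuristic rather than a YAML parser.

```javascript
// Added example (not project code): lint workflow text for inlined secrets.
// Secret names are from the table above; the sample workflow is constructed.
const SECRET_NAMES = ["CLOUDFLARE_API_TOKEN", "CLOUDFLARE_ACCOUNT_ID",
  "CODECOV_TOKEN", "LHCI_GITHUB_APP_TOKEN"];

// Acceptable values: empty, a ${{ secrets.X }} / ${{ vars.X }} expression,
// or a shell expansion of an already-injected variable ($X or ${X}).
function isReference(value) {
  const v = value.trim().replace(/^["']|["']$/g, "").trim();
  if (v === "") return true;
  if (/^\$\{\{\s*(secrets|vars)\.\w+\s*\}\}$/.test(v)) return true;
  return /^\$\{?[A-Za-z_]\w*\}?$/.test(v);
}

// Line-based heuristic (not a YAML parser): flags `NAME: literal` in env
// blocks and `NAME=literal` in run scripts. Reports line and name only,
// so the finding itself never repeats the leaked value.
function findInlinedSecrets(text, names = SECRET_NAMES) {
  const assign = new RegExp(`\\b(${names.join("|")})\\s*[:=]\\s*(.*)$`);
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    if (/^\s*#/.test(raw)) return; // whole-line comment
    const line = raw.replace(/\s+#.*$/, ""); // trailing comment
    const m = assign.exec(line);
    if (m && !isReference(m[2])) findings.push({ line: i + 1, name: m[1] });
  });
  return findings;
}

// Constructed sample: lines 6 and 10 inline a value, lines 5 and 7 do not.
const SAMPLE_WORKFLOW = [
  "jobs:",
  "  deploy:",
  "    runs-on: ubuntu-latest",
  "    env:",
  "      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}",
  '      CLOUDFLARE_ACCOUNT_ID: "constructed-inline-account-id"',
  "      LHCI_GITHUB_APP_TOKEN: ${{ secrets.LHCI_GITHUB_APP_TOKEN }}  # ok",
  "    steps:",
  "      - run: |",
  "          export CODECOV_TOKEN=constructed-inline-token",
  "          just test lhci",
].join("\n");

console.log(findInlinedSecrets(SAMPLE_WORKFLOW));
```

A check like this could run over .github/workflows/ci.yml in the Audit stage and fail the job when the returned list is non-empty.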

Local pipeline parity

just ci runs the local equivalent of stages 1-3 (audit + fmt + check + spell + lint + build). For full parity including matrix Playwright and Lighthouse, run them under Docker:

```sh
just baseline ci         # Docker-pinned Playwright snapshot update (Linux/chrome-desktop)
just test lhci           # local Lighthouse run
just test bundle         # bundle baseline check
```