Add and validate CI/CD workflows one bundle at a time
Adds and validates CI/CD workflows one bundle at a time, fixing failures and addressing PR review comments.
/plugin marketplace add moshehbenavraham/apex-spec-system
/plugin install apex-spec@apex-spec-marketplace
Add and validate CI/CD workflows one bundle at a time. Follows the universal 9-step flow shared with /audit and /infra.
Industry standard order (fast feedback to comprehensive):
| Priority | Bundle | Contents |
|---|---|---|
| 1 | Code Quality | Lint + format check + type check |
| 2 | Build & Test | Build + unit tests + coverage reporting |
| 3 | Security | Secrets scanning (gitleaks) + SAST/CodeQL + dependency review |
| 4 | Integration | E2E tests + integration tests + DB migration dry-run |
| 5 | Operations | Failure notifications + Dependabot/Renovate + release tagging |
| Flag | Default | Description |
|---|---|---|
| --dry-run | false | Preview what would happen without changes |
| --skip-install | false | Don't create workflow files |
| --verbose | false | Show full CI output |
| --pr <number> | none | Focus on specific PR (fix CI failures, address reviews) |
Check for .spec_system/CONVENTIONS.md
Detect CI platform from existing files:
- .github/workflows/ = GitHub Actions
- .gitlab-ci.yml = GitLab CI (note: limited support)
Check for open PRs with CI issues:
gh pr list --state open --json number,title,statusCheckRollup,reviewDecision
If --pr <number> is specified, focus on that PR
Check for .spec_system/audit/known-issues.md
If --dry-run: Skip to Dry Run Output
Compare CI/CD table in CONVENTIONS.md against 5-bundle master list:
- Check .github/workflows/ for existing workflow files
If all bundles configured: "All CI/CD workflows configured. Jumping to Step 5"
Pick the highest-priority missing bundle from Step 2.
Output: "Selected: [Bundle Name] - not yet configured"
Generate workflow file(s) for the selected bundle.
Workflow templates by bundle:
| Bundle | Workflow File | Triggers |
|---|---|---|
| Code Quality | .github/workflows/quality.yml | push, pull_request |
| Build & Test | .github/workflows/test.yml | push, pull_request |
| Security | .github/workflows/security.yml | push, pull_request, schedule |
| Integration | .github/workflows/integration.yml | pull_request (to main) |
| Operations | .github/workflows/release.yml + dependabot.yml | push to main, tags |
For monorepos: Use matrix builds or path filters per package.
Language-specific jobs (from CONVENTIONS.md Stack):
| Language | Quality | Build & Test | Security |
|---|---|---|---|
| Python | ruff check, ruff format --check, mypy | pytest --cov | CodeQL, gitleaks, pip-audit |
| TypeScript | biome ci | vitest run --coverage | CodeQL, gitleaks, npm audit |
| Rust | cargo fmt --check, cargo clippy | cargo test | cargo audit |
| Go | gofmt -d, golangci-lint | go test | govulncheck |
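The Security bundle workflow the two tables above describe, written out for the Python + TypeScript stack used in the dry-run example below. This is an added illustration, not a template shipped with apex-spec; the action versions, the weekly cron and the assumption that GITLEAKS_LICENSE is only needed on organisation repositories are mine.

```yaml
name: Security
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly, so new CodeQL queries and advisories still run on a quiet repo
# Least privilege by default; each job widens only what it needs.
permissions:
  contents: read
jobs:
  secrets:
    name: Secrets scanning (gitleaks)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history, so a secret committed and later removed is still found
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # GITLEAKS_LICENSE is assumed to be required only for organisation repos
  codeql:
    name: SAST (CodeQL, ${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed to upload SARIF results to code scanning
    strategy:
      fail-fast: false
      matrix:
        language: [python, javascript-typescript]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3
  dependency-review:
    name: Dependency review
    if: github.event_name == 'pull_request'   # the action diffs PR manifests, so it has nothing to do on push/schedule
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
```

The top-level `permissions: contents: read` is what makes the bundle safe to run on pull_request from forks; only the CodeQL job is granted `security-events: write`.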
Trigger and monitor CI:
- gh run list --limit 5 for up to 3 minutes
- gh run view <id> --log for failures
If --pr specified or open PRs detected:
Check PR CI status:
gh pr checks <number>
Get PR review comments:
gh pr view <number> --json reviews,comments
Identify actionable items:
If still running after 3 minutes:
CI in progress. Rerun /pipeline to check status.
For CI failures:
gh run view --log
For each category:
For PR review comments (when --pr or PRs detected):
Fetch review comments:
gh api repos/{owner}/{repo}/pulls/{number}/comments
For each actionable comment:
For review threads:
Review comment categories:
After 3 failed attempts per issue: Log for manual review, continue.
Filter out workflows in known-issues.md Skipped Workflows section.
Update .spec_system/CONVENTIONS.md CI/CD table:
| Bundle | Status | Workflow |
|--------|--------|----------|
| Code Quality | configured | .github/workflows/quality.yml |
| Build & Test | configured | .github/workflows/test.yml |
| Security | not configured | - |
REPORT
- Added: Code Quality workflow
- File: .github/workflows/quality.yml
- Jobs: lint (ruff), format (ruff), typecheck (mypy)
- Fixed: 23 lint errors, 8 format issues
- Remaining: 0
- CI Status: All workflows passing
Required setup (if any):
- Add CODECOV_TOKEN to repository secrets for coverage upload
For PRs (when --pr or PRs addressed):
REPORT
- PR #42: "Add user authentication"
- CI Status: All checks passing (was: 3 failing)
- Fixed: 2 type errors, 1 test failure
- Reviews addressed: 4 comments resolved
- Remaining reviews: 1 (question - needs manual response)
- Review status: Changes requested -> Ready for re-review
For monorepos:
[apps/web] Quality: passing | Test: 2 failures
[apps/api] Quality: passing | Test: passing
If CI failures remain:
ACTION REQUIRED:
1. Fix test failures in apps/web (see logs above)
2. Review security finding: CVE-2024-1234 in lodash
Rerun /pipeline after addressing these issues.
If PR has unresolved items:
PR #42 STATUS:
- CI: All passing
- Reviews: 1 unresolved (question requires manual response)
Manual action needed:
1. Respond to reviewer question on src/auth.ts:45
After responding, rerun /pipeline --pr 42 or request re-review.
If PR is ready:
PR #42 is ready for merge:
- CI: All checks passing
- Reviews: All comments addressed
- No merge conflicts
Recommendation: Merge PR or request final approval.
If all clean but bundles remain:
More bundles remain; they will be added in further runs. Recommendation: Run /infra
If all 5 bundles configured and passing:
All CI/CD workflows configured and passing.
Recommendation: Run /infra
PIPELINE PREVIEW (DRY RUN)
Repository: monorepo (Turborepo)
Platform: GitHub Actions
Stack: Python 3.12, TypeScript
Configured: Code Quality, Build & Test
Missing: Security, Integration, Operations
Would add: Security
Would create: .github/workflows/security.yml
Would include: gitleaks, CodeQL (python, typescript), dependency review
Open PRs with issues:
- #42 "Add auth" - 2 failing checks, 3 review comments
- #38 "Fix bug" - 1 failing check
Required secrets:
- None for this bundle
Run without --dry-run to apply.
With --pr 42:
PIPELINE PREVIEW (DRY RUN) - PR #42
PR: #42 "Add user authentication"
Branch: feature/auth -> main
CI Status: 2 failing (quality, test)
Reviews: 3 comments (2 actionable, 1 question)
Would fix:
- src/auth.ts:23 - type error (missing null check)
- src/auth.ts:45 - lint error (unused import)
- tests/auth.test.ts - failing assertion
Would address reviews:
- src/auth.ts:30 - "Add error handling" (actionable)
- src/auth.ts:52 - "Rename variable" (actionable)
- src/auth.ts:67 - "Why this approach?" (question - manual response needed)
Run without --dry-run to apply.
When a workflow requires secrets:
Required setup:
1. Add CODECOV_TOKEN to repository secrets
2. Add SLACK_WEBHOOK_URL for failure notifications
Workflows will fail until secrets are configured.
Do NOT attempt to create or manage secrets.