# 11 Workflow Details
Your comprehensive guide to Zopio's automated workflow ecosystem - Deep-dive into all 13 GitHub Actions workflows, their configurations, triggers, and optimizations. From build automation to security scanning, everything you need to understand our streamlined CI/CD pipeline.
- Quick Reference
- Workflow Overview
- Build Workflows
- Security Workflows
- Release & Version Workflows
- PR Management Workflows
- Maintenance Workflows
- Utility Workflows
- Workflow Architecture
- Performance & Optimization
- Troubleshooting
- Next Steps
- Related Documentation
## Quick Reference
Essential workflow commands and status overview
```bash
# View all workflows
gh workflow list
# Check recent runs
gh run list --limit 10
# Trigger workflow manually
gh workflow run <workflow-name> --ref <branch>
# Watch running workflow
gh run watch
# Cancel workflow
gh run cancel <run-id>
# Re-run failed jobs
gh run rerun --failed
```
| Metric | Value | Status |
|---|---|---|
| Average Build Time | ~8-10 min | Optimized |
| Security Scan Coverage | 100% | Complete |
| Automation Level | Full CI/CD | Automated |
| Success Rate | >95% | Reliable |
## Workflow Overview
Complete ecosystem of 13 automated workflows
```mermaid
flowchart TB
    subgraph "Core Workflows (5)"
        BUILD[Build]
        CI[CI Pipeline]
        SEC[Security]
        REL[Release]
        CHANGE[Changelog]
    end
    subgraph "PR Management (3)"
        PRVAL[PR Validation]
        LABEL[Auto Label]
        ASSIGN[PR Assignment]
    end
    subgraph "Maintenance (3)"
        WELCOME[Welcome]
        STALE[Stale Management]
        LOCK[Thread Locking]
    end
    subgraph "Utility (2)"
        DOCS[Documentation]
        SETUP[Setup Node]
    end
    subgraph "Triggers"
        PUSH[Push Events]
        PR[Pull Requests]
        SCHEDULE[Scheduled]
        MANUAL[Manual]
    end
    PUSH --> BUILD & CI & SEC & REL & CHANGE
    PR --> BUILD & CI & SEC & PRVAL & LABEL & ASSIGN & WELCOME & DOCS
    SCHEDULE --> SEC & STALE & LOCK
    MANUAL --> CHANGE & STALE & LOCK
    style BUILD fill:#4ECDC4
    style SEC fill:#FF6B6B
    style REL fill:#95E1D3
    style PUSH fill:#FFD93D
    style PR fill:#6BCF7F
```
This page provides in-depth documentation for all 13 workflows in the Zopio project, optimized for performance and security.
## Build Workflows
Comprehensive build and quality assurance workflows
### Build
Purpose: Comprehensive build, lint, typecheck, and test pipeline for pull requests targeting the main branch.
Key Features:
- Full monorepo build with bundle analysis
- Environment variable generation for testing
- Multi-app configuration (app, web, api)
- Artifact storage for bundle analysis
Environment Setup (test-only placeholder values; the real token comes from repository secrets):
```bash
# Authentication
CLERK_SECRET_KEY=sk_test_JA==
CLERK_WEBHOOK_SECRET=whsec_test
# Email & Database
RESEND_FROM=test@test.com
DATABASE_URL=postgresql://test:test@localhost:5432/test
# Payments & Monitoring
STRIPE_SECRET_KEY=sk_test
BETTERSTACK_API_KEY=test
# Real-time & CMS
LIVEBLOCKS_SECRET=sk_test
BASEHUB_TOKEN=${{ secrets.BASEHUB_TOKEN }}
```
Runtime: ~8-10 minutes
Triggers: PRs to main
Artifacts: Bundle analysis reports
### CI Pipeline
Purpose: Fast CI workflow for develop and staging branches focusing on code quality and test coverage.
Parallel Jobs:
- Lint: Biome code quality checks
- Test: Vitest test suite
- Build: Compilation verification
- Security: CodeQL analysis
Special Features:
- Graceful handling of missing scripts
- Frozen lockfile for reproducibility
- Concurrency control for efficiency
Runtime: ~5-7 minutes
Triggers: Push/PR to develop, staging
Key Feature: Parallel execution for faster feedback
## Security Workflows
Multi-layered security scanning and vulnerability detection
### Security
Purpose: Unified security scanning combining multiple tools and vulnerability detection methods.
The security workflow includes:
- CodeQL for static code analysis
- Trivy for dependency vulnerability scanning
- TruffleHog for secret detection
- Container scanning for Docker images
For complete details on security scanning, vulnerability reporting, and best practices, see the Security Framework.
Runtime: ~12-15 minutes
Triggers: Push/PR + Daily at 2 AM UTC
Coverage: Code analysis, dependencies, secrets, containers
```mermaid
flowchart LR
    subgraph "Security Layers"
        CODEQL[CodeQL<br/>SAST Analysis]
        TRIVY[Trivy<br/>CVE Scanner]
        TRUFFLEHOG[TruffleHog<br/>Secret Scanner]
        CONTAINER[Container<br/>Security]
    end
    subgraph "Results"
        SARIF[SARIF Reports]
        ALERTS[Security Alerts]
        BLOCK[Block on Critical]
    end
    CODEQL & TRIVY & TRUFFLEHOG & CONTAINER --> SARIF
    SARIF --> ALERTS --> BLOCK
    style CODEQL fill:#FF6B6B
    style TRIVY fill:#FFD93D
    style TRUFFLEHOG fill:#4ECDC4
    style CONTAINER fill:#95E1D3
```
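The last step of the diagram (SARIF reports feeding alerts, then a block on critical findings) is the part most often left implicit. The script below is an added example and is not part of Zopio's security workflow: it reads a SARIF document of the kind CodeQL and Trivy upload, classifies each result, and returns a merge verdict. The severity bands follow GitHub code scanning's documented mapping of the `security-severity` rule property (9.0 and above critical, 7.0 and above high, 4.0 and above medium, otherwise low); results whose rule carries no score fall back to the SARIF `level` field. The SARIF document, rule ids, file paths and the `evaluateGate` / `classifyFindings` names are all constructed for this example.

```javascript
// Added example (not Zopio's workflow code): SARIF severity gate.
// The SARIF document below is constructed; rule ids and paths are not real findings.
const SAMPLE_SARIF = {
  version: '2.1.0',
  runs: [{
    tool: { driver: { name: 'example-scanner', rules: [
      { id: 'example/sql-injection', properties: { 'security-severity': '9.8' } },
      { id: 'example/weak-hash', properties: { 'security-severity': '7.5' } },
      { id: 'example/unused-import', properties: {} }, // no score: falls back to level
    ] } },
    results: [
      { ruleId: 'example/sql-injection', level: 'error', message: { text: 'query built from request input' },
        locations: [{ physicalLocation: { artifactLocation: { uri: 'apps/api/src/users.ts' }, region: { startLine: 42 } } }] },
      { ruleId: 'example/weak-hash', level: 'warning', message: { text: 'MD5 used for token' },
        locations: [{ physicalLocation: { artifactLocation: { uri: 'packages/auth/src/token.ts' }, region: { startLine: 17 } } }] },
      { ruleId: 'example/weak-hash', level: 'warning', message: { text: 'MD5 used for etag' },
        locations: [{ physicalLocation: { artifactLocation: { uri: 'apps/web/src/cache.ts' }, region: { startLine: 8 } } }] },
      { ruleId: 'example/unused-import', level: 'note', message: { text: 'unused import' },
        locations: [{ physicalLocation: { artifactLocation: { uri: 'apps/web/src/page.tsx' }, region: { startLine: 1 } } }] },
    ],
  }],
};

const SEVERITIES = ['critical', 'high', 'medium', 'low'];

// GitHub code scanning bands for the "security-severity" score (0-10 scale).
function severityFromScore(score) {
  if (score >= 9.0) return 'critical';
  if (score >= 7.0) return 'high';
  if (score >= 4.0) return 'medium';
  return 'low';
}

// Fallback when the rule has no score: map the SARIF result level.
function severityFromLevel(level) {
  return { error: 'high', warning: 'medium', note: 'low' }[level] || 'low';
}

// Flatten every result of every run into {ruleId, severity, file, line, message}.
function classifyFindings(sarif) {
  const findings = [];
  for (const run of sarif.runs || []) {
    const rules = new Map((run.tool?.driver?.rules || []).map((r) => [r.id, r]));
    for (const result of run.results || []) {
      const score = rules.get(result.ruleId)?.properties?.['security-severity'];
      const severity = score !== undefined ? severityFromScore(Number(score)) : severityFromLevel(result.level);
      const loc = result.locations?.[0]?.physicalLocation;
      findings.push({
        ruleId: result.ruleId,
        severity,
        file: loc?.artifactLocation?.uri || '<unknown>',
        line: loc?.region?.startLine || 0,
        message: result.message?.text || '',
      });
    }
  }
  return findings;
}

function countBySeverity(findings) {
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// policy.blockOn lists the severities that fail the gate; default is critical only,
// matching the "Block on Critical" step above.
function evaluateGate(sarif, policy = { blockOn: ['critical'] }) {
  const findings = classifyFindings(sarif);
  const blocking = findings.filter((f) => policy.blockOn.includes(f.severity));
  return { counts: countBySeverity(findings), blocking, block: blocking.length > 0 };
}

const verdict = evaluateGate(SAMPLE_SARIF);
console.log(JSON.stringify(verdict.counts), verdict.block ? 'BLOCK' : 'PASS');
for (const f of verdict.blocking) console.log(`${f.severity}: ${f.ruleId} at ${f.file}:${f.line}`);
```

In a workflow step the verdict decides the exit code: non-zero when `block` is true, so the merge check fails while the full SARIF is still uploaded for the alerts view. Tightening `blockOn` to include `high` is a one-line policy change rather than a change to the scanners.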
## Release & Version Workflows
Automated semantic versioning and package publishing
### Release
Purpose: Automatically publishes new releases when changes are pushed to main.
Process Flow:
- Skip detection (`ci skip` or `skip ci`)
- Repository preparation with full history
- Dependency installation with caching
- CLI build with tsup
- Auto release with GitHub and NPM
Dependencies:
- `auto` tool for semantic versioning
- NPM_TOKEN for package publishing
- GH_TOKEN for GitHub operations
Runtime: ~3-5 minutes
Triggers: Push to main
Outputs: NPM package, GitHub release, Git tags
### Changelog
Purpose: Automatically generates CHANGELOG.md based on conventional commits.
Configuration:
- Preset: Angular
- Tag format: `v1.2.3`
- Bot identity: `zopio-bot`
- Includes all releases (release-count: 0)
Runtime: ~2-3 minutes
Triggers: Push to main, Manual dispatch
Output: Updated CHANGELOG.md with semantic versioning
```mermaid
flowchart LR
    MERGE[Merge to main] --> ANALYZE[Analyze Commits]
    ANALYZE --> GENERATE[Generate Changelog]
    GENERATE --> VERSION[Bump Version]
    VERSION --> TAG[Create Tag]
    TAG --> RELEASE[GitHub Release]
    TAG --> NPM[NPM Publish]
    style MERGE fill:#FF6B6B,color:#fff
    style TAG fill:#FFD93D
    style NPM fill:#4ECDC4
```
## PR Management Workflows
Intelligent PR automation and validation systems
### PR Validation
Purpose: Comprehensive PR validation with multiple checks.
Validation Steps:
- Branch Naming:
  - Allowed patterns: `feat/*`, `fix/*`, `release/v*.*.*`, etc.
  - Protected branches: `main`, `develop`, `staging`
- PR Title Format:
  - Types: feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert
  - Optional scopes: api, app, auth, build, etc.
  - Subject must not start with uppercase
- Size Limits:
  - Soft limit: 1000 lines
  - Hard limit: 5000 lines
  - File limit: 100 files
- Breaking Changes:
  - Requires documentation if title contains "!"
  - Must include migration instructions
Runtime: ~30 seconds
Triggers: PR events (opened, edited, synchronized)
Consolidates: Branch naming, semantic titles, size checks, breaking changes
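The four rule sets above, written out as an added JavaScript example (the project is a TypeScript monorepo, and this is the shape of a `github-script` step). This is not Zopio's own validation code: the thresholds, types and branch patterns come from this page, while the function names, the layout of the `pr` object, the treatment of protected branches as promotion PRs, and the `BREAKING CHANGE:` / `Migration` markers looked for in the PR body are assumptions.

```javascript
// Added example, not Zopio's workflow code: PR validation rules from this page.

// Allowed head-branch patterns. The page lists feat/*, fix/*, release/v*.*.* "etc.";
// only those three are encoded here.
const BRANCH_PATTERNS = [
  /^feat\/[A-Za-z0-9._-]+$/,
  /^fix\/[A-Za-z0-9._-]+$/,
  /^release\/v\d+\.\d+\.\d+$/,
];
// Assumption: a protected branch as PR head is a promotion PR (e.g. develop -> main)
// and is allowed without matching a pattern.
const PROTECTED_BRANCHES = new Set(['main', 'develop', 'staging']);

const TITLE_TYPES = ['feat', 'fix', 'docs', 'style', 'refactor', 'perf',
  'test', 'build', 'ci', 'chore', 'revert'];
// Conventional-commit title: type(scope)!: subject; scope and "!" are optional.
const TITLE_RE = new RegExp(`^(${TITLE_TYPES.join('|')})(\\([a-z0-9-]+\\))?(!)?: (.+)$`);

const SIZE_LIMITS = { softLines: 1000, hardLines: 5000, files: 100 };

function validateBranchName(branch) {
  if (PROTECTED_BRANCHES.has(branch)) return { ok: true, promotion: true };
  if (BRANCH_PATTERNS.some((re) => re.test(branch))) return { ok: true, promotion: false };
  return { ok: false, error: `branch "${branch}" does not match an allowed pattern` };
}

function validateTitle(title) {
  const m = TITLE_RE.exec(title);
  if (!m) return { ok: false, error: `title "${title}" is not in type(scope): subject form` };
  const [, type, scope, bang, subject] = m;
  if (/^[A-Z]/.test(subject)) return { ok: false, error: 'subject must not start with uppercase' };
  return { ok: true, type, scope: scope ? scope.slice(1, -1) : null, breaking: bang === '!' };
}

// Soft limit produces a warning; hard limit and file limit produce errors.
function checkSizeLimits({ additions, deletions, changedFiles }) {
  const lines = additions + deletions;
  const errors = [];
  const warnings = [];
  if (lines > SIZE_LIMITS.hardLines) errors.push(`${lines} lines changed exceeds hard limit ${SIZE_LIMITS.hardLines}`);
  else if (lines > SIZE_LIMITS.softLines) warnings.push(`${lines} lines changed exceeds soft limit ${SIZE_LIMITS.softLines}`);
  if (changedFiles > SIZE_LIMITS.files) errors.push(`${changedFiles} files changed exceeds limit ${SIZE_LIMITS.files}`);
  return { ok: errors.length === 0, errors, warnings };
}

// A "!" in the title must be backed by documentation and migration instructions in
// the PR body. Assumption: a "BREAKING CHANGE:" note and a "Migration" section.
function checkBreakingChange(titleInfo, body) {
  if (!titleInfo.breaking) return { ok: true, errors: [] };
  const text = body || '';
  const errors = [];
  if (!/BREAKING CHANGE:/i.test(text)) errors.push('breaking change is not documented in the PR body');
  if (!/migration/i.test(text)) errors.push('breaking change has no migration instructions');
  return { ok: errors.length === 0, errors };
}

function validatePullRequest(pr) {
  const errors = [];
  const warnings = [];
  const branch = validateBranchName(pr.headRef);
  if (!branch.ok) errors.push(branch.error);
  const title = validateTitle(pr.title);
  if (!title.ok) errors.push(title.error);
  const size = checkSizeLimits(pr);
  errors.push(...size.errors);
  warnings.push(...size.warnings);
  if (title.ok) errors.push(...checkBreakingChange(title, pr.body).errors);
  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample PR for a stand-alone run: passes with one soft-limit warning.
const SAMPLE_PR = {
  headRef: 'feat/passkey-login',
  title: 'feat(auth)!: add passkey login',
  body: 'BREAKING CHANGE: password-only login is removed.\n\n## Migration\nEnable passkeys in the auth config before upgrading.',
  additions: 1100,
  deletions: 40,
  changedFiles: 12,
};
console.log(JSON.stringify(validatePullRequest(SAMPLE_PR), null, 2));
```

Warnings and errors are kept apart so the soft limit can be surfaced as a PR comment while only the errors fail the check, which matches the distinction the page draws between the 1000-line soft limit and the 5000-line hard limit.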
### Auto Label
Purpose: Automatically applies labels based on multiple criteria.
Label Sources:
- File paths (via `.github/labeler.yml`)
- PR title parsing (conventional commits)
- Priority keywords (critical, urgent)
- Breaking changes (! or "breaking")
- Community status (non-org members)
Debug Features:
- Lists changed files
- Shows detected labels
- Tracks label application
- Retry logic for API calls
Runtime: ~10-15 seconds
Triggers: PR opened/synchronized
Labels Applied: Type, path-based, size, priority, community status
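An added example of the labeling logic and the retry around the label API call, in JavaScript. It is not Zopio's labeler workflow: the path rules imitate the shape of a `.github/labeler.yml` but the globs and label names are constructed (the repository's own labeler.yml is not shown on this page), the mapping of priority keywords to labels is an assumption, and `api.addLabels` is an assumed interface standing in for the GitHub REST call.

```javascript
// Added example, not Zopio's workflow code: label derivation plus retry.

// Constructed path rules in the spirit of labeler.yml; not the repository's real file.
const PATH_RULES = [
  { label: 'area: docs', match: (f) => f.startsWith('docs/') || f.endsWith('.md') },
  { label: 'area: ci', match: (f) => f.startsWith('.github/') },
  { label: 'area: auth', match: (f) => f.startsWith('packages/auth') },
  { label: 'area: database', match: (f) => f.startsWith('packages/database') },
];
const TYPE_RE = /^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(\([^)]*\))?(!)?: /;
// Assumed mapping from the page's priority keywords to priority labels.
const PRIORITY_LABELS = { critical: 'priority: critical', urgent: 'priority: high' };

// Combine the five label sources into a sorted, de-duplicated list.
function deriveLabels({ title, files, authorIsOrgMember }) {
  const labels = new Set();
  for (const file of files) {
    for (const rule of PATH_RULES) if (rule.match(file)) labels.add(rule.label);
  }
  const m = TYPE_RE.exec(title);
  if (m) labels.add(`type: ${m[1]}`);
  const lower = title.toLowerCase();
  for (const [keyword, label] of Object.entries(PRIORITY_LABELS)) {
    if (lower.includes(keyword)) labels.add(label);
  }
  if ((m && m[3] === '!') || lower.includes('breaking')) labels.add('breaking change');
  if (!authorIsOrgMember) labels.add('community');
  return [...labels].sort();
}

// Exponential backoff for transient API failures (5xx, secondary rate limits).
// `sleep` is injectable so a test can run without real delays.
async function withRetry(operation, { attempts = 3, baseDelayMs = 250,
  sleep = (ms) => new Promise((r) => setTimeout(r, ms)) } = {}) {
  let lastError;
  for (let attempt = 1; attempt <= attempts; attempt += 1) {
    try {
      return await operation(attempt);
    } catch (err) {
      lastError = err;
      if (attempt < attempts) await sleep(baseDelayMs * 2 ** (attempt - 1));
    }
  }
  throw lastError;
}

// Only labels not already on the PR are sent, so re-runs are idempotent.
async function applyLabels(api, pr, options) {
  const wanted = deriveLabels(pr);
  const missing = wanted.filter((l) => !pr.existingLabels.includes(l));
  if (missing.length === 0) return { applied: [], attemptsUsed: 0 };
  let attemptsUsed = 0;
  await withRetry(async (attempt) => {
    attemptsUsed = attempt;
    await api.addLabels(pr.number, missing);
  }, options);
  return { applied: missing, attemptsUsed };
}

// Constructed PR and a fake API that fails once, to exercise the retry path.
const SAMPLE_PR = {
  number: 101,
  title: 'fix(auth)!: urgent rotation of session keys',
  files: ['packages/auth/src/session.ts', 'docs/auth.md'],
  authorIsOrgMember: false,
  existingLabels: ['community'],
};
function makeFlakyApi(failuresBeforeSuccess) {
  let failures = failuresBeforeSuccess;
  return { addLabels: async () => { if (failures-- > 0) throw new Error('503 Service Unavailable'); } };
}
applyLabels(makeFlakyApi(1), SAMPLE_PR, { sleep: async () => {} })
  .then((result) => console.log(JSON.stringify(result)));
```

Deriving the full label set first and then sending only the difference keeps the workflow safe to re-run on every `synchronize` event, which is what the "Tracks label application" debug feature above is observing.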
### PR Assignment
Purpose: Automatically assigns PRs to authors and relevant reviewers.
Assignment Rules:
- Author assignment for tracking
- Team assignment based on code ownership:
  - `packages/auth*` → core team
  - `packages/database` → core team
  - `packages/core|crud|data` → core team
  - security files → core team
- Skips draft PRs for reviewer assignment
- Preserves manual assignments
Runtime: ~5-10 seconds
Triggers: PR opened, ready for review
Team Integration: Uses CODEOWNERS for smart reviewer assignment
## Maintenance Workflows
Automated repository housekeeping and community management
### Stale Management
Purpose: Identifies and closes inactive issues/PRs.
Timing Configuration:
Type | Days to Stale | Days to Close | Total |
---|---|---|---|
Issues | 60 | 14 | 74 days |
PRs | 30 | 7 | 37 days |
Exemption Labels:
- `security`
- `pinned`
- `good first issue`
- `help wanted`
- `priority: critical`, `priority: high`
- `status: blocked`, `status: needs discussion`
Runtime: ~1-2 minutes
Schedule: Daily at 1 AM UTC
Exemptions: Security, pinned, help wanted, high priority items
### Thread Locking
Purpose: Prevents necroposting on old, closed items.
Lock Timing:
- Issues: 90 days after closing
- PRs: 60 days after closing
Messages:
- Issues: Encourages opening new issues for related bugs
- PRs: Suggests new PR for further contributions
Runtime: ~30 seconds
Schedule: Daily at 2 AM UTC
Purpose: Prevents necroposting on resolved issues
### Welcome
Purpose: Welcomes first-time contributors with resources.
Welcome Content:
- Personal mention with @username
- Links to contributing guidelines
- Different messages for issues vs PRs
- Resource links and encouragement
Runtime: ~5 seconds
Triggers: First-time issue/PR from new contributors
Personalization: Mentions user by @username
## Utility Workflows
Supporting workflows and reusable components
### Documentation
Purpose: Lightweight validation for documentation-only changes.
Checks:
- Required files: README.md, CHANGELOG.md
- Structure validation
- Section presence (installation, setup)
- Format compliance
Runtime: ~30 seconds
Triggers: PRs with only documentation changes
Purpose: Lightweight validation for docs-only updates
### Setup Node
Purpose: Centralized Node.js and pnpm setup.
Parameters:
- `node-version`: Default '20'
- `pnpm-version`: Default '10.11.0'
- `install-deps`: Default true
- `frozen-lockfile`: Default true
Usage Example:
```yaml
jobs:
  example:
    uses: ./.github/workflows/setup-node.yml
    with:
      node-version: '20'
      pnpm-version: '10.11.0'
```
Usage: Called by other workflows for consistent Node.js setup
Parameters: Configurable Node/pnpm versions, dependency installation
Benefits: Standardized environment, reduced duplication
## Workflow Architecture
System design and workflow interactions
```mermaid
flowchart TB
    subgraph "Event Sources"
        DEV[Developer Push]
        PR_EVENT[Pull Request]
        CRON[Scheduled Jobs]
        MANUAL[Manual Trigger]
    end
    subgraph "Core Pipeline"
        VALIDATION[PR Validation<br/>Branch naming<br/>Semantic titles<br/>Size limits]
        BUILD[Build Pipeline<br/>Full monorepo<br/>Bundle analysis<br/>Environment setup]
        CI[CI Pipeline<br/>Parallel jobs<br/>Quality checks<br/>Fast feedback]
        SECURITY[Security Scan<br/>CodeQL SAST<br/>Dependency scan<br/>Secret detection]
    end
    subgraph "Automation Layer"
        LABEL[Auto Labeling<br/>Path-based<br/>Type detection<br/>Priority marking]
        ASSIGN[PR Assignment<br/>Author assign<br/>CODEOWNERS<br/>Team routing]
        WELCOME[Welcome Bot<br/>First-timer greeting<br/>Resource links<br/>Personalized]
    end
    subgraph "Release Pipeline"
        CHANGELOG[Changelog<br/>Conventional commits<br/>Version bumping<br/>Release notes]
        RELEASE[Release<br/>NPM publish<br/>GitHub release<br/>Git tagging]
    end
    subgraph "Maintenance"
        STALE[Stale Management<br/>Issue cleanup<br/>PR cleanup<br/>Auto-close]
        LOCK[Thread Locking<br/>Prevent necropost<br/>90d/60d delays<br/>Explanatory msgs]
    end
    %% Event routing
    PR_EVENT --> VALIDATION & BUILD & CI & SECURITY & LABEL & ASSIGN & WELCOME
    DEV -->|to protected branches| CI & SECURITY & CHANGELOG & RELEASE
    CRON --> SECURITY & STALE & LOCK
    MANUAL --> CHANGELOG & STALE & LOCK
    %% Pipeline flow
    VALIDATION -->|pass| BUILD
    BUILD -->|pass| CI
    CI -->|pass| SECURITY
    SECURITY -->|pass| MERGE{Can Merge?}
    MERGE -->|yes| CHANGELOG & RELEASE
    style VALIDATION fill:#FFD93D
    style BUILD fill:#4ECDC4
    style SECURITY fill:#FF6B6B
    style RELEASE fill:#95E1D3
    style MERGE fill:#6BCF7F
```
Interaction patterns: Required Sequences | Parallel Executions | Reusable Components
- Concurrency Control: All workflows use concurrency groups to cancel outdated runs
- Path Ignoring: Most workflows skip documentation-only changes
- Permission Scoping: Minimal permissions requested for security
- Error Handling: Graceful failures with informative messages
- Caching Strategy: Strategic caching for dependencies and build artifacts
## Performance & Optimization
How we achieved 40-50% faster workflows
- Concurrency Controls
  ```yaml
  concurrency:
    group: ${{ github.workflow }}-${{ github.ref }}
    cancel-in-progress: true
  ```
  - Automatically cancels outdated runs
  - Prevents duplicate executions
  - Saves GitHub Actions minutes
- Smart Path Filtering
  ```yaml
  paths-ignore:
    - '**/*.md'
    - 'docs/**'
    - 'LICENSE'
  ```
  - Skips workflows for non-code changes
  - Reduces unnecessary runs by ~30%
- Parallel Job Execution
  - Lint, test, build, and security scans run simultaneously
  - Matrix strategies for multi-environment testing
  - Independent job failures don't block others
- Intelligent Caching
  - pnpm dependencies cached with smart invalidation
  - Build artifacts cached between runs
  - Docker layer caching for container builds
  - ~70% cache hit rate achieved
Workflow | Original Time | Optimized Time | Improvement |
---|---|---|---|
Build (main) | ~15 min | ~8-10 min | 40% faster |
CI (dev/staging) | ~10 min | ~5-7 min | 45% faster |
Security Suite | ~20 min | ~12-15 min | 35% faster |
PR Validation | ~30 sec | ~10 sec | 67% faster |
Release Process | ~8 min | ~3-5 min | 50% faster |
## Troubleshooting
Common issues and solutions for workflow failures
| Issue | Symptoms | Solution | Prevention |
|---|---|---|---|
| Workflow Not Triggering | No runs appear in Actions | Check branch filters; verify path filters; validate YAML syntax | Use actionlint for validation |
| Permission Denied | Resource not accessible | Check GITHUB_TOKEN perms; use `pull_request_target`; verify repo settings | Test with minimal permissions |
| Build Out of Memory | heap out of memory | `NODE_OPTIONS=--max-old-space-size=8192` | Monitor bundle size growth |
| Flaky Tests | Random test failures | Add retry logic with backoff | Fix race conditions |
| Cache Miss | Slow dependency installs | Check cache key stability | Use semantic cache keys |

Note on `pull_request_target`: it runs in the context of the base repository with a write-capable GITHUB_TOKEN and access to repository secrets, so a job that uses it must not check out or execute code from the PR head. Keep it to metadata operations such as labeling and assignment, and leave building and testing of the PR's code to the ordinary `pull_request` trigger.
```bash
# Check workflow syntax
actionlint .github/workflows/*.yml
# View recent workflow runs
gh run list --workflow=build.yml --limit 10
# Get detailed logs for specific run
gh run view <run-id> --log
# Download artifacts for analysis
gh run download <run-id> --name bundle-analysis
# Re-run failed jobs only
gh run rerun <run-id> --failed
# Check workflow file content
gh workflow view build.yml
# Monitor live workflow run
gh run watch
```
Add this step to any workflow for debugging:
```yaml
- name: Debug Workflow Context
  run: |
    echo "Event: ${{ github.event_name }}"
    echo "Action: ${{ github.event.action }}"
    echo "Ref: ${{ github.ref }}"
    echo "SHA: ${{ github.sha }}"
    echo "Actor: ${{ github.actor }}"
    echo "Workflow: ${{ github.workflow }}"
    echo "Job: ${{ github.job }}"
```
Critical Production Issues:
- Create hotfix branch from `main`
- Use `[skip ci]` in commit message if needed
- Merge with emergency review process
- Monitor deployment and rollback if needed
Workflow System Outage:
- Check GitHub Status
- Use manual deployment if critical
- Queue fixes for when system recovers
- Communicate status to team
## Next Steps
Continue your workflow journey
Learn More | Customize & Extend
- First Contribution: Start with Quick Start Guide
- Understand Branches: Read Branch Overview
- Security Setup: Review Branch Protection Rules
- Advanced Topics: Explore Automated Dependencies
- GitHub Actions Documentation
- Workflow Syntax Reference
- Actions Marketplace
- GitHub CLI Manual
- Security Best Practices
## Related Documentation
Complete reference library
Getting Started | Workflow Guides | Automation & Security
- Workflow Triggers: See Triggers Matrix for complete trigger reference
- Security Details: Deep-dive into Security Framework
- Visual Flows: Check Workflow Diagram for flowcharts
- Performance: Review Pipeline Overview for optimization tips
- Branch Strategy: Understand Branch Types for context
This page serves as the comprehensive reference for all workflow implementations. For:
- Visual representations → Workflow Diagram
- Trigger details → Triggers Matrix
- Security specifics → Security Framework
- Quick overviews → Pipeline Overview
Questions about workflows? Check Troubleshooting | Need implementation details? See the actual workflow files in .github/workflows/
Performance issues? Review Performance & Optimization | Security concerns? Visit Security Framework