CI/CD Hardening TASKSETs 1-4 — Business Learnings
Context
The platform had 20 repos but only 1 (family-hub) with proper quality gates. Services handling user data — chat, media, API gateway — had no security scanning, no Docker validation, and no automated deployment pipeline. A bug in the Docker CI meant vulnerability scanning was silently failing.
What changed
Every repo now has automated quality checks that run on every code change:
- 4 deployed services (family-hub, api-gateway, chat-service, media-service) have full pipelines: code quality → security audit → Docker build → vulnerability scan → container registry push
- 3 libraries (sdk-go, sdk-js, proto-contracts) have code quality + security checks appropriate to their language
- 9 scaffolded repos have lightweight checks that will scale up as code is added
- Docker vulnerability scanning now actually works — was silently broken before
Key insight
The silent Trivy failure was the highest-risk finding. The CI was showing green checkmarks while skipping the security scan entirely (continue-on-error: true masked the issue). In a family platform handling personal data, unscanned containers are a liability.
Operational Takeaways
- Reusable workflows pay off at scale: One change to infra-ci propagates to all 20 repos. No per-repo maintenance burden.
- Progressive CI: Scaffold repos get a green badge immediately with relaxed linting. When real code lands, swap one line to enable the full pipeline. No friction for new projects.
- Deployment gating: No container reaches the registry without passing code quality, security audit, and vulnerability scan. Three independent gates, all required.
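To make the silent-Trivy finding and the registry gate concrete, here is an added illustration (not the project's actual ci-docker.yml) of a reusable GitHub Actions workflow: the masked scan step is shown in comments, followed by a version where a CRITICAL/HIGH finding fails the job before the push step can run. The workflow name, input name and the use of GHCR with GITHUB_TOKEN are assumptions.

```yaml
# Hypothetical reusable workflow in the style of infra-ci's ci-docker.yml.
#
# BEFORE (the masked form): the scan step could fail, or be skipped, and the
# job still went green, so the registry push ran on an unscanned image.
#   - name: Scan image with Trivy
#     uses: aquasecurity/trivy-action@master
#     continue-on-error: true        # swallows the scan's non-zero exit
#     with:
#       image-ref: ${{ inputs.image }}
#
# AFTER: no continue-on-error, and Trivy is told to exit non-zero on
# CRITICAL/HIGH findings, so the push step never runs on a failed scan.
name: ci-docker
on:
  workflow_call:
    inputs:
      image:                       # assumed input, e.g. ghcr.io/ORG/chat-service:sha
        required: true
        type: string

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write              # needed to push to GHCR with GITHUB_TOKEN
    steps:
      - uses: actions/checkout@v4

      - name: Build image locally (nothing is pushed yet)
        run: docker build -t "${{ inputs.image }}" .

      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ inputs.image }}
          format: table
          exit-code: "1"           # fail this step on findings
          severity: CRITICAL,HIGH
          ignore-unfixed: true     # only report findings with an available fix

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Steps run only while the job is still succeeding, so a failed scan
      # above means this push never happens.
      - name: Push to GHCR
        run: docker push "${{ inputs.image }}"
```

A quick audit for the same masking in other workflows is to grep the repo's `.github/workflows` for `continue-on-error: true` and confirm each hit is on a step whose failure you genuinely want to ignore.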
Action Items
- Push TASKSET 4 changes to infra-ci first (other repos depend on the fixed/new workflows)
- Push TASKSETs 1-3 to each submodule repo, update parent workspace refs
- Verify Trivy scan runs successfully on family-hub after ci-docker.yml fix
- Next: TASKSET 5 (Coolify CD) wires deployment to VPS after GHCR push
- Next: TASKSET 6 (Vercel CD) for frontend deployment