Merge feature/ci-cd-optimization improvements

[arkid15r]

Checklist

• Required: I followed the contributing workflow
• Required: I verified that my code works as intended and resolves the issue as described
• Required: I ran make check-test locally: all warnings addressed, tests passed
• I used AI for code, documentation, tests, or communication related to this PR

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

Summary by CodeRabbit

• New Features

  • Added staging and production CI/CD pipelines for automated deployments
  • Added Mobile Chrome device testing to end-to-end tests
  • Introduced build cache optimization for Docker images

• Bug Fixes

  • Fixed environment detection in frontend configuration
  • Standardized navigation timeouts in end-to-end tests

• Chores

  • Modularized GitHub Actions workflows for improved maintainability
  • Enhanced infrastructure-as-code organization with dedicated cache modules
  • Updated custom spell-check dictionary

Walkthrough

This PR refactors the monolithic GitHub Actions CI/CD pipeline into a scalable, reusable workflow architecture by converting run-ci-cd.yaml into a callable orchestrator, creating delegated workflows for testing and deployment, introducing composite actions for dependency management and infrastructure, and updating infrastructure as code with a new Terraform ECR cache module. Additionally, E2E tests are modernized with custom Playwright device helpers and timeout cleanup.

Changes

CI/CD Workflow Refactoring & Infrastructure Modernization

Layer / File(s)	Summary
CI/CD Reusable Orchestrator & Event-Triggered Entry Points .github/workflows/run-ci-cd.yaml, .github/workflows/ci.yaml, .github/workflows/ci-cd-staging.yaml, .github/workflows/ci-cd-production.yaml	The monolithic run-ci-cd.yaml is converted from event-triggered to a workflow_call reusable interface exposing inputs/secrets for configuration-driven execution. Three event-triggered workflows (CI for PR/merge/push, staging for schedule/dispatch, production for releases) invoke the orchestrator with environment-specific settings, enabling a single orchestrator to serve multiple deployment scenarios.
Test & Quality Assurance Workflows .github/workflows/run-code-checks.yaml, .github/workflows/run-code-tests.yaml, .github/workflows/run-backend-tests.yaml, .github/workflows/run-frontend-tests.yaml, .github/workflows/run-fuzz-tests.yaml, .github/workflows/run-infrastructure-tests.yaml	New reusable workflows abstract CI quality and test execution: dependency audit, frontend linting, pre-commit checks, security scanning (Semgrep/Trivy), and spelling checks run in run-code-checks; backend unit tests, frontend a11y/unit tests, end-to-end Playwright tests, fuzz tests, and infrastructure tests run via delegated workflows called from the orchestrator, each handling its own setup/caching/artifact upload.
Composite Actions for Dependencies & Infrastructure .github/actions/install-poetry/action.yaml, .github/actions/install-backend-dependencies/action.yaml, .github/actions/install-frontend-dependencies/action.yaml, .github/actions/apply-infrastructure-changes/action.yaml, .github/actions/setup-backend-environment/action.yaml, .github/actions/run-trivy-scan/action.yaml	Reusable composite actions encapsulate dependency installation (Poetry with pip cache, backend/frontend with lock-file caching), Terraform execution (plugin cache, init/validate/plan/apply with summary output), Trivy scanning with cache, and backend test environment setup (S3 dump fetch, Postgres readiness, Django migrations, gunicorn startup, health polling).
Image Build, Scan & Deployment Workflows .github/workflows/run-release-version-resolution.yaml, .github/workflows/run-image-build.yaml, .github/workflows/run-image-scan.yaml, .github/workflows/run-infrastructure-bootstrap.yaml, .github/workflows/run-deploy.yaml, .github/workflows/run-lighthouse-ci.yaml, .github/workflows/run-zap-baseline-scan.yaml, .github/workflows/run-coverage-upload.yaml	Release version resolution, Docker multi-stage build with caching and OWASP UID/GID args, Trivy image scanning and SBOM generation, infrastructure bootstrap with Terraform remote state setup, ECS deployment with migrate/index-data tasks and service stability verification, and post-deploy Lighthouse CI/ZAP baseline scans form the delivery pipeline. Coverage upload to Codecov bridges test and build execution.
Terraform ECR Cache Module & Live Configuration infrastructure/modules/ecr-cache/main.tf, infrastructure/modules/ecr-cache/variables.tf, infrastructure/modules/ecr-cache/outputs.tf, infrastructure/modules/ecr-cache/tests/ecr-cache.tftest.hcl, infrastructure/modules/ecr-cache/README.md, infrastructure/modules/ecr-cache/.terraform.lock.hcl, infrastructure/live/main.tf, infrastructure/live/README.md, .trivyignore.yaml	New Terraform module provisions AWS ECR repositories for build cache with lifecycle policies retaining only the last 3 images. Backend and frontend cache instances are instantiated in the live environment with shared tags. Module includes documentation, test assertions, lockfile, and Trivy misconfiguration ignores for ECR-specific rules.
E2E Test Modernization & Application Configuration e2e/helpers/devices.ts, e2e/playwright.config.ts, e2e/pages/*.spec.ts, e2e/components/*.spec.ts, frontend/next.config.ts, .github/workflows/code-ql.yaml, .github/workflows/dependency-review.yaml, backend/entrypoint.fuzz.sh, cspell/custom-dict.txt, README.md	Playwright configuration adds a custom iphone13Chromium device helper, swapping iPhone Safari for Chrome mobile emulation. Explicit 25-second navigation timeouts are removed from 15+ E2E page tests, relying on Playwright defaults instead. Next.js config conditionally enables source maps only for staging/production and async rewrites with trailing slashes for E2E backend routing. CodeQL/dependency-review workflows are updated with concurrency/permissions; fuzz entry point path quoting improved; cspell dictionary updated; README badges updated; PR labeler points to new config path.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• OWASP/Nest#4807: Lighthouse CI workflow extraction and integration overlaps with main PR's new run-lighthouse-ci.yaml and wiring into orchestrator.
• OWASP/Nest#4679: Infrastructure testing refactor shares the same run-infrastructure-tests.yaml extraction into reusable workflow.
• OWASP/Nest#4818: New deploy workflow refactor uses the same .github/actions/apply-infrastructure-changes composite action for Terraform apply.

Suggested labels

ci, infrastructure, backend, frontend, docs

Suggested reviewers

• kasya

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Merge feature/ci-cd-optimization improvements' accurately describes the main change: merging CI/CD optimization improvements into the codebase through a large refactoring of GitHub Actions workflows.
Description check	✅ Passed	The description, while minimal, is directly related to the changeset by confirming the contributor followed the contributing workflow, verified code functionality, and ran required tests with passing results.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/ci-cd-optimization-merge

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud