Expand CI guides from stubs to full reference docs; update primer and lessons#3
Conversation
… lessons
docs/ci/{github-actions,azure-devops,gitlab-ci,jenkins}.md: rewritten from
29-line stubs to comprehensive 280-370 line guides matching the depth of
the new CircleCI/CodeBuild/GCB/Bitbucket/Tekton guides added in the PR.
Each guide now includes: prerequisites, built-in variables table, full
annotated config embedded inline, image ref passing explanation, secrets
setup walkthrough, SARIF upload to the platform's security dashboard,
artifact storage, and --fail-on-severity gate behaviour.
docs/ci-cd-primer.md: added "Supported platforms" table linking all 9
platform guides; updated GitHub/Azure examples to reference the full guides.
docs/LESSONS-LEARNED.md: added session entry covering Phase 1 CLI tests,
5-platform CI integration, PR monitoring (runc pre-release fix), and the
post-merge stale-doc sweep.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0189QVFiKNFT5MEsskeEi19t
| # GitHub Actions integration | ||
|
|
||
| Add the Docker Container Scanner to your workflow so every push/PR is scanned and SARIF is uploaded to the Security tab. | ||
| Add the Docker Container Scanner to your GitHub Actions workflow so every push and pull request is scanned, findings are surfaced in the Security tab as Code Scanning alerts, and full reports are available as downloadable artifacts. | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| - Workflow runs on a runner with Docker (e.g. `ubuntu-latest`). | ||
| - Scanner image is available: build from this repo or use a published image. | ||
| - **Runner**: the workflow must run on a runner that has Docker installed. `ubuntu-latest` (GitHub-hosted) satisfies this out of the box. | ||
| - **Docker socket**: the scanner runs as a container and needs to reach the host Docker daemon via `/var/run/docker.sock`. GitHub-hosted Ubuntu runners expose this socket without any additional configuration. | ||
| - **Permissions**: the job needs `security-events: write` to upload SARIF to GitHub Code Scanning, and `contents: read` to check out the repository. If you are authenticating to GHCR with the built-in `GITHUB_TOKEN`, you also need `packages: read` (or `packages: write` if you are pushing images). | ||
| - **Scanner image**: either build the scanner from this repository (shown in the example below) or pull a published image from `ghcr.io/beejak/docker-scanner:latest`. |
There was a problem hiding this comment.
Guide length conflicts with integrations rule: "keep each pipeline guide short"
The integrations.mdc rule specifies: "Keep each pipeline guide short: one page per pipeline with a minimal example and links to troubleshooting." All four rewritten guides range from 283 to 371 lines with full annotated configs embedded inline. The docs-ux.mdc rule also says: "Long duplicate pipeline YAML in prose; use snippets from ci/ and link." Each guide does reference the existing ci/<platform>/ example file at the bottom, but the full pipeline config is duplicated in the prose rather than delegated to those files. The same pattern appears in all four new guides (github-actions.md, azure-devops.md, gitlab-ci.md, jenkins.md).
Context Used: Integrations agent — Azure, GitHub, GitLab, Jenkin... (source)
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
- github-actions.md: Invert scanner image step to pull from GHCR by default (build-from-source is now the commented alternative); fixes the case where a user copies the workflow into their own repo and docker build targets their application Dockerfile instead of the scanner. Remove stale "mid-2025" date from PAT note; link to GitHub PAT docs instead. - gitlab-ci.md: Same inversion for the scanner image step (pull from GHCR as default). Fix YAML scalar folding in both docker login blocks so multi-line commands use a proper | literal block rather than implicit continuation indent. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_0189QVFiKNFT5MEsskeEi19t
Summary
docs/ci/github-actions.md— rewritten from 29-line stub to 336-line comprehensive guidedocs/ci/azure-devops.md— rewritten from 29-line stub to 336-line comprehensive guidedocs/ci/gitlab-ci.md— rewritten from 29-line stub to 283-line comprehensive guidedocs/ci/jenkins.md— rewritten from 29-line stub to 371-line comprehensive guidedocs/ci-cd-primer.md— added "Supported platforms" table linking all 9 platform guidesdocs/LESSONS-LEARNED.md— added session entry for Phase 1 tests, CI integrations, PR monitoring, and doc sweepWhat changed in each guide
All four CI guides were placeholder stubs ("see the template file") with no real content. Each is now a full reference document matching the depth of the CircleCI/CodeBuild/GCB/Bitbucket/Tekton guides added in PR #2. Every guide includes:
--fail-on-severitygate: how exit code 1 propagates, whyif: always()/condition: always()/when: alwaysis needed on downstream report stepsGITHUB_TOKENvs PAT, ACR service connection vs env var, GitLab auto-injected registry credentials, JenkinswithCredentials)Test plan
docs/ci-cd-primer.mdplatform table links resolve correctly🤖 Generated with Claude Code
https://claude.ai/code/session_0189QVFiKNFT5MEsskeEi19t
Generated by Claude Code
Greptile Summary
This PR expands four CI guide stubs (GitHub Actions, Azure DevOps, GitLab CI, Jenkins) into full reference documents, adds a nine-platform "Supported platforms" table to the CI/CD primer, and appends a lessons-learned session entry.
--fail-on-severitygate behaviour, SARIF upload, artifact storage, secrets setup, and registry auth.packages: readpermission in the GitHub Actions workflow, a redundanttagsinput in the Azure DevOpsDocker@2build task that creates a spurious second image tag, and an unconditionalrecordIssues()call in the Jenkinspost { always }block that will throwMissingMethodExceptionand fail otherwise-passing builds when the optional Warnings NG plugin is absent.Confidence Score: 4/5
Safe to merge after addressing three copy-paste errors in the new guide examples.
All three findings affect the example pipeline YAML that users are expected to copy verbatim. The Jenkins issue is the most disruptive: recordIssues() placed unconditionally in post { always } will throw MissingMethodException on every build for users who don't have the Warnings NG plugin, turning a clean scan result into a build failure. The Azure DevOps double-tag creates silent ambiguity in how the built image is referenced. The missing packages: read in the GitHub Actions workflow contradicts the prerequisites section and will bite anyone adapting the example to pull a private scanner image.
docs/ci/jenkins.md (unconditional optional plugin step), docs/ci/azure-devops.md (Docker@2 tags input), docs/ci/github-actions.md (permissions block)
Important Files Changed
packages: readis missing from the workflow permissions block despite being required for GHCR auth with GITHUB_TOKEN.tags: "$(Build.BuildId)"andarguments: "-t $(imageName)", creating a redundant spurious tag that will confuse users adapting the example.recordIssues()call inpost { always }will throw MissingMethodException and fail otherwise-passing builds when the optional Warnings NG plugin is absent.Flowchart
%%{init: {'theme': 'neutral'}}%% flowchart TD A[Push / PR / Schedule] --> B[Checkout] B --> C[Build app image\ndocker build -t app:SHA .] C --> D[Pull scanner image\nghcr.io/beejak/docker-scanner:latest] D --> E[Run container scan\n--fail-on-severity CRITICAL,HIGH] E -->|exit 0 — no findings| F[Upload SARIF\nif: always] E -->|exit 1 — findings found| F F --> G[Upload artifacts\nif: always] G -->|exit 0| H[✅ Build passes] G -->|exit 1 propagated| I[❌ Build fails\nreports still archived]%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%% flowchart TD A[Push / PR / Schedule] --> B[Checkout] B --> C[Build app image\ndocker build -t app:SHA .] C --> D[Pull scanner image\nghcr.io/beejak/docker-scanner:latest] D --> E[Run container scan\n--fail-on-severity CRITICAL,HIGH] E -->|exit 0 — no findings| F[Upload SARIF\nif: always] E -->|exit 1 — findings found| F F --> G[Upload artifacts\nif: always] G -->|exit 0| H[✅ Build passes] G -->|exit 1 propagated| I[❌ Build fails\nreports still archived]Reviews (2): Last reviewed commit: "Fix P1/P2 Greptile findings in github-ac..." | Re-trigger Greptile
Context used: