Skip to content

Expand CI guides from stubs to full reference docs; update primer and lessons#3

Merged
beejak merged 2 commits into
mainfrom
claude/repo-testing-strategy-rygscm
Jul 1, 2026
Merged

Expand CI guides from stubs to full reference docs; update primer and lessons#3
beejak merged 2 commits into
mainfrom
claude/repo-testing-strategy-rygscm

Conversation

@beejak

@beejak beejak commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Summary

  • docs/ci/github-actions.md — rewritten from 29-line stub to 336-line comprehensive guide
  • docs/ci/azure-devops.md — rewritten from 29-line stub to 336-line comprehensive guide
  • docs/ci/gitlab-ci.md — rewritten from 29-line stub to 283-line comprehensive guide
  • docs/ci/jenkins.md — rewritten from 29-line stub to 371-line comprehensive guide
  • docs/ci-cd-primer.md — added "Supported platforms" table linking all 9 platform guides
  • docs/LESSONS-LEARNED.md — added session entry for Phase 1 tests, CI integrations, PR monitoring, and doc sweep

What changed in each guide

All four CI guides were placeholder stubs ("see the template file") with no real content. Each is now a full reference document matching the depth of the CircleCI/CodeBuild/GCB/Bitbucket/Tekton guides added in PR #2. Every guide includes:

  • Prerequisites and runner requirements
  • Built-in variables table with example values and usage context
  • Full annotated pipeline config embedded inline (not just a pointer to the template file)
  • Image ref passing between build and scan steps explained explicitly
  • --fail-on-severity gate: how exit code 1 propagates, why if: always() / condition: always() / when: always is needed on downstream report steps
  • SARIF upload to the platform's native security dashboard (GitHub Code Scanning, Azure Defender for DevOps, GitLab Security dashboard, Warnings Next Generation plugin)
  • Artifact storage and download walkthrough
  • Secrets setup step-by-step (GitHub Secrets, Azure Library Variable Groups, GitLab CI/CD Variables, Jenkins Credentials)
  • Registry auth specifics per platform (GHCR GITHUB_TOKEN vs PAT, ACR service connection vs env var, GitLab auto-injected registry credentials, Jenkins withCredentials)

Test plan

  • Verify all four guides render correctly in GitHub markdown (headers, tables, code blocks)
  • Spot-check that variable names in each guide match the platform's actual built-in variable names
  • Confirm docs/ci-cd-primer.md platform table links resolve correctly

🤖 Generated with Claude Code

https://claude.ai/code/session_0189QVFiKNFT5MEsskeEi19t


Generated by Claude Code

Greptile Summary

This PR expands four CI guide stubs (GitHub Actions, Azure DevOps, GitLab CI, Jenkins) into full reference documents, adds a nine-platform "Supported platforms" table to the CI/CD primer, and appends a lessons-learned session entry.

  • Four guides rewritten — each now covers prerequisites, built-in variables, full annotated pipeline config, image-ref passing, --fail-on-severity gate behaviour, SARIF upload, artifact storage, secrets setup, and registry auth.
  • CI/CD primer updated — new platform table links all nine guides and templates; inline GitHub Actions example updated to use SHA-based image tags.
  • Three correctness issues found — missing packages: read permission in the GitHub Actions workflow, a redundant tags input in the Azure DevOps Docker@2 build task that creates a spurious second image tag, and an unconditional recordIssues() call in the Jenkins post { always } block that will throw MissingMethodException and fail otherwise-passing builds when the optional Warnings NG plugin is absent.

Confidence Score: 4/5

Safe to merge after addressing three copy-paste errors in the new guide examples.

All three findings affect the example pipeline YAML that users are expected to copy verbatim. The Jenkins issue is the most disruptive: recordIssues() placed unconditionally in post { always } will throw MissingMethodException on every build for users who don't have the Warnings NG plugin, turning a clean scan result into a build failure. The Azure DevOps double-tag creates silent ambiguity in how the built image is referenced. The missing packages: read in the GitHub Actions workflow contradicts the prerequisites section and will bite anyone adapting the example to pull a private scanner image.

docs/ci/jenkins.md (unconditional optional plugin step), docs/ci/azure-devops.md (Docker@2 tags input), docs/ci/github-actions.md (permissions block)

Important Files Changed

Filename Overview
docs/ci/github-actions.md Rewritten from 29-line stub to full reference guide; packages: read is missing from the workflow permissions block despite being required for GHCR auth with GITHUB_TOKEN.
docs/ci/azure-devops.md Rewritten to comprehensive guide; Docker@2 build task has both tags: "$(Build.BuildId)" and arguments: "-t $(imageName)", creating a redundant spurious tag that will confuse users adapting the example.
docs/ci/jenkins.md Rewritten to full declarative-pipeline reference guide; unconditional recordIssues() call in post { always } will throw MissingMethodException and fail otherwise-passing builds when the optional Warnings NG plugin is absent.
docs/ci/gitlab-ci.md Rewritten from stub to full guide with DinD setup, SHA-based image tagging, SARIF artifact wiring, and CI/CD variable instructions. No new issues beyond those already flagged in previous review threads.
docs/ci-cd-primer.md Added a nine-platform "Supported platforms" table with template and guide links; updated inline GitHub Actions example to use SHA-based image tags.
docs/LESSONS-LEARNED.md Appended a session entry documenting Phase 1 CLI tests, 9-platform CI/CD integrations, PR monitoring findings, and doc sweep results. No issues.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push / PR / Schedule] --> B[Checkout]
    B --> C[Build app image\ndocker build -t app:SHA .]
    C --> D[Pull scanner image\nghcr.io/beejak/docker-scanner:latest]
    D --> E[Run container scan\n--fail-on-severity CRITICAL,HIGH]
    E -->|exit 0 — no findings| F[Upload SARIF\nif: always]
    E -->|exit 1 — findings found| F
    F --> G[Upload artifacts\nif: always]
    G -->|exit 0| H[✅ Build passes]
    G -->|exit 1 propagated| I[❌ Build fails\nreports still archived]
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[Push / PR / Schedule] --> B[Checkout]
    B --> C[Build app image\ndocker build -t app:SHA .]
    C --> D[Pull scanner image\nghcr.io/beejak/docker-scanner:latest]
    D --> E[Run container scan\n--fail-on-severity CRITICAL,HIGH]
    E -->|exit 0 — no findings| F[Upload SARIF\nif: always]
    E -->|exit 1 — findings found| F
    F --> G[Upload artifacts\nif: always]
    G -->|exit 0| H[✅ Build passes]
    G -->|exit 1 propagated| I[❌ Build fails\nreports still archived]
Loading

Reviews (2): Last reviewed commit: "Fix P1/P2 Greptile findings in github-ac..." | Re-trigger Greptile

Context used:

  • Context used - Integrations agent — Azure, GitHub, GitLab, Jenkin... (source)
  • Context used - Docs/UX agent — Getting started, CLI reference, in... (source)

… lessons

docs/ci/{github-actions,azure-devops,gitlab-ci,jenkins}.md: rewritten from
29-line stubs to comprehensive 280-370 line guides matching the depth of
the new CircleCI/CodeBuild/GCB/Bitbucket/Tekton guides added in the PR.
Each guide now includes: prerequisites, built-in variables table, full
annotated config embedded inline, image ref passing explanation, secrets
setup walkthrough, SARIF upload to the platform's security dashboard,
artifact storage, and --fail-on-severity gate behaviour.

docs/ci-cd-primer.md: added "Supported platforms" table linking all 9
platform guides; updated GitHub/Azure examples to reference the full guides.

docs/LESSONS-LEARNED.md: added session entry covering Phase 1 CLI tests,
5-platform CI integration, PR monitoring (runc pre-release fix), and the
post-merge stale-doc sweep.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0189QVFiKNFT5MEsskeEi19t
Comment thread docs/ci/github-actions.md Outdated
Comment thread docs/ci/gitlab-ci.md Outdated
Comment thread docs/ci/github-actions.md Outdated
Comment thread docs/ci/gitlab-ci.md Outdated
Comment thread docs/ci/github-actions.md
Comment on lines 1 to +10
# GitHub Actions integration

Add the Docker Container Scanner to your workflow so every push/PR is scanned and SARIF is uploaded to the Security tab.
Add the Docker Container Scanner to your GitHub Actions workflow so every push and pull request is scanned, findings are surfaced in the Security tab as Code Scanning alerts, and full reports are available as downloadable artifacts.

## Prerequisites

- Workflow runs on a runner with Docker (e.g. `ubuntu-latest`).
- Scanner image is available: build from this repo or use a published image.
- **Runner**: the workflow must run on a runner that has Docker installed. `ubuntu-latest` (GitHub-hosted) satisfies this out of the box.
- **Docker socket**: the scanner runs as a container and needs to reach the host Docker daemon via `/var/run/docker.sock`. GitHub-hosted Ubuntu runners expose this socket without any additional configuration.
- **Permissions**: the job needs `security-events: write` to upload SARIF to GitHub Code Scanning, and `contents: read` to check out the repository. If you are authenticating to GHCR with the built-in `GITHUB_TOKEN`, you also need `packages: read` (or `packages: write` if you are pushing images).
- **Scanner image**: either build the scanner from this repository (shown in the example below) or pull a published image from `ghcr.io/beejak/docker-scanner:latest`.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Guide length conflicts with integrations rule: "keep each pipeline guide short"

The integrations.mdc rule specifies: "Keep each pipeline guide short: one page per pipeline with a minimal example and links to troubleshooting." All four rewritten guides range from 283 to 371 lines with full annotated configs embedded inline. The docs-ux.mdc rule also says: "Long duplicate pipeline YAML in prose; use snippets from ci/ and link." Each guide does reference the existing ci/<platform>/ example file at the bottom, but the full pipeline config is duplicated in the prose rather than delegated to those files. The same pattern appears in all four new guides (github-actions.md, azure-devops.md, gitlab-ci.md, jenkins.md).

Context Used: Integrations agent — Azure, GitHub, GitLab, Jenkin... (source)

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Fix in Claude Code Fix in Cursor

- github-actions.md: Invert scanner image step to pull from GHCR by
  default (build-from-source is now the commented alternative); fixes
  the case where a user copies the workflow into their own repo and
  docker build targets their application Dockerfile instead of the
  scanner. Remove stale "mid-2025" date from PAT note; link to GitHub
  PAT docs instead.
- gitlab-ci.md: Same inversion for the scanner image step (pull from
  GHCR as default). Fix YAML scalar folding in both docker login blocks
  so multi-line commands use a proper | literal block rather than
  implicit continuation indent.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0189QVFiKNFT5MEsskeEi19t
@beejak beejak merged commit 112ccd9 into main Jul 1, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants