Stay Sidekick uses six application-focused GitHub Actions workflows organized into CI validation, Docker image publishing, and security auditing. Every push toDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/sdurutr436/stay-sidekick/llms.txt
Use this file to discover all available pages before exploring further.
dev-herramientas or main triggers the full CI battery — lint, test, and build — across both the Python backend and the Node frontend/web stacks. Docker images are only pushed to Docker Hub when all three CI workflows have completed successfully on the exact same commit SHA, enforced by a dedicated verification job that queries the GitHub API before any build begins.
Workflows
The table below summarises all six workflows, their triggers, runtime environment, and primary action:| Workflow | Trigger | Stack | Action |
|---|---|---|---|
ci-python.yml | Push / PR to dev-herramientas, main | Python 3.12 + pytest | ruff check backend/app lint → pytest with postgres:16-alpine service container |
ci-angular-tests.yml | Push / PR to dev-herramientas, main | Node 22 + Vitest | Tests with Istanbul coverage threshold + production build verification |
ci-angular.yml | Push / PR to dev-herramientas, main | Node 22 + Angular CLI | Production build of the Angular SPA |
ci-web.yml | Push / PR to dev-herramientas, main | Node 22 + 11ty | Production build of the static public site |
docker-publish.yml | After CI Angular, CI 11ty, and CI Python all pass on the same SHA | Docker + GitHub API | Publishes 4 images to Docker Hub with sha-<short>, main, and latest tags |
trivy.yml | PR / push to main, weekly (Mon 04:23 UTC), manual | Trivy + SARIF | Vulnerability and misconfiguration scan with HIGH/CRITICAL filter, results published to GitHub Security |
CI workflow detail
ci-python.yml
Runs two sequential jobs:
- Lint — installs
ruffand runsruff check backend/app. The tests job hasneeds: lintand will not start if lint fails. - Tests — spins up a
postgres:16-alpineservice container, installsrequirements.txtpluspytest, then executes the full suite with--cov-fail-under=90. The HTML and XML coverage reports are uploaded as thebackend-coverageartifact (14-day retention).
pg_isready before tests start, ensuring a live PostgreSQL 16 connection is available throughout the run.ci-angular-tests.yml
Runs two sequential jobs:
- test-frontend — installs dependencies with
pnpm install --frozen-lockfile, then runspnpm exec ng test --watch=false. The coverage report is uploaded as thecoverage-reportartifact (14-day retention). - deploy-check (
needs: test-frontend) — performs a fullpnpm exec ng build --configuration productionto confirm the production build compiles cleanly after tests pass.
ci-angular.yml
A single
build job that installs frontend dependencies and runs pnpm run build. This is the fast build-only check that docker-publish.yml requires to pass before publishing the Angular image. It runs in parallel with ci-angular-tests.yml on every push.ci-web.yml
A single
build job that installs web/ dependencies and runs pnpm run build with TURNSTILE_SITE_KEY set to an empty string (safe for CI). This is the 11ty static site build check required by docker-publish.yml before the web image is built and pushed.Conditional publishing
Thedocker-publish.yml workflow is triggered by workflow_run events — it fires each time any of the three CI workflows (CI Angular, CI 11ty, CI Python) completes on a dev-herramientas or main branch. However, it does not blindly publish on every trigger. Instead, a dedicated verificar job runs first and gates the entire publish pipeline.
verificar job — query the GitHub API
The The result (
verificar job uses the GitHub CLI (gh api) to look up the three required CI workflows by name and filter them to runs matching the exact head_sha of the triggering commit:true or false) is emitted as a job output named todos-pasaron.publicar job — conditional on verificar output
The If any of the three CI workflows has not yet completed, or completed with a status other than
publicar job has needs: verificar and an if condition:success, TODOS is false and the publicar job is skipped entirely. No partial or speculative builds occur.Docker Hub images
Four images are built and published to Docker Hub on every qualifying commit tomain:
| Image | Source directory | Role |
|---|---|---|
sdurutr436/stay-sidekick-backend | ./backend | Flask + Gunicorn API server |
sdurutr436/stay-sidekick-frontend | ./frontend | Angular SPA served by internal Nginx |
sdurutr436/stay-sidekick-web | ./web (root context, web/Dockerfile) | 11ty static site served by internal Nginx |
sdurutr436/stay-sidekick-nginx | ./nginx | Reverse proxy with security headers |
| Tag | Format | Purpose |
|---|---|---|
| Commit SHA | sha-<7-char-short-sha> | Immutable reference to an exact build |
| Branch | main | Latest build on the main branch |
| Convenience | latest | Standard Docker Hub default tag |
web image receives the TURNSTILE_SITE_KEY build argument from the TURNSTILE_SITE_KEY repository secret, so the published image includes the production Cloudflare Turnstile site key baked into the static build.
Branch strategy
All CI workflows (ci-python.yml, ci-angular-tests.yml, ci-angular.yml, ci-web.yml) trigger on pushes and pull requests targeting two branches:
| Branch | Purpose |
|---|---|
dev-herramientas | Active feature development branch — CI runs here to catch issues before merging |
main | Stable branch — CI runs here and, on pass, gates Docker image publishing |
main and on pull requests targeting main. The trivy.yml path filter restricts scans to runs that actually touch relevant files (backend/**, frontend/**, web/**, nginx/**, workflows, Docker Compose, package.json, railway.toml), avoiding unnecessary audit runs on documentation-only changes.
The branch naming conventions for contributors (from CONTRIBUTING.md) are:
| Prefix | Use case |
|---|---|
dev-* | Normal feature work |
fix-* | Bug fixes |
hotfix-* | Urgent production issues |

