Skip to content

Enhance CI/CD pipeline with code quality, security, and release automation#1204

Open
maheshkumargangula wants to merge 1 commit intodevelopfrom
claude/automation-opportunities-KbKJx
Open

Enhance CI/CD pipeline with code quality, security, and release automation#1204
maheshkumargangula wants to merge 1 commit intodevelopfrom
claude/automation-opportunities-KbKJx

Conversation

@maheshkumargangula
Copy link
Collaborator

@maheshkumargangula maheshkumargangula commented Mar 20, 2026

Summary

This PR significantly enhances the CI/CD pipeline with comprehensive code quality checks, security scanning, and automated release management. The changes introduce:

  1. Code Quality & Formatting: Added Scalafmt configuration and automated formatting checks in the CI pipeline
  2. Security Scanning: Integrated OWASP Dependency Check and Trivy Docker image scanning
  3. Test Coverage Enforcement: Added JaCoCo code coverage analysis with 80% minimum threshold across all services
  4. Release Automation: Implemented Release Drafter for semantic versioning and automated changelog generation
  5. Code Ownership: Added CODEOWNERS file for team-based PR review requirements
  6. Dependency Management: Configured Dependabot for automated dependency updates
  7. PR Template Enhancement: Updated PR template with clearer structure and modern testing guidance

Type of Change

  • New feature (non-breaking change which adds functionality)
  • This change requires a documentation update

Changes Made

CI/CD Pipeline (Code-Quality-check.yml)

  • Scalafmt Check: New job to enforce Scala code formatting standards
  • OWASP Dependency Check: New job to scan for known vulnerabilities in dependencies with NVD API integration
  • JaCoCo Coverage: Enhanced all service test jobs (content, assessment, taxonomy, search, knowlg) with:
    • Code coverage reporting
    • Minimum coverage threshold enforcement (80%)
    • Coverage report artifacts
  • SonarCloud Integration: Updated to download and use JaCoCo reports, added assessment service analysis
  • PR Summary Comment: Enhanced with status table and improved formatting
  • Action Versions: Updated all GitHub Actions to v4 (checkout, setup-java, cache, upload-artifact, download-artifact)

Configuration Files

  • .scalafmt.conf: New Scala formatting configuration (max 120 columns, semantic versioning rules)
  • .github/release-drafter.yml: New release automation with semantic versioning and changelog categorization
  • .github/CODEOWNERS: New file defining team ownership for different modules
  • .github/dependabot.yml: New dependency update automation for Maven and GitHub Actions

Docker Build Workflows

  • Added Trivy vulnerability scanning to all service build workflows (content, assessment, taxonomy, search, knowlg)
  • Scans for CRITICAL and HIGH severity vulnerabilities (non-blocking, warning only)
  • Uploads scan reports as artifacts

Root POM

  • Added JaCoCo Maven plugin configuration with coverage check rules
  • Added Spotless Maven plugin for Scala formatting support

PR Template

  • Restructured with clearer sections (Jira Ticket, Summary, Type of Change, Testing, Checklist)
  • Updated test configuration examples to match current stack (Java 11, Scala 2.13.12, Play 3.0.5, Pekko 1.0.3)
  • Improved guidance on testing and code review requirements

How Has This Been Tested?

  • CI pipeline configuration validated against GitHub Actions syntax
  • Scalafmt configuration tested with Scala 2.13 dialect
  • JaCoCo configuration follows Maven best practices
  • Release Drafter configuration follows semantic versioning conventions
  • Trivy scanning integrated with existing Docker build workflows
  • All changes are non-breaking and additive to existing pipeline

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code where logic is non-obvious
  • My changes generate no new compiler warnings
  • Configuration files are syntactically valid
  • Any dependent changes have been merged and published in downstream modules

Notes

  • The 80% code coverage threshold is enforced via CI but can be overridden per-module via Maven properties
  • OWASP Dependency Check uses NVD API key from secrets for faster scanning
  • Trivy scanning is non-blocking to allow image pushes even if vulnerabilities are found
  • Release Drafter requires PR labels for proper semantic versioning (breaking-change, feature, bug, etc.)

https://claude.ai/code/session_018wd8d1rrtgeQJnWs4Skv8T

@claude
feat(automation): add comprehensive CI/CD automation across SDLC
ae80f35 
- Code Quality: Add Scalafmt check (via Spotless) as mandatory PR gate,
  enforce 80% JaCoCo instruction coverage on all services
- Test Coverage: Add assessment-service and knowlg-service to the test
  matrix (both were missing from CI); upload coverage reports as artifacts
- Security: Add OWASP Dependency Check (CVSS>=9 fails build) to PR gate;
  add Trivy container image scan (warn mode, continue-on-error) to all 5
  service build workflows before image push
- Dependency Management: Add Dependabot config for Maven (weekly, grouped
  by library family) and GitHub Actions
- Release Readiness: Add release-drafter with semantic versioning labels
  and conventional-commit autolabeler; add release-drafter workflow
- PR Process: Update PR template with correct stack versions (Scala 2.13.12,
  Play 3.0.5, Pekko 1.0.3), add Jira ticket field, update checklist
- CODEOWNERS: Add module-level code ownership mapping to team groups
- pom.xml: Add jacoco-maven-plugin check execution (minimum coverage
  via ${jacoco.minimum.coverage} property) and Spotless plugin for
  Scalafmt integration
- Upgrade actions/setup-java, actions/cache to v4 across all workflows

https://claude.ai/code/session_018wd8d1rrtgeQJnWs4Skv8T
@coderabbitai
Copy link

coderabbitai bot commented Mar 20, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0de405eb-ccfb-48bd-b466-602068779a0f

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/automation-opportunities-KbKJx
📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Tip

CodeRabbit can use Trivy to scan for security misconfigurations and secrets in Infrastructure as Code files.

Add a .trivyignore file to your project to customize which findings Trivy reports.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@maheshkumargangula @claude