chore(ci): cache & restructure GHAs + Docker, fix race in deploy (#53)

chore: Update CI/CD workflows and Docker configurations

* Enhanced `.dockerignore` to exclude additional build artifacts and environment files.
* Updated `claude.md` with detailed descriptions of CI/CD workflows, including new deployment strategies.
* Refactored GitHub Actions workflows for code quality, deployment, and Terraform management to improve efficiency and clarity.
* Removed obsolete Docker build and push workflows, consolidating functionality into the new deployment strategies.
* Improved Dockerfile configurations for better caching and installation processes.

These changes streamline the CI/CD pipeline and enhance the overall development experience.

Co-authored-by: Tushar Shah <twoshark@users.noreply.github.com>

Author: twoshark

.dockerignore

@@ -3,3 +3,13 @@ terraform
 .vscode
 .git
 .cache
+
+node_modules
+**/node_modules
+**/build
+**/dist
+
+*.log
+.env
+.env.*
+!.env.example

.github/workflows/code-quality.yml

@@ -1,63 +1,55 @@
 name: Code Quality and Styles
 
 on:
+  pull_request:
   push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   code-quality-and-style:
     strategy:
+      fail-fast: false
       matrix:
         project:
-          - packages/backend
-          - packages/frontend
+          - frontend
+          - backend
 
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Install Node.js
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
-          node-version: 21
-
-      - name: Install Tools
-        run: |
-          echo "Installing tools..."
-          npm install -g pnpm eslint
+          node-version: 22
+          cache: 'yarn'
+
+      # pnpm is needed because `lint`/`style` scripts use `pnpx` to pin the
+      # eslint/prettier version. eslint is intentionally NOT installed
+      # globally; `pnpx eslint@8.57.0` fetches the pinned version itself.
+      # Pinned to v9 because (a) `pnpx` was deprecated and removed from
+      # later versions, and (b) leaving it unpinned silently drifts on
+      # every CI run.
+      - name: Install pnpm
+        run: npm install -g pnpm@9
 
       - name: Install dependencies
-        run: |
-          echo "Installing dependencies..."
-          cd ${{ matrix.project }}
-          yarn install
+        run: yarn install --frozen-lockfile
 
       - name: Style Check
-        run: |
-          echo "Running style check..."
-          cd ${{ matrix.project }}
-          yarn style
+        run: yarn workspace ${{ matrix.project }} style
 
       - name: Lint
-        run: |
-          echo "Running lint..."
-          cd ${{ matrix.project }}
-          yarn lint
+        run: yarn workspace ${{ matrix.project }} lint
 
       - name: Build
-        run: |
-          echo "Running build..."
-          cd ${{ matrix.project }}
-          yarn build
-
-      #      - name: Test
-      #        run: |
-      #          cd ${{ matrix.project }}
-      #          yarn test --all
-
-      - name: Clean up
-        run: |
-          echo "Cleaning up..."
-          cd ${{ matrix.project }}
-          rm -f eslint-report.json
+        run: yarn workspace ${{ matrix.project }} build

.github/workflows/deploy-frontend.yml

@@ -14,6 +14,10 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
   deploy-frontend:
     name: Deploy Frontend
@@ -31,42 +35,26 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.inputs.ref || github.ref }}
 
       - name: Install Node.js
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
-          node-version: 21
-
-      - name: Install Tools
-        run: npm install -g pnpm eslint
+          node-version: 22
+          cache: 'yarn'
 
       - name: Install dependencies
-        run: |
-          cd packages/frontend
-          yarn install
-
-      - name: Style Check
-        run: |
-          cd packages/frontend
-          yarn style
-
-      - name: Lint
-        run: |
-          cd packages/frontend
-          yarn lint
+        run: yarn install --frozen-lockfile
 
       - name: Build
-        run: |
-          cd packages/frontend
-          yarn build
+        run: yarn workspace frontend build
         env:
           NODE_ENV: production
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

.github/workflows/terraform.yml .github/workflows/deploy.yml.github/workflows/terraform.yml renamed to .github/workflows/deploy.yml

@@ -1,4 +1,4 @@
-name: 'Infrastructure Deployment'
+name: Deploy
 
 on:
   push:
@@ -7,22 +7,84 @@ on:
 permissions:
   contents: read
 
+# Don't cancel mid-deploy: cancelling Terraform apply would leave state
+# inconsistent. Queue follow-up runs instead.
+concurrency:
+  group: deploy-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
+  build-app:
+    name: Build & Push App Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build and push primary Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./docker/Dockerfile
+          push: true
+          tags: rnavt/people-manager:latest,rnavt/people-manager:${{ github.sha }}
+          cache-from: type=gha,scope=app
+          cache-to: type=gha,scope=app,mode=max
+
+  build-migration:
+    name: Build & Push Migration Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build and push migration Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./docker/Dockerfile.migration
+          push: true
+          tags: rnavt/people-manager:latest-migration,rnavt/people-manager:${{ github.sha }}-migration
+          cache-from: type=gha,scope=migration
+          cache-to: type=gha,scope=migration,mode=max
+
   terraform:
-    name: 'Terraform'
+    name: Terraform Apply & Migrate
+    # Wait for both images so Terraform never references a tag that hasn't
+    # been pushed yet.
+    needs: [build-app, build-migration]
     runs-on: ubuntu-latest
     environment: production
-
     defaults:
       run:
         shell: bash
+    env:
+      TF_PLUGIN_CACHE_DIR: ${{ github.workspace }}/.terraform.d/plugin-cache
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -31,13 +93,23 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v3
 
+      - name: Cache Terraform plugins
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.TF_PLUGIN_CACHE_DIR }}
+          key: ${{ runner.os }}-terraform-${{ hashFiles('terraform/.terraform.lock.hcl', 'terraform/**/*.tf') }}
+          restore-keys: ${{ runner.os }}-terraform-
+
+      - name: Create plugin cache dir
+        run: mkdir -p "$TF_PLUGIN_CACHE_DIR"
+
       - name: Terraform Init
         working-directory: terraform/
         run: terraform init -backend-config "bucket=terraform-state-nilo2024" -backend-config "key=people-manager.tfstate"
 
       - name: Terraform Format
         working-directory: terraform/
-        run: terraform fmt
+        run: terraform fmt -check -recursive
 
       - name: Terraform Plan
         working-directory: terraform/

.github/workflows/destroy.yml

@@ -6,6 +6,10 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: destroy-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
   terraform:
     name: 'Terraform'
@@ -18,10 +22,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -31,7 +35,7 @@ jobs:
         uses: hashicorp/setup-terraform@v3
 
       - name: Terraform Init
-        working-directory: terraform/`
+        working-directory: terraform/
         run: terraform init -backend-config "bucket=terraform-state-nilo2024" -backend-config "key=people-manager.tfstate"
 
       - name: Terraform Plan Check