Main Branch CI/CD Workflow
Overview
The Main Branch CI/CD workflow is the primary continuous integration and deployment pipeline for the main branch of the repository. This workflow runs automatically when changes are pushed to the main branch, ensuring code quality and deploying documentation to GitHub Pages.
Features
- Performs comprehensive security scanning with CodeQL analysis across multiple languages
- Runs individual lint jobs for static code analysis across multiple languages and file formats
- Validates documentation standards for both Terraform and Bicep configurations
- Deploys documentation to GitHub Pages when documentation changes are detected
- Runs automated dependency scanning to identify security vulnerabilities
- Orchestrates multiple specialized workflows in a coordinated sequence
Inputs
This workflow does not accept any inputs when triggered automatically. When manually triggered using workflow_dispatch, no additional parameters are required.
Outputs
This workflow doesn't produce any direct output variables, but it generates the following:
- GitHub code scanning alerts for any security issues found
- Static analysis results via individual lint jobs
- Documentation validation results
- Deployed GitHub Pages documentation site (on successful execution)
Usage Examples
Automatic Execution
The workflow is automatically triggered on pushes to the main branch and doesn't need manual invocation.
Manual Execution
The workflow can also be triggered manually from the GitHub Actions tab:
- Navigate to the "Actions" tab in the repository
- Select the "Main Branch CI/CD" workflow
- Click "Run workflow"
- Select the branch (typically main)
- Click "Run workflow"
Implementation Details
The workflow consists of multiple jobs that run in a specific sequence:
- CodeQL Analysis: Scans code for security vulnerabilities across JavaScript, Python, TypeScript, and C#
- Dependency Scan: Analyzes project dependencies for known security issues
- Lint Jobs: Performs comprehensive linting and static analysis
- Terraform Documentation Check: Validates Terraform documentation consistency
- Bicep Documentation Check: Validates Bicep documentation consistency
- Deploy Pages: Publishes documentation to GitHub Pages when changes are detected
Workflow Steps
CodeQL Analysis
- Checks out the repository code
- Initializes CodeQL for the specified language
- Automatically builds the codebase
- Performs CodeQL analysis for security vulnerabilities
- Uploads results to GitHub Security tab
Dependency Scan
- Checks out the repository code
- Performs dependency review for security vulnerabilities
- Reports findings as GitHub annotations
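An added example of the trigger, permission and scanning jobs described above (this is not the project's own workflow file): the action major versions, the ubuntu-latest runner and the high severity threshold are assumptions. It also carries two caveats the step list does not mention: CodeQL treats JavaScript and TypeScript as a single language, and the dependency review action needs explicit base and head refs when it runs on a push rather than a pull request.

```yaml
# Added example, not the project's main-branch workflow file.
# Assumptions: action major versions, the ubuntu-latest runner and the
# high severity threshold for the dependency scan.
name: Main Branch CI/CD

on:
  push:
    branches: [main]
  workflow_dispatch:        # manual run from the Actions tab; no inputs

# Only the three permissions listed under Security Considerations.
permissions:
  contents: read            # checkout
  actions: read             # CodeQL reads workflow metadata
  security-events: write    # upload SARIF results to the Security tab

jobs:
  codeql:
    name: CodeQL (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false      # a failure in one language must not cancel the others
      matrix:
        # CodeQL analyses JavaScript and TypeScript as one language.
        language: [javascript-typescript, python, csharp]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          # One category per language so the uploads do not overwrite each other.
          category: "/language:${{ matrix.language }}"

  dependency-scan:
    runs-on: ubuntu-latest
    # A manual run has no "before" commit to compare against, so only scan pushes.
    if: github.event_name == 'push'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # The action diffs the manifests between two refs. On a pull request it
          # finds them itself; on a push to main they must be given explicitly.
          base-ref: ${{ github.event.before }}
          head-ref: ${{ github.sha }}
          # Every finding is reported as an annotation; only high and critical fail the job.
          fail-on-severity: high
```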
Lint Jobs
Runs dedicated lint jobs for shell scripts, YAML, Python, PowerShell, Bicep, Terraform, documentation, and code quality analysis across the entire codebase.
Terraform Documentation Check
Calls the reusable docs-check-terraform.yml workflow with:
- break_build: false - Warnings won't fail the workflow, but will be reported
Bicep Documentation Check
Calls the reusable docs-check-bicep.yml workflow with:
- break_build: false - Warnings won't fail the workflow, but will be reported
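What break_build: false means on the called side, shown as an added hypothetical reconstruction rather than the repository's actual docs-check-terraform.yml: the generator script name is taken from the Troubleshooting section, while the job and step names are assumptions. The pattern is the same for the Bicep check with its own script.

```yaml
# Added hypothetical example; not the repository's docs-check-terraform.yml.
# The script name comes from the Troubleshooting section and is assumed to
# rewrite the README files in place; terraform-docs must be on the runner.
name: Terraform Documentation Check

on:
  workflow_call:
    inputs:
      break_build:
        description: Fail the job when the committed docs are out of date
        type: boolean
        required: false
        default: false

permissions:
  contents: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Regenerate docs and compare with the committed files
        id: docs
        run: |
          ./update-all-terraform-docs.sh
          # Any working-tree difference means the committed documentation is stale.
          if ! git diff --exit-code --stat; then
            echo "::warning::Terraform docs are out of date; run update-all-terraform-docs.sh"
            echo "drift=true" >> "$GITHUB_OUTPUT"
          else
            echo "drift=false" >> "$GITHUB_OUTPUT"
          fi

      # With break_build: false (the main-branch caller's setting) this step is
      # skipped, so the warning annotation above is all the caller sees.
      - name: Fail on drift only when break_build is true
        if: steps.docs.outputs.drift == 'true' && inputs.break_build
        run: |
          echo "::error::Terraform docs are out of date"
          exit 1
```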
Deploy Pages
Calls the reusable pages-deploy.yml workflow with:
- source_branch: main - Deploys documentation from the main branch
- deploy_environment: production - Deploys to the production environment
Troubleshooting
Common Issues
- Failed CodeQL Analysis:
  - Solution: Review security issues in the GitHub Security tab and fix identified vulnerabilities
- Lint Job Failures:
  - Solution: Check the individual lint job logs in the workflow run for specific issues to fix
- Documentation Validation Issues:
  - Solution: Use the documentation generation scripts (update-all-terraform-docs.sh or update-all-bicep-docs.sh) to regenerate documentation
- Pages Deployment Failed:
  - Solution: Verify that the GitHub Pages source is correctly configured in the repository settings
Extending the Workflow
To enhance this workflow:
- To add additional validation steps:
  - Add new jobs after existing checks
  - Ensure proper dependencies between jobs using needs: [job-name]
- To modify documentation deployment:
  - Edit parameters passed to the pages-deploy.yml workflow
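An added example (not the project's file) of the orchestration layer that both the Workflow Steps section and this one describe: the reusable-workflow calls with the inputs listed earlier, secrets: inherit, a change-detection job that gates the Pages deployment on documentation changes, and a new validation job wired in after the existing checks with needs:. The docs/ path, the lint command, the policy-check script and the job names are assumptions.

```yaml
# Added example, not the project's workflow file. Assumed: the docs/ path,
# the lint command, the policy-check script and all job names.
name: Main Branch CI/CD

on:
  push:
    branches: [main]
  workflow_dispatch:

permissions:
  contents: read
  actions: read
  security-events: write    # needed by the CodeQL job, omitted here for brevity

jobs:
  lint-shell:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: git ls-files '*.sh' | xargs -r shellcheck

  docs-terraform:
    uses: ./.github/workflows/docs-check-terraform.yml
    with:
      break_build: false      # report drift as warnings, keep the pipeline green
    secrets: inherit          # repository secrets flow into the called workflow

  docs-bicep:
    uses: ./.github/workflows/docs-check-bicep.yml
    with:
      break_build: false
    secrets: inherit

  # Extending the workflow: a new validation job placed after the existing
  # checks. needs: makes it wait for them and skips it if any of them fail.
  policy-check:
    needs: [lint-shell, docs-terraform, docs-bicep]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/check-policy.sh     # assumed script

  # Detect whether documentation changed so Pages is only redeployed when needed.
  docs-changed:
    runs-on: ubuntu-latest
    outputs:
      changed: ${{ steps.diff.outputs.changed }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # the before/after diff needs history
      - id: diff
        env:                    # pass event data through env, not inline ${{ }} in the script
          BEFORE: ${{ github.event.before }}
          AFTER: ${{ github.sha }}
        run: |
          # Manual runs have no "before" commit: deploy unconditionally.
          if [ -z "$BEFORE" ] || git diff --name-only "$BEFORE" "$AFTER" | grep -q '^docs/'; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi

  deploy-pages:
    needs: [policy-check, docs-changed]
    if: needs.docs-changed.outputs.changed == 'true'
    uses: ./.github/workflows/pages-deploy.yml
    with:
      source_branch: main
      deploy_environment: production
    secrets: inherit
```

Because the called workflows receive the caller's token, they can only narrow the permissions declared here, never widen them; keeping the top-level block at the three permissions the page lists is what makes that a useful boundary.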
Related Workflows
- pr-validation.yml: Similar workflow that runs on pull requests
- docs-check-terraform.yml: Terraform documentation validation
- docs-check-bicep.yml: Bicep documentation validation
- pages-deploy.yml: GitHub Pages deployment workflow
Security Considerations
This workflow requires specific permissions to function correctly:
- security-events: write - Required for CodeQL analysis
- actions: read - Required for workflow execution
- contents: read - Required for repository access
The workflow uses secrets inheritance (secrets: inherit) to pass repository secrets to called workflows.
🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.