@Prasad-D-Ware Prasad-D-Ware commented Nov 12, 2025

Solves : #145 CI/CD pipeline

Purpose: Automates testing, building, and deployment for both frontend and backend
When It Runs
On Pull Requests: Validates code quality
On Main Branch: Validates + deploys to production

Pipeline Steps

1. Build & Validation Job
Install dependencies → Run linter → Build all packages
What: Ensures code compiles and follows style guidelines
Why: Catches errors before they reach production

2. Backend Deployment Job (main branch only)
Build Docker image → Push to GitHub Registry (ghcr.io)
What: Packages the API (apps/api) into a Docker container
Why: Ready for deployment to Railway or any container platform

3. Frontend Deployment Job (main branch only)
Build Next.js app → Deploy to Vercel
What: Deploys the web app (apps/web) to Vercel
Why: Provides fast, global CDN-backed hosting for the frontend

Required Setup
Add these secrets in GitHub repo settings:
VERCEL_TOKEN, VERCEL_ORG_ID, VERCEL_PROJECT_ID - For frontend deployment
GITHUB_TOKEN - Auto-provided for Docker registry access

Result
✅ Every merge to main auto-deploys frontend and backend
✅ No manual deployment needed

Summary by CodeRabbit

  • Chores
    • Added CI/CD automation: automated build, lint and package build on push/PR.
    • Automated Docker image build and push for main branch.
    • Automated deployment of the web app to Vercel from main branch.
    • Workflow respects configured Node version and registry settings and streamlines release steps for faster, more reliable deployments.

@vercel

vercel bot commented Nov 12, 2025

@Prasad-D-Ware is attempting to deploy a commit to the AJEET PRATAP SINGH's projects Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai
Contributor

coderabbitai bot commented Nov 12, 2025

Walkthrough

Adds a GitHub Actions CI/CD workflow at .github/workflows/ci-cd.yml that runs build, Docker image build-and-push, and Vercel deployment jobs. The workflow triggers on push and pull_request for main and uses environment-configured Node/PNPM and token-based authentication for registry and Vercel.

Changes

Cohort / File(s) | Summary
CI/CD Workflow Configuration: .github/workflows/ci-cd.yml | Adds a GitHub Actions workflow defining three jobs: build (checkout, setup PNPM/Node, install, lint, build), docker-build-and-push (ghcr.io login, QEMU/Buildx setup, metadata extraction, build & push with caching) and deploy-vercel (setup PNPM/Node, install Vercel CLI, pull env, build & deploy from apps/web). Triggers on push and pull_request to main; registry and Vercel auth use tokens; Docker/Deploy jobs run after build and are conditional on branch.

Sequence Diagram

sequenceDiagram
    autonumber
    actor Trigger as Push/PR (main)
    participant GHA as GitHub Actions
    participant Build as build
    participant Docker as docker-build-and-push
    participant Vercel as deploy-vercel

    Trigger->>GHA: trigger workflow
    GHA->>Build: run build job
    Build->>Build: checkout, setup PNPM/Node\ninstall deps, lint, build
    Build-->>GHA: build complete

    par After build (parallel)
        GHA->>Docker: start docker-build-and-push
        Docker->>Docker: login ghcr.io\nsetup QEMU & Buildx\nextract metadata\nbuild & push image (cache)
        Docker-->>GHA: docker complete
    and
        GHA->>Vercel: start deploy-vercel
        Vercel->>Vercel: setup PNPM/Node\ninstall Vercel CLI\npull env info\nbuild & deploy from apps/web
        Vercel-->>GHA: deploy complete
    end

    GHA-->>Trigger: workflow finished

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify job dependency and branch conditionals (if: github.ref == 'refs/heads/main').
  • Check secrets/tokens usage for registry and Vercel authentication.
  • Inspect Docker buildx/QEMU setup and caching steps.
  • Confirm PNPM/Node version sourcing and Vercel deploy path (apps/web).

Poem

🐰 A small CI seed planted in files so neat,
Build hops, Docker rolls, Vercel greets the feat.
From checkout to deploy, the pipeline sings,
I nibble the tests and celebrate wings! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'feat : CI/CD pipeline created' accurately describes the main change—introduction of a GitHub Actions CI/CD workflow. It is concise, clear, and specific enough for teammates to understand the primary change when scanning history.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 80e725d and dea83de.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • .github/workflows/ci-cd.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/ci-cd.yml


@cla-assistant

cla-assistant bot commented Nov 12, 2025

CLA assistant check
All committers have signed the CLA.

@cla-assistant

cla-assistant bot commented Nov 12, 2025

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/ci-cd.yml (2)

106-114: Consider using environment variables for sensitive tokens to improve log safety.

Passing VERCEL_TOKEN as a command-line argument (lines 106, 110, 114) may inadvertently expose it in logs or error messages, even though GitHub Actions masks some secret values. The Vercel CLI supports reading VERCEL_TOKEN from environment variables.

Refactor the deploy-vercel job to use environment variables instead:

  deploy-vercel:
    needs: build
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    env:
      VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
      VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
+     VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
    steps:
      ...
      - name: Pull Vercel Environment Information
-       run: vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}
+       run: vercel pull --yes --environment=production
        working-directory: ./apps/web

      - name: Build Project Artifacts
-       run: vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}
+       run: vercel build --prod
        working-directory: ./apps/web

      - name: Deploy Project Artifacts to Vercel
-       run: vercel deploy --prebuilt --prod --token=${{ secrets.VERCEL_TOKEN }}
+       run: vercel deploy --prebuilt --prod
        working-directory: ./apps/web
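
Review bot: The added `VERCEL_TOKEN` line sits in the job-level `env:` block, so every step of `deploy-vercel` inherits the token, including the steps elided under `steps:` that only install tooling and dependencies. Consider a step-level `env:` on just the three `vercel pull`, `vercel build` and `vercel deploy` steps instead, so the token is present only where the CLI needs it; `VERCEL_ORG_ID` and `VERCEL_PROJECT_ID` can stay at job level.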

82-115: Recommend adding explicit handling for missing Vercel secrets.

The deploy-vercel job relies on three Vercel secrets (VERCEL_TOKEN, VERCEL_ORG_ID, VERCEL_PROJECT_ID) without validation. If any secret is missing, the job will fail silently during the vercel pull step, making debugging harder for the team.

Consider adding an early validation step to fail fast with a clear error message:

      - name: Validate Vercel secrets
        run: |
          if [ -z "$VERCEL_TOKEN" ]; then
            echo "ERROR: VERCEL_TOKEN secret is not set"
            exit 1
          fi
          if [ -z "$VERCEL_ORG_ID" ]; then
            echo "ERROR: VERCEL_ORG_ID secret is not set"
            exit 1
          fi
          if [ -z "$VERCEL_PROJECT_ID" ]; then
            echo "ERROR: VERCEL_PROJECT_ID secret is not set"
            exit 1
          fi

Add this step immediately after the setup-node step and before the Vercel CLI install.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5445fd9 and 80e725d.

📒 Files selected for processing (1)
  • .github/workflows/ci-cd.yml (1 hunks)
🔇 Additional comments (4)
.github/workflows/ci-cd.yml (4)

3-37: Good workflow structure with proper build foundation.

The build job is well-configured: uses --frozen-lockfile for reproducible dependencies, runs linting before build, and establishes a dependency that other jobs can wait on. The use of pnpm caching is efficient for CI/CD.


42-61: Good Docker registry security practices.

The docker-build-and-push job correctly restricts permissions (read contents, write packages) and uses GitHub-provided GITHUB_TOKEN for authentication to ghcr.io rather than storing credentials separately.


63-80: Docker image tagging and caching strategy is sound.

Using SHA-based tags alongside latest enables both rolling deployments and precise version tracking. GHA cache backend reduces build times on subsequent runs.


39-80: No action required — Dockerfile is correctly configured.

The verification confirms the Dockerfile exists at the repository root and is properly structured to package apps/api for deployment. The multi-stage build correctly:

  • Builds the shared package and API in the builder stage
  • Copies built artifacts to the production image
  • Generates the Prisma client at runtime
  • Exposes port 4000 and runs the API with CMD ["node", "dist/index.js"]

The build context (.) in the docker-build-and-push job aligns correctly with the Dockerfile structure.
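
An added example, not part of the review or the PR: a stdlib-only Python check for the pattern the first nitpick above describes, flagging `${{ secrets.* }}` expansions inside `run:` scripts (single-line and block form) while leaving `env:` mappings alone. The workflow text is a constructed sample, `find_inline_secrets` is a hypothetical helper name, and the scan is line-based rather than a full YAML parse.

```python
import re

# Constructed sample modelled on the "-" lines of the review's diff; the second
# step uses a multi-line script and the third already passes the token via env.
SAMPLE_WORKFLOW = """\
jobs:
  deploy-vercel:
    runs-on: ubuntu-latest
    steps:
      - name: Pull Vercel Environment Information
        run: vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}
        working-directory: ./apps/web
      - name: Build Project Artifacts
        run: |
          vercel build --prod \\
            --token=${{ secrets.VERCEL_TOKEN }}
      - name: Deploy Project Artifacts to Vercel
        run: vercel deploy --prebuilt --prod
        env:
          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def find_inline_secrets(workflow_text):
    """Return (line_number, secret_name) for each secret expanded inside a run: script."""
    findings = []
    block_indent = None  # indent of the run: key while inside a block scalar
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if block_indent is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= block_indent:
                block_indent = None  # dedent: the script block has ended
            else:
                findings += [(lineno, name) for name in SECRET_REF.findall(line)]
                continue
        match = RUN_KEY.match(line)
        if not match:
            continue
        dash = 2 if line.lstrip().startswith("- ") else 0
        body = match.group(2)
        if body[:1] in ("|", ">"):
            block_indent = len(match.group(1)) + dash
        else:
            findings += [(lineno, name) for name in SECRET_REF.findall(body)]
    return findings
```

On the sample, the two `--token=` lines are reported and the step that maps the secret under `env:` is not.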

@apsinghdev
Owner

Nice work! @Prasad-D-Ware I'll check it soon and will come back to you!

@Prasad-D-Ware
Author

Let me know if there are any changes needed. Thank you!
@apsinghdev
