This directory contains the Continuous Integration and Continuous Deployment (CI/CD) configuration for the Case Law Explorer project.
Our CI/CD pipeline is built using GitHub Actions and provides automated testing, linting, security scanning, and deployment capabilities.
Trigger: Push to main or develop, Pull Requests
Jobs:
- Runs code formatting checks with Black
- Checks import sorting with isort
- Validates Python code style with Flake8
- Ensures code quality standards
- Runs unit tests with pytest
- Generates code coverage reports
- Uploads coverage to Codecov
- Checks Airflow DAG syntax
- Ensures all DAGs can be parsed
- Validates DAG structure
- Tests Docker image building
- Verifies image can run successfully
- Caches Docker layers for faster builds
- Scans dependencies for known vulnerabilities (Safety)
- Runs security linting (Bandit)
- Generates security reports
- Detects merge conflict markers
- Prevents merging conflicted code
- Verifies required documentation files exist
- Checks for broken links in markdown files
- Aggregates all job results
- Provides clear pass/fail status
- Blocks merge on critical failures
Status Badge: Add to README
Trigger: Git tags (e.g., v1.0.0), Releases
Purpose: Automatically builds and publishes Docker images to GitHub Container Registry
Steps:
- Builds Docker image from
airflow/Dockerfile - Tags image with version number
- Pushes to
ghcr.io/maastrichtlawtech/case-law-explorer - Generates build attestation for security
Usage:
# Pull published image
docker pull ghcr.io/maastrichtlawtech/case-law-explorer:v1.0.0
# Use in docker-compose
image: ghcr.io/maastrichtlawtech/case-law-explorer:latestTrigger: Pull Requests to main or develop
Purpose: Automatically reviews dependency changes for security and licensing issues
Features:
- Detects vulnerable dependencies
- Flags GPL-3.0 and AGPL-3.0 licenses
- Fails on moderate or higher severity issues
Configuration file: .pre-commit-config.yaml
# Install pre-commit
pip install pre-commit
# Set up git hooks
pre-commit install
# Run manually on all files
pre-commit run --all-files-
General Checks
- Remove trailing whitespace
- Fix end of file
- Check YAML syntax
- Detect large files (>1MB)
- Detect private keys
-
Python
- Black (code formatter)
- isort (import sorter)
- Flake8 (style checker)
- pydocstyle (docstring checker)
- Bandit (security)
-
Docker
- hadolint (Dockerfile linter)
-
Documentation
- Markdown linter
- YAML formatter
-
Security
- Secret detection
# Skip hooks for a specific commit (not recommended)
git commit --no-verify -m "message"Location: .github/PULL_REQUEST_TEMPLATE.md
Sections:
- Description of changes
- Type of change
- Related issues
- Testing performed
- Checklist for code quality, testing, documentation
- Deployment notes
Usage: Automatically loaded when creating a PR
Use when: Reporting a bug or error
Includes:
- Bug description
- Steps to reproduce
- Expected vs actual behavior
- Environment details
- Error messages and logs
Use when: Proposing new functionality
Includes:
- Feature description
- Problem statement
- Proposed solution
- Use cases
- Implementation considerations
Bandit security scanner configuration
Key Settings:
- Excludes test directories
- Skips overly strict tests (e.g., asserts)
- Medium severity and confidence levels
Pre-commit hooks configuration
Key Settings:
- Python 3.11 as target version
- Line length: 100 characters
- Black profile for isort
- Google convention for docstrings
-
Before Committing
# Run pre-commit checks pre-commit run --all-files # Run tests locally pytest tests/ # Validate DAGs python airflow/dags/your_dag.py
-
Creating Pull Requests
- Fill out PR template completely
- Ensure all CI checks pass
- Request review from maintainers
- Address review comments promptly
-
Resolving CI Failures
- Check workflow logs in GitHub Actions
- Fix issues locally and push updates
- Re-run failed jobs if transient failure
-
Merging Pull Requests
- Require all checks to pass
- Use "Squash and merge" for clean history
- Delete branch after merge
-
Creating Releases
# Create and push tag git tag -a v1.0.0 -m "Release version 1.0.0" git push origin v1.0.0 # This triggers docker-publish workflow
-
Monitoring CI/CD
- Check GitHub Actions regularly
- Review security scan results
- Update dependencies periodically
Cause: Workflow file syntax error or wrong branch
Solution:
- Validate YAML syntax
- Check branch filters in
on:section - Ensure workflow is on correct branch
Cause: Dockerfile errors or dependency issues
Solution:
- Check Dockerfile syntax
- Verify requirements.txt has compatible versions
- Test build locally:
cd airflow docker build -t test .
Cause: Running on large codebase
Solution:
- Use
--filesflag for specific files - Skip hooks for large files
- Configure hook to run on changed files only
Common Errors:
- E501: Line too long (max 100 chars)
- E203: Whitespace before ':'
- W503: Line break before binary operator
Solution:
# Auto-fix with black
black airflow/dags/
# Check remaining issues
flake8 airflow/dags/-
Testing
- Add comprehensive unit tests
- Implement integration tests
- Add E2E tests for DAGs
-
Deployment
- Add staging environment
- Implement blue-green deployment
- Add rollback automation
-
Monitoring
- Integrate with monitoring tools
- Add performance benchmarks
- Track deployment metrics
-
Security
- Add SAST (Static Application Security Testing)
- Implement secret scanning
- Add container scanning
- GitHub Actions Documentation
- Pre-commit Documentation
- Black Code Formatter
- Flake8 Style Guide
- Bandit Security
For issues with CI/CD:
- Check workflow logs in GitHub Actions
- Review this documentation
- Check TROUBLESHOOTING.md
- Create an issue using the bug report template
Last Updated: October 2025