Cicd pipeline setup megan azmanov#9

Merged: GabrielaBerimbau merged 17 commits into main from CICD_Pipeline_setup_MeganAzmanov, May 12, 2026

@Megan235
Contributor

Summary

Sets up the full CI/CD foundation for Mealchemy, including GitHub Actions workflows, Docker infrastructure, and local testing using ACT.

Workflows added

ci.yml runs on every pull request and blocks merging on failure:

  • Secret scanning with Gitleaks
  • Backend: Checkstyle lint, unit tests, integration tests (real PostgreSQL container, no mocking)
  • Engine: Ruff lint, Mypy type check, Pytest
  • Frontend: flutter analyze, flutter test
  • Docker security scan: builds both images and runs Trivy, fails on high/critical vulnerabilities (skipped in local act environment)
  • All action references pinned to SHA for supply chain security

wiki-sync.yml runs daily at 02:00 UTC or manually:

  • Pulls latest wiki changes and propagates the updated submodule pointer to all open branches except main
  • No rebase, uses plain git pull to preserve history

deploy-design-spec.yml triggers on push to main/dev when design-spec/** changes:

pr-labeler.yml + labeler.yml automatically labels PRs by changed files:

  • backend, frontend, engine, wiki, infrastructure labels applied based on which folders were touched

Docker infrastructure

Dockerfile.backend is a multi-stage Spring Boot build:

  • Builder stage compiles the JAR, runtime stage ships only the JRE and JAR
  • Non-root user, curl installed for Actuator health check
  • HEALTHCHECK hits /actuator/health

Dockerfile.engine is a multi-stage Python build:

  • Handles empty requirements.txt during early development
  • Non-root user, HEALTHCHECK hits /health via urllib
  • Placeholder main.py keeps the container alive with a minimal HTTP server until the real engine is implemented

docker-compose.yml is the local dev stack:

  • PostgreSQL and backend run by default
  • Engine is behind profiles: [engine] and is opt-in until implementation is ready
  • All credentials injected from .env, no hardcoded values
  • Health checks and resource limits on every service

Tooling and templates

  • .env.example - template for local Docker credentials
  • .secrets.example - template for local act secrets
  • .actrc - pre-configured for testing and includes Apple Silicon flags
  • backend/pom.xml - Checkstyle plugin added with google_checks.xml
  • frontend/analysis_options.yaml - activates flutter_lints ruleset
  • wiki - configured as a Git submodule pointing to the wiki repo

To implement:

  • cd.yml (continuous deployment) not yet implemented
  • Engine main.py is a placeholder and will be replaced when recommendation engine development begins
  • Branch Protection rules after this PR is accepted into main.

github-actions bot added the frontend, backend, engine, infrastructure, and wiki labels on May 12, 2026
@GabrielaBerimbau
Contributor

Looks great, thanks Megs. Will do an in-depth explanation in our meeting later.

@sofiafinlayson

Thank you, Megs, for the added workflows, Docker infrastructure, tooling and templates. Will look into the "to implement" section.

GabrielaBerimbau merged commit 94312cb into main on May 12, 2026 (12 checks passed)
Megan235 deleted the CICD_Pipeline_setup_MeganAzmanov branch on May 13, 2026 18:11