Wiki/.claude/workflows/bump-deps.md
Corentin JOGUET 460f7effe0
feat(workflows): create 5 BYAN workflows for agent collaboration
Workflows (markdown playbooks) to orchestrate the 4 specialized agents:

- README.md: index + shared conventions + future BYAN web integration
- build-story.md: full cycle to deliver 1 Phase 2 story (bridge-dev → bridge-tester → review → CI → deploy staging → business validation)
- sync-bidirec.md: event-driven Docmost ↔ Baserow sync (idempotence + X-Bridge-Origin anti-loop)
- release.md: semver release process (E2E staging → tag → approval → deploy prod → 30min watch)
- incident.md: SEV1/2/3 response + blameless post-mortem + runbooks
- bump-deps.md: Dependabot PRs + major bumps + Docmost/Baserow upstream

Each workflow specifies: trigger, actors (agents + humans), ordered sequence
with outputs, blocking human gates, rollback, comms templates.

Workflows = declarative playbooks for Claude main, which orchestrates the agents
via the sequential Agent tool. To be migrated later to BYAN web workflow runs
once the BYAN runtime is fixed.

Complete team for formation-hub:
- 4 specialized agents (bridge-dev, bridge-tester, acadenice-devops, docmost-fork-dev)
- 5 workflows orchestrating their collaboration
2026-05-07 19:30:48 +02:00


# Workflow: BUMP DEPENDENCIES
Process for updating dependencies (Dependabot PRs, manual bumps, CVE security fixes).
## Trigger
Any of the following:
- Automatic Dependabot PR (configured in `.github/dependabot.yml`)
- GitHub Security CVE alert
- Manual bump decision (e.g. moving Docmost from v0.8.x to v0.9.x)
- Monthly review cron (Corentin on call)
## Actors
- **acadenice-devops** (orchestrator)
- **bridge-tester** (post-bump validation)
- **bridge-dev** (fixes when a dependency bump introduces a breaking change)
- **Corentin** (decision maker for major bumps)
## Bump categories
| Type | Frequency | Process |
|------|-----------|---------|
| **Security patch** (CVE high/critical) | ASAP | Automatic Dependabot PR + auto-merge if CI is green |
| **Patch** (1.2.3 → 1.2.4) | Weekly | Automatic Dependabot PR + 5 min review + merge |
| **Minor** (1.2.x → 1.3.0) | Weekly | Automatic Dependabot PR + review + tests + merge |
| **Major** (1.x.x → 2.0.0) | Manual | Dedicated feat branch, exhaustive tests, Corentin decides |
| **Docmost upstream** | Monthly or on a signal from Yan/Corentin | Fork-specific process (see docmost-fork-dev) |
| **Baserow upstream** | Monthly or when the changelog is interesting | Pin the new version, test compose, deploy staging |
| **Postgres major** | At most yearly, planned | Mandatory backup + migration test + restore + careful deploy |
| **Node LTS** | Every 2 years (LTS change) | Exhaustive bridge tests, possible refactor |
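As an added example (not a file from this repository), one way to implement the "auto-merge if CI is green" rule of the Security patch and Patch rows while keeping Minor and Major on the human review path. It assumes GitHub Actions on the GitHub mirror, the `dependabot/fetch-metadata` action with its `update-type` and `alert-state` outputs, and a branch-protection rule on `main` that lists the ci.yml jobs as required status checks, which is what makes `gh pr merge --auto` wait for a green CI instead of merging immediately.

```yaml
# .github/workflows/dependabot-automerge.yml (added example, assumed path)
name: Dependabot auto-merge
# pull_request (not pull_request_target) and no checkout step: the PR's own code
# never runs with the write token granted below.
on: pull_request
permissions:
  contents: write
  pull-requests: write
jobs:
  automerge:
    # Only Dependabot's own PRs; anything else is left to the human review path
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - id: meta
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Patch bumps, or PRs tied to a security alert (alert-state is only set for those);
      # minor and major updates fall through and wait for the Monday review.
      - if: >-
          steps.meta.outputs.update-type == 'version-update:semver-patch' ||
          steps.meta.outputs.alert-state != ''
        run: gh pr merge --auto --squash --delete-branch "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Without the required-checks rule on the branch, `--auto` degrades to an immediate merge, so the branch protection is part of the control, not an optional extra.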
## Sequence — Patch / Minor (automatic Dependabot)
```
[1] Dependabot creates the PR (automatic, weekly on Monday 06:00)
- Configured in .github/dependabot.yml
- PR includes the package changelog + diff
- Output: PR open on Forgejo + GitHub mirror
[2] CI runs automatically
- ci.yml workflow runs on the PR
- Tests + lint + security scan + docker build
- Output: CI status
[3] Human review (Corentin, 5-10 min)
- Read the package changelog
- Check the potential impact
- If new type / breaking change: check the tests
- Output: decision merge / hold / close
[4] If CI is green + review OK: merge (squash)
- Branch auto-deleted
- Output: commit on main
[5] Automatic staging deploy (deploy-staging.yml workflow)
- Phase 0/1: workflow_dispatch only
- Phase 2+: automatic on push to main
- Output: working staging, or alert on failure
```
## Sequence — Major (manual)
```
[1] Decision (Corentin)
- Read the package's official changelog / upgrade guide
- Identify breaking changes
- Decide: bump now or wait
- Output: go/no-go
[2] feat branch (bridge-dev)
- feat/bump-<package>-vX.Y
- Bump in package.json
- npm install + commit the lockfile
- Output: branch with the bump
[3] Code migration (bridge-dev)
- Adapt the code to the breaking changes
- Run tests: npm test
- Iterate on fixes until green
- Output: adapted code
[4] Exhaustive tests (bridge-tester)
- Run unit + integration: npm test
- Run E2E on staging if Phase 2.3+
- Check coverage is maintained (>= 80% domain)
- Output: test report
[5] Staging validation (Corentin)
- Deploy staging
- Test the critical flows
- Output: staging sign-off
[6] PR + merge (see workflow build-story.md, steps [4]-[7])
[7] Prod deploy (see workflow release.md)
- Follows the standard release process with watch period
- Output: prod deployed
```
## Sequence — Docmost / Baserow upstream
```
[1] Detect the new version (Corentin via GitHub release watch)
[2] Read the official release notes
[3] Test on a cloned env: pull image + restore data backup → smoke test
[4] If OK: update compose.yml or Dockerfile.fork
[5] Standard release process (see release.md)
[6] If KO: report upstream (issue) or wait for the next release
```
See the BYAN workflow `docker-stack-safe-upgrade` (id `75abc7aa-8ba7-47ce-b6b8-bf5573e82f62`) for stateful bumps in prod (12 phases with gates).
## Human gates
| Gate | Decision | Owner |
|------|----------|-------|
| Dependabot PR review (3) | merge / hold / close | Corentin |
| Major decision (1) | go / no-go | Corentin |
| Staging validation (5) | OK / send back | Corentin |
## Rollback / error handling
| Scenario | Action |
|----------|--------|
| Red CI on a Dependabot PR | hold the PR, analyse the logs, decide fix or close |
| Major bump introduces a regression not caught by CI | rollback (revert commit + redeploy) + add a regression test |
| Docmost upgrade breaks data | restore the pre-upgrade backup + downgrade the image + investigate |
## Frequency and schedule
- **Monday morning**: review Dependabot PRs (15-30 min, Corentin)
- **1st of the month**: security alerts audit + capacity planning + DR test
- **Quarterly**: review possible major bumps (Node, Postgres, Hono, Tiptap, etc.)
## Outputs
- package.json + lockfile up to date
- Green CI post-bump
- Tests + coverage maintained
- CHANGELOG.md updated if user-facing
- For a major bump: internal migration doc in `docs/migrations/<package>-vX.md`
## Notes
- Dependabot configured in `.github/dependabot.yml` (already done):
  * Ecosystem npm (bridge/): weekly
  * Ecosystem github-actions: weekly
  * Ecosystem docker (compose): weekly
- Dependabot open PR limit: 10 max (avoid spam)
- Production deps and dev deps grouped separately
- **No prod bump on Fridays** (tradition + same reason as for releases)
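An added example (not the repository's actual `.github/dependabot.yml`) showing a configuration that matches the notes above: three weekly ecosystems on the Monday 06:00 slot from the patch/minor sequence, the 10 open PR cap, and production and dev dependencies grouped separately. The directories and the `Europe/Paris` timezone are assumptions.

```yaml
# .github/dependabot.yml (added example; directories and timezone are assumed)
version: 2
updates:
  # Bridge npm deps: one grouped PR for prod deps and one for dev deps per week,
  # so a production-affecting bump is reviewed on its own.
  - package-ecosystem: "npm"
    directory: "/bridge"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Paris"
    open-pull-requests-limit: 10
    groups:
      production-deps:
        dependency-type: "production"
      dev-deps:
        dependency-type: "development"
  # Pinned action versions used by ci.yml and deploy-staging.yml
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Paris"
    open-pull-requests-limit: 10
  # Image tags in the Dockerfiles (Docmost/Baserow upstream bumps stay manual, see above)
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Paris"
    open-pull-requests-limit: 10
```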