Workflows (markdown playbooks) to orchestrate the 4 specialised agents:
- README.md: index + shared conventions + future BYAN web integration
- build-story.md: full cycle to deliver 1 Phase 2 story (bridge-dev → bridge-tester → review → CI → deploy staging → business validation)
- sync-bidirec.md: event-driven Docmost ↔ Baserow sync (idempotence + anti-loop X-Bridge-Origin)
- release.md: semver release process (E2E staging → tag → approval → deploy prod → 30 min watch)
- incident.md: SEV1/2/3 response + blameless post-mortem + runbooks
- bump-deps.md: Dependabot PRs + major bumps + Docmost/Baserow upstream

Each workflow specifies: trigger, actors (agents + humans), ordered sequence with outputs, blocking human gates, rollback, comms templates.

Workflows = declarative playbooks for Claude main, which orchestrates the agents sequentially via the Agent tool. To be migrated later to BYAN web workflow runs once the BYAN runtime is fixed.

Full team for formation-hub:
- 4 specialised agents (bridge-dev, bridge-tester, acadenice-devops, docmost-fork-dev)
- 5 workflows orchestrating their collaboration
5.1 KiB
# Workflow: BUMP DEPENDENCIES

Process for updating dependencies (Dependabot PRs, manual bumps, CVE security fixes).
## Trigger

Any of the following:
- Automatic Dependabot PR (configured in `.github/dependabot.yml`)
- GitHub Security CVE alert
- Decided manual bump (e.g. moving Docmost from v0.8.x to v0.9.x)
- Monthly review cron (Corentin on call)
## Actors

- acadenice-devops (orchestrator)
- bridge-tester (post-bump validation)
- bridge-dev (fixes if a dependency introduces a breaking change)
- Corentin (decision-maker on major bumps)
## Bump categories

| Type | Frequency | Process |
|---|---|---|
| Security patch (CVE high/critical) | ASAP | Auto Dependabot + auto-merge if CI is green |
| Patch (1.2.3 → 1.2.4) | Weekly | Auto Dependabot + 5 min review + merge |
| Minor (1.2.x → 1.3.0) | Weekly | Auto Dependabot + review + tests + merge |
| Major (1.x.x → 2.0.0) | Manual | Dedicated feat branch, exhaustive tests, Corentin decides |
| Docmost upstream | Monthly or on signal from Yan/Corentin | Fork-specific process (see docmost-fork-dev) |
| Baserow upstream | Monthly or when the changelog is interesting | Pin the new version, test compose, deploy staging |
| Postgres major | At most yearly, planned | Mandatory backup + migration test + restore test + careful deploy |
| Node LTS | Every 2 years (LTS change) | Exhaustive bridge tests, possible refactor |
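The "auto-merge if CI is green" rule in the security row is stated but not shown. The GitHub Actions workflow below is an added example, not a file from this repository: it enables auto-merge only on Dependabot PRs that resolve an open Dependabot alert with CVSS >= 7.0, so patch/minor/major PRs still fall through to the human review described in the other rows. The file name, the `security-events: read` permission for the alert lookup, and the assumption that the PR lives on the GitHub mirror where Dependabot runs are all assumptions of this example.

```yaml
# .github/workflows/dependabot-automerge.yml (added example; file name assumed)
name: Dependabot auto-merge (security patches only)

on: pull_request            # deliberately not pull_request_target: PR code never sees secrets

permissions:
  contents: write           # needed by `gh pr merge`
  pull-requests: write
  security-events: read     # assumed: lets fetch-metadata read the matching Dependabot alert

jobs:
  automerge:
    # Only PRs authored by Dependabot itself qualify; a human PR titled like a bump does not.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata
        id: meta
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          alert-lookup: true          # populates alert-state / ghsa-id / cvss outputs

      # Gate = the "Security patch (CVE high/critical)" row: an OPEN alert with CVSS >= 7.0.
      # An empty cvss (no alert) compares as 0, so plain version bumps are skipped.
      - name: Enable auto-merge for high/critical security fixes
        if: >-
          steps.meta.outputs.alert-state == 'OPEN' &&
          steps.meta.outputs.cvss >= 7.0
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

`gh pr merge --auto` only queues the merge; GitHub performs it once every required status check on the branch passes. "CI is green" is therefore enforced by branch protection, not by this workflow: the ci.yml jobs (tests, lint, security scan, docker build) must be marked as required checks on `main`, otherwise the merge can land before they finish.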
## Sequence: Patch / Minor (auto Dependabot)

[1] Dependabot PR created (automatic, weekly on Monday at 06:00)
- Configured in `.github/dependabot.yml`
- PR includes the package changelog + diff
- Output: PR open on Forgejo + GitHub mirror
[2] CI runs automatically
- ci.yml workflow runs on the PR
- Tests + lint + security scan + docker build
- Output: CI status
[3] Human review (Corentin, 5-10 min)
- Read the package changelog
- Assess potential impact
- If new type / breaking change: check the tests
- Output: decision merge / hold / close
[4] If CI is green + review OK: merge (squash)
- Branch auto-deleted
- Output: commit on main
[5] Auto deploy to staging (deploy-staging.yml workflow)
- Phase 0/1: workflow_dispatch only
- Phase 2+: automatic on push to main
- Output: working staging, or alert on failure
## Sequence: Major (manual)

[1] Decision (Corentin)
- Read the package's official changelog / upgrade guide
- Identify breaking changes
- Decide: bump now or wait
- Output: go/no-go
[2] Feature branch (bridge-dev)
- feat/bump-<package>-vX.Y
- Bump in package.json
- npm install + commit the lockfile
- Output: branch with the bump
[3] Code migration (bridge-dev)
- Adapt the code to the breaking changes
- Run tests: npm test
- Fix iteratively until green
- Output: adapted code
[4] Exhaustive tests (bridge-tester)
- Run unit + integration: npm test
- Run E2E on staging if Phase 2.3+
- Check coverage is maintained (>= 80% domain)
- Output: test report
[5] Staging validation (Corentin)
- Deploy to staging
- Exercise the critical flows
- Output: staging sign-off
[6] PR + merge (see workflow build-story.md, steps [4]-[7])
[7] Deploy to prod (see workflow release.md)
- Follows the standard release process with its watch period
- Output: prod deployed
## Sequence: Docmost / Baserow upstream

[1] Detect the new version (Corentin, via GitHub release watch)
[2] Read the official release notes
[3] Test on a cloned environment: pull the image + restore a data backup → smoke test
[4] If OK: update compose.yml or Dockerfile.fork
[5] Standard release process (see release.md)
[6] If KO: report upstream (issue) or wait for the next release

See the BYAN workflow docker-stack-safe-upgrade (id 75abc7aa-8ba7-47ce-b6b8-bf5573e82f62) for stateful bumps in prod (12 phases with gates).
## Human gates

| Gate | Decision | Owner |
|---|---|---|
| Dependabot PR review (step 3) | merge / hold / close | Corentin |
| Major bump decision (step 1) | go / no-go | Corentin |
| Staging validation (step 5) | OK / sent back | Corentin |
## Rollback / error handling

| Scenario | Action |
|---|---|
| CI red on a Dependabot PR | hold the PR, analyse the logs, decide fix or close |
| Major bump introduces a regression CI did not catch | rollback (revert commit + redeploy) + add a regression test |
| Docmost upgrade breaks data | restore the pre-upgrade backup + downgrade the image + investigate |
## Frequency and planning

- Monday morning: review Dependabot PRs (15-30 min, Corentin)
- 1st of the month: audit security alerts + capacity planning + DR test
- Quarterly: review candidate major bumps (Node, Postgres, Hono, Tiptap, etc.)
## Outputs

- package.json + lockfile up to date
- CI green after the bump
- Tests + coverage maintained
- CHANGELOG.md updated if user-facing
- For a major bump: internal migration doc in `docs/migrations/<package>-vX.md`
## Notes

- Dependabot configured in `.github/dependabot.yml` (already done):
  - npm ecosystem (bridge/): weekly
  - github-actions ecosystem: weekly
  - docker ecosystem (compose): weekly
  - Open Dependabot PR limit: 10 max (avoids spam)
  - Group production-deps and dev-deps separately
- No prod bump on Fridays (tradition + same reason as for releases)
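A `.github/dependabot.yml` matching the notes above, as an added example reconstructed for this page rather than the repository's actual file (which is not shown): the `/bridge` and `/` directories, the `Europe/Paris` timezone and the Monday 06:00 slot are assumptions.

```yaml
# .github/dependabot.yml -- added example reconstructed from the notes,
# not the repository's own file. Directories and timezone are assumptions.
version: 2
updates:
  # npm ecosystem for the bridge service (directory "/bridge" assumed)
  - package-ecosystem: "npm"
    directory: "/bridge"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Paris"   # assumed
    open-pull-requests-limit: 10  # caps version-update PRs only (see note below)
    # Separate PRs for runtime vs tooling deps: a regression in a production
    # dependency is reviewed on its own, not buried among dev-only bumps.
    groups:
      production-deps:
        dependency-type: "production"
      dev-deps:
        dependency-type: "development"

  # Pin bumps for the actions used by ci.yml / deploy-staging.yml
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Paris"
    open-pull-requests-limit: 10

  # Base images referenced by the stack (root directory assumed)
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Paris"
    open-pull-requests-limit: 10
```

Two caveats worth knowing when reading this file against the bump categories table: Dependabot security updates (the "CVE high/critical" row) ignore the weekly `schedule` and are opened as soon as an alert matches, and `open-pull-requests-limit` does not cap them, only the scheduled version updates. The `docker` ecosystem tracks image tags in Dockerfiles; if the images are only referenced in compose files, Dependabot's separate `docker-compose` ecosystem is the one to use.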