ADR-024: Azure Demo VM Deploy from GitHub Actions
Operationalises ADR-022 §3 (Phase 3f) for the dev tier: the stable demo VM at dev-azure.securityv0.com deploys on every main CI success via Azure Run Command using a new tightly-scoped Entra app + OIDC federation from GitHub Actions. No SSH key in the deploy path. Hetzner stays warm as fallback during cutover (no behavior change on the Hetzner side). PR-preview ephemeral VMs are explicitly out of scope; the design for that surface is banked in [docs/infrastructure/azure-ephemeral-pr-previews-design.md](../../infrastructure/azure-ephemeral-pr-previews-design.md) for re-activation when triggered.
ADR-030: CI Cost & Build-Architecture Strategy
Controls GitHub Actions minute consumption by cutting per-run cost, not PR count. The org's 50k included-minute pool is effectively a single-repo pool that follows active development; in May 2026 sv0-platform's ci.yml alone was ~80% of it (~36k measured minutes), dominated by a tail of multi-arch (amd64+arm64-via-QEMU) image builds that HUNG for hours on PR pushes (67 runs over 300 min, worst 18h). Decision: amd64-only image builds on PRs (multi-arch stays on main/release tags), cancel superseded PR runs, path-gate the non-required image build, and cap heavy jobs with timeout-minutes. Keeps the PR-per-change workflow intact. Shipped in sv0-platform#1301 (issue #1300); timeout follow-up pending.
Auto-Fix CI Failures with Claude
Plan to add automated Claude-driven analysis and auto-fix of simple CI failures across the three sv0 repos, with reviewer-agent gating before human merge.
Azure Ephemeral PR-Preview VMs — Deferred Design
Deferred design for ephemeral Azure PR-preview VMs with a cap-of-3 hard-fail policy, deployment-stacks lifecycle, drift sweeper, and composite RBAC. NOT active infrastructure — the implementation work was cut from ADR-024 (2026-05-14) on the grounds that (a) Hetzner already runs PR previews and (b) no concrete trigger demands the move. This document preserves the design so it can be lifted into an active ADR when a trigger materialises (Hetzner OOM pattern, partner with concurrent-review load, regulatory data-residency requirement, etc.). Lives in docs/infrastructure/ alongside operational infra docs but is distinguishable by the `-design` filename suffix and `status: deferred` frontmatter.
CI/CD Operations
GitHub Actions workflows across the SecurityV0 workspace. All repos live under the securityv0 GitHub organization.
CI/CD Strategy Research
Comprehensive CI/CD strategy for sv0-platform deployment and sv0-connectors scan pipelines, including secrets management evaluation (GitHub Secrets, SOPS+age, Tailscale, Vault, Doppler, self-hosted...
Deployment and Cloud Strategy Research
Deployment strategy options for SecurityV0 from MVP to production scale, including container orchestration paths, observability/logging tradeoffs, CLI operability, and CI/CD automation
Recurring Automations
Registry of recurring automations and scheduled routines across SecurityV0 — what runs unattended, when, where, who owns it, and how to pause it
Self-Hosted GitHub Actions Runner — Mac Mini
Plan for an isolated self-hosted GitHub Actions runner on a Mac mini to eliminate the Actions minutes billing limit