E-007: CI/CD & First Deployment
Status: In Progress
Owner: @bilal @deen
Priority: P1 — Ship to Production
Last Updated: 2026-02-22
Objective
Get the application deployed to production with a reliable CI/CD pipeline.
What’s Done
- CI-001: Basic CI workflow (lint + test on PR)
- DEPLOY-001: Supabase cloud project (cslpfplavhdkfprrmwno); migrations run on deploy
- DEPLOY-002: Cloudflare Workers deployment (via @opennextjs/cloudflare, wrangler deploy)
- DEPLOY-004: Production secrets (GitHub Actions secrets + wrangler secrets configured)
- DEPLOY-005: Domain + DNS + CORS (app.ehq.tech → Cloudflare Workers, Terraform-managed)
- Cloudflare Access ZTNA (email OTP auth gate for dashboard)
- Hyperdrive connection pooling (Supabase Postgres)
- Terraform IaC for dashboard + brain infrastructure
- Brain docs site deployed to Cloudflare Pages (brain.ehq.tech)
What’s Next
| Task | ID | Description | Status |
|---|---|---|---|
| Build step in CI | CI-002 | Add type-check + build to GitHub Actions | Next |
| Health check endpoint | DEPLOY-003 | GET /api/health — checks DB + LLM availability | Next |
| Security scanning | CI-003 | Trufflehog (secrets), Semgrep (SAST), pnpm audit (deps) | Planned |
| Error monitoring | DEPLOY-006 | Sentry SDK, source maps | Planned |
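Sketch of DEPLOY-003, added here as an example and not taken from the project's code base. The app is Next.js on Workers, so the handler is written in TypeScript in the shape an App Router route would use. It probes the DB and the LLM provider with a per-check timeout, returns 200 only when every dependency passes and 503 otherwise, and deliberately reports only pass/fail and latency per dependency, never the underlying error, since anything that can reach the endpoint would otherwise see hostnames or provider error bodies. The names runCheck, summarize and healthHandler, and the stand-in probes, are assumptions for this example.

```typescript
// Added example for DEPLOY-003; not the project's own code. A GET /api/health
// handler that probes the database and the LLM provider with a per-check
// timeout and reports only pass/fail per dependency. The probe functions and
// the names runCheck/summarize/healthHandler are assumptions for this example.

type CheckResult = { name: string; ok: boolean; latencyMs: number };
type HealthBody = {
  status: "ok" | "degraded";
  checks: Record<string, { ok: boolean; latencyMs: number }>;
};
type HealthResponse = { status: number; headers: Record<string, string>; body: HealthBody };

// Race a probe against a timeout. A throw or a timeout is a failed check.
// The error itself is dropped on purpose: this endpoint is meant to be hit
// by monitoring tools, so it must not echo connection strings, hostnames
// or provider error bodies back to whoever can reach it.
async function runCheck(
  name: string,
  probe: () => Promise<unknown>,
  timeoutMs: number,
): Promise<CheckResult> {
  const started = Date.now();
  let timer: ReturnType<typeof setTimeout> | undefined;
  const timeout = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(new Error("timeout")), timeoutMs);
  });
  try {
    await Promise.race([probe(), timeout]);
    return { name, ok: true, latencyMs: Date.now() - started };
  } catch {
    return { name, ok: false, latencyMs: Date.now() - started };
  } finally {
    if (timer !== undefined) clearTimeout(timer);
  }
}

// Pure aggregation, kept separate so it can be unit-tested without I/O.
// 200 only when at least one check ran and every check passed; otherwise
// 503 so an uptime monitor or load balancer treats the instance as down.
function summarize(results: CheckResult[]): HealthResponse {
  const checks: HealthBody["checks"] = {};
  for (const r of results) checks[r.name] = { ok: r.ok, latencyMs: r.latencyMs };
  const healthy = results.length > 0 && results.every((r) => r.ok);
  return {
    status: healthy ? 200 : 503,
    // no-store: a cached "ok" from a CDN or browser would mask an outage.
    headers: { "content-type": "application/json", "cache-control": "no-store" },
    body: { status: healthy ? "ok" : "degraded", checks },
  };
}

// The handler takes its probes as arguments so it can run without network.
// In app/api/health/route.ts the exported GET would call this with the real
// probes and return new Response(JSON.stringify(r.body), { status: r.status, headers: r.headers }).
async function healthHandler(
  probes: { db: () => Promise<unknown>; llm: () => Promise<unknown> },
  timeoutMs = 2000,
): Promise<HealthResponse> {
  const results = await Promise.all([
    runCheck("db", probes.db, timeoutMs),
    runCheck("llm", probes.llm, timeoutMs),
  ]);
  return summarize(results);
}

// Constructed stand-in probes for a local run. Real ones would be a cheap
// SELECT 1 through Hyperdrive and a model-list call against the LLM API
// (not a completion, which would spend tokens on every poll).
const okProbe = async (): Promise<string> => "ok";
const hangingProbe = (): Promise<never> => new Promise<never>(() => {});
const failingProbe = async (): Promise<never> => {
  throw new Error("connection refused");
};

healthHandler({ db: okProbe, llm: hangingProbe }, 100).then((r) => {
  console.log(r.status, JSON.stringify(r.body)); // 503; checks.llm.ok is false
});
```

Two practical notes. The dashboard sits behind Cloudflare Access, so an external probe such as the planned UptimeRobot check will be answered by the Access login page rather than this handler unless the Access application has a bypass policy or a service token for /api/health; without that, the monitor measures the auth gate, not the app. And the smoke test step in the pipeline can simply assert a 200 from this path after `wrangler deploy`, which also exercises the Hyperdrive binding and the production LLM key end to end.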
Pipeline Design
PR → Lint + Type-Check → Tests → Build → Security Scan → AI Code Review
→ (on merge to main) → DB Migrations → Deploy to Cloudflare Workers → Smoke Tests
Infrastructure
| Component | Service |
|---|---|
| Hosting | Cloudflare Workers (via @opennextjs/cloudflare) |
| Connection Pool | Cloudflare Hyperdrive |
| Auth Gate (ZTNA) | Cloudflare Access (email OTP) |
| Database | Supabase Cloud |
| Domain | ehq.tech (app.ehq.tech, brain.ehq.tech) |
| IaC | Terraform Cloud + Cloudflare provider |
| CI/CD | GitHub Actions |
| Errors | Sentry (planned) |
| Uptime | UptimeRobot (planned) |
Dependencies
- Domain registration (ehq.tech): Done
- Supabase cloud project: Done
- LLM API keys for production (configured)