This document provides comprehensive information about the CI/CD pipeline configured for this React + Next.js + Tauri project.
The CI/CD pipeline is implemented using GitHub Actions and includes the following jobs:
- Code Quality & Security - Linting, type checking, and security audits
- Test Suite - Unit tests with coverage reporting
- Deploy Preview - Automatic preview deployments for pull requests
- Deploy Production - Production deployments (disabled by default)
- Build Tauri - Cross-platform desktop application builds
- Create Release - Automated GitHub releases for tagged versions
The pipeline runs on:
- Push to `main` or `develop` branches
- Pull requests to `main` or `develop` branches
- Tags starting with `v` (for releases)
Runs on: All pushes and pull requests
Duration: ~2-3 minutes
This job performs:
- ESLint code linting
- TypeScript type checking (`tsc --noEmit`)
- Security audit of dependencies (`pnpm audit`)
- Check for outdated dependencies
Note: Some steps continue on error to avoid blocking the pipeline for warnings.
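As an added illustration (not the project's actual `.github/workflows/ci.yml`), the job below implements the steps listed above with a read-only `GITHUB_TOKEN`, a lockfile-enforced install and an audit that fails only on high-severity findings. The action versions, the pnpm version and the exact lint/type-check commands are assumptions.

```yaml
name: CI
on:
  push:
    branches: [main, develop]
    tags: ['v*']
  pull_request:
    branches: [main, develop]

# Workflow-wide default: the GITHUB_TOKEN can only read the repository.
# Jobs that need more (for example, creating a release) request it explicitly.
permissions:
  contents: read

jobs:
  quality:
    name: Code Quality & Security
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 9            # assumption: adjust to the project's pnpm version
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm
      # --frozen-lockfile refuses to resolve anything not pinned in pnpm-lock.yaml,
      # so CI cannot silently install a package version the lockfile never recorded.
      - run: pnpm install --frozen-lockfile
      - name: ESLint
        run: pnpm exec eslint .
      - name: TypeScript type check
        run: pnpm exec tsc --noEmit
      # Fails only on high/critical advisories; lower severities are still
      # printed in the log without blocking the pipeline.
      - name: Security audit
        run: pnpm audit --audit-level=high
      # pnpm outdated exits non-zero whenever anything is outdated, so this
      # step is informational and must not fail the job.
      - name: Outdated dependencies
        run: pnpm outdated
        continue-on-error: true
```

The distinction worth keeping is which steps are allowed to continue on error: the outdated-dependency report is advisory, while the audit threshold is the one control that actually blocks a merge.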
Runs on: All pushes and pull requests
Duration: ~3-5 minutes
This job performs:
- Runs all Jest tests with coverage
- Generates multiple coverage report formats (HTML, LCOV, Cobertura, JUnit)
- Uploads coverage to Codecov (if configured)
- Posts coverage summary as PR comment
- Publishes test results with annotations
- Builds the Next.js application
- Checks bundle size
Coverage Thresholds:
- Branches: 60%
- Functions: 60%
- Lines: 70%
- Statements: 70%
Runs on: Pull requests only
Duration: ~2-3 minutes
Automatically deploys preview versions of the application for pull requests.
Required Secrets:
- `VERCEL_TOKEN` - Vercel deployment token
- `VERCEL_ORG_ID` - Vercel organization ID
- `VERCEL_PROJECT_ID` - Vercel project ID
Setup Instructions:
1. Install Vercel CLI: `npm i -g vercel`
2. Run `vercel login` and authenticate
3. Run `vercel link` in your project directory
4. Get your tokens:
   ```bash
   vercel whoami
   cat .vercel/project.json
   ```
5. Add secrets to GitHub repository settings
Runs on: Pushes to main branch (when enabled)
Duration: ~2-3 minutes
To Enable Production Deployments:
1. Set up GitHub Environment Protection:
   - Go to Settings > Environments
   - Create a new environment named `production`
   - Add required reviewers (recommended)
   - Add deployment branch restrictions (optional)
   - Add environment secrets
2. Configure Required Secrets:
   - `VERCEL_TOKEN`
   - `VERCEL_ORG_ID`
   - `VERCEL_PROJECT_ID`
3. Uncomment the job in `.github/workflows/ci.yml`
4. Update the environment URL to match your production domain
Additional Safety Measures:
- Consider requiring specific labels on commits
- Only deploy on tagged releases
- Add time-based deployment windows
- Require manual approval via GitHub Environments
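One way to wire the job once it is enabled, written here as an added example rather than the project's own workflow: it combines the `production` environment gate with the "only deploy on tagged releases" option above. The Vercel CLI invocation follows Vercel's documented `pull` / `build` / `deploy --prebuilt` sequence; the environment URL is a placeholder and the action versions are assumptions.

```yaml
jobs:
  deploy-production:
    name: Deploy Production
    runs-on: ubuntu-latest
    # Gate 1: only pushed version tags reach this job (pushes to main do not).
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
    # Gate 2: the "production" environment created under Settings > Environments.
    # Its required reviewers must approve before the environment secrets below
    # are injected into the run, and its branch/tag restriction must allow v* tags.
    environment:
      name: production
      url: https://example.invalid   # placeholder: replace with your production domain
    permissions:
      contents: read
    env:
      VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
      VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm i -g vercel
      - name: Pull production project settings
        run: vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}
      # Build in CI rather than on Vercel so the deployed output is exactly what
      # this checked-out tag produced.
      - name: Build
        run: vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}
      - name: Deploy prebuilt output
        run: vercel deploy --prebuilt --prod --token=${{ secrets.VERCEL_TOKEN }}
```

Keeping the Vercel secrets as environment secrets (rather than repository secrets) means a run that does not pass the `production` gate never receives them at all.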
Runs on: All pushes and pull requests
Duration: ~10-20 minutes per platform
Builds cross-platform desktop applications for:
- Linux (x86_64): AppImage and .deb packages
- Windows (x64): MSI and NSIS installers
- macOS (x64 and ARM64): DMG and .app bundles
Platform-Specific Requirements:
No additional setup required. System dependencies are installed automatically:
- libgtk-3-dev
- libwebkit2gtk-4.1-dev
- libappindicator3-dev
- librsvg2-dev
- patchelf
- libssl-dev
Optional Code Signing:
To enable code signing, add these secrets:
- `WINDOWS_CERTIFICATE` - Base64-encoded PFX certificate
- `WINDOWS_CERTIFICATE_PASSWORD` - Certificate password
How to prepare certificate:
```powershell
# Convert PFX to base64
$bytes = [System.IO.File]::ReadAllBytes("certificate.pfx")
$base64 = [System.Convert]::ToBase64String($bytes)
# Write plain ASCII with no trailing newline so the value pastes cleanly into the secret
# (Windows PowerShell's Out-File default encoding is UTF-16)
$base64 | Out-File -Encoding ascii -NoNewline certificate.txt
```
Optional Code Signing and Notarization:
To enable code signing and notarization, add these secrets:
- `APPLE_CERTIFICATE` - Base64-encoded .p12 certificate
- `APPLE_CERTIFICATE_PASSWORD` - Certificate password
- `APPLE_SIGNING_IDENTITY` - Developer ID Application identity
- `APPLE_ID` - Apple ID email
- `APPLE_PASSWORD` - App-specific password
- `APPLE_TEAM_ID` - Apple Developer Team ID
How to prepare certificate:
```bash
# Export certificate from Keychain as .p12
# Then convert to base64
base64 -i certificate.p12 -o certificate.txt
```
How to create app-specific password:
- Go to https://appleid.apple.com
- Sign in with your Apple ID
- Go to Security > App-Specific Passwords
- Generate a new password
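An added example of a matrix build job for this section (not the project's own workflow): it installs the Linux dependencies listed above and passes the macOS signing secrets to `tauri-apps/tauri-action` under the environment variable names Tauri reads. Windows certificate import is left out. The action versions, the pnpm version and the artifact paths are assumptions. GitHub supplies no repository secrets to pull requests from forks, so signing can only be expected on pushes and same-repository pull requests.

```yaml
jobs:
  build-tauri:
    name: Build Tauri (${{ matrix.platform }} ${{ matrix.args }})
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: ubuntu-22.04
            args: ''
          - platform: windows-latest
            args: ''
          - platform: macos-latest
            args: '--target aarch64-apple-darwin'
          - platform: macos-latest
            args: '--target x86_64-apple-darwin'
    runs-on: ${{ matrix.platform }}
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Install Linux system dependencies
        if: matrix.platform == 'ubuntu-22.04'
        run: |
          sudo apt-get update
          sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev \
            libappindicator3-dev librsvg2-dev patchelf libssl-dev
      - uses: dtolnay/rust-toolchain@stable
        with:
          # Both Apple targets are needed for the two macOS matrix entries.
          targets: ${{ matrix.platform == 'macos-latest' && 'aarch64-apple-darwin,x86_64-apple-darwin' || '' }}
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: src-tauri
      - uses: pnpm/action-setup@v4
        with:
          version: 9            # assumption: adjust to the project's pnpm version
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - uses: tauri-apps/tauri-action@v0
        env:
          # macOS signing and notarization inputs; these are the secret names
          # listed in the section above. They are empty on fork pull requests.
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        with:
          args: ${{ matrix.args }}
      - uses: actions/upload-artifact@v4
        with:
          # strategy.job-index keeps the two macOS entries from colliding on name
          name: tauri-${{ matrix.platform }}-${{ strategy.job-index }}
          retention-days: 30
          path: |
            src-tauri/target/**/bundle/appimage/*.AppImage
            src-tauri/target/**/bundle/deb/*.deb
            src-tauri/target/**/bundle/msi/*.msi
            src-tauri/target/**/bundle/nsis/*.exe
            src-tauri/target/**/bundle/dmg/*.dmg
```

Because `tauri-action` is invoked without a `tagName`, it only builds and bundles; creating the release is left to the separate release job so that this job can keep a read-only token.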
Tauri Configuration:
Update `src-tauri/tauri.conf.json` for code signing:
```json
{
  "bundle": {
    "macOS": {
      "signingIdentity": "Developer ID Application: Your Name (TEAM_ID)",
      "entitlements": "path/to/entitlements.plist"
    },
    "windows": {
      "certificateThumbprint": null,
      "digestAlgorithm": "sha256",
      "timestampUrl": "http://timestamp.digicert.com"
    }
  }
}
```
Runs on: Tags starting with `v` (e.g., `v1.0.0`)
Duration: ~1-2 minutes
Automatically creates a GitHub release with all built artifacts when you push a version tag.
How to Create a Release:
```bash
# Create and push a version tag
git tag v1.0.0
git push origin v1.0.0
```
The release will be created as a draft with:
- Auto-generated release notes
- All platform-specific installers attached
- Changelog based on commits since last tag
Review and publish the draft release manually after verifying the artifacts.
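For the release job, an added example (not the project's workflow) that downloads the `tauri-*` artifacts, writes a checksum file next to them and opens a draft release; the checksum step goes beyond what the page describes. It assumes a build job named `build-tauri` and the action versions shown.

```yaml
jobs:
  release:
    name: Create Release
    if: startsWith(github.ref, 'refs/tags/v')
    needs: [build-tauri]        # assumption: the name of the Tauri build job
    runs-on: ubuntu-latest
    # The only job that needs write access, and only to contents (releases).
    # Every other job keeps the read-only default.
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          pattern: tauri-*
          path: dist
          merge-multiple: true
      # Publish SHA-256 checksums alongside the installers so downloaders can
      # verify that what they fetched is what CI produced.
      - name: Generate checksums
        run: |
          cd dist
          find . -type f ! -name SHA256SUMS.txt -exec sha256sum {} + | sort -k2 > SHA256SUMS.txt
      - uses: softprops/action-gh-release@v2
        with:
          draft: true                   # reviewed and published manually
          generate_release_notes: true  # notes from commits since the last tag
          files: dist/**
```

Leaving `draft: true` is what gives a maintainer the chance to check the attached installers (and the checksum file) before anything becomes publicly downloadable.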
The pipeline uses multiple caching strategies to improve performance:
- pnpm Store Cache - Caches downloaded packages
- Next.js Build Cache - Caches Next.js build outputs
- Rust Cache - Caches Rust dependencies and build artifacts
Expected Speed Improvements:
- First run: ~15-25 minutes (full build)
- Cached runs: ~5-10 minutes (incremental build)
The pipeline uses concurrency groups to automatically cancel outdated workflow runs when new commits are pushed to the same branch or PR.
Configuration:
```yaml
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
```
All jobs upload artifacts that are retained for 7-30 days:
| Artifact | Retention | Description |
|---|---|---|
| `test-results` | 30 days | JUnit XML test results |
| `coverage-report` | 30 days | HTML coverage reports |
| `nextjs-build` | 7 days | Built Next.js application |
| `tauri-*` | 30 days | Platform-specific installers |
- Vercel: `VERCEL_TOKEN`, `VERCEL_ORG_ID`, `VERCEL_PROJECT_ID`
- Codecov: `CODECOV_TOKEN`
- Windows code signing: `WINDOWS_CERTIFICATE`, `WINDOWS_CERTIFICATE_PASSWORD`
- macOS code signing and notarization: `APPLE_CERTIFICATE`, `APPLE_CERTIFICATE_PASSWORD`, `APPLE_SIGNING_IDENTITY`, `APPLE_ID`, `APPLE_PASSWORD`, `APPLE_TEAM_ID`
- Check Node.js version matches (20.x)
- Ensure `pnpm-lock.yaml` is committed
- Check for environment-specific issues
- Review test logs in GitHub Actions
- Linux: Check system dependencies are installed
- Windows: Verify Rust toolchain is properly set up
- macOS: Check Xcode Command Line Tools are available
- Review Tauri configuration in `src-tauri/tauri.conf.json`
- Verify secrets are properly set in GitHub
- Check certificate validity and expiration
- Ensure signing identity matches certificate
- Review Tauri documentation for platform-specific requirements
- Verify all required secrets are set
- Check Vercel project configuration
- Review deployment logs in GitHub Actions
- Ensure build artifacts are generated correctly
- Always test locally before pushing
- Use feature branches for development
- Create pull requests for code review
- Tag releases with semantic versioning (v1.0.0)
- Review draft releases before publishing
- Monitor CI/CD costs and optimize as needed
- Keep dependencies updated regularly
- Review security audit results
View workflow runs at: https://github.com/YOUR_ORG/YOUR_REPO/actions
Configure in: Settings > Notifications > Actions
Add Slack notifications using the slack-send action.
- Free tier: 2,000 minutes/month for private repos
- Paid plans: Additional minutes available
- Use caching effectively (already implemented)
- Cancel outdated runs (already implemented)
- Run expensive jobs only when needed
- Consider self-hosted runners for heavy workloads