feat(config): implement commitlint + husky with controlled github actions

- add commitlint with conventional commit format requiring scopes
- set up husky pre-commit hook to block multi-project commits
- update github actions to run conditionally based on commit scope
- firebase admin deploy only runs for (admin|config) commits
- cloud run web deploy only runs for (web|config) commits
- add npm scripts for commit format examples

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: Lukecsharpwalker

.github/workflows/firebase-admin-deploy.yml

@@ -4,23 +4,49 @@ on:
   push:
     branches:
       - main
-    paths:
-      - 'projects/admin/**'
-      - 'firebase.json'
-      - '.firebaserc'
-      - 'package*.json'
   pull_request:
     branches:
       - main
-    paths:
-      - 'projects/admin/**'
-      - 'firebase.json'
-      - '.firebaserc'
-      - 'package*.json'
 
 jobs:
+  check-commit:
+    runs-on: ubuntu-latest
+    outputs:
+      should-run: ${{ steps.check.outputs.should-run }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check commit message
+        id: check
+        run: |
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+            COMMITS=$(git rev-list --no-merges ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }})
+          else
+            COMMITS="${{ github.sha }}"
+          fi
+          
+          should_run=false
+          for commit in $COMMITS; do
+            message=$(git log --format=%B -n 1 $commit)
+            echo "Checking commit: $commit"
+            echo "Message: $message"
+            
+            if echo "$message" | grep -E "^[^(]+\((admin|config)\):" > /dev/null; then
+              should_run=true
+              break
+            fi
+          done
+          
+          echo "should-run=$should_run" >> $GITHUB_OUTPUT
+          echo "Admin workflow should run: $should_run"
+
   build-and-deploy:
     runs-on: ubuntu-latest
+    needs: check-commit
+    if: needs.check-commit.outputs.should-run == 'true'
 
     steps:
       - name: Checkout code

.github/workflows/google-cloudrun-docker.yml

@@ -6,8 +6,34 @@ on:
       - main
 
 jobs:
+  check-commit:
+    runs-on: ubuntu-latest
+    outputs:
+      should-run: ${{ steps.check.outputs.should-run }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check commit message
+        id: check
+        run: |
+          message=$(git log --format=%B -n 1 ${{ github.sha }})
+          echo "Checking commit: ${{ github.sha }}"
+          echo "Message: $message"
+          
+          should_run=false
+          if echo "$message" | grep -E "^[^(]+\((web|config)\):" > /dev/null; then
+            should_run=true
+          fi
+          
+          echo "should-run=$should_run" >> $GITHUB_OUTPUT
+          echo "Web workflow should run: $should_run"
   test:
     runs-on: ubuntu-latest
+    needs: check-commit
+    if: needs.check-commit.outputs.should-run == 'true'
     steps:
       - uses: actions/checkout@v4
 

.husky/commit-msg

@@ -0,0 +1 @@
+npx --no -- commitlint --edit $1

.husky/pre-commit

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Get list of staged files
+staged_files=$(git diff --cached --name-only)
+
+# Define project directories
+web_pattern="^projects/web/"
+admin_pattern="^projects/admin/"
+mfe_pattern="^projects/code-samples-mfe/"
+shared_pattern="^projects/shared/"
+config_patterns="^(package\.json|package-lock\.json|angular\.json|tsconfig\.json|\.eslint|\.prettier|tailwind\.config|commitlint\.config|\.github/|\.husky/|scripts/|supabase/|e2e/|.*\.md$)"
+
+# Count files in each category
+web_count=0
+admin_count=0
+mfe_count=0
+shared_count=0
+config_count=0
+
+for file in $staged_files; do
+  if [[ $file =~ $web_pattern ]]; then
+    web_count=$((web_count + 1))
+  elif [[ $file =~ $admin_pattern ]]; then
+    admin_count=$((admin_count + 1))
+  elif [[ $file =~ $mfe_pattern ]]; then
+    mfe_count=$((mfe_count + 1))
+  elif [[ $file =~ $shared_pattern ]]; then
+    shared_count=$((shared_count + 1))
+  elif [[ $file =~ $config_patterns ]]; then
+    config_count=$((config_count + 1))
+  fi
+done
+
+# Count non-zero project types (exclude shared from count - it can be combined)
+project_types=0
+if [ $web_count -gt 0 ]; then project_types=$((project_types + 1)); fi
+if [ $admin_count -gt 0 ]; then project_types=$((project_types + 1)); fi
+if [ $mfe_count -gt 0 ]; then project_types=$((project_types + 1)); fi
+
+# Allow config-only, shared-only, or single project + shared + config
+if [ $project_types -gt 1 ]; then
+  echo "❌ Error: Cannot commit changes to multiple projects in a single commit."
+  echo ""
+  echo "Staged files by project:"
+  if [ $web_count -gt 0 ]; then echo "  📱 Web: $web_count files"; fi
+  if [ $admin_count -gt 0 ]; then echo "  🔧 Admin: $admin_count files"; fi
+  if [ $mfe_count -gt 0 ]; then echo "  📦 MFE: $mfe_count files"; fi
+  if [ $shared_count -gt 0 ]; then echo "  🔄 Shared: $shared_count files"; fi
+  if [ $config_count -gt 0 ]; then echo "  ⚙️  Config: $config_count files"; fi
+  echo ""
+  echo "Please commit changes to one project at a time:"
+  echo "  git reset"
+  echo "  git add projects/web/  # or projects/admin/, etc."
+  echo "  git add projects/shared/  # shared can be combined"
+  echo "  git commit -m 'feat(web): your changes'"
+  exit 1
+fi
+
+echo "✅ Single project commit validation passed"

angular.json

@@ -42,8 +42,8 @@
                 },
                 {
                   "type": "anyComponentStyle",
-                  "maximumWarning": "4kB",
-                  "maximumError": "8kB"
+                  "maximumWarning": "8kB",
+                  "maximumError": "12kB"
                 }
               ],
               "outputHashing": "all"

commitlint.config.js

@@ -0,0 +1,28 @@
+module.exports = {
+  extends: ['@commitlint/config-conventional'],
+  rules: {
+    'scope-enum': [
+      2,
+      'always',
+      ['web', 'admin', 'mfe', 'shared', 'config']
+    ],
+    'scope-empty': [2, 'never'],
+    'subject-case': [2, 'always', 'lower-case'],
+    'type-enum': [
+      2,
+      'always',
+      [
+        'feat',
+        'fix',
+        'docs',
+        'style',
+        'refactor',
+        'test',
+        'build',
+        'ci',
+        'chore',
+        'revert'
+      ]
+    ]
+  }
+};

firebase.json

@@ -2,12 +2,32 @@
   "hosting": [
     {
       "target": "admin",
-      "public": "dist/apps/admin-spa",
+      "public": "dist/admin/browser",
       "ignore": ["**/.*", "**/node_modules/**"],
-      "rewrites": [{ "source": "**", "destination": "/index.html" }],
+      "rewrites": [
+        { "source": "**", "destination": "/index.html" }
+      ],
+      "redirects": [
+        {
+          "source": "/admin",
+          "destination": "/",
+          "type": 301
+        }
+      ],
       "headers": [
         {
-          "source": "**/*.@(js|css)",
+          "source": "/",
+          "headers": [
+            { "key": "Cache-Control", "value": "no-cache, no-store, must-revalidate" },
+            { "key": "X-Frame-Options", "value": "DENY" },
+            { "key": "X-Content-Type-Options", "value": "nosniff" },
+            { "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
+            { "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=(), payment=()" },
+            { "key": "Content-Security-Policy", "value": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://*.supabase.co wss://*.supabase.co; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" }
+          ]
+        },
+        {
+          "source": "**/*.@(js|css|woff|woff2|ttf|otf|eot|svg|png|jpg|jpeg|gif|webp|ico)",
           "headers": [
             { "key": "Cache-Control", "value": "public, max-age=31536000, immutable" }
           ]
@@ -16,18 +36,29 @@
     },
     {
       "target": "samples",
-      "public": "dist/apps/code-samples-mfe",
+      "public": "dist/code-samples-mfe",
       "ignore": ["**/.*", "**/node_modules/**"],
-      "rewrites": [{ "source": "**", "destination": "/index.html" }],
+      "rewrites": [
+        { "source": "**", "destination": "/index.html" }
+      ],
       "headers": [
+        {
+          "source": "/",
+          "headers": [
+            { "key": "Cache-Control", "value": "no-cache, no-store, must-revalidate" },
+            { "key": "X-Frame-Options", "value": "SAMEORIGIN" },
+            { "key": "X-Content-Type-Options", "value": "nosniff" }
+          ]
+        },
         {
           "source": "**/remoteEntry.@(js|mjs)",
           "headers": [
-            { "key": "Cache-Control", "value": "public, max-age=31536000, immutable" }
+            { "key": "Cache-Control", "value": "public, max-age=31536000, immutable" },
+            { "key": "Access-Control-Allow-Origin", "value": "*" }
           ]
         },
         {
-          "source": "**/*.@(js|css)",
+          "source": "**/*.@(js|css|woff|woff2|ttf|otf|eot|svg|png|jpg|jpeg|gif|webp|ico)",
           "headers": [
             { "key": "Cache-Control", "value": "public, max-age=31536000, immutable" }
           ]