ci: process hardening — 18 CI workflows, E2E expansion, local guardra… (#1028)

…ils, docs overhaul

- Harden js.yml: add tsc --noEmit, prettier --check, next build
- Harden go.yml: add go test -race, atlas migrate validate
- New security.yml: npm audit + govulncheck (informational)
- New docker.yml: Dockerfile build validation
- Add develop branch trigger to all 10 check workflows
- Add post-deploy smoke test to deploy-prod.yml and deploy-staging.yml
- New E2E: discover.cy.ts, smoke.cy.ts, i18n.cy.ts
- New Makefile target: make pre-push (6-step local check suite)
- New .githooks/pre-push: opt-in git hook
- New CONTRIBUTING.md: GitFlow-lite workflow documentation
- Consolidate CHANGELOG.md to v0.8.0 with post-mortem
- Update README.md: CI badges, Contributing section, make pre-push

---------

Co-authored-by: zxxma <zxxma@users.noreply.github.com>

Author: zxxma

.githooks/pre-push

@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Pre-push hook for Zenao
+# Runs all local checks before allowing a push to remote.
+#
+# To enable: git config core.hooksPath .githooks
+# To bypass (emergencies only): git push --no-verify
+#
+
+echo "🔍 Running pre-push checks..."
+echo ""
+
+# Run the full pre-push check suite
+make pre-push
+
+if [ $? -ne 0 ]; then
+  echo ""
+  echo "❌ Pre-push checks FAILED. Push aborted."
+  echo "   Fix the issues above and try again."
+  echo "   To bypass (emergencies only): git push --no-verify"
+  exit 1
+fi
+
+echo ""
+echo "✅ All checks passed. Pushing..."

.github/workflows/buf-gen.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - develop
   pull_request:
   merge_group:
 

.github/workflows/buf-lint.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - develop
   pull_request:
   merge_group:
 

.github/workflows/deploy-prod.yml

@@ -100,4 +100,20 @@ jobs:
 
             docker compose -f prod.backend.docker-compose.yml up -d --wait otel-collector jaeger
             git restore prod.backend.docker-compose.yml
-            docker compose -f prod.backend.docker-compose.yml up -d --build backend
+            docker compose -f prod.backend.docker-compose.yml up -d --build backend
+
+      - name: Post-deploy smoke test
+        run: |
+          echo "⏳ Waiting 60s for services to stabilize..."
+          sleep 60
+          for i in 1 2 3 4 5; do
+            STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 15 https://zenao.io/)
+            if [ "$STATUS" = "200" ]; then
+              echo "✅ Smoke test passed (HTTP $STATUS)"
+              exit 0
+            fi
+            echo "⏳ Attempt $i/5: HTTP $STATUS — retrying in 30s..."
+            sleep 30
+          done
+          echo "❌ Smoke test FAILED after 5 attempts"
+          exit 1

.github/workflows/deploy-staging.yml

@@ -100,4 +100,20 @@ jobs:
 
             docker compose -f staging.docker-compose.yml up -d --wait otel-collector jaeger
             git restore staging.docker-compose.yml
-            docker compose -f staging.docker-compose.yml up -d --build backend
+            docker compose -f staging.docker-compose.yml up -d --build backend
+
+      - name: Post-deploy smoke test
+        run: |
+          echo "⏳ Waiting 60s for services to stabilize..."
+          sleep 60
+          for i in 1 2 3 4 5; do
+            STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 15 https://staging.zenao.io/)
+            if [ "$STATUS" = "200" ]; then
+              echo "✅ Smoke test passed (HTTP $STATUS)"
+              exit 0
+            fi
+            echo "⏳ Attempt $i/5: HTTP $STATUS — retrying in 30s..."
+            sleep 30
+          done
+          echo "❌ Smoke test FAILED after 5 attempts"
+          exit 1

.github/workflows/docker.yml

@@ -0,0 +1,20 @@
+name: Docker Build
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+  merge_group:
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build Docker image
+        run: docker build --target builder -t zenao-backend-test .

.github/workflows/e2e.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
     - main
+    - develop
   pull_request:
   merge_group:
 

.github/workflows/go-fmt.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - develop
   pull_request:
   merge_group:
 

.github/workflows/go.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - develop
   pull_request:
   merge_group:
 
@@ -22,11 +23,29 @@ jobs:
       - name: Tidy go.mod
         run: go mod tidy
 
-      - name: Test
-        run: go test ./backend/...
+      - name: Test (with race detection)
+        run: go test -race -p 1 ./backend/...
 
       - name: Build
         run: go build -o zenao-backend ./backend
 
+      - name: Get go binaries path
+        id: go-bin-path
+        run: echo "PATH=$(go env GOPATH)/bin" >> "$GITHUB_OUTPUT"
+
+      - name: Cache atlas
+        id: cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.go-bin-path.outputs.PATH }}
+          key: ${{ runner.os }}-atlas-bin5-v1.1.0
+
+      - name: Install atlas
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: make install-atlas
+
+      - name: Validate migrations
+        run: atlas migrate validate --dir "file://migrations" --dev-url "sqlite://file?mode=memory"
+
       - name: Check diff
         run: git diff --exit-code

.github/workflows/golangci-lint.yml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - develop
   pull_request:
   merge_group: