CI Feature Pipeline Optimization

Status

Implemented.

  • Task board: OP-D049.
  • ADR references: AWS bootstrap/state and CI/CD deployment strategy.
  • Client response references: Phase 1 expects secure CI/CD, AWS deployment readiness, and operational handoff discipline.

Problem Statement

Feature branch pipelines were running broad validation and Docker build work on every push. That kept confidence high but slowed developer feedback while AWS deployment work was still being stabilized.

Architectural Intent

Feature branches should validate the surfaces they change. Integration branches should remain comprehensive. Deployment-capable stages must stay limited to develop, demo, and main.

What Was Implemented

  • Split GitLab validation into focused jobs:
    • backend validation,
    • Postgres runtime validation,
    • contract validation,
    • frontend validation,
    • docs validation,
    • infrastructure validation.
  • Added path-aware rules:changes for feature branches.
  • Kept full split validation on develop, demo, and main.
  • Kept ECR publish, Terraform plan/apply, Helm deploy, docs deploy, and AWS smoke jobs restricted to deploy-capable branches.
  • Added a manual full_validation_manual job for feature branches.
  • Kept CI jobs interruptible so newer pushes can cancel older work.
  • Added an allowlisted .dockerignore so Docker images do not receive Terraform caches, docs output, PDFs, local secrets, tests, or repo metadata.
  • Kept AWS dev image publishing on linux/arm64 and moved the publish job to a native arm64 GitLab SaaS runner to avoid QEMU build overhead.
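
The pipeline shape described above, as an added example that is not the project's own .gitlab-ci.yml: job and stage names, path globs, Make targets, the ECR_IMAGE variable and the runner tag are all assumptions. It shows the three mechanisms together: a shared rule that always runs a job on develop, demo and main; a rules:changes fallback that makes the same job path-aware on every other branch; and deploy-capable jobs whose only rule is the deploy-branch rule, so they never appear in a feature pipeline.

```yaml
# Added example, not the project's .gitlab-ci.yml. Job names, stage names,
# path globs, Make targets, ECR_IMAGE and the runner tag are assumptions.

stages: [validate, publish, deploy]

default:
  interruptible: true            # a newer push on the same ref cancels running jobs

# Rule fragment shared by every job: always run on deploy-capable branches.
.on_deploy_branches:
  rules:
    - if: $CI_COMMIT_BRANCH =~ /^(develop|demo|main)$/

# Split validation: full run on integration branches, path-aware elsewhere.
# Rules are evaluated in order; if none matches the job is left out entirely.
backend_validation:
  stage: validate
  script:
    - make ci-lint
  rules:
    - !reference [.on_deploy_branches, rules]
    - changes:
        - backend/**/*
        - scripts/ci/**/*          # shared scripts are deliberately broad triggers
        - Makefile

infrastructure_validation:
  stage: validate
  script:
    - make aws-iac-check
  rules:
    - !reference [.on_deploy_branches, rules]
    - changes:
        - infra/**/*
        - scripts/ci/**/*
        - Makefile

docs_validation:
  stage: validate
  script:
    - make docs-check
  rules:
    - !reference [.on_deploy_branches, rules]
    - changes:
        - docs/**/*
        - mkdocs.yml

# Opt-in full validation for feature branches. Never offered on deploy branches,
# which already run every validation job.
full_validation_manual:
  stage: validate
  script:
    - make ci-lint
    - make docs-check
    - make aws-iac-check
  rules:
    - if: $CI_COMMIT_BRANCH =~ /^(develop|demo|main)$/
      when: never
    - when: manual
      allow_failure: true          # a pending manual job must not block the pipeline

# Deployment-capable stages: the deploy-branch rule is the only rule, so a
# feature branch pipeline never contains these jobs at all.
publish_image:
  stage: publish
  tags:
    - saas-linux-medium-arm64      # native arm64 SaaS runner; tag name is an assumption
  script:
    - docker buildx build --platform linux/arm64 --push -t "$ECR_IMAGE:$CI_COMMIT_SHA" .
  rules:
    - !reference [.on_deploy_branches, rules]

terraform_apply:
  stage: deploy
  script:
    - make aws-iac-apply           # assumed Make target
  rules:
    - !reference [.on_deploy_branches, rules]
```

Two points worth keeping in mind when reading this. First, leaving a deploy job out of the feature pipeline is stronger than marking it `when: manual` there: a manual job can still be started by anyone with permission to run pipelines on the branch, whereas an absent job cannot be triggered at all, and the CI_JOB_TOKEN of a feature pipeline is never handed to a step that can assume a deploy role. Second, `changes` in a plain branch pipeline is compared against the previous push to that branch, and on a freshly pushed branch every file counts as changed, so the first pipeline on a new feature branch runs the full set; merge-request pipelines compare against the target branch instead, which is why the page notes that exact job availability depends on the branch versus merge-request pipeline configuration. `rules:changes:compare_to` can pin the comparison ref if that behaviour matters.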

Components Involved

  • .gitlab-ci.yml
  • .dockerignore
  • scripts/ci/validate.sh
  • CI guardrail docs
  • AWS CI/CD strategy docs
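
The allowlisted .dockerignore mentioned under What Was Implemented, as an added example rather than the project's actual file; the directory names are assumptions. The technique is deny-by-default: the first pattern excludes the whole repository from the build context, later `!` patterns re-include only what the image needs, and final patterns re-exclude anything unwanted that lives beneath those paths. Docker applies the patterns in order and the last matching line wins, so the order of the three groups matters.

```dockerignore
# Added example, not the project's .dockerignore. Directory names are assumptions.

# 1. Exclude everything by default. This already covers .git/, .terraform/
#    caches, docs output, PDFs, local secrets and repo metadata at the root.
*

# 2. Re-include only what the image build needs.
!backend/
!pyproject.toml
!poetry.lock

# 3. Re-exclude material that lives under the re-included paths.
backend/tests/
backend/**/__pycache__/
backend/**/*.pyc
backend/**/.env
backend/**/.env.*
backend/**/.terraform/
backend/**/*.tfstate*
backend/**/*.pdf
```

An over-tight allowlist fails loudly, because a `COPY` of a path that is not in the context aborts the build, so a broken entry is caught on the first pipeline run rather than silently shipping. An over-loose one is harder to notice; the quickest check is a throwaway Dockerfile made of `FROM busybox`, `COPY . /ctx` and `RUN find /ctx -type f`, built against the same directory, which prints exactly the file set that reached the daemon and therefore the set that could end up in a published layer.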

APIs / Events / Schemas

No API, event, or schema contracts changed.

Deployment Notes

This change affects CI execution only. It does not deploy workloads or change AWS infrastructure.

Deployment-capable branches remain:

  • develop
  • demo
  • main

Security / Tenant Isolation

Feature branches cannot publish images, assume AWS deploy roles, run Terraform apply, deploy Helm releases, deploy docs, or run AWS smoke checks. Tenant runtime behavior is unchanged.

Validation Steps

UI Validation

No application UI changed.

API Validation

No API changed.

Smoke Validation

Run:

make ci-lint
make docs-check
make aws-iac-check
docker compose config
git diff --check

In GitLab, validate that:

  • feature branches run only relevant changed-surface jobs,
  • develop, demo, and main run the full split validation set,
  • AWS publish/deploy jobs are absent from feature branches,
  • the manual full_validation_manual job is available on feature branches.

Known Limitations

  • Path-aware rules are intentionally conservative; shared script or Makefile changes may trigger infrastructure validation.
  • Docker layer caching is not yet optimized beyond existing runner behavior.
  • Exact GitLab UI job availability depends on branch and merge-request pipeline configuration.

Follow-Up Work

  • Observe pipeline timings after several feature and develop runs.
  • Add Docker layer cache only if the GitLab runner supports it reliably.
  • Consider splitting backend validation further if Postgres runtime checks become a bottleneck.

Acceptance Criteria Mapping

  • Feature branches are faster by default: path-aware jobs implemented.
  • Developer velocity is preserved: manual full validation remains available.
  • Integration confidence remains: develop, demo, and main run the full split validation set.
  • Deployment safety remains: AWS publish/deploy jobs are restricted to deploy-capable branches.