chore: set up GitHub Actions CI/CD pipeline #83

@William-Hill

Overview

Add a GitHub Actions CI/CD pipeline covering the two main workstreams (Next.js dashboard + Python ML pipeline) and production deployment. No CI currently exists.


Proposed Workflows

1. ci-dashboard.yml — Dashboard CI

Trigger: Push or PR targeting main or rebranding/bishop-state that touches codebenders-dashboard/**

Steps:

  1. npm ci inside codebenders-dashboard/
  2. npx tsc --noEmit — TypeScript type check (strict mode is enabled)
  3. npm run lint — Next.js ESLint
  4. npm run build — production build smoke test (catches missing env vars, import errors, etc.)

Why: Catches type errors, lint violations, and broken builds before they land on main. Currently nothing prevents a broken build from merging.
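A concrete `ci-dashboard.yml` matching the trigger and steps above, added here as an example and not taken from the issue or the repository. It assumes Node 20 and that the two build-time Supabase values are stored as repository variables named after the env vars; everything else (branch names, paths, commands) comes from the proposal. The job is named `ci-dashboard` because the job name is what GitHub shows as the status-check name that branch protection later requires.

```yaml
# .github/workflows/ci-dashboard.yml (example, not the project's own file)
name: ci-dashboard

on:
  push:
    branches: [main, rebranding/bishop-state]
    paths: ['codebenders-dashboard/**']
  pull_request:
    branches: [main, rebranding/bishop-state]
    paths: ['codebenders-dashboard/**']

# Least privilege for the automatic GITHUB_TOKEN: this job only reads the repo.
permissions:
  contents: read

# A newer push to the same branch/PR cancels the run it supersedes.
concurrency:
  group: ci-dashboard-${{ github.ref }}
  cancel-in-progress: true

jobs:
  ci-dashboard:          # status-check name used by branch protection
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: codebenders-dashboard
    steps:
      # Version tags shown for readability; pin to full commit SHAs in production
      # so a moved tag cannot change what runs in CI.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20            # assumed; align with the dashboard's engines field
          cache: npm
          cache-dependency-path: codebenders-dashboard/package-lock.json
      - name: Install exact lockfile versions
        run: npm ci
      - name: TypeScript type check (strict mode)
        run: npx tsc --noEmit
      - name: Next.js ESLint
        run: npm run lint
      - name: Production build smoke test
        run: npm run build
        env:
          # NEXT_PUBLIC_* values are inlined into the browser bundle at build time,
          # so they are configuration, not secrets; the variable names are assumed.
          NEXT_PUBLIC_SUPABASE_URL: ${{ vars.NEXT_PUBLIC_SUPABASE_URL }}
          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ vars.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
```

One interaction to plan for: when a PR touches nothing under `codebenders-dashboard/**`, the `paths` filter skips this workflow entirely, and a required status check that never reports leaves the PR stuck in "Expected" rather than merging. GitHub's documented workaround is a second workflow with the inverse `paths-ignore` filter and the same job name that simply exits successfully.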


2. ci-python.yml — ML Pipeline CI

Trigger: Push or PR that touches ai_model/**, operations/**, or requirements.txt

Steps:

  1. Set up Python 3.11
  2. pip install ruff + ruff check ai_model/ operations/ — fast linter (replaces flake8)
  3. pip install -r requirements.txt — validate all deps install cleanly
  4. python -m py_compile ai_model/complete_ml_pipeline.py operations/db_config.py — syntax check entry points

Why: Catches syntax errors and import issues in the ML pipeline without needing a live DB or GPU. Full pipeline run is too expensive for CI.
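The Python counterpart, `ci-python.yml`, again added as an example rather than copied from the project. It uses the paths, interpreter version and commands from the steps above; the pip cache setting and the `--upgrade pip` step are additions of mine.

```yaml
# .github/workflows/ci-python.yml (example, not the project's own file)
name: ci-python

on:
  push:
    paths:
      - 'ai_model/**'
      - 'operations/**'
      - 'requirements.txt'
  pull_request:
    paths:
      - 'ai_model/**'
      - 'operations/**'
      - 'requirements.txt'

permissions:
  contents: read

concurrency:
  group: ci-python-${{ github.ref }}
  cancel-in-progress: true

jobs:
  ci-python:             # status-check name used by branch protection
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
          cache: pip                  # cache keyed on requirements.txt
      - name: Lint with ruff
        run: |
          python -m pip install --upgrade pip
          pip install ruff
          ruff check ai_model/ operations/
      - name: Validate that all dependencies install cleanly
        run: pip install -r requirements.txt
      - name: Syntax-check the entry points (no DB or GPU needed)
        run: python -m py_compile ai_model/complete_ml_pipeline.py operations/db_config.py
```

`ruff check` and `py_compile` both exit non-zero on a problem, so no extra result handling is needed for the job to fail. Because `requirements.txt` is installed unpinned here, a new upstream release can turn this job red without any change in the repository; a lockfile or pinned versions makes the failure reproducible.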


3. deploy-preview.yml — Vercel Preview Deployment

Trigger: PR opened or updated (any branch)

Steps:

  1. Install Vercel CLI
  2. vercel pull --environment=preview
  3. vercel build
  4. vercel deploy --prebuilt → post preview URL as PR comment

Why: Gives reviewers a live URL to test every PR without manual deploys. Requires VERCEL_TOKEN, VERCEL_ORG_ID, VERCEL_PROJECT_ID as repo secrets.

Note: If the Vercel GitHub App is already connected to the repo, preview deploys are automatic and this workflow may be redundant — skip it if so.


4. deploy-production.yml — Vercel Production Deployment

Trigger: Push to main (after PR merge)

Steps:

  1. Install Vercel CLI
  2. vercel pull --environment=production
  3. vercel build
  4. vercel deploy --prebuilt --prod

Why: Explicit, auditable production deploys that show up in the Actions tab. Pairs with branch protection to enforce CI passing before any production deploy.
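A `deploy-production.yml` that implements steps 1 to 4 of section 4, written as an example for this issue and not taken from the project or from Vercel. The `vercel` CLI invocations follow Vercel's published GitHub Actions pattern; the `environment: production` setting and the choice to pass the token through an environment variable instead of interpolating `${{ secrets.VERCEL_TOKEN }}` into the shell line are my additions.

```yaml
# .github/workflows/deploy-production.yml (example, not the project's own file)
name: deploy-production

on:
  push:
    branches: [main]

permissions:
  contents: read

# Queue production deploys instead of cancelling an in-flight one.
concurrency:
  group: deploy-production
  cancel-in-progress: false

env:
  VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
  VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}

jobs:
  deploy-production:
    runs-on: ubuntu-latest
    # A GitHub environment scopes VERCEL_TOKEN to this job and can require
    # approvers or restrict deploys to the main branch in repo settings.
    environment: production
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20            # assumed
      - name: Install Vercel CLI
        run: npm install --global vercel@latest
      - name: Pull production environment settings
        env:
          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
        run: vercel pull --yes --environment=production --token="$VERCEL_TOKEN"
      - name: Build with production settings
        env:
          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
        run: vercel build --prod --token="$VERCEL_TOKEN"
      - name: Deploy the prebuilt output
        env:
          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
        run: vercel deploy --prebuilt --prod --token="$VERCEL_TOKEN"
```

The preview workflow from section 3 is the same file with `on: pull_request`, `--environment=preview`, no `--prod`, and the deploy URL captured from stdout (`url=$(vercel deploy --prebuilt --token="$VERCEL_TOKEN")`) and posted with `gh pr comment`, which needs `pull-requests: write` in `permissions` and `GH_TOKEN: ${{ github.token }}` in that step's env. Note that a `pull_request` run from a fork does not receive repository secrets, so such PRs will fail at `vercel pull` rather than deploy; that is the safe default and a reason not to switch the trigger to `pull_request_target`.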


5. security-audit.yml — Dependency Security Audit

Trigger: Weekly schedule (cron: '0 9 * * 1') + push to main

Steps:

  1. npm audit --audit-level=high in codebenders-dashboard/
  2. pip install pip-audit + pip-audit -r requirements.txt

Why: Surfaces known CVEs in dependencies automatically. Low noise (high severity only for npm).
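A `security-audit.yml` for section 5, added as an example and not part of the issue. The cron, trigger branches and audit commands are the ones proposed; the manual `workflow_dispatch` trigger and the decision to audit the npm lockfile without running an install are mine.

```yaml
# .github/workflows/security-audit.yml (example, not the project's own file)
name: security-audit

on:
  schedule:
    - cron: '0 9 * * 1'     # Mondays 09:00 UTC
  push:
    branches: [main]
  workflow_dispatch:        # re-run on demand after a dependency bump

permissions:
  contents: read

jobs:
  npm-audit:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: codebenders-dashboard
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20            # assumed
      # npm audit reads package-lock.json, so no install (and no package
      # install scripts) has to run just to query the advisory database.
      - name: Audit npm dependencies (high severity and above)
        run: npm audit --audit-level=high

  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Audit Python dependencies
        run: |
          pip install pip-audit
          pip-audit -r requirements.txt
```

Both tools exit non-zero when they find a matching advisory, which is what makes the scheduled run fail visibly. Because the scheduled trigger runs against `main` regardless of what changed, a newly published advisory for an unchanged dependency still surfaces within a week.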


Branch Protection Rules (prerequisite)

Once workflows are in place, enable these on main:

  • Require status checks: ci-dashboard and ci-python must pass
  • Require at least 1 approving review
  • Dismiss stale reviews on new pushes
  • No direct pushes to main

Secrets Required

Secret              Used by
VERCEL_TOKEN        deploy-preview, deploy-production
VERCEL_ORG_ID       deploy-preview, deploy-production
VERCEL_PROJECT_ID   deploy-preview, deploy-production

Build-time env vars (NEXT_PUBLIC_SUPABASE_URL, NEXT_PUBLIC_SUPABASE_ANON_KEY, DB_HOST, etc.) also need to be added to Vercel project settings (already done via .env.local locally).


Acceptance Criteria

  • ci-dashboard.yml runs on every PR touching the dashboard; blocks merge on failure
  • ci-python.yml runs on every PR touching ML/operations code; blocks merge on failure
  • Production deploy triggers automatically on merge to main
  • Security audit runs weekly and on main pushes
  • Branch protection rules enforced on main

Labels: rebranding: bishop-state (KCTCS to Bishop State Community College rebranding work)