App CI/CD: GitHub Actions Quality Gates

The PhenomApp GitHub Actions pipeline: lint, typecheck, tests and secret scanning on every PR, plus husky pre-commit hooks, CODEOWNERS and Dependabot.

Status: LIVE since 2026-06-04 (issue #93, PR #94). Before this date the PhenomApp repository had no CI at all; every gate ran only on individual laptops.

The pipeline

.github/workflows/ci.yml runs on every pull request and every push to main:

Job                    Steps
Lint, typecheck, test  npm ci, then npm run lint:check (ESLint), npm run compile (tsc --noEmit) and npm test (Jest), all in the nested PhenomApp/ directory
Secret scan            TruffleHog OSS over the full history diff

Notes for maintainers:

  • The repo layout is nested. The app and its package-lock.json live in PhenomApp/PhenomApp/; the workflow sets working-directory: PhenomApp. The outer directory is a husky shell, and its package.json does not describe the app (its expo/react-native versions are unrelated to what ships).
  • The legacy functions/ directory (Firebase scaffold) is excluded via .eslintignore; its own eslint config extends eslint-config-google, which is not installed.
  • The repo enforces issue-numbered branch names (feature/<issue>-description).
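A workflow with the shape described above, added here as an illustration and not the repository's actual .github/workflows/ci.yml. The triggers, job names, working-directory and the lint:check/compile/test scripts come from this page; the Node version, the npm cache settings and the TruffleHog base/head inputs are assumptions.

```yaml
name: CI

on:
  pull_request:
  push:
    branches: [main]

# The default GITHUB_TOKEN only needs to read the checkout; nothing here writes to the repo.
permissions:
  contents: read

jobs:
  quality:
    name: Lint, typecheck, test
    runs-on: ubuntu-latest
    defaults:
      run:
        # The app and its package-lock.json live in the nested directory, not the husky shell.
        working-directory: PhenomApp
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20                                  # assumption: not stated on this page
          cache: npm
          cache-dependency-path: PhenomApp/package-lock.json
      - run: npm ci
      - run: npm run lint:check   # ESLint; functions/ is excluded via .eslintignore
      - run: npm run compile      # tsc --noEmit
      - run: npm test             # Jest

  secret-scan:
    name: Secret scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so the scanner can diff base..head rather than the tip commit only
      - uses: trufflesecurity/trufflehog@main
        with:
          base: ${{ github.event.repository.default_branch }}   # assumption: diff range for PRs
          head: HEAD
          extra_args: --only-verified
```

Two design choices matter for the secret scan: fetch-depth: 0 is what gives TruffleHog the history to diff (the default shallow checkout would hide secrets committed and then removed in the same PR), and permissions: contents: read keeps the job's token from being useful if a third-party action step is ever compromised. Pinning trufflesecurity/trufflehog to a release tag or commit SHA instead of @main is the usual hardening, and the weekly github-actions Dependabot updates described below keep such pins current.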

Pre-commit hooks (husky)

Both husky shells previously invoked pnpm lint in an npm-only repository, so the hook failed open for anyone without pnpm. The hooks now run prettier on staged files, then npm run lint:check and npm run compile. Run npm install in PhenomApp/ to activate them.

Security measures

  • C2PA signing key: Ext/react-native-simple-c2pa/signing.key was tracked in git until 2026-06-04. It is now untracked and *.key is ignored repo-wide. Key rotation and history purge are still pending; the old key must be treated as exposed until rotated.
  • TruffleHog scans every PR for committed credentials.
  • Dependabot is enabled: weekly npm updates for both package.json locations, weekly GitHub Actions updates, and vulnerability alerts.
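A .github/dependabot.yml that matches the schedule described above, added here as an example and not copied from the repository. The two npm directories (the outer husky shell at / and the app at /PhenomApp) are inferred from the layout notes on this page; if the nested path differs, adjust the second directory entry.

```yaml
version: 2
updates:
  # Outer package.json (husky shell only; does not describe the shipped app)
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly

  # Nested app package.json and package-lock.json (assumed path from the layout notes)
  - package-ecosystem: npm
    directory: /PhenomApp
    schedule:
      interval: weekly

  # Keeps the actions referenced in .github/workflows/*.yml on current versions
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
```

Vulnerability alerts are not configured in this file; they are a repository setting (Settings > Code security and analysis > Dependabot alerts) and must be switched on there separately from version updates.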

Review routing

.github/CODEOWNERS routes all PRs to @smsmatt. Branch protection (required reviews, required CI) is not available on the current GitHub plan for this private repo; CODEOWNERS plus the CI checks are the working substitute until the org moves to GitHub Pro/Team.

Relationship to EAS builds

This CI pipeline covers code quality only. Device builds remain on EAS (see EAS Deployment Pipeline); CI does not currently trigger EAS builds on merge.