MR Pipeline

Every merge request triggers a validation pipeline that gates code quality, security, builds, and test coverage before merge is allowed.

Pipeline DAG

All jobs use the .node-setup template: a Node 22 image, a pnpm cache keyed on pnpm-lock.yaml, and a frozen-lockfile install (pnpm install --frozen-lockfile), which fails the job instead of silently rewriting the lockfile when pnpm-lock.yaml and package.json disagree.

Validate Stage

Lint

Runs NX lint across all projects in parallel:

pnpm exec nx run-many --target=lint --parallel=3

This is the first gate -- every other job depends on lint passing.

Trivy SCA (Software Composition Analysis)

Scans the filesystem for vulnerabilities and secrets using Trivy:

trivy fs --scanners vuln,secret --severity CRITICAL,HIGH --exit-code 1 .

Fails the pipeline on any CRITICAL or HIGH severity vulnerability or secret finding; MEDIUM and lower findings are neither reported nor blocking at this severity filter. Known false positives for dev-only dependencies are tracked in .trivyignore (one CVE ID per line), which Trivy reads from the working directory by default, so the SCA job does not need an explicit --ignorefile.

Trivy IaC (Infrastructure as Code)

Scans configuration files (Dockerfiles, CI config, etc.) for misconfigurations:

trivy config --severity CRITICAL,HIGH --exit-code 1 --ignorefile .trivyignore .

Build Stage

Parallel matrix build of all 5 deployable apps. Runs after lint + both Trivy scans pass:

parallel:
  matrix:
    - PROJECT: [fastlane-portal, fastlane-admin, fastlane-api-gateway, docs, components]

Each app builds via pnpm exec nx build ${PROJECT}. This catches compilation errors, missing imports, and TypeScript issues before merge.

Test Stage

Coverage

Runs unit tests with coverage for the three main apps as a parallel matrix:

parallel:
  matrix:
    - PROJECT: [fastlane-portal, fastlane-admin, fastlane-api-gateway]

Each matrix job runs:

pnpm exec nx test ${PROJECT} --coverage

Coverage reports are saved as artifacts for 7 days. The docs and components apps are excluded since they don't have meaningful unit test suites.

Claude AI Review

Dual AI review that posts findings directly as MR notes. Runs in parallel as two matrix jobs:

parallel:
matrix:
- REVIEW_TYPE: [code_quality, security]

Code Quality Review checks against:

  • Function length (flag >50 lines, note >30)
  • Cyclomatic complexity (flag >6)
  • Nesting depth (flag >3 levels)
  • Code duplication
  • Naming conventions
  • Error handling
  • Type safety (any types)
  • Test coverage (80% target)
  • Relaxed standards for e2e/** and tools/**

Security Review checks against OWASP-aligned concerns:

  • Authentication and authorization
  • SQL injection (parameterized queries only)
  • XSS (output encoding, input sanitization)
  • Sensitive data in logs/errors/responses
  • API security (rate limiting, CORS)
  • Session management (secure cookies)

Each review posts a structured note to the MR with a summary, confidence score (X/5), recommended action, and top findings with file/line references. Previous review notes are automatically deleted before posting new ones to avoid clutter.

The review jobs are allow_failure: true -- they inform but never block merge, so the enforcing gates remain lint, the Trivy scans, the builds, and the coverage jobs. The review also skips merge train pipelines to avoid reviewing the same change twice.

Script: ci/scripts/claude-mr-review.sh

Workflow Rules

The MR pipeline only runs when $CI_MERGE_REQUEST_IID is set, i.e. for merge request pipelines. Branch pipelines for a branch that already has an open MR are skipped so each push produces a single pipeline (the deduplication lives in the workflow rules in .gitlab-ci.yml).
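The jobs described on this page, assembled into one .gitlab-ci.yml as an added illustration (this is not the project's own pipeline file): the .node-setup template with the frozen-lockfile install, the workflow rule that restricts the pipeline to merge requests, lint as the first gate, the two Trivy jobs, the build and coverage matrices with the 7-day artifact expiry, and the advisory Claude review job that skips merge trains. The job names, the Trivy image, the pnpm store path, the needs edges the page does not spell out (the review job following lint directly), and the argument passed to the review script are assumptions.

```yaml
# Added example of the pipeline described on this page; not the project's own file.
# Assumed: job names, aquasec/trivy image, .pnpm-store path, review script argument.
workflow:
  rules:
    - if: $CI_MERGE_REQUEST_IID       # run only as a merge request pipeline
    - when: never                     # drop branch pipelines (deduplication)

stages: [validate, build, test]

.node-setup:
  image: node:22
  cache:
    key:
      files: [pnpm-lock.yaml]        # cache is invalidated when the lockfile changes
    paths: [.pnpm-store/]
  before_script:
    - corepack enable
    - pnpm config set store-dir .pnpm-store
    - pnpm install --frozen-lockfile  # fails if lockfile and package.json disagree

lint:
  extends: .node-setup
  stage: validate
  script:
    - pnpm exec nx run-many --target=lint --parallel=3

trivy-sca:
  stage: validate
  image: aquasec/trivy:latest         # assumed image
  needs: [lint]                       # every other job waits for lint
  script:
    - trivy fs --scanners vuln,secret --severity CRITICAL,HIGH --exit-code 1 .

trivy-iac:
  stage: validate
  image: aquasec/trivy:latest
  needs: [lint]
  script:
    - trivy config --severity CRITICAL,HIGH --exit-code 1 --ignorefile .trivyignore .

build:
  extends: .node-setup
  stage: build
  needs: [lint, trivy-sca, trivy-iac] # builds start only after lint and both scans pass
  parallel:
    matrix:
      - PROJECT: [fastlane-portal, fastlane-admin, fastlane-api-gateway, docs, components]
  script:
    - pnpm exec nx build ${PROJECT}

coverage:
  extends: .node-setup
  stage: test                         # follows the build stage by stage ordering
  parallel:
    matrix:
      - PROJECT: [fastlane-portal, fastlane-admin, fastlane-api-gateway]
  script:
    - pnpm exec nx test ${PROJECT} --coverage
  artifacts:
    paths: [coverage/]
    expire_in: 7 days

claude-review:
  stage: test
  needs: [lint]                       # assumed: review starts as soon as lint passes
  allow_failure: true                 # advisory only; never blocks merge
  rules:
    - if: $CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"
      when: never                     # skip merge train pipelines
    - if: $CI_MERGE_REQUEST_IID
  parallel:
    matrix:
      - REVIEW_TYPE: [code_quality, security]
  script:
    - ci/scripts/claude-mr-review.sh "$REVIEW_TYPE"   # assumed argument form
```

The two Trivy jobs sit in the same stage as lint but declare needs: [lint], which GitLab allows for same-stage jobs, so they start the moment lint succeeds rather than at the next stage boundary. The build job's needs list is what makes the builds a true DAG node behind all three validate jobs.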

Required CI Variables

| Variable | Purpose |
| --- | --- |
| CLAUDE_API_KEY | Anthropic API key for AI reviews |
| CLAUDE_REVIEW_BOT | GitLab token (group-level) for posting MR review notes and fetching diffs |

Both should be defined as masked CI/CD variables so their values are redacted from job logs.