StarterApp Docs
CI/CD

GitHub Integration

Repository automation with branch protection and secrets management

GitHub provides automation features for code quality enforcement. Branch protection prevents direct commits to main, automated workflows handle repetitive tasks, and secrets management secures deployment credentials.

Pro Tip

The framework leverages GitHub Actions for CI/CD, branch protection for quality gates, secrets management for secure deployment, and PR automation for efficient code review.

Branch Protection Rules

Branch protection creates quality gates:

Configure Protection Rules

Navigate to Settings → Branches → Add branch protection rule on GitHub.

Pattern: main

Enable these settings:

Verify Configuration

Test branch protection by attempting to:

  1. Push directly to main (should fail)
  2. Merge PR with failing CI (should fail)
  3. Merge PR without approval (should fail)
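Beyond pushing and merging by hand, the same three gates can be audited from the branch protection settings the GitHub REST API returns. This is an added example, not code from the StarterApp docs; the status-check names and the JSON response are constructed placeholders.

```python
# Added example, not from the StarterApp docs: audit a branch's protection
# settings, as returned by the GitHub REST API endpoint
# GET /repos/{owner}/{repo}/branches/{branch}/protection, against the three
# gates listed above. The JSON below is a constructed sample, not a live response.
import json

# Status-check contexts CI is assumed to report; the names are placeholders.
REQUIRED_CONTEXTS = {"lint", "test"}

SAMPLE_PROTECTION = json.dumps({
    "required_status_checks": {"strict": True, "contexts": ["lint", "test"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "restrictions": None,
})


def audit_protection(raw_json: str, required_contexts=REQUIRED_CONTEXTS) -> list[str]:
    """Return findings for each gate that is not enforced; empty means all hold."""
    p = json.loads(raw_json)
    findings = []
    reviews = p.get("required_pull_request_reviews") or {}
    checks = p.get("required_status_checks") or {}

    # Gate 1: direct pushes to main are blocked only if pull requests are
    # required and administrators cannot bypass the rule.
    if not reviews:
        findings.append("direct push: pull request reviews are not required")
    if not (p.get("enforce_admins") or {}).get("enabled"):
        findings.append("direct push: administrators can bypass protection")

    # Gate 2: a PR with failing CI must not be mergeable; strict mode also
    # rejects branches that are behind main when the checks last ran.
    missing = set(required_contexts) - set(checks.get("contexts", []))
    if missing:
        findings.append(f"failing CI: checks not required: {sorted(missing)}")
    if not checks.get("strict"):
        findings.append("failing CI: branch need not be up to date with main")

    # Gate 3: a PR without an approving review must not be mergeable.
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("approval: no approving review required")
    return findings


if __name__ == "__main__":
    print(audit_protection(SAMPLE_PROTECTION) or ["all three gates enforced"])
```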

Secrets Management

GitHub Secrets provides secure storage for API keys and tokens:

Organization Secrets

For credentials shared across repositories:

Settings → Secrets and variables → Actions → New organization secret

Organization secrets
CONVEX_DEPLOY_KEY=<production-deployment-key>
AUTUMN_SECRET_KEY=<billing-production-key>
SENTRY_AUTH_TOKEN=<error-monitoring-token>

Secrets remain encrypted at rest and in transit.

Repository Secrets

For repository-specific credentials:

Settings → Secrets and variables → Actions → New repository secret

Repository secrets
VERCEL_TOKEN=<deployment-token>
NETLIFY_AUTH_TOKEN=<netlify-access-token>

Values are exposed only to workflow runs; once stored they cannot be read back through the UI or the API.

Environment Secrets

For environment-specific configuration:

Settings → Environments → New environment

Create production and staging environments with distinct secrets:

.github/workflows/deploy-production.yml
on:
  push:
    branches: [main]  # trigger assumed: production deploys from main
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: production
    steps:
      # Pass the secret through env rather than expanding it inline, and never echo it
      - run: test -n "$AUTUMN_SECRET_KEY"
        env:
          AUTUMN_SECRET_KEY: ${{ secrets.AUTUMN_SECRET_KEY }}
          # Resolved from the production environment's secrets

Production secrets use live API keys.

.github/workflows/deploy-staging.yml
on:
  push:
    branches: [staging]  # trigger assumed: staging deploys from a staging branch
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: staging
    steps:
      - run: test -n "$AUTUMN_SECRET_KEY"
        env:
          AUTUMN_SECRET_KEY: ${{ secrets.AUTUMN_SECRET_KEY }}
          # Resolved from the staging environment's secrets

Staging secrets use test API keys.

Secret Isolation

Environment secrets prevent test transactions from affecting production. Always use separate credentials per environment.
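A related hygiene check for the deploy workflows above: secrets expanded directly inside a run: script are substituted into the command text before the shell runs, so passing them through env: is the safer pattern. The lint below is an added example, not part of the StarterApp docs, and the workflow text it scans is constructed.

```python
# Added example, not part of the StarterApp docs: a line-based lint for workflow
# files that flags secrets expanded inline inside a run: script. GitHub masks
# secret values in logs, but inline expansion still splices the value into the
# shell command itself; passing it through env: avoids that. Sample is constructed.
import re

SECRET_IN_RUN = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed workflow text: the first step expands a secret inline, the second
# passes it through env and only checks that it is set.
SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    environment:
      name: production
    steps:
      - run: echo "${{ secrets.AUTUMN_SECRET_KEY }}"
      - run: test -n "$AUTUMN_SECRET_KEY"
        env:
          AUTUMN_SECRET_KEY: ${{ secrets.AUTUMN_SECRET_KEY }}
"""


def find_inline_secrets(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, secret_name) for each secret expanded in a run: command."""
    findings = []
    in_run = False
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.strip()
        # A run: key opens a script; the next mapping key (env:, name:, ...) closes it.
        if stripped.startswith("- run:") or stripped.startswith("run:"):
            in_run = True
        elif re.match(r"-?\s*[A-Za-z_-]+:", stripped):
            in_run = False
        if in_run:
            findings.extend((lineno, m.group(1)) for m in SECRET_IN_RUN.finditer(line))
    return findings


if __name__ == "__main__":
    for lineno, name in find_inline_secrets(SAMPLE_WORKFLOW):
        print(f"line {lineno}: secret {name} expanded inline in a run: step")
```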

Advanced Workflow Patterns

Pull Request Automation

Code Ownership with CODEOWNERS

Create .github/CODEOWNERS to route reviews automatically:

.github/CODEOWNERS
# Default owners for everything
* @team/core-maintainers

# Frontend specialists
/apps/marketing/ @team/frontend
/apps/dashboard/ @team/frontend
/packages/ui/ @team/design-system

# Backend specialists
/packages/convex/ @team/backend
/packages/auth/ @team/backend @team/security

# Security team
/packages/security/ @team/security
/apps/*/middleware.ts @team/security

# DevOps
/.github/workflows/ @team/devops
/Dockerfile @team/devops

Automatic review requests eliminate manual assignment. Order matters: when several patterns match a file, the last matching line determines its owners.

Automatic PR Labeling

Use GitHub Actions to label PRs based on changed files:

.github/workflows/label-pr.yml
name: Label PR

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  label:
    runs-on: ubuntu-latest
    # The action reads the PR diff and writes labels, so grant exactly that
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/labeler@v4
        with:
          configuration-path: .github/labeler.yml

.github/labeler.yml
frontend:
  - apps/marketing/**/*
  - apps/dashboard/**/*
  - packages/ui/**/*

backend:
  - packages/convex/**/*
  - packages/auth/**/*

security:
  - packages/security/**/*
  - '**/middleware.ts'

documentation:
  - apps/docs/**/*
  - '**/*.md'
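To see how the two rule sets above behave on the same changed paths, here is an added example (not StarterApp's own tooling) that applies the CODEOWNERS and labeler.yml rules with a simplified subset of gitignore matching; it shows that a later CODEOWNERS line replaces earlier owners, whereas every matching labeler glob contributes a label.

```python
# Added example, not StarterApp's own tooling: applies the CODEOWNERS and
# labeler.yml rules above using a simplified subset of gitignore matching
# (leading "/" anchors at the root, trailing "/" covers the subtree, "*" stops
# at "/", "**" spans directories). Last matching CODEOWNERS line wins.
import re

CODEOWNERS = """
* @team/core-maintainers
/apps/marketing/ @team/frontend
/apps/dashboard/ @team/frontend
/packages/ui/ @team/design-system
/packages/convex/ @team/backend
/packages/auth/ @team/backend @team/security
/packages/security/ @team/security
/apps/*/middleware.ts @team/security
/.github/workflows/ @team/devops
/Dockerfile @team/devops
"""

LABELER = {
    "frontend": ["apps/marketing/**/*", "apps/dashboard/**/*", "packages/ui/**/*"],
    "backend": ["packages/convex/**/*", "packages/auth/**/*"],
    "security": ["packages/security/**/*", "**/middleware.ts"],
    "documentation": ["apps/docs/**/*", "**/*.md"],
}


def glob_to_regex(pattern: str) -> re.Pattern:
    body = pattern.lstrip("/")
    if body.endswith("/"):
        body += "**"  # a directory rule covers everything beneath it
    rx = re.escape(body).replace(r"\*\*/", "(?:.*/)?").replace(r"\*\*", ".*")
    rx = rx.replace(r"\*", "[^/]*")
    # Patterns containing "/" are root-relative; bare names match at any depth.
    prefix = "^" if "/" in pattern else "^(?:.*/)?"
    return re.compile(prefix + rx + "$")


def owners_for(path: str) -> list[str]:
    owners: list[str] = []
    for line in CODEOWNERS.strip().splitlines():
        pattern, *teams = line.split()
        if glob_to_regex(pattern).match(path):
            owners = teams  # later rules override earlier ones
    return owners


def labels_for(path: str) -> set[str]:
    return {label for label, globs in LABELER.items()
            if any(glob_to_regex(g).match(path) for g in globs)}
```

Note that apps/dashboard/middleware.ts is reviewed by @team/security alone (the middleware rule comes last) while it still receives both the frontend and security labels.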

Dependabot Auto-Merge

Automatically merge low-risk dependency updates:

.github/workflows/dependabot-auto-merge.yml
name: Dependabot Auto-Merge

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  auto-merge:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    # Dependabot-triggered runs get a read-only GITHUB_TOKEN by default;
    # enabling auto-merge needs write access to contents and pull requests
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1

      - name: Enable auto-merge for patch updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Patch-level updates, security patches among them, merge automatically once the required checks pass; the repository's "Allow auto-merge" setting must be enabled for gh pr merge --auto to take effect.

Safety First

Only auto-merge patch updates. Minor and major updates require manual review.

Issue and PR Templates

Bug Report Template

Create .github/ISSUE_TEMPLATE/bug_report.md:

Bug report template
---
name: Bug Report
about: Report a bug to help us improve
title: '[BUG] '
labels: bug
assignees: ''
---

## Description
A clear description of the bug.

## Steps to Reproduce
1. Go to '...'
2. Click on '...'
3. See error

## Expected Behavior
What should have happened.

## Actual Behavior
What actually happened.

## Environment
- OS: [e.g., macOS 13.0]
- Browser: [e.g., Chrome 120]
- Node.js: [e.g., 20.10.0]

## Screenshots
If applicable, add screenshots.

## Additional Context
Any other relevant information.

Pull Request Template

Create .github/PULL_REQUEST_TEMPLATE.md:

PR template
## Description
Brief description of changes.

## Type of Change
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Documentation update

## Testing
- [ ] Unit tests pass locally
- [ ] E2E tests pass locally
- [ ] Tested manually in browser

## Checklist
- [ ] Code follows project style guidelines
- [ ] Self-review completed
- [ ] Comments added to complex code
- [ ] Documentation updated
- [ ] No new warnings generated

## Related Issues
Closes #<issue-number>

## Screenshots
If applicable, add screenshots of UI changes.

Templates ensure consistent PR submissions.

Security Automation

Deployment Integration

Platform integrations connect code changes to deployed environments:

Vercel GitHub App provides:

  • Automatic production deployments from main branch
  • Preview deployments for every PR
  • Deployment status in PR checks
  • Comments with preview URLs

Configuration:

vercel.json
{
  "git": {
    "deploymentEnabled": {
      "main": true,
      "staging": true
    }
  },
  "github": {
    "autoAlias": true,
    "silent": false,
    "autoJobCancelation": true
  }
}

Preview URL appears in PR comments within minutes.

Netlify GitHub Integration provides:

  • Branch deploys
  • Deploy previews
  • Build notifications
  • Split testing

Configuration:

netlify.toml
[context.production]
  publish = "apps/marketing/.next"
  command = "pnpm turbo run build --filter=marketing"

[context.deploy-preview]
  publish = "apps/marketing/.next"
  command = "pnpm turbo run build --filter=marketing"
  environment = { ENABLE_HSTS = "0" }

[[plugins]]
  package = "@netlify/plugin-nextjs"

AWS Amplify Console provides:

  • Automatic builds on push
  • PR previews
  • Custom domain management
  • Monitoring and alerts

Connected via AWS Console → Amplify → Connect repository.

Workflow Monitoring

Track metrics to identify improvement opportunities:

AI-Powered GitHub Configuration

AI assistants understand GitHub automation:

Conversational Setup

Describe configuration needs in natural language, and AI generates complete workflow files, protection rules, and automation scripts.

AI commands
Set up branch protection for main with required CI checks

The assistant generates:

  • Complete branch protection configuration
  • Required status check list
  • Review requirements
  • CODEOWNERS file template

AI dependency automation
Create Dependabot config for weekly updates with grouped PRs

The assistant creates:

  • .github/dependabot.yml with intelligent grouping
  • Auto-merge workflow for patch updates
  • Security vulnerability alerts