
Add CI/CD pipeline with GHCR and VPS deployment#62

Merged
Aiiion merged 6 commits into
masterfrom
CI.mvp
Jun 16, 2026

Conversation

@Aiiion Aiiion commented Jun 16, 2026

Owner

Summary

  • Adds CLAUDE.md with project context for Claude Code
  • Adds .github/workflows/deploy.yml — triggers after tests pass on master, builds and pushes the Docker image to GHCR, then SSHes to the VPS to pull and restart the API container
  • Adds image: ghcr.io/aiiion/express-api:latest to docker-compose.yml so Compose knows where to pull from on the VPS

Deploy flow

push to master → tests pass → build & push image to GHCR → SSH to VPS → docker compose pull api && docker compose up -d

First-time VPS step after merging

cd /your/deploy/path && git pull

Required once to get the updated docker-compose.yml onto the VPS before the pipeline takes over.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Implemented automated deployment workflow that builds and deploys the application to production upon successful test completion.
    • Updated container deployment configuration to use pre-built Docker images.
    • Added internal development and architecture documentation.

Aiiion and others added 2 commits June 16, 2026 22:49
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
coderabbitai Bot commented Jun 16, 2026

Contributor

Warning

Review limit reached

@Aiiion, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 48 minutes and 33 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 58c84d34-88a8-4322-a957-18f02e2a0a30

📥 Commits

Reviewing files that changed from the base of the PR and between bc807d5 and 5983b7e.

📒 Files selected for processing (1)
  • .github/workflows/deploy.yml
📝 Walkthrough

Walkthrough

A new Deploy GitHub Actions workflow is added, triggered on successful completion of the Test express-api workflow on master. It builds and pushes a Docker image to GHCR with latest and commit-SHA tags, then SSHes into a VPS to pull and restart the api service via Docker Compose. The docker-compose.yml is updated to reference the published GHCR image, and a CLAUDE.md is added with architecture and development documentation.

Changes

Deploy Pipeline

| Layer / File(s) | Summary |
|---|---|
| Workflow trigger and image build/push (`.github/workflows/deploy.yml`, `docker-compose.yml`) | Workflow triggers on successful Test express-api runs on master. The build-and-push job checks out code, sets up Docker Buildx, authenticates to GHCR, and pushes the image with :latest and commit-SHA tags. docker-compose.yml adds the ghcr.io/aiiion/express-api:latest image reference to the api service. |
| VPS deploy job (`.github/workflows/deploy.yml`) | The deploy job (depends on build-and-push) SSHes into a VPS via appleboy/ssh-action, logs into GHCR on the remote host using GITHUB_TOKEN, runs docker compose pull api and docker compose up -d --remove-orphans, then prunes unused images. |

Repository Documentation

| Layer / File(s) | Summary |
|---|---|
| CLAUDE.md architecture and usage docs (`CLAUDE.md`) | New file documenting dev/test/DB commands, routing and validation patterns, per-route CORS, weather aggregation flow, Redis-backed two-step auth, request logging, cron scheduling, migration-only DB management, response shape conventions, and ESM/testing/fixture conventions. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 Hop, hop, the pipeline's set,
A workflow built with no regret.
Push to GHCR with a SHA tag bright,
SSH to VPS in the night.
Compose pulls up, images pruned clean—
The freshest deploy a rabbit's seen! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding a CI/CD pipeline with GHCR (GitHub Container Registry) and VPS deployment automation, which aligns with the three major changes (deploy.yml workflow, docker-compose.yml update, and CLAUDE.md documentation). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/deploy.yml (2)

57-62: ⚡ Quick win

Add set -e to fail fast on errors.

If docker compose pull or any other command fails, the script continues execution. This could leave the deployment in an inconsistent state (e.g., running up -d with a stale image).

🛡️ Suggested improvement
           script: |
+            set -e
             echo "$GHCR_TOKEN" | docker login ghcr.io -u "$ACTOR" --password-stdin
             cd "$DEPLOY_PATH"
             docker compose pull api
             docker compose up -d --remove-orphans
             docker image prune -f
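Review bot: `set -e` alone does not catch a failure in a non-final stage of a pipeline; the `echo "$GHCR_TOKEN" | docker login ...` line happens to be covered because `docker login` is the last stage, but if the VPS login shell is bash, `set -euo pipefail` is the more robust first line. The `-u` also turns an unset `$DEPLOY_PATH` into an immediate error instead of a `cd` into the wrong directory followed by `docker compose pull api` running against whatever compose file is there.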
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy.yml around lines 57 - 62, The bash script in the
deploy.yml workflow file lacks error handling that would cause it to continue
executing even if critical commands fail. Add `set -e` at the very beginning of
the script section (right after the `script: |` line) to ensure the script exits
immediately if any command returns a non-zero exit status. This will prevent the
subsequent commands like `docker compose up -d` from running with stale or
incomplete state if earlier commands like `docker compose pull` or `docker
login` fail, ensuring consistent deployment behavior.

17-18: ⚡ Quick win

Pin actions to commit SHAs and disable credential persistence.

Using version tags (e.g., @v4) instead of commit SHAs exposes the workflow to supply chain attacks if an action is compromised. Additionally, setting persist-credentials: false prevents Git credentials from being stored in the runner's git config.

🔒 Suggested improvement
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
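Review bot: the `# v4.2.2` trailer after the pinned hash is documentation only; nothing in the runner checks that the 40-character SHA actually corresponds to that tag, so verify it against the upstream repository before committing (for example `git ls-remote https://github.com/actions/checkout v4.2.2`) and configure Dependabot or Renovate for the `github-actions` ecosystem so the pin and its version comment get bumped together. `persist-credentials: false` is safe here because the checkout is only read, never pushed to, by this workflow.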

Apply similar SHA pinning to other actions (docker/setup-buildx-action, docker/login-action, docker/build-push-action, appleboy/ssh-action).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy.yml around lines 17 - 18, Replace the version tag
reference in the actions/checkout action with its specific commit SHA to prevent
supply chain attacks. In addition to pinning the commit SHA for
actions/checkout@v4, add persist-credentials: false to disable Git credential
persistence. Apply the same commit SHA pinning pattern to all other GitHub
Actions used in the workflow, specifically docker/setup-buildx-action,
docker/login-action, docker/build-push-action, and appleboy/ssh-action,
replacing their version tags with their corresponding commit SHAs.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/deploy.yml:
- Around line 35-37: In the tags section of the Docker build-push-action where
`ghcr.io/aiiion/express-api:${{ github.sha }}` is being set, replace
`github.sha` with `github.event.workflow_run.head_sha`. This ensures the image
tag correctly references the commit that triggered the "Test express-api"
workflow rather than the latest commit on the default branch, which may not have
been tested.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 18d9986c-494a-4955-a55d-bd52d40ee565

📥 Commits

Reviewing files that changed from the base of the PR and between 21117f1 and bc807d5.

📒 Files selected for processing (3)
  • .github/workflows/deploy.yml
  • CLAUDE.md
  • docker-compose.yml
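The deploy flow described in the PR description, with the review's three suggestions applied, as an added example. This is not the repository's own `deploy.yml` (which is not reproduced on this page): it shows a `workflow_run` trigger gated on the test workflow's conclusion, checkout and image tag both taken from `github.event.workflow_run.head_sha`, every action pinned to a commit SHA (the `PINNED_COMMIT_SHA` values are placeholders to be replaced with hashes verified against each upstream release), `persist-credentials: false` on the checkout, and a fail-fast remote script. The secret names `VPS_HOST`, `VPS_USER`, `VPS_SSH_KEY` and `DEPLOY_PATH` are assumptions, and `set -euo pipefail` assumes the VPS login shell is bash.

```yaml
name: Deploy

# Runs only after the "Test express-api" workflow finishes on master; the
# job-level `if` below is what actually requires that run to have succeeded.
on:
  workflow_run:
    workflows: ["Test express-api"]
    types: [completed]
    branches: [master]

# Least privilege for GITHUB_TOKEN: read the repo, write packages (GHCR).
permissions:
  contents: read
  packages: write

jobs:
  build-and-push:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      # PINNED_COMMIT_SHA is a placeholder: replace with the verified 40-char
      # SHA of the release tag and keep the tag in the trailing comment.
      - uses: actions/checkout@PINNED_COMMIT_SHA # vX.Y.Z (placeholder)
        with:
          # Check out the exact commit the tests ran against, not the branch tip
          ref: ${{ github.event.workflow_run.head_sha }}
          # Do not leave the GITHUB_TOKEN in the runner's .git/config
          persist-credentials: false

      - uses: docker/setup-buildx-action@PINNED_COMMIT_SHA # vX.Y.Z (placeholder)

      - uses: docker/login-action@PINNED_COMMIT_SHA # vX.Y.Z (placeholder)
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/build-push-action@PINNED_COMMIT_SHA # vX.Y.Z (placeholder)
        with:
          context: .
          push: true
          # Tag with the tested commit, so the SHA tag is traceable to a green run
          tags: |
            ghcr.io/aiiion/express-api:latest
            ghcr.io/aiiion/express-api:${{ github.event.workflow_run.head_sha }}

  deploy:
    needs: build-and-push
    runs-on: ubuntu-latest
    steps:
      - uses: appleboy/ssh-action@PINNED_COMMIT_SHA # vX.Y.Z (placeholder)
        env:
          # Passed to the remote shell via `envs` below (names are assumptions)
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ACTOR: ${{ github.actor }}
          DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
        with:
          host: ${{ secrets.VPS_HOST }}
          username: ${{ secrets.VPS_USER }}
          key: ${{ secrets.VPS_SSH_KEY }}
          envs: GHCR_TOKEN,ACTOR,DEPLOY_PATH
          script: |
            # Fail fast: any failing command, unset variable or failing
            # pipeline stage aborts before `up -d` can run with a stale image.
            set -euo pipefail
            echo "$GHCR_TOKEN" | docker login ghcr.io -u "$ACTOR" --password-stdin
            cd "$DEPLOY_PATH"
            docker compose pull api
            docker compose up -d --remove-orphans
            docker image prune -f
```

Because the deploy job authenticates to GHCR with the short-lived `GITHUB_TOKEN`, the VPS never holds a long-lived registry credential; the only persistent secret on the GitHub side is the SSH private key, which should be a dedicated deploy key for that host rather than a personal one.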

Aiiion and others added 4 commits June 16, 2026 23:25
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Aiiion Aiiion merged commit 4000a34 into master Jun 16, 2026
2 checks passed
@Aiiion Aiiion deleted the CI.mvp branch June 16, 2026 21:34