The daily docling-compat job manually installed only pytest, pytest-asyncio
and httpx, which made test_architecture.py fail with ModuleNotFoundError:
no module named 'pytestarch' — wrongly opening 'Docling compatibility break'
issues. Align with ci.yml by installing requirements-test.txt instead.
aquasecurity/trivy-action@v0.35.0 defaults to Trivy CLI v0.69.3, but
that tag was removed from GitHub releases mid-run on 2026-04-29 — the
HIGH step on Security scan — local started failing at setup time:
aquasecurity/trivy info checking GitHub for tag 'v0.69.3'
aquasecurity/trivy crit unable to find 'v0.69.3'
##[error]Process completed with exit code 1.
The CRITICAL step still passed (binary was in cache from a prior run),
so this only surfaced as a HIGH-step failure — but the job exit code
still propagates and breaks the gate.
Following `latest` rather than chasing a specific tag that upstream
can yank without notice.
Refs #189
The CRITICAL + HIGH Trivy steps in release-gate.yml were invoking
aquasecurity/trivy-action without the `trivyignores` input, so the
.trivyignore.yaml at the repo root (committed in #190 to mitigate
CVE-2026-40393 / Mesa) was silently ignored — the gate kept failing
on a CVE we explicitly chose to defer.
Pass `trivyignores: .trivyignore.yaml` to both Trivy steps so the file
takes effect. The HIGH step also gets it for consistency (it doesn't
fail the gate, but reporting a CVE we ignore as HIGH would be noise).
Refs #189
CI was missing pytestarch dependency, causing test_architecture.py to fail
at collection time. Switch to requirements-test.txt which includes all
test dependencies.
The Release summary job was downloading ALL artifacts (~780 MB)
including Docker images it never uses. The 648 MB docker-image-local
consistently timed out after 5 retries. Now downloads only the 4
small artifacts actually needed (~2 KB total).
Force Node.js 24 in all GitHub Actions workflows to suppress the
upcoming Node.js 20 deprecation warnings. Disable vue/html-indent and
vue/html-closing-bracket-newline ESLint rules that conflict with
Prettier formatting.
Closes#122
The backend container only exposes port 8000 internally (expose, not
ports). The health check and Karate tests must go through the nginx
proxy on port 3000, the only port published to the host.
Set up a full E2E test suite (39 scenarios) using Karate against
the real API stack. Hybrid architecture: domain-based features +
cross-domain workflows, with data-driven testing and callable helpers.
Structure:
- e2e/pom.xml: Maven + karate-core 1.5
- 3 helpers (upload, analyze+poll, cleanup)
- 3 JSON schemas (health, document, analysis)
- 12 feature files across health, documents, analyses, workflows
- Tags: @smoke (2), @regression (35), @e2e (2)
- generate-test-data.py: fpdf2-based PDF generation (no binaries)
Also adds:
- RATE_LIMIT_RPM env var to make rate limiter configurable (0=disabled)
- CI job e2e with needs: [backend, frontend]
- e2e/ in .dockerignore
Closes#119
GitHub only auto-closes issues when PRs target the default branch.
This workflow scans commit messages for Closes/Fixes patterns on
push to release/** and closes the referenced issues via gh CLI.
Closes#115
Replace hardcoded version strings with build-time injection:
- Frontend: Vite __APP_VERSION__ from env or package.json
- Backend: APP_VERSION env var exposed via /health endpoint
- Docker: build arg propagated through both stages
- CI: release workflow extracts version from git tag
Document branching strategy and release process in CONTRIBUTING.md.
Catch up CHANGELOG with v0.2.0 and Unreleased sections.
Sync package.json version to 0.3.0.