This page provides an operational overview of the NovaTrek Continuous Architecture Platform — CI/CD pipelines, deployment targets, cost controls, and integration points.
GitHub Actions Pipelines
All workflows live in .github/workflows/ on the main branch.
Documentation
| Workflow | Trigger | Purpose |
| --- | --- | --- |
| Deploy Documentation | Push/PR to main (doc paths) | Build MkDocs, deploy to Azure SWA, publish Confluence mirror |
| Validate Solution Design | PR to main (architecture paths) | YAML lint, folder structure check, data isolation audit, portal build |
Service CI/CD
| Workflow | Trigger | Purpose |
| --- | --- | --- |
| svc-check-in | Push/PR to main (services/svc-check-in/, config/adventure-classification.yaml) | Full CI/CD chain: build, test, OWASP scan, Docker push, Flyway migrate, deploy to dev and prod |
| Service CI (Reusable) | Called by per-service workflows | Gradle build, test, OWASP dependency check, Docker build to ACR, Trivy container scan |
| Service CD (Reusable) | Called by per-service workflows | Container Apps update + health check (30 attempts, 10s intervals) |
| Database Migrations | Called by per-service CD chains | Flyway migration against PostgreSQL; auto-detects schema from service name |
Infrastructure
| Workflow | Trigger | Purpose |
| --- | --- | --- |
| Infrastructure Deploy | Push to main (infra/**) or manual dispatch | Bicep lint, what-if preview, deploy platform.bicep to target environment |
| Infrastructure Teardown | Manual dispatch (requires DESTROY confirmation) | Destroy rg-novatrek-dev or all ephemeral resource groups |
| Ephemeral Environment | PR events on services/ or infra/ paths | Spin up rg-novatrek-pr-{N} on PR open, tear down on PR close |
Confluence Integration
| Workflow | Trigger | Purpose |
| --- | --- | --- |
| Confluence Drift Check | Weekdays 6 AM UTC; manual dispatch | Detect unauthorized edits to auto-generated Confluence pages |
| Wipe Confluence Space | Manual dispatch (requires WIPE confirmation) | Delete all content from the ARCH Confluence space; supports dry-run |
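The drift check compares the auto-generated pages against what the publish step last wrote. As an added example (not the project's own workflow code), the core comparison in Python: it assumes the publish step records a manifest of SHA-256 content hashes and Confluence version numbers per page, and the page ids and bodies below are constructed sample data.

```python
"""Confluence drift check: flag auto-generated pages edited outside the pipeline."""
import hashlib
import re


def normalize(body: str) -> str:
    # Collapse whitespace so Confluence re-serialising the storage format is not drift.
    return re.sub(r"\s+", " ", body).strip()


def content_hash(body: str) -> str:
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()


def detect_drift(manifest, current):
    """Compare the publish-time manifest with the pages as they are now.

    manifest: {page_id: {"version": int, "sha256": str}} written at publish time (assumed format).
    current:  {page_id: {"version": int, "body": str}} as fetched from the space.
    Returns sorted (page_id, reason) tuples; an empty list means no drift.
    """
    findings = []
    for page_id, expected in manifest.items():
        page = current.get(page_id)
        if page is None:
            findings.append((page_id, "missing"))            # page deleted or moved out of the space
        elif content_hash(page["body"]) != expected["sha256"]:
            findings.append((page_id, "content-modified"))   # body differs from what was published
        elif page["version"] != expected["version"]:
            findings.append((page_id, "version-changed-content-intact"))  # edited and reverted, or re-saved
    return sorted(findings)


# Constructed sample data: what the publish step wrote, and what a later check fetched.
PUBLISHED = {
    "svc-check-in": "<p>svc-check-in handles adventure check-ins.</p>",
    "svc-scheduling-orchestrator": "<p>Requires Redis Cache.</p>",
    "platform-overview": "<p>19 microservices on Container Apps.</p>",
    "deployment-flows": "<p>Push to main deploys dev then prod.</p>",
}
MANIFEST = {pid: {"version": 1, "sha256": content_hash(body)} for pid, body in PUBLISHED.items()}
CURRENT = {
    "svc-check-in": {"version": 1, "body": "<p>svc-check-in  handles adventure check-ins.</p>\n"},  # whitespace only
    "svc-scheduling-orchestrator": {"version": 2, "body": "<p>Requires Redis Cache and Kafka.</p>"},  # manual edit
    "deployment-flows": {"version": 3, "body": PUBLISHED["deployment-flows"]},  # version bumped, same content
    # "platform-overview" has been deleted from the space
}


def run_check():
    return detect_drift(MANIFEST, CURRENT)


if __name__ == "__main__":
    for page_id, reason in run_check():
        print(f"DRIFT {page_id}: {reason}")
```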
Cost Controls
| Workflow | Trigger | Purpose |
| --- | --- | --- |
| Nightly Start Dev | 1 PM UTC (8 AM EST) Mon-Fri; manual dispatch | Start PostgreSQL server, restore Container Apps scaling (0-2 replicas) |
| Nightly Stop Dev | 1 AM UTC (8 PM EST) Tue-Sat; manual dispatch | Stop PostgreSQL server, scale all Container Apps to 0 replicas |
Ticketing Integration
| Workflow | Trigger | Purpose |
| --- | --- | --- |
| Sync Vikunja Tickets | Every 30 min Mon-Fri 12-22 UTC; manual dispatch; webhook relay | Bi-directional sync between tickets.yaml and Vikunja board |
Deployment Targets
Environments
| Environment | Resource Group | Purpose | Lifecycle |
| --- | --- | --- | --- |
| production | rg-novatrek-prod | Live microservices platform | Always on |
| dev | rg-novatrek-dev | Development and testing | Nightly start/stop (business hours EST) |
| ephemeral | rg-novatrek-pr-{N} | Per-PR preview environments | Created on PR open, destroyed on PR close |
Static Web Apps
The platform Bicep template deploys:
- Azure Container Apps Environment — hosts all 19 microservices
- PostgreSQL Flexible Server — per-service schemas via Flyway
- Azure Container Registry — Docker images from CI
- Azure Service Bus — event-driven integration between services
- Redis Cache — required by svc-scheduling-orchestrator
- Key Vault — secrets management
- Managed Identity — workload identity for OIDC auth
- Budget Alerts — configurable monthly budget (default $50/month)
Deployment Flows
Service Deployment (push to main)
Code push (services/svc-check-in/**)
→ Service CI: build, test, OWASP scan, Docker push, Trivy scan
→ DB Migrate (dev): Flyway against dev PostgreSQL
→ Service CD (dev): Container Apps update + health check
→ DB Migrate (prod): Flyway against prod PostgreSQL
→ Service CD (prod): Container Apps update + health check
Documentation Deployment (push to main)
Code push (portal/**)
→ Build: MkDocs + PlantUML generators + portal scripts
→ Deploy: Azure Static Web Apps (production)
→ Confluence: prepare staging → publish pages → lock pages
PR Preview Flow
PR opened (services/** or infra/**)
→ Ephemeral: create rg-novatrek-pr-{N}, deploy platform.bicep
→ Post PR comment with preview URLs
→ Cost: ~$0.50-2.00 per PR lifetime
PR closed
→ Ephemeral: delete rg-novatrek-pr-{N}
Cost Control Cycle
8 AM EST Mon-Fri → Start PostgreSQL, scale services 0-2 replicas
8 PM EST Mon-Fri → Stop PostgreSQL, scale all services to 0 replicas
Weekend → Dev environment fully stopped
Secrets and Variables
GitHub Actions Secrets
| Secret | Used By | Purpose |
| --- | --- | --- |
| AZURE_CLIENT_ID | All deployment workflows | Service principal — OIDC auth |
| AZURE_TENANT_ID | All deployment workflows | Azure AD tenant |
| AZURE_SUBSCRIPTION_ID | All deployment workflows | Target subscription |
| ACR_NAME | Service CI | Container Registry name |
| ACR_LOGIN_SERVER | Service CI | Container Registry login server |
| POSTGRES_ADMIN_USER | DB Migrate, Infra Deploy | PostgreSQL admin username |
| POSTGRES_ADMIN_PASSWORD | DB Migrate, Infra Deploy | PostgreSQL admin password |
| AZURE_STATIC_WEB_APPS_API_TOKEN | Docs Deploy | SWA deployment token (architecture portal) |
| AZURE_STATIC_WEB_APPS_PRESENTATION_API_TOKEN | Docs Deploy | SWA deployment token (presentation site) |
| CONFLUENCE_USERNAME | Docs Deploy, Confluence workflows | Confluence service account |
| CONFLUENCE_API_TOKEN | Docs Deploy, Confluence workflows | Confluence API token |
| VIKUNJA_TOKEN | Validate Solution, Sync Vikunja | Vikunja ticketing API token |
GitHub Actions Variables
| Variable | Used By | Purpose |
| --- | --- | --- |
| CONFLUENCE_BASE_URL | Docs Deploy, Confluence workflows | Confluence instance URL |
| CONFLUENCE_SPACE | Docs Deploy, Confluence workflows | Space key (ARCH) |
| VIKUNJA_URL | Validate Solution, Sync Vikunja | Vikunja instance URL |
| VIKUNJA_SPACE | Sync Vikunja | Vikunja space identifier |
Key Links