🚀 CI/CD & Deployment

BayanCore's continuous integration and continuous deployment (CI/CD) pipelines automate testing, building, and deploying services onto OCI clusters.


1. Environment Topology

We maintain three isolated environments inside OCI Saudi regions:

| Environment | OCI Region | Purpose | Access Control |
|---|---|---|---|
| Development | Riyadh | Automated integration testing & developer builds | Internal Developers |
| Staging | Riyadh | Pre-release QA, ZATCA Sandbox testing, performance audits | QA Teams & Select Pilot Users |
| Production | Riyadh (DR Jeddah) | Customer live operations, real ledger transactions | Strict RBAC / Auditor Access |

2. CI Pipeline (Validation & Verification)

On every Pull Request trigger:

  1. Lint & Format Check: Runs ESLint/Prettier (frontend) and Ruff (backend).
  2. Security Scan: Runs SAST scanners to flag vulnerabilities and checks for hardcoded secrets.
  3. Unit & Integration Tests: Runs tests (Mocha/Jest for frontend, PyTest for Python backends), including local mock ZATCA schema validation checks.
  4. Docker Build Check: Verifies that containers build successfully without caching errors.

3. CD Pipeline (Deployment Engine)

When code merges into the main branch:

[PR Merged to main] ──> [Build & Tag Docker Image] ──> [Push to OCI Container Registry]
    ──> [Deploy to Staging (OKE)]
    ──> [Promote to Production (OKE)]

  1. Release Tagging: The pipeline automatically increments the semantic version tag based on Conventional Commits structure and creates a GitHub Release.
  2. Container Registry Push: Builds production Docker images, tags them, and pushes them to the secure OCI Container Registry (OCIR) in Riyadh.
  3. Kubernetes Deployment (OKE): Updates deployment manifests and executes rolling updates on OCI Kubernetes Engine (OKE) node pools.
  4. Zero-Downtime Rolling Update: Containers update progressively (e.g. maxSurge = 25%, maxUnavailable = 0%), ensuring the system remains accessible.
  5. Post-Deployment Verification: Executes health checks against active routes. If a container returns failing status checks for >120 seconds, the pipeline halts and rolls back to the previous stable release automatically.
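
The rollback decision in step 5, sketched as an added example (this is not BayanCore's pipeline code). Only the 120-second threshold comes from the page; `health_gate`, `simulate`, the probe and rollback callables, the 10-second poll interval and the 300-second observation window are assumptions.

```python
import time
from typing import Callable, Iterable

FAIL_WINDOW_S = 120  # from the page: roll back after >120 s of failing checks

def health_gate(probe: Callable[[], bool], rollback: Callable[[], None],
                observe_s: float = 300, interval_s: float = 10,
                clock=time.monotonic, sleep=time.sleep) -> str:
    """Poll probe(); call rollback() once failures persist past FAIL_WINDOW_S.

    Returns "healthy" or "rolled_back". A probe that raises counts as failing,
    and the gate never passes while a failure streak is still open.
    """
    start, failing_since = clock(), None
    while True:
        now = clock()
        try:
            ok = bool(probe())
        except Exception:
            ok = False  # timeouts / connection errors are failures, not passes
        if ok:
            failing_since = None  # streak broken: the 120 s timer restarts
        else:
            failing_since = now if failing_since is None else failing_since
            if now - failing_since > FAIL_WINDOW_S:
                rollback()
                return "rolled_back"
        if failing_since is None and now - start >= observe_s:
            return "healthy"
        sleep(interval_s)

def simulate(samples: Iterable[bool], observe_s: float = 300, interval_s: float = 10):
    """Replay constructed probe results on a fake clock (no real waiting).

    Returns (verdict, [times rollback fired]); exhausted samples read healthy.
    """
    t, it, fired = [0.0], iter(samples), []
    verdict = health_gate(
        probe=lambda: next(it, True),
        rollback=lambda: fired.append(t[0]),  # assumed hook, e.g. kubectl rollout undo
        observe_s=observe_s, interval_s=interval_s,
        clock=lambda: t[0],
        sleep=lambda s: t.__setitem__(0, t[0] + s),
    )
    return verdict, fired

if __name__ == "__main__":
    print(simulate([True] * 3 + [False] * 20))  # constructed: sustained outage
    print(simulate([True] + [False] * 5))       # constructed: transient blip
```

The gate treats exactly 120 seconds of failure as still within tolerance, matching the page's ">120 seconds", and it keeps observing past the window if a failure streak is open when the window ends.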