## Context (P1 — delivery) CI only runs tests. There is no released artifact: no image publish, no image/dependency scanning, no automated dependency updates. ## Scope - CI job: build + push image to GHCR on push of version tags (`v*`) and on `main`, tagged `latest` + semver; use docker/build-push-action with layer caching - Trivy scan of the built image (fail on HIGH/CRITICAL, allowlist file for accepted findings) - Dependabot config for Maven + GitHub Actions - Raise `jacoco.line.coverage` above 0.00 now that the security package has real coverage (existing follow-up from #3/#4) ## Acceptance criteria - [ ] Tagged release produces a pullable GHCR image with semver tags - [ ] Trivy gate blocks HIGH/CRITICAL vulnerabilities - [ ] Dependabot opens PRs for Maven/Actions updates - [ ] Coverage ratchet raised to current actual coverage floor
Context (P1 — delivery)
CI only runs tests. There is no released artifact: no image publish, no image/dependency scanning, no automated dependency updates.
Scope
v*) and onmain, taggedlatest+ semver; use docker/build-push-action with layer cachingjacoco.line.coverageabove 0.00 now that the security package has real coverage (existing follow-up from test: add JaCoCo coverage reporting + CI test gate #3/test: add coverage for security filter chains and PermissionService #4)Acceptance criteria