fix: consolidate and repair Firebase CI/CD pipelines

chenyuan99 · claude · chenyuan99 · commit fec9abd411ef · 2026-05-24T17:29:09.000-04:00
- firebase-deploy.yml: add path filters, VITE_RECAPTCHA_ENTERPRISE_SITE_KEY,
  google-github-actions/auth for SA auth, multi-path npm caching, npx
  firebase-tools (no global install), remove --debug noise
- frontend.yml: drop deploy job (race condition with firebase-deploy.yml),
  bump all actions to v4, CI-only on PRs and feat/fix branches
- backend.yml: drop broken deploy job (was targeting wrong functions dir),
  fix GOOGLE_APPLICATION_CREDENTIALS misuse, bump actions to v4/v5,
  CI-only

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
@@ -1,13 +1,13 @@
-name: Backend CI/CD
+name: Backend CI
 
 on:
   push:
-    branches: [ main ]
+    branches: [main, 'feat/**', 'fix/**']
     paths:
       - 'backend/**'
       - '.github/workflows/backend.yml'
   pull_request:
-    branches: [ main ]
+    branches: [main]
     paths:
       - 'backend/**'
       - '.github/workflows/backend.yml'
@@ -20,71 +20,27 @@ jobs:
         working-directory: ./backend/parser/functions
 
     steps:
-    - uses: actions/checkout@v3
-    
-    - name: Set up Python
-      uses: actions/setup-python@v4
-      with:
-        python-version: '3.12'
-        cache: 'pip'
-        cache-dependency-path: './backend/parser/functions/requirements.txt'
-    
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install -r requirements.txt
-        pip install pytest pytest-mock pytest-cov
-    
-    - name: Run tests with coverage
-      run: pytest --cov=./ --cov-report=xml
-      env:
-        GOOGLE_APPLICATION_CREDENTIALS: ${{ secrets.FIREBASE_SERVICE_ACCOUNT }}
-        FIREBASE_STORAGE_BUCKET: ${{ secrets.FIREBASE_STORAGE_BUCKET }}
-    
-    - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v3
-      with:
-        file: ./coverage.xml
-        flags: backend
-        name: backend-coverage
-
-  deploy:
-    needs: test
-    runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
-
-    steps:
-    - uses: actions/checkout@v3
-
-    - name: Set up Node.js
-      uses: actions/setup-node@v3
-      with:
-        node-version: '22'
-
-    - name: Set up Python
-      uses: actions/setup-python@v4
-      with:
-        python-version: '3.12'
-        cache: 'pip'
-        cache-dependency-path: './backend/parser/functions/requirements.txt'
-
-    - name: Install Python dependencies
-      working-directory: ./backend/parser/functions
-      run: |
-        python -m pip install --upgrade pip
-        pip install -r requirements.txt
-        pip install firebase-admin firebase-functions
-
-    - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@v1
-      with:
-        credentials_json: '${{ secrets.FIREBASE_SERVICE_ACCOUNT }}'
-
-    - name: Set up Cloud SDK
-      uses: google-github-actions/setup-gcloud@v1
-
-    - name: Install Firebase CLI
-      run: npm install -g firebase-tools
-
-    - name: Deploy to Firebase Functions
-      run: firebase deploy --only functions --project ${{ secrets.FIREBASE_PROJECT_ID }} --non-interactive
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+          cache-dependency-path: './backend/parser/functions/requirements.txt'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install pytest pytest-mock pytest-cov
+
+      - name: Run tests with coverage
+        run: pytest --cov=./ --cov-report=xml
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          file: ./coverage.xml
+          flags: backend
+          name: backend-coverage
diff --git a/.github/workflows/firebase-deploy.yml b/.github/workflows/firebase-deploy.yml
@@ -3,11 +3,19 @@ name: Deploy to Firebase
 on:
   push:
     branches: [main]
+    paths:
+      - 'frontend/**'
+      - 'functions/**'
+      - 'firebase.json'
+      - '.github/workflows/firebase-deploy.yml'
   workflow_dispatch:
 
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - uses: actions/checkout@v4
@@ -17,7 +25,9 @@ jobs:
         with:
           node-version: '22'
           cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
+          cache-dependency-path: |
+            frontend/package-lock.json
+            functions/package-lock.json
 
       - name: Install frontend dependencies
         run: npm ci --prefix frontend
@@ -32,19 +42,21 @@ jobs:
           VITE_FIREBASE_MESSAGING_SENDER_ID: ${{ secrets.VITE_FIREBASE_MESSAGING_SENDER_ID }}
           VITE_FIREBASE_APP_ID: ${{ secrets.VITE_FIREBASE_APP_ID }}
           VITE_FIREBASE_MEASUREMENT_ID: ${{ secrets.VITE_FIREBASE_MEASUREMENT_ID }}
+          VITE_RECAPTCHA_ENTERPRISE_SITE_KEY: ${{ secrets.VITE_RECAPTCHA_ENTERPRISE_SITE_KEY }}
 
       - name: Install functions dependencies
         run: npm ci --prefix functions
 
       - name: Build functions
         run: npm run build --prefix functions
 
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.FIREBASE_SERVICE_ACCOUNT }}
+
+      - name: Write functions env
+        run: echo "GOOGLE_GENAI_API_KEY=${{ secrets.GOOGLE_GENAI_API_KEY }}" > functions/.env.taxfront-1e142
+
       - name: Deploy to Firebase
-        run: |
-          echo '${{ secrets.FIREBASE_SERVICE_ACCOUNT }}' > /tmp/sa.json
-          echo "GOOGLE_GENAI_API_KEY=${{ secrets.GOOGLE_GENAI_API_KEY }}" > functions/.env.taxfront-1e142
-          npm install -g firebase-tools
-          GOOGLE_APPLICATION_CREDENTIALS=/tmp/sa.json firebase deploy --project taxfront-1e142 --non-interactive --debug 2>&1
-          EXIT=$?
-          rm -f /tmp/sa.json functions/.env.taxfront-1e142
-          exit $EXIT
+        run: npx firebase-tools deploy --project taxfront-1e142 --non-interactive
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
@@ -1,13 +1,13 @@
-name: Frontend CI/CD
+name: Frontend CI
 
 on:
   push:
-    branches: [ main, 'feature/**' ]
+    branches: ['feat/**', 'fix/**']
     paths:
       - 'frontend/**'
       - '.github/workflows/frontend.yml'
   pull_request:
-    branches: [ main, 'feature/**' ]
+    branches: [main]
     paths:
       - 'frontend/**'
       - '.github/workflows/frontend.yml'
@@ -20,70 +20,28 @@ jobs:
         working-directory: ./frontend
 
     steps:
-    - uses: actions/checkout@v3
-    
-    - name: Set up Node.js
-      uses: actions/setup-node@v3
-      with:
-        node-version: '22'
-        cache: 'npm'
-        cache-dependency-path: './frontend/package-lock.json'
-    
-    - name: Install dependencies
-      run: npm ci
-    
-    - name: Run linter
-      run: npm run lint
-    
-    - name: Run tests with coverage
-      run: npm test -- --coverage
-      env:
-        CI: true
-    
-    - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v3
-      with:
-        flags: frontend
-        name: frontend-coverage
+      - uses: actions/checkout@v4
 
-  deploy:
-    needs: test
-    runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
-    defaults:
-      run:
-        working-directory: ./frontend
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: './frontend/package-lock.json'
 
-    steps:
-    - uses: actions/checkout@v3
-    
-    - name: Set up Node.js
-      uses: actions/setup-node@v3
-      with:
-        node-version: '22'
-        cache: 'npm'
-        cache-dependency-path: './frontend/package-lock.json'
-    
-    - name: Install dependencies
-      run: npm ci
-    
-    - name: Build
-      run: npm run build
-      env:
-        VITE_FIREBASE_API_KEY: ${{ secrets.FIREBASE_APIKEY }}
-        VITE_FIREBASE_AUTH_DOMAIN: ${{ secrets.FIREBASE_AUTH_DOMAIN }}
-        VITE_FIREBASE_PROJECT_ID: ${{ secrets.FIREBASE_PROJECT_ID }}
-        VITE_FIREBASE_STORAGE_BUCKET: ${{ secrets.FIREBASE_STORAGE_BUCKET }}
-        VITE_FIREBASE_MESSAGING_SENDER_ID: ${{ secrets.FIREBASE_MESSAGING_SENDER_ID }}
-        VITE_FIREBASE_APP_ID: ${{ secrets.FIREBASE_APP_ID }}
-        VITE_FIREBASE_MEASUREMENT_ID: ${{ secrets.FIREBASE_MEASUREMENT_ID }}
-    
-    - name: Deploy to Firebase
-      uses: FirebaseExtended/action-hosting-deploy@v0
-      with:
-        repoToken: '${{ secrets.GITHUB_TOKEN }}'
-        firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT }}'
-        channelId: live
-        projectId: ${{ secrets.FIREBASE_PROJECT_ID }}
-      env:
-        FIREBASE_CLI_EXPERIMENTS: webframeworks
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run linter
+        run: npm run lint
+
+      - name: Run tests with coverage
+        run: npm test -- --coverage
+        env:
+          CI: true
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          flags: frontend
+          name: frontend-coverage
