How Solomon is built, tested, and shipped to production
Solomon uses two GitHub Actions workflows to optimize deploy times based on what changed.
| Workflow | Trigger |
|---|---|
| deploy-and-release.yml | push to main (excludes functions/**) |
| deploy-functions.yml | push to main with changes only in functions/** |

- Build: prepares version.ts, runs npm install then npm run build:prod, and uploads the build artifact with 1-day retention.
- Deploy: writes secrets to functions/.env, authenticates via WIF, and deploys hosting + Firestore + functions.
- Release: calls Claude (claude-sonnet-4-6) with the commit log to generate categorized release notes; falls back to grep/sed categorization on failure.
Version bumps are determined automatically from conventional commit messages in the commit log.
Releases are versioned as v{major}.{minor}.{patch}; each release creates an annotated git tag and a GitHub Release with categorized notes.
Solomon uses Workload Identity Federation (WIF) for GitHub Actions CI/CD, so no service account keys are stored.
- Workload identity pool: github-actions-pool
- OIDC provider: github-provider
- Auth step: google-github-actions/auth@v2 with token_format: 'access_token'
- Firebase CLI credential: FIREBASE_TOKEN: ${{ steps.auth.outputs.access_token }}
- Omit --allowed-audiences when creating the OIDC provider. The google-github-actions/auth@v2 action sends the provider resource name as the audience by default; setting a custom audience causes an "audience does not match" error.
On each release, the pipeline sends the conventional commit log to Claude (claude-sonnet-4-6), which generates categorized markdown release notes:
If the Claude API call fails (non-200 response), a shell-based fallback using grep and sed categorizes commits into the same sections.
| Issue | Solution |
|---|---|
| firebase-tools@13.15.3+ fails with 403 on extensions API check | Pin to firebase-tools@13.15.2 |
| npm ci fails with 403/404 on older transitive deps | Use npm install (resilient to registry errors) |
| SSL errors in Firebase deploy | Set NODE_TLS_REJECT_UNAUTHORIZED: '0' in env (this disables TLS certificate verification for the whole Node process, so scope it to the deploy step rather than the job or workflow) |
| WIF audience mismatch | Omit --allowed-audiences on OIDC provider |
| Secret Manager permissions in deploy | Write secrets to functions/.env in CI before deploy, not firebase.json secrets[] or gcloud run services update |
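A constructed GitHub Actions workflow, added here as an example and not Solomon's own deploy-and-release.yml, that wires together the trigger filter, the WIF auth step and the deploy-time fixes from the table above. PROJECT_NUMBER, PROJECT_ID, the deployer service account, the Node version and the EXAMPLE_API_KEY secret are placeholders; the pool and provider names are the ones the page gives.

```yaml
# Constructed example (not Solomon's own workflow file): a GitHub Actions workflow
# wired the way the page describes. PLACEHOLDER values are assumptions.
name: deploy-and-release
on:
  push:
    branches: [main]
    paths-ignore:
      - 'functions/**'   # functions-only changes are handled by deploy-functions.yml

permissions:
  contents: read
  id-token: write        # lets the job mint a GitHub OIDC token to exchange via WIF

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed; use the project's Node version

      # npm install rather than npm ci: tolerates registry 403/404 on old transitive deps
      - run: npm install
      - run: npm run build:prod

      # Keyless auth: the GitHub OIDC token is exchanged for a short-lived GCP access token.
      # No --allowed-audiences on the provider: the action sends the provider resource
      # name as the audience, so a custom audience fails with "audience does not match".
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-actions-pool/providers/github-provider
          service_account: deployer@PROJECT_ID.iam.gserviceaccount.com
          token_format: 'access_token'

      # Secrets are materialised into functions/.env on the runner just before deploy;
      # the file is never committed, so nothing sensitive lands in the repo.
      - run: printf 'EXAMPLE_API_KEY=%s\n' "$EXAMPLE_API_KEY" > functions/.env
        env:
          EXAMPLE_API_KEY: ${{ secrets.EXAMPLE_API_KEY }}   # assumed secret name

      # Pinned: firebase-tools 13.15.3+ returns 403 on the extensions API check.
      - run: npx firebase-tools@13.15.2 deploy --only hosting,firestore,functions --project PROJECT_ID
        env:
          FIREBASE_TOKEN: ${{ steps.auth.outputs.access_token }}
```

The access token is short-lived and scoped to the deployer service account, so a leaked runner log or artifact never exposes a long-lived key.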