মেইনটেইনার প্লেবুক
প্রজেক্ট মেইনটেনেন্স
অপারেশনাল মেইনটেনেন্স cadence সহ CI, release এবং dependency troubleshooting runbook।
Project Maintenance
Purpose
A project is like a garden — it needs regular care to stay healthy. This guide gives you a **maintenance routine** organized by how often you should do each task. Follow it, and your repository will stay stable, secure, and up to date.
If you're a solo developer, you can combine daily and weekly tasks into one session. For teams, assign different tasks to different members.
Daily Routine (Every Push)
These are things you should do every time you work on the project.
1. Sync Your Branch
Before starting any new work, make sure your feature branch is up to date with `main`:
git checkout main
git pull origin main
git checkout your-feature-branch
git merge main2. Run the Standard Pre-Push Checks
These are the same checks that run in CI. Running them locally saves time and prevents broken commits:
pnpm run lint
pnpm run typecheck
pnpm run test
pnpm run format:check
pnpm run buildIf any of these fail, fix the issue **before** pushing.
3. Keep Docs Aligned
If your change affects how something works (auth flow, environment variables, API endpoints), update the relevant docs in `docs/` before committing. This prevents documentation from going stale.
Weekly Routine (Every Week)
Set aside 15–30 minutes each week for these tasks.
1. Review Dependency PRs
Dependabot (or Renovate) will open PRs when dependencies have updates. Each week:
- ✅ Review open dependency PRs
- ✅ Check the release notes for breaking changes
- ✅ Merge patch updates (`x.y.z` → `x.y.z+1`) — these are safe bug fixes
- ⚠️ Review minor/major updates more carefully — they may require code changes
2. Check CI Health
Go to the **Actions** tab and look at recent workflow runs:
- Are any workflows failing?
- Are any tests flaky (pass sometimes, fail others)?
- Is the build time increasing unexpectedly?
Address failures promptly — a red CI badge is a sign that something is broken.
Also check for `Expected — Waiting for status to be reported` on recent PRs. If seen repeatedly, audit branch ruleset required checks and re-add them from live check sources.
3. Review Open Issues
Quick scan through new issues:
- ✅ Are there any auth/security related issues?
- ✅ Are there reproducible bugs?
- ✅ Can any issues be closed (answered, duplicate, stale)?
Monthly Routine (Every Month)
Set aside 1–2 hours each month for deeper maintenance.
1. Audit Environment Variables & Secrets
Environment variables tend to accumulate over time. Check:
- ✅ Are all variables in `.env.example` still in use?
- ✅ Are there any variables that are no longer referenced in code?
- ✅ Are secrets rotated? (Best practice: rotate `AUTH_SESSION_SECRET` every few months)
- ✅ Are there any hardcoded values that should be environment variables?
2. Verify Release Automation Health
- ✅ Check that the last release was generated correctly
- ✅ Is the CHANGELOG being updated properly?
- ✅ Are Conventional Commits being followed?
- ✅ Check `.release-please-config.json` and manifest are in sync
- ✅ Confirm release PRs are mergeable (no stuck required checks)
3. Verify Documentation Accuracy
Docs drift from reality over time. Pick a few docs and verify:
- ✅ Do the instructions still produce the expected result?
- ✅ Are the code examples up to date?
- ✅ Are the CLI commands still correct (package manager, flags, etc.)?
Quarterly Routine (Every 3 Months)
Set aside half a day each quarter for a deeper review.
1. Validate Deployment Guides
Deployment providers change their UIs, pricing, and requirements regularly:
- ✅ Try following the deployment guide from scratch on a fresh environment
- ✅ Update any UI screenshots or step descriptions
- ✅ Check if there are new provider features worth adopting
- ✅ Verify Dockerfile and docker-compose.yml still work with the latest Node.js version
2. Full Test Suite Run
Run the **entire** test suite, including e2e tests (if configured):
pnpm run test
pnpm run test:integrationFailing tests after a long time? It could be:
- A dependency update that changed behavior
- A change in the testing environment (Node version, OS)
- Drift between test data and actual data
3. Review Dependencies for Major Upgrades
Check which major version upgrades are available:
pnpm outdatedFor each major upgrade:
- Read the library's changelog / migration guide
- Check if it affects your code (breaking changes)
- Plan the upgrade in a dedicated PR (don't mix with feature work)
- Run the full test suite after upgrading
4. Security Review
- ✅ Check if any new CVEs affect your dependencies (`pnpm audit`)
- ✅ Verify CSP headers in `next.config.ts` are still appropriate
- ✅ Review access to the repository (who has admin/ write access?)
- ✅ Check if GitHub has flagged any security advisories for the repo
Maintainer Troubleshooting Playbook
Use this section when recurring operational issues appear in CI/release workflows.
1. Dependabot auto-merge fails in guarded merge script
Symptoms:
- Dependabot auto-merge workflow fails early
- logs show GitHub CLI output or schema-related errors
Typical causes:
- script depends on unstable `gh` JSON fields
- script path/permission issues in workflow
- missing token permissions
What to check:
- `.github/scripts/guarded-pr-merge.sh` exists and is executable
- workflow step runs `chmod +x .github/scripts/guarded-pr-merge.sh`
- workflow uses `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`
- `Settings > Actions > General > Workflow permissions` is set to `Read and write`
Safer script behavior:
- prefer command-attempt + fallback over hardcoded schema fields
- keep `set -euo pipefail` and enough contextual logs
- fail only on truly unsafe states; skip gracefully when merge policy blocks
2. Token policy for boilerplate repositories
Rules:
- never hardcode Personal Access Tokens (PATs) in repo files
- use `${{ secrets.GITHUB_TOKEN }}` in workflows by default
- if custom PAT is needed, each user sets it in their own repo secrets
Why:
- this template will be reused by many teams
- committed tokens are immediate security incidents
- `GITHUB_TOKEN` is scoped and managed by GitHub Actions
3. Supply-chain protection for dependency auto-merge
Blind auto-merge is risky. Use a guarded policy:
- auto-merge only `semver-patch`
- production dependencies only
- ecosystem scoped (for this repo: npm)
- denylist critical/core packages for manual review
- required CI checks must pass
Manual-review examples:
- `next`, `react`, `react-dom`
- auth/data foundations (`better-auth`, `drizzle-orm`, `pg`)
- test/runtime tooling with broad impact (`typescript`, `@types/node`)
4. Playwright runtime suddenly increases (for example ~15 minutes)
Common reasons:
- CI runs with `workers: 1` (serial execution)
- retries are high and flaky tests retry frequently
- browser/dependency install overhead in each run
- test suite grew without smoke/full split
Practical tuning:
- raise CI workers moderately (for example `2`)
- reduce retries after stabilizing flaky selectors
- split e2e into fast smoke checks vs deeper full suite
- keep selectors resilient to auth-state and locale variants
- monitor runtime trends in Actions weekly
5. Locale/content mismatch in docs pages
Symptoms:
- switching EN/BN changes UI language, but article content stays in one language
Checks:
- verify locale resolution logic in `src/lib/docs/content.ts`
- verify source path mapping per locale
- if docs policy is English-only, point all locale source paths to English markdown
- remove stale locale doc folders to avoid accidental routing regressions
6. Branch/ruleset check drift
Symptoms:
- release or PR checks show `Expected — Waiting for status to be reported`
Fix:
- open branch protection ruleset
- remove stale required check names
- re-add required checks from live check-run names
- re-run affected workflow
Summary: Maintenance at a Glance
| Frequency | What To Do | Time Required |
|---|---|---|
| **Daily** | Sync branch, run pre-push checks, keep docs aligned | 5–10 min |
| **Weekly** | Review dependency PRs, check CI health, scan new issues | 15–30 min |
| **Monthly** | Env/secret audit, release automation health, docs accuracy | 1–2 hours |
| **Quarterly** | Validate deploy guides, full test run, major upgrades, security review | Half a day |
Related Docs
- [Workflows](../workflows.md)
- [Release Automation](release-automation.md)
- [Contributing Guide](contributing.md)
- [Security Policy](../security.md)
- [Deployment Guide](deployment.md)