The CI pipeline runs four checks and none of them need secrets
Every push to main and every pull request triggers a GitHub Actions workflow called CI. It runs on ubuntu-latest with Node 20 and npm caching enabled. Four steps run in sequence: lint, type check, test, build. The lint step runs the Next.js ESLint config. The type check runs tsc with noEmit so it validates every TypeScript file without producing output. The test step runs Vitest, which executes all forty-one unit tests. The build step runs next build to confirm the production bundle compiles clean.

None of these steps require environment variables or API keys. The Stripe SDK is mocked in tests. The Resend SDK is mocked in tests. The Prisma client generates from the schema without a database connection. The Google Calendar client is never imported in test files. The build succeeds because every external dependency is either mocked, tree-shaken, or loaded conditionally at runtime.

That means the CI pipeline has zero secrets configured in GitHub. No STRIPE_SECRET_KEY, no RESEND_API_KEY, no DATABASE_URL, no CLERK_SECRET_KEY. The workflow file is thirty-three lines. One job, four steps, four quality gates. If any step fails, the pipeline fails and the merge is blocked.

Railway watches the main branch and auto-deploys on every merge, so the deploy pipeline is one line of config on their side: connect the repo, pick the branch, done. CI catches the code problems. Railway handles the infrastructure. The two never overlap.
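One way to keep the zero-secrets property from drifting is to audit the workflow text itself. This is an added example, not the project's own code: the function name, the finding strings and the sample workflow (including its npm script names) are constructed assumptions, and only the four secret names come from the post.

```javascript
// Added example. Secret names are the four the post says CI does not hold.
const FORBIDDEN_ENV = ["STRIPE_SECRET_KEY", "RESEND_API_KEY", "DATABASE_URL", "CLERK_SECRET_KEY"];

// Returns one finding per problem; an empty array means the gate passes.
function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split("\n").forEach((line, i) => {
    if (/^\s*#/.test(line)) return; // skip full-line YAML comments only
    const at = `line ${i + 1}`;
    // Any ${{ secrets.X }} or ${{ secrets['X'] }} expression, GITHUB_TOKEN included.
    if (/\$\{\{[^}]*\bsecrets\s*[.\[]/.test(line)) findings.push(`${at}: secrets context`);
    // Reusable-workflow form that forwards secrets to a called workflow.
    if (/^\s*secrets\s*:/.test(line)) findings.push(`${at}: secrets block`);
    for (const name of FORBIDDEN_ENV) {
      if (new RegExp(`\\b${name}\\b`).test(line)) findings.push(`${at}: ${name}`);
    }
    // This trigger runs fork pull requests with repository secrets in scope.
    if (/\bpull_request_target\b/.test(line)) findings.push(`${at}: pull_request_target`);
  });
  return findings;
}

// Constructed sample shaped like the workflow the post describes (not the real file).
const CLEAN_WORKFLOW = [
  "name: CI",
  "on:",
  "  push:",
  "    branches: [main]",
  "  pull_request:",
  "jobs:",
  "  ci:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: actions/setup-node@v4",
  "        with: { node-version: 20, cache: npm }",
  "      - run: npm ci",
  "      - run: npm run lint",
  "      - run: npx tsc --noEmit",
  "      - run: npx vitest run",
  "      - run: npm run build",
].join("\n");

// Constructed drift: someone wires a database secret into the build step.
const DRIFTED_WORKFLOW = CLEAN_WORKFLOW +
  "\n        env:\n          DATABASE_URL: ${{ secrets.DATABASE_URL }}";

console.log(auditWorkflow(CLEAN_WORKFLOW), auditWorkflow(DRIFTED_WORKFLOW));
```

The scan is line-based rather than a YAML parse, so it errs toward false positives (a secret name in a trailing comment is still flagged).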