CI/CD Pipeline
Commit → production in 15 minutes.
Automated delivery pipeline with quality gates, security scans and progressive rollout. Deployment as routine, not an event.
Why CI/CD isn’t just build and deploy
CI/CD is the entire delivery pipeline from commit to production. Every step automated, measurable, auditable.
Pipeline architecture
┌────────┐   ┌──────────────┐   ┌──────────────┐   ┌──────────┐   ┌──────────┐
│ Commit │──▶│ Build + Lint │──▶│ Test Suite   │──▶│ Security │──▶│ Staging  │
│        │   │ + SAST       │   │ Unit + Integ │   │ Trivy    │   │ E2E      │
└────────┘   └──────────────┘   └──────────────┘   │ Checkov  │   │ Smoke    │
                                                   └────┬─────┘   └────┬─────┘
                                                        │              │
                                                  Quality gates  Quality gates
                                                        │              │
                                                        ▼              ▼
                                                   ┌──────────┐   ┌──────────┐
                                                   │ Prod     │   │ Full     │
                                                   │ Canary   │──▶│ Rollout  │
                                                   │ 5%       │   │ 100%     │
                                                   └──────────┘   └──────────┘
Quality Gates
Automated checks in pipeline:
- Test coverage < 80%? → Pipeline stops
- Critical security vulnerability (Trivy, Snyk)? → Pipeline stops
- Performance regression > 10% (benchmark tests)? → Pipeline stops
- Linting errors (ESLint, golangci-lint)? → Pipeline stops
- Dependency audit (known vulnerabilities)? → Warning / stop
No manual approval for standard changes. Exception process for urgent hotfixes.
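The gate rules above as an executable policy check, written here as an added example rather than code from the page or its pipeline templates. The scanner input shape ({"id", "package", "severity"} dicts) is a constructed stand-in for parsed Trivy / Snyk / audit output, and the split of the dependency audit into stop (critical/high) versus warning (lower) is an assumption the page leaves open.

```python
from dataclasses import dataclass, field

COVERAGE_MIN = 80.0          # test coverage below this stops the pipeline
PERF_REGRESSION_MAX = 0.10   # benchmark more than 10% slower than baseline stops it
AUDIT_STOP_SEVERITIES = {"CRITICAL", "HIGH"}  # assumption: lower audit findings only warn

@dataclass
class GateResult:
    stop: bool
    failures: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

def evaluate_gates(coverage_pct, image_vulns, benchmarks, lint_errors, dep_audit):
    """Apply the pipeline's quality gates and decide whether it may proceed.
    image_vulns / dep_audit: lists of {"id", "package", "severity"} dicts (constructed
    shape standing in for parsed scanner output). benchmarks: {name: (baseline_ms, current_ms)}."""
    failures, warnings = [], []
    if coverage_pct < COVERAGE_MIN:
        failures.append(f"coverage {coverage_pct:.1f}% below {COVERAGE_MIN:.0f}%")
    for v in image_vulns:
        if v["severity"].upper() == "CRITICAL":
            failures.append(f"critical vulnerability {v['id']} in {v['package']}")
    for name, (baseline, current) in benchmarks.items():
        regression = (current - baseline) / baseline   # positive = slower than baseline
        if regression > PERF_REGRESSION_MAX:
            failures.append(f"benchmark {name} regressed {regression:.0%}")
    if lint_errors:
        failures.append(f"{lint_errors} lint error(s)")
    for a in dep_audit:
        msg = f"dependency {a['package']}: {a['id']} ({a['severity']})"
        if a["severity"].upper() in AUDIT_STOP_SEVERITIES:
            failures.append(msg)
        else:
            warnings.append(msg)
    return GateResult(stop=bool(failures), failures=failures, warnings=warnings)

# Constructed sample inputs: a build that passes coverage and lint but ships a
# critical image vulnerability and one benchmark that is 15% slower than baseline.
SAMPLE_VULNS = [
    {"id": "VULN-EXAMPLE-1", "package": "openssl", "severity": "CRITICAL"},
    {"id": "VULN-EXAMPLE-2", "package": "curl", "severity": "MEDIUM"},
]
SAMPLE_BENCHMARKS = {"json_decode": (200.0, 230.0), "http_roundtrip": (50.0, 52.0)}
SAMPLE_AUDIT = [{"id": "ADV-EXAMPLE-1", "package": "lodash", "severity": "LOW"}]

def run_sample():
    """Evaluate the constructed build: expected to stop with two failures and one warning."""
    return evaluate_gates(85.0, SAMPLE_VULNS, SAMPLE_BENCHMARKS, 0, SAMPLE_AUDIT)
```

In a real pipeline the same function would be fed the parsed coverage report, scanner JSON and benchmark results, and a non-empty `failures` list is what fails the job.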
DORA metrics
We measure delivery performance:
- Deployment frequency — How many times per day. Goal: multiple per day.
- Lead time for changes — Commit → production. Goal: < 1 hour.
- Change failure rate — Deployments that cause incidents. Goal: < 5%.
- MTTR — Mean time to recovery. Goal: < 1 hour.
Dashboard with trends. Retrospective on metrics every 2 weeks. Continuous improvement.
Standardized Pipeline Templates
Reusable templates for typical workloads:
- .NET API — Build, test, Docker, deploy to K8s
- Node.js API — Build, test, Docker, deploy
- Static frontend — Build, test, deploy to CDN
- Terraform — Validate, plan, apply with approval
- Helm chart — Lint, template, deploy with ArgoCD
Team selects template, configures parameters, has CI/CD in hours. Best practices built-in.
Frequently asked questions
Which CI/CD platform do you use?
Depends on the ecosystem. GitHub Actions for GitHub repos (marketplace, community actions). GitLab CI for GitLab (integrated, self-hosted runners). Azure DevOps for the Microsoft stack. The principles are the same.
How are secrets handled?
GitHub Secrets / GitLab CI Variables for pipeline secrets. HashiCorp Vault for runtime secrets. Never in code, never in plain text. Automated rotation.
Does this work for a monorepo with many services?
Yes. Affected detection — we build and deploy only the changed services. Turborepo, Nx, or custom detection based on git diff. Dramatic reduction in build time.