DEV Community: Akhilesh Verma The latest articles on DEV Community by Akhilesh Verma (@akoode_tech). https://dev.to/akoode_tech https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3913898%2F22861018-69f3-4bf5-bba3-2d6a546b6512.jpg DEV Community: Akhilesh Verma https://dev.to/akoode_tech en f kefnwffe Akhilesh Verma Mon, 25 May 2026 19:51:20 +0000 https://dev.to/akoode_tech/f-kefnwffe-3ch1 https://dev.to/akoode_tech/f-kefnwffe-3ch1 <p>fownfkwnflknfkf</p> "Building a CI/CD Pipeline From Scratch: A Practical Guide for Developers (with GitHub Actions)" Akhilesh Verma Mon, 25 May 2026 19:49:06 +0000 https://dev.to/akoode_tech/building-a-cicd-pipeline-from-scratch-a-practical-guide-for-developers-with-github-actions-f98 https://dev.to/akoode_tech/building-a-cicd-pipeline-from-scratch-a-practical-guide-for-developers-with-github-actions-f98 <h1> Building a CI/CD Pipeline From Scratch: A Practical Guide for Developers </h1> <p><em>Originally inspired by <a href="https://www.akoode.com/blog/how-to-build-a-ci-cd-pipeline" rel="noopener noreferrer">Akoode's CI/CD pipeline guide</a> — rewritten here with more depth, code, and less hand-waving.</em></p> <p>I've seen teams spend hours manually running tests, zipping build artifacts, SSHing into servers, and crossing fingers before every deploy. CI/CD pipelines exist to kill that workflow. This guide skips the theory lecture and gets into how to actually build one.</p> <p>We'll use <strong>GitHub Actions</strong> as the CI/CD platform — it's free for public repos, tightly integrated with GitHub, and requires zero external infrastructure to get started.</p> <h2> What CI/CD Actually Does (Plain English) </h2> <ul> <li> <strong>CI (Continuous Integration):</strong> Every time code is pushed or a PR is opened, automatically run your build and tests. Catch breakage early, not in prod.</li> <li> <strong>CD (Continuous Delivery/Deployment):</strong> After CI passes, automatically ship the artifact to staging or production — no human clicking "deploy" required.</li> </ul> <p>The pipeline is just a sequence of automated steps triggered by a git event.</p> <h2> Pipeline Architecture </h2> <p>git push / PR open<br> │<br> ▼<br> ┌─────────────┐<br> │ Trigger │ ← GitHub webhook fires<br> └─────┬───────┘<br> │<br> ▼<br> ┌─────────────┐<br> │ Build │ ← Install deps, compile, bundle<br> └─────┬───────┘<br> │<br> ▼<br> ┌─────────────┐<br> │ Test │ ← Unit, integration, lint<br> └─────┬───────┘<br> │<br> ▼<br> ┌─────────────┐<br> │ Deploy │ ← Push to staging/prod<br> └─────────────┘<br> Each stage is a <strong>job</strong>. Jobs run on <strong>runners</strong> (GitHub-hosted VMs or your own). They can run in parallel or sequentially with dependencies between them.</p> <h2> Setting Up Your First Pipeline with GitHub Actions </h2> <p>Create this file in your repo:</p> <p>.github/<br> workflows/<br> ci-cd.yml</p> <h3> Minimal CI Pipeline (Node.js Example) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run linter</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run lint</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run build</span> </code></pre> </div> <p>That's it. Push this file, and every PR gets auto-tested. No server, no webhook config.</p> <h3> Adding CD: Deploy to a Server </h3> <p>After CI passes, deploy to production. Here we'll SSH into a VPS and pull + restart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">deploy</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build-and-test</span> <span class="c1"># only runs if CI passes</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main'</span> <span class="c1"># only on main branch</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy via SSH</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">appleboy/ssh-action@v1.0.3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">${{ secrets.DEPLOY_HOST }}</span> <span class="na">username</span><span class="pi">:</span> <span class="s">${{ secrets.DEPLOY_USER }}</span> <span class="na">key</span><span class="pi">:</span> <span class="s">${{ secrets.DEPLOY_SSH_KEY }}</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd /var/www/myapp</span> <span class="s">git pull origin main</span> <span class="s">npm ci --omit=dev</span> <span class="s">pm2 restart myapp</span> </code></pre> </div> <p>Store your SSH key and server IP in <strong>GitHub Secrets</strong> (<code>Settings → Secrets and variables → Actions</code>). Never hardcode credentials in the YAML.</p> <h3> Docker-Based Deploy (More Portable) </h3> <p>If you're deploying containers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">build-and-push</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Log in to Docker Hub</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/login-action@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">username</span><span class="pi">:</span> <span class="s">${{ secrets.DOCKER_USERNAME }}</span> <span class="na">password</span><span class="pi">:</span> <span class="s">${{ secrets.DOCKER_TOKEN }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push Docker image</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">push</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">tags</span><span class="pi">:</span> <span class="s">yourusername/myapp:${{ github.sha }}</span> </code></pre> </div> <p>Using the commit SHA as the image tag gives you a clean audit trail — every deploy is traceable to a specific commit.</p> <h2> Environment Separation </h2> <p>Don't deploy everything to production. Use branch-based environment targeting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="c1"># → production</span> <span class="pi">-</span> <span class="s">staging</span> <span class="c1"># → staging env</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">feat/**'</span> <span class="c1"># → preview envs (optional)</span> </code></pre> </div> <p>Pair with GitHub Environments (<code>Settings → Environments</code>) to add manual approval gates before production:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">deploy-prod</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">production</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://myapp.com</span> </code></pre> </div> <p>GitHub will pause and require an approver before proceeding. Useful for regulated teams or high-stakes deploys.</p> <h2> Caching Dependencies </h2> <p>Don't reinstall <code>node_modules</code> from scratch on every run. Cache it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="c1"># ← this line handles caching automatically</span> </code></pre> </div> <p>For Python:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.12'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">pip'</span> </code></pre> </div> <p>This alone can cut pipeline runtime by 60–70% on most projects.</p> <h2> Matrix Testing: Test Across Multiple Versions </h2> <p>Need to support Node 18 and 20? Don't write two jobs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">18</span><span class="pi">,</span> <span class="nv">20</span><span class="pi">,</span> <span class="nv">22</span><span class="pi">]</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">${{ matrix.node-version }}</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci &amp;&amp; npm test</span> </code></pre> </div> <p>GitHub runs these in parallel — fast and zero duplication.</p> <h2> Secrets Management </h2> <p>Rules:</p> <ul> <li>Store secrets in GitHub Secrets, not in <code>.env</code> files committed to the repo</li> <li>Use environment-scoped secrets for prod vs staging differences</li> <li>Rotate secrets regularly (SSH keys, API tokens)</li> <li>Never <code>echo</code> secrets in run steps — they'll be masked in logs, but it's still bad practice </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy</span> <span class="na">env</span><span class="pi">:</span> <span class="na">API_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.PROD_API_KEY }}</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./deploy.sh</span> </code></pre> </div> <h2> When to Use CI/CD </h2> <p>✅ Any team with more than one developer<br><br> ✅ Frequent deploys (more than once a week)<br><br> ✅ You have a test suite (even a small one)<br><br> ✅ Multiple environments (dev, staging, prod)<br><br> ✅ Open source projects where contributors submit PRs </p> <h2> When NOT to Use (or Keep It Simple) </h2> <p>❌ Solo hobby project with no test suite — a basic deploy script is fine<br><br> ❌ Legacy monolith where builds take 45 minutes — fix the build first<br><br> ❌ Highly regulated environments where automated prod deploys are prohibited — use CD to staging only, with manual prod promotion </p> <h2> Common Mistakes </h2> <p><strong>1. Not pinning action versions</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Bad — can break silently when the action updates</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@main</span> <span class="c1"># Good — locked to a specific version</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> </code></pre> </div> <p><strong>2. Running everything on every push</strong><br><br> Use path filters to skip unnecessary runs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">src/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">package.json'</span> </code></pre> </div> <p><strong>3. Storing secrets in env files</strong><br><br> Don't commit <code>.env.production</code> to the repo. Use GitHub Secrets + a secrets manager (HashiCorp Vault, AWS Secrets Manager) for anything sensitive.</p> <p><strong>4. No rollback plan</strong><br><br> Tag your Docker images with the git SHA. If prod breaks, you can redeploy the previous image in 30 seconds.</p> <h2> Full Pipeline at a Glance </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">CI/CD Pipeline</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run lint</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">test</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main'</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build Docker image</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t myapp:${{ github.sha }} .</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Push to registry</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo ${{ secrets.DOCKER_TOKEN }} | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin</span> <span class="s">docker push myapp:${{ github.sha }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">appleboy/ssh-action@v1.0.3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">host</span><span class="pi">:</span> <span class="s">${{ secrets.DEPLOY_HOST }}</span> <span class="na">username</span><span class="pi">:</span> <span class="s">${{ secrets.DEPLOY_USER }}</span> <span class="na">key</span><span class="pi">:</span> <span class="s">${{ secrets.DEPLOY_SSH_KEY }}</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker pull myapp:${{ github.sha }}</span> <span class="s">docker stop myapp || true</span> <span class="s">docker run -d --name myapp -p 3000:3000 myapp:${{ github.sha }}</span> </code></pre> </div> <h2> Practical Takeaways </h2> <ul> <li>Start small: even a single <code>npm test</code> in CI adds real value</li> <li> <code>needs:</code> keyword is your sequencing primitive — use it</li> <li>Branch protection rules + required CI checks = no broken code on main</li> <li>Commit SHA tagging on Docker images = instant rollback capability</li> <li>Cache dependencies — it's free performance</li> <li>Use GitHub Environments for approval gates before prod</li> </ul> <p>The goal isn't a perfect pipeline on day one. It's getting <em>something</em> automated, then adding stages as your confidence and test coverage grow.</p> cicd github devops automation