DEV Community: Francesc Gil The latest articles on DEV Community by Francesc Gil (@xescugc). https://dev.to/xescugc https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3957091%2Fac26491c-000c-4961-baba-e282dfdd4cfe.png DEV Community: Francesc Gil https://dev.to/xescugc en How hard can it be to build a CI/CD system? Francesc Gil Thu, 28 May 2026 22:31:06 +0000 https://dev.to/xescugc/how-hard-can-it-be-to-build-a-cicd-system-1cnj https://dev.to/xescugc/how-hard-can-it-be-to-build-a-cicd-system-1cnj <p>How hard can it be to build a CI/CD system?</p> <p>That question stuck with me long enough that I actually started building one. Not because someone asked me to. Not because I spotted a market gap. Just because the question wouldn't go away.</p> <p>The trigger was Concourse CI. I've been using it for a while and what I love about it is the resource abstraction, an interface that anything external has to follow. Check for new versions, pull them, push back. As a Go developer this kind of clean interface resonates with me. Everything in the pipeline is just something that implements that contract.</p> <p>But the operational overhead is significant. And I needed CI for my own side projects anyway, games and open source tools that require custom environments GitHub Actions can't provide. So I started building.</p> <h2> What I wanted </h2> <p>A single binary that could also scale horizontally when needed. Start with nothing, grow when you need to.</p> <p>You start like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./pikoci server <span class="se">\</span> <span class="nt">--db-system</span> mem <span class="se">\</span> <span class="nt">--pubsub-system</span> mem <span class="se">\</span> <span class="nt">--run-worker</span> <span class="se">\</span> <span class="nt">--pipeline-config</span> pipeline.hcl </code></pre> </div> <p>That's a complete CI/CD system. In memory, no files, no external services. When you want persistence, add <code>--db-system sqlite</code>. When you need distributed workers, add NATS and start workers on other machines. The pipeline config never changes.</p> <h2> The interesting parts </h2> <p><strong>Four pluggable abstractions</strong></p> <p>PikoCI has four concepts you define in HCL and can source from a URL: resource types, runners, service types, and secret types. Each follows the same pattern: define the type once, instantiate it with params.</p> <p>A <strong>resource_type</strong> defines how to watch something for changes and fetch it. A <strong>resource</strong> is an instance of it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource_type</span> <span class="s2">"git"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"pikoci://git"</span> <span class="c1"># built-in</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"git"</span> <span class="s2">"my-app"</span> <span class="p">{</span> <span class="nx">params</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://github.com/org/app"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"app"</span> <span class="p">}</span> <span class="nx">check_interval</span> <span class="p">=</span> <span class="s2">"@every 1m"</span> <span class="p">}</span> </code></pre> </div> <p>A <strong>runner_type</strong> defines where tasks execute. The <code>docker</code> and <code>exec</code> runners are built-in, no declaration needed. Here's what the docker runner looks like under the hood, in case you want to define your own:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># this is what pikoci://docker looks like</span> <span class="c1"># define your own to customize or replace it</span> <span class="nx">runner_type</span> <span class="s2">"docker"</span> <span class="p">{</span> <span class="nx">run</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"docker"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"run"</span><span class="p">,</span> <span class="s2">"--rm"</span><span class="p">,</span> <span class="s2">"-v"</span><span class="p">,</span> <span class="s2">"$WORKDIR:/workdir"</span><span class="p">,</span> <span class="s2">"-w"</span><span class="p">,</span> <span class="s2">"/workdir"</span><span class="p">,</span> <span class="s2">"$image"</span><span class="p">,</span> <span class="s2">"/bin/sh"</span><span class="p">,</span> <span class="s2">"-ec"</span><span class="p">,</span> <span class="s2">"$cmd"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">job</span> <span class="s2">"test"</span> <span class="p">{</span> <span class="nx">get</span> <span class="s2">"git"</span> <span class="s2">"my-app"</span> <span class="p">{</span> <span class="nx">trigger</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">task</span> <span class="s2">"run-tests"</span> <span class="p">{</span> <span class="nx">run</span> <span class="s2">"docker"</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"golang:1.25"</span> <span class="nx">cmd</span> <span class="p">=</span> <span class="s2">"cd app &amp;&amp; make test"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"-v"</span><span class="p">,</span> <span class="s2">"/cache/go:/root/go/pkg/mod"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>A <strong>secret_type</strong> defines where credentials come from. Secrets are bound to variables and referenced anywhere in the pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">secret_type</span> <span class="s2">"vault"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"pikoci://vault"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"db_password"</span> <span class="p">{</span> <span class="nx">secret</span> <span class="s2">"vault"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"secret/data/db"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"password"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>A <strong>service_type</strong> defines processes that run alongside your tasks, started before, stopped after, guaranteed regardless of outcome. This is the feature I'm most proud of:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">service_type</span> <span class="s2">"postgres"</span> <span class="p">{</span> <span class="c1"># source = "pikoci://postgres" — or define inline</span> <span class="nx">start</span> <span class="s2">"exec"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/bin/sh"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"-ec"</span><span class="p">,</span> <span class="s2">"docker run -d --name db -p 5432:5432 postgres:16"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ready_check</span> <span class="s2">"exec"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/bin/sh"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"-ec"</span><span class="p">,</span> <span class="s2">"pg_isready -h localhost"</span><span class="p">]</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="s2">"30s"</span> <span class="p">}</span> <span class="nx">stop</span> <span class="s2">"exec"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/bin/sh"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"-ec"</span><span class="p">,</span> <span class="s2">"docker rm -f db"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">job</span> <span class="s2">"integration"</span> <span class="p">{</span> <span class="nx">service</span> <span class="s2">"postgres"</span> <span class="p">{}</span> <span class="nx">get</span> <span class="s2">"git"</span> <span class="s2">"my-app"</span> <span class="p">{</span> <span class="nx">trigger</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">task</span> <span class="s2">"test"</span> <span class="p">{</span> <span class="nx">run</span> <span class="s2">"exec"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"make"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"integration-test"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>No Docker-in-Docker. No docker-compose alongside CI. The service stops regardless of whether the job passed or failed.</p> <p>All four types are sourceable from a URL. The built-ins use <code>pikoci://</code>, the same mechanism as anything you host yourself. If you need a runner that executes jobs in Kubernetes or Azure, write it once, host it anywhere, reference it by URL.</p> <h2> Putting it all together </h2> <p>Here's a small pipeline that uses all four abstractions at once:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource_type</span> <span class="s2">"git"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"pikoci://git"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"git"</span> <span class="s2">"my-app"</span> <span class="p">{</span> <span class="nx">params</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://github.com/org/app"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"app"</span> <span class="p">}</span> <span class="nx">check_interval</span> <span class="p">=</span> <span class="s2">"@every 1m"</span> <span class="p">}</span> <span class="nx">secret_type</span> <span class="s2">"vault"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"pikoci://vault"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"db_password"</span> <span class="p">{</span> <span class="nx">secret</span> <span class="s2">"vault"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"secret/data/db"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"password"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">service_type</span> <span class="s2">"postgresql"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"pikoci://postgresql"</span> <span class="p">}</span> <span class="nx">job</span> <span class="s2">"test"</span> <span class="p">{</span> <span class="nx">get</span> <span class="s2">"git"</span> <span class="s2">"my-app"</span> <span class="p">{</span> <span class="nx">trigger</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">service</span> <span class="s2">"postgresql"</span> <span class="p">{</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"17"</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"5432"</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_password</span> <span class="p">}</span> <span class="nx">task</span> <span class="s2">"run-tests"</span> <span class="p">{</span> <span class="nx">run</span> <span class="s2">"docker"</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"golang:1.25"</span> <span class="nx">cmd</span> <span class="p">=</span> <span class="s2">"cd app &amp;&amp; make integration-test"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"-v"</span><span class="p">,</span> <span class="s2">"/cache/go:/root/go/pkg/mod"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>A git resource watches for changes, a Vault secret feeds the Postgres password, Postgres starts as a service, and the task runs inside Docker. All four abstractions, one pipeline.</p> <p><strong>Running pipelines locally</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pikoci run <span class="nt">--pipeline-config</span> pipeline.hcl <span class="nt">--job</span> <span class="nb">test</span> </code></pre> </div> <p>Any job, on your laptop, no server required. Override resources with local paths, inject secrets via <code>--var</code>. The same pipeline that runs in CI runs on your laptop.</p> <h2> The queue decision </h2> <p>Workers don't connect directly to the server, they subscribe to a queue. This means workers can be behind NAT, on a laptop, in a different data center, or completely ephemeral. The server never needs to know where workers are. It made distributed workers trivially easy to add. Start a worker anywhere with network access to the queue and it just works.</p> <h2> Where it is now </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm1zg17gwturrjhnqf7gb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm1zg17gwturrjhnqf7gb.png" alt=" " width="800" height="399"></a></p> <p>PikoCI deploys itself. The pipeline runs PR checks, mock tests, and integration tests against six different database and queue backends: MariaDB, PostgreSQL, NATS, RabbitMQ, Kafka, and Vault, all running as services. Then it builds multi-arch Docker images and redeploys itself with zero downtime.</p> <p>Those six backends are not just targets, they are the pluggable abstractions themselves. The same PikoCI binary connects to any of them depending on how you start it. Testing against all of them is how I make sure the abstractions actually hold.</p> <p>All of it is publicly visible at <a href="https://ci.pikoci.com/teams/main/pipelines/pikoci" rel="noopener noreferrer">ci.pikoci.com/teams/main/pipelines/pikoci</a>. No account needed.</p> <p>It's Apache 2.0, written in Go, and very much something I use for my own projects every day.</p> <p>If you try it and something is broken, I want to know. If something is missing, I also want to know.</p> <p><a href="https://pikoci.com" rel="noopener noreferrer">pikoci.com</a> · <a href="https://github.com/pikoci/pikoci" rel="noopener noreferrer">github.com/pikoci/pikoci</a></p> cicd devops go selfhosted