What Is CI/CD?
- Continuous Integration (CI): automate build, lint, test, and packaging on every change.
- Continuous Delivery/Deployment (CD): automate promotion to environments (staging → production), often with approvals, feature flags, and rollbacks.
- Benefits: faster feedback, fewer regressions, reproducible releases, higher confidence.
CI/CD Tools at a Glance (Quick Compare)
- Jenkins: highly extensible, self‑hosted; you manage controllers/agents and plugins.
- GitLab CI: tightly integrated with GitLab; YAML pipelines, built‑in container registry.
- Azure Pipelines: great for Microsoft stacks; Windows/macOS/Linux hosted pools.
- CircleCI: cloud‑hosted, fast parallelism, orbs ecosystem.
- Bitbucket Pipelines: simple pipelines for Bitbucket repos.
- Buildkite: hybrid model; run builders on your infra.
- Tekton: Kubernetes‑native pipelines (CRDs).
- Argo CD / Flux: GitOps CD for Kubernetes (pull‑based).
- Spinnaker / Harness: powerful multi‑cloud CD, canary/blue‑green baked in.
Why GitHub Actions? Native to GitHub, enormous marketplace, generous hosted runners, great DX, reusable workflows, and first‑class security integrations (OIDC, environments, approvals).
GitHub Actions Core Concepts
- Workflow: YAML in .github/workflows/*.yml
- Trigger (Event): push,pull_request,workflow_dispatch,schedule,release, etc.
- Job: runs on a runner (runs-on: ubuntu-latest,windows-latest, etc.). Jobs can depend on others vianeeds.
- Step: individual shell command or “action” (like actions/checkout).
- Runners: GitHub‑hosted or self‑hosted (ephemeral or static).
- Artifacts & Caching: persist build outputs; speed up installs.
- Environments: dev,staging,prodwith protection rules, approvals, and secrets.
- Secrets & Variables: org/repo/environment scope; injected at runtime.
- Permissions: least‑privilege via permissions:(and OIDC viaid-token: write).
A Minimal CI Workflow (Node example)
Create .github/workflows/ci.yml:
name: CI
on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Use Node
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - name: Install
        run: npm ci
      - name: Lint
        run: npm run lint --if-present
      - name: Test
        run: npm test -- --ci --reporters=default --reporters=jest-junit
Notes:
- Runs on PRs and on pushes to main.
- Caches node_modulesautomatically viasetup-node@v4+cache: npm.
Python & Java Variants
Python (.github/workflows/python-ci.yml):
name: Python CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: [3.10, 3.11, 3.12]
      fail-fast: false
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
          cache: pip
      - run: pip install -r requirements.txt
      - run: pytest -q --maxfail=1 --disable-warnings --junitxml=report.xml
      - uses: actions/upload-artifact@v4
        with:
          name: pytest-report
          path: report.xml
Java (Gradle):
name: Java CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 21
          cache: gradle
      - run: ./gradlew build --stacktrace
      - uses: actions/upload-artifact@v4
        with:
          name: app-jar
          path: build/libs/*.jar
Service Containers for Integration Tests
Example: test against Postgres and Redis
name: Integration Tests
on: [push, pull_request]
jobs:
  itest:
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16
        env:
          POSTGRES_USER: app
          POSTGRES_PASSWORD: password
          POSTGRES_DB: appdb
        ports: ["5432:5432"]
        options: >-
          --health-cmd="pg_isready -U app -d appdb"
          --health-interval=10s --health-timeout=5s --health-retries=5
      redis:
        image: redis:7
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: 3.11 }
      - run: pip install -r requirements.txt
      - env:
          DATABASE_URL: postgresql://app:password@localhost:5432/appdb
          REDIS_URL: redis://localhost:6379
        run: pytest tests/integration -q
Caching & Artifacts (Speed and Traceability)
- Use setup actions’ built‑in caching (cache: npm/pip/gradle).
- For custom caches:
- name: Cache build
  uses: actions/cache@v4
  with:
    path: .m2/repository
    key: maven-${{ runner.os }}-${{ hashFiles('**/pom.xml') }}
    restore-keys: |
      maven-${{ runner.os }}-
- Upload build outputs for later jobs or downloads:
- uses: actions/upload-artifact@v4
  with:
    name: dist
    path: dist/**
    if-no-files-found: error
CD Basics: Environments, Approvals, and Secrets
- Create environments in GitHub: dev,staging,prod.
- Add environment secrets/variables (e.g., PROD_DB_URL).
- Configure protection rules (approvers, wait timers).
Sample CD job gated by an environment:
jobs:
  deploy_prod:
    needs: build
    runs-on: ubuntu-latest
    environment:
      name: prod
      url: https://app.example.com
    permissions:
      contents: read
      id-token: write  # for OIDC to cloud providers
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        run: ./scripts/deploy.sh
Approvers receive a prompt in the PR/Actions UI before the job runs.
Multi‑Stage CI/CD (Build → Test → Deploy)
name: Webapp CI/CD
on:
  push:
    branches: [main]
  workflow_dispatch:
permissions:
  contents: read
  id-token: write
concurrency:
  group: app-${{ github.ref }}
  cancel-in-progress: true
jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      image: ${{ steps.meta.outputs.tags }}
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=ref,event=branch
            type=sha
            type=semver,pattern={{version}}
      - name: Build & Push
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
  test:
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
  deploy_staging:
    runs-on: ubuntu-latest
    needs: [test]
    environment: staging
    steps:
      - name: Deploy to Staging
        run: ./scripts/deploy_staging.sh ${{ needs.build.outputs.image }}
  deploy_prod:
    runs-on: ubuntu-latest
    needs: [deploy_staging]
    environment: prod
    steps:
      - name: Deploy to Production
        run: ./scripts/deploy_prod.sh ${{ needs.build.outputs.image }}
Cloud Deployments via OIDC (No Long‑Lived Secrets)
AWS (ECS/EKS/Lambda/etc.)
- uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::123456789012:role/GHActionsDeployRole
    aws-region: eu-west-1
- name: Deploy infra with Terraform
  run: |
    terraform init
    terraform apply -auto-approve
- name: Update ECS service
  run: aws ecs update-service --cluster app --service web --force-new-deployment
Prereq: set IAM role with a trust policy allowing GitHub’s OIDC provider and your repo/environment.
Azure (Web Apps/AKS)
- uses: azure/login@v2
  with:
    client-id: ${{ secrets.AZURE_CLIENT_ID }}
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Deploy to Azure Web App
  uses: azure/webapps-deploy@v3
  with:
    app-name: my-webapp
    images: ghcr.io/${{ github.repository }}:sha-${{ github.sha }}
Use Azure Federated Credentials for your repo/environment to avoid client secret rotation.
GCP (Cloud Run/GKE)
- uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: projects/123/locations/global/workloadIdentityPools/gh/providers/github
    service_account: gha-deployer@myproj.iam.gserviceaccount.com
- name: Deploy to Cloud Run
  run: |
    gcloud run deploy web --image=ghcr.io/${{ github.repository }}:${{ github.sha }} --region=europe-west1
Terraform in Actions (Infra as Code)
name: Terraform
on:
  pull_request:
    paths: ["infra/**.tf", ".github/workflows/terraform.yml"]
  push:
    branches: [main]
    paths: ["infra/**.tf"]
jobs:
  plan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform -chdir=infra init
      - run: terraform -chdir=infra plan -out=plan.out
      - uses: actions/upload-artifact@v4
        with:
          name: tf-plan
          path: infra/plan.out
  apply:
    if: github.ref == 'refs/heads/main'
    needs: plan
    environment: prod
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: actions/download-artifact@v4
        with: { name: tf-plan, path: infra }
      - run: terraform -chdir=infra apply -auto-approve plan.out
Secure Supply Chain (SCA, SAST, Code Scanning)
- Dependency Review on PRs:
name: Dependency Review
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  dep-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/dependency-review-action@v4
- CodeQL (static analysis):
name: CodeQL
on:
  push: { branches: [main] }
  pull_request:
  schedule: [{ cron: "35 1 * * 1" }] # weekly
permissions:
  contents: read
  security-events: write
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix: { language: [javascript, python, java] }
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with: { languages: ${{ matrix.language }} }
      - uses: github/codeql-action/analyze@v3
- Optional: container provenance (SLSA‑style):
- name: Attest build provenance
  uses: actions/attest-build-provenance@v1
  with:
    subject-name: ghcr.io/${{ github.repository }}
    subject-digest: ${{ steps.meta.outputs.digest }}
Reusable Workflows & Composite Actions
Reusable workflow (publisher):
.github/workflows/reusable-test.yml
name: Reusable Test
on:
  workflow_call:
    inputs:
      node-version: { required: true, type: string }
jobs:
  run-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: ${{ inputs.node-version }}, cache: npm }
      - run: npm ci && npm test
Caller:
jobs:
  tests:
    uses: your-org/your-repo/.github/workflows/reusable-test.yml@main
    with:
      node-version: "20"
Composite action (encapsulate repeatable steps):
.github/actions/setup-app/action.yml
name: "Setup App"
runs:
  using: "composite"
  steps:
    - uses: actions/setup-node@v4
      with: { node-version: 20, cache: npm }
    - run: npm ci
      shell: bash
Use it:
- uses: ./.github/actions/setup-app
Monorepos & Path Filters
Run pipelines only when relevant code changes:
on:
  pull_request:
    paths:
      - "services/api/**"
      - ".github/workflows/api-*.yml"
jobs:
  api-ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make -C services/api test
Matrix by service:
strategy:
  matrix:
    service: [api, web, worker]
steps:
  - run: make -C services/${{ matrix.service }} test
Branching & Release Strategies
- Trunk‑based (recommended): PRs → main; feature flags; short‑lived branches.
- GitFlow: develop,release/*,hotfix/*; more ceremony.
- Semver tags trigger releases:
on:
  push:
    tags: ["v*.*.*"]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build Changelog
        run: npx conventional-changelog -p angular -i CHANGELOG.md -s
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          files: |
            dist/**
Advanced Controls & Guardrails
- 
concurrency:to prevent overlapping deploys.
- 
environment:with required reviewers and wait timers.
- 
timeout-minutes:per job.
- 
if:conditions (e.g., only deploy on tags).
- 
needs:to enforce stage order.
- 
permissions:minimal scopes; addid-token: writeonly when needed.
- Pin actions to major versions or SHAs (for maximum supply‑chain safety).
- Secret scanning & push protection: keep secrets out of code.
Self‑Hosted Runners (When and How)
Why: custom tools, private networks, GPUs, cost control, long builds.
Basic setup steps:
- Provision VM/container with network access to targets.
- Create runner in repo/org (Settings → Actions → Runners).
- Label runners (e.g., self-hosted,gpu,arm64).
- Prefer ephemeral/auto‑scaled runners (clean state per job).
Use in workflow:
jobs:
  build:
    runs-on: [self-hosted, linux, x64, docker]
Security tips:
- Lock runners to specific repos.
- Rotate tokens; auto‑update runner.
- Isolate with VM snapshots or ephemeral images.
Slide 18 — Observability, Test Reports, Coverage, and Artifacts
- Upload test reports & coverage to keep PR feedback rich.
- Publish HTML reports as artifacts or Pages in non‑prod.
- Example (Jest coverage):
- run: npm run test -- --coverage
- uses: actions/upload-artifact@v4
  with:
    name: coverage
    path: coverage/**
- Annotate PRs via problem matchers or actions (eslint, flake8, etc.).
Scheduling, Manual Runs, and Branch Protections
- Schedules use UTC (not repository timezone):
on:
  schedule:
    - cron: "0 5 * * 1-5" # 05:00 UTC on weekdays
  workflow_dispatch:
    inputs:
      target:
        description: "Env to deploy"
        required: true
        default: "staging"
- Combine with branch protection rules (required checks before merge).
End‑to‑End Example: Dockerized API → Staging/Prod (ECS)
.github/workflows/api-cicd.yml:
name: API CI/CD
on:
  pull_request:
    paths: ["api/**", ".github/workflows/api-cicd.yml"]
  push:
    branches: [main]
    paths: ["api/**", ".github/workflows/api-cicd.yml"]
permissions:
  contents: read
  id-token: write
env:
  IMAGE_NAME: ghcr.io/${{ github.repository }}/api
jobs:
  ci:
    runs-on: ubuntu-latest
    outputs:
      image_tag: ${{ steps.meta.outputs.version }}
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.IMAGE_NAME }}
          tags: |
            type=sha,format=long
            type=ref,event=branch
      - name: Build & Push
        uses: docker/build-push-action@v6
        with:
          context: ./api
          push: true
          tags: ${{ steps.meta.outputs.tags }}
      - uses: actions/upload-artifact@v4
        with:
          name: image-tags
          path: |
            # emit a simple file with the final tag(s)
            /dev/stdout
        if: always()
  deploy_staging:
    needs: ci
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gh-ecs-deployer
          aws-region: eu-west-1
      - name: Update ECS service (staging)
        run: |
          aws ecs update-service \
            --cluster app-staging \
            --service api \
            --force-new-deployment
  deploy_prod:
    if: startsWith(github.ref, 'refs/tags/v')
    needs: deploy_staging
    runs-on: ubuntu-latest
    environment: prod
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gh-ecs-deployer
          aws-region: eu-west-1
      - name: Update ECS service (prod)
        run: |
          aws ecs update-service \
            --cluster app-prod \
            --service api \
            --force-new-deployment
Flow:
- PR → CI only.
- Push to main→ build/push image + deploy tostaging.
- Create tag vX.Y.Z→ deploy toprod(after staging job completes and environment approval, if configured).
Common Pitfalls & Troubleshooting
- “Permission denied” on checkout/push: set permissions: contents: writewhen publishing tags or creating releases.
- OIDC failing: verify correct audience/repo/environment in cloud role trust policy.
- Slow builds: add caches, narrow paths, enable parallel matrix, use bigger runners (e.g.,ubuntu-latestvsubuntu-24.04as available).
- Flaky tests: add service health checks and retries; separate unit vs integration; use timeout-minutes.
- Secrets not found: confirm secret scope (environment vs repo vs org) and name casing.
Security Best Practices Checklist
- Least‑privilege permissions:per workflow/job.
- Use environments for prod with required reviewers.
- Prefer OIDC to cloud over static keys.
- Pin actions to major versions or commit SHAs.
- Keep runners ephemeral or routinely cleaned.
- Enable branch protections + required status checks.
- Turn on secret scanning, Dependabot alerts & updates.
- Store sensitive config as environment secrets, not repo secrets if env‑specific.
Suggested Project Structure
.
├─ api/                      # your app(s)
├─ infra/                    # terraform/helm
├─ scripts/                  # deploy scripts
├─ .github/
│  ├─ actions/
│  │  └─ setup-app/          # composite action
│  └─ workflows/
│     ├─ ci.yml
│     ├─ codeql.yml
│     ├─ terraform.yml
│     └─ api-cicd.yml
└─ Dockerfile
Quick Start Checklist
- Add .github/workflows/ci.ymland run a PR.
- Add environments and secrets for stagingandprod.
- Add OIDC role/federated credentials in your cloud.
- Implement build → test → deploy workflow with approvals.
- Add CodeQL + Dependency Review.
- Add path filters and caches.
- Monitor, iterate, and keep pipelines as code.
Copy‑Paste Starters (Grab‑Bag)
Manual Deploy with Inputs
on:
  workflow_dispatch:
    inputs:
      env:
        type: choice
        options: [staging, prod]
        default: staging
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: ${{ inputs.env }}
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/deploy_${{ inputs.env }}.sh
Blue‑Green (Feature Flag‑Style) Toggle
- name: Flip production traffic
  run: ./scripts/switch_traffic.sh --to blue
Conditional Job (Only on PRs from internal repo)
if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
What to Implement Next
- Tracing CI duration and break‑down per step; set goals for speed.
- Parallelize test suites via matrix/shards.
- Add canary/percentage rollouts (ECS, Cloud Run, AKS/GKE).
- GitOps for Kubernetes (Argo CD/Flux) and make Actions only push manifests/images.
- DORA metrics (deployment frequency, lead time, MTTR, change‑fail rate) from Actions runs.
 

 
    
Top comments (0)