Agent Skills Framework Extension (Optional)
CI/CD Pipeline Design Skill
When to Use This Skill
Use this skill when implementing cicd pipeline design patterns in your codebase.
How to Use This Skill
- Review the patterns and examples below
- Apply the relevant patterns to your implementation
- Follow the best practices outlined in this skill
Design and implement comprehensive CI/CD pipelines with automated testing, security scanning, and deployment strategies for production-grade systems.
Core Capabilities
- Workflow Creation - GitHub Actions, GitLab CI, Cloud Build
- Deployment Strategies - Blue-green, canary, rolling updates
- Security Integration - SAST, DAST, dependency scanning
- Quality Gates - Automated testing, coverage thresholds
- Rollback Automation - Automated failure recovery
GitHub Actions Pipeline Template
name: CI/CD Pipeline
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
env:
REGISTRY: gcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run linting
run: npm run lint
- name: Run tests
run: npm run test:coverage
- name: Upload coverage
uses: codecov/codecov-action@v3
with:
token: ${{ secrets.CODECOV_TOKEN }}
security:
runs-on: ubuntu-latest
needs: test
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
build:
runs-on: ubuntu-latest
needs: [test, security]
outputs:
image_tag: ${{ steps.meta.outputs.tags }}
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: _json_key
password: ${{ secrets.GCP_SA_KEY }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=sha,prefix=
type=ref,event=branch
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
cache-from: type=gha
cache-to: type=gha,mode=max
deploy-staging:
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/develop'
environment: staging
steps:
- uses: actions/checkout@v4
- name: Deploy to staging
run: |
gcloud run deploy api-staging \
--image ${{ needs.build.outputs.image_tag }} \
--region us-central1 \
--platform managed
deploy-production:
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/main'
environment: production
steps:
- uses: actions/checkout@v4
- name: Deploy with canary
run: |
# Deploy canary (10% traffic)
gcloud run deploy api-production \
--image ${{ needs.build.outputs.image_tag }} \
--region us-central1 \
--tag canary \
--no-traffic
# Route 10% traffic to canary
gcloud run services update-traffic api-production \
--to-tags canary=10
- name: Health check
run: |
# Wait and verify canary health
sleep 60
curl -f https://canary---api-production.run.app/health
- name: Promote to production
run: |
gcloud run services update-traffic api-production \
--to-latest
GitLab CI Pipeline
stages:
- test
- security
- build
- deploy
variables:
DOCKER_DRIVER: overlay2
IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
test:
stage: test
image: node:20-alpine
script:
- npm ci
- npm run lint
- npm run test:coverage
coverage: '/Lines\s*:\s*(\d+\.\d+)%/'
artifacts:
reports:
coverage_report:
coverage_format: cobertura
path: coverage/cobertura-coverage.xml
security-scan:
stage: security
image: aquasec/trivy:latest
script:
- trivy fs --exit-code 1 --severity HIGH,CRITICAL .
allow_failure: true
build:
stage: build
image: docker:24
services:
- docker:24-dind
script:
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- docker build -t $IMAGE_TAG .
- docker push $IMAGE_TAG
deploy-staging:
stage: deploy
environment:
name: staging
url: https://staging.example.com
script:
- kubectl set image deployment/api api=$IMAGE_TAG
only:
- develop
deploy-production:
stage: deploy
environment:
name: production
url: https://example.com
script:
- kubectl set image deployment/api api=$IMAGE_TAG
when: manual
only:
- main
Cloud Build Configuration
# cloudbuild.yaml
steps:
# Run tests
- name: 'node:20'
entrypoint: npm
args: ['ci']
- name: 'node:20'
entrypoint: npm
args: ['run', 'test']
# Security scan
- name: 'gcr.io/cloud-builders/docker'
entrypoint: bash
args:
- '-c'
- |
docker run --rm -v $(pwd):/src aquasec/trivy:latest fs /src
# Build container
- name: 'gcr.io/cloud-builders/docker'
args: ['build', '-t', 'gcr.io/$PROJECT_ID/api:$COMMIT_SHA', '.']
# Push to registry
- name: 'gcr.io/cloud-builders/docker'
args: ['push', 'gcr.io/$PROJECT_ID/api:$COMMIT_SHA']
# Deploy to Cloud Run
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
entrypoint: gcloud
args:
- 'run'
- 'deploy'
- 'api'
- '--image=gcr.io/$PROJECT_ID/api:$COMMIT_SHA'
- '--region=us-central1'
- '--platform=managed'
images:
- 'gcr.io/$PROJECT_ID/api:$COMMIT_SHA'
options:
logging: CLOUD_LOGGING_ONLY
Deployment Strategies
Blue-Green Deployment
# kubernetes/blue-green-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: api-green
labels:
version: green
spec:
replicas: 3
selector:
matchLabels:
app: api
version: green
template:
metadata:
labels:
app: api
version: green
spec:
containers:
- name: api
image: gcr.io/project/api:v2
ports:
- containerPort: 8080
readinessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
name: api
spec:
selector:
app: api
version: green # Switch to 'blue' for rollback
ports:
- port: 80
targetPort: 8080
Canary Release with Istio
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: api
spec:
hosts:
- api
http:
- match:
- headers:
x-canary:
exact: "true"
route:
- destination:
host: api
subset: canary
- route:
- destination:
host: api
subset: stable
weight: 90
- destination:
host: api
subset: canary
weight: 10
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: api
spec:
host: api
subsets:
- name: stable
labels:
version: v1
- name: canary
labels:
version: v2
Quality Gates
# GitHub Actions quality gate
quality-gate:
runs-on: ubuntu-latest
needs: [test, security]
steps:
- name: Check coverage threshold
run: |
COVERAGE=$(cat coverage/coverage-summary.json | jq '.total.lines.pct')
if (( $(echo "$COVERAGE < 80" | bc -l) )); then
echo "Coverage ${COVERAGE}% is below 80% threshold"
exit 1
fi
- name: Check security findings
run: |
HIGH_VULNS=$(cat trivy-results.json | jq '[.[] | select(.Severity == "HIGH")] | length')
CRITICAL_VULNS=$(cat trivy-results.json | jq '[.[] | select(.Severity == "CRITICAL")] | length')
if [ "$CRITICAL_VULNS" -gt 0 ]; then
echo "Found $CRITICAL_VULNS critical vulnerabilities"
exit 1
fi
Usage Examples
Create GitHub Actions Pipeline
Apply cicd-pipeline-design skill to create a complete CI/CD pipeline for a Node.js API with testing, security scanning, and GKE deployment
Implement Canary Deployment
Apply cicd-pipeline-design skill to add canary release strategy with automatic rollback on failure metrics
Configure Quality Gates
Apply cicd-pipeline-design skill to add quality gates requiring 80% coverage and zero critical vulnerabilities
Integration Points
- container-orchestration - Deploy to Kubernetes clusters
- infrastructure-as-code - Provision deployment infrastructure
- monitoring-observability - Health checks and deployment metrics
- vulnerability-assessment - Security scanning in pipeline
Success Output
When successful, this skill MUST output:
✅ SKILL COMPLETE: cicd-pipeline-design
Completed:
- [x] CI/CD platform selected ({platform}: GitHub Actions/GitLab CI/Cloud Build)
- [x] Pipeline workflow created (.github/workflows/{name}.yml)
- [x] Test stage configured (linting, unit tests, coverage)
- [x] Security scanning integrated (Trivy, SAST, dependency scan)
- [x] Build stage configured (Docker, container registry)
- [x] Deployment strategy implemented ({strategy}: blue-green/canary/rolling)
- [x] Quality gates defined (coverage {threshold}%, security scan)
- [x] Rollback automation configured
Outputs:
- Workflow file: {workflow_path}
- Deployment strategy: {strategy}
- Quality gates: {gate_count} configured
- Environments: {env_list} (staging, production, etc.)
Pipeline Stages:
- Test ✅ (runs on every push)
- Security ✅ (blocks on critical vulnerabilities)
- Build ✅ (creates container image)
- Deploy Staging ✅ (auto-deploy on develop)
- Deploy Production ✅ (manual/auto with canary)
Completion Checklist
Before marking this skill as complete, verify:
- Pipeline workflow file created in correct location (.github/workflows/, .gitlab-ci.yml, cloudbuild.yaml)
- Test stage runs linting and unit tests
- Code coverage collected and reported
- Security scanner integrated (Trivy, Snyk, or equivalent)
- Build stage creates container image with proper tags
- Container registry configured with authentication
- Deployment strategy appropriate for use case (blue-green, canary, or rolling)
- Staging environment auto-deploys on develop/main
- Production deployment requires approval (manual) or has canary validation
- Quality gates enforce minimum standards (coverage threshold, security scan pass)
- Rollback mechanism tested and documented
- Pipeline tested end-to-end with test commit
- Environment variables and secrets configured securely
Failure Indicators
This skill has FAILED if:
- ❌ Pipeline workflow has syntax errors
- ❌ Tests don't run or fail silently
- ❌ Security scanning not blocking critical vulnerabilities
- ❌ Build stage creates images with incorrect tags
- ❌ Container registry authentication fails
- ❌ Deployment to staging/production fails
- ❌ Quality gates don't block failed builds
- ❌ No rollback strategy defined
- ❌ Secrets exposed in logs or workflow files
- ❌ Pipeline runs indefinitely (no timeout)
- ❌ Deployment strategy inappropriate (e.g., rolling update for database migrations)
When NOT to Use
Do NOT use this skill when:
- Prototyping/MVP phase - CI/CD overhead slows iteration, manual deploys acceptable
- Static website/documentation - Simple static hosting (Netlify/Vercel) with built-in CI/CD
- Single-developer hobby project - Overhead exceeds benefit for solo work
- Legacy system without tests - Need test coverage first before CI/CD
- Infrastructure not ready - Need staging/production environments first
- Regulatory constraints - Manual approval/audit required, can't automate
- Monolith migration in progress - Wait for microservices architecture
Use alternative approaches instead:
- Prototypes → Manual deployment with simple build script
- Static sites → Use platform built-in CI/CD (Netlify, Vercel, GitHub Pages)
- Solo projects → GitHub Actions simple workflow or manual deploy
- No tests → Write tests first, then add CI/CD
- Infrastructure → Provision environments with IaC, then add pipelines
- Regulated → Implement approval gates with human review
- Monolith → CI/CD for monolith first, then microservices
Anti-Patterns (Avoid)
| Anti-Pattern | Problem | Solution |
|---|---|---|
| No quality gates | Broken builds reach production | Add coverage threshold, security scan, integration tests |
| Secrets in workflow files | Security breach | Use platform secrets (GitHub Secrets, GitLab CI/CD variables) |
| Auto-deploy to production | No validation before release | Use canary, manual approval, or staged rollout |
| No rollback strategy | Stuck with broken deployment | Implement automatic rollback on health check failure |
| Infinite pipeline execution | Costs spiral, deadlocks | Set timeouts on all jobs (max 30-60 minutes) |
| Test flakiness ignored | Pipeline unreliable | Fix flaky tests or quarantine them |
| Duplicate pipelines | Configuration drift | Use pipeline templates/includes for shared config |
| Deployment before tests | Broken code deployed | Test stage MUST run before build/deploy |
| No caching | Slow pipeline | Cache dependencies (npm, pip, Docker layers) |
| Wrong deployment strategy | Downtime or failed rollouts | Blue-green for zero downtime, canary for risk mitigation |
Principles
This skill embodies CODITECT principles:
- #5 Eliminate Ambiguity - Explicit stages, clear quality gates, defined deployment strategy
- #6 Clear, Understandable, Explainable - Pipeline as code documents deployment process
- #8 No Assumptions - Test every assumption (tests pass, security scan clean, deployment works)
- First Principles - Understand deployment requirements before choosing strategy
- Automation - Eliminate manual deployment steps, reduce human error
- Separation of Concerns - Separate stages for test, security, build, deploy
Related Standards: