CI/CD Concepts

Here are my notes on CI/CD.

Table of Contents

1. Core CI Stages
2. 1. Source checkout & environment setup
   2. Static analysis & linting
   3. Formakbding & code quality gates
   4. Building & packaging
   5. Testing
   6. Code coverage & test reporting
3. Artifact & environment management
4. 1. Artifact storage
   2. Configuration & secrets
5. CD / Deployment Stages
6. 1. Staging / test environment deployment
   2. Deployment strategies
   3. Production deployment
7. Post-deploy & operations
8. 1. Verification & monitoring
   2. Rollback & recovery
9. Supporting pipeline features
10. 1. Caching & optimization
    2. Branch / environment policies
    3. Notifications & reporting
11. Example high-level flow (simplified)

Core CI Stages

Source checkout & environment setup

1. Fetch code from VCS (e.g. git clone, checkout specific commit or PR)
2. Restore or install dependencies (e.g. language packages, system packages)
3. Set up build tools (compilers, SDKs, build caches)

Static analysis & linting

• Style linters (e.g. eslint, flake8, gofmt, prekbdier)
• Static analysis (e.g. pylint, sonarqube, tsc, clang-tidy)
• Security linters / SAST (e.g. bandit, semgrep, brakeman)
• Dependency vulnerability scan / SCA (e.g. npm audit, pip-audit, trivy, snyk)
• License / SBOM generation and checks

Formakbding & code quality gates

• Auto-formakbding (e.g. black, gofmt, rustfmt)
• Enforce code coverage thresholds
• Enforce quality gates (e.g. no new critical issues, complexity limits)

Building & packaging

1. Compile / build:
2. 1. Frontend bundles (e.g. webpack, vite, rollup)
   2. Backend binaries or artifacts (e.g. maven, gradle, msbuild, cargo)
3. Package:
4. 1. Containers (e.g. Docker images)
   2. Language-specific artifacts (e.g. .jar, .whl, .gem, .tgz)
   3. OS packages (e.g. .deb, .rpm)
5. Versioning & tagging (e.g. semantic versioning, git tags)

Testing

• Unit tests. Fast, in-memory; run on every commit
• Integration tests: Talk to real or test instances of DBs, queues, services
• Component / contract tests: API contract verification between services
• End-to-end (E2E) tests: Browser/UI tests, API flows, user journeys
• Regression and smoke tests: Focused tests ensuring key paths still work
• Performance & load tests (often in later stages or separate pipelines)
• Security tests (DAST, API fuzzing); may be separate jobs

Code coverage & test reporting

1. Collect coverage (e.g. lcov, coverage.py, jacoco)
2. Publish coverage and test reports (HTML, JUnit XML, etc.)
3. Enforce minimum coverage or “no drop in coverage” rules

Artifact & environment management

Artifact storage

1. Store build outputs in an artifact repository:
2. 1. Docker/image registry
   2. Binary repository (e.g. Artifactory, Nexus, GitHub Packages)
   3. CI artifact storage (for logs, reports, temporary builds)

Configuration & secrets

• Manage environment-specific configuration (dev/stage/prod)
• Inject secrets securely: Secret managers (e.g. Vault, KMS, SSM, GitHub Actions secrets)
• Template or generate configs (e.g. helm, kustomize, dotenv)

CD / Deployment Stages

Staging / test environment deployment

1. Deploy built artifact to:
2. 1. Test/staging Kubernetes namespace
   2. Test VMs or PaaS (e.g. Heroku, Cloud Run)
3. Run smoke/E2E tests against staging
4. Data / schema migrations in non-prod

Deployment strategies

• Blue–green deployments: Keep old (blue) and new (green) environment; cut traffic over when ready
• Canary releases: Release to a small % of users, then gradually increase
• Rolling updates: Replace instances gradually with new version
• Recreate: Take down old version, then start new (simple but risky)
• Feature flags:Deploy dark, enable functionality via flags at runtime

Production deployment

• Promotion of the *same* artifact from staging to production
• Automated or manual approval gates:
• Human approval step
• Policy-as-code checks
• Database migrations / rollbacks
• Infrastructure changes
• IaC tools (e.g. terraform, pulumi, ansible, cloudformation)

Post-deploy & operations

Verification & monitoring

• Automated health checks (readiness/liveness, /health endpoints)
• Log checks for errors after deploy
• Metrics / observability:
• Error rates, latency, throughput
• SLO / SLA checks
• Synthetic monitoring (scripted user journeys)

Rollback & recovery

• Automated rollback if health checks or metrics fail
• Versioned releases or deployment history
• Database rollback or forward-fix strategies

Supporting pipeline features

Caching & optimization

• Cache:
• Dependencies (e.g. node_modules, .m2, pip cache)
• Build intermediates
• Parallelization of independent jobs (lint, unit tests, build, etc.)
• Matrix builds:
• Multiple OS, language versions, or dependency sets

Branch / environment policies

• Different pipelines per branch:
• PR branches: lint, tests, build only
• Main/develop: full pipeline + deploy to dev/stage
• Release branches/tags: deploy to production
• Protected branches and required checks
• Triggers:
• On push, PR, schedule (cron), or manual

Notifications & reporting

• Status notifications: Chat (Slack, Matrix, etc.), email, dashboards
• Build and deploy history
• Links to test/coverage reports, logs, artifacts

Example high-level flow (simplified)

1. Checkout code and restore dependencies
2. Run linters and static analysis
3. Build artifacts (binary / container)
4. Run unit and integration tests
5. Publish artifacts to registry
6. Deploy to staging environment
7. Run smoke/E2E tests on staging
8. With approval, deploy to production (blue–green/canary/rolling)
9. Monitor and rollback automatically if needed

Copyright ©2023-2026 Søren Lund
Last modified on Wednesday, Apr 1, 2026