ArcLibrary

CI/CD Pipeline

Automate 'merge → test → build → deploy' — a baseline of modern engineering.

Core · Key Idea

In one line: CI (continuous integration) = lint/test/build on every commit; CD (continuous delivery / deployment) = artifacts that passed are shipped to environments automatically or semi-automatically. The core goal is that the main branch is always releasable.

What it is

# .github/workflows/ci.yml (illustrative)
name: CI
on: [push, pull_request]
permissions:
  contents: read     # least privilege: the job token only needs to read the repo...
  packages: write    # ...and push the built image to GHCR
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v3          # install pnpm first so setup-node's pnpm cache works
      - uses: actions/setup-node@v4
        with: { node-version: 20, cache: pnpm }
      - run: pnpm install --frozen-lockfile  # fail if package.json and the lockfile disagree
      - run: pnpm lint
      - run: pnpm typecheck
      - run: pnpm test --coverage
  build:
    needs: test
    if: github.event_name == 'push'        # fork PRs have a read-only token and cannot push
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3         # push: true below needs registry credentials
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v6
        with:
          push: true
          tags: ghcr.io/me/web:${{ github.sha }}

Analogy

Without CI/CD: every release means queuing up and collecting manual sign-offs. With CI/CD: an assembly line + QA stations — every commit is auto-tested; failed ones never enter the warehouse; passed ones are packaged and shipped.

Key concepts

Trunk-based dev
Short branches + frequent merges to main. Pair with feature flags.
Build artifact
Image / tarball / wheel — **reproducible, traceable** to a commit.
Environments: dev / staging / prod
Auto-deploy each tier; the closer to prod, the stricter.
Canary / Blue-Green
Validate the new version on a small slice of traffic before flipping all.
Rollback
Image tag / Helm release / Argo Rollouts — **always have a one-click rollback**.
Build cache
Dependencies / image-layer cache — the key to fast CI.

A good pipeline

Practical notes

  • Fast > comprehensive: slow CI means people skip it or force-push around it. Under 10 minutes is the healthy line.
  • Cache dependencies + image layers: GitHub Actions / GitLab CI / BuildKit all support it.
  • Test pyramid: unit (many) → integration (some) → e2e (few). e2e is slow — run it on staging only.
  • Never ssh from CI to type commands by hand — use Ansible / Argo CD / Kustomize / Helm for reproducible flows.
  • Secrets: use the CI's built-in secrets store (never echo them into logs); use Vault / cloud KMS in production.
  • Quality gates: coverage, vulnerability scans (Trivy / Grype), license checks — block merges that fail them.
  • PR preview environments: each PR gets an isolated environment (Vercel / Cloudflare Pages / Helm preview).
  • Sign and trace: sign images with cosign + generate an SBOM — this also helps with compliance.
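The "quality gates" note above, made concrete as an added example (not code from the original page): a small gate script a CI job can run after `trivy image --format json`, which blocks on CRITICAL/HIGH findings that already have a fix and on coverage below a threshold. The report embedded below is constructed in Trivy's JSON shape with placeholder CVE ids; the thresholds and the script name `ci_gate.py` are assumptions.

```python
"""CI quality gate: fail the job when a Trivy JSON report or the coverage number breaches policy."""
import json
import sys

# Policy (assumed values): block on these severities, require this much coverage.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
MIN_COVERAGE_PCT = 80.0


def blocking_findings(report: dict, ignore_unfixed: bool = True) -> list[str]:
    """Return one line per vulnerability that must block the merge."""
    reasons = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in BLOCKING_SEVERITIES:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # no upgrade available yet: report it, but do not block on it
            reasons.append(
                f"{vuln['VulnerabilityID']} ({vuln['Severity']}) in {vuln['PkgName']} "
                f"{vuln.get('InstalledVersion', '?')} -> fix: {vuln['FixedVersion']} "
                f"[{result.get('Target', '?')}]"
            )
    return reasons


def evaluate_gate(report: dict, coverage_pct: float) -> list[str]:
    """Combine all gate checks; an empty list means the pipeline may proceed."""
    reasons = blocking_findings(report)
    if coverage_pct < MIN_COVERAGE_PCT:
        reasons.append(f"coverage {coverage_pct:.1f}% below required {MIN_COVERAGE_PCT:.0f}%")
    return reasons


# Constructed sample in Trivy's JSON shape; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "ghcr.io/me/web:deadbeef",
    "Results": [{"Target": "ghcr.io/me/web (debian 12)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample", "InstalledVersion": "1.0-1",
         "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libother", "InstalledVersion": "2.3",
         "FixedVersion": "", "Severity": "HIGH"},  # unfixed: listed in the report, not blocking
        {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libminor", "InstalledVersion": "0.9",
         "FixedVersion": "1.0", "Severity": "LOW"},
    ]}],
}

if __name__ == "__main__":
    # In CI: python ci_gate.py trivy.json 83.5   (report path, coverage percent); no args = sample
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 2 else SAMPLE_REPORT
    coverage = float(sys.argv[2]) if len(sys.argv) > 2 else 83.5
    problems = evaluate_gate(report, coverage)
    for line in problems:
        print("GATE FAIL:", line)
    sys.exit(1 if problems else 0)  # non-zero exit is what makes the CI step red
```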

Three CD cadences

Continuous Deployment
Tests pass → **straight to prod**.
Requires strong tests + canary + monitoring.
Continuous Delivery
Tests pass → staging; **human clicks** to promote.
Keeps a human in the loop.

Further reading