CI/CD & Deployment
Automated continuous integration, deployment pipelines, and post-deployment verification for reliable software delivery.
When to Use This Skill
Use this skill when:
- Setting up CI/CD pipelines for a project
- Deploying to staging or production environments
- Configuring GitHub Actions, GitLab CI, or other CI systems
- Running automated tests in CI environments
- Verifying deployments are successful
- Rolling back failed deployments
- Setting up infrastructure as code
Instructions
Step 1: Analyze Deployment Requirements
-
Identify target environments:
- Development
- Staging/Preview
- Production
-
Determine deployment strategy:
- Direct deployment (simple)
- Blue-green deployment (zero downtime)
- Canary deployment (gradual rollout)
- Feature flags (controlled release)
-
List prerequisites:
- Environment variables
- Secrets management
- Database migrations
- Infrastructure requirements
Step 2: Set Up CI Pipeline
GitHub Actions Example:
# .github/workflows/ci.yml
name: CI
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run linter
run: npm run lint
- name: Run type check
run: npm run typecheck
- name: Run tests
run: npm test
- name: Build
run: npm run build
GitLab CI Example:
# .gitlab-ci.yml
stages:
- test
- build
- deploy
test:
stage: test
image: node:20
script:
- npm ci
- npm run lint
- npm run test
build:
stage: build
image: node:20
script:
- npm ci
- npm run build
artifacts:
paths:
- dist/
Step 3: Configure Deployment Pipeline
Vercel Deployment:
# .github/workflows/deploy.yml
name: Deploy to Vercel
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Deploy to Vercel
uses: vercel/action-deploy@v1
with:
vercel-token: ${{ secrets.VERCEL_TOKEN }}
vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}
vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }}
Docker Deployment:
# .github/workflows/docker.yml
name: Build and Push Docker Image
on:
push:
tags: ['v*']
jobs:
docker:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
with:
push: true
tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
cache-from: type=gha
cache-to: type=gha,mode=max
Step 4: Set Up Secrets Management
GitHub Secrets:
# Add via GitHub UI or CLI
gh secret set DATABASE_URL --body "postgresql://..."
gh secret set API_KEY --body "sk-..."
gh secret set JWT_SECRET --body "..."
Environment Variables:
# .github/workflows/deploy.yml
jobs:
deploy:
environment: production
env:
NODE_ENV: production
DATABASE_URL: ${{ secrets.DATABASE_URL }}
API_KEY: ${{ secrets.API_KEY }}
Step 5: Configure Database Migrations
Run Migrations in CI:
- name: Run Database Migrations
run: npm run migrate
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
Pre-deployment Check:
- name: Check Migration Status
run: |
npm run migrate:status
if [ $? -ne 0 ]; then
echo "Pending migrations detected"
exit 1
fi
Step 6: Set Up Automated Testing in CI
Test Matrix (multiple environments):
strategy:
matrix:
node-version: [18, 20, 21]
os: [ubuntu-latest, windows-latest]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
- run: npm ci
- run: npm test
Coverage Reporting:
- name: Run tests with coverage
run: npm run test:coverage
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v3
with:
file: ./coverage/lcov.info
Step 7: Implement Security Scanning
Dependency Vulnerability Check:
- name: Run npm audit
run: npm audit --audit-level=moderate
- name: Check for known vulnerabilities
run: npx audit-ci --moderate
Static Application Security Testing (SAST):
- name: Run CodeQL Analysis
uses: github/codeql-action/init@v2
with:
languages: javascript
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
Step 8: Post-Deployment Verification
Health Checks:
- name: Verify Deployment
run: |
sleep 30 # Wait for deployment
curl -f https://your-app.com/health || exit 1
curl -f https://your-app.com/api/status || exit 1
Smoke Tests:
- name: Run Smoke Tests
run: |
npm run test:smoke
env:
BASE_URL: https://your-app.com
Performance Checks:
- name: Lighthouse CI
run: |
npm install -g @lhci/cli@0.12.x
lhci autorun
env:
LHCI_GITHUB_APP_TOKEN: ${{ secrets.LHCI_GITHUB_APP_TOKEN }}
Step 9: Set Up Notifications
Slack Notifications:
- name: Notify Slack on Success
if: success()
uses: 8398a7/action-slack@v3
with:
status: ${{ job.status }}
channel: '#deployments'
text: 'Deployment successful!'
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- name: Notify Slack on Failure
if: failure()
uses: 8398a7/action-slack@v3
with:
status: ${{ job.status }}
channel: '#alerts'
text: 'Deployment failed!'
Step 10: Configure Rollback Strategy
Automatic Rollback on Failure:
- name: Deploy
id: deploy
run: |
# Deploy command
vercel --prod
- name: Verify Deployment
id: verify
run: |
sleep 30
curl -f https://your-app.com/health
continue-on-error: true
- name: Rollback on Failure
if: steps.verify.outcome == 'failure'
run: |
echo "Deployment verification failed, rolling back..."
vercel rollback
Manual Rollback:
# Via CLI
vercel rollback
# Via Git
git revert HEAD
git push
Integration with OpenSpec
- Run CI pipeline after
openspec-apply-changecompletes - Use
openspec-verify-changeas part of CI verification - Archive changes automatically after successful deployment
- Link deployment status to change documentation
Guardrails
- Test before deploying - Never deploy without running tests
- Use staging environment - Always test in staging first
- Keep secrets secure - Never commit secrets to repository
- Monitor deployments - Watch for errors after deployment
- Have rollback plan - Know how to revert quickly
- Document deployments - Record what was deployed when
Common Patterns
Feature Branch Workflow:
on:
push:
branches-ignore:
- main
jobs:
preview:
steps:
- name: Deploy Preview
run: vercel --target=preview
Tag-based Production Deployment:
on:
push:
tags:
- 'v*'
jobs:
production:
environment: production
steps:
- name: Deploy to Production
run: vercel --prod
Monorepo Deployment:
jobs:
changes:
runs-on: ubuntu-latest
outputs:
frontend: ${{ steps.changes.outputs.frontend }}
backend: ${{ steps.changes.outputs.backend }}
steps:
- uses: dorny/paths-filter@v2
id: changes
with:
filters: |
frontend:
- 'apps/frontend/**'
backend:
- 'apps/backend/**'
deploy-frontend:
needs: changes
if: ${{ needs.changes.outputs.frontend == 'true' }}
steps:
- name: Deploy Frontend
run: vercel --cwd apps/frontend
deploy-backend:
needs: changes
if: ${{ needs.changes.outputs.backend == 'true' }}
steps:
- name: Deploy Backend
run: vercel --cwd apps/backend
Requirements
- Access to CI/CD platform (GitHub Actions, GitLab CI, etc.)
- Deployment target access (Vercel, AWS, GCP, etc.)
- Secrets management (GitHub Secrets, Vault, etc.)
- Infrastructure access (for database, cache, etc.)
Output Format
After setting up CI/CD:
## CI/CD Pipeline Configuration
**Platform**: [GitHub Actions/GitLab CI/etc.]
**Environments**: [List of configured environments]
### Workflows Created
1. **CI** (.github/workflows/ci.yml)
- Triggers: Push to main/develop, PRs
- Jobs: Lint, Test, Build
- Duration: ~3 minutes
2. **Deploy Staging** (.github/workflows/deploy-staging.yml)
- Triggers: Push to develop
- Jobs: Deploy to Vercel Preview
- URL: https://staging-your-app.vercel.app
3. **Deploy Production** (.github/workflows/deploy-prod.yml)
- Triggers: Tags (v*)
- Jobs: Security scan, Deploy, Verify
- URL: https://your-app.com
- Rollback: Enabled
### Secrets Configured
- [x] DATABASE_URL
- [x] API_KEY
- [x] JWT_SECRET
- [x] VERCEL_TOKEN
### Deployment Strategy
- Staging: Auto-deploy on push to develop
- Production: Manual deploy via git tag
- Rollback: Automatic on health check failure
### Verification
- Health check: /health endpoint
- Smoke tests: 5 critical user flows
- Performance: Lighthouse CI
See Also
testing-qa- Test automationsecure-coding-cybersecurity- Security scanningopenspec-verify-change- Verification stepsdocumentation- Document deployment process