# CI/CD Pipeline Builder

**Tier:** POWERFUL **Category:** Engineering / DevOps **Maintainer:** Claude Skills Team

## Overview

Generate production-grade CI/CD pipelines from detected project stack signals. Analyzes lockfiles, manifests, and scripts to produce optimized pipelines with proper caching, matrix strategies, security scanning, and deployment gates. Supports GitHub Actions, GitLab CI, CircleCI, and Buildkite with deployment strategies including blue-green, canary, and rolling updates.

## Keywords

CI/CD, GitHub Actions, GitLab CI, pipeline, deployment, caching, matrix builds, blue-green deployment, canary deployment, security scanning, SAST, container builds, environment gates

## Core Capabilities

### 1. Stack Detection

- Language/runtime detection from lockfiles and manifests
- Package manager inference from lock file format
- Build/test/lint command extraction from scripts
- Framework detection (Next.js, FastAPI, Go modules, etc.)
- Infrastructure detection (Docker, Kubernetes, Terraform)

### 2. Pipeline Generation

- Lint, test, build, deploy stages with correct dependencies
- Caching strategies matched to package manager
- Matrix builds for multi-version support
- Artifact passing between jobs
- Conditional execution (path filters, branch rules)

### 3. Deployment Strategies

- Blue-green with instant rollback
- Canary with percentage-based traffic shifting
- Rolling updates with health checks
- Feature flags integration
- Manual approval gates for production

### 4. Security Integration

- SAST scanning (CodeQL, Semgrep, Snyk)
- Dependency vulnerability scanning
- Container image scanning (Trivy, Grype)
- Secret scanning in CI
- SBOM generation

## When to Use

- Bootstrapping CI/CD for a new repository
- Migrating between CI platforms
- Optimizing slow or flaky pipelines
- Adding deployment stages to an existing CI-only pipeline
- Implementing security scanning in the pipeline
- Setting up multi-environment deployment (staging, production)

## Stack Detection Heuristics

```
File Found                  → Inference
─────────────────────────────────────────────────
package-lock.json           → Node.js + npm
pnpm-lock.yaml              → Node.js + pnpm
yarn.lock                   → Node.js + yarn
bun.lockb                   → Bun
requirements.txt / Pipfile  → Python + pip/pipenv
pyproject.toml + uv.lock    → Python + uv
poetry.lock                 → Python + poetry
go.mod                      → Go
Cargo.lock                  → Rust
Gemfile.lock                → Ruby
composer.lock               → PHP
next.config.*               → Next.js (Node.js)
nuxt.config.*               → Nuxt (Node.js)
Dockerfile                  → Container build needed
docker-compose.yml          → Multi-service setup
terraform/*.tf              → Infrastructure as Code
k8s/ or kubernetes/         → Kubernetes deployment
```

## GitHub Actions Pipeline Templates

### Node.js (pnpm + Vitest + Next.js)

```yaml
name: CI/CD

on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main, dev]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  NODE_VERSION: '20'
  PNPM_VERSION: '9'

jobs:
  lint-and-typecheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: ${{ env.PNPM_VERSION }}
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'pnpm'
      - run: pnpm install --frozen-lockfile
      - run: pnpm lint
      - run: pnpm typecheck

  test:
    runs-on: ubuntu-latest
    needs: lint-and-typecheck
    services:
      postgres:
        image: postgres:16
        env:
          POSTGRES_USER: test
          POSTGRES_PASSWORD: test
          POSTGRES_DB: testdb
        ports: ['5432:5432']
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: ${{ env.PNPM_VERSION }}
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'pnpm'
      - run: pnpm install --frozen-lockfile
      - run: pnpm test:ci
        env:
          DATABASE_URL: postgresql://test:test@localhost:5432/testdb

  build:
    runs-on: ubuntu-latest
    needs: test
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: ${{ env.PNPM_VERSION }}
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'pnpm'
      - run: pnpm install --frozen-lockfile
      - run: pnpm build
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: .next/
          retention-days: 1

  security-scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
      - uses: github/codeql-action/analyze@v3

  deploy-staging:
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    needs: [build, security-scan]
    runs-on: ubuntu-latest
    environment:
      name: staging
      url: https://staging.myapp.com
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: build-output
          path: .next/
      - name: Deploy to staging
        run: |
          # Replace with your deployment command
          echo "Deploying to staging..."
        env:
          DEPLOY_TOKEN: ${{ secrets.STAGING_DEPLOY_TOKEN }}

  deploy-production:
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    needs: deploy-staging
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://myapp.com
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: build-output
          path: .next/
      - name: Deploy to production
        run: |
          echo "Deploying to production..."
        env:
          DEPLOY_TOKEN: ${{ secrets.PROD_DEPLOY_TOKEN }}
```

### Python (uv + pytest + FastAPI)

```yaml
name: CI/CD

on:
  push:
    branches: [main]
  pull_request:

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v4
      - run: uv sync --frozen
      - run: uv run ruff check .
      - run: uv run ruff format --check .
      - run: uv run mypy src/

  test:
    runs-on: ubuntu-latest
    needs: lint
    strategy:
      matrix:
        python-version: ['3.11', '3.12', '3.13']
    services:
      postgres:
        image: postgres:16
        env:
          POSTGRES_USER: test
          POSTGRES_PASSWORD: test
          POSTGRES_DB: testdb
        ports: ['5432:5432']
        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v4
        with:
          python-version: ${{ matrix.python-version }}
      - run: uv sync --frozen
      - run: uv run pytest --cov --cov-report=xml -v
        env:
          DATABASE_URL: postgresql://test:test@localhost:5432/testdb
      - uses: codecov/codecov-action@v4
        if: matrix.python-version == '3.12'
        with:
          file: coverage.xml

  build-container:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: ${{ github.ref == 'refs/heads/main' }}
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  container-scan:
    needs: build-container
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
          severity: 'CRITICAL,HIGH'
          exit-code: '1'
```

## Deployment Strategy Decision Framework

```
How critical is zero-downtime?
│
├─ Critical (payment processing, real-time systems)
│  └─ BLUE-GREEN DEPLOYMENT
│     Pro: Instant rollback, zero-downtime guaranteed
│     Con: Requires 2x infrastructure during deployment
│
├─ Important but can tolerate brief errors
│  ├─ Need to validate with real traffic first?
│  │  └─ CANARY DEPLOYMENT
│  │     Pro: Test with small % of traffic before full rollout
│  │     Con: Complex routing, need observability for canary metrics
│  │
│  └─ Standard web app with health checks
│     └─ ROLLING UPDATE
│        Pro: Simple, built into K8s/ECS, gradual rollout
│        Con: Both versions serve traffic during rollout
│
└─ Development/staging environment
   └─ RECREATE (stop old, start new)
      Pro: Simplest, cleanest
      Con: Brief downtime during deployment
```

## Caching Strategy Reference

| Package Manager | Cache Path | Key Pattern |
| --- | --- | --- |
| npm | `~/.npm` | `${{ runner.os }}-npm-${{ hashFiles('package-lock.json') }}` |
| pnpm | Detected by setup-node | `cache: 'pnpm'` in setup-node |
| yarn | `~/.cache/yarn` | `${{ runner.os }}-yarn-${{ hashFiles('yarn.lock') }}` |
| pip | `~/.cache/pip` | `${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}` |
| uv | `~/.cache/uv` | Handled by setup-uv |
| Go | `~/go/pkg/mod` | `${{ runner.os }}-go-${{ hashFiles('go.sum') }}` |
| Cargo | `~/.cargo/registry` | `${{ runner.os }}-cargo-${{ hashFiles('Cargo.lock') }}` |
| Docker | GHA cache | `cache-from: type=gha` in build-push-action |

## Pipeline Optimization Techniques

### 1. Path Filtering (Skip Unnecessary Runs)

GitHub Actions does not accept `paths` and `paths-ignore` on the same event; excludes are expressed as `!` patterns inside `paths` instead (patterns are evaluated in order, so the negations come after the includes):

```yaml
on:
  push:
    paths:
      - 'src/**'
      - 'tests/**'
      - 'package.json'
      - 'pnpm-lock.yaml'
      # exclusions: a later "!" pattern removes matches from the earlier includes
      - '!**.md'
      - '!docs/**'
      - '!.github/ISSUE_TEMPLATE/**'
```

### 2. Job Dependency Graph

```
lint ──────┐
           ├──→ test ──→ build ──→ deploy-staging ──→ deploy-production
typecheck ─┘          │
                      └──→ security-scan
```

### 3. Matrix Strategy with Fail-Fast

```yaml
strategy:
  fail-fast: true  # cancel all if one fails
  matrix:
    node-version: [18, 20, 22]
    os: [ubuntu-latest]
    include:
      - node-version: 20
        os: macos-latest  # test one combo on macOS
```

## GitLab CI Equivalent

```yaml
stages:
  - validate
  - test
  - build
  - deploy

variables:
  NODE_VERSION: "20"

.node-setup: &node-setup
  image: node:${NODE_VERSION}
  cache:
    key: ${CI_COMMIT_REF_SLUG}
    paths:
      - node_modules/
      - .pnpm-store/
  before_script:
    - corepack enable
    - pnpm install --frozen-lockfile

lint:
  stage: validate
  <<: *node-setup
  script:
    - pnpm lint
    - pnpm typecheck

test:
  stage: test
  <<: *node-setup
  services:
    - postgres:16
  variables:
    POSTGRES_DB: testdb
    POSTGRES_USER: test
    POSTGRES_PASSWORD: test
    DATABASE_URL: postgresql://test:test@postgres:5432/testdb
  script:
    - pnpm test:ci
  coverage: '/All files[^|]*\|[^|]*\s+([\d\.]+)/'

build:
  stage: build
  <<: *node-setup
  script:
    - pnpm build
  artifacts:
    paths:
      - .next/
    expire_in: 1 hour

deploy_staging:
  stage: deploy
  environment:
    name: staging
    url: https://staging.myapp.com
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  script:
    - echo "Deploy to staging"

deploy_production:
  stage: deploy
  environment:
    name: production
    url: https://myapp.com
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
      when: manual
  needs: [deploy_staging]
  script:
    - echo "Deploy to production"
```

## Validation Checklist

Before merging a generated pipeline:

1. YAML parses without syntax errors
2. All referenced commands exist in the repository (`test`, `lint`, `build`)
3. Cache strategy matches the detected package manager
4. Required secrets are documented (not embedded in YAML)
5. Branch protection rules match organization policy
6. Deployment jobs are gated by protected environments
7. Security scanning runs on the appropriate code paths
8. Artifact retention is set (do not keep build artifacts indefinitely)
9. Concurrency group prevents duplicate runs on the same branch
10. Path filters exclude documentation-only changes from full CI runs

## Common Pitfalls

- **Copying pipelines between projects** without adapting to the actual stack
- **No concurrency control** leading to redundant parallel runs on rapid pushes
- **Missing cache keys** causing cache misses on every run (slow builds)
- **Running full matrix on every PR** when only main needs multi-version testing
- **Hardcoding secrets in YAML** instead of using CI secret stores
- **No path filtering** so documentation changes trigger full build+test+deploy
- **Deploy jobs without environment gates** allowing accidental production deployments
- **No artifact retention policy** causing storage costs to grow indefinitely

## Best

## Bundled script: pipeline linter (Python)

The skill ships a Python linter for pipeline YAML (record metadata: `text/x-python; charset=utf-8`, 14219 bytes, sha256 `23120622e294ba5da8e8bfcc172d280653dd2178091369a577bcaf29c9695161`). Only the second half of the file is present in this record; the surviving part is reproduced below with its escaping and indentation restored.

```python
# NOTE: the record is truncated at the start of this file. The module header
# (imports, the SEVERITY_* constants, the _lines_containing() helper,
# check_hardcoded_secrets() and the opening of check_unpinned_actions()) is not
# present in the source; the imports and severity constants below are
# reconstructed from how the surviving code uses them.
import argparse
import json
import os
import re
import sys
from pathlib import Path

SEVERITY_ERROR = "error"      # severity values are the lowercase strings
SEVERITY_WARNING = "warning"  # that severity_rank in main() keys on
SEVERITY_INFO = "info"


# ... check_unpinned_actions(text, platform): only its tail survives ...
        for lineno, line in _lines_containing(text, pat):
            findings.append({
                "rule": "pin-action-versions",
                "severity": SEVERITY_WARNING,
                "line": lineno,
                "message": f"Action pinned to mutable branch: {line}",
            })
    return findings


def check_missing_timeout(text, platform):
    """Flag jobs that lack a timeout setting."""
    findings = []
    if platform == "github-actions":
        # Heuristic: look for 'runs-on' (marks a job) without a nearby timeout-minutes
        in_job = False
        job_name = ""
        job_line = 0
        has_timeout = False
        for idx, line in enumerate(text.splitlines(), start=1):
            stripped = line.strip()
            # A bare "key:" line opens a new mapping and closes the current job.
            # The "$'" ending each pattern was lost in the source and is restored here.
            if re.match(r'^[a-zA-Z0-9_-]+:\s*$', stripped) or re.match(r'^[a-zA-Z0-9_-]+:$', stripped):
                if in_job and not has_timeout:
                    findings.append({
                        "rule": "require-timeout",
                        "severity": SEVERITY_WARNING,
                        "line": job_line,
                        "message": f"Job '{job_name}' has no timeout-minutes (default is 6 hours)",
                    })
                in_job = False
                has_timeout = False
            if "runs-on:" in stripped:
                in_job = True
                job_name = stripped
                job_line = idx
            if "timeout-minutes:" in stripped:
                has_timeout = True
        if in_job and not has_timeout:
            findings.append({
                "rule": "require-timeout",
                "severity": SEVERITY_WARNING,
                "line": job_line,
                "message": f"Job '{job_name}' has no timeout-minutes (default is 6 hours)",
            })
    elif platform == "gitlab-ci":
        if "timeout:" not in text:
            findings.append({
                "rule": "require-timeout",
                "severity": SEVERITY_INFO,
                "line": 1,
                "message": "No global or per-job timeout set (GitLab default is 1 hour)",
            })
    return findings


def check_missing_concurrency(text, platform):
    """Flag GitHub Actions workflows missing a concurrency group."""
    if platform != "github-actions":
        return []
    if "concurrency:" not in text:
        return [{
            "rule": "require-concurrency",
            "severity": SEVERITY_WARNING,
            "line": 1,
            "message": "Workflow has no concurrency group; duplicate runs can waste resources",
        }]
    return []


def check_missing_permissions(text, platform):
    """Flag GitHub Actions workflows without explicit permissions."""
    if platform != "github-actions":
        return []
    if "permissions:" not in text:
        return [{
            "rule": "require-permissions",
            "severity": SEVERITY_WARNING,
            "line": 1,
            "message": "No explicit permissions block; workflow runs with default (often broad) token scope",
        }]
    return []


def check_missing_path_filters(text, platform):
    """Info-level hint when pushes trigger on all paths."""
    if platform != "github-actions":
        return []
    if re.search(r'on:\s*\n\s+push:', text) and "paths" not in text:
        return [{
            "rule": "suggest-path-filters",
            "severity": SEVERITY_INFO,
            "line": 1,
            "message": "No path filters; documentation-only changes will trigger full CI",
        }]
    return []


def check_artifact_retention(text, platform):
    """Warn when upload-artifact has no retention-days."""
    findings = []
    if platform == "github-actions":
        in_upload = False
        upload_line = 0
        has_retention = False
        for idx, line in enumerate(text.splitlines(), start=1):
            stripped = line.strip()
            if "actions/upload-artifact" in stripped:
                if in_upload and not has_retention:
                    findings.append({
                        "rule": "set-artifact-retention",
                        "severity": SEVERITY_WARNING,
                        "line": upload_line,
                        "message": "upload-artifact without retention-days; artifacts kept for 90 days by default",
                    })
                in_upload = True
                upload_line = idx
                has_retention = False
            if in_upload and "retention-days:" in stripped:
                has_retention = True
            # The next step ("- ...") closes the upload step under inspection.
            if in_upload and stripped.startswith("- ") and "upload-artifact" not in stripped:
                if not has_retention:
                    findings.append({
                        "rule": "set-artifact-retention",
                        "severity": SEVERITY_WARNING,
                        "line": upload_line,
                        "message": "upload-artifact without retention-days; artifacts kept for 90 days by default",
                    })
                in_upload = False
                has_retention = False
    elif platform == "gitlab-ci":
        if "artifacts:" in text and "expire_in:" not in text:
            findings.append({
                "rule": "set-artifact-retention",
                "severity": SEVERITY_WARNING,
                "line": 1,
                "message": "Artifacts defined without expire_in; storage costs grow indefinitely",
            })
    return findings


def check_deploy_without_gate(text, platform):
    """Flag deploy jobs that lack environment protection or branch guards."""
    findings = []
    if platform == "github-actions":
        for idx, line in enumerate(text.splitlines(), start=1):
            if re.search(r'deploy.*production', line, re.IGNORECASE):
                # Check next ~15 lines for environment or if guard
                block = "\n".join(text.splitlines()[idx:idx + 15])
                if "environment:" not in block and 'if:' not in block:
                    findings.append({
                        "rule": "gate-production-deploy",
                        "severity": SEVERITY_ERROR,
                        "line": idx,
                        "message": "Production deploy job lacks environment gate or branch condition",
                    })
    elif platform == "gitlab-ci":
        for idx, line in enumerate(text.splitlines(), start=1):
            if re.search(r'deploy.*production', line, re.IGNORECASE):
                block = "\n".join(text.splitlines()[idx:idx + 15])
                if "when: manual" not in block and "rules:" not in block:
                    findings.append({
                        "rule": "gate-production-deploy",
                        "severity": SEVERITY_ERROR,
                        "line": idx,
                        "message": "Production deploy job lacks manual gate or rules guard",
                    })
    return findings


# ---------------------------------------------------------------------------
# Platform detection & orchestration
# ---------------------------------------------------------------------------

ALL_CHECKS = [
    check_hardcoded_secrets,
    check_unpinned_actions,
    check_missing_timeout,
    check_missing_concurrency,
    check_missing_permissions,
    check_missing_path_filters,
    check_artifact_retention,
    check_deploy_without_gate,
]


def detect_platform(filepath, text):
    """Determine CI platform from path and content."""
    name = os.path.basename(filepath)
    parent = os.path.basename(os.path.dirname(filepath))
    if parent == "workflows" or ".github" in filepath:
        return "github-actions"
    if name == ".gitlab-ci.yml" or "stages:" in text:
        return "gitlab-ci"
    # Fallback heuristic
    if "runs-on:" in text:
        return "github-actions"
    if "image:" in text and "script:" in text:
        return "gitlab-ci"
    return "unknown"


def lint_file(filepath):
    """Run all checks on a single file. Returns dict with findings."""
    filepath = str(filepath)
    try:
        with open(filepath, "r", encoding="utf-8") as f:
            text = f.read()
    except (OSError, UnicodeDecodeError) as exc:
        return {
            "file": filepath,
            "platform": "unknown",
            "findings": [{
                "rule": "file-read-error",
                "severity": SEVERITY_ERROR,
                "line": 0,
                "message": str(exc),
            }],
        }

    platform = detect_platform(filepath, text)
    findings = []
    for check_fn in ALL_CHECKS:
        findings.extend(check_fn(text, platform))

    findings.sort(key=lambda f: (f["line"], f["severity"]))
    return {"file": filepath, "platform": platform, "findings": findings}


def collect_files(path):
    """Collect YAML files from a file path or directory."""
    p = Path(path)
    if p.is_file():
        return [p]
    if p.is_dir():
        yamls = sorted(p.glob("**/*.yml")) + sorted(p.glob("**/*.yaml"))
        return yamls
    return []


# ---------------------------------------------------------------------------
# Output formatting
# ---------------------------------------------------------------------------

_SEVERITY_SYMBOL = {
    SEVERITY_ERROR: "E",
    SEVERITY_WARNING: "W",
    SEVERITY_INFO: "I",
}


def format_human(results):
    """Return human-readable report string."""
    lines = []
    total_errors = 0
    total_warnings = 0
    for result in results:
        lines.append(f"\n--- {result['file']} (platform: {result['platform']}) ---")
        if not result["findings"]:
            lines.append("  No issues found.")
            continue
        for f in result["findings"]:
            sym = _SEVERITY_SYMBOL.get(f["severity"], "?")
            lines.append(f"  [{sym}] L{f['line']:>4d} {f['rule']}: {f['message']}")
            if f["severity"] == SEVERITY_ERROR:
                total_errors += 1
            elif f["severity"] == SEVERITY_WARNING:
                total_warnings += 1
    lines.append(f"\nSummary: {total_errors} error(s), {total_warnings} warning(s)")
    return "\n".join(lines)


# ---------------------------------------------------------------------------
# CLI
# ---------------------------------------------------------------------------

def main():
    parser = argparse.ArgumentParser(
        description="Lint CI/CD pipeline YAML files for common issues.",
        epilog="Examples:\n"
               "  %(prog)s .github/workflows/ci.yml\n"
               "  %(prog)s --dir .github/workflows/ --json\n"
               "  %(prog)s .gitlab-ci.yml --severity warning",
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument("files", nargs="*", help="Pipeline YAML files to lint")
    parser.add_argument("--dir", help="Directory to scan recursively for YAML files")
    parser.add_argument("--json", action="store_true", dest="json_output",
                        help="Output results as JSON")
    parser.add_argument("--severity", choices=["error", "warning", "info"],
                        default="info",
                        help="Minimum severity to report (default: info)")
    args = parser.parse_args()

    files_to_lint = []
    for f in (args.files or []):
        files_to_lint.extend(collect_files(f))
    if args.dir:
        files_to_lint.extend(collect_files(args.dir))

    if not files_to_lint:
        parser.error("No files provided. Pass YAML files or use --dir.")

    severity_rank = {"error": 3, "warning": 2, "info": 1}
    min_rank = severity_rank[args.severity]

    results = []
    for fpath in files_to_lint:
        result = lint_file(fpath)
        result["findings"] = [
            f for f in result["findings"]
            if severity_rank.get(f["severity"], 0) >= min_rank
        ]
        results.append(result)

    if args.json_output:
        print(json.dumps(results, indent=2))
    else:
        print(format_human(results))

    # Non-zero exit on any error-level finding so the linter can gate a merge.
    has_errors = any(
        f["severity"] == SEVERITY_ERROR
        for r in results for f in r["findings"]
    )
    sys.exit(1 if has_errors else 0)


if __name__ == "__main__":
    main()
```
Practices","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detect stack first, then generate pipeline","type":"text","marks":[{"type":"strong"}]},{"text":" — never guess at build commands","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Keep the generated baseline under version control","type":"text","marks":[{"type":"strong"}]},{"text":" and customize incrementally","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"One optimization at a time","type":"text","marks":[{"type":"strong"}]},{"text":" — add caching, then matrix, then split jobs","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Require green CI before any deployment job","type":"text","marks":[{"type":"strong"}]},{"text":" can execute","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Use protected environments","type":"text","marks":[{"type":"strong"}]},{"text":" for production credentials and manual approval gates","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Track pipeline duration and flakiness","type":"text","marks":[{"type":"strong"}]},{"text":" as first-class engineering metrics","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Separate deploy jobs from CI jobs","type":"text","marks":[{"type":"strong"}]},{"text":" to keep feedback fast for developers","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Regenerate the pipeline when the stack changes significantly","type":"text","marks":[{"type":"strong"}]},{"text":" (new language, new 
framework)","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Troubleshooting","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Problem","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Cause","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Solution","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Pipeline YAML fails validation","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Indentation errors or invalid key names","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Run ","type":"text"},{"text":"yamllint","type":"text","marks":[{"type":"code_inline"}]},{"text":" locally before committing; use the CI platform's built-in linter (e.g., ","type":"text"},{"text":"act","type":"text","marks":[{"type":"code_inline"}]},{"text":" for GitHub Actions, ","type":"text"},{"text":"gitlab-ci-lint","type":"text","marks":[{"type":"code_inline"}]},{"text":" for GitLab)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Cache misses on every run","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Cache key does not include the correct lockfile 
hash","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Verify the ","type":"text"},{"text":"hashFiles()","type":"text","marks":[{"type":"code_inline"}]},{"text":" path matches the actual lockfile location; check the Caching Strategy Reference table above","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Matrix build times explode","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Running full OS + version matrix on every PR","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Restrict the full matrix to ","type":"text"},{"text":"main","type":"text","marks":[{"type":"code_inline"}]},{"text":" branch pushes; run a single representative version on PRs","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Deployment job triggers on PRs","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Missing branch/event guard on deploy jobs","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Add ","type":"text"},{"text":"if: github.ref == 'refs/heads/main' && github.event_name == 'push'","type":"text","marks":[{"type":"code_inline"}]},{"text":" or equivalent platform condition","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Service 
containers fail to start","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Health check misconfigured or image not found","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Pin the service image to a specific major version; confirm health check command exists in the image","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Secret not available in workflow","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Secret not added to the repository or environment settings","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Add the secret via the CI platform's secrets UI; ensure the job references the correct ","type":"text"},{"text":"environment","type":"text","marks":[{"type":"code_inline"}]},{"text":" name","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Build artifact missing in deploy job","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Artifact name mismatch or retention expired","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Ensure ","type":"text"},{"text":"upload-artifact","type":"text","marks":[{"type":"code_inline"}]},{"text":" and ","type":"text"},{"text":"download-artifact","type":"text","marks":[{"type":"code_inline"}]},{"text":" use the 
same ","type":"text"},{"text":"name","type":"text","marks":[{"type":"code_inline"}]},{"text":" value; set ","type":"text"},{"text":"retention-days","type":"text","marks":[{"type":"code_inline"}]},{"text":" high enough to survive the full pipeline","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Success Criteria","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Pipeline generates valid YAML that passes platform-native linting on first attempt for detected stacks","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Build times stay under 10 minutes for lint + test + build stages combined (excluding deploy)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Cache hit rate exceeds 90% on repeat runs with unchanged lockfiles","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Security scanning (SAST + dependency + container) executes on every push to ","type":"text"},{"text":"main","type":"text","marks":[{"type":"code_inline"}]},{"text":" without manual triggers","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Deployment to staging is fully automated; production requires exactly one manual approval gate","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Pipeline flakiness rate remains below 2% over a rolling 30-day window","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Zero hardcoded secrets in generated pipeline YAML; all sensitive values reference platform secret stores","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Scope & Limitations","type":"text"}]},{"type":"paragraph","content":[{"text":"This skill 
covers:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Generating CI/CD pipelines for GitHub Actions, GitLab CI, CircleCI, and Buildkite","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Stack detection from lockfiles, manifests, Dockerfiles, and infrastructure-as-code definitions","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Deployment strategy selection (blue-green, canary, rolling, recreate) with decision framework","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Pipeline optimization including caching, matrix builds, path filtering, and concurrency control","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"This skill does NOT cover:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Runtime infrastructure provisioning or cloud resource management (see ","type":"text"},{"text":"engineering/saas-scaffolder","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Application-level security hardening beyond CI-integrated scanning (see ","type":"text"},{"text":"engineering/skill-security-auditor","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Monitoring, alerting, and observability configuration after deployment (see ","type":"text"},{"text":"engineering/observability-designer","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Database migration orchestration during deployments (see 
","type":"text"},{"text":"engineering/migration-architect","type":"text","marks":[{"type":"code_inline"}]},{"text":")","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Integration Points","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Skill","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Integration","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Data Flow","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"engineering/dependency-auditor","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Feeds vulnerability scan results into pipeline security gates","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Auditor findings trigger pipeline failure or warning annotations","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"engineering/release-manager","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Coordinates versioning and changelog with deploy 
stages","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Release tags drive conditional deployment job execution","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"engineering/observability-designer","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Post-deploy health checks and alerting complement pipeline gates","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Pipeline triggers smoke tests; observability confirms deployment health","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"engineering/env-secrets-manager","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Manages secrets referenced by pipeline environment variables","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Secret rotation policies feed into pipeline secret store configuration","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"engineering/migration-architect","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Database migrations run as a pre-deploy step in 
the pipeline","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Migration status gates the application deployment job","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"engineering/runbook-generator","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Generates rollback runbooks aligned with deployment strategy","type":"text"}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Pipeline failure triggers link to the relevant rollback runbook","type":"text"}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"ci-cd-pipeline-builder","author":"@skillopedia","source":{"stars":209,"repo_name":"claude-skills","origin_url":"https://github.com/borghei/claude-skills/blob/HEAD/engineering/ci-cd-pipeline-builder/SKILL.md","repo_owner":"borghei","body_sha256":"24fae75f5dc67b5e26e1dd4a6b9daf43773bd6f46f0a77f17f4ffceff9e63cad","cluster_key":"388a92e4c8b9e19a5d2863e957ee02fb9fe4f9b7d287891c8f9656b57ffc874b","clean_bundle":{"format":"clean-skill-bundle-v1","source":"borghei/claude-skills/engineering/ci-cd-pipeline-builder/SKILL.md","attachments":[{"id":"1a83320e-0cb4-5ea2-b94a-3bdd1246988d","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/1a83320e-0cb4-5ea2-b94a-3bdd1246988d/attachment.py","path":"scripts/cache_optimizer.py","size":16313,"sha256":"7609d499b84cbc1dbddb1d1b259a4961fb9371195a48211a6b64ce004a8596c6","contentType":"text/x-python; 
charset=utf-8"},{"id":"ab9feb76-47c3-5faf-a384-4b05e47fb83f","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/ab9feb76-47c3-5faf-a384-4b05e47fb83f/attachment.py","path":"scripts/pipeline_generator.py","size":16922,"sha256":"6ecbce190912b73542be50e99fb1968d71d29e44a430b2a9bf43f9c6f8576709","contentType":"text/x-python; charset=utf-8"},{"id":"f73b04b7-a3a6-588d-875f-0d878a8de85e","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/f73b04b7-a3a6-588d-875f-0d878a8de85e/attachment.py","path":"scripts/pipeline_linter.py","size":14219,"sha256":"23120622e294ba5da8e8bfcc172d280653dd2178091369a577bcaf29c9695161","contentType":"text/x-python; charset=utf-8"}],"bundle_sha256":"c6a5e361216dea4121162675f3d5603c76bc6465109b0b8d364e2acc413c49ae","attachment_count":3,"text_attachments":3,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"engineering/ci-cd-pipeline-builder/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"license":"MIT + Commons Clause","version":"v1","category":"security","metadata":{"tier":"POWERFUL","author":"borghei","domain":"devops","updated":"2026-03-09T00:00:00.000Z","version":"1.0.0","category":"engineering","frameworks":"github-actions, gitlab-ci, circleci, buildkite"},"import_tag":"clean-skills-v1","description":"Design and generate CI/CD pipelines from detected project stack signals. Covers GitHub Actions, GitLab CI, CircleCI, and Buildkite with caching, matrix builds, deployment strategies (blue-green, canary, rolling), environment gates, and security scanning. Use when bootstrapping CI, migrating pipelines, or optimizing build times.\n"}},"renderedAt":1782987769180}
