
Portal | Level: L1: Foundations | Topics: CI/CD | Domain: DevOps & Tooling

CI Pipeline

Overview

The GitHub Actions CI pipeline runs on every push to main/develop and on pull requests to main.

Jobs

lint ──────┐
test ──────┴──> docker-build ──> security
validate (independent)
terraform (independent)
dependency-audit (independent)

1. Lint & Format

  • Installs dev dependencies
  • Runs ruff check . (linting)
  • Runs ruff format --check . (formatting)

2. Unit Tests

  • Runs pytest --cov=app with 70% coverage floor
  • Uploads coverage report as artifact

3. Validate Configs

  • Helm lint — validates chart structure
  • Helm template — renders templates for dev, staging, prod, tag-override, and digest-override
  • Ansible syntax check — validates all playbooks
  • YAML lint — validates YAML files in devops/observability/values/, devops/ansible/inventory/, .github/workflows/
  • Shellcheck — static analysis of shell scripts in devops/

4. Docker Build

  • Requires lint and test to pass first
  • Uses Docker Buildx with GitHub Actions cache
  • Tags with git SHA, branch name, and latest (for default branch)
  • Pushes to GHCR on push events (not on PRs)
  • Outputs image tag and digest for downstream jobs

5. Terraform Validate

  • Runs terraform fmt -check on all Terraform files
  • Validates each module in devops/terraform/modules/
  • Independent of other jobs (runs in parallel)

6. Security Scan

  • Runs only on push (after image is pushed to registry)
  • Trivy vulnerability scan using immutable image digest when available
  • SBOM generation in SPDX format
  • Artifacts uploaded for audit trail

7. Dependency Audit

  • Runs pip-audit against requirements.txt
  • Independent of other jobs (runs in parallel)

Security Practices

  • Security scans prefer the immutable image digest over a mutable tag, so the image scanned is exactly the image that was built
  • SBOM generated for every pushed image
  • Dependency audit catches known CVEs in Python packages
  • Shellcheck prevents common shell script bugs
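How the digest hand-off in the Docker Build and Security Scan jobs above fits together, as an added illustration rather than the project's own workflow file: the build job exposes the digest returned by docker/build-push-action as a job output, and the scan job prefers that digest over the branch tag. The image name `ghcr.io/OWNER/app`, the action version pins, and the existence of `lint`/`test` jobs named as in the job graph are assumptions.

```yaml
jobs:
  docker-build:
    needs: [lint, test]
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ steps.meta.outputs.version }}      # branch name (mutable)
      digest: ${{ steps.build.outputs.digest }}   # sha256:... (immutable, set only when pushed)
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        if: github.event_name == 'push'
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/OWNER/app            # assumed image name
          tags: |
            type=sha
            type=ref,event=branch
            type=raw,value=latest,enable={{is_default_branch}}
      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: ${{ github.event_name == 'push' }}   # PRs build only, never publish
          tags: ${{ steps.meta.outputs.tags }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  security:
    needs: docker-build
    if: github.event_name == 'push'              # a digest exists only for a pushed image
    runs-on: ubuntu-latest
    steps:
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          # A digest pins exactly what was built; a tag could be re-pointed between build and scan.
          image-ref: ${{ needs.docker-build.outputs.digest != '' && format('ghcr.io/OWNER/app@{0}', needs.docker-build.outputs.digest) || format('ghcr.io/OWNER/app:{0}', needs.docker-build.outputs.tag) }}
          severity: CRITICAL,HIGH
          exit-code: '1'                           # fail the job on findings
      - uses: anchore/sbom-action@v0
        with:
          image: ghcr.io/OWNER/app@${{ needs.docker-build.outputs.digest }}
          format: spdx-json
          output-file: sbom.spdx.json
```

The workflow also needs `permissions: packages: write` for the GHCR push (omitted above for brevity), and anchore/sbom-action uploads the SPDX file as a workflow artifact by default, which is the audit-trail artifact the Security Scan section describes.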
