CI/CD - Skill Check

Mental model (bottom-up)

CI/CD is an event-driven DAG of jobs running on runners, producing artifacts and optionally deploying them. Security is about who can run what with which tokens.

Visual guide

git push/PR/tag -> pipeline -> build/test -> package -> deploy -> verify -> rollback

Glossary

  • runner - worker executing jobs
  • artifact - build output passed to later jobs or stored
  • cache - speed-up storage; not the shipped output
  • promotion - same artifact promoted dev->stage->prod
  • GitOps - deploy desired state from Git via controller
  • canary - partial traffic shift to new version

Common failure modes

  • Secrets exposed to untrusted PRs.
  • "Works in staging" but not in production, because the artifact changed between environments.
  • No rollback plan (so deployments become roulette).

Roadmap core (10, easy -> hard)

  • CI vs CD?
      • CI validates/builds; CD deploys.
  • What triggers a pipeline?
      • Push/PR/tag/schedule/manual.
  • What is an artifact?
      • Build output stored for later steps (image/package/binary).
  • Why run tests in CI?
      • Catch regressions before merge/deploy.
  • Why build container images in CI?
      • Reproducible deployable unit with version tag.
  • What is "pipeline as code"?
      • Pipeline definition in repo; reviewed like code.
  • Deploy strategies: rolling vs blue/green vs canary?
      • Gradual replace vs parallel cutover vs partial traffic shift.
  • What is a promotion flow?
      • Same artifact promoted dev->stage->prod with approvals.
  • Secrets in CI: main rule?
      • Inject at runtime; never echo; restrict scopes.
  • What makes CI/CD "production-grade"?
      • Deterministic builds, least-privilege deploy keys, rollback path, audit logs.

Pipelines & runners (easy -> hard)

  • What is a runner/agent?
      • Worker that executes jobs.
  • Why isolate runners?
      • Reduce secret exposure and lateral movement risk.
  • Cache vs artifact?
      • Cache speeds builds; artifact is an output you promote/ship.
  • Why pin tool versions?
      • Reproducibility and fewer surprise failures.
  • What's a build matrix?
      • Run same job across OS/versions for coverage.

GitHub Actions specifics (easy -> hard)

  • What is GITHUB_TOKEN?
      • Auto token for workflows (scoped; expires per job).
  • Why set default permissions to read-only?
      • Least privilege; raise perms only for jobs that need it.
  • How do you scope permissions?
      • Workflow/job-level permissions: blocks.
  • Fork PR risk?
      • Tokens are restricted; be careful with secrets on forked PRs.
  • Common Actions footgun?
      • Overbroad permissions + unpinned third-party actions.

GitLab CI specifics (easy -> hard)

  • Stages vs needs?
      • Stages are ordered; needs builds a DAG to run faster.
  • Artifacts retention matters because?
      • Storage cost + compliance; don't keep forever by default.
  • Environments feature gives what?
      • Deploy tracking, approvals, review apps.

Deployment patterns (easy -> hard)

  • Why "same artifact promoted"?
      • Prevents "it worked in staging" failures caused by the artifact changing between environments.
  • What is GitOps (concept)?
      • Desired state in Git; controller applies; PRs = change control.
  • Rollback mechanics?
      • Deploy previous known-good artifact; automate and test it.
  • Progressive delivery tradeoff?
      • Safer but more moving parts (metrics gating, traffic splitting).

Supply chain baseline (easy -> hard)

  • Why SBOM/provenance?
      • Know what you shipped and how it was built.
  • Why sign artifacts/images?
      • Prevent tampering; verify in deploy pipeline.
  • Where do secrets belong?
      • Secret store; short-lived tokens; no secrets in repo.
  • What's a minimal "secure pipeline" checklist?
      • Pinned actions/images, least privilege tokens, scans, approvals, audit.

Cleanup / teardown

  • Remove CI resources you created: delete test environments/namespaces, revoke tokens, clean artifacts per policy.

Key correctness notes

  • GITHUB_TOKEN is automatically created for workflows; default permissions are write-access to the current repo unless restricted with the permissions: key.
  • Least-privilege workflow/job permissions reduce blast radius if a workflow is compromised.

Sources

  • GitHub Actions docs (secure use, permissions), GitLab CI docs, SLSA/OSSF guidance.
  • https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
