bluemsi/2nd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
be9fa8b5dc00e5cd668981da359c75cca9d4dc41
2nd/10_Wiki/Topics/DevOps_and_Security/CI_CD_Pipeline.md
T
Antigravity Agent 504fd5fb42 [G1-Sync] Manual knowledge update
2026-05-10 22:08:15 +09:00

4.9 KiB
Raw Blame History

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack
id title category status canonical_id aliases duplicate_of source_trust_level confidence_score verification_status tags raw_sources last_reinforced github_commit tech_stack
wiki-2026-0508-ci-cd-pipeline CI CD Pipeline 10_Wiki/Topics verified self
Continuous Integration / Delivery Pipeline
Build Pipeline
none A 0.9 applied
ci
cd
devops
pipeline
2026-05-10 applied
language framework
YAML GitHub Actions/GitLab CI/Buildkite

CI CD Pipeline

매 한 줄

"매 commit 이 production 까지 도달하는 자동 경로가 CI/CD pipeline.". Pipeline 은 build → test → security → package → deploy → verify 의 매 ordered DAG. 2026 의 표준: GitHub Actions reusable workflow + OIDC 기반 cloud auth + supply-chain attestation (SLSA L3) + progressive delivery (Argo Rollouts/Flagger).

매 핵심

매 Pipeline Stage

  1. Source: trigger on PR / push / tag.
  2. Build: deterministic, hermetic — Bazel/Nx cache.
  3. Test: unit / integration / e2e — parallel shards.
  4. Security: SAST (Semgrep), SCA (Trivy), secret scan.
  5. Package: container, helm chart, npm — sign (cosign).
  6. Attest: SBOM (Syft) + SLSA provenance.
  7. Deploy: env-progressive (dev → staging → prod).
  8. Verify: smoke, canary metrics, auto-rollback.

매 Modern Best Practices 2026

  • OIDC over long-lived secrets (GitHub OIDC → AWS/GCP).
  • Reusable workflows — DRY across repos.
  • Matrix sharding — test parallelism.
  • Cache layers — Turborepo, Nx, Bazel remote cache.
  • Progressive delivery — canary, blue/green, feature flags.
  • GitOps — Argo CD / Flux — git as source of truth.
  • Supply chain — Sigstore cosign, SLSA L3 attestation.

매 응용

  1. SaaS web app deploy.
  2. Library publish (npm, PyPI, Maven).
  3. Container image release.
  4. Mobile (Fastlane).
  5. ML model deploy (MLOps).

💻 패턴

GitHub Actions reusable workflow

# .github/workflows/ci.yml
on: [pull_request, push]
permissions:
  contents: read
  id-token: write   # 매 OIDC
jobs:
  test:
    uses: org/.github/.github/workflows/ts-ci.yml@v1
    with:
      node-version: '22'
  deploy:
    needs: test
    if: github.ref == 'refs/heads/main'
    uses: org/.github/.github/workflows/deploy.yml@v1
    with:
      env: prod

OIDC to AWS (no long-lived keys)

- uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::123:role/gha-deployer
    aws-region: us-east-1
- run: aws s3 sync ./dist s3://my-bucket

Matrix test sharding

strategy:
  matrix:
    shard: [1, 2, 3, 4]
steps:
  - run: bun run vitest run --shard=${{ matrix.shard }}/4

Container build + sign + SBOM

- uses: docker/build-push-action@v6
  id: build
  with: { tags: ghcr.io/org/app:${{ github.sha }}, push: true }
- uses: anchore/sbom-action@v0
  with: { image: ghcr.io/org/app:${{ github.sha }}, format: spdx-json }
- uses: sigstore/cosign-installer@v3
- run: cosign sign --yes ghcr.io/org/app@${{ steps.build.outputs.digest }}

Argo Rollouts canary

apiVersion: argoproj.io/v1alpha1
kind: Rollout
spec:
  strategy:
    canary:
      steps:
        - setWeight: 10
        - pause: { duration: 5m }
        - analysis: { templates: [{ templateName: error-rate }] }
        - setWeight: 50
        - pause: { duration: 10m }
        - setWeight: 100

Turborepo remote cache

# 매 first build seeds cache; later runs hit
TURBO_TOKEN=$REMOTE_TOKEN TURBO_TEAM=acme bunx turbo run build --remote-cache-timeout=60

매 결정 기준

상황 Tool
OSS / GitHub repo GitHub Actions
GitLab native GitLab CI
Monorepo many pipelines Buildkite / Dagger
K8s GitOps Argo CD + Argo Rollouts
Multi-cloud workflow Dagger / Earthly

기본값: 매 GitHub Actions + OIDC + reusable workflow + Argo Rollouts.

🔗 Graph

🤖 LLM 활용

언제: workflow YAML drafting, failed-build log triage, retry-storm root-cause. 언제 X: 매 deterministic step (lint/test) — pipeline 자체가 검증.

안티패턴

  • Long-lived AWS keys in secret: 매 OIDC 사용.
  • if: always() 남용: 매 fail 무시 — 신뢰 무너짐.
  • No cache: 매 매 build 30분.
  • Single-stage everything: 매 fail-fast 설계 안 됨.
  • No staging: 매 직접 prod — rollback 어려움.

🧪 검증 / 중복

  • Verified: GitHub Actions docs; SLSA spec v1.0; Argo Rollouts docs; DORA report 2024.
  • 신뢰도 A.

🕓 Changelog

날짜 변경
2026-05-08 Phase 1
2026-05-10 Manual cleanup — pipeline stages + OIDC/SLSA/canary
Reference in New Issue View Git Blame Copy Permalink