ci-cd_skill

Overview

This skill provides CI/CD pipeline standards and opinionated templates for GitHub Actions and GitLab CI with deployment automation patterns. It focuses on test gates, multi-layer security scans, artifact management, and deployment strategies to achieve reliable, repeatable delivery. Use it to start projects quickly with battle-tested defaults and clear production-friendly practices.

How this skill works

The skill inspects pipeline configuration and recommends multi-stage workflows: validate → build → test → scan → deploy. It enforces automated testing gates (unit, integration, e2e), SAST/DAST and container scanning, artifact tagging and retention, and deployment flows such as blue-green, canary, and rolling updates. It also includes caching, environment protection, and secrets handling patterns for repeatable builds and rapid rollback.

When to use it

• Bootstrapping a new project and you need a production-ready CI/CD layout in minutes
• Standardizing pipelines across teams to enforce security and testing gates
• Implementing container image build, scan, and traceable artifact tagging
• Designing safe deployment rollouts (blue-green, canary, rolling) with rollback plans
• Auditing existing pipelines for missing security scans, retention, or secrets issues

Best practices

• Automate every stage: lint, unit, integration, security scans, and deployment
• Fail fast: enforce coverage thresholds and break the pipeline on critical findings
• Scan at multiple layers: dependency, SAST, container, and secret leakage
• Tag artifacts with semantic versions, git SHAs, environment, and date for traceability
• Use environment protection rules and vault-backed secrets; avoid hardcoding credentials
• Keep short-lived caches and retention policies to limit storage and surface older artifacts

Example use cases

• A GitHub Actions pipeline that runs lint, unit tests with coverage gates, CodeQL, Trivy, then builds and pushes images to a registry
• A GitLab CI flow that caches dependencies, runs coverage reports, scans with Trivy, and deploys to staging automatically while requiring manual approval for production
• Implementing blue-green deployment scripts that deploy to an inactive environment, run smoke tests, then switch traffic with a service patch
• Configuring Istio VirtualService rules to route a percentage of traffic to a canary subset for progressive rollouts
• Automated cleanup job that deletes artifacts older than a configurable retention window