CI/CD Pipeline
Automate testing, Docker image builds, and deployment using GitHub Actions.
Basic CI Workflow
# .github/workflows/ci.yml
name: CI
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
test:
runs-on: ubuntu-latest
services:
postgres:
image: postgres:16
env:
POSTGRES_DB: testdb
POSTGRES_USER: postgres
POSTGRES_PASSWORD: password
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
redis:
image: redis:7-alpine
ports:
- 6379:6379
steps:
- name: Checkout source
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
cache: "pip"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install -r requirements-dev.txt
- name: Lint (Ruff)
run: ruff check .
- name: Type check (mypy)
run: mypy app/
- name: Run tests
env:
DATABASE_URL: postgresql://postgres:password@localhost:5432/testdb
REDIS_URL: redis://localhost:6379/0
SECRET_KEY: test-secret-key-32-chars-minimum!
ENVIRONMENT: testing
run: |
pytest --cov=app --cov-report=xml --cov-report=term-missing -v
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
token: ${{ secrets.CODECOV_TOKEN }}
file: ./coverage.xml
CD — Docker Build + Deploy
# .github/workflows/deploy.yml
name: Deploy
on:
push:
branches: [main]
tags: ["v*.*.*"]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
build-and-push:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
outputs:
image-tag: ${{ steps.meta.outputs.tags }}
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=sha,prefix=sha-
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
deploy:
needs: build-and-push
runs-on: ubuntu-latest
environment: production
steps:
- name: Deploy to server
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.DEPLOY_HOST }}
username: ${{ secrets.DEPLOY_USER }}
key: ${{ secrets.DEPLOY_SSH_KEY }}
script: |
cd /opt/myapp
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
docker compose pull app
docker compose up -d --no-deps app
docker image prune -f
Full Pipeline (CI + CD Integrated)
# .github/workflows/pipeline.yml
name: Pipeline
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
# ── Stage 1: Code quality ─────────────────────────────
quality:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
cache: pip
- run: pip install ruff mypy
- run: ruff check . && ruff format --check .
- run: mypy app/ --ignore-missing-imports
# ── Stage 2: Tests ────────────────────────────────────
test:
needs: quality
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.11", "3.12"]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
cache: pip
- run: pip install -r requirements.txt -r requirements-dev.txt
- run: pytest -x --tb=short
# ── Stage 3: Security scan ────────────────────────────
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- run: pip install bandit safety
- run: bandit -r app/ -ll # code security vulnerabilities
- run: safety check # dependency CVE check
# ── Stage 4: Deploy (main branch only) ───────────────
deploy:
needs: [test, security]
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: production
steps:
- uses: actions/checkout@v4
- name: Production deploy
run: echo "Run deployment script"
pyproject.toml — Unified Tool Configuration
# pyproject.toml
[tool.ruff]
line-length = 88
target-version = "py312"
select = ["E", "F", "I", "N", "W", "UP"]
ignore = ["E501"]
[tool.ruff.isort]
known-first-party = ["app"]
[tool.mypy]
python_version = "3.12"
strict = true
ignore_missing_imports = true
[tool.pytest.ini_options]
testpaths = ["tests"]
asyncio_mode = "auto"
addopts = "-v --tb=short"
[tool.coverage.run]
source = ["app"]
omit = ["tests/*", "*/migrations/*"]
[tool.coverage.report]
fail_under = 80
Summary
| Stage | Tool | Purpose |
|---|---|---|
| Lint/Format | Ruff | Enforce code style |
| Type check | mypy | Catch runtime errors early |
| Tests | pytest + coverage | Verify behavior, prevent regressions |
| Security scan | bandit + safety | Detect vulnerabilities |
| Image build | Docker Buildx | Containerization |
| Deploy | SSH/Kubernetes | Apply to production |