// Apply CI/CD pipeline design patterns when configuring build pipelines, deployment processes, release strategies, Dockerfiles, or GitHub Actions workflows. Covers pipeline stages, artifact management, environment promotion, and rollback strategies.
Execute a structured code review protocol that inspects code quality against the full rule set. Use when auditing code written by yourself or another agent, during code audit workflows, or when the user asks for a code review. Produces a findings document with severity tags.
Structured research protocol for investigating technologies, patterns, and APIs before implementation. Use when exploring unfamiliar technologies, evaluating library options, or documenting technical findings. Covers multi-tool search strategy, research log conventions, and training data fallback honesty protocol.
Apply WCAG accessibility standards when building UI components, forms, interactive elements, or any user-facing interface. Covers semantic HTML, ARIA attributes, keyboard navigation, color contrast, and screen reader support.
Document significant architectural decisions using the ADR (Architecture Decision Record) format. Use during research phases when choosing between approaches, when introducing new dependencies or patterns, or when the user asks to document a technical decision.
Apply REST/HTTP API design conventions when implementing endpoints, handlers, middleware, request validation, or response formatting. Covers resource naming, status codes, error formats, versioning, and pagination.
Apply Kubernetes deployment and GitOps patterns when configuring container orchestration, deployment strategies (rolling, blue-green, canary), ArgoCD/Flux manifests, or Kubernetes secrets management. Supplement to ci-cd-principles.
| name | ci-cd-principles |
| description | Apply CI/CD pipeline design patterns when configuring build pipelines, deployment processes, release strategies, Dockerfiles, or GitHub Actions workflows. Covers pipeline stages, artifact management, environment promotion, and rollback strategies. |
| user-invocable | false |
Agent scope: This rule applies when writing CI/CD manifests (Dockerfile, docker-compose, GitHub Actions, GitLab CI, etc.). It is layered by deployment complexity — apply only the levels relevant to the project.
| Level | Applies When | Key Additions |
|---|---|---|
| 0 — All projects | Always | Lint, test, security scan, secrets management |
| 1 — Containerized | Docker image is the artifact | Multi-stage build, image scan, SBOM attestation |
| 2 — Orchestrated | Kubernetes or managed container platform | Deployment strategies, GitOps |
Load supplementary rules when reaching Level 2:
Pipeline Stages (in order):
Rules:
The deploy stage varies by target. The pipeline stages before it are identical.
Docker Compose (local / staging):
docker compose up --build
Cloud Run:
gcloud run deploy myapp \
--image gcr.io/project/myapp:$GIT_SHA \
--region us-central1
Vercel (frontend SPA):
vercel deploy --prod
Kubernetes: Use GitOps — see @.claude/skills/ci-cd-gitops-kubernetes/SKILL.md.
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod # Pin via go.mod
cache: true # Cache dependencies
- run: gofumpt -l -e -d .
- run: go vet ./...
- run: staticcheck ./...
test:
needs: lint # Fail fast: lint before test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: true
- run: go test -race -cover ./...
security:
needs: test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Scan for secrets
uses: trufflesecurity/trufflehog@v3 # Pin to release tag
- name: Audit dependencies
run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
Rules:
@v4, not @latest or @main)needs: to enforce stage orderingcache: true in setup actions)go-version-file / node-version-file instead of hardcoding versions${{ secrets.NAME }}# Stage 1: Build
FROM golang:1.22-alpine AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download # Cache dependencies
COPY . .
RUN CGO_ENABLED=0 go build -o /bin/api ./cmd/api
# Stage 2: Runtime (minimal image)
FROM gcr.io/distroless/static-debian12
COPY --from=builder /bin/api /bin/api
EXPOSE 8080
CMD ["/bin/api"]
Rules:
:latest).env, secrets, or .git into imagesservices:
backend:
build:
context: ./apps/backend # Path per project-structure.md
ports:
- "8080:8080"
env_file: .env # Environment config
depends_on:
postgres:
condition: service_healthy
postgres:
image: postgres:16-alpine # Pin versions
environment:
POSTGRES_DB: ${DB_NAME}
POSTGRES_USER: ${DB_USER}
POSTGRES_PASSWORD: ${DB_PASSWORD}
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${DB_USER}"]
interval: 5s
timeout: 5s
retries: 5
volumes:
- pgdata:/var/lib/postgresql/data
volumes:
pgdata:
Rules:
depends_on with condition: service_healthyAfter building and pushing a container image, scan it and attach a signed SBOM attestation.
Preferred approach: Cosign keyless signing (no key management required)
Cosign integrates with your CI provider's OIDC token (GitHub Actions, GitLab CI) to sign images and attestations without storing or rotating cryptographic keys. The signature is anchored to a transparency log (Rekor), making it auditable and policy-enforceable.
build:
needs: security
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write # Required for Cosign keyless signing
steps:
- uses: actions/checkout@v4
- name: Install Cosign
uses: sigstore/cosign-installer@v3
- name: Build and push image
id: build
run: |
docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .
docker push ghcr.io/${{ github.repository }}:${{ github.sha }}
- name: Scan container image
run: |
trivy image \
--severity HIGH,CRITICAL \
--exit-code 1 \
ghcr.io/${{ github.repository }}:${{ github.sha }}
- name: Generate SBOM
run: |
syft ghcr.io/${{ github.repository }}:${{ github.sha }} \
-o cyclonedx-json > sbom.json
- name: Attest SBOM to image (keyless, OIDC-backed)
run: |
cosign attest \
--predicate sbom.json \
--type cyclonedx \
ghcr.io/${{ github.repository }}:${{ github.sha }}
# Cosign uses the GitHub Actions OIDC token automatically.
# No COSIGN_PASSWORD or secret keys required.
How the SBOM travels with the image:
The SBOM attestation is stored as an OCI reference in the same container registry alongside the image digest. It requires no additional infrastructure — any registry that supports OCI artifacts (ghcr.io, Google Artifact Registry, AWS ECR, Docker Hub) works out of the box.
To verify the attestation at any time:
cosign verify-attestation \
--type cyclonedx \
ghcr.io/org/app@sha256:<digest>
Use ORAS instead of Cosign when:
oras attach ghcr.io/org/app@sha256:<digest> scan-report.jsonRules:
npm audit/yarn audit instead;
no SBOM attachment appliesCode deployment and feature release are separate concerns. When the PRD or technical architecture explicitly requires gradual rollout, A/B testing, or kill switches, feature flags can decouple them.
Agent rule: Do NOT implement feature flags unless explicitly required by the PRD or technical architecture document. See @.claude/skills/feature-flags-principles/SKILL.md for implementation guidance when they are required.
dev → staging → production
Rules:
Always (all projects):
If building container images (Level 1):
If deploying to Kubernetes (Level 2):
kubectl apply in production?If feature flags are required by PRD/architecture: