// CI/CD pipeline design patterns and deployment strategies. Use when designing pipelines, implementing deployment strategies, or setting up automated delivery.
[HINT] Download the complete skill directory including SKILL.md and all related files
| name | tsh-implementing-ci-cd |
| description | CI/CD pipeline design patterns and deployment strategies. Use when designing pipelines, implementing deployment strategies, or setting up automated delivery. |
| user-invocable | false |
Check which CI/CD platform the project uses:
.github/workflows/*.yml → GitHub Actionsbitbucket-pipelines.yml → Bitbucket Pipelines.gitlab-ci.yml → GitLab CIazure-pipelines.yml → Azure PipelinesJenkinsfile → JenkinsUse context7 to look up platform-specific syntax for the detected platform.
Lint → Test → Build → Deploy (staging) → Deploy (production)
↓
Artifacts & Caching
Rule: Each stage should be independent and cacheable.
| Strategy | Use When | Rollback | Risk |
|---|---|---|---|
| Rolling | Stateless apps, can tolerate mixed versions | Slow | Low |
| Blue-Green | Need instant rollback, DB migrations | Instant | Low |
| Canary | High traffic, want gradual validation | Instant | Very Low |
| Recreate | Dev/test, breaking changes only | Slow | High |
| Scenario | Approach |
|---|---|
| AWS from GitHub/GitLab | OIDC federation (no long-lived keys) |
| AWS from Bitbucket | Repository variables + IAM role |
| Multi-cloud | HashiCorp Vault with CI/CD auth |
| Simple/small team | Platform native secrets |
Rule: Prefer OIDC federation over long-lived access keys. Use tsh-managing-secrets skill for implementation details.
| Tool | Detection | Approach |
|---|---|---|
| Nx | nx.json | nx affected --target=build |
| Turborepo | turbo.json | turbo run build --filter=...[origin/main] |
| None | - | Path filtering in CI config |
tsh-technical-context-discovering to find existing CI patternscontext7 for platform-specific YAML syntaxtsh-managing-secrets skill@latest)latest tags in production imagesLint (fmt) → Validate → Security Scan → Plan → [Manual Approval] → Apply
↓
Save Plan Artifact
↓
PR Comment with Diff
Rule: Never use local state in CI/CD. Always configure remote backend before pipeline runs.
| Element | Implementation | Why |
|---|---|---|
| AWS Credentials | aws-actions/configure-aws-credentials@v4 with OIDC | No long-lived secrets |
| State Backend | S3 + DynamoDB locking | Persistent state, concurrent access protection |
| Plan Artifact | terraform plan -out=tfplan + upload artifact | Ensure apply matches reviewed plan |
| PR Comment | actions/github-script or terraform-pr-commenter | Reviewers see changes before merge |
| Security Scan | aquasecurity/tfsec-action or bridgecrewio/checkov-action | Catch misconfigurations early |
| Production Guard | environment: production with required reviewers | Human approval before infra changes |
| Cache | actions/cache for .terraform directory | Faster init, reduced API calls |
permissions:
id-token: write
contents: read
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-arn: ${{ secrets.AWS_ROLE_ARN }}
aws-region: ${{ vars.AWS_REGION }}
Rule: Always use OIDC federation. Never store AWS access keys as secrets.
apply:
runs-on: ubuntu-latest
needs: plan
environment: production # Requires manual approval
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
Configure in GitHub: Settings → Environments → production → Required reviewers.
plan:
steps:
- run: terraform plan -out=tfplan
- uses: actions/upload-artifact@v4
with:
name: tfplan
path: tfplan
apply:
steps:
- uses: actions/download-artifact@v4
with:
name: tfplan
- run: terraform apply tfplan
Rule: Apply must use the exact plan that was reviewed, not regenerate it.
apply -auto-approve without environment protection gatesterraform init in every job without cachelatest provider versions instead of pinned versionsversions.tf.terraform directory cached between runstsh-managing-secrets - For credential configurationtsh-technical-context-discovering - For finding existing patterns