
---

# 🔄 CI/CD (GitHub Actions) + Smoke & Healthchecks

> **Intent** → Automate build, test, and deploy pipelines with **fast feedback** and **post-deploy verification**.

---

## 🧭 Pipeline Stages

1. **Lint & Type Check** → flake8, mypy, black (fail fast).
2. **Unit & Contract Tests** → pytest + coverage, schema snapshots.
3. **Build Image** → Docker multi-stage, tag with git SHA + semver.
4. **Security Scan** → deps (pip-audit), image scan (Trivy/Grype).
5. **Deploy** → staging → prod, gated by approvals.
6. **Post-Deploy Checks** → smoke + health endpoints before traffic shift.

---

## ⚙️ GitHub Actions Setup

* **Workflows**: `.github/workflows/ci.yml`, `deploy.yml`.
* **Triggers**: PRs (tests), merges to `main` (deploy).
* **Secrets**: stored in GitHub → injected at runtime.
* **Artifacts**: cache wheels, test reports, Docker layers.

---

## 🚦 Smoke Tests

* Minimal checks after deploy:
  * GET `/health` → returns 200
  * GET `/docs` → OpenAPI loads
  * Auth route works with known test token
* Run **before shifting traffic** or marking deploy successful.
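A runner for these post-deploy checks, added here as an example (not code from the original page). It uses only the standard library, assumes `/me` as the name of the authenticated route and a bearer token passed in by the caller, and goes one step past the list above by also checking that the auth route rejects an anonymous request. The `fetch` parameter exists so the checks can be exercised offline with a stub.

```python
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Response:
    status: int   # 0 means the connection itself failed
    body: str

Fetch = Callable[[str, Optional[str]], Response]   # (url, bearer token or None) -> Response

def http_fetch(url: str, token: Optional[str] = None, timeout: float = 5.0) -> Response:
    """Plain GET that turns HTTP and connection errors into a Response instead of raising."""
    req = urllib.request.Request(url, method="GET")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as e:
        return Response(0, str(e))

def run_smoke(base_url: str, token: Optional[str], fetch: Fetch = http_fetch,
              attempts: int = 3, backoff: float = 1.0) -> List[Tuple[str, bool, str]]:
    """Run the post-deploy checks, retrying each one to ride out a cold start."""
    checks = [  # (name, path, token to send, pass condition); /me is an assumed route name
        ("health", "/health", None, lambda r: r.status == 200),
        ("docs", "/docs", None, lambda r: r.status == 200 and "openapi" in r.body.lower()),
        ("auth-with-token", "/me", token, lambda r: r.status == 200),
        ("auth-rejects-anon", "/me", None, lambda r: r.status in (401, 403)),
    ]
    results: List[Tuple[str, bool, str]] = []
    for name, path, tok, passed in checks:
        resp = Response(0, "not attempted")
        for i in range(attempts):
            resp = fetch(base_url.rstrip("/") + path, tok)
            if passed(resp):
                break
            if i + 1 < attempts:
                time.sleep(backoff * (i + 1))   # linear backoff between retries
        results.append((name, passed(resp), f"HTTP {resp.status}"))
    return results

def all_passed(results: List[Tuple[str, bool, str]]) -> bool:
    """CI gate: the deploy job should exit non-zero (no traffic shift) unless this is True."""
    return all(ok for _, ok, _ in results)
```

Call `run_smoke(base_url, token)` as the last step of `deploy.yml` with the token read from a GitHub secret, and fail the job when `all_passed` returns False.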

---

## 🫀 Healthchecks in Prod

* **Readiness** → is service ready to take traffic? (DB/queue connected)
* **Liveness** → is process alive? (event loop, thread health)
* Expose `/health` (checks app deps, used for readiness) separately from `/live` (just the process, used for liveness).
* Tie into orchestrator (K8s probes, ECS health checks).

---

## 🔐 Security in CI/CD

* Pin action versions (`@v3` not `@main`); a full commit SHA is immutable, whereas a tag can be moved.
* Least-privilege deploy keys (write access scoped to the target env only).
* Sign images/artifacts; verify before deploy.
* Scan for leaked secrets in PRs.

---

## 📊 Observability in Pipelines

* Record build times, test durations, deploy success/fail.
* Alert on **slow builds**, **flaky tests**, or **failed smoke checks**.
* Keep dashboards: coverage %, image sizes, deploy frequency.

---

## 🧯 Rollbacks & Safety

* Blue/green or canary → rollback fast if smoke fails.
* Auto-scale down bad release while keeping old alive.
* Store last known good image tag for quick redeploy.

---

## ✅ Outcome

CI/CD ensures every commit is **tested, secured, built, deployed, and verified** automatically—so your FastAPI app ships **faster, safer, and more reliably**.

---
