Complete GitHub Actions CI/CD pipeline configuration for automated building, testing, security scanning, and deployment.
```text
.github/
├── workflows/                          # GitHub Actions workflow definitions
│   ├── ci.yml                          # CI pipeline (lint, test, security)
│   ├── build-images.yml                # Build and push Docker images
│   ├── deploy-staging.yml              # Deploy to staging (original)
│   ├── deploy-staging-enhanced.yml     # Deploy to staging (enhanced with OIDC)
│   ├── deploy-production.yml           # Deploy to production (original)
│   ├── deploy-production-enhanced.yml  # Deploy to production (enhanced)
│   ├── security-audit.yml              # Weekly security audit
│   └── build-push.yml                  # Legacy build workflow
├── dependabot.yml                      # Dependabot configuration for dependency updates
├── README.md                           # This file
├── CICD_PIPELINE_GUIDE.md              # Comprehensive CI/CD documentation
└── QUICK_START.md                      # Quick reference for common tasks
```
- New to CI/CD? → Start with `QUICK_START.md`
- Need full details? → Read `CICD_PIPELINE_GUIDE.md`
- Troubleshooting? → Check `CICD_PIPELINE_GUIDE.md#troubleshooting`
```text
Code Push
    ↓
CI Pipeline (Lint + Security + Test)
    ├─ Success ─→ Build Docker Images
    │               ├─ Gateway
    │               ├─ Microservices (parallel)
    │               └─ Dashboard
    │                   ↓
    │               Push to ECR
    │
    └─ Failure ─→ Notify + Stop
```

```text
Push to develop
    ↓
Deploy to Staging (automatic)
    ├─ Pre-flight checks
    ├─ Database migrations
    ├─ Rolling deployment
    ├─ Smoke tests
    └─ Slack notification
```

```text
Manual trigger
    ↓
Deploy to Production (with approval)
    ├─ Image validation
    ├─ Cluster health check
    ├─ Snapshot current state
    ├─ Canary deployment (10% → 50% → 100%)
    ├─ Health monitoring
    ├─ Rollback on failure
    ├─ Smoke tests
    └─ Slack notification
```

```text
Weekly (Monday 9 AM UTC)
    ↓
Security Audit
    ├─ Python dependencies
    ├─ Node.js dependencies
    ├─ Container images
    ├─ Code security
    └─ Create GitHub issue if vulnerabilities found
```
**What:** Lint, test, and security scan on every commit

**Triggers:**
- Push to `main`, `staging`, `develop`
- Pull request to `main`, `staging`, `develop`

**What it does:**
- Python linting (ruff) and formatting
- Python security scan (bandit, safety)
- Secret detection (TruffleHog)
- Dockerfile linting (hadolint)
- Dashboard linting (ESLint, TypeScript)
- Terraform validation
- Python unit tests (services, shared modules)
- Dashboard tests (Jest, build verification)
- Final CI summary

**Example:**
```bash
git push origin main
# → Workflow automatically starts
# → GitHub shows status checks on PR or in Actions tab
```

**What:** Build and push Docker images to ECR
**Triggers:**
- Push to `main`
- Manual workflow dispatch

**What it does:**
- Detect changed services
- Build gateway service
- Build all microservices (parallel)
- Build dashboard frontend
- Scan images for vulnerabilities (Trivy)
- Push to ECR with tags (SHA, latest, version)

**Example:**
```bash
git push origin main
# → Images automatically built and pushed to ECR
```

**What:** Deploy to staging environment
**Triggers:**
- Push to `develop` branch
- Manual workflow dispatch

**What it does:**
- Pre-flight checks (validate image tags, determine services)
- EKS cluster health check
- Run database migrations
- Rolling deployment
- Wait for rollout (5m timeout)
- Run smoke tests
- Post-deployment validation
- Slack notification

**Example:**
```bash
git push origin develop
# → Automatically deploys to staging

# Or manual
gh workflow run deploy-staging-enhanced.yml \
  -f image_tag=latest \
  -f skip_migrations=false
```

**Configuration:**
- Environment: Staging
- URL: https://staging.currentglobal.com
- Strategy: Rolling update
- Timeout: 5 minutes
**What:** Deploy to production with manual approval

**Triggers:**
- Manual workflow dispatch only
- Requires GitHub environment approval

**What it does:**
- Validate image tag in ECR
- Cluster health check
- Snapshot current deployment (for rollback)
- Optional dry-run validation
- Canary/rolling/blue-green deployment (configurable)
- Monitor canary health (2 minutes)
- Automatic rollback on failure
- Production smoke tests
- Sentry release finalization
- Slack notification

**Example:**
```bash
# Canary deployment (10% traffic, then expand)
gh workflow run deploy-production-enhanced.yml \
  -f image_tag=sha-abc123d \
  -f deployment_strategy=canary \
  -f canary_percentage=10

# Rolling deployment (gradual pod replacement)
gh workflow run deploy-production-enhanced.yml \
  -f image_tag=sha-abc123d \
  -f deployment_strategy=rolling

# Dry run (preview without deploying)
gh workflow run deploy-production-enhanced.yml \
  -f image_tag=sha-abc123d \
  -f dry_run=true
```

**Configuration:**
- Environment: Production
- URL: https://app.currentglobal.com
- Approval: Required
- Strategies: rolling (default), canary, blue-green
- Rollback: Automatic on health check failure
**What:** Comprehensive security scanning

**Triggers:**
- Weekly (Monday 9 AM UTC)
- Manual workflow dispatch

**What it does:**
- Scan Python dependencies (pip-audit)
- Scan Node.js dependencies (npm audit)
- Scan container images (Trivy)
- Scan Python code (Bandit)
- Create GitHub issue if vulnerabilities found
- Upload SARIF to GitHub Security tab
- Retain reports for 30 days

**Example:**
```bash
# Manual trigger
gh workflow run security-audit.yml

# Results: GitHub issue created if vulnerabilities found
# View: Repository → Security → Code scanning alerts
```

Add these to Settings → Secrets and variables → Actions:
```bash
# AWS
AWS_REGION                   # e.g., ap-south-1
AWS_ACCOUNT_ID               # 12-digit account ID
AWS_ROLE_ARN                 # OIDC role (recommended)

# EKS
EKS_CLUSTER_NAME_STAGING     # Staging cluster
EKS_CLUSTER_NAME_PRODUCTION  # Production cluster

# Sentry (error tracking)
SENTRY_AUTH_TOKEN            # API token
SENTRY_ORG                   # Organization slug
SENTRY_PROJECT               # Project name

# Slack notifications
SLACK_WEBHOOK_URL            # Incoming webhook
```

Set secrets via CLI:
```bash
gh secret set AWS_REGION --body "ap-south-1"
gh secret set AWS_ACCOUNT_ID --body "123456789012"
gh secret set AWS_ROLE_ARN --body "arn:aws:iam::..."
# ... etc
```

**File:** `dependabot.yml`

**Updates:**
- Python (pip) - daily
- Node.js (npm) - daily
- GitHub Actions - weekly
- Docker - weekly

**Features:**
- Auto-merge for minor/patch updates
- Grouped updates
- Development dependencies separated
- Make changes → CI pipeline runs automatically
- Review lint/test results → Fix any issues
- Push to develop → Auto-deploys to staging
- Deploy to production → Manual workflow dispatch with approval
- Monitor workflows → `gh run list`
- Check logs → `gh run view <id> --log`
- Trigger deployments → `gh workflow run deploy-production-enhanced.yml ...`
- Review security audits → GitHub Security tab
- Manage Dependabot → Review and merge dependency PRs
```bash
# List recent workflows
gh run list --limit 20

# Watch a specific run
gh run watch <run-id> --exit-status

# Download artifacts
gh run download <run-id> -n coverage-*.xml

# View logs
gh run view <run-id> --log
```

**Rolling update:**
- Gradual pod replacement
- Zero downtime
- Quick rollback if needed
- Default strategy

**Canary:**
- Initial 10% traffic to new version
- Monitor for 2 minutes
- Expand to 50% if healthy
- Full rollout if monitoring passes
- Automatic rollback on failure

**Blue-green:**
- Run both versions in parallel
- Switch all traffic at once
- Quick rollback by switching back
- More resource intensive
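As an added illustration of the canary steps listed above (not the repository's own workflow code): a shell routine that walks traffic through 10% → 50% → 100%, probes health repeatedly at each step, and rolls back on the first failed probe. `set_weight`, `probe_health` and `rollback` are hypothetical hooks standing in for the kubectl or ingress calls a real job would make.

```bash
#!/usr/bin/env sh
# Added example, not the repository's workflow code. The three hooks below
# are hypothetical stand-ins for kubectl / ingress commands.
set -u

CANARY_STEPS="${CANARY_STEPS:-10 50 100}"  # traffic percentages, in order
ROLLBACK_LOG=""                            # set when a rollback happens

# Hook: route PERCENT of traffic to the new version.
set_weight() { printf 'would route %s%% of traffic to the new version\n' "$1"; }

# Hook: exit 0 if the new version is healthy at this step, non-zero otherwise.
probe_health() { return 0; }

# Hook: return all traffic to the stable version and record the failed step.
rollback() { ROLLBACK_LOG="rolled back from $1%"; set_weight 0 >/dev/null; }

# canary_rollout CHECKS INTERVAL: at each traffic step, probe health CHECKS
# times, INTERVAL seconds apart (the README monitors for 2 minutes before
# expanding). Returns 0 once the new version carries 100% of traffic, 1 after
# a rollback.
canary_rollout() {
  checks="${1:-3}"; interval="${2:-0}"
  for step in $CANARY_STEPS; do
    set_weight "$step"
    i=1
    while [ "$i" -le "$checks" ]; do
      if ! probe_health "$step"; then
        echo "health check $i/$checks failed at ${step}%; rolling back" >&2
        rollback "$step"
        return 1
      fi
      sleep "$interval"
      i=$((i + 1))
    done
  done
  echo "new version promoted to 100% traffic"
  return 0
}

canary_rollout 3 0
```

Swap `probe_health` for a real readiness probe (for example, an HTTP check against the service behind the canary weight) and `set_weight` for your ingress or mesh command to turn this into a usable job step.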
**Python lint error:**
```bash
ruff check services/ shared/ --fix
git add .
git commit -m "fix: resolve lint issues"
```

**Test failures:**
```bash
pytest services/gateway/tests -v
# Fix issues locally, then push
```

**Security scan warning:**
```bash
# Review Bandit report
gh run download <run-id> -n bandit-security-report
```

**Docker build error:**
- Check base images are accessible
- Verify Dockerfile syntax
- Test locally: `docker build -f Dockerfile.service .`

**ECR push failure:**
- Verify AWS credentials/OIDC role
- Check ECR repository exists
- Confirm image name matches policy

**Cluster unreachable:**
```bash
kubectl cluster-info
kubectl get nodes
```

**Pod not starting:**
```bash
kubectl describe pod <pod-name> -n <namespace>
kubectl logs <pod-name> -n <namespace>
```

**Timeout on rollout:**
- Check pod resources
- Review application startup time
- Increase timeout if needed
- Commit messages → Use conventional commits (`feat:`, `fix:`, `docs:`)
- Branch naming → `feature/name`, `hotfix/name`
- Testing → Run locally before pushing
- Security → Never commit secrets (use GitHub secrets)
- Reviews → Require approval for main/develop merges
- Monitoring → Check Slack notifications
- Documentation → Update deployment docs with changes
```bash
# Trigger CI pipeline (automatic)
git push origin feature/my-feature

# Deploy to staging (automatic)
git push origin develop

# Manual staging deployment
gh workflow run deploy-staging-enhanced.yml -f image_tag=latest

# Production deployment (with approval)
gh workflow run deploy-production-enhanced.yml \
  -f image_tag=sha-abc123d \
  -f deployment_strategy=canary

# Check workflow status
gh run list --workflow=ci.yml --limit=10

# View workflow logs
gh run view <run-id> --log

# Cancel running workflow
gh run cancel <run-id>

# Rerun failed workflow
gh run rerun <run-id> --failed
```

| Env | API Endpoint | Dashboard | EKS Cluster |
|---|---|---|---|
| Staging | https://staging-api.currentglobal.com | https://staging.currentglobal.com | priya-global-staging |
| Production | https://api.currentglobal.com | https://app.currentglobal.com | priya-global-production |
- Issues? → Review `CICD_PIPELINE_GUIDE.md#troubleshooting`
- Quick help? → Check `QUICK_START.md`
- Full docs? → Read `CICD_PIPELINE_GUIDE.md`
- Slack? → Ask in #platform-engineering
- Issues? → Create GitHub issue with workflow logs
| File | Purpose |
|---|---|
| `workflows/ci.yml` | Lint, test, security scan |
| `workflows/build-images.yml` | Build Docker images |
| `workflows/deploy-staging-enhanced.yml` | Staging deployment (OIDC) |
| `workflows/deploy-production-enhanced.yml` | Production deployment (OIDC) |
| `workflows/security-audit.yml` | Weekly security scan |
| `dependabot.yml` | Dependency update configuration |
| `CICD_PIPELINE_GUIDE.md` | Complete documentation |
| `QUICK_START.md` | Quick reference |
| `README.md` | This file |
- Created: 2026-03-07
- Python: 3.12
- Node.js: 20
- GitHub Actions: Latest (v4)
- Docker: Multi-platform support
- AWS: OIDC authentication

Last Updated: 2026-03-07
Status: Production-ready
Maintained By: Platform Engineering Team