CI/CD Patterns Skill
Metadata (Tier 1)
Keywords: cicd, github actions, cloud build, pipeline, workflow, automation, deploy
File Patterns: .github/workflows/*.yml, cloudbuild.yaml, .gitlab-ci.yml
Modes: deployment
Instructions (Tier 2)
Standard Pipeline Stages
- •Lint & Format - Code quality validation
- •Test - Unit and integration tests
- •Security Scan - Vulnerability detection
- •Build - Container image creation
- •Image Scan - Container vulnerability scan
- •Deploy Staging - Automated deployment
- •Deploy Production - Manual approval + deployment
GitHub Actions with Workload Identity
Setup Workload Identity (One-time)
bash
gcloud iam workload-identity-pools create "github-pool" \ --project=PROJECT --location=global gcloud iam workload-identity-pools providers create-oidc "github-provider" \ --project=PROJECT --location=global \ --workload-identity-pool="github-pool" \ --issuer-uri="https://token.actions.githubusercontent.com" \ --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository"
Workflow Authentication
yaml
- uses: google-github-actions/auth@v2
with:
workload_identity_provider: 'projects/123/locations/global/workloadIdentityPools/github-pool/providers/github-provider'
service_account: 'deployer@PROJECT.iam.gserviceaccount.com'
Deploy Step
yaml
- uses: google-github-actions/deploy-cloudrun@v2
with:
service: my-service
region: us-central1
image: ${{ env.IMAGE }}
Cloud Build Pipeline
yaml
steps:
- id: 'test'
name: 'python:3.13'
entrypoint: 'pytest'
args: ['--cov=src']
- id: 'build'
name: 'gcr.io/cloud-builders/docker'
args: ['build', '-t', '$_IMAGE', '.']
- id: 'scan'
name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
entrypoint: 'bash'
args:
- '-c'
- |
gcloud artifacts docker images scan $_IMAGE --remote
# Check for CRITICAL vulnerabilities
- id: 'deploy'
name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
args:
- 'run'
- 'deploy'
- '$_SERVICE'
- '--image=$_IMAGE'
- '--region=$_REGION'
images: ['$_IMAGE']
Security Best Practices
- •Use Workload Identity (no service account keys)
- •Scan images for vulnerabilities
- •Run tests before deployment
- •Use least-privilege service accounts
- •Store secrets in Secret Manager
- •Enable branch protection on main
- •Require approvals for production
Anti-Patterns
- •Service account keys in secrets
- •No vulnerability scanning
- •No test stage
- •Direct push to production without validation
- •Secrets in environment variables