CI/CD Conformance
Overview
P1 Quality & Correctness - Enforces quality gates, immutable releases, and platform security features. Prevents defective deployments.
REQUIRED: superpowers:verification-before-completion, superpowers:brainstorming
When to Use
- •Creating/modifying CI/CD pipelines
- •Deployment automation, quality gates, release processes
- •Default: Applies to all repositories
- •Opt-out: User explicitly refuses
Core Workflow
- •Detect CI/CD provider (GitHub Actions, Azure Pipelines, GitLab CI, Jenkins)
- •Prompt CLI install if missing (gh, az, glab)
- •Announce skill application
- •Configure quality gates: tests, linting, security scan, coverage threshold
- •Configure immutable releases: tag-triggered deployments only
- •Configure incremental execution: caching, conditional jobs
- •Enable platform security: dependency scanning, secret detection, branch protection
- •Configure OIDC/managed identity (eliminate long-lived secrets)
- •Document pipeline in docs/ci-cd-pipeline.md
- •Add status badge and summary to README.md
Quick Reference
| Provider | CLI | Security Features |
|---|---|---|
| GitHub Actions | gh | Dependabot, CodeQL, secret scanning, OIDC |
| Azure Pipelines | az | Advanced security, credential scanning |
| GitLab CI | glab | SAST, DAST, dependency scanning |
| Jenkins | jenkins | Plugin-based security |
See Provider Configuration for setup details.
Red Flags - STOP
- •"Can add quality gates later"
- •"Security scanning not needed"
- •"Just need basic deployment"
- •"Branch protection is extra"
- •"Existing pipeline is fine"
All of these mean: Apply skill. CI/CD without quality gates is deployment automation, not CI/CD.
Rationalizations
| Excuse | Reality |
|---|---|
| "Can add quality gates after demo" | Demo deploys become production. Quality gates prevent defects. |
| "Customer doesn't care about scanning" | Data breaches affect all customers. Security is non-negotiable. |
| "Branch protection is separate" | CI/CD setup includes security. Incomplete setup creates risk. |
| "Existing pipeline has worked" | Lack of gates accumulates technical debt. |
| "Migration risk not worth it" | Risk of NOT having gates exceeds migration risk. |
See Brownfield Migration for incremental approaches.