CI/CD Patterns
GitHub Actions
- Reusable workflows in `.github/workflows/`
- Use composite actions for shared steps
- Pin action versions by SHA, not tag
- Use OIDC for cloud provider authentication — no static secrets
- Cache Go modules: `actions/cache` with `go.sum` hash key
- Parallelise: lint, test, build as separate jobs
- Gate deployment behind test success
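
The SHA-pinning rule can be checked mechanically before a workflow change merges. The following Go sketch is an added example, not part of the original page: it does a line-based scan (not a full YAML parse) and flags every `uses:` reference that is not a full commit SHA or image digest. The names `FindUnpinned` and `Finding`, the `example-org/ci` repository and the placeholder SHA are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesRe captures a `uses:` target; pinRe accepts a 40-hex commit SHA or an image digest.
var (
	usesRe = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)`)
	pinRe  = regexp.MustCompile(`^([0-9a-fA-F]{40}|sha256:[0-9a-fA-F]{64})$`)
)

type Finding struct {
	Line int    // 1-based line number in the workflow text
	Ref  string // the unpinned reference as written
}

// FindUnpinned reports actions and reusable workflows referenced by tag, branch or no ref.
func FindUnpinned(workflow string) []Finding {
	var out []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil || strings.HasPrefix(m[1], "./") { // local refs ship with the workflow
			continue
		}
		at := strings.LastIndex(m[1], "@")
		if at < 0 || !pinRe.MatchString(m[1][at+1:]) {
			out = append(out, Finding{i + 1, m[1]})
		}
	}
	return out
}

// sample is constructed input; the 40-hex SHA is a placeholder, not a real commit.
const sample = `jobs:
  test:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/cache@v4
  lint:
    uses: example-org/ci/.github/workflows/lint.yml@main
`

func main() {
	for _, f := range FindUnpinned(sample) {
		fmt.Printf("line %d: %s is not pinned to a commit SHA\n", f.Line, f.Ref)
	}
}
```

Run as a lint job, a non-empty result can fail the build, so a retagged upstream action cannot change what the pipeline executes without a reviewed diff.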
Go Build Pipeline
```
lint (golangci-lint) → test (go test ./...) → build (go build) → image (ko/buildah) → sign (cosign) → deploy
```
Container Images
- Use `ko` for Go services (no Dockerfile needed, reproducible)
- Use multi-stage builds if Dockerfile is required:

```dockerfile
FROM golang:1.23 AS builder
...
FROM gcr.io/distroless/static-debian12
COPY --from=builder /app /app
```

- Tag with git SHA and semver
- Push to project's container registry (ACR, ECR, GAR, Quay)
Release Automation
- Use `goreleaser` for CLI tools and binaries
- Semantic versioning with conventional commits
- Changelog generation from commit messages
- GitHub Releases with checksums and signatures
- Homebrew tap / APT repo for distribution if public
Makefiles
- Standard targets: `make build`, `make test`, `make lint`, `make run`
- `make generate` for code generation (controller-gen, protobuf, etc.)
- `make manifests` for CRD/RBAC generation
- `make docker-build`, `make docker-push` for image lifecycle
- Use `.PHONY` for all non-file targets
- Include `help` target that auto-documents other targets
Deployment
- GitOps: ArgoCD Application / ApplicationSet
- Promote via PR to deployment repo or overlay update
- Canary / blue-green via Argo Rollouts or Flagger
- Health checks: readiness and liveness probes required before deploy
- Rollback: automated via ArgoCD sync policy or manual `argocd app rollback`