CI/CD Patterns and Best Practices
Lesson 5 of 5
Complete CI Pipeline
```yaml
name: CI
on:
  pull_request:
    branches: [main, develop]
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci
      - run: npm run lint
      - run: npm run typecheck
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node: [18, 20, 22]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node }}
      - run: npm ci
      - run: npm test -- --coverage
      - uses: actions/upload-artifact@v4
        with:
          # upload-artifact v4 rejects duplicate names, so each matrix leg needs its own
          name: coverage-report-node${{ matrix.node }}
          path: coverage/
  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required by upload-sarif
    steps:
      - uses: actions/checkout@v4
      # @master is a moving target; pin to a release tag or commit SHA in real use
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
  build:
    needs: [lint, test, security]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
      - uses: actions/upload-artifact@v4
        with:
          name: build
          path: dist/
```
CD Pipeline — Continuous Deployment
```yaml
name: CD
on:
  push:
    branches: [main]
    paths:
      - 'src/**'
      - 'Dockerfile'
      - 'helm/**'
jobs:
  docker:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    outputs:
      # build-push-action exposes `digest` (and `imageid`), not `image`;
      # the digest reference is the immutable form a deploy step should consume
      image: ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v6
        id: build
        with:
          push: true
          # image names must be lowercase; github.repository keeps the org's casing
          tags: |
            ghcr.io/${{ github.repository }}:${{ github.sha }}
            ghcr.io/${{ github.repository }}:latest
          cache-from: type=gha
          cache-to: type=gha,mode=max
  deploy:
    needs: docker
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://app.empresa.com
    concurrency: deploy-production
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-kubectl@v4
      - uses: azure/k8s-set-context@v4
        with:
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - run: |
          helm upgrade --install app ./helm \
            --namespace production \
            --set image.tag=${{ github.sha }} \
            --set image.repository=ghcr.io/${{ github.repository }}
```
Dependabot — Dependency Automation
```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "automerge"  # only safe if the CI jobs above gate the merge
    reviewers:
      - "team-dev"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```
CodeQL — Security Analysis
```yaml
# .github/workflows/codeql.yml
name: "CodeQL"
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 3'
jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required to upload CodeQL results
    strategy:
      matrix:
        # CodeQL analyzes JavaScript and TypeScript as one language;
        # listing 'javascript' and 'typescript' separately runs the same analysis twice
        language: ['javascript-typescript', 'python']
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3
```
Badges and Status
[![CI](https://github.com/org/repo/actions/workflows/ci.yml/badge.svg)](https://github.com/org/repo/actions/workflows/ci.yml)
[![codecov](https://codecov.io/gh/org/repo/branch/main/graph/badge.svg)](https://codecov.io/gh/org/repo)
CI/CD Checklist
- Lint + typecheck on PR
- Unit + integration tests
- Matrix build (multiple versions)
- Security scanning (Trivy, CodeQL)
- Dependency cache
- Artifact upload/build
- Docker build + push (multi-arch)
- Deploy: automatic to staging, production with approval
- Rollback via Helm/Git revert
- Notifications (Slack, email)
- Dependabot configured
- Badges in the README
- Workflow concurrency (cancel-in-progress)
- Environment protection rules (prod)
- Secrets in GitHub (not in code)
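The checklist's last few items (pinned actions, secrets kept out of code, concurrency, explicit permissions) can be audited mechanically. The script below is an added example written for this lesson, not part of the original material: a small stdlib-only Python checker that scans a workflow file's text and reports actions referenced by a branch or mutable tag, credential keys with literal values, and missing `permissions:` or `concurrency:` blocks. The sample workflow embedded in it is constructed from the CI pipeline above.

```python
import re

# Constructed sample (not from the lesson's files): the CI workflow's security
# job, trimmed to the lines the checks look at.
SAMPLE_WORKFLOW = """\
name: CI
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true
jobs:
  security:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: github/codeql-action/upload-sarif@v3
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.\-/]+)@([^\s'\"]+)", re.MULTILINE)
SECRET_KEY_RE = re.compile(r"^\s*(password|token|kubeconfig):\s*(\S.*)$", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
BRANCH_REFS = {"main", "master", "develop", "latest"}


def classify_ref(ref: str) -> str:
    """'sha' = immutable, 'tag' = mutable but versioned, 'branch' = moving target."""
    if SHA_RE.match(ref):
        return "sha"
    if ref in BRANCH_REFS:
        return "branch"
    return "tag"


def audit(workflow_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one workflow file's text."""
    findings: list[tuple[str, str]] = []
    for action, ref in USES_RE.findall(workflow_text):
        kind = classify_ref(ref)
        if kind == "branch":
            findings.append(("HIGH", f"{action}@{ref}: branch ref, pin to a commit SHA"))
        elif kind == "tag":
            findings.append(("MEDIUM", f"{action}@{ref}: mutable tag, pin to a commit SHA"))
    for key, value in SECRET_KEY_RE.findall(workflow_text):
        if "secrets." not in value:  # literal credential instead of ${{ secrets.X }}
            findings.append(("HIGH", f"{key}: literal value, move it to a GitHub secret"))
    if not re.search(r"^\s*permissions:", workflow_text, re.MULTILINE):
        findings.append(("MEDIUM", "no permissions block: GITHUB_TOKEN keeps the repository default"))
    if not re.search(r"^\s*concurrency:", workflow_text, re.MULTILINE):
        findings.append(("LOW", "no concurrency group: overlapping runs or deploys possible"))
    return findings
```

Run `audit(open(".github/workflows/ci.yml").read())` in a pre-merge job to fail the pipeline on any HIGH finding.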
A quality CI/CD pipeline = lint + test + security + build + deploy. Use concurrency groups to prevent concurrent deploys. Protect the production environment with protection rules. Always have a rollback path.