CI/CD Pipeline
Overview
The Octo E-Shop uses GitHub Actions for CI/CD with a progressive deployment model across three environments. The platform consists of 6 microservices deployed to Azure Kubernetes Service (AKS) via Helm charts, with infrastructure provisioned by Terraform.
```
Code Push → CI Validation → Build & Push Images → Deploy Dev → Deploy Staging → Deploy Production
                                                      ↑              ↑                  ↑
                                                  automatic     approval gate      approval gate
```

Workflow Inventory
| Workflow | File | Trigger | Purpose |
|---|---|---|---|
| CI Pipeline | ci.yml | PR, push to main/develop | Lint, test, build validation |
| Build & Push | build-push.yml | Push to main/develop | Build Docker images, push to ACR |
| Deploy | deploy.yml | Called by Build & Push | Helm deploy to AKS environments |
| Infrastructure | infrastructure.yml | Manual, Terraform changes | Terraform plan/apply |
| Terraform Deploy | terraform-deploy.yml | Called by Infrastructure | Per-environment Terraform execution |
| Cluster Setup | cluster-setup.yml | After Terraform apply | Install ESO, ingress-nginx, secrets |
| Rollback | rollback.yml | Manual | Helm rollback to previous release |
Pipeline Flows
1. CI Pipeline (ci.yml)
Runs on every PR and push to protected branches:
- Lint & Format — ESLint + Prettier check
- Unit Tests — Per-service test execution with coverage
- Build Validation — TypeScript compilation + Docker build (no push)
- Security Scan — Trivy vulnerability scanning on built images
2. Build & Deploy Pipeline (build-push.yml)
Triggered on pushes to main or develop:
- Resolve Tag — Generate image tag from git short SHA
- Build Matrix — Build all 6 service Docker images in parallel
- Push to ACR — Tag and push images to Azure Container Registry
- Deploy Dev — Automatic Helm deploy to dev namespace
- Deploy Staging — Requires manual approval
- Deploy Production — Requires manual approval
3. Infrastructure Pipeline
Manual workflow with environment selection:
- Terraform Init — Initialize with Azure Storage backend
- Terraform Plan — Generate and display plan
- Terraform Apply — Apply changes (requires explicit action parameter)
- Cluster Setup — Post-apply: install cluster add-ons
4. Rollback Pipeline
Emergency rollback via Helm:
- Select environment and service
- Helm rollback to previous release
- Verify pod health
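The three rollback steps above, as an added shell example rather than the project's own rollback.yml. It assumes that Helm release names equal service names, that namespaces follow the pattern `octo-eshop-<env>` (this page only shows `octo-eshop-dev`), and that each chart creates a Deployment named after the service carrying an `app.kubernetes.io/name` label; the `helm` and `kubectl` flags used are standard ones.

```shell
#!/bin/sh
# Added example, not the project's rollback.yml: the Rollback Pipeline's three
# steps (select environment and service, helm rollback, verify pod health) as
# one function that fails unless the restored revision is actually healthy.
# Assumptions: release name == service name, namespace "octo-eshop-<env>" (the
# page shows only octo-eshop-dev), and a Deployment named after the service
# labelled app.kubernetes.io/name=<service>.
set -eu

# namespace_for ENV -> prints the namespace, or fails on an unknown environment
# so a typo cannot roll back a namespace that was never meant.
namespace_for() {
    case "$1" in
        dev|staging|production) printf 'octo-eshop-%s\n' "$1" ;;
        *) echo "unknown environment '$1' (expected dev|staging|production)" >&2; return 1 ;;
    esac
}

# rollback_service ENV SERVICE [REVISION]
# REVISION defaults to 0, which Helm interprets as "the previous release".
rollback_service() {
    target="$1"; svc="$2"; rev="${3:-0}"
    ns=$(namespace_for "$target")

    # Record the release history first so the rollback is auditable.
    echo "== $svc in $ns: last releases before rollback =="
    helm history "$svc" --namespace "$ns" --max 5

    # --wait blocks until the restored resources are ready; --cleanup-on-fail
    # deletes anything a failed rollback created.
    helm rollback "$svc" "$rev" --namespace "$ns" --wait --timeout 5m --cleanup-on-fail

    # Verify pod health: exits non-zero unless the Deployment becomes fully
    # available within the timeout, i.e. the /ready probe passes on every pod.
    kubectl rollout status "deployment/$svc" --namespace "$ns" --timeout=180s

    # Show the surviving pods (restart counts included) for the run log.
    kubectl get pods --namespace "$ns" -l "app.kubernetes.io/name=$svc"
    echo "== rollback of $svc in $ns complete =="
}

if [ "$#" -ge 2 ]; then
    rollback_service "$@"
fi
```

Because `--wait` on the rollback is followed by `kubectl rollout status`, the function only reports success once the readiness probes of the restored revision pass; a rollback that leaves pods in CrashLoopBackOff fails the run instead of showing green.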
Environment Strategy
| Environment | Branch | Deployment | Approval |
|---|---|---|---|
| Dev | main, develop | Automatic | None |
| Staging | main | Manual trigger | Required |
| Production | main | Manual trigger | Required |
Secrets Management
Secrets flow through three layers:
- Azure Key Vault — Source of truth for all secrets
- GitHub Environment Secrets — Synced by Terraform for CI/CD access
- Kubernetes Secrets — Injected at deploy time via `kubectl` or External Secrets Operator
Deployment Details
Deployment Details
Image Tagging
- Images tagged with git short SHA (e.g., `d802d86`)
- Branch names sanitized (`feature/xyz` → `feature-xyz`) for Docker tag compatibility
- Tag resolved in a dedicated job before the build matrix
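The tag resolution rules above (and the Resolve Tag step of the Build & Deploy Pipeline), as an added shell example rather than the project's own job. It applies Docker's tag rules (only `[A-Za-z0-9_.-]`, no leading `.` or `-`, at most 128 characters) and, as an assumed convention this page does not state, suffixes feature-branch tags with the short SHA so they cannot collide with the bare short-SHA tags of main and develop; `GITHUB_SHA`, `GITHUB_REF_NAME` and `GITHUB_OUTPUT` in the trailing comment are the standard Actions context.

```shell
#!/bin/sh
# Added example, not the project's own Resolve Tag job: compute the image tag
# for a build from the commit SHA and branch name.
# Assumptions: Docker tag rules (only [A-Za-z0-9_.-], no leading '.' or '-',
# at most 128 characters); feature branches get "<branch>-<short-sha>" so they
# never collide with the bare short-SHA tags used for main/develop.

# sanitize_branch BRANCH -> prints a Docker-tag-safe form of BRANCH
sanitize_branch() {
    # Replace every character outside the allowed set with '-' (feature/xyz -> feature-xyz).
    tag=$(printf '%s' "$1" | tr -c 'A-Za-z0-9_.-' '-')
    # Lower-case it: mixed-case tags are distinct tags in the registry and easy to confuse.
    tag=$(printf '%s' "$tag" | tr 'A-Z' 'a-z')
    # A tag may not start with '.' or '-'.
    tag=$(printf '%s' "$tag" | sed 's/^[.-]*//')
    # Enforce the 128-character limit.
    tag=$(printf '%s' "$tag" | cut -c1-128)
    # If nothing usable is left (e.g. a branch named "---"), use a fixed fallback.
    [ -n "$tag" ] || tag="unnamed"
    printf '%s\n' "$tag"
}

# resolve_tag SHA BRANCH -> prints the tag: the 7-char short SHA on main/develop,
# "<sanitized-branch>-<short-sha>" elsewhere. Returns 1 on a malformed SHA.
resolve_tag() {
    sha="$1"; branch="$2"
    case "$sha" in
        ""|*[!0-9a-f]*) echo "resolve_tag: '$sha' is not a hex commit id" >&2; return 1 ;;
    esac
    short=$(printf '%s' "$sha" | cut -c1-7)
    if [ "${#short}" -ne 7 ]; then
        echo "resolve_tag: commit id '$sha' is shorter than 7 characters" >&2; return 1
    fi
    case "$branch" in
        main|develop) printf '%s\n' "$short" ;;
        *) printf '%s-%s\n' "$(sanitize_branch "$branch")" "$short" ;;
    esac
}

# In the Resolve Tag job this would be wired to the Actions context and
# exported for the build matrix, e.g.:
#   echo "tag=$(resolve_tag "$GITHUB_SHA" "$GITHUB_REF_NAME")" >> "$GITHUB_OUTPUT"
if [ "$#" -ge 2 ]; then
    resolve_tag "$1" "$2"
fi
```

Run as `sh resolve-tag.sh <sha> <branch>` to see the tag a given push would produce; the SHA check matters because a tag built from an unexpected ref (a tag name or an empty string) would otherwise be pushed silently.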
Helm Charts
Each service has its own Helm chart under `helm/charts/`:

```bash
# Deploy a single service
helm upgrade --install user-service ./helm/charts/user-service \
  --namespace octo-eshop-dev \
  -f ./helm/charts/user-service/values-dev.yaml

# Deploy all services
cd helm && helmfile -e dev sync
```

Health Checks
Kubernetes probes verify service health during rolling updates:
- Liveness — `/health` endpoint
- Readiness — `/ready` endpoint (checks database connectivity)
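The single-service Helm deploy above, the branch rules from the Environment Strategy table, and the readiness probe tied together, as an added shell example rather than the project's own deploy.yml. It assumes a namespace per environment named `octo-eshop-<env>`, a `values-<env>.yaml` in each chart (this page shows only `values-dev.yaml`), a chart value named `image.tag` for the image tag, and a Deployment named after the service; the `helm` and `kubectl` flags are standard ones.

```shell
#!/bin/sh
# Added example, not the project's deploy.yml: deploy one service with Helm,
# gated by the Environment Strategy table and verified through the readiness
# probe. Assumptions: namespace "octo-eshop-<env>", a values-<env>.yaml per
# chart (the page shows values-dev.yaml), an image.tag chart value, and a
# Deployment named after the service.
set -eu

# branch_allowed ENV BRANCH -> 0 if BRANCH may be deployed to ENV
# (dev: main or develop; staging and production: main only).
branch_allowed() {
    case "$1:$2" in
        dev:main|dev:develop|staging:main|production:main) return 0 ;;
        *) return 1 ;;
    esac
}

# deploy_service ENV SERVICE TAG BRANCH
deploy_service() {
    target="$1"; svc="$2"; tag="$3"; branch="$4"
    ns="octo-eshop-$target"
    chart="./helm/charts/$svc"
    values="$chart/values-$target.yaml"

    if ! branch_allowed "$target" "$branch"; then
        echo "refusing to deploy branch '$branch' to $target" >&2
        return 1
    fi
    # A missing values file means a typo in ENV or SERVICE; stop before Helm
    # silently deploys with chart defaults.
    if [ ! -f "$values" ]; then
        echo "missing $values" >&2
        return 1
    fi

    # --atomic: if pods do not become ready (the /ready probe keeps failing,
    # e.g. no database connectivity) within the timeout, Helm rolls the
    # release back instead of leaving a half-upgraded service in place.
    helm upgrade --install "$svc" "$chart" \
        --namespace "$ns" --create-namespace \
        -f "$values" \
        --set "image.tag=$tag" \
        --atomic --wait --timeout 5m

    # Independent confirmation that the Deployment finished rolling out.
    kubectl rollout status "deployment/$svc" --namespace "$ns" --timeout=120s
}

if [ "$#" -ge 4 ]; then
    deploy_service "$@"
fi
```

The branch check duplicates what GitHub environment protection rules enforce on the workflow side; keeping it in the script means a manually run deploy from a laptop is held to the same rule as the pipeline.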