Back to Details

ci-cd-and-automation

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

CI/CD and Automation

CI/CD与自动化

Overview

概述

Automate quality gates so that no change reaches production without passing tests, lint, type checking, and build. CI/CD is the enforcement mechanism for every other skill — it catches what humans and agents miss, and it does so consistently on every single change.
自动化质量门禁,确保所有变更只有通过测试、代码检查、类型校验和构建后才能进入生产环境。CI/CD是所有其他技能的执行保障机制——它能捕捉到人类和Agent遗漏的问题,并且对每一次变更都能持续稳定地执行检查。

When to Use

适用场景

  • Setting up a new project's CI pipeline
  • Adding or modifying automated checks
  • Configuring deployment pipelines
  • When a change should trigger automated verification
  • Debugging CI failures
  • 为新项目搭建CI流水线
  • 添加或修改自动化检查项
  • 配置部署流水线
  • 当变更需要触发自动化验证时
  • 调试CI失败问题

The Quality Gate Pipeline

质量门禁流水线

Every change goes through these gates before merge:
Pull Request Opened
┌─────────────────┐
│   LINT CHECK     │  eslint, prettier
│   ↓ pass         │
│   TYPE CHECK     │  tsc --noEmit
│   ↓ pass         │
│   UNIT TESTS     │  jest/vitest
│   ↓ pass         │
│   BUILD          │  npm run build
│   ↓ pass         │
│   INTEGRATION    │  API/DB tests
│   ↓ pass         │
│   E2E (optional) │  Playwright/Cypress
│   ↓ pass         │
│   SECURITY AUDIT │  npm audit
│   ↓ pass         │
│   BUNDLE SIZE    │  bundlesize check
└─────────────────┘
  Ready for review
No gate can be skipped. If lint fails, fix lint — don't disable the rule. If a test fails, fix the code — don't skip the test.
所有变更在合并前都需经过以下门禁:
Pull Request Opened
┌─────────────────┐
│   LINT CHECK     │  eslint, prettier
│   ↓ pass         │
│   TYPE CHECK     │  tsc --noEmit
│   ↓ pass         │
│   UNIT TESTS     │  jest/vitest
│   ↓ pass         │
│   BUILD          │  npm run build
│   ↓ pass         │
│   INTEGRATION    │  API/DB tests
│   ↓ pass         │
│   E2E (optional) │  Playwright/Cypress
│   ↓ pass         │
│   SECURITY AUDIT │  npm audit
│   ↓ pass         │
│   BUNDLE SIZE    │  bundlesize check
└─────────────────┘
  Ready for review
所有门禁均不可跳过。如果代码检查失败,请修复代码问题——不要禁用规则。如果测试失败,请修复代码——不要跳过测试。

GitHub Actions Configuration

GitHub Actions配置

Basic CI Pipeline

基础CI流水线

yaml
undefined
yaml
undefined

.github/workflows/ci.yml

.github/workflows/ci.yml

name: CI
on: pull_request: branches: [main] push: branches: [main]
jobs: quality: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
  - uses: actions/setup-node@v4
    with:
      node-version: '22'
      cache: 'npm'

  - name: Install dependencies
    run: npm ci

  - name: Lint
    run: npm run lint

  - name: Type check
    run: npx tsc --noEmit

  - name: Test
    run: npm test -- --coverage

  - name: Build
    run: npm run build

  - name: Security audit
    run: npm audit --audit-level=high
undefined
name: CI
on: pull_request: branches: [main] push: branches: [main]
jobs: quality: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
  - uses: actions/setup-node@v4
    with:
      node-version: '22'
      cache: 'npm'

  - name: Install dependencies
    run: npm ci

  - name: Lint
    run: npm run lint

  - name: Type check
    run: npx tsc --noEmit

  - name: Test
    run: npm test -- --coverage

  - name: Build
    run: npm run build

  - name: Security audit
    run: npm audit --audit-level=high
undefined

With Database Integration Tests

带数据库集成测试的配置

yaml
  integration:
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16
        env:
          POSTGRES_DB: test
          POSTGRES_USER: test
          POSTGRES_PASSWORD: test
        ports:
          - 5432:5432
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5

    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
      - run: npm ci
      - name: Run migrations
        run: npx prisma migrate deploy
        env:
          DATABASE_URL: postgresql://test:test@localhost:5432/test
      - name: Integration tests
        run: npm run test:integration
        env:
          DATABASE_URL: postgresql://test:test@localhost:5432/test
yaml
  integration:
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16
        env:
          POSTGRES_DB: test
          POSTGRES_USER: test
          POSTGRES_PASSWORD: test
        ports:
          - 5432:5432
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5

    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
      - run: npm ci
      - name: Run migrations
        run: npx prisma migrate deploy
        env:
          DATABASE_URL: postgresql://test:test@localhost:5432/test
      - name: Integration tests
        run: npm run test:integration
        env:
          DATABASE_URL: postgresql://test:test@localhost:5432/test

E2E Tests

E2E测试

yaml
  e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
      - run: npm ci
      - name: Install Playwright
        run: npx playwright install --with-deps chromium
      - name: Build
        run: npm run build
      - name: Run E2E tests
        run: npx playwright test
      - uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: playwright-report
          path: playwright-report/
yaml
  e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'
      - run: npm ci
      - name: Install Playwright
        run: npx playwright install --with-deps chromium
      - name: Build
        run: npm run build
      - name: Run E2E tests
        run: npx playwright test
      - uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: playwright-report
          path: playwright-report/

Feeding CI Failures Back to Agents

将CI失败结果反馈给Agent

The power of CI with AI agents is the feedback loop. When CI fails:
CI fails
Copy the failure output
Feed it to the agent:
"The CI pipeline failed with this error:
[paste specific error]
Fix the issue and verify locally before pushing again."
Agent fixes → pushes → CI runs again
Key patterns:
Lint failure → Agent runs `npm run lint --fix` and commits
Type error  → Agent reads the error location and fixes the type
Test failure → Agent follows debugging-and-error-recovery skill
Build error → Agent checks config and dependencies
CI与AI Agent结合的强大之处在于形成反馈循环。当CI失败时:
CI fails
Copy the failure output
Feed it to the agent:
"The CI pipeline failed with this error:
[paste specific error]
Fix the issue and verify locally before pushing again."
Agent fixes → pushes → CI runs again
核心模式:
Lint failure → Agent runs `npm run lint --fix` and commits
Type error  → Agent reads the error location and fixes the type
Test failure → Agent follows debugging-and-error-recovery skill
Build error → Agent checks config and dependencies

Deployment Strategies

部署策略

Preview Deployments

预览部署

Every PR gets a preview deployment for manual testing:
yaml
undefined
每个PR都会生成一个预览部署环境,用于手动测试:
yaml
undefined

Deploy preview on PR (Vercel/Netlify/etc.)

Deploy preview on PR (Vercel/Netlify/etc.)

deploy-preview: runs-on: ubuntu-latest if: github.event_name == 'pull_request' steps: - uses: actions/checkout@v4 - name: Deploy preview run: npx vercel --token=${{ secrets.VERCEL_TOKEN }}
undefined
deploy-preview: runs-on: ubuntu-latest if: github.event_name == 'pull_request' steps: - uses: actions/checkout@v4 - name: Deploy preview run: npx vercel --token=${{ secrets.VERCEL_TOKEN }}
undefined

Staged Rollouts

分阶段发布

PR merged to main
  Staging deployment (auto)
    │ Manual verification
  Production deployment (manual trigger or auto after staging)
  Monitor for errors (15-minute window)
    ├── Errors detected → Rollback
    └── Clean → Done
PR merged to main
  Staging deployment (auto)
    │ Manual verification
  Production deployment (manual trigger or auto after staging)
  Monitor for errors (15-minute window)
    ├── Errors detected → Rollback
    └── Clean → Done

Rollback Plan

回滚方案

Every deployment should be reversible:
yaml
undefined
所有部署都应该支持回滚:
yaml
undefined

Manual rollback workflow

Manual rollback workflow

name: Rollback on: workflow_dispatch: inputs: version: description: 'Version to rollback to' required: true
jobs: rollback: runs-on: ubuntu-latest steps: - name: Rollback deployment run: | # Deploy the specified previous version npx vercel rollback ${{ inputs.version }}
undefined
name: Rollback on: workflow_dispatch: inputs: version: description: 'Version to rollback to' required: true
jobs: rollback: runs-on: ubuntu-latest steps: - name: Rollback deployment run: | # Deploy the specified previous version npx vercel rollback ${{ inputs.version }}
undefined

Environment Management

环境管理

.env.example       → Committed (template for developers)
.env                → NOT committed (local development)
.env.test           → Committed (test environment, no real secrets)
CI secrets          → Stored in GitHub Secrets / vault
Production secrets  → Stored in deployment platform / vault
CI should never have production secrets. Use separate secrets for CI testing.
.env.example       → Committed (template for developers)
.env                → NOT committed (local development)
.env.test           → Committed (test environment, no real secrets)
CI secrets          → Stored in GitHub Secrets / vault
Production secrets  → Stored in deployment platform / vault
CI环境中绝不能存储生产环境密钥。请为CI测试使用独立的密钥。

Automation Beyond CI

超越CI的自动化

Dependabot / Renovate

Dependabot / Renovate

yaml
undefined
yaml
undefined

.github/dependabot.yml

.github/dependabot.yml

version: 2 updates:
  • package-ecosystem: npm directory: / schedule: interval: weekly open-pull-requests-limit: 5
undefined
version: 2 updates:
  • package-ecosystem: npm directory: / schedule: interval: weekly open-pull-requests-limit: 5
undefined

PR Checks

PR检查

  • Required reviews: At least 1 approval before merge
  • Required status checks: CI must pass before merge
  • Branch protection: No force-pushes to main
  • Auto-merge: If all checks pass and approved, merge automatically
  • 必需审核: 合并前至少需要1次审核通过
  • 必需状态检查: CI必须通过才能合并
  • 分支保护: 禁止对main分支进行强制推送
  • 自动合并: 如果所有检查通过且已审核,自动合并

Common Rationalizations

常见错误认知

RationalizationReality
"CI is too slow"Optimize the pipeline (caching, parallelism), don't skip it. A 5-minute pipeline prevents hours of debugging.
"This change is trivial, skip CI"Trivial changes break builds. CI is fast for trivial changes anyway.
"The test is flaky, just re-run"Flaky tests mask real bugs and waste everyone's time. Fix the flakiness.
"We'll add CI later"Projects without CI accumulate broken states. Set it up on day one.
"Manual testing is enough"Manual testing doesn't scale and isn't repeatable. Automate what you can.
错误认知实际情况
"CI速度太慢"优化流水线(缓存、并行执行),不要跳过它。5分钟的流水线能避免数小时的调试工作。
"这个变更很小,跳过CI吧"微小变更也可能破坏构建。而且对于微小变更,CI的执行速度本来就很快。
"这个测试不稳定,重新运行就行"不稳定的测试会掩盖真实的bug,还会浪费所有人的时间。请修复测试的不稳定性。
"我们以后再加CI"没有CI的项目会逐渐积累问题。从项目第一天就应该搭建CI。
"手动测试就足够了"手动测试无法扩展,也不具备可重复性。尽可能自动化测试。

Red Flags

验证项

  • No CI pipeline in the project
  • CI failures ignored or silenced
  • Tests disabled in CI to make the pipeline pass
  • Production deploys without staging verification
  • No rollback mechanism
  • Secrets stored in code or CI config files (not secrets manager)
  • Long CI times with no optimization effort
搭建或修改CI后,请确认:
  • 所有质量门禁均已配置(代码检查、类型校验、测试、构建、安全审计)
  • 流水线会在所有PR和main分支的推送时运行
  • 失败会阻止合并(已配置分支保护)
  • CI结果能反馈到开发流程中
  • 密钥存储在密钥管理器中,而非代码里
  • 部署具备回滚机制
  • 测试套件的流水线执行时间在10分钟以内

Verification

After setting up or modifying CI:
  • All quality gates are present (lint, types, tests, build, audit)
  • Pipeline runs on every PR and push to main
  • Failures block merge (branch protection configured)
  • CI results feed back into the development loop
  • Secrets are stored in the secrets manager, not in code
  • Deployment has a rollback mechanism
  • Pipeline runs in under 10 minutes for the test suite