ci-cd

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

CI/CD Pipelines

CI/CD 流水线

Comprehensive guide for CI/CD pipeline design, optimization, security, and troubleshooting across GitHub Actions, GitLab CI, and other platforms.

针对GitHub Actions、GitLab CI及其他平台的CI/CD流水线设计、优化、安全防护与故障排查综合指南。

When to Use This Skill

何时使用此技能

Use this skill when:

Creating new CI/CD workflows or pipelines
Debugging pipeline failures or flaky tests
Optimizing slow builds or test suites
Implementing caching strategies
Setting up deployment workflows
Securing pipelines (secrets, OIDC, supply chain)
Implementing DevSecOps security scanning (SAST, DAST, SCA)
Troubleshooting platform-specific issues
Analyzing pipeline performance
Implementing matrix builds or test sharding
Configuring multi-environment deployments

在以下场景使用此技能：

创建新的CI/CD工作流或流水线
调试流水线故障或不稳定测试
优化缓慢的构建或测试套件
实施缓存策略
配置部署工作流
保障流水线安全（密钥、OIDC、供应链）
实施DevSecOps安全扫描（SAST、DAST、SCA）
排查平台特定问题
分析流水线性能
实现矩阵构建或测试分片
配置多环境部署

Core Workflows

核心工作流

1. Creating a New Pipeline

1. 创建新流水线

Decision tree:

What are you building?
├── Node.js/Frontend → GitHub: templates/github-actions/node-ci.yml | GitLab: templates/gitlab-ci/node-ci.yml
├── Python → GitHub: templates/github-actions/python-ci.yml | GitLab: templates/gitlab-ci/python-ci.yml
├── Go → GitHub: templates/github-actions/go-ci.yml | GitLab: templates/gitlab-ci/go-ci.yml
├── Docker Image → GitHub: templates/github-actions/docker-build.yml | GitLab: templates/gitlab-ci/docker-build.yml
├── Other → Follow the pipeline design pattern below

Basic pipeline structure:

yaml

undefined

决策树：

你要构建什么？
├── Node.js/前端 → GitHub: templates/github-actions/node-ci.yml | GitLab: templates/gitlab-ci/node-ci.yml
├── Python → GitHub: templates/github-actions/python-ci.yml | GitLab: templates/gitlab-ci/python-ci.yml
├── Go → GitHub: templates/github-actions/go-ci.yml | GitLab: templates/gitlab-ci/go-ci.yml
├── Docker镜像 → GitHub: templates/github-actions/docker-build.yml | GitLab: templates/gitlab-ci/docker-build.yml
├── 其他 → 遵循以下流水线设计模式

基础流水线结构：

yaml

undefined

1. Fast feedback (lint, format) - <1 min

1. 快速反馈（代码检查、格式校验）- <1分钟

2. Unit tests - 1-5 min

2. 单元测试 - 1-5分钟

3. Integration tests - 5-15 min

3. 集成测试 - 5-15分钟

4. Build artifacts

4. 构建产物

5. E2E tests (optional, main branch only) - 15-30 min

5. E2E测试（可选，仅主分支）- 15-30分钟

6. Deploy (with approval gates)

6. 部署（含审批 gates）


**Key principles:**
- Fail fast: Run cheap validation first
- Parallelize: Remove unnecessary job dependencies
- Cache dependencies: Use `actions/cache` or GitLab cache
- Use artifacts: Build once, deploy many times

See [best_practices.md](references/best_practices.md) for comprehensive pipeline design patterns.


**关键原则：**
- 快速失败：先执行低成本验证
- 并行化：移除不必要的作业依赖
- 缓存依赖：使用`actions/cache`或GitLab缓存
- 使用产物：一次构建，多次部署

查看[best_practices.md](references/best_practices.md)获取全面的流水线设计模式。

2. Optimizing Pipeline Performance

2. 优化流水线性能

Quick wins checklist:

Add dependency caching (50-90% faster builds)
Remove unnecessary
```
needs
```
dependencies
Add path filters to skip unnecessary runs
Use
```
npm ci
```
instead of
```
npm install
```
Add job timeouts to prevent hung builds
Enable concurrency cancellation for duplicate runs

Analyze existing pipeline:

bash

undefined

快速优化清单：

添加依赖缓存（构建速度提升50-90%）
移除不必要的
```
needs
```
依赖
添加路径过滤器以跳过不必要的运行
使用
```
npm ci
```
替代
```
npm install
```
为作业添加超时时间以防止构建挂起
为重复运行启用并发取消

分析现有流水线：

bash

undefined

Use the pipeline analyzer script

使用流水线分析脚本

python3 scripts/pipeline_analyzer.py --platform github --workflow .github/workflows/ci.yml


**Common optimizations:**
- **Slow tests:** Shard tests with matrix builds
- **Repeated dependency installs:** Add caching
- **Sequential jobs:** Parallelize with proper `needs`
- **Full test suite on every PR:** Use path filters or test impact analysis

See [optimization.md](references/optimization.md) for detailed caching strategies, parallelization techniques, and performance tuning.

python3 scripts/pipeline_analyzer.py --platform github --workflow .github/workflows/ci.yml


**常见优化手段：**
- **缓慢测试：** 通过矩阵构建分片测试
- **重复依赖安装：** 添加缓存
- **顺序作业：** 合理使用`needs`实现并行化
- **每个PR都运行完整测试套件：** 使用路径过滤器或测试影响分析

查看[optimization.md](references/optimization.md)获取详细的缓存策略、并行化技术和性能调优方法。

3. Securing Your Pipeline

3. 保障流水线安全

Essential security checklist:

Use OIDC instead of static credentials
Pin actions/includes to commit SHAs
Use minimal permissions
Enable secret scanning
Add vulnerability scanning (dependencies, containers)
Implement branch protection
Separate test from deploy workflows

Quick setup - OIDC authentication:

GitHub Actions → AWS:

yaml

permissions:
  id-token: write
  contents: read

steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
      aws-region: us-east-1

Secrets management:

Store in platform secret stores (GitHub Secrets, GitLab CI/CD Variables)
Mark as "masked" in GitLab
Use environment-specific secrets
Rotate regularly (every 90 days)
Never log secrets

See security.md for comprehensive security patterns, supply chain security, and secrets management.

核心安全清单：

使用OIDC替代静态凭证
将actions/includes固定到提交SHA
使用最小权限
启用密钥扫描
添加漏洞扫描（依赖、容器）
实现分支保护
分离测试与部署工作流

快速配置 - OIDC认证：

GitHub Actions → AWS：

yaml

permissions:
  id-token: write
  contents: read

steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
      aws-region: us-east-1

密钥管理：

存储在平台密钥仓库（GitHub Secrets、GitLab CI/CD Variables）
在GitLab中标记为"masked"
使用环境特定密钥
定期轮换（每90天）
绝不要记录密钥

查看security.md获取全面的安全模式、供应链安全和密钥管理方法。

4. Troubleshooting Pipeline Failures

4. 排查流水线故障

Systematic approach:

Step 1: Check pipeline health

bash

python3 scripts/ci_health.py --platform github --repo owner/repo

Step 2: Identify the failure type

Error Pattern	Common Cause	Quick Fix
"Module not found"	Missing dependency or cache issue	Clear cache, run `npm ci`
"Timeout"	Job taking too long	Add caching, increase timeout
"Permission denied"	Missing permissions	Add to `permissions:` block
"Cannot connect to Docker daemon"	Docker not available	Use correct runner or DinD
Intermittent failures	Flaky tests or race conditions	Add retries, fix timing issues

Step 3: Enable debug logging

GitHub Actions:

yaml

undefined

系统化方法：

步骤1：检查流水线健康状态

bash

python3 scripts/ci_health.py --platform github --repo owner/repo

步骤2：识别故障类型

错误模式	常见原因	快速修复
"Module not found"	缺少依赖或缓存问题	清除缓存，运行 `npm ci`
"Timeout"	作业耗时过长	添加缓存，增加超时时间
"Permission denied"	缺少权限	添加到 `permissions:` 块
"Cannot connect to Docker daemon"	Docker不可用	使用正确的运行器或DinD
间歇性故障	不稳定测试或竞态条件	添加重试，修复时序问题

步骤3：启用调试日志

GitHub Actions：

yaml

undefined

Add repository secrets:

添加仓库密钥：

ACTIONS_RUNNER_DEBUG = true

ACTIONS_STEP_DEBUG = true


GitLab CI:
```yaml
variables:
  CI_DEBUG_TRACE: "true"

Step 4: Reproduce locally

bash

undefined


GitLab CI：
```yaml
variables:
  CI_DEBUG_TRACE: "true"

步骤4：本地复现

bash

undefined

GitHub Actions - use act

GitHub Actions - 使用act

act -j build

Or Docker

或Docker

docker run -it ubuntu:latest bash

Then manually run the failing steps

然后手动运行失败的步骤


See [troubleshooting.md](references/troubleshooting.md) for comprehensive issue diagnosis, platform-specific problems, and solutions.


查看[troubleshooting.md](references/troubleshooting.md)获取全面的问题诊断、平台特定问题及解决方案。

5. Implementing Deployment Workflows

5. 实现部署工作流

Deployment pattern selection:

Pattern	Use Case	Complexity	Risk
Direct	Simple apps, low traffic	Low	Medium
Blue-Green	Zero downtime required	Medium	Low
Canary	Gradual rollout, monitoring	High	Very Low
Rolling	Kubernetes, containers	Medium	Low

Basic deployment structure:

yaml

deploy:
  needs: [build, test]
  if: github.ref == 'refs/heads/main'
  environment:
    name: production
    url: https://example.com
  steps:
    - name: Download artifacts
    - name: Deploy
    - name: Health check
    - name: Rollback on failure

Multi-environment setup:

Development: Auto-deploy on develop branch
Staging: Auto-deploy on main, requires passing tests
Production: Manual approval required, smoke tests mandatory

See best_practices.md for detailed deployment patterns and environment management.

部署模式选择：

模式	使用场景	复杂度	风险
直接部署	简单应用、低流量	低	中
蓝绿部署	需要零停机	中	低
金丝雀部署	逐步发布、监控	高	极低
滚动部署	Kubernetes、容器	中	低

基础部署结构：

yaml

deploy:
  needs: [build, test]
  if: github.ref == 'refs/heads/main'
  environment:
    name: production
    url: https://example.com
  steps:
    - name: 下载产物
    - name: 部署
    - name: 健康检查
    - name: 失败时回滚

多环境配置：

开发环境： 提交到develop分支时自动部署
预发布环境： 提交到main分支时自动部署，需通过测试
生产环境： 需要手动审批，强制运行冒烟测试

查看best_practices.md获取详细的部署模式和环境管理方法。

6. Implementing DevSecOps Security Scanning

6. 实施DevSecOps安全扫描

Security scanning types:

Scan Type	Purpose	When to Run	Speed	Tools
Secret Scanning	Find exposed credentials	Every commit	Fast (<1 min)	TruffleHog, Gitleaks
SAST	Find code vulnerabilities	Every commit	Medium (5-15 min)	CodeQL, Semgrep, Bandit, Gosec
SCA	Find dependency vulnerabilities	Every commit	Fast (1-5 min)	npm audit, pip-audit, Snyk
Container Scanning	Find image vulnerabilities	After build	Medium (5-10 min)	Trivy, Grype
DAST	Find runtime vulnerabilities	Scheduled/main only	Slow (15-60 min)	OWASP ZAP

Quick setup - Add security to existing pipeline:

GitHub Actions:

yaml

jobs:
  # Add before build job
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: trufflesecurity/trufflehog@main
      - uses: gitleaks/gitleaks-action@v2

  sast:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript  # or python, go
      - uses: github/codeql-action/analyze@v3

  build:
    needs: [secret-scan, sast]  # Add dependencies

GitLab CI:

yaml

stages:
  - security  # Add before other stages
  - build
  - test

安全扫描类型：

扫描类型	用途	运行时机	速度	工具
密钥扫描	查找暴露的凭证	每次提交	快（<1分钟）	TruffleHog, Gitleaks
SAST	查找代码漏洞	每次提交	中（5-15分钟）	CodeQL, Semgrep, Bandit, Gosec
SCA	查找依赖漏洞	每次提交	快（1-5分钟）	npm audit, pip-audit, Snyk
容器扫描	查找镜像漏洞	构建后	中（5-10分钟）	Trivy, Grype
DAST	查找运行时漏洞	定时/仅主分支	慢（15-60分钟）	OWASP ZAP

快速配置 - 为现有流水线添加安全扫描：

GitHub Actions：

yaml

jobs:
  # 在构建作业前添加
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: trufflesecurity/trufflehog@main
      - uses: gitleaks/gitleaks-action@v2

  sast:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript  # 或python, go
      - uses: github/codeql-action/analyze@v3

  build:
    needs: [secret-scan, sast]  # 添加依赖

GitLab CI：

yaml

stages:
  - security  # 在其他阶段前添加
  - build
  - test

Secret scanning

密钥扫描

secret-scan: stage: security image: trufflesecurity/trufflehog:latest script: - trufflehog filesystem . --json --fail

SAST

sast:semgrep: stage: security image: returntocorp/semgrep script: - semgrep scan --config=auto .

Use GitLab templates

使用GitLab模板

include:

template: Security/SAST.gitlab-ci.yml
template: Security/Dependency-Scanning.gitlab-ci.yml


**Comprehensive security pipeline templates:**
- **GitHub Actions:** `templates/github-actions/security-scan.yml` - Complete DevSecOps pipeline with all scanning stages
- **GitLab CI:** `templates/gitlab-ci/security-scan.yml` - Complete DevSecOps pipeline with GitLab security templates

**Security gate pattern:**

Add a security gate job that evaluates all security scan results and fails the pipeline if critical issues are found:

```yaml
security-gate:
  needs: [secret-scan, sast, sca, container-scan]
  script:
    # Check for critical vulnerabilities
    # Parse JSON reports and evaluate thresholds
    # Fail if critical issues found

Language-specific security tools:

Node.js: CodeQL, Semgrep, npm audit, eslint-plugin-security
Python: CodeQL, Semgrep, Bandit, pip-audit, Safety
Go: CodeQL, Semgrep, Gosec, govulncheck

All language-specific templates now include security scanning stages. See:

```
templates/github-actions/node-ci.yml
```
```
templates/github-actions/python-ci.yml
```
```
templates/github-actions/go-ci.yml
```
```
templates/gitlab-ci/node-ci.yml
```
```
templates/gitlab-ci/python-ci.yml
```
```
templates/gitlab-ci/go-ci.yml
```

See devsecops.md for comprehensive DevSecOps guide covering all security scanning types, tool comparisons, and implementation patterns.

include:

template: Security/SAST.gitlab-ci.yml
template: Security/Dependency-Scanning.gitlab-ci.yml


**全面安全流水线模板：**
- **GitHub Actions：** `templates/github-actions/security-scan.yml` - 包含所有扫描阶段的完整DevSecOps流水线
- **GitLab CI：** `templates/gitlab-ci/security-scan.yml` - 包含GitLab安全模板的完整DevSecOps流水线

**安全门模式：**

添加安全门作业，评估所有安全扫描结果，若发现严重问题则终止流水线：

```yaml
security-gate:
  needs: [secret-scan, sast, sca, container-scan]
  script:
    # 检查严重漏洞
    # 解析JSON报告并评估阈值
    # 若发现严重问题则失败

特定语言安全工具：

Node.js： CodeQL, Semgrep, npm audit, eslint-plugin-security
Python： CodeQL, Semgrep, Bandit, pip-audit, Safety
Go： CodeQL, Semgrep, Gosec, govulncheck

所有特定语言模板现在都包含安全扫描阶段。查看：

```
templates/github-actions/node-ci.yml
```
```
templates/github-actions/python-ci.yml
```
```
templates/github-actions/go-ci.yml
```
```
templates/gitlab-ci/node-ci.yml
```
```
templates/gitlab-ci/python-ci.yml
```
```
templates/gitlab-ci/go-ci.yml
```

查看devsecops.md获取全面的DevSecOps指南，涵盖所有安全扫描类型、工具对比和实施模式。

Quick Reference Commands

快速参考命令

GitHub Actions

bash

undefined

bash

undefined

List workflows

列出工作流

gh workflow list

View recent runs

查看最近运行记录

gh run list --limit 20

View specific run

查看特定运行记录

gh run view <run-id>

Re-run failed jobs

重新运行失败的作业

gh run rerun <run-id> --failed

Download logs

下载日志

gh run view <run-id> --log > logs.txt

Trigger workflow manually

手动触发工作流

gh workflow run ci.yml

Check workflow status

检查工作流状态

gh run watch

undefined

gh run watch

undefined

GitLab CI

bash

undefined

bash

undefined

View pipelines

查看流水线

gl project-pipelines list

Pipeline status

流水线状态

gl project-pipeline get <pipeline-id>

Retry failed jobs

重试失败的作业

gl project-pipeline retry <pipeline-id>

Cancel pipeline

取消流水线

gl project-pipeline cancel <pipeline-id>

Download artifacts

下载产物

gl project-job artifacts <job-id>

undefined

gl project-job artifacts <job-id>

undefined

Platform-Specific Patterns

平台特定模式

GitHub Actions

Reusable workflows:

yaml

undefined

可复用工作流：

yaml

undefined

.github/workflows/reusable-test.yml

on: workflow_call: inputs: node-version: required: true type: string

jobs: test: runs-on: ubuntu-latest steps: - uses: actions/setup-node@v4 with: node-version: ${{ inputs.node-version }}


**Call from another workflow:**
```yaml
jobs:
  test:
    uses: ./.github/workflows/reusable-test.yml
    with:
      node-version: '20'

on: workflow_call: inputs: node-version: required: true type: string

jobs: test: runs-on: ubuntu-latest steps: - uses: actions/setup-node@v4 with: node-version: ${{ inputs.node-version }}


**从其他工作流调用：**
```yaml
jobs:
  test:
    uses: ./.github/workflows/reusable-test.yml
    with:
      node-version: '20'

GitLab CI

Templates with extends:

yaml

.test_template:
  image: node:20
  before_script:
    - npm ci

unit-test:
  extends: .test_template
  script:
    - npm run test:unit

integration-test:
  extends: .test_template
  script:
    - npm run test:integration

DAG pipelines with needs:

yaml

build:
  stage: build

test:unit:
  stage: test
  needs: [build]

test:integration:
  stage: test
  needs: [build]

deploy:
  stage: deploy
  needs: [test:unit, test:integration]

使用extends的模板：

yaml

.test_template:
  image: node:20
  before_script:
    - npm ci

unit-test:
  extends: .test_template
  script:
    - npm run test:unit

integration-test:
  extends: .test_template
  script:
    - npm run test:integration

使用needs的DAG流水线：

yaml

build:
  stage: build

test:unit:
  stage: test
  needs: [build]

test:integration:
  stage: test
  needs: [build]

deploy:
  stage: deploy
  needs: [test:unit, test:integration]

Diagnostic Scripts

诊断脚本

Pipeline Analyzer

流水线分析器

Analyzes workflow configuration for optimization opportunities:

bash

undefined

分析工作流配置以发现优化机会：

bash

undefined

GitHub Actions

python3 scripts/pipeline_analyzer.py --platform github --workflow .github/workflows/ci.yml

GitLab CI

python3 scripts/pipeline_analyzer.py --platform gitlab --config .gitlab-ci.yml


**Identifies:**
- Missing caching opportunities
- Unnecessary sequential execution
- Outdated action versions
- Unused artifacts
- Overly broad triggers

python3 scripts/pipeline_analyzer.py --platform gitlab --config .gitlab-ci.yml


**识别内容：**
- 缺失的缓存机会
- 不必要的顺序执行
- 过时的action版本
- 未使用的产物
- 过于宽泛的触发器

CI Health Checker

CI健康检查器

Checks pipeline status and identifies issues:

bash

undefined

检查流水线状态并识别问题：

bash

undefined

GitHub Actions

python3 scripts/ci_health.py --platform github --repo owner/repo --limit 20

GitLab CI

python3 scripts/ci_health.py --platform gitlab --project-id 12345 --token $GITLAB_TOKEN


**Provides:**
- Success/failure rates
- Recent failure patterns
- Workflow-specific insights
- Actionable recommendations

python3 scripts/ci_health.py --platform gitlab --project-id 12345 --token $GITLAB_TOKEN


**提供信息：**
- 成功率/失败率
- 近期故障模式
- 特定工作流的洞察
- 可执行的建议

Reference Documentation

参考文档

For deep-dive information on specific topics:

best_practices.md - Pipeline design, testing strategies, deployment patterns, dependency management, artifact handling, platform-specific patterns
security.md - Secrets management, OIDC authentication, supply chain security, access control, vulnerability scanning, secure pipeline patterns
devsecops.md - Comprehensive DevSecOps guide: SAST (CodeQL, Semgrep, Bandit, Gosec), DAST (OWASP ZAP), SCA (npm audit, pip-audit, Snyk), container security (Trivy, Grype, SBOM), secret scanning (TruffleHog, Gitleaks), security gates, license compliance
optimization.md - Caching strategies (dependencies, Docker layers, build artifacts), parallelization techniques, test splitting, build optimization, resource management
troubleshooting.md - Common issues (workflow not triggering, flaky tests, timeouts, dependency errors), Docker problems, authentication issues, platform-specific debugging

获取特定主题的深入信息：

best_practices.md - 流水线设计、测试策略、部署模式、依赖管理、产物处理、平台特定模式
security.md - 密钥管理、OIDC认证、供应链安全、访问控制、漏洞扫描、安全流水线模式
devsecops.md - 全面的DevSecOps指南：SAST（CodeQL、Semgrep、Bandit、Gosec）、DAST（OWASP ZAP）、SCA（npm audit、pip-audit、Snyk）、容器安全（Trivy、Grype、SBOM）、密钥扫描（TruffleHog、Gitleaks）、安全门、许可证合规
optimization.md - 缓存策略（依赖、Docker层、构建产物）、并行化技术、测试分片、构建优化、资源管理
troubleshooting.md - 常见问题（工作流未触发、不稳定测试、超时、依赖错误）、Docker问题、认证问题、平台特定调试

Templates

模板

Starter templates for common use cases:

针对常见场景的入门模板：

GitHub Actions

assets/templates/github-actions/node-ci.yml
- Complete Node.js CI/CD with security scanning, caching, matrix testing, and multi-environment deployment
assets/templates/github-actions/python-ci.yml
- Python pipeline with security scanning, pytest, coverage, PyPI deployment
assets/templates/github-actions/go-ci.yml
- Go pipeline with security scanning, multi-platform builds, benchmarks, integration tests
assets/templates/github-actions/docker-build.yml
- Docker build with multi-platform support, security scanning, SBOM generation, and signing
assets/templates/github-actions/security-scan.yml
- Comprehensive DevSecOps pipeline with SAST, DAST, SCA, container scanning, and security gates

assets/templates/github-actions/node-ci.yml
- 完整的Node.js CI/CD流水线，包含安全扫描、缓存、矩阵测试和多环境部署
assets/templates/github-actions/python-ci.yml
- Python流水线，包含安全扫描、pytest、覆盖率、PyPI部署
assets/templates/github-actions/go-ci.yml
- Go流水线，包含安全扫描、多平台构建、基准测试、集成测试
assets/templates/github-actions/docker-build.yml
- Docker构建流水线，包含多平台支持、安全扫描、SBOM生成和签名
assets/templates/github-actions/security-scan.yml
- 全面的DevSecOps流水线，包含SAST、DAST、SCA、容器扫描和安全门

GitLab CI

assets/templates/gitlab-ci/node-ci.yml
- GitLab CI pipeline with security scanning, parallel execution, services, and deployment stages
assets/templates/gitlab-ci/python-ci.yml
- Python pipeline with security scanning, parallel testing, Docker builds, PyPI and Cloud Run deployment
assets/templates/gitlab-ci/go-ci.yml
- Go pipeline with security scanning, multi-platform builds, benchmarks, Kubernetes deployment
assets/templates/gitlab-ci/docker-build.yml
- Docker build with DinD, multi-arch, Container Registry, security scanning
assets/templates/gitlab-ci/security-scan.yml
- Comprehensive DevSecOps pipeline with SAST, DAST, SCA, container scanning, GitLab security templates, and security gates

assets/templates/gitlab-ci/node-ci.yml
- GitLab CI流水线，包含安全扫描、并行执行、服务和部署阶段
assets/templates/gitlab-ci/python-ci.yml
- Python流水线，包含安全扫描、并行测试、Docker构建、PyPI和Cloud Run部署
assets/templates/gitlab-ci/go-ci.yml
- Go流水线，包含安全扫描、多平台构建、基准测试、Kubernetes部署
assets/templates/gitlab-ci/docker-build.yml
- Docker构建流水线，包含DinD、多架构、容器仓库、安全扫描
assets/templates/gitlab-ci/security-scan.yml
- 全面的DevSecOps流水线，包含SAST、DAST、SCA、容器扫描、GitLab安全模板和安全门

Common Patterns

常见模式

Caching Dependencies

依赖缓存

GitHub Actions:

yaml

- uses: actions/cache@v4
  with:
    path: ~/.npm
    key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
    restore-keys: |
      ${{ runner.os }}-node-
- run: npm ci

GitLab CI:

yaml

cache:
  key:
    files:
      - package-lock.json
  paths:
    - node_modules/

GitHub Actions：

yaml

- uses: actions/cache@v4
  with:
    path: ~/.npm
    key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
    restore-keys: |
      ${{ runner.os }}-node-
- run: npm ci

GitLab CI：

yaml

cache:
  key:
    files:
      - package-lock.json
  paths:
    - node_modules/

Matrix Builds

矩阵构建

GitHub Actions:

yaml

strategy:
  matrix:
    os: [ubuntu-latest, macos-latest]
    node: [18, 20, 22]
  fail-fast: false

GitLab CI:

yaml

test:
  parallel:
    matrix:
      - NODE_VERSION: ['18', '20', '22']

GitHub Actions：

yaml

strategy:
  matrix:
    os: [ubuntu-latest, macos-latest]
    node: [18, 20, 22]
  fail-fast: false

GitLab CI：

yaml

test:
  parallel:
    matrix:
      - NODE_VERSION: ['18', '20', '22']

Conditional Execution

条件执行

GitHub Actions:

yaml

- name: Deploy
  if: github.ref == 'refs/heads/main' && github.event_name == 'push'

GitLab CI:

yaml

deploy:
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
      when: manual

GitHub Actions：

yaml

- name: 部署
  if: github.ref == 'refs/heads/main' && github.event_name == 'push'

GitLab CI：

yaml

deploy:
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
      when: manual

Best Practices Summary

最佳实践总结

Performance:

Enable dependency caching
Parallelize independent jobs
Add path filters to reduce unnecessary runs
Use matrix builds for cross-platform testing

Security:

Use OIDC for cloud authentication
Pin actions to commit SHAs
Enable secret scanning and vulnerability checks
Apply principle of least privilege

Reliability:

Add timeouts to prevent hung jobs
Implement retry logic for flaky operations
Use health checks after deployments
Enable concurrency cancellation

Maintainability:

Use reusable workflows/templates
Document non-obvious decisions
Keep workflows DRY with extends/includes
Regular dependency updates

性能：

启用依赖缓存
并行化独立作业
添加路径过滤器以减少不必要的运行
使用矩阵构建进行跨平台测试

安全：

使用OIDC进行云认证
将actions固定到提交SHA
启用密钥扫描和漏洞检查
应用最小权限原则

可靠性：

为作业添加超时时间以防止挂起
为不稳定操作实现重试逻辑
部署后进行健康检查
启用并发取消

可维护性：

使用可复用工作流/模板
记录非显而易见的决策
使用extends/includes保持工作流DRY
定期更新依赖

Getting Started

快速开始

New pipeline: Start with a template from
```
assets/templates/
```
Add security scanning: Use DevSecOps templates or add security stages to existing pipelines (see workflow 6 above)
Optimize existing: Run
```
scripts/pipeline_analyzer.py
```
Debug issues: Check
```
references/troubleshooting.md
```

Improve security: Review

references/security.md

and

references/devsecops.md

checklists

Speed up builds: See
```
references/optimization.md
```

新流水线： 从
```
assets/templates/
```
选择模板开始
添加安全扫描： 使用DevSecOps模板或为现有流水线添加安全阶段（见上文工作流6）
优化现有流水线： 运行
```
scripts/pipeline_analyzer.py
```
调试问题： 查看
```
references/troubleshooting.md
```

提升安全性： 查看

references/security.md

和

references/devsecops.md

的检查清单

加速构建： 查看
```
references/optimization.md
```