ci-cd-pipelines
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseCI/CD Pipelines
CI/CD流水线
GitHub Actions Workflows
GitHub Actions工作流
Core Concepts
核心概念
- Workflows: YAML files defining automation processes
- Events: Triggers for workflow execution (push, pull_request, schedule)
- Jobs: Collections of steps that run on the same runner
- Steps: Individual tasks within a job
- Actions: Reusable components for common tasks
- Workflows:定义自动化流程的YAML文件
- Events:触发工作流执行的事件(push、pull_request、schedule)
- Jobs:在同一运行器上执行的步骤集合
- Steps:作业中的单个任务
- Actions:用于常见任务的可复用组件
Best Practices
最佳实践
-
Workflow Organization
- Use separate workflows for different concerns (CI, CD, release)
- Use workflow templates for consistency
- Use composite actions for reusable steps
- Use reusable workflows for shared pipeline logic
- Use matrix strategy for testing across multiple configurations
-
Job Optimization
- Use caching for dependencies and build artifacts
- Use parallel jobs for faster execution
- Use job dependencies for sequential execution
- Use artifacts for passing data between jobs
- Use self-hosted runners for custom environments
-
Security
- Use secrets for sensitive data
- Use environments for deployment protection
- Use required reviews for critical deployments
- Use OIDC for cloud provider authentication
- Use branch protection rules
-
工作流组织
- 为不同场景使用独立工作流(CI、CD、发布)
- 使用工作流模板保证一致性
- 使用复合动作实现可复用步骤
- 使用可复用工作流共享流水线逻辑
- 使用矩阵策略在多配置下进行测试
-
作业优化
- 对依赖项和构建产物使用缓存
- 使用并行作业提升执行速度
- 使用作业依赖实现顺序执行
- 使用工件在作业间传递数据
- 使用自托管运行器适配自定义环境
-
安全规范
- 使用密钥存储敏感数据
- 使用环境实现部署保护
- 关键部署需通过必要审核
- 使用OIDC进行云提供商认证
- 使用分支保护规则
GitHub Actions Examples
GitHub Actions示例
yaml
name: CI/CD Pipeline
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
test:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [14.x, 16.x, 18.x]
steps:
- uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
- run: npm ci
- run: npm test
- run: npm run build
deploy:
needs: test
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v3
- name: Deploy to production
run: |
# Deployment commandsyaml
name: CI/CD Pipeline
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
test:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [14.x, 16.x, 18.x]
steps:
- uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
- run: npm ci
- run: npm test
- run: npm run build
deploy:
needs: test
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v3
- name: Deploy to production
run: |
# Deployment commandsGitLab CI/CD Pipelines
GitLab CI/CD流水线
Core Concepts
核心概念
- Pipelines: Series of jobs executed in stages
- Stages: Logical grouping of jobs
- Jobs: Individual tasks that execute scripts
- Runners: Agents that execute jobs
- Artifacts: Files passed between jobs
- Pipelines:按阶段执行的一系列作业
- Stages:作业的逻辑分组
- Jobs:执行脚本的单个任务
- Runners:执行作业的代理
- Artifacts:在作业间传递的文件
Best Practices
最佳实践
-
Pipeline Configuration
- Use for pipeline definition
.gitlab-ci.yml - Use stages for logical job grouping
- Use only/except rules for job execution control
- Use rules for more complex conditions
- Use needs for job dependencies
- Use
-
Job Optimization
- Use artifacts for passing data between jobs
- Use cache for dependency caching
- Use parallel jobs for faster execution
- Use retry for transient failures
- Use timeout for job duration limits
-
Security
- Use CI/CD variables for sensitive data
- Use protected variables for protected branches
- Use masked variables for hiding values
- Use environments for deployment control
- Use approval rules for critical deployments
-
流水线配置
- 使用定义流水线
.gitlab-ci.yml - 使用阶段对作业进行逻辑分组
- 使用only/except规则控制作业执行
- 使用规则处理更复杂的条件
- 使用needs定义作业依赖
- 使用
-
作业优化
- 使用工件在作业间传递数据
- 使用缓存存储依赖项
- 使用并行作业提升执行速度
- 对临时失败使用重试机制
- 为作业设置时长超时限制
-
安全规范
- 使用CI/CD变量存储敏感数据
- 为受保护分支使用受保护变量
- 使用掩码变量隐藏值
- 使用环境实现部署控制
- 关键部署需通过审批规则
GitLab CI/CD Examples
GitLab CI/CD示例
yaml
stages:
- test
- build
- deploy
test:
stage: test
image: node:18
script:
- npm ci
- npm test
parallel:
matrix:
- NODE_VERSION: [14, 16, 18]
cache:
paths:
- node_modules/
build:
stage: build
image: node:18
script:
- npm ci
- npm run build
artifacts:
paths:
- dist/
deploy:
stage: deploy
image: node:18
script:
- npm install -g serverless
- serverless deploy
only:
- main
when: manualyaml
stages:
- test
- build
- deploy
test:
stage: test
image: node:18
script:
- npm ci
- npm test
parallel:
matrix:
- NODE_VERSION: [14, 16, 18]
cache:
paths:
- node_modules/
build:
stage: build
image: node:18
script:
- npm ci
- npm run build
artifacts:
paths:
- dist/
deploy:
stage: deploy
image: node:18
script:
- npm install -g serverless
- serverless deploy
only:
- main
when: manualJenkins Pipelines
Jenkins流水线
Core Concepts
核心概念
- Pipelines: Groovy scripts defining automation
- Stages: Logical grouping of steps
- Steps: Individual operations
- Agents: Nodes where pipeline runs
- Credentials: Secure storage for secrets
- Pipelines:定义自动化的Groovy脚本
- Stages:步骤的逻辑分组
- Steps:单个操作
- Agents:运行流水线的节点
- Credentials:密钥的安全存储
Best Practices
最佳实践
-
Pipeline Design
- Use Declarative Pipeline syntax
- Use shared libraries for reusable code
- Use pipeline stages for logical organization
- Use when conditions for conditional execution
- Use post sections for cleanup and notifications
-
Agent Management
- Use labels for agent selection
- Use Docker agents for consistent environments
- Use Kubernetes agents for dynamic scaling
- Use agent none for lightweight pipelines
- Use stash/unstash for passing data
-
Security
- Use credentials binding for secrets
- Use credential scopes for access control
- Use approval steps for manual gates
- Use input steps for user interaction
- Use role-based strategy for permissions
-
流水线设计
- 使用声明式流水线语法
- 使用共享库实现可复用代码
- 使用流水线阶段进行逻辑组织
- 使用when条件实现条件执行
- 使用post部分进行清理和通知
-
代理管理
- 使用标签选择代理
- 使用Docker代理保证环境一致性
- 使用Kubernetes代理实现动态扩容
- 使用agent none创建轻量流水线
- 使用stash/unstash传递数据
-
安全规范
- 使用凭据绑定处理密钥
- 使用凭据范围实现访问控制
- 使用审批步骤设置人工闸门
- 使用input步骤实现用户交互
- 使用基于角色的策略控制权限
Jenkins Pipeline Examples
Jenkins流水线示例
groovy
pipeline {
agent any
stages {
stage('Test') {
parallel {
stage('Node 14') {
agent { docker { image 'node:14' } }
steps {
sh 'npm ci'
sh 'npm test'
}
}
stage('Node 16') {
agent { docker { image 'node:16' } }
steps {
sh 'npm ci'
sh 'npm test'
}
}
}
}
stage('Build') {
agent { docker { image 'node:18' } }
steps {
sh 'npm ci'
sh 'npm run build'
archiveArtifacts artifacts: 'dist/**'
}
}
stage('Deploy') {
when {
branch 'main'
}
steps {
input message: 'Deploy to production?', ok: 'Deploy'
sh 'npm install -g serverless'
sh 'serverless deploy'
}
}
}
post {
always {
cleanWs()
}
success {
emailext subject: 'Build Success',
body: 'The build completed successfully.',
to: 'team@example.com'
}
failure {
emailext subject: 'Build Failed',
body: 'The build failed.',
to: 'team@example.com'
}
}
}groovy
pipeline {
agent any
stages {
stage('Test') {
parallel {
stage('Node 14') {
agent { docker { image 'node:14' } }
steps {
sh 'npm ci'
sh 'npm test'
}
}
stage('Node 16') {
agent { docker { image 'node:16' } }
steps {
sh 'npm ci'
sh 'npm test'
}
}
}
}
stage('Build') {
agent { docker { image 'node:18' } }
steps {
sh 'npm ci'
sh 'npm run build'
archiveArtifacts artifacts: 'dist/**'
}
}
stage('Deploy') {
when {
branch 'main'
}
steps {
input message: 'Deploy to production?', ok: 'Deploy'
sh 'npm install -g serverless'
sh 'serverless deploy'
}
}
}
post {
always {
cleanWs()
}
success {
emailext subject: 'Build Success',
body: 'The build completed successfully.',
to: 'team@example.com'
}
failure {
emailext subject: 'Build Failed',
body: 'The build failed.',
to: 'team@example.com'
}
}
}Azure DevOps Pipelines
Azure DevOps流水线
Core Concepts
核心概念
- Pipelines: YAML or GUI-defined automation
- Stages: Major divisions in a pipeline
- Jobs: Units of work within a stage
- Tasks: Pre-built units of work
- Agents: Machines that run jobs
- Pipelines:通过YAML或GUI定义的自动化流程
- Stages:流水线中的主要划分
- Jobs:阶段内的工作单元
- Tasks:预构建的工作单元
- Agents:运行作业的机器
Best Practices
最佳实践
-
Pipeline Configuration
- Use YAML pipelines for version control
- Use templates for reusable pipeline logic
- Use parameters for pipeline customization
- Use variables for configuration values
- Use stages for environment separation
-
Job Optimization
- Use parallel jobs for faster execution
- Use artifacts for passing data between jobs
- Use caching for dependency caching
- Use matrix strategy for multiple configurations
- Use demands for agent selection
-
Security
- Use secret variables for sensitive data
- Use variable groups for organization
- Use key vault for secret management
- Use environment checks for deployment control
- Use approval gates for manual intervention
-
流水线配置
- 使用YAML流水线进行版本控制
- 使用模板实现可复用流水线逻辑
- 使用参数实现流水线定制
- 使用变量存储配置值
- 使用阶段实现环境隔离
-
作业优化
- 使用并行作业提升执行速度
- 使用工件在作业间传递数据
- 使用缓存存储依赖项
- 使用矩阵策略适配多配置
- 使用需求选择代理
-
安全规范
- 使用密钥变量存储敏感数据
- 使用变量组进行组织
- 使用密钥保管库管理密钥
- 使用环境检查实现部署控制
- 使用审批闸门实现人工干预
Azure DevOps Pipeline Examples
Azure DevOps流水线示例
yaml
trigger:
- main
- develop
pool:
vmImage: 'ubuntu-latest'
stages:
- stage: Test
jobs:
- job: Test
strategy:
matrix:
Node_14:
node_version: 14.x
Node_16:
node_version: 16.x
Node_18:
node_version: 18.x
steps:
- task: UseNode@1
inputs:
versionSpec: $(node_version)
- script: |
npm ci
npm test
displayName: 'Install dependencies and run tests'
- stage: Build
dependsOn: Test
jobs:
- job: Build
steps:
- task: UseNode@1
inputs:
versionSpec: '18.x'
- script: |
npm ci
npm run build
displayName: 'Build application'
- publish: dist
artifact: dist
- stage: Deploy
dependsOn: Build
condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
jobs:
- deployment: Deploy
environment: 'production'
strategy:
runOnce:
deploy:
steps:
- script: |
npm install -g serverless
serverless deploy
displayName: 'Deploy to production'yaml
trigger:
- main
- develop
pool:
vmImage: 'ubuntu-latest'
stages:
- stage: Test
jobs:
- job: Test
strategy:
matrix:
Node_14:
node_version: 14.x
Node_16:
node_version: 16.x
Node_18:
node_version: 18.x
steps:
- task: UseNode@1
inputs:
versionSpec: $(node_version)
- script: |
npm ci
npm test
displayName: 'Install dependencies and run tests'
- stage: Build
dependsOn: Test
jobs:
- job: Build
steps:
- task: UseNode@1
inputs:
versionSpec: '18.x'
- script: |
npm ci
npm run build
displayName: 'Build application'
- publish: dist
artifact: dist
- stage: Deploy
dependsOn: Build
condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
jobs:
- deployment: Deploy
environment: 'production'
strategy:
runOnce:
deploy:
steps:
- script: |
npm install -g serverless
serverless deploy
displayName: 'Deploy to production'Build and Test Strategies
构建与测试策略
Build Strategies
构建策略
- Incremental Builds: Build only changed components
- Parallel Builds: Build multiple components simultaneously
- Matrix Builds: Build across multiple configurations
- Cached Builds: Use cache for faster builds
- Docker Builds: Use Docker for consistent build environments
- 增量构建:仅构建变更的组件
- 并行构建:同时构建多个组件
- 矩阵构建:在多配置下构建
- 缓存构建:使用缓存加速构建
- Docker构建:使用Docker保证构建环境一致性
Test Strategies
测试策略
- Unit Tests: Test individual components in isolation
- Integration Tests: Test component interactions
- End-to-End Tests: Test complete user flows
- Performance Tests: Test system performance
- Security Tests: Test for security vulnerabilities
- 单元测试:隔离测试单个组件
- 集成测试:测试组件间的交互
- 端到端测试:测试完整用户流程
- 性能测试:测试系统性能
- 安全测试:测试安全漏洞
Quality Gates
质量闸门
- Code Coverage: Minimum code coverage threshold
- Linting: Code style and quality checks
- Static Analysis: Security and vulnerability scanning
- Dependency Scanning: Check for vulnerable dependencies
- License Compliance: Check for license compliance
- 代码覆盖率:最低代码覆盖率阈值
- 代码检查:代码风格与质量检查
- 静态分析:安全与漏洞扫描
- 依赖扫描:检查易受攻击的依赖项
- 许可证合规:检查许可证合规性
Deployment Patterns
部署模式
Blue-Green Deployment
蓝绿部署
- Concept: Maintain two identical production environments
- Benefits: Zero downtime, instant rollback
- Implementation: Switch traffic between blue and green environments
- Best Practices: Use load balancers for traffic switching, test green environment before switching
- 概念:维护两个相同的生产环境
- 优势:零停机、即时回滚
- 实现:在蓝绿环境间切换流量
- 最佳实践:使用负载均衡器切换流量,切换前测试绿色环境
Canary Deployment
金丝雀部署
- Concept: Gradually roll out changes to a subset of users
- Benefits: Reduced risk, gradual feedback
- Implementation: Route small percentage of traffic to new version
- Best Practices: Monitor metrics closely, have rollback plan ready
- 概念:逐步向部分用户推出变更
- 优势:降低风险、逐步获取反馈
- 实现:将小比例流量路由到新版本
- 最佳实践:密切监控指标,准备好回滚计划
Rolling Deployment
滚动部署
- Concept: Replace instances one at a time
- Benefits: Gradual rollout, minimal downtime
- Implementation: Update instances in batches
- Best Practices: Use health checks, monitor for failures
- 概念:逐个替换实例
- 优势:逐步推出、最小停机
- 实现:分批更新实例
- 最佳实践:使用健康检查,监控故障
Feature Flags
功能开关
- Concept: Enable/disable features without deployment
- Benefits: Gradual rollout, instant rollback
- Implementation: Use feature flag management system
- Best Practices: Keep flags temporary, clean up old flags
- 概念:无需部署即可启用/禁用功能
- 优势:逐步推出、即时回滚
- 实现:使用功能开关管理系统
- 最佳实践:保持开关为临时状态,清理旧开关
Immutable Infrastructure
不可变基础设施
- Concept: Replace rather than modify infrastructure
- Benefits: Consistency, easier rollback, no configuration drift
- Implementation: Use infrastructure as code, replace instances on updates
- Best Practices: Version all infrastructure, use golden images
- 概念:替换而非修改基础设施
- 优势:一致性、易回滚、无配置漂移
- 实现:使用基础设施即代码,更新时替换实例
- 最佳实践:对所有基础设施版本化,使用黄金镜像
Pipeline Orchestration
流水线编排
Pipeline Dependencies
流水线依赖
- Sequential Execution: Jobs run in sequence
- Parallel Execution: Jobs run simultaneously
- Conditional Execution: Jobs run based on conditions
- Artifact Passing: Pass data between jobs
- Environment Promotion: Promote through environments
- 顺序执行:作业按顺序运行
- 并行执行:作业同时运行
- 条件执行:作业根据条件运行
- 工件传递:在作业间传递数据
- 环境升级:在环境间升级
Pipeline Triggers
流水线触发器
- Push Triggers: Run on code push
- Pull Request Triggers: Run on pull requests
- Schedule Triggers: Run on schedule
- Manual Triggers: Run on demand
- Webhook Triggers: Run on webhook events
- 推送触发器:代码推送时运行
- 拉取请求触发器:拉取请求时运行
- 定时触发器:按计划运行
- 手动触发器:按需运行
- Webhook触发器:Webhook事件触发运行
Pipeline Notifications
流水线通知
- Email Notifications: Send email on pipeline events
- Slack Notifications: Send Slack messages on pipeline events
- Microsoft Teams Notifications: Send Teams messages on pipeline events
- Custom Webhooks: Send custom webhook notifications
- Status Badges: Display pipeline status as badges
- 邮件通知:流水线事件时发送邮件
- Slack通知:流水线事件时发送Slack消息
- Microsoft Teams通知:流水线事件时发送Teams消息
- 自定义Webhook:发送自定义Webhook通知
- 状态徽章:将流水线状态显示为徽章
Pipeline Security
流水线安全
Secrets Management
密钥管理
- Secret Variables: Store secrets as pipeline variables
- Secret Stores: Use secret stores (Vault, AWS Secrets Manager)
- OIDC Authentication: Use OIDC for cloud provider authentication
- Key Vault: Use key vault for secret management
- Secret Rotation: Rotate secrets regularly
- 密钥变量:将密钥存储为流水线变量
- 密钥存储:使用密钥存储(Vault、AWS Secrets Manager)
- OIDC认证:使用OIDC进行云提供商认证
- 密钥保管库:使用密钥保管库管理密钥
- 密钥轮换:定期轮换密钥
Access Control
访问控制
- Branch Protection: Protect branches from direct pushes
- Pull Request Reviews: Require reviews for merges
- Environment Approvals: Require approvals for deployments
- Role-Based Access: Use RBAC for pipeline access
- Audit Logging: Enable audit logging for compliance
- 分支保护:保护分支免受直接推送
- 拉取请求审核:合并需经过审核
- 环境审批:部署需经过审批
- 基于角色的访问:使用RBAC控制流水线访问
- 审计日志:启用审计日志以符合合规要求
Supply Chain Security
供应链安全
- Dependency Scanning: Scan for vulnerable dependencies
- Container Scanning: Scan container images for vulnerabilities
- SBOM Generation: Generate software bill of materials
- Code Signing: Sign artifacts for integrity
- Policy Enforcement: Enforce policies with tools like OPA
- 依赖扫描:扫描易受攻击的依赖项
- 容器扫描:扫描容器镜像的漏洞
- SBOM生成:生成软件物料清单
- 代码签名:为工件签名保证完整性
- 策略执行:使用OPA等工具执行策略