ci-cd-architecture
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseCI/CD & Deployment
CI/CD与部署
Overview
概述
Covers CI/CD pipeline design, deployment platform selection, and production infrastructure. Focuses on GitHub Actions with hardened security (OIDC, permission scoping, action pinning), Bun-first build optimization, and deployment patterns from MVP to enterprise scale.
When to use: Setting up GitHub Actions workflows, choosing deployment targets, configuring OIDC for cloud providers, optimizing CI performance, planning multi-environment pipelines.
When NOT to use: Application-level architecture decisions (use framework-specific skills), Kubernetes cluster management (use dedicated IaC tools), cloud provider console configuration.
涵盖CI/CD流水线设计、部署平台选择及生产基础设施相关内容。重点介绍具备强化安全机制(OIDC、权限范围限定、Action版本锁定)的GitHub Actions、基于Bun的构建优化,以及从MVP到企业级规模的部署模式。
适用场景:搭建GitHub Actions工作流、选择部署目标、为云服务商配置OIDC、优化CI性能、规划多环境流水线。
不适用场景:应用级架构决策(请使用框架专属技能)、Kubernetes集群管理(请使用专用IaC工具)、云服务商控制台配置。
Quick Reference
快速参考
| Need | Solution |
|---|---|
| MVP deploy (< 1K users) | Vercel, Netlify, Railway, Cloudflare Pages |
| Growing product (1K-100K) | AWS Amplify, Cloud Run, Fly.io, Render |
| Enterprise (100K+) | AWS ECS/EKS, GKE, DigitalOcean App Platform |
| Static site | Vercel, Netlify, Cloudflare Pages |
| Full-stack + DB | Railway, Render, AWS Amplify |
| Global low latency | Cloudflare Workers, Vercel Edge, Fly.io |
| Compliance (HIPAA, SOC 2) | AWS, GCP, Azure |
| Cloud auth from CI | OIDC roles (never long-lived keys) |
| Action pinning | Pin to commit SHA, not tag |
| Bun CI caching | |
| Pipeline security | StepSecurity Harden-Runner for egress control |
| Container builds | Multi-stage Dockerfile: builder + runtime stage |
| Docker layer caching | |
| Multi-platform builds | |
| Image scanning | Trivy or Snyk in pipeline before push |
| Registry push | GHCR ( |
| Pipeline stages | build → test → security scan → deploy |
| DORA: deploy frequency | Track deployments per day/week per service |
| DORA: lead time | Commit-to-production time; target < 1 hour |
| DORA: change failure rate | % of deploys causing incidents; target < 5% |
| DORA: MTTR | Mean time to restore; target < 1 hour |
| 需求 | 解决方案 |
|---|---|
| MVP部署(用户量<1000) | Vercel, Netlify, Railway, Cloudflare Pages |
| 成长型产品(1000-100000用户) | AWS Amplify, Cloud Run, Fly.io, Render |
| 企业级(用户量>100000) | AWS ECS/EKS, GKE, DigitalOcean App Platform |
| 静态站点 | Vercel, Netlify, Cloudflare Pages |
| 全栈+数据库 | Railway, Render, AWS Amplify |
| 全球低延迟 | Cloudflare Workers, Vercel Edge, Fly.io |
| 合规要求(HIPAA、SOC 2) | AWS, GCP, Azure |
| 从CI进行云认证 | OIDC角色(绝不使用长期密钥) |
| Action版本锁定 | 锁定到提交SHA值,而非标签 |
| Bun CI缓存 | 以 |
| 流水线安全 | 使用StepSecurity Harden-Runner进行出口流量控制 |
| 容器构建 | 多阶段Dockerfile:构建阶段 + 运行时阶段 |
| Docker层缓存 | 结合 |
| 多平台构建 | 使用 |
| 镜像扫描 | 在推送前于流水线中使用Trivy或Snyk |
| 镜像仓库推送 | GHCR ( |
| 流水线阶段 | 构建 → 测试 → 安全扫描 → 部署 |
| DORA:部署频率 | 按服务统计每日/每周的部署次数 |
| DORA:前置时间 | 从提交到生产环境的时间;目标<1小时 |
| DORA:变更失败率 | 引发故障的部署占比;目标<5% |
| DORA:平均恢复时间(MTTR) | 平均恢复时间;目标<1小时 |
Common Mistakes
常见错误
| Mistake | Correct Pattern |
|---|---|
| Storing long-lived AWS/GCP/Azure keys as GitHub secrets | Use OIDC roles with |
| Pinning GitHub Actions to tags instead of commit SHAs | Pin third-party actions to full commit SHA to prevent supply chain attacks |
Leaving | Explicitly scope permissions at the job level; default to |
| Running full CI on every branch push | Use |
| Over-engineering infrastructure before product-market fit | Start with managed platforms (Vercel, Railway); scale to AWS/GKE only when needed |
| Using outdated action versions (v3 or older) | Use current major versions: checkout@v6, cache@v5, configure-aws-credentials@v5 |
Caching only | Bun 1.2+ uses text-based |
| Skipping preview deployments for PRs | Every PR should get a preview URL for testing before merge |
| 错误 | 正确做法 |
|---|---|
| 将AWS/GCP/Azure长期密钥存储为GitHub密钥 | 使用带有 |
| 将GitHub Actions锁定到标签而非提交SHA值 | 将第三方Action锁定到完整提交SHA值,以防止供应链攻击 |
工作流中保留默认的(宽泛) | 在任务级别显式限定权限;默认设置为 |
| 每次分支推送都运行完整CI流程 | 使用 |
| 在产品-市场匹配前过度设计基础设施 | 从托管平台(Vercel、Railway)起步;仅在需要时扩展到AWS/GKE |
| 使用过时的Action版本(v3或更早版本) | 使用当前主版本:checkout@v6, cache@v5, configure-aws-credentials@v5 |
仅缓存 | Bun 1.2+使用基于文本的 |
| 跳过PR的预览部署 | 每个PR都应生成预览URL,以便合并前进行测试 |
Relationship to Other Skills
与其他技能的关联
If theskill is available, delegate detailed workflow authoring, matrix strategies, and composite actions to it. This skill covers CI/CD architecture and platform selection;github-actionscovers workflow syntax depth. If thegithub-actionsskill is available, delegate deployment pattern selection (blue-green, canary, rolling) to it. This skill covers platform selection and CI pipeline mechanics.deployment-strategy
若技能可用,将详细的工作流编写、矩阵策略及复合Action相关工作委托给该技能。本技能负责CI/CD架构与平台选择;github-actions负责工作流语法的深度实现。 若github-actions技能可用,将部署模式选择(蓝绿部署、金丝雀部署、滚动部署)委托给该技能。本技能负责平台选择与CI流水线机制。deployment-strategy
Delegation
委托事项
- Audit existing CI workflow security and permissions: Use agent to scan workflow YAML files for broad permissions, unpinned actions, and exposed secrets
Explore - Set up multi-environment deployment pipelines: Use agent to create dev/staging/prod workflows with environment protection rules
Task - Plan migration from managed platform to containerized infrastructure: Use agent to evaluate current deployment, define migration steps, and select target architecture
Plan
- 审计现有CI工作流的安全性与权限设置:使用代理扫描工作流YAML文件,检查是否存在宽泛权限、未锁定版本的Action及暴露的密钥
Explore - 搭建多环境部署流水线:使用代理创建带有环境保护规则的开发/预发布/生产环境工作流
Task - 规划从托管平台到容器化基础设施的迁移:使用代理评估当前部署情况、定义迁移步骤并选择目标架构
Plan
References
参考资料
- GitHub Actions workflows, OIDC, matrix builds, and security hardening
- Deployment patterns: Jamstack, serverless, traditional, microservices
- Platform selection framework, database needs, and cost optimization
- Monitoring, observability tiers, and deployment checklists
- Container builds: multi-stage Dockerfiles, layer caching, buildx, image scanning, and registry push
- GitHub Actions工作流、OIDC、矩阵构建及安全强化
- 部署模式:Jamstack、无服务器、传统架构、微服务
- 平台选择框架、数据库需求及成本优化
- 监控、可观测性层级及部署检查清单
- 容器构建:多阶段Dockerfile、层缓存、buildx、镜像扫描及镜像仓库推送