# CI/CD Pipeline Overview

Overview of the continuous integration and continuous deployment pipelines.

## Pipeline Architecture
```mermaid
flowchart TD
PR[Pull Request] --> CI[CI: Lint + Tests]
CI --> Review{Code Review}
Review -->|Aprovado| MergeDev[Merge em dev]
MergeDev --> DeployStaging[Deploy Staging]
DeployStaging --> QA[QA Manual]
QA -->|OK| PRProd[PR dev → main]
PRProd --> ReviewProd{Review Prod}
ReviewProd -->|Aprovado| MergeMain[Merge em main]
MergeMain --> DeployProd[Deploy Production]
Hotfix[Hotfix Branch] --> CIHotfix[CI: Lint + Tests]
CIHotfix --> PRMain[PR → main]
PRMain --> FastTrack{Fast Track?}
FastTrack -->|Sim| MergeMain
FastTrack -->|Não| ReviewProd
DeployProd --> SyncDev[Rebase dev com main]
SyncDev --> DeployStaging
```
## Workflows

### 1. CI (Continuous Integration)

Trigger: every PR and every push to dev/main

Steps:
1. Checkout code
2. Set up Python & Node
3. Install dependencies
4. Lint (ruff, black, eslint, prettier)
5. Run tests (pytest, jest)
6. Check coverage
7. Validate SAM templates
8. Security scan (bandit, npm audit)

Duration: ~5-8 minutes

### 2. Deploy to Staging

Trigger: push to the dev branch

Steps:
1. Build SAM application
2. Run database migrations (staging)
3. Deploy to AWS (staging)
4. Run smoke tests
5. Notify team (Slack)

Duration: ~8-12 minutes

### 3. Deploy to Production

Trigger: push to the main branch

Steps:
1. Back up production database
2. Build SAM application
3. Run database migrations (production)
4. Deploy to AWS (production)
5. Create release tag
6. Run smoke tests
7. Notify team (Slack)
8. Roll back on failure

Duration: ~10-15 minutes
## GitHub Environments

### staging

- Approval: none (automatic deploy)
- URL: https://staging.seuapp.com
- Secrets:
  - STAGING_DATABASE_URL
  - AWS_STAGING_ROLE_ARN

### production

- Approval: optional (required reviewers can be configured)
- URL: https://seuapp.com
- Secrets:
  - PROD_DATABASE_URL
  - AWS_PROD_ROLE_ARN
  - SLACK_WEBHOOK
## Secrets Management

### GitHub Secrets

Configure in GitHub: Settings → Secrets → Actions

Required:
- AWS_ACCOUNT_ID - AWS account ID
- AWS_REGION - AWS region (us-east-1)
- STAGING_DATABASE_URL - staging connection string
- PROD_DATABASE_URL - production connection string

Optional:
- SLACK_WEBHOOK - for notifications
- CODECOV_TOKEN - for coverage upload
### OIDC Authentication (Recommended)

Use OIDC instead of access keys stored as secrets:
- Create an IAM role for GitHub Actions
- Configure its trust policy so that only this repository's workflows can assume it
- Use aws-actions/configure-aws-credentials@v4 to exchange the workflow's OIDC token for temporary credentials
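The trust policy is where the security of the OIDC setup is decided: it must pin the token's `sub` claim to this repository and deployment environment, otherwise any GitHub workflow (a fork, another repo, a feature branch) could assume the role. The script below is an added example, not part of this project; it builds such a trust policy and uses a simplified model of IAM condition evaluation (StringEquals and StringLike only) to show which tokens would be accepted. The account ID and repository name are constructed placeholders.

```python
import fnmatch
import json

# Constructed placeholder values, not taken from this project.
ACCOUNT_ID = "123456789012"
REPO = "your-org/your-app"
OIDC = "token.actions.githubusercontent.com"


def trust_policy(account_id: str, repo: str, environment: str) -> dict:
    """Trust policy for the role a deploy workflow assumes via OIDC.

    Only jobs of `repo` running under the named GitHub environment can
    assume the role; tokens from forks, other repos or plain branch
    pushes carry a different `sub` and are rejected by STS.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    f"{OIDC}:aud": "sts.amazonaws.com",
                    f"{OIDC}:sub": f"repo:{repo}:environment:{environment}",
                },
            },
        }],
    }


def subject_allowed(policy: dict, claims: dict) -> bool:
    """Simplified model of STS evaluating the Condition block against the
    OIDC token claims: every StringEquals key must match exactly and every
    StringLike key must glob-match. Real IAM supports more operators."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        equals_ok = all(claims.get(k) == v for k, v in cond.get("StringEquals", {}).items())
        like_ok = all(fnmatch.fnmatchcase(claims.get(k, ""), v)
                      for k, v in cond.get("StringLike", {}).items())
        if stmt["Effect"] == "Allow" and equals_ok and like_ok:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy(ACCOUNT_ID, REPO, "production"), indent=2))
```

Pair this role with `permissions: id-token: write` and `environment: production` on the deploy job so that the workflow's token actually carries the `environment:production` subject the policy expects.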
## Quality Gates

### Must Pass (blocks merge)

- ✅ All tests pass
- ✅ Coverage >= threshold
- ✅ Linter reports no errors
- ✅ Security scan reports no critical issues
- ✅ SAM template is valid

### Warnings (do not block)

- ⚠️ Coverage decreased
- ⚠️ Slow tests
- ⚠️ Outdated dependencies
## Rollback

In case of a failure in production:

```bash
# Automatic rollback if the deploy fails
# Or manual rollback if a bug is discovered later:
# 1. Revert the PR
git revert <commit-hash>
git push origin main
# 2. Or ship a hotfix
# See [Rollback Procedure](../runbooks/rollback-procedure.md)
```
## Monitoring

- CloudWatch for deploy logs
- GitHub Actions UI for status
- Slack for notifications
- Deployment frequency and MTTR metrics

## Metrics (DORA)

Tracking of DORA metrics:
- Deployment Frequency: how many times we deploy per week
- Lead Time for Changes: time from commit to production
- Time to Restore Service: time to recover from a failure
- Change Failure Rate: % of deploys that cause problems

## Next Steps

- GitHub Actions - detailed workflows
- Deployment Process - step-by-step process
- Rollback Procedure - how to revert deploys