Warning
🚧 Work in Progress: This page is currently under construction. Content may be incomplete or subject to change. To contribute, see the contribution guide.
# GitHub Actions

## Standard pipeline structure

Every repository should have a CI/CD pipeline with the following stages:
```yaml
# .github/workflows/ci-cd.yml
name: CI/CD

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  # ── Stage 1: Quality gate ──────────────────────────────────────────
  lint-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install dependencies
        run: pip install -r requirements.txt
      - name: Lint
        run: ruff check .
      - name: Run tests
        run: pytest tests/ --cov=src --cov-report=xml

  # ── Stage 2: Build ────────────────────────────────────────────────
  build:
    needs: lint-and-test
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
      # Authenticate with the GCP_SA_KEY secret so the image can be pushed
      - name: Authenticate to GCP
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}
      - uses: google-github-actions/setup-gcloud@v2
      - name: Build and push Docker image
        run: |
          gcloud auth configure-docker --quiet
          docker build -t gcr.io/${{ secrets.GCP_PROJECT }}/my-service:${{ github.sha }} .
          docker push gcr.io/${{ secrets.GCP_PROJECT }}/my-service:${{ github.sha }}

  # ── Stage 3: Deploy to staging ────────────────────────────────────
  deploy-staging:
    needs: build
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    environment: staging
    steps:
      - name: Authenticate to GCP
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}
      - uses: google-github-actions/setup-gcloud@v2
      - name: Deploy to Cloud Run (staging)
        run: |
          gcloud run deploy my-service \
            --image gcr.io/${{ secrets.GCP_PROJECT }}/my-service:${{ github.sha }} \
            --region us-east1 \
            --project ${{ secrets.GCP_PROJECT_STAGING }}

  # ── Stage 4: Deploy to production (manual approval) ───────────────
  deploy-production:
    needs: deploy-staging
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    environment: production  # requires manual approval in GitHub Environments
    steps:
      - name: Authenticate to GCP
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}
      - uses: google-github-actions/setup-gcloud@v2
      - name: Deploy to Cloud Run (production)
        run: |
          gcloud run deploy my-service \
            --image gcr.io/${{ secrets.GCP_PROJECT }}/my-service:${{ github.sha }} \
            --region us-east1 \
            --project ${{ secrets.GCP_PROJECT_PROD }}
```

## Required GitHub Secrets
Every repository must have the following secrets configured:

| Secret | Description | Where to set |
|---|---|---|
| GCP_PROJECT_STAGING | GCP project ID for staging | Repository secrets |
| GCP_PROJECT_PROD | GCP project ID for production | Repository secrets |
| GCP_SA_KEY | GCP service account key (JSON) | Repository secrets |
| AZURE_STATIC_WEB_APPS_API_TOKEN | Azure SWA deploy token (for portals) | Repository secrets |
## GitHub Environments

Production deployments must use GitHub Environments with required reviewers configured:

- Environment `staging`: auto-deploy on merge to `main`
- Environment `production`: requires manual approval from squad lead
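The pipeline structure, the required-secrets table and the environment rules above are all things a reviewer can check mechanically before a workflow is merged. The following is an added example, not tooling from this page or the project: a standard-library-only policy check that reads a workflow file and reports actions not pinned to a release tag or commit SHA, references to secrets outside the documented set, and a `deploy-production` job that is missing the approval-gated `environment: production` or does not depend on `deploy-staging`. It scans lines with regular expressions rather than a YAML parser, so job detection assumes the two-space indentation style used in the page's workflow; the sample workflow embedded at the bottom is constructed and carries three deliberate violations.

```python
"""Static policy check for a GitHub Actions workflow against this page's standard.

Added example (not the page's or the project's own tooling). Line-based regex
scanning keeps it dependency-free; it assumes jobs are two-space-indented keys
under `jobs:` as in the page's workflow.
"""
from __future__ import annotations

import re

# Secrets documented in the page's "Required GitHub Secrets" table.
DOCUMENTED_SECRETS = {
    "GCP_PROJECT_STAGING",
    "GCP_PROJECT_PROD",
    "GCP_SA_KEY",
    "AZURE_STATIC_WEB_APPS_API_TOKEN",
}

JOB_RE = re.compile(r"^  ([\w-]+):\s*$")          # job key: exactly two spaces deep
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)(?:@(\S+))?")
ENV_RE = re.compile(r"^\s*environment:\s*([\w-]+)")
NEEDS_RE = re.compile(r"^\s*needs:\s*([\w-]+)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
TAG_RE = re.compile(r"^v\d+(\.\d+)*$")            # release tag such as v4 or v0.8.0
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA


def check_workflow(text: str) -> list[str]:
    """Return policy findings for the workflow text; an empty list means clean."""
    findings: list[str] = []
    jobs: dict[str, dict] = {}
    job = None
    in_jobs = False
    reported_secrets: set[str] = set()

    for line in text.splitlines():
        if line.strip() == "jobs:":
            in_jobs = True
            continue
        if in_jobs and (m := JOB_RE.match(line)):
            job = m.group(1)
            jobs[job] = {"environment": None, "needs": None}
            continue
        if job is None:          # still in the header (name:, on:, ...)
            continue
        if m := USES_RE.match(line):
            action, ref = m.group(1), m.group(2)
            if ref is None or not (TAG_RE.match(ref) or SHA_RE.match(ref)):
                shown = f"{action}@{ref}" if ref else action
                findings.append(f"{job}: action '{shown}' is not pinned to a release tag or commit SHA")
        if m := ENV_RE.match(line):
            jobs[job]["environment"] = m.group(1)
        if m := NEEDS_RE.match(line):
            jobs[job]["needs"] = m.group(1)
        for name in SECRET_RE.findall(line):
            if name not in DOCUMENTED_SECRETS and name not in reported_secrets:
                reported_secrets.add(name)
                findings.append(f"{job}: secret '{name}' is referenced but not in the documented required set")

    prod = jobs.get("deploy-production")
    if prod is not None:
        if prod["environment"] != "production":
            findings.append("deploy-production: missing 'environment: production', so no required-reviewer approval gates the deploy")
        if prod["needs"] != "deploy-staging":
            findings.append("deploy-production: must depend on deploy-staging (needs: deploy-staging)")
    return findings


# Constructed sample (abridged from the page's shape) with three deliberate
# violations: a branch-pinned action, an undocumented secret, and a production
# job without the approval-gated environment.
SAMPLE_WORKFLOW = """\
name: CI/CD
on:
  push:
    branches: [main]
jobs:
  lint-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - run: pytest tests/
  deploy-staging:
    needs: lint-and-test
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - run: gcloud run deploy my-service --project ${{ secrets.GCP_PROJECT_STAGING }}
  deploy-production:
    needs: deploy-staging
    runs-on: ubuntu-latest
    steps:
      - run: gcloud run deploy my-service --project ${{ secrets.GCP_PROJECT }}
"""

if __name__ == "__main__":
    for finding in check_workflow(SAMPLE_WORKFLOW):
        print("FAIL:", finding)
```

Run against the sample it prints the three findings; run against the page's own workflow it would flag `GCP_PROJECT` as undocumented, which is exactly the kind of drift between the secrets table and the pipeline that such a check exists to catch. Accepting release tags as "pinned" matches what the page shows; a stricter policy would accept only full commit SHAs, since tags can be moved.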
## Portal-specific pipeline (MkDocs)

For this documentation portal, see the setup guide in the patria-tech-docs repository.
## Notifications

Configure pipeline failure notifications to the squad’s Teams channel by adding this step to the job (it only runs when an earlier step has failed):

```yaml
      - name: Notify Teams on failure
        if: failure()
        uses: aliencube/microsoft-teams-actions@v0.8.0
        with:
          webhook_uri: ${{ secrets.TEAMS_WEBHOOK }}
          title: "❌ Pipeline failed"
          summary: "Repository: ${{ github.repository }} | Branch: ${{ github.ref }}"
```