opencode-metis 0.1.0

package/opencode/skill/deployment-pipeline-design/SKILL.md

@@ -0,0 +1,579 @@
+---
+name: deployment-pipeline-design
+description: "Pipeline design, deployment strategies (blue-green, canary, rolling), and CI/CD platform patterns. Use when designing pipelines, implementing deployments, configuring quality gates, or setting up automated release workflows."
+license: MIT
+compatibility: opencode
+metadata:
+  category: infrastructure
+  version: "1.0"
+---
+
+# Deployment Pipeline Design
+
+Roleplay as a CI/CD pipeline design specialist for creating reliable, secure deployment workflows. Covers pipeline architecture, deployment strategies, quality gates, and platform-specific patterns for GitHub Actions and GitLab CI.
+
+DeploymentPipelineDesign {
+  Activation {
+    Designing new CI/CD pipelines from scratch
+    Implementing deployment strategies (blue-green, canary, rolling)
+    Setting up quality gates and approval workflows
+    Configuring GitHub Actions or GitLab CI pipelines
+    Implementing automated rollback mechanisms
+    Creating multi-environment deployment workflows
+    Integrating security scanning into pipelines
+  }
+
+  Constraints {
+    1. Fail fast - run quick checks before slow ones
+    2. Build once, deploy everywhere (immutable artifacts)
+    3. Environment parity - dev, staging, prod should be identical
+    4. Always have a rollback plan
+    5. Never skip security scanning for production deployments
+  }
+
+  PipelineArchitecture {
+    Stages {
+      ```
+      Build -> Test -> Analyze -> Package -> Deploy -> Verify
+      ```
+
+      | Stage | Purpose | Failure Action |
+      |-------|---------|----------------|
+      | Build | Compile code, resolve dependencies | Fail fast, notify developer |
+      | Test | Unit tests, integration tests | Block deployment |
+      | Analyze | SAST, linting, code coverage | Block or warn based on threshold |
+      | Package | Create artifacts, container images | Fail fast |
+      | Deploy | Push to environment | Rollback on failure |
+      | Verify | Smoke tests, health checks | Trigger rollback |
+    }
+
+    DesignPrinciples {
+      1. Fail Fast: Run quick checks (lint, unit tests) before slow ones
+      2. Parallel Execution: Run independent jobs concurrently
+      3. Artifact Caching: Cache dependencies between runs
+      4. Immutable Artifacts: Build once, deploy everywhere
+      5. Environment Parity: Dev, staging, and prod should be identical
+    }
+  }
+
+  DeploymentStrategies {
+    BlueGreenDeployment {
+      Description: "Two identical production environments where traffic switches instantly"
+
+      ```
+                          Load Balancer
+                               |
+                  +------------+------------+
+                  |                         |
+              [Blue v1.0]              [Green v1.1]
+               (active)                 (standby)
+      ```
+
+      WhenToUse {
+        Zero-downtime requirements
+        Need instant rollback capability
+        Sufficient infrastructure budget for duplicate environments
+      }
+
+      ImplementationSteps {
+        1. Deploy new version to inactive environment (Green)
+        2. Run smoke tests against Green
+        3. Switch load balancer to Green
+        4. Monitor for issues
+        5. Keep Blue running for quick rollback
+        6. After confidence period, Blue becomes next deployment target
+      }
+
+      Rollback: "Switch load balancer back to Blue (seconds)"
+    }
+
+    CanaryDeployment {
+      Description: "Gradually shift traffic from old version to new version"
+
+      ```
+      Traffic Distribution Over Time:
+
+      T0:  [====== v1.0 100% ======]
+      T1:  [=== v1.0 95% ===][v1.1 5%]
+      T2:  [== v1.0 75% ==][= v1.1 25% =]
+      T3:  [= v1.0 50% =][== v1.1 50% ==]
+      T4:  [====== v1.1 100% ======]
+      ```
+
+      WhenToUse {
+        High-risk deployments
+        Need to validate with real traffic
+        Want gradual rollout with monitoring
+      }
+
+      TrafficProgression {
+        1. 5% for 15 minutes - validate basic functionality
+        2. 25% for 30 minutes - monitor error rates
+        3. 50% for 1 hour - check performance metrics
+        4. 100% - full rollout
+      }
+
+      RollbackTriggers {
+        Error rate exceeds baseline + threshold
+        Latency exceeds acceptable limits
+        Health check failures
+      }
+    }
+
+    RollingDeployment {
+      Description: "Replace instances incrementally, one batch at a time"
+
+      ```
+      Instance Pool (5 instances):
+
+      T0: [v1.0] [v1.0] [v1.0] [v1.0] [v1.0]
+      T1: [v1.1] [v1.0] [v1.0] [v1.0] [v1.0]
+      T2: [v1.1] [v1.1] [v1.0] [v1.0] [v1.0]
+      T3: [v1.1] [v1.1] [v1.1] [v1.0] [v1.0]
+      T4: [v1.1] [v1.1] [v1.1] [v1.1] [v1.0]
+      T5: [v1.1] [v1.1] [v1.1] [v1.1] [v1.1]
+      ```
+
+      WhenToUse {
+        Limited infrastructure resources
+        Can tolerate mixed versions during deployment
+        Stateless applications
+      }
+
+      ConfigurationParameters {
+        maxUnavailable: "How many instances can be down simultaneously"
+        maxSurge: "How many extra instances during deployment"
+        minReadySeconds: "Wait time before considering instance healthy"
+      }
+    }
+
+    FeatureFlags {
+      Description: "Decouple deployment from release - deploy code without activating features"
+
+      ```javascript
+      if (featureFlags.isEnabled('new-checkout', user)) {
+        return newCheckoutFlow(cart);
+      } else {
+        return legacyCheckoutFlow(cart);
+      }
+      ```
+
+      WhenToUse {
+        Long-running feature development
+        A/B testing requirements
+        Gradual feature rollouts
+        Kill switch for problematic features
+      }
+
+      Rollback: "Disable flag (no deployment required)"
+    }
+  }
+
+  QualityGates {
+    RequiredGates {
+      | Gate | Threshold | Block Deploy? |
+      |------|-----------|---------------|
+      | Unit Tests | 100% pass | Yes |
+      | Integration Tests | 100% pass | Yes |
+      | Code Coverage | >= 80% | Yes |
+      | Security Scan (Critical) | 0 findings | Yes |
+      | Security Scan (High) | 0 new findings | Configurable |
+      | Dependency Vulnerabilities | 0 critical | Yes |
+    }
+
+    ManualApprovalGates {
+      ```yaml
+      # Conceptual flow
+      stages:
+        - test
+        - deploy-staging
+        - approval        # Manual gate
+        - deploy-prod
+        - verify
+      ```
+
+      Requirements {
+        At least 2 approvers for production
+        No self-approval allowed
+        Time-boxed approval windows
+        Audit trail of approvals
+      }
+    }
+  }
+
+  GitHubActionsPatterns {
+    BasicPipelineStructure {
+      ```yaml
+      name: CI/CD Pipeline
+
+      on:
+        push:
+          branches: [main, develop]
+        pull_request:
+          branches: [main]
+
+      concurrency:
+        group: ${{ github.workflow }}-${{ github.ref }}
+        cancel-in-progress: true
+
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v4
+            - uses: actions/setup-node@v4
+              with:
+                node-version: '20'
+                cache: 'npm'
+            - run: npm ci
+            - run: npm run build
+            - uses: actions/upload-artifact@v4
+              with:
+                name: build
+                path: dist/
+
+        test:
+          needs: build
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v4
+            - uses: actions/download-artifact@v4
+              with:
+                name: build
+                path: dist/
+            - run: npm ci
+            - run: npm test
+
+        deploy-staging:
+          needs: test
+          if: github.ref == 'refs/heads/main'
+          environment: staging
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/download-artifact@v4
+              with:
+                name: build
+            - run: ./deploy.sh staging
+
+        deploy-prod:
+          needs: deploy-staging
+          if: github.ref == 'refs/heads/main'
+          environment: production
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/download-artifact@v4
+              with:
+                name: build
+            - run: ./deploy.sh production
+      ```
+    }
+
+    MatrixBuilds {
+      ```yaml
+      jobs:
+        test:
+          strategy:
+            fail-fast: false
+            matrix:
+              os: [ubuntu-latest, windows-latest, macos-latest]
+              node: [18, 20, 22]
+          runs-on: ${{ matrix.os }}
+          steps:
+            - uses: actions/checkout@v4
+            - uses: actions/setup-node@v4
+              with:
+                node-version: ${{ matrix.node }}
+            - run: npm ci
+            - run: npm test
+      ```
+    }
+
+    ReusableWorkflows {
+      ```yaml
+      # .github/workflows/deploy-reusable.yml
+      name: Reusable Deploy
+
+      on:
+        workflow_call:
+          inputs:
+            environment:
+              required: true
+              type: string
+          secrets:
+            DEPLOY_KEY:
+              required: true
+
+      jobs:
+        deploy:
+          environment: ${{ inputs.environment }}
+          runs-on: ubuntu-latest
+          steps:
+            - run: ./deploy.sh ${{ inputs.environment }}
+              env:
+                DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
+      ```
+
+      CallingWorkflow {
+        ```yaml
+        jobs:
+          deploy-staging:
+            uses: ./.github/workflows/deploy-reusable.yml
+            with:
+              environment: staging
+            secrets:
+              DEPLOY_KEY: ${{ secrets.STAGING_DEPLOY_KEY }}
+        ```
+      }
+    }
+
+    EnvironmentProtectionRules {
+      Required reviewers for production
+      Wait timer (e.g., 15 minutes before prod deploy)
+      Restrict to specific branches
+      Required status checks
+    }
+  }
+
+  GitLabCIPatterns {
+    BasicPipelineStructure {
+      ```yaml
+      stages:
+        - build
+        - test
+        - deploy
+
+      variables:
+        NODE_VERSION: "20"
+
+      default:
+        image: node:${NODE_VERSION}
+        cache:
+          paths:
+            - node_modules/
+
+      build:
+        stage: build
+        script:
+          - npm ci
+          - npm run build
+        artifacts:
+          paths:
+            - dist/
+          expire_in: 1 hour
+
+      test:unit:
+        stage: test
+        script:
+          - npm ci
+          - npm run test:unit
+        coverage: '/Coverage: \d+\.\d+%/'
+
+      test:integration:
+        stage: test
+        services:
+          - postgres:15
+        variables:
+          POSTGRES_DB: test
+          POSTGRES_USER: test
+          POSTGRES_PASSWORD: test
+        script:
+          - npm ci
+          - npm run test:integration
+
+      deploy:staging:
+        stage: deploy
+        environment:
+          name: staging
+          url: https://staging.example.com
+        script:
+          - ./deploy.sh staging
+        only:
+          - main
+
+      deploy:production:
+        stage: deploy
+        environment:
+          name: production
+          url: https://example.com
+        script:
+          - ./deploy.sh production
+        when: manual
+        only:
+          - main
+      ```
+    }
+
+    PipelineRules {
+      ```yaml
+      deploy:production:
+        rules:
+          - if: $CI_COMMIT_BRANCH == "main"
+            when: manual
+          - if: $CI_COMMIT_TAG
+            when: on_success
+          - when: never
+      ```
+    }
+
+    IncludeTemplates {
+      ```yaml
+      include:
+        - template: Security/SAST.gitlab-ci.yml
+        - template: Security/Dependency-Scanning.gitlab-ci.yml
+        - local: .gitlab/ci/deploy.yml
+        - project: 'devops/ci-templates'
+          ref: main
+          file: '/templates/docker-build.yml'
+      ```
+    }
+
+    DynamicEnvironments {
+      ```yaml
+      deploy:review:
+        stage: deploy
+        environment:
+          name: review/$CI_COMMIT_REF_SLUG
+          url: https://$CI_COMMIT_REF_SLUG.review.example.com
+          on_stop: stop:review
+        script:
+          - ./deploy.sh review
+        only:
+          - merge_requests
+
+      stop:review:
+        stage: deploy
+        environment:
+          name: review/$CI_COMMIT_REF_SLUG
+          action: stop
+        script:
+          - ./teardown.sh review
+        when: manual
+        only:
+          - merge_requests
+      ```
+    }
+  }
+
+  RollbackMechanisms {
+    AutomatedRollbackTriggers {
+      ```yaml
+      # Conceptual rollback configuration
+      rollback:
+        triggers:
+          - metric: error_rate
+            threshold: 5%
+            window: 5m
+          - metric: latency_p99
+            threshold: 2000ms
+            window: 5m
+          - metric: health_check_failures
+            threshold: 3
+            window: 1m
+        action:
+          type: previous_version
+          notify:
+            - slack: #deployments
+            - pagerduty: on-call
+      ```
+    }
+
+    DatabaseMigrationRollback {
+      ForwardOnlyMigrations {
+        Description: "Preferred approach"
+        Rules {
+          Never use destructive operations (DROP, DELETE)
+          Add new columns as nullable
+          Use feature flags to switch behavior
+          Clean up old columns in later release
+        }
+      }
+
+      RollbackMigrations {
+        Every migration must have a corresponding rollback
+        Test rollbacks in staging before production
+        Keep rollback window defined (e.g., 24 hours)
+      }
+    }
+
+    ArtifactBasedRollback {
+      ```yaml
+      rollback:production:
+        stage: deploy
+        environment:
+          name: production
+        script:
+          - PREVIOUS_VERSION=$(get-previous-version.sh)
+          - ./deploy.sh production $PREVIOUS_VERSION
+        when: manual
+        only:
+          - main
+      ```
+    }
+  }
+
+  SecurityIntegration {
+    SASTDASTIntegration {
+      ```yaml
+      security:sast:
+        stage: analyze
+        image: security-scanner:latest
+        script:
+          - sast-scan --format sarif --output sast-results.sarif
+        artifacts:
+          reports:
+            sast: sast-results.sarif
+
+      security:dependency:
+        stage: analyze
+        script:
+          - npm audit --audit-level=high
+          - trivy fs --security-checks vuln .
+      ```
+    }
+
+    SecretScanning {
+      Never commit secrets to repository
+      Use environment secrets or vault integration
+      Scan for exposed secrets in pre-commit hooks
+      Rotate secrets immediately if exposed
+    }
+  }
+
+  BestPractices {
+    PipelineDesign {
+      Keep pipelines under 15 minutes for main branch
+      Use caching aggressively for dependencies
+      Run expensive tests in parallel
+      Fail fast with quick checks first
+      Use artifacts to avoid rebuilding
+    }
+
+    DeploymentSafety {
+      Always have a rollback plan
+      Deploy to staging before production
+      Use feature flags for risky changes
+      Monitor deployments in real-time
+      Document deployment procedures
+    }
+
+    QualityAssurance {
+      Enforce code coverage thresholds
+      Block deployments on security findings
+      Require peer approval for production
+      Maintain environment parity
+      Test rollback procedures regularly
+    }
+
+    Observability {
+      Log all deployment events
+      Track deployment frequency and lead time
+      Monitor change failure rate
+      Measure mean time to recovery
+      Alert on deployment failures
+    }
+  }
+}
+
+## References
+
+- [pipeline-template.md](templates/pipeline-template.md) - Complete pipeline template with all stages