--- name: deployment-engineer type: workflow description: "Designs and implements CI/CD pipelines, GitOps workflows, and deployment automation. Use when building or improving CI/CD pipelines, containerization, or release automation." effort: 3 allowed-tools: Read, Glob, Grep, Write, Edit, Bash argument-hint: "[environment: dev|staging|prod]" user-invocable: true when_to_use: "When designing or improving CI/CD pipelines, implementing GitOps workflows, or automating deployments" --- # Deployment Engineer Designs and implements CI/CD pipelines, GitOps workflows, container build strategies, and release automation with progressive delivery. ## When to Use - Designing or improving CI/CD pipelines and release workflows - Implementing GitOps or progressive delivery patterns - Automating deployments with zero-downtime requirements - Integrating security scanning into deployment flows ## When NOT to Use - Executing a deployment (use deployment-procedures instead) - Simple dev setup without pipeline changes - Infrastructure architecture decisions (use backend-architect or cloud-architect) --- ## Workflow ### 1. Gather Requirements Ask before designing: - Target environments (dev/staging/prod)? - Current CI/CD platform (GitHub Actions, GitLab CI, Azure DevOps, Jenkins)? - Container strategy (Docker, Podman, buildpacks)? - Zero-downtime requirement? Database migrations involved? - Compliance requirements (SOX, PCI-DSS, HIPAA)? - Team prefers GitOps (declarative) or imperative deployment? ### 2. Design Pipeline Stages Standard pipeline structure: \`\`\` [Build] -> [Test] -> [Security Scan] -> [Package] -> [Deploy Staging] -> [Integration Test] -> [Approval] -> [Deploy Prod] -> [Verify] \`\`\` Design each stage: | Stage | Actions | Failure Policy | |-------|---------|----------------| | Build | Compile, lint, type-check | Block | | Test | Unit + integration tests | Block | | Security | SAST, dependency scan, container scan | Block on Critical/High | | Package | Docker build, push to registry, sign image | Block | | Deploy Staging | Apply manifests/Helm, run smoke tests | Block | | Integration Test | E2E tests, performance baseline | Block | | Approval | Manual gate for production | Require approval | | Deploy Prod | Progressive rollout | Auto-rollback on failure | | Verify | Health checks, metrics validation | Auto-rollback | ### 3. Implement Container Strategy Dockerfile best practices: \`\`\`dockerfile # Multi-stage build FROM node:20-alpine AS builder WORKDIR /app COPY package*.json ./ RUN npm ci --only=production FROM gcr.io/distroless/nodejs20-debian12 COPY --from=builder /app /app USER nonroot CMD ["app/index.js"] \`\`\` Checklist: - Multi-stage build to minimize image size - Distroless or minimal base image - Non-root user - No secrets in image layers - .dockerignore excludes unnecessary files - Image scanning in pipeline (Trivy, Grype) - Image signing (Cosign/Sigstore) ### 4. Configure Deployment Strategy Choose based on requirements: | Strategy | Zero-downtime | Rollback Speed | Resource Cost | Use When | |----------|---------------|----------------|---------------|----------| | Rolling Update | Yes | Slow (redeploy) | Low | Default for most services | | Blue/Green | Yes | Instant (switch) | 2x | Critical services, DB-independent | | Canary | Yes | Fast (shift) | 1.1x | High-traffic, need real-user validation | | A/B Testing | Yes | Fast | 1.1x | Feature experiments | For Kubernetes, implement with: - Rolling: native Deployment strategy - Canary: Argo Rollouts or Flagger - Blue/Green: Argo Rollouts with previewService ### 5. Implement GitOps (if applicable) Repository structure: \`\`\` app-repo/ # Application source code + Dockerfile env-repo/ # Environment configs (Kustomize overlays / Helm values) base/ # Base manifests overlays/ dev/ # Dev-specific values staging/ # Staging-specific values prod/ # Production-specific values \`\`\` Tools: - ArgoCD or Flux v2 for continuous deployment - Kustomize or Helm for environment-specific configuration - External Secrets Operator for secret management - Sealed Secrets as alternative ### 6. Integrate Security Pipeline security stages: - SAST: CodeQL, Semgrep, SonarQube - Dependency scanning: Snyk, Dependabot, npm audit - Container scanning: Trivy, Grype - Secret scanning: GitLeaks, TruffleHog - SBOM generation: Syft - Image signing: Cosign Policy enforcement: - OPA/Gatekeeper for admission control - Only signed images in production - No Critical/High vulnerabilities pass gates ### 7. Add Observability Deployment metrics to track (DORA): - Deployment frequency - Lead time for changes - Change failure rate - Mean time to recovery (MTTR) Implementation: - Pipeline notifications (Slack, Teams, email) - Deployment markers in APM (Datadog, New Relic) - Health check endpoints for readiness/liveness - Synthetic monitoring post-deployment ### 8. Create Rollback Plan Automated rollback triggers: - Health check failures after deployment - Error rate spike above threshold - Latency regression beyond SLO - Manual rollback command Rollback procedure: \`\`\`bash # Kubernetes rollback kubectl rollout undo deployment/ -n # ArgoCD rollback argocd app rollback \`\`\` --- ## Output Deliver: - Pipeline configuration file (GitHub Actions / GitLab CI / etc.) - Dockerfile with multi-stage build and security hardening - Deployment strategy selection with justification - GitOps repository structure (if applicable) - Security scanning configuration - Rollback runbook - Monitoring dashboard requirements --- ## Quality Gates Before marking pipeline as complete: - All pipeline stages pass on a test commit - Security scan catches intentional vulnerability in test - Rollback tested successfully - Pipeline runs under 10 minutes for CI (excluding deploy) - Secrets properly managed (not in code, not in logs) - Documentation covers troubleshooting common failures