morgandt-reed/cicd-pipeline-templates
CI/CD Pipeline Templates


Production-ready CI/CD pipeline templates for GitHub Actions, covering Docker, Terraform, Python, and Kubernetes deployments.

Overview

This repository contains battle-tested CI/CD templates that implement security scanning, testing, and deployment best practices. Each template is designed to be copied and customized for your specific needs.

Pipeline Templates

| Template   | Description                              | Features                                              |
|------------|------------------------------------------|-------------------------------------------------------|
| Docker     | Build, scan, and push container images   | Multi-arch builds, Trivy scanning, GHCR/DockerHub     |
| Terraform  | Infrastructure as Code pipelines         | Format, validate, plan, apply with state locking      |
| Python     | Python application CI/CD                 | pytest, coverage, linting, PyPI publishing            |
| Kubernetes | K8s deployment pipelines                 | Helm, Kustomize, ArgoCD integration                   |

Architecture

CI/CD Pipeline Flow

flowchart LR
    subgraph Trigger
        Push[Push/PR]
    end

    subgraph CI[Continuous Integration]
        Lint[Lint & Format]
        Test[Test & Coverage]
        Scan[Security Scan]
        Build[Build Artifacts]
    end

    subgraph CD[Continuous Deployment]
        Dev[Dev Environment<br/>Auto Deploy]
        Staging[Staging<br/>Auto Deploy]
        Prod[Production<br/>Manual Approval]
    end

    Push --> Lint --> Test --> Scan --> Build
    Build --> Dev --> Staging --> Prod

    style Lint fill:#2088FF,color:#fff
    style Test fill:#2088FF,color:#fff
    style Scan fill:#e74c3c,color:#fff
    style Build fill:#27ae60,color:#fff
    style Prod fill:#f39c12,color:#fff

Multi-Stack Pipeline Architecture

flowchart TB
    subgraph GitHub Actions
        direction TB
        subgraph Docker Pipeline
            D1[Hadolint] --> D2[Build Image]
            D2 --> D3[Trivy Scan]
            D3 --> D4[Push GHCR]
        end

        subgraph Terraform Pipeline
            T1[fmt + validate] --> T2[tfsec]
            T2 --> T3[Plan]
            T3 --> T4[Apply]
        end

        subgraph Python Pipeline
            P1[Ruff + mypy] --> P2[pytest]
            P2 --> P3[Safety]
            P3 --> P4[PyPI]
        end

        subgraph K8s Pipeline
            K1[Helm Lint] --> K2[Dry Run]
            K2 --> K3[Deploy Dev]
            K3 --> K4[Deploy Prod]
        end
    end

    style D3 fill:#e74c3c,color:#fff
    style T2 fill:#e74c3c,color:#fff
    style P3 fill:#e74c3c,color:#fff

Quick Start

1. Copy the template you need

# For a Docker project
cp -r templates/docker/.github/workflows/* your-project/.github/workflows/

# For a Terraform project
cp -r templates/terraform/.github/workflows/* your-project/.github/workflows/

# For a Python project
cp -r templates/python/.github/workflows/* your-project/.github/workflows/

2. Configure secrets

Add these secrets to your repository (Settings → Secrets → Actions):

| Secret                | Required For | Description               |
|-----------------------|--------------|---------------------------|
| DOCKERHUB_USERNAME    | Docker       | Docker Hub username       |
| DOCKERHUB_TOKEN       | Docker       | Docker Hub access token   |
| AWS_ACCESS_KEY_ID     | Terraform    | AWS credentials           |
| AWS_SECRET_ACCESS_KEY | Terraform    | AWS credentials           |
| PYPI_API_TOKEN        | Python       | PyPI publishing token     |
| KUBECONFIG            | Kubernetes   | Base64 encoded kubeconfig |

3. Customize for your project

Each template includes comments explaining customization options.

Template Details

Docker Pipeline

# Triggers on push to main and PRs
# Features:
# - Multi-stage build optimization
# - Trivy vulnerability scanning
# - Multi-architecture builds (amd64, arm64)
# - Push to GitHub Container Registry
# - Semantic versioning with tags

Workflow stages:

  1. Lint - Dockerfile linting with Hadolint
  2. Build - Multi-stage Docker build
  3. Scan - Trivy security scanning
  4. Push - Push to GHCR/DockerHub
  5. Deploy - Optional deployment trigger
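The Lint, Build, Scan and Push stages as one concrete workflow. This is an added example, not the repository's docker-build.yml: it assumes a Dockerfile at the repository root, uses a throwaway local tag my-app:scan so the image is scanned before anything is pushed, and pins actions to release tags for readability (pin to full commit SHAs in production so a moved tag cannot change what runs).

```yaml
name: Docker Build
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read     # least-privilege GITHUB_TOKEN for this job
      packages: write    # only needed for the GHCR push
    steps:
      - uses: actions/checkout@v4
      # 1. Lint: fail fast on Dockerfile problems before spending time on a build
      - uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      # 2. Build: single-arch image loaded into the runner's daemon so it can be scanned
      - uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          push: false
          tags: my-app:scan
      # 3. Scan: block the pipeline on HIGH/CRITICAL findings that have a fix available
      - uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: my-app:scan
          exit-code: '1'
          severity: HIGH,CRITICAL
          ignore-unfixed: true
      # 4. Push: only after the scan passed, and never from a pull request
      - if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - if: github.event_name != 'pull_request'
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
```

The multi-arch build in step 4 is rebuilt from the buildx cache rather than re-scanned; if you need every architecture scanned, run Trivy per platform on the pushed image digest.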

Terraform Pipeline

# Triggers on push to main and PRs
# Features:
# - Terraform fmt and validate
# - tfsec security scanning
# - Infracost cost estimation
# - Plan output in PR comments
# - Manual apply approval for production

Workflow stages:

  1. Format - Check Terraform formatting
  2. Validate - Syntax validation
  3. Security - tfsec and checkov scanning
  4. Plan - Generate execution plan
  5. Cost - Infracost estimation
  6. Apply - Apply with manual approval
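Stages 1 to 4 and 6 as a two-job workflow (Infracost is left out). This is an added example, not the repository's terraform-plan.yml or terraform-apply.yml: it assumes the configuration lives in terraform/environments/prod (the path Example 2 below uses), that the backend is already configured for state locking, and that a GitHub environment named production exists with required reviewers, which is what turns the apply job into a manual approval.

```yaml
name: Terraform
on:
  pull_request:
    paths: ['terraform/**']
  push:
    branches: [main]
    paths: ['terraform/**']
permissions:
  contents: read
env:
  TF_DIR: terraform/environments/prod        # assumed location of the root module
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      # 1-2. Format and validate fail fast, before any provider call is made
      - run: terraform -chdir=$TF_DIR fmt -check -recursive
      - run: terraform -chdir=$TF_DIR init -input=false
      - run: terraform -chdir=$TF_DIR validate
      # 3. Security scan; without soft_fail any finding fails the job
      - uses: aquasecurity/tfsec-action@v1.0.3
        with:
          working_directory: ${{ env.TF_DIR }}
      # 4. The plan is saved to a file and published so apply runs exactly what was reviewed
      - run: terraform -chdir=$TF_DIR plan -input=false -out=tfplan
      - uses: actions/upload-artifact@v4
        with:
          name: tfplan
          path: ${{ env.TF_DIR }}/tfplan
  apply:
    needs: plan
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production   # required reviewers on this environment = manual approval
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: actions/download-artifact@v4
        with:
          name: tfplan
          path: ${{ env.TF_DIR }}
      - run: terraform -chdir=$TF_DIR init -input=false
      # 6. Apply the saved plan; if state drifted since the plan, terraform refuses instead of re-planning
      - run: terraform -chdir=$TF_DIR apply -input=false tfplan
```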

Python Pipeline

# Triggers on push to main and PRs
# Features:
# - Multi-version Python testing (3.9, 3.10, 3.11)
# - pytest with coverage reporting
# - Ruff linting and formatting
# - Type checking with mypy
# - Dependency scanning with safety
# - PyPI publishing on release

Workflow stages:

  1. Lint - Ruff linting and formatting
  2. Type Check - mypy static analysis
  3. Test - pytest with coverage
  4. Security - safety dependency scan
  5. Build - Build wheel/sdist
  6. Publish - PyPI release
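The six stages as one workflow, with the version matrix from the feature list. This is an added example, not the repository's python-test.yml or python-publish.yml: it assumes a src/ layout, a dev extra that installs test dependencies, a coverage floor of 80% (a constructed value), and a GitHub environment named pypi that holds PYPI_API_TOKEN so the token is only exposed to the publish job.

```yaml
name: Python CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  release:
    types: [published]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false                      # report every version, not just the first failure
      matrix:
        python-version: ['3.9', '3.10', '3.11']
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
          cache: pip
      - run: python -m pip install -e '.[dev]' ruff mypy pytest pytest-cov safety
      # 1. Lint and format check: ruff exits non-zero on any violation or unformatted file
      - run: ruff check . && ruff format --check .
      # 2. Static types
      - run: mypy src
      # 3. Tests; the job fails if total coverage drops below the threshold
      - run: pytest --cov=src --cov-report=xml --cov-fail-under=80
      # 4. Installed dependencies with known vulnerabilities fail the job
      - run: safety check --full-report
  publish:
    needs: test
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    environment: pypi                       # assumed environment scoping the PyPI token
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      # 5. Build wheel and sdist into dist/
      - run: python -m pip install build && python -m build
      # 6. Publish; the action reads the API token from its password input
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
```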

Kubernetes Pipeline

# Triggers on push to main and PRs
# Features:
# - Helm chart linting and testing
# - Kubernetes manifest validation
# - Kustomize build verification
# - Deployment to multiple environments
# - ArgoCD sync support

Workflow stages:

  1. Lint - Helm lint, kubeval
  2. Test - Helm test, dry-run
  3. Build - Package Helm chart
  4. Deploy Dev - Auto-deploy to dev
  5. Deploy Staging - Auto-deploy to staging
  6. Deploy Prod - Manual approval required
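The lint, dry-run and deploy stages with the base64 KUBECONFIG secret from the table above handled correctly. This is an added example, not the repository's helm-test.yml or k8s-deploy.yml: it assumes the chart lives at charts/my-app, deploys to a prod namespace, and relies on a GitHub environment named production with required reviewers for the manual approval; the dev and staging stages are the same deploy job with a different environment and namespace.

```yaml
name: Kubernetes Deploy
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
env:
  CHART: charts/my-app   # assumed chart location
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4
      # 1-2. Lint and render without a cluster, so every PR is checked
      - run: helm lint "$CHART"
      - run: helm template my-app "$CHART" > /dev/null
  deploy:
    needs: lint
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    environment: production    # required reviewers on this environment provide the manual approval
    env:
      NAMESPACE: prod
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4
      # The repository secret is a base64 kubeconfig. Decode it into a 0600 file in the runner's
      # temp dir and point the real KUBECONFIG variable at that path. Do not put the base64 blob
      # into a variable named KUBECONFIG: kubectl and helm expect a file path there.
      - run: |
          umask 077
          printf '%s' "$KUBECONFIG_B64" | base64 -d > "$RUNNER_TEMP/kubeconfig"
          echo "KUBECONFIG=$RUNNER_TEMP/kubeconfig" >> "$GITHUB_ENV"
        env:
          KUBECONFIG_B64: ${{ secrets.KUBECONFIG }}
      # 3. Dry run against the cluster: renders and validates the release, changes nothing
      - run: helm upgrade --install my-app "$CHART" -n "$NAMESPACE" --dry-run
      # 4. Real deploy; --atomic rolls the release back automatically if it never becomes ready
      - run: helm upgrade --install my-app "$CHART" -n "$NAMESPACE" --atomic --wait --timeout 5m
      # Remove the decoded credential even when an earlier step failed
      - if: always()
        run: rm -f "$RUNNER_TEMP/kubeconfig"
```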

Best Practices Implemented

Security

  • Secret scanning - GitHub secret scanning enabled
  • Dependency scanning - Dependabot configured
  • Container scanning - Trivy for vulnerabilities
  • IaC scanning - tfsec, checkov for Terraform
  • SAST - CodeQL for code analysis

Quality

  • Code coverage - Minimum thresholds enforced
  • Linting - Language-specific linters
  • Formatting - Automated code formatting
  • Type checking - Static type analysis

Deployment

  • Environment protection - Required reviewers for production
  • Rollback capability - Easy rollback procedures
  • Canary deployments - Gradual rollout support
  • Feature flags - Integration with feature flag services

Repository Structure

cicd-pipeline-templates/
├── README.md
├── LICENSE
├── .github/
│   └── workflows/
│       └── validate.yml          # Validates all templates
├── templates/
│   ├── docker/
│   │   ├── README.md
│   │   └── .github/workflows/
│   │       ├── docker-build.yml
│   │       └── docker-security.yml
│   ├── terraform/
│   │   ├── README.md
│   │   └── .github/workflows/
│   │       ├── terraform-plan.yml
│   │       └── terraform-apply.yml
│   ├── python/
│   │   ├── README.md
│   │   └── .github/workflows/
│   │       ├── python-test.yml
│   │       └── python-publish.yml
│   └── kubernetes/
│       ├── README.md
│       └── .github/workflows/
│           ├── helm-test.yml
│           └── k8s-deploy.yml
└── examples/
    └── complete-pipeline.yml     # Full example combining templates

Usage Examples

Example 1: Simple Docker Build

name: Docker Build
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  build:
    uses: morgandt-reed/cicd-pipeline-templates/.github/workflows/docker-build.yml@main
    with:
      image-name: my-app
    secrets:
      registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}

Example 2: Terraform with Environments

name: Infrastructure
on:
  push:
    branches: [main]
    paths: ['terraform/**']

jobs:
  plan:
    uses: morgandt-reed/cicd-pipeline-templates/.github/workflows/terraform-plan.yml@main
    with:
      working-directory: terraform/environments/prod
    secrets:
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

Contributing

Contributions are welcome! Please read the contributing guidelines before submitting PRs.

License

MIT License - see LICENSE for details.