Chapter 12 · Operate
CI/CD
Automate quality and deployment. The existing workflow lints, compiles, tests, and scans for secrets. The recommended production pipeline adds schema and infrastructure validation, image builds, deployment gates, and post-deploy smoke tests.
🎯 What you'll be able to do
- Understand what the existing CI workflow runs
- Design a production pipeline with deployment gates
- Explain why GitHub Actions OIDC beats long-lived Azure secrets
The existing workflow
.github/workflows/ci.yml runs, on each change:
- checkout
- Python setup
- install the package with dev dependencies
- ruff lint
- compileall syntax check
- pytest
- gitleaks secret scan
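The list above maps onto a GitHub Actions workflow like the following. This is an added illustration, not the project's actual `.github/workflows/ci.yml`: the Python version, the `[dev]` extra, and the action versions are assumptions, and `gitleaks-action` is given a full clone (`fetch-depth: 0`) so it scans the whole history rather than the single merge commit a default checkout provides.

```yaml
# Added example of a CI workflow with the steps listed above.
# Not the project's own ci.yml; versions and paths are assumptions.
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Read-only token by default; no job here needs to write to the repo.
permissions:
  contents: read

jobs:
  quality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so the secret scan covers every commit

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"  # assumed

      - name: Install package with dev dependencies
        run: pip install -e ".[dev]"   # assumes a [dev] extra in pyproject.toml

      - name: Lint
        run: ruff check .

      - name: Syntax check
        run: python -m compileall -q .

      - name: Tests
        run: pytest

      - name: Secret scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # used by the action to annotate findings
```

Because `permissions` is set explicitly, the automatic `GITHUB_TOKEN` this workflow receives cannot push code or publish packages even if a dependency or action in the job is compromised.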
Recommended production pipeline
[Pipeline diagram not included in this extract. Per the chapter summary, the stages are: connector-schema and Bicep validation → Docker build → deploy to dev via OIDC → smoke tests → manual approval → deploy to prod.]
Production note
The two highest-value additions over basic CI are connector-schema validation (catches a broken MCP connector before users do) and post-deploy smoke tests (catches a bad deploy automatically).
Use OIDC, not stored secrets
Security
Use GitHub Actions OIDC for Azure deployment instead of storing Azure credentials as long-lived secrets. With OIDC, each workflow run requests a short-lived, workload-scoped token at run time and exchanges it for Azure access, so there is no standing secret to leak or rotate. This is the same principle the rest of the design follows: avoid standing credentials.
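The following deployment workflow is an added example that puts the recommended pipeline and the OIDC advice together; it is not code from the project. It assumes the app runs on Azure Container Apps, that Bicep lives under `infra/`, that a `scripts/validate_connector_schema.py` validator exists (hypothetical), and that `/healthz` is the smoke-test endpoint. The only "secrets" the Azure login needs are the client, tenant and subscription IDs, which are identifiers rather than credentials and can be stored as repository variables.

```yaml
# Added example: validation gates, image build, OIDC deploy to dev, smoke test,
# manual approval, then prod. Not the project's own workflow; names and paths
# (Container Apps, infra/main.bicep, the validator script, hostnames) are assumed.
name: Deploy

on:
  push:
    branches: [main]

# id-token: write lets the job request a GitHub OIDC token. No Azure client
# secret or certificate is stored anywhere in the repository.
permissions:
  id-token: write
  contents: read
  packages: write

env:
  IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -e ".[dev]"
      - name: Validate MCP connector schema
        run: python scripts/validate_connector_schema.py   # hypothetical validator
      - name: Validate Bicep templates
        run: az bicep build --file infra/main.bicep         # path assumed

  build:
    needs: validate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v6
        with:
          push: true
          tags: ${{ env.IMAGE }}

  deploy-dev:
    needs: build
    runs-on: ubuntu-latest
    environment: dev
    steps:
      # Exchanges the run's OIDC token for a short-lived Azure token via the
      # federated credential configured on the Azure app registration.
      - uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
      - name: Deploy image to dev
        run: az containerapp update --name app-dev --resource-group rg-dev --image "$IMAGE"
      - name: Smoke test
        run: curl --fail --silent --show-error --retry 5 --retry-delay 10 --retry-connrefused \
               https://dev.example.invalid/healthz   # hostname assumed

  deploy-prod:
    needs: deploy-dev
    runs-on: ubuntu-latest
    # Configure required reviewers on the "prod" environment in the repository
    # settings; that is what turns this job into a manual approval gate.
    environment: prod
    steps:
      - uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
      - name: Deploy image to prod
        run: az containerapp update --name app-prod --resource-group rg-prod --image "$IMAGE"
      - name: Smoke test
        run: curl --fail --silent --show-error --retry 5 --retry-delay 10 --retry-connrefused \
               https://prod.example.invalid/healthz  # hostname assumed
```

Two points to check when wiring this up. First, the federated credential on the Azure side must be scoped to a subject that matches the job, for example `repo:<org>/<repo>:environment:prod`, so a token minted by a pull-request run or another branch cannot deploy to production. Second, a failed smoke test fails the `deploy-dev` job, which blocks `deploy-prod` through `needs`; that is what makes a bad deploy stop automatically rather than relying on someone noticing.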
✅ Concept check
Why place Bicep validation and connector schema validation before merge, rather than only at deploy time?
📝 Chapter summary
- Current CI: install, ruff lint, compileall, pytest, gitleaks secret scan.
- Production pipeline adds connector-schema and Bicep validation, Docker build, deployment to dev via OIDC, smoke tests, manual approval, then prod.
- Use OIDC federation instead of storing Azure credentials.