Stage 5 · Platform
CI/CD & GitOps
Move every commit through automated verification, signed release artifacts, and safe production promotion.
Prerequisite
Kubernetes.
What this course leaves you with
- Build test-and-release pipelines end-to-end
- Ship canary, blue-green, and rollback workflows
- Run declarative GitOps with ArgoCD
Why this stage matters — Delivery is automated — now instrument what you cannot see.
Progress
0 of 54 lessons complete. Progress is stored locally in your browser so you can pick the path back up later.
course completion
CI/CD Foundations
The pipeline concepts and delivery principles behind reliable automation.
- 01Pipeline AnatomyStages, jobs, steps, runners, and directed acyclic graphs in GitHub Actions and GitLab CI.6 min
- 02CI vs CD vs Continuous DeploymentHow build verification, release readiness, and automatic production deploys differ in real systems.6 min
- 03Artifacts and WorkspacesPassing build outputs, test reports, coverage files, and Docker image metadata between jobs.7 min
- 04Pipeline Feedback LoopsUsing pull request checks, commit statuses, notifications, and flaky-test quarantine to shorten feedback.6 min
- 05Core Delivery PrinciplesTrunk-based development, small batches, immutable artifacts, and separation of build from deploy.7 min
- 06Pipeline Failure ModesDiagnosing broken runners, expired credentials, cache poisoning, missing artifacts, and nondeterministic builds.7 min
Building Pipelines
Author practical workflows with reusable jobs, caches, matrices, and protected secrets.
- 01GitHub Actions WorkflowsEvents, workflow_dispatch, reusable workflows, composite actions, and permissions in YAML.7 min
- 02GitLab CI PipelinesStages, needs, rules, includes, child pipelines, and runner tags in .gitlab-ci.yml.7 min
- 03Jobs and RunnersHosted runners, self-hosted runners, Kubernetes executors, containers, and privileged build isolation.6 min
- 04Caching DependenciesSpeeding npm, pip, Maven, Gradle, and Docker layer builds with keyed restore caches.6 min
- 05Matrix BuildsTesting operating systems, language versions, architectures, and feature variants with fail-fast controls.6 min
- 06Secrets and OIDCManaging masked secrets, environments, GitHub OIDC, cloud IAM roles, and least-privilege tokens.8 min
Testing & Quality Gates
Block risky changes with automated tests, scans, and measurable quality thresholds.
- 01Unit Tests in CIRunning Jest, pytest, go test, and JUnit reports with deterministic fixtures and parallel workers.6 min
- 02Integration TestsStarting PostgreSQL, Redis, LocalStack, and Docker Compose services inside pipeline jobs.7 min
- 03Coverage GatesPublishing Cobertura, LCOV, and JaCoCo reports while enforcing changed-line coverage thresholds.6 min
- 04Linting and FormattingFailing fast with ESLint, Prettier, golangci-lint, ShellCheck, and markdownlint checks.6 min
- 05SAST ScanningFinding code vulnerabilities with CodeQL, Semgrep, Bandit, and SARIF pull request annotations.7 min
- 06Dependency ScanningUsing Dependabot, npm audit, pip-audit, Trivy, and OSV-Scanner to catch vulnerable packages.7 min
Build, Version & Release
Create immutable, traceable, signed artifacts ready for controlled deployment.
- 01Semantic VersioningApplying SemVer, conventional commits, changelog generation, and release-please automation.6 min
- 02Building Containers in CIUsing BuildKit, docker buildx, multi-stage Dockerfiles, and multi-architecture image builds.7 min
- 03Artifact RegistriesPublishing images and packages to GHCR, ECR, GCR, Artifactory, and npm registries.6 min
- 04SBOM GenerationProducing CycloneDX and SPDX software bills of materials with Syft and Trivy.7 min
- 05Cosign SigningSigning container images with Sigstore cosign, keyless OIDC identities, and Rekor transparency logs.8 min
- 06Release ProvenanceAttaching SLSA provenance, build attestations, checksums, and Git tags to every release.7 min
Deployment Strategies
Roll changes out safely with traffic control, flags, and automated recovery.
- 01Blue-Green DeploymentsSwitching production traffic between blue and green Kubernetes Services or load balancer target groups.6 min
- 02Canary ReleasesShifting traffic with service meshes, ingress controllers, metrics checks, and weighted routing.7 min
- 03Rolling UpdatesTuning Kubernetes maxSurge, maxUnavailable, readiness probes, and PodDisruptionBudgets for safe rollouts.7 min
- 04Feature FlagsDecoupling deploy from release with LaunchDarkly, OpenFeature, targeting rules, and kill switches.6 min
- 05Automated RollbacksTriggering rollback from failed health checks, Prometheus alerts, synthetic tests, and error-budget burn.7 min
- 06Environments and PromotionModeling dev, staging, preview, and production with protected approvals, config overlays, and audit trails.6 min
GitOps & Progressive Delivery
Use declarative desired state and controllers to promote verified releases across environments.
- 01Declarative DeploysRepresenting Kubernetes desired state with Helm, Kustomize, Jsonnet, and environment overlays.6 min
- 02ArgoCD ApplicationsManaging Application manifests, sync policies, health checks, waves, hooks, and app-of-apps.8 min
- 03Flux ReconciliationUsing GitRepository, Kustomization, HelmRelease, image automation, and source-controller reconciliation.8 min
- 04Drift DetectionDetecting and correcting manual kubectl changes with sync status, diff views, and prune policies.7 min
- 05Argo RolloutsConfiguring Rollout resources, AnalysisTemplates, Prometheus metrics, pause steps, and traffic routers.8 min
- 06Promotion WorkflowsPromoting image tags through Git pull requests, Kargo-style stages, policy checks, and signed commits.7 min
GitOps Operations
Operate declarative delivery controllers safely across clusters, teams, and environments.
- 01Multi-Cluster GitOpsManaging fleet repositories, cluster selectors, Argo CD ApplicationSets, and Flux Kustomizations.8 min
- 02Sync Windows and WavesControlling deployment order with Argo CD sync waves, hooks, windows, and health checks.7 min
- 03Drift RemediationHandling manual kubectl changes with automated sync, prune policies, ignoreDifferences, and audit logs.7 min
- 04Secrets in GitOpsEncrypting Kubernetes secrets with SOPS, Sealed Secrets, External Secrets Operator, and KMS.8 min
- 05Policy as CodeEnforcing Kubernetes guardrails with OPA Gatekeeper, Kyverno, Conftest, and admission reports.7 min
- 06GitOps Disaster RecoveryRebuilding clusters from Git, backups, registry mirrors, CRD ordering, and bootstrap credentials.8 min
Progressive Delivery Controllers
Automate production rollouts with metrics, traffic routers, and guarded promotion steps.
- 01Flagger CanariesConfiguring Flagger Canary resources, Prometheus checks, webhooks, and service mesh traffic shifts.8 min
- 02Rollout AnalysisDesigning AnalysisTemplates with success conditions, failure limits, intervals, and metric providers.7 min
- 03Traffic Routing IntegrationsSplitting traffic through NGINX Ingress, Istio, Linkerd, Gateway API, and AWS ALB.7 min
- 04Feature Flag RolloutsCoordinating OpenFeature flags, targeting rules, progressive exposure, and instant kill switches.6 min
- 05Rollback AutomationReverting failed releases from SLO burn, synthetic probes, Kubernetes conditions, and error rates.7 min
- 06Progressive Delivery RunbooksDocumenting pause, promote, abort, retry, and manual override steps for release incidents.6 min
Supply-Chain Security
Harden pipelines from source control through signed artifacts and verified deployment.
- 01Secret ScanningBlocking leaked credentials with GitHub secret scanning, gitleaks, trufflehog, and push protection.7 min
- 02Dependency ReviewGating pull requests with dependency-review-action, OSV data, license policies, and severity thresholds.7 min
- 03Provenance VerificationVerifying SLSA attestations, GitHub artifact attestations, builder IDs, and source repository claims.8 min
- 04Image Policy EnforcementRequiring signed images with Kyverno verifyImages, cosign public keys, and admission controls.7 min
- 05Runner HardeningIsolating self-hosted runners with ephemeral VMs, network egress controls, and scoped tokens.8 min
- 06Pipeline Threat ModelingMapping attack paths across pull requests, third-party actions, registries, caches, and deploy keys.7 min