Fast Feedback
Independent jobs start immediately with needs: []: linting, formatting,
secret scanning, SAST and documentation checks do not wait for build stages.
Weather App uses GitLab CI/CD as the main engineering pipeline. The pipeline separates fast feedback, staging validation and production promotion so application changes can be verified without rebuilding artifacts for every environment.
| Environment | Purpose | Security Level | Main Evidence |
|---|---|---|---|
| Local test stack | Developer feedback and E2E debugging | Relaxed edge security, mocked external dependencies | Unit, integration and Cypress results |
| VPS staging | Edge and deployment validation | HTTPS, Traefik, WAF, registry pull and monitoring | Healthcheck, DAST and staging logs |
| Kubernetes platform | GitOps and policy validation | NetworkPolicies, Kyverno, External Secrets and RBAC | Argo CD sync, policies and dashboards |
flowchart LR commit[Commit or merge request] --> fast[Fast feedback] fast --> build[Build application images] build --> evidence[SBOM, PBOM, SCA and image scans] evidence --> staging[VPS staging deploy] staging --> dast[DAST and health checks] dast --> promote[Artifact promotion] promote --> gitops[GitOps deployment]
fast --> lint[Lint and formatting] fast --> tests[Unit and integration tests] fast --> policy[Secrets, SAST and pipeline policy]Fast Feedback
Independent jobs start immediately with needs: []: linting, formatting,
secret scanning, SAST and documentation checks do not wait for build stages.
Tests
Unit tests mock external APIs. Integration and E2E tests run separately so network behavior is explicit instead of hidden inside unit tests.
Supply Chain
SBOMs, PBOMs, image scans and registry digests are stored as evidence. SemVer tags remain readable, while digests provide the immutable deployment reference.
Policy
Plumber checks pipeline security, pinned images and risky shell patterns. GitLab CI lint validates syntax before GitLab attempts to execute the pipeline.
bun.lock
are available.Local execution uses gitlab-ci-local through the Weather App wrapper for fast feedback on jobs
that do not require protected variables. The local runner is intentionally restricted:
Plumber remains the policy checker for CI/CD governance. It is run locally before push when the self-managed GitLab context is available, and in CI after the branch is visible to GitLab.