CI/CD konveyerlari: GitHub Actions, GitLab CI
1) The role of CI/CD and its place in the platform
CI/CD is the continuous building, testing and delivery of changes from the repository to the runtime environment. Goals:
- Speed and predictability of releases (short lead time).
- Quality (automated tests, static/dynamic analysis).
- Supply-chain security (signed artifacts, access control).
- Reliability (canary deploys, fast rollback).
- Observability (tracing and metrics at every stage).
Core principles: "pipeline as code", immutable artifacts, "build once, run many", "shift-left security", "least privilege", deterministic (reproducible) builds.
2) Pipeline architecture patterns
- Stage-gate: build → test → security → package → deploy → post-deploy checks.
- Fan-out/fan-in: parallel matrix builds (languages/platforms) whose results are merged back together.
- Promotion: the same artifact moves through the environments (dev → stage → prod) without being rebuilt or swapped.
- Trunk-based development with short-lived branches: minimises drift; automated checks on every PR/MR.
- Reuse: reusable workflows/templates (Actions: reusable workflows; GitLab: includes and child pipelines).
- GitOps (optional): "build" is separated from "deliver" (Argo CD/Flux watch a declarative environment repo).
3) Supply-chain security
- Identity: OIDC federation from the runner to the cloud (no long-lived keys).
- Secrets: a central store, scoped to the job/environment that needs them, never written to logs.
- Artifact/container signing (cosign/Sigstore), with signature verification at admission control in the cluster.
- SBOM (CycloneDX/SPDX) plus SCA, SAST/DAST and container scanning as mandatory gates.
- Policy: OPA/Conftest for IaC/manifests, no `latest` tags, privileged containers forbidden.
- Runner isolation: prod runners in private networks, with egress to the public Internet separated from (and restricted compared to) the CI runners.
4) GitHub Actions: structure and practices
4.1 Workflow layout
`.github/workflows/*.yml`; triggers (`on: push, pull_request, schedule, workflow_call`).
Reusable workflows for standardisation (linter, SCA, container build, deploy).
4.2 Example: a multi-stage pipeline with OIDC and image signing
```yaml
name: ci-cd
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

# Least privilege: the default token is read-only; jobs that need more
# request it themselves (packages: write to push, id-token: write for OIDC).
permissions:
  contents: read

jobs:
  build_test_matrix:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        node: [18, 20]
        os: [ubuntu-latest]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: "${{ matrix.node }}" }
      - name: Cache npm
        uses: actions/cache@v4
        with:
          path: ~/.npm
          key: npm-${{ runner.os }}-${{ matrix.node }}-${{ hashFiles('**/package-lock.json') }}
      - run: npm ci
      - run: npm run lint && npm test -- --ci

  docker_build_sign:
    runs-on: ubuntu-latest
    needs: build_test_matrix
    permissions:
      contents: read
      packages: write   # push to GHCR
      id-token: write   # keyless cosign signing via the Actions OIDC token
    steps:
      - uses: actions/checkout@v4
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push image
        run: |
          docker build --pull --no-cache -t ghcr.io/org/app:${{ github.sha }} .
          docker push ghcr.io/org/app:${{ github.sha }}
      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          image: ghcr.io/org/app:${{ github.sha }}
          format: cyclonedx-json
          output-file: sbom.json
      - name: Install cosign
        uses: sigstore/cosign-installer@v3
      - name: Sign image (keyless, OIDC)
        # With id-token: write cosign fetches the Actions OIDC token itself; the
        # signature and its short-lived certificate are recorded in the Rekor log.
        run: |
          cosign sign --yes \
            --rekor-url https://rekor.sigstore.dev \
            ghcr.io/org/app:${{ github.sha }}

  deploy_stage:
    runs-on: ubuntu-latest
    needs: docker_build_sign
    permissions:
      contents: read
      id-token: write   # assume the cloud role via OIDC
    environment:
      name: stage
      url: https://stage.example.com
    steps:
      - uses: actions/checkout@v4
      - name: Assume cloud role via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deployer
          aws-region: eu-central-1
      - name: Helm deploy (canary 10%)
        run: |
          helm upgrade --install app charts/app \
            --set image.tag=${{ github.sha }} \
            --set canary.enabled=true --set canary.traffic=10
      - name: Smoke checks
        run: ./scripts/smoke.sh

  promote_prod:
    runs-on: ubuntu-latest
    needs: deploy_stage
    permissions:
      contents: read
      id-token: write
    environment:
      name: production
      url: https://app.example.com
    concurrency: prod-release
    steps:
      - name: Manual approval gate
        # The gate itself is the required-reviewers setting on the "production"
        # environment; the job does not start until an approver has signed off.
        run: echo "Requires environment approvers in repo settings"
      - uses: actions/checkout@v4
      - name: Assume cloud role via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deployer
          aws-region: eu-central-1
      - name: Promote canary → 100% (blue-green)
        run: |
          helm upgrade --install app charts/app \
            --set image.tag=${{ github.sha }} \
            --set canary.enabled=false
      - name: Post-deploy checks & rollback on SLO breach
        run: ./scripts/verify_or_rollback.sh
```
Key points:
- `permissions` reduced to the minimum at the top level; `id-token: write` and `packages: write` are granted only to the jobs that need them.
- Environments with approvers and a URL; `concurrency` prevents two production releases from racing each other.
- Canary traffic is switched on gradually and rolled back automatically on SLO breach.
- The example signs by tag for brevity; in production pass the digest (`ghcr.io/org/app@sha256:…`) to `cosign sign` and to the admission policy, since a tag is mutable and only the digest pins exactly what was pushed.
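The `permissions`, pinning and trigger choices above are exactly what an attacker probes in a workflow. The following is an added example (not code from the original page, nor from GitHub): a small policy check over a workflow as PyYAML's `yaml.safe_load` returns it. It flags unpinned third-party actions, missing or `write-all` permissions, a `pull_request_target` job that checks out the PR head, and untrusted event data interpolated into `run:`. The `SAMPLE` workflow and the commit SHA inside it are constructed placeholders.

```python
"""Static policy checks for GitHub Actions workflows (added example).

Operates on the parsed workflow dict, i.e. what yaml.safe_load returns.
The SAMPLE workflow at the bottom is constructed for illustration.
"""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")

# Event fields a PR/issue author controls. Interpolating them into `run:`
# via ${{ }} is textual substitution into the shell script: command injection.
UNTRUSTED = re.compile(
    r"\$\{\{\s*("
    r"github\.event\.(issue|pull_request|comment|review|discussion)\.(title|body)"
    r"|github\.event\.pull_request\.head\.(ref|label)"
    r"|github\.head_ref"
    r"|github\.event\.commits\[[^\]]*\]\.message"
    r")\s*\}\}"
)


def triggers(wf):
    """Normalise `on:` (string, list or mapping). PyYAML parses the bare key
    `on` as the boolean True, so both spellings are looked up."""
    on = wf.get("on", wf.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on or {})


def jobs(wf):
    return (wf.get("jobs") or {}).items()


def check_permissions(wf):
    out = []
    top = wf.get("permissions")
    if top is None:
        out.append("workflow: no top-level `permissions`; GITHUB_TOKEN falls back to the repo default (often read-write)")
    elif top == "write-all":
        out.append("workflow: permissions: write-all")
    for name, job in jobs(wf):
        if job.get("permissions") == "write-all":
            out.append(f"job {name}: permissions: write-all")
    return out


def check_pinned(wf):
    """An action referenced by tag or branch can be retargeted by its publisher
    (or by whoever compromises the publisher); a full commit SHA cannot."""
    out = []
    for name, job in jobs(wf):
        refs = [job.get("uses")] + [s.get("uses") for s in job.get("steps") or []]
        for uses in refs:
            if not uses or uses.startswith(("./", "docker://")):
                continue
            ref = uses.rsplit("@", 1)[1] if "@" in uses else ""
            if not SHA40.match(ref):
                out.append(f"job {name}: `{uses}` is not pinned to a commit SHA")
    return out


def check_pr_target_checkout(wf):
    """pull_request_target runs with the base repo's secrets; checking out the
    PR head there lets a fork run its own code with those secrets."""
    out = []
    if "pull_request_target" not in triggers(wf):
        return out
    for name, job in jobs(wf):
        for step in job.get("steps") or []:
            uses = step.get("uses") or ""
            ref = str((step.get("with") or {}).get("ref", ""))
            if uses.startswith("actions/checkout") and (
                "github.event.pull_request.head" in ref or "github.head_ref" in ref
            ):
                out.append(f"job {name}: pull_request_target checks out the PR head ({ref})")
    return out


def check_script_injection(wf):
    out = []
    for name, job in jobs(wf):
        for step in job.get("steps") or []:
            run = step.get("run")
            if isinstance(run, str) and (m := UNTRUSTED.search(run)):
                out.append(f"job {name}: untrusted input {m.group(0)} interpolated into run:")
    return out


def lint(wf):
    return (check_permissions(wf) + check_pinned(wf)
            + check_pr_target_checkout(wf) + check_script_injection(wf))


# Constructed sample: a "triage" job with all four problems, plus a clean job.
SAMPLE = {
    "name": "pr-triage",
    True: {"pull_request_target": {"types": ["opened"]}},   # `on:` as PyYAML loads it
    "jobs": {
        "triage": {
            "runs-on": "ubuntu-latest",
            "permissions": "write-all",
            "steps": [
                {"uses": "actions/checkout@v4",
                 "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                {"run": 'echo "PR: ${{ github.event.pull_request.title }}"'},
            ],
        },
        "lint": {
            "runs-on": "ubuntu-latest",
            "steps": [{"uses": "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"},  # placeholder SHA
                      {"run": "npm ci && npm run lint"}],
        },
    },
}

if __name__ == "__main__":
    import sys
    import yaml  # PyYAML, only needed when linting real files
    for path in sys.argv[1:]:
        with open(path) as fh:
            for finding in lint(yaml.safe_load(fh)):
                print(f"{path}: {finding}")
    if len(sys.argv) == 1:
        print("\n".join(lint(SAMPLE)))
```

Run it as `python lint_workflows.py .github/workflows/*.yml` (PyYAML installed) to get one line per finding; with no arguments it reports the five findings in `SAMPLE`. The SHA check will also flag the `@v4` references in the pipeline above: that is the intended trade-off between readability in an article and the stricter pin-to-SHA policy for a real repository.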
4.3 Reusable workflow
```yaml
jobs:
  security_suite:
    uses: org/.github/.github/workflows/security.yml@v1
    with:
      severity_threshold: high
```
5) GitLab CI: structure and practices
5.1 Basic structure
`.gitlab-ci.yml` at the repository root; the core entities are `stages`, `jobs`, `rules`, `needs`, `artifacts`, `environments` and `when: manual`.
Reuse: `include:` (local/remote templates) and parent/child pipelines for complex monorepos.
5.2 Example: matrix, cache, signing, environments and approvals
```yaml
stages: [lint, test, build, security, deploy]

variables:
  DOCKER_TLS_CERTDIR: ""   # plain-TCP docker-in-docker; only acceptable on the runner's private network
  IMAGE_TAG: $CI_COMMIT_SHA

lint:
  stage: lint
  image: node:20
  script:
    - npm ci
    - npm run lint
  cache:
    key: "npm-${CI_COMMIT_REF_SLUG}"
    paths: [node_modules/]
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

test:
  stage: test
  image: node:${NODE_VERSION}   # one job per matrix entry, each with its own Node image
  parallel:
    matrix:
      - NODE_VERSION: ["18", "20"]
  script:
    - npm ci
    - npm test -- --ci
  artifacts:
    when: always
    reports:
      junit: report.xml

build_image:
  stage: build
  image: docker:26.1
  services: ["docker:26.1-dind"]
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$IMAGE_TAG" .
    - docker push "$CI_REGISTRY_IMAGE:$IMAGE_TAG"
    # SBOM generation belongs in script, not after_script: a failure here must fail the job
    - apk add --no-cache curl
    - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
    - syft "$CI_REGISTRY_IMAGE:$IMAGE_TAG" -o cyclonedx-json > sbom.json
  artifacts:
    expire_in: 1 week
    paths: ["sbom.json"]

security_scans:
  stage: security
  image: { name: aquasec/trivy:0.50.1, entrypoint: [""] }   # pin the scanner version you validated
  variables:
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    # --exit-code 1 turns the scan into a gate: HIGH/CRITICAL findings fail the job and block deploy
    - trivy image --exit-code 1 --severity HIGH,CRITICAL "$CI_REGISTRY_IMAGE:$IMAGE_TAG"
  rules:
    - if: $CI_COMMIT_BRANCH == "main"

deploy_stage:
  stage: deploy
  image: { name: bitnami/kubectl:1.30, entrypoint: [""] }
  environment:
    name: stage
    url: https://stage.example.com
    on_stop: stop_stage
  needs: [build_image, security_scans]
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
      when: manual
      allow_failure: false   # the pipeline blocks on the approval instead of skipping past it
  script:
    - kubectl set image deploy/app app="$CI_REGISTRY_IMAGE:$IMAGE_TAG" -n stage
    - kubectl rollout status deploy/app -n stage --timeout=120s
    - ./scripts/smoke.sh

stop_stage:
  stage: deploy
  image: { name: bitnami/kubectl:1.30, entrypoint: [""] }
  environment:
    name: stage
    action: stop
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
      when: manual
  script:
    - kubectl rollout undo deploy/app -n stage

deploy_prod:
  stage: deploy
  image: alpine/k8s:1.30.2
  environment:
    name: production
    url: https://app.example.com
  needs: [deploy_stage]
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
      when: manual
      allow_failure: false
  script:
    - ./scripts/canary_traffic.sh 10
    - ./scripts/verify_or_rollback.sh
```
Key points:
- `parallel:matrix` gives matrix builds.
- `artifacts` plus test reports (JUnit) surface results directly in the MR.
- Environments with `on_stop`; `when: manual` together with `allow_failure: false` acts as the approval gate (pair it with protected environments so only approvers can run the job).
- DinD for image builds (Kaniko/BuildKit are preferable on Kubernetes runners, since they need no privileged runner).
5.3 Child pipelines and include for monorepos
```yaml
include:
  - local: .gitlab/ci/includes/security.yml
  - project: org/platform/pipelines
    file: /k8s/deploy.yml
    ref: v1

stages: [prepare, component_a, component_b, deploy]

component_a:
  stage: component_a
  trigger:
    include: .gitlab/ci/component_a.yml
    strategy: depend   # parent waits for the child and inherits its status

component_b:
  stage: component_b
  trigger:
    include: .gitlab/ci/component_b.yml
    strategy: depend
```
6) Monorepos and many services
- Directory-based ownership: CODEOWNERS and scoped tests.
- Incremental builds: determine the affected packages/charts; cache keyed by path and lockfile.
- Dynamic pipelines: child pipelines / `workflow_call` triggered only for the changed components.
- Versioning: semver per module; the changelog is produced in the release stage.
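"Affected components" is a graph problem: a change to a library must also rebuild everything that depends on it, and a change to shared pipeline files must rebuild everything. The following added example (not code from the page or from GitLab) implements that and emits a parent-pipeline config in the shape of the `trigger`/`strategy: depend` jobs above. The component layout, its dependency graph, the per-component `.gitlab-ci.yml` location and the changed-path lists are all constructed assumptions.

```python
"""Scope a monorepo pipeline to the components a change actually affects
(added example, not from the page). The component layout, dependency graph
and changed-path lists are constructed for illustration."""
from collections import deque

# component -> (source prefix, components it depends on)   (constructed)
COMPONENTS = {
    "libs/auth":       ("libs/auth/", []),
    "libs/db":         ("libs/db/", []),
    "services/api":    ("services/api/", ["libs/auth", "libs/db"]),
    "services/worker": ("services/worker/", ["libs/db"]),
    "web":             ("web/", ["services/api"]),
}
# A change here invalidates every component; scoping is unsafe, so run everything.
GLOBAL_PREFIXES = ("package-lock.json", ".gitlab-ci.yml", ".github/workflows/", ".gitlab/ci/includes/")


def reverse_deps(components):
    """dependency -> set of components that depend on it."""
    rev = {name: set() for name in components}
    for name, (_, deps) in components.items():
        for dep in deps:
            rev[dep].add(name)
    return rev


def touched(changed_paths, components):
    return {name for path in changed_paths
            for name, (prefix, _) in components.items() if path.startswith(prefix)}


def affected(changed_paths, components=COMPONENTS, global_prefixes=GLOBAL_PREFIXES):
    """Directly touched components plus everything that transitively depends on them."""
    if any(path.startswith(global_prefixes) for path in changed_paths):
        return set(components)
    rev = reverse_deps(components)
    seen = touched(changed_paths, components)
    queue = deque(seen)
    while queue:
        for dependant in rev[queue.popleft()]:
            if dependant not in seen:
                seen.add(dependant)
                queue.append(dependant)
    return seen


def build_order(names, components=COMPONENTS):
    """Kahn's algorithm over the subgraph `names`: dependencies first, ties broken
    alphabetically so the generated pipeline is deterministic. Raises on a cycle."""
    names = set(names)
    indeg = {n: sum(1 for d in components[n][1] if d in names) for n in names}
    ready = sorted(n for n in names if indeg[n] == 0)
    order = []
    while ready:
        cur = ready.pop(0)
        order.append(cur)
        for n in sorted(names):
            if cur in components[n][1]:
                indeg[n] -= 1
                if indeg[n] == 0:
                    ready.append(n)
        ready.sort()
    if len(order) != len(names):
        raise ValueError("dependency cycle among components")
    return order


def child_pipeline(changed_paths, components=COMPONENTS):
    """Parent-pipeline config as a dict (yaml.safe_dump turns it into .gitlab-ci.yml
    text): one trigger job per affected component, staged in dependency order.
    Assumes each component keeps its own pipeline at <prefix>.gitlab-ci.yml."""
    order = build_order(affected(changed_paths, components), components)
    cfg = {"stages": order}
    for name in order:
        cfg[name.replace("/", "_")] = {
            "stage": name,
            "trigger": {"include": components[name][0] + ".gitlab-ci.yml", "strategy": "depend"},
        }
    return cfg


if __name__ == "__main__":
    import sys
    # e.g. git diff --name-only origin/main...HEAD | python scope.py
    print(child_pipeline([line.strip() for line in sys.stdin if line.strip()]))
```

In a real parent pipeline this runs in the `prepare` stage, writes the generated config as an artifact, and a `trigger: include: { artifact: ..., job: prepare }` job starts the children; the conservative "anything global changed, run everything" branch is what keeps the optimisation from silently skipping a build.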
7) Caching and speed-ups
- Targeted caches (keyed by hashFiles / lockfile).
- Separate caches for dependencies and for build artifacts.
- Pre-warmed runner images (toolchains, SDKs).
- Local package mirrors (npm/pip/maven) and a pull-through registry cache for containers.
8) Release strategies and rollback
- Canary: increase the traffic share step by step; stop automatically on SLO degradation.
- Blue-green: two parallel stacks, instant switch-over.
- Shadow: replay requests to the new version without affecting clients.
- Feature flags: roll out at flag level rather than release level.
- Rollback: explicit "one-button" scripts; the artifact version is recorded in the release metadata.
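The pipelines above call a `verify_or_rollback.sh` after the canary step but never show what it decides on. The following added example (not the page's script) is the decision logic: it compares canary metric windows against an SLO and against the stable baseline, treats missing or thin data as a failure rather than a pass, and then either promotes the release or rolls back the Helm revision. The SLO thresholds, the metric windows, the release and chart names are assumptions; `run` is injectable so the logic can be exercised without a cluster.

```python
"""Canary verification with automatic rollback (added example, not the
page's verify_or_rollback.sh). SLO thresholds, metric windows, release and
chart names are assumptions; `run` is injectable for offline testing."""
from dataclasses import dataclass
import subprocess


@dataclass(frozen=True)
class Window:
    """Aggregated metrics for one observation window (e.g. one minute)."""
    requests: int
    errors: int
    p95_ms: float

    @property
    def error_rate(self):
        return self.errors / self.requests if self.requests else 0.0


@dataclass(frozen=True)
class Slo:
    max_error_rate: float = 0.01     # at most 1 % of canary requests may fail
    max_p95_ms: float = 300.0
    max_error_delta: float = 0.005   # canary may exceed baseline by at most 0.5 pp
    min_requests: int = 200          # fewer requests than this proves nothing


def evaluate(canary, baseline, slo=Slo()):
    """Return (ok, reasons). Every window must pass. Missing or thin data is a
    failure, never a pass: "no evidence" must not promote a release."""
    if not canary or len(canary) != len(baseline):
        return False, ["missing or mismatched canary/baseline windows"]
    reasons = []
    for i, (c, b) in enumerate(zip(canary, baseline)):
        if c.requests < slo.min_requests:
            reasons.append(f"window {i}: only {c.requests} canary requests (< {slo.min_requests})")
            continue
        if c.error_rate > slo.max_error_rate:
            reasons.append(f"window {i}: canary error rate {c.error_rate:.2%} > {slo.max_error_rate:.2%}")
        # Comparing against the stable version separates a bad release from a
        # platform-wide incident that hits both versions equally.
        if c.error_rate - b.error_rate > slo.max_error_delta:
            reasons.append(f"window {i}: canary error rate exceeds baseline by {c.error_rate - b.error_rate:.2%}")
        if c.p95_ms > slo.max_p95_ms:
            reasons.append(f"window {i}: canary p95 {c.p95_ms:.0f} ms > {slo.max_p95_ms:.0f} ms")
    return not reasons, reasons


def helm_commands(ok, release, chart, image_tag):
    """Promote (canary off, new tag everywhere) or roll back to the previous
    Helm revision. --atomic/--wait make a failed promotion undo itself."""
    if ok:
        return [["helm", "upgrade", "--install", release, chart,
                 "--set", f"image.tag={image_tag}", "--set", "canary.enabled=false",
                 "--atomic", "--wait"]]
    return [["helm", "rollback", release, "--wait"]]


def verify_or_rollback(canary, baseline, image_tag, release="app", chart="charts/app",
                       slo=Slo(), run=subprocess.run):
    ok, reasons = evaluate(canary, baseline, slo)
    for cmd in helm_commands(ok, release, chart, image_tag):
        run(cmd, check=True)
    return ok, reasons


# Constructed samples: three one-minute windows for the canary and the stable baseline.
BASELINE = [Window(10800, 40, 205.0), Window(12100, 55, 220.0), Window(9900, 30, 200.0)]
CANARY_HEALTHY = [Window(1200, 4, 210.0), Window(1350, 6, 225.0), Window(1100, 3, 198.0)]
CANARY_BAD = [Window(1200, 4, 210.0), Window(1350, 41, 480.0), Window(1100, 3, 198.0)]

if __name__ == "__main__":
    ok, reasons = verify_or_rollback(CANARY_BAD, BASELINE, "deadbeef",
                                     run=lambda cmd, check: print("would run:", " ".join(cmd)))
    print("promote" if ok else "rollback", reasons)
```

In a pipeline the windows come from the metrics backend (for example a Prometheus range query over the canary and stable deployments) and `run` is the real `subprocess.run`; the job's exit status then decides whether the `promote_prod`/`deploy_prod` step continues.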
9) Infrastructure and GitOps
- IaC: Terraform/Ansible/Helm managed in a separate repo; policy-as-code as the gate.
- GitOps loop: Argo CD/Flux watch the repo holding the environment manifests; the pipeline only produces the artifact and updates the version in Git.
- Benefits: a clear history of environment changes, idempotency, rollback through ordinary Git operations.
10) CI/CD observability
- DORA metrics: deployment frequency, lead time from commit to production, change failure rate, MTTR.
- Telemetry: queue time, stage durations, cache hit rate, flaky-test frequency.
- Security logs: who started a release, which gates it passed, which exceptions were granted.
11) Access control and approvals
- Branch protection and required checks.
- Environment approvals for stage/prod.
- JIT access for manual steps, with session logging.
- Separation of duties: different roles for "writes the code", "approves" and "releases".
12) Common mistakes (anti-patterns)
- Long-lived cloud keys in repository secrets instead of OIDC roles.
- Building different artifacts for stage and prod (breaking "build once").
- `latest` tags and mutable images.
- Printing secrets in step output.
- A single shared public runner for prod deploys.
- No security gates (SAST/SCA/policy) and no post-deploy checks.
13) Adoption checklist (days 0-60)
Days 0-15
- Set up trunk-based development, PR/MR rules and required static checks.
- Introduce OIDC federation to the cloud; minimal `permissions`.
- Split the runners: public for CI, private for CD.
Days 16-30
- Add SBOMs and image signing; verify signatures in the cluster.
- Introduce canary/blue-green; auto-rollback on SLO breach.
- Dependency and artifact caches, pre-warmed images.
Days 31-60
- Separate build from delivery (GitOps), policy-as-code.
- DORA metrics and alerts on pipeline degradation.
- Template the pipelines (reusable/child) for all services.
14) Practical reliability tips
- Keep pipelines small and fast (a PR signal within 10-12 minutes).
- Kill flaky tests: quarantine tags plus a fix in parallel.
- Do not mix CI artifacts with release artifacts; keep the metadata (commit, time, SBOM, signatures).
- Give developers local scripts identical to the pipeline steps (dev-prod parity).
15) Templates for reuse
15.1 GitHub Actions: security reusable workflow (simplified)
```yaml
name: security-suite
on:
  workflow_call:
    inputs:
      severity_threshold:
        type: string
        required: false
        default: high
permissions:
  contents: read
jobs:
  sast_sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./sec/sast.sh --threshold ${{ inputs.severity_threshold }}
      - run: ./sec/sca.sh --format cyclonedx-json --out sbom.json
      - uses: actions/upload-artifact@v4   # keep the SBOM with the run
        with:
          name: sbom
          path: sbom.json
```
15.2 GitLab: includable deploy template (simplified)
```yaml
# Hidden job (leading dot); services reuse it with `extends: .deployment_template`
# and set APP and IMAGE_TAG.
.deployment_template:
  image: alpine/k8s:1.30.2
  script:
    - helm upgrade --install "$APP" "charts/$APP" --set image.tag="$IMAGE_TAG"
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
```
16) Conclusion
GitHub Actions and GitLab CI provide mature mechanisms for a fast and secure "code → prod" loop. The key to success is standardisation and security: OIDC instead of keys, signing and SBOMs, quality gates, a single artifact promoted through the environments, GitOps delivery and DORA-based observability. Build pipelines as a product: measure, simplify, speed up, and releases become routine rather than events.