CI/CD — Stratégies, pipelines & GitLab CI

Stratégies (trunk/feature flags, GitOps), design pipelines (DAG, cache, artefacts), qualité (tests/coverage/gates), GitLab CI avancé (runners, rules, matrices, child pipelines), sécurité (SAST/DAST/SCA/SBOM), releases (semver/changelog), performance & coûts, troubleshooting.

Stratégies Design Pipeline Qualité & Tests GitLab CI Avancé DevSecOps Releases Perf & Coûts Troubleshooting

Cheat-sheet — objectif → features GitLab → snippets → KPIs → guardrails

Objectif	Features GitLab	Snippets	KPIs	Guardrails
Feedback rapide	DAG `needs`, cache, tests parallèles	`parallel: 4`, `needs: []`, cache npm/pip	Durée CI < 10 min, succès > 90%	Interruption `interruptible: true`, auto-cancel redondant
Qualité	Reports JUnit, cobertura, codequality	`artifacts:reports:junit`	Coverage > 80%, flakies ↓	Quarantaine tests instables
Sécurité	SAST/DAST/SCA, License, Secret scan	jobs “Security” + SBOM/sign	Critiques=0 en prod	Gates PR, exceptions datées
Déploiement fiable	Environments, `resource_group`, canary	on_stop, manual, approvals	Rollback < 10 min	Prod sérialisé, GitOps
Scalabilité	Runners autoscalés, matrices	`parallel:matrix`	Throughput ↑	Quotas minutes & tags

Mesures cœur : DORA (fréquence, lead-time, MTTR, % échec change), coût/minute CI, “Time-to-First-Deploy”.

Patterns

Trunk-based + petites PR, checks obligatoires.
Feature flags & progressive delivery (canary/blue-green).
GitOps : déploiements pilotés par PR (Argo/Flux).
Release trains (cadence) vs continuous delivery (à l’issue de la CI verte).

Anti-patterns

Branches longues, merges tardifs, “snowflake env”.
Tag :latest, déploiements manuels non tracés.

KPIs

Lead-time < 48h; fréquence déploiements ≥ hebdo (cible : daily).
Taux d’échec change < 10%, MTTR < 60 min.

Playbook

Start: trunk + flags → CI rapide → gates qualité → CD canary → GitOps prod

Principes

Stages : prepare → build → test → scan → package → deploy.
DAG avec needs pour paralléliser; interruptible pour annuler obsolètes.
Cache dépendances; artefacts minimaux & expirations courtes.

Snippet .gitlab-ci.yml

stages: [prepare, build, test, scan, package, deploy]

variables:
  GIT_DEPTH: "1"

build:
  stage: build
  image: node:20
  cache: { key: files: [package-lock.json], paths: [node_modules/] }
  script:
    - npm ci
    - npm run build
  artifacts:
    paths: [dist/]
    expire_in: 2 days
  rules:
    - changes: ["package.json", "src/**/*"]

test:
  stage: test
  needs: ["build"]
  parallel: 4
  script:
    - npm test -- --shard=$CI_NODE_INDEX/$CI_NODE_TOTAL
  artifacts: { reports: { junit: "junit.xml", cobertura: "coverage.xml" } }

DAG/Matrix/Child

lint:
  stage: prepare
  script: [ "eslint . -f junit -o junit.xml" ]
  artifacts: { reports: { junit: "junit.xml" } }

e2e:
  stage: test
  parallel:
    matrix:
      - BROWSER: [chrome, firefox]
  needs: ["build"]

Pratiques

Pyramide : unitaires > intégration > e2e ciblés.
Coverage rapporté (Cobertura), seuils, tests en parallèles/shards.
Quarantaine des flakies, retry ciblé (retry: 1).

Snippets

unit:
  stage: test
  script: [ "pytest -q --junitxml=junit.xml --cov=app --cov-report=xml" ]
  artifacts: { reports: { junit: "junit.xml", cobertura: "coverage.xml" } }
  coverage: '/^TOTAL.*\s+(\d+\%)$/'

e2e:
  stage: test
  image: cypress/included:13.7.0
  script: [ "cypress run --reporter junit --reporter-options 'mochaFile=junit.xml'" ]
  artifacts: { reports: { junit: "junit.xml" }, when: always }
  retry: 1

KPIs & gates

Durée tests < 6–8 min, coverage > 80% (app) / > 60% (services).
Fail-fast : stop si JUnit erreurs, publier codequality, lints bloquants.

Runners & variables

Runners autoscalés (tags), jobs lourds sur machines dédiées.
Variables protégées/scopées env, masquées; dotenv pour passer des valeurs.
OIDC vers cloud (pas de clés longues durées).

export-build-vars:
  stage: prepare
  script: [ 'echo "IMAGE_TAG=$CI_COMMIT_SHORT_SHA" > build.env' ]
  artifacts: { reports: { dotenv: build.env } }

Rules & matrices

workflow:
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_COMMIT_TAG'

lint:
  stage: prepare
  rules:
    - changes: ["**/*.py","**/*.js"]
  script: ["make lint"]

test-matrix:
  stage: test
  parallel:
    matrix:
      - PY: ["3.10","3.11"]
        DB: ["postgres","mysql"]

Child pipelines & envs

monorepo-router:
  stage: prepare
  trigger:
    include: .gitlab/ci/services/.child.yml
    strategy: depend
  rules:
    - changes:
        - services/**/*
        - .gitlab/ci/services/**/*

review:
  stage: deploy
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.review.example.com
    on_stop: stop_review
  script: ["./deploy_review.sh"]
stop_review:
  stage: deploy
  when: manual
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop
  script: ["./destroy_review.sh"]

Pratiques

SAST/DAST/SCA/Container scan; License Compliance.
SBOM (syft) + signatures (cosign); policy admission (OPA/Conftest).
Exceptions datées; rapports versionnés (evidence-as-code).

Snippets

container-scan:
  stage: scan
  image: aquasec/trivy:latest
  script:
    - trivy image --exit-code 1 --severity CRITICAL,HIGH $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

sbom-sign:
  stage: package
  script:
    - syft . -o json > sbom.json
    - cosign sign $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  artifacts: { paths: ["sbom.json"] }

KPIs & gates

Vuln. critiques en prod = 0; SLA patch < 7 j; secrets fuites = 0.
Gate MR si vuln. critique non justifiée.

Pratiques

Conventional commits → version semver + changelog auto.
Tags immuables, images signées; release evidence.
Déploiements : canary/blue-green, GitOps en prod.

Snippets

release:
  stage: package
  rules: [ { if: '$CI_COMMIT_TAG' } ]
  script:
    - ./scripts/changelog.sh $CI_COMMIT_TAG > CHANGELOG.md
  release:
    name: "$CI_COMMIT_TAG"
    tag_name: "$CI_COMMIT_TAG"
    description: "./CHANGELOG.md"

deploy-prod:
  stage: deploy
  resource_group: production
  when: manual
  script: ["./deploy_canary.sh 25%"]
  environment: { name: production, url: https://app.example.com }

KPIs

Rollback < 10 min; “time-to-release” ↓; échecs release < 10%.

Leviers

Images slim/distroless; npm ci / pip cache.
Shallow clone (GIT_DEPTH: 1), rules:changes pour cibler.
Parallélisme & matrices; split tests; Docker layer cache (buildx).

Snippets

docker-build:
  stage: package
  image: docker:27
  services: [ "docker:27-dind" ]
  variables: { DOCKER_BUILDKIT: "1" }
  script:
    - docker buildx build --cache-to=type=inline --cache-from=type=registry,ref=$CI_REGISTRY_IMAGE:cache -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

# Skipper
workflow:
  rules:
    - if: $CI_COMMIT_MESSAGE =~ /(\[ci skip\]|\[skip ci\])/

KPIs

Durée pipeline médiane < 10 min; coût/min ↓; taux ré-exécution tests ↓.
Cache hit-rate > 70%; minutes runner par merge ↓.

Bonnes pratiques

Logs courts + set -euo pipefail; upload artefacts; traces d’erreur visibles.
Pipeline Analytics (taux succès, durée), flaky-tests dashboard.
“Fail fast” : arrêter e2e si unitaires KO; allow_failure pour jobs non-bloquants.

Snippets

before_script:
  - set -euo pipefail

smoke:
  stage: test
  allow_failure: true
  script: ["./smoke.sh"]

# Artefacts de debug
debug:
  stage: test
  when: on_failure
  script: ["tar czf logs.tgz logs/"]
  artifacts: { paths: ["logs.tgz"], when: on_failure, expire_in: 1 day }

Anti-patterns

Jobs séquentiels inutiles, artefacts énormes, scripts non idempotents.
Secrets en clair, :latest, pipelines sans rules ciblées.

CI/CD — Stratégies, pipelines & GitLab CI

Cheat-sheet — objectif → features GitLab → snippets → KPIs → guardrails

1. Stratégies CI/CD

2. Design de pipeline

3. Qualité & Tests

4. GitLab CI avancé

5. Sécurité (DevSecOps)

6. Releases

7. Performance & coûts

8. Troubleshooting