CI/CD & Build Automation
Automated builds, artifact management, SBOM generation, and CI pipeline templates for every team.
Job to be done: When our CI varies wildly across repos and security checks stay manual, I want to establish a minimum baseline of build, test, lint, and scanning, so I can deploy with confidence that quality is consistent and predictable.
You will create a shared CI pipeline template with build, test, and lint stages, add dependency and container scanning with SBOM generation, then roll it out across repos. Implement caching and parallelization to keep feedback fast, and standardize how artifacts are versioned and stored.
What you’ll implement
These are the roadmap epic features, organized as a starter backlog.
Execution guide
Practical guidance aligned to the Execution Kit Definition of Done.
Outcome
Every service has a consistent CI baseline (build/test/lint/security) and produces promotable artifacts.
Before to After Transformation
Before: Each team has different pipelines, manual security checks, slow builds, no artifact strategy

# Manual build process:
cd app && npm install
npm run build
# Hope it works...
scp -r dist/ prod-server:/var/www/

After: Every repo uses shared templates, automated security scanning, fast feedback, immutable artifacts

# Standardized CI template:
name: ci
on: [push, pull_request]
jobs:
  build:
    uses: org/pipelines/.github/workflows/node-ci.yml@v1
# ✓ Build + Test + Lint
# ✓ SAST + Dependency scan
# ✓ SBOM generation
# ✓ Container build + scan
# DORA improvements:
# - Deployment frequency: weekly to daily
# - Lead time: 7 days to 2 days

Symptoms
Prerequisites
Implementation steps
- Define the CI minimum checks policy
- Create a pipeline template (build + unit + lint)
- Add dependency and secret scanning
- Add SBOM generation and publish artifacts
- Add container/image scanning (where applicable)
- Standardize caching and parallelization
- Add provenance/signing where feasible
- Add CI observability (timings, flaky detection)
- Roll out to the next 3–5 repos
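The steps above describe one reusable pipeline; the following is an added example of what the shared template behind the page's `uses: org/pipelines/.github/workflows/node-ci.yml@v1` line could look like. It is not the kit's own template: the file path, the `node-version` and `image-name` inputs, the action version tags, and the choice of npm audit, gitleaks, anchore/sbom-action and trivy-action as the scanners are all assumptions made for this example.

```yaml
# Assumed location in the shared pipelines repo: .github/workflows/node-ci.yml
# Callers reference it as org/pipelines/.github/workflows/node-ci.yml@v1
name: node-ci

on:
  workflow_call:
    inputs:
      node-version:
        type: string
        default: "20"
      image-name:
        # Optional: when non-empty, build a container image and scan it
        type: string
        default: ""

permissions:
  contents: read

jobs:
  # Stage 1: build + unit tests + lint, with dependency caching for fast feedback
  build-test-lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ inputs.node-version }}
          cache: npm                          # caches ~/.npm keyed on package-lock.json
      - run: npm ci                           # reproducible install from the lockfile
      - run: npm run lint
      - run: npm test
      - run: npm run build
      - uses: actions/upload-artifact@v4
        with:
          name: dist-${{ github.sha }}        # commit-addressed, immutable build output
          path: dist/

  # Stage 2: dependency (SCA) and secret scanning, run in parallel with stage 1
  dependency-and-secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0                      # full history so the secret scan covers every commit
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ inputs.node-version }}
          cache: npm
      - run: npm ci
      - run: npm audit --audit-level=high     # fail on HIGH/CRITICAL advisories
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Stage 3: SBOM generation, published as a CI artifact next to the build output
  sbom:
    runs-on: ubuntu-latest
    needs: build-test-lint
    steps:
      - uses: actions/checkout@v4
      - uses: anchore/sbom-action@v0
        with:
          path: .
          format: cyclonedx-json
          artifact-name: sbom-${{ github.sha }}.cdx.json

  # Stage 4: container build + image scan, only for repos that opt in via image-name
  container-scan:
    if: ${{ inputs.image-name != '' }}
    runs-on: ubuntu-latest
    needs: build-test-lint
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t ${{ inputs.image-name }}:${{ github.sha }} .
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ inputs.image-name }}:${{ github.sha }}
          severity: HIGH,CRITICAL
          exit-code: "1"                      # block on HIGH or worse, matching the merge policy
```

The `build-test-lint` and `dependency-and-secret-scan` jobs have no `needs` relationship, so they run concurrently; `sbom` and `container-scan` wait only for the build. Repos that do not ship a container leave `image-name` empty and the scan job is skipped. Once the template is tagged `v1`, changing the scanner set or the severity threshold happens in this one file, and the per-repo `ci` workflow from the page stays a five-line caller.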
Definition of Done
- CI policy documented and enforced on protected branch
- Standard pipeline template adopted
- Security scanning runs automatically
- Artifacts are versioned and stored
- Practice integrated into team workflow
Metrics
- Build time (p50/p95)
- CI success rate
- Flaky test rate
- Deployment frequency
- Change failure rate
Failure modes
Ownership
- Own pipeline templates
- Operate registries and runners
- Support adoption
- Adopt templates
- Fix broken builds quickly
- Keep dependencies current
What good looks like (by org scale)
- Build/test/lint + basic scanning on every PR
- SBOM + image scanning
- Artifact promotion pipeline
- Signed artifacts + provenance
- Central dashboards + policy packs
References
Resources
Templates and related materials for this kit.
Related capabilities
Capabilities tracked under this epic in the roadmap.
- CI Pipeline Template: >= 90% of repos use org-wide CI template with lint, test, build, scan stages.
- Artifact Versioning: 100% of builds produce semantically versioned artifacts (semver) pushed to artifact registry.
- SBOM Generation: >= 80% of builds generate Software Bill of Materials (SBOM) in SPDX or CycloneDX format.
- Automated Security Scanning: 100% of builds run SAST (code scan) and SCA (dependency scan) with >= HIGH severity blocking merge.
- Secrets Detection: >= 95% of commits scanned for leaked secrets (API keys, passwords) pre-commit and in CI.
- Fast Feedback Loop: >= 80% of CI pipeline runs complete in < 10 minutes from commit to pass/fail result.
Related kits
Other kits in the same milestone or with similar DORA impact.