---
name: cicd-pipelines
description: Multi-platform CI/CD pipeline expertise. Generates GitHub Actions, GitLab CI, Jenkins and Azure Pipelines configurations. Analyzes failures, optimizes execution time, validates syntax, configures matrix builds and caching strategies.
allowed-tools: Bash(*) Read Write Edit Glob Grep WebFetch
metadata:
  author: babysitter-sdk
  version: "1.0.0"
  category: cicd
  backlog-id: SK-004
---

# cicd-pipelines

You are cicd-pipelines, a skill specializing in multi-platform CI/CD pipeline expertise. It provides comprehensive capabilities for designing, implementing and optimizing continuous integration and deployment pipelines.
## Overview

This skill supports AI-driven CI/CD operations, including:

- Generating GitHub Actions, GitLab CI, Jenkins and Azure Pipelines configurations
- Analyzing pipeline failures and proposing fixes
- Optimizing pipeline execution time
- Validating pipeline syntax and security
- Configuring matrix builds and parallelization
- Setting up artifact caching strategies
## Prerequisites

- Access to the CI/CD platform (GitHub, GitLab, Jenkins, Azure DevOps)
- Write permission on the repository for workflow files
- Optional: platform-specific CLI tools (gh, glab, az)
## Capabilities

### 1. GitHub Actions

Generate and optimize GitHub Actions workflows:

```yaml
name: CI/CD Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least-privilege default for the GITHUB_TOKEN; jobs that need more request it explicitly
permissions:
  contents: read

env:
  NODE_VERSION: '20'
  REGISTRY: ghcr.io
  # ghcr.io requires lowercase image names; normalize if the repository name has capitals
  IMAGE_NAME: ${{ github.repository }}

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node: [18, 20, 22]
    steps:
      - uses: actions/checkout@v4
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node }}
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      - name: Run tests
        run: npm test -- --coverage
      - name: Upload coverage
        uses: codecov/codecov-action@v4
        if: matrix.node == 20
        with:
          # codecov-action v4 needs a repository token except for fork PRs on public repos
          token: ${{ secrets.CODECOV_TOKEN }}

  build:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to the container registry
        uses: docker/login-action@v3
        # No push happens on pull requests, so no login is needed there
        # (and a fork's token would be read-only anyway)
        if: github.event_name != 'pull_request'
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  deploy:
    needs: build
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    environment: production
    steps:
      - name: Deploy to production
        run: |
          echo "Deploying ${{ github.sha }}"
```
### 2. GitLab CI

Generate GitLab CI/CD configuration:

```yaml
stages:
  - test
  - build
  - deploy

variables:
  DOCKER_TLS_CERTDIR: "/certs"

.node-cache: &node-cache
  cache:
    key:
      files:
        - package-lock.json
    paths:
      - node_modules/
    policy: pull-push

test:
  stage: test
  image: node:20
  <<: *node-cache
  script:
    - npm ci
    - npm test -- --coverage
  coverage: '/All files[^|]*\|[^|]*\s+([\d\.]+)/'
  artifacts:
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage/cobertura-coverage.xml

build:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  before_script:
    # --password-stdin keeps the registry token out of the process list and the job log;
    # `docker login -p` exposes it in both
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

deploy-production:
  stage: deploy
  environment:
    name: production
    url: https://app.example.com
  script:
    - echo "Deploying to production"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual
```
### 3. Jenkins Pipeline

Generate a Jenkinsfile:

```groovy
pipeline {
    agent any

    environment {
        DOCKER_REGISTRY = 'registry.example.com'
        IMAGE_NAME = 'myapp'
    }

    options {
        timeout(time: 30, unit: 'MINUTES')
        buildDiscarder(logRotator(numToKeepStr: '10'))
        disableConcurrentBuilds()
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('Test') {
            agent {
                docker {
                    image 'node:20'
                    // Reuse the agent's npm cache across builds
                    args '-v $HOME/.npm:/root/.npm'
                }
            }
            steps {
                sh 'npm ci'
                sh 'npm test'
            }
            post {
                always {
                    // Assumes the test runner writes JUnit XML under test-results/
                    junit 'test-results/**/*.xml'
                }
            }
        }

        stage('Build') {
            steps {
                script {
                    docker.build("${DOCKER_REGISTRY}/${IMAGE_NAME}:${env.BUILD_NUMBER}")
                }
            }
        }

        stage('Push') {
            when {
                branch 'main'
            }
            steps {
                script {
                    // 'docker-credentials' is a username/password credential stored in Jenkins
                    docker.withRegistry("https://${DOCKER_REGISTRY}", 'docker-credentials') {
                        def image = docker.image("${DOCKER_REGISTRY}/${IMAGE_NAME}:${env.BUILD_NUMBER}")
                        image.push()
                        image.push('latest')
                    }
                }
            }
        }

        stage('Deploy') {
            when {
                branch 'main'
            }
            steps {
                echo "Deploying build ${env.BUILD_NUMBER}"
            }
        }
    }

    post {
        failure {
            emailext(
                subject: "Pipeline failed: ${env.JOB_NAME}",
                body: "Check the console output: ${env.BUILD_URL}",
                recipientProviders: [developers(), requestor()]
            )
        }
    }
}
```
### 4. Azure Pipelines

Generate Azure DevOps pipeline configuration:

```yaml
trigger:
  branches:
    include:
      - main
      - develop

pool:
  vmImage: 'ubuntu-latest'

variables:
  - group: production-variables
  - name: imageRepository
    value: 'myapp'
  - name: containerRegistry
    value: 'myregistry.azurecr.io'

stages:
  - stage: Build
    displayName: 'Build and Test'
    jobs:
      - job: Test
        displayName: 'Run tests'
        steps:
          - task: NodeTool@0
            inputs:
              versionSpec: '20.x'
          - script: npm ci
            displayName: 'Install dependencies'
          - script: npm test -- --ci --reporters=default --reporters=jest-junit
            displayName: 'Run tests'
          - task: PublishTestResults@2
            inputs:
              testResultsFormat: 'JUnit'
              testResultsFiles: 'junit.xml'

      - job: Build
        displayName: 'Build container'
        dependsOn: Test
        steps:
          - task: Docker@2
            inputs:
              # 'acr-connection' is the Docker registry service connection in Azure DevOps
              containerRegistry: 'acr-connection'
              repository: '$(imageRepository)'
              command: 'buildAndPush'
              Dockerfile: '**/Dockerfile'
              tags: |
                $(Build.BuildId)
                latest

  - stage: Deploy
    displayName: 'Deploy to production'
    dependsOn: Build
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
    jobs:
      - deployment: DeployProd
        environment: 'production'
        strategy:
          runOnce:
            deploy:
              steps:
                - script: echo "Deploying to production"
```
### 5. Pipeline optimization

Optimization strategies:

Caching:

```yaml
# Cache strategy
- uses: actions/cache@v4
  with:
    path: |
      ~/.npm
      node_modules
    # If node_modules is cached, include the Node version in the key as well,
    # otherwise native modules built for one version are restored into another
    key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
    restore-keys: |
      ${{ runner.os }}-node-
```

Parallelization:

```yaml
# Parallelization
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        shard: [1, 2, 3, 4]
    steps:
      - run: npm test -- --shard=${{ matrix.shard }}/4
```

Conditional execution:

```yaml
# Conditional execution
- name: Deploy
  if: github.event_name == 'push' && github.ref == 'refs/heads/main'
  run: echo "Deploying ${{ github.sha }}"
```
### 6. Security scanning

Integrate security scanning:

```yaml
- name: Run Trivy vulnerability scanner
  # @master is a mutable ref; pin to a release tag or a full commit SHA in production
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
    format: 'sarif'
    output: 'trivy-results.sarif'
- name: Upload Trivy scan results
  # The job needs `security-events: write` in its permissions for this upload
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: 'trivy-results.sarif'
```
## MCP server integration

This skill can make use of the following MCP servers:

| Server | Description | Install |
|---|---|---|
| GitHub MCP Server | Official GitHub integration | GitHub |
| Azure DevOps MCP | Official Azure DevOps support | GitHub |
| claude-code-for-gitlab | GitLab CI/CD integration | GitHub |
## Best practices

### Pipeline design

- Fast feedback - run the quick tests first
- Fail fast - stop on the first failure where appropriate
- Idempotency - pipelines should be safe to re-run
- Parallelization - use matrix builds and parallel jobs
- Caching - cache dependencies and build artifacts
### Security

- Least privilege - grant tokens the minimum permissions they need
- Secrets management - use the platform's secret store
- Dependency scanning - scan dependencies for vulnerabilities
- Image scanning - scan container images
- OIDC - prefer OIDC federation over long-lived tokens
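An added example, not one of the skill's own templates, showing the security points above applied to a GitHub Actions deploy job: an empty workflow-level `permissions` block so every job starts with no token scopes, job-level `contents: read` and `id-token: write`, and federation to AWS through OIDC with `aws-actions/configure-aws-credentials` so no long-lived access key is stored as a secret. The role ARN, account ID, region, bucket and repository names are placeholders.

```yaml
name: Deploy via OIDC

on:
  push:
    branches: [main]

# Grant nothing by default; each job requests only the scopes it needs
permissions: {}

# One production deploy at a time; do not cancel a deploy that is half-way through
concurrency:
  group: deploy-production
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production      # add required reviewers on this environment
    timeout-minutes: 20
    permissions:
      contents: read             # check out the repository
      id-token: write            # request a short-lived OIDC token for the cloud provider
    steps:
      # In production, pin actions to a reviewed full-length commit SHA instead of a
      # tag; tags are kept here only to keep the example readable
      - uses: actions/checkout@v4

      - name: Assume the deploy role with OIDC (no AWS keys in secrets)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Placeholder role. Its trust policy must restrict the token's `sub` claim to
          # this repository and branch, e.g. repo:example-org/example-app:ref:refs/heads/main
          role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
          role-session-name: gha-${{ github.run_id }}
          aws-region: us-east-1

      - name: Deploy
        # Placeholder deploy step; the session credentials expire with the job
        run: aws s3 sync ./dist "s3://example-app-static-site" --delete
```

The trust policy on the IAM role is what actually enforces the boundary: it must require `token.actions.githubusercontent.com:aud` to equal `sts.amazonaws.com` and match `token.actions.githubusercontent.com:sub` against the repository and branch (or the `environment:production` claim); a policy that only checks the issuer lets any GitHub repository assume the role.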
### Optimization

- Incremental builds - rebuild only what changed
- Docker layer caching - order the Dockerfile for cache hits
- Artifact reuse - share artifacts between jobs
- Right-sizing - size runners/agents to the workload
## Process integration

This skill integrates with the following processes:

- `cicd-pipeline-setup.js` - initial pipeline configuration
- `pipeline-optimization.js` - performance tuning
- `security-scanning.js` - security integration
## Output format

When performing an operation, provide structured output:

```json
{
  "operation": "generate-pipeline",
  "platform": "github-actions",
  "status": "success",
  "workflow": {
    "name": "CI/CD Pipeline",
    "jobs": 3,
    "stages": ["test", "build", "deploy"]
  },
  "optimizations": [
    "Added dependency caching",
    "Enabled parallel test execution",
    "Configured Docker layer caching"
  ],
  "artifacts": [".github/workflows/ci.yml"]
}
```
## Constraints

- Validate workflow syntax before committing
- Test in a non-production environment first
- Document every environment variable and secret
- Include timeout configuration
- Add failure notifications
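An added example, not part of the skill's templates, that turns the constraints above into a workflow: `actionlint` (run from its official Docker image) validates every workflow file before anything else runs, each job carries `timeout-minutes`, staging is deployed before production with `environment` protection rules gating the latter, and a final job posts to a webhook when any earlier job fails. The `ALERT_WEBHOOK_URL` secret name and the echo deploy steps are placeholders.

```yaml
name: Pipeline guardrails

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read

jobs:
  lint-workflows:
    # Fails the run on any syntax, schema or expression error in .github/workflows/*.yml
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4
      - name: Run actionlint
        run: docker run --rm -v "${PWD}:/repo" --workdir /repo rhysd/actionlint:latest -color

  deploy-staging:
    needs: lint-workflows
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    environment: staging
    timeout-minutes: 15
    steps:
      - run: echo "Deploying ${{ github.sha }} to staging"     # placeholder deploy step

  deploy-production:
    needs: deploy-staging
    runs-on: ubuntu-latest
    environment: production      # configure required reviewers on this environment
    timeout-minutes: 15
    steps:
      - run: echo "Deploying ${{ github.sha }} to production"  # placeholder deploy step

  notify-on-failure:
    # failure() is true when any job this one depends on (directly or transitively) failed;
    # skipped jobs do not count, so a green pull request run sends nothing
    needs: [lint-workflows, deploy-staging, deploy-production]
    if: failure()
    runs-on: ubuntu-latest
    timeout-minutes: 2
    steps:
      - name: Post to the alert webhook
        env:
          WEBHOOK_URL: ${{ secrets.ALERT_WEBHOOK_URL }}   # placeholder secret name
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          curl -sS -X POST -H 'Content-Type: application/json' \
            --data "{\"text\":\"Pipeline failed: ${GITHUB_WORKFLOW} (${RUN_URL})\"}" \
            "$WEBHOOK_URL"
```

Passing the webhook URL and run URL through `env:` rather than interpolating `${{ }}` directly into the shell line keeps the script free of expression injection and keeps the secret out of the rendered command.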