Productify

Appearance

ci

Manage CI/CD pipeline templates for your projects.

Synopsis

bash
pfy ci <subcommand> [flags]

Description

The CI/CD management commands help you generate production-ready pipeline configuration templates for continuous integration and delivery workflows. These templates are embedded into the CLI binary and based on the actual CI/CD workflows used by ProductifyFW components, ensuring they follow best practices.

The command can read configuration from project.yaml (created with pfy init), allowing you to run without repetitive flags.

Subcommands

  • update - Generate CI/CD pipeline templates

ci update

Generate CI/CD pipeline templates for your project.

Usage

bash
pfy ci update [--type <platform>] [--language <lang>] [--output <directory>] [flags]

Configuration Priority

Values are resolved in this order:

  1. CLI flags (highest priority)
  2. project.yaml file
  3. Auto-detection (e.g., from go.mod)
  4. Defaults (lowest priority)

With project.yaml:

bash
# Run `pfy init` once
pfy init --name my-app

# Then just specify output
pfy ci update --output .github/workflows/ci.yml

Without project.yaml:

bash
pfy ci update --type github --language go --project-name my-app --output .github

Flags

FlagDefaultDescription
--typegithubCI/CD platform type (github or gitlab)
--language(detect)Project language (go or node) - auto-detected
--project-name(detect)Project name - auto-detected from directory
--registryghcr.ioDocker registry URL
--image-name(detect)Docker image name - defaults to project name
--output(varies)Output directory path for the CI templates
--with-dependabotfalseGenerate Dependabot/Renovate configuration

Default output paths:

  • GitHub: .github
  • GitLab: . (current directory)

Examples

Using project.yaml (recommended):

bash
# Initialize project once
pfy init --name my-service --language go

# Generate templates (reads from project.yaml)
pfy ci update

Generate GitHub Actions workflows (auto-detect language):

bash
pfy ci update
# or explicitly
pfy ci update --type github

Creates:

  • .github/workflows/ci.yml - Main CI pipeline
  • .github/workflows/release.yml - Release workflow
  • Dockerfile - Optimized multi-stage Dockerfile

Generate with dependency management:

bash
pfy ci update --with-dependabot

Additionally creates:

  • .github/dependabot.yml - Automated dependency updates

Generate for specific language:

bash
pfy ci update --language node --project-name my-api

Generate GitLab CI configuration:

bash
pfy ci update --type gitlab --with-dependabot

Creates:

  • .gitlab-ci.yml - GitLab CI pipeline
  • renovate.json - Renovate Bot configuration (if --with-dependabot)
  • Dockerfile - Optimized multi-stage Dockerfile

Custom registry and image name:

bash
pfy ci update --registry docker.io --image-name myorg/myapp

Output 

Created CI workflow: .github/workflows/ci.yml
Created release workflow: .github/workflows/release.yml
Created Dockerfile: Dockerfile

CI/CD templates generated successfully!
Language: go
Project: my-project
Registry: ghcr.io
Image: ghcr.io/my-project

Supported Platforms

GitHub Actions

Generates workflow files in .github/workflows/ and optional configuration:

ci.yml - Main CI Pipeline:

  • Triggered on push to main and pull requests
  • Gitleaks job: Secret scanning to prevent credential leaks
  • Lint-and-test job: Language-specific linting and testing with coverage (golangci-lint for Go, npm for Node.js)
  • Build-and-scan job: Docker build with Trivy vulnerability scanning (fails on CRITICAL/HIGH)
  • Push-multiarch job: Multi-platform image push to registry (main branch only, linux/amd64 + linux/arm64)

release.yml - Release Workflow:

  • Triggered on version tags (v*)
  • Uses GoReleaser for cross-platform binary builds
  • Automatic GitHub release creation
  • Multi-architecture support (amd64, arm64)

GitLab CI/CD

Generates .gitlab-ci.yml with production-ready pipeline:

Pipeline stages:

  • security - Gitleaks secret scanning
  • test - Language-specific linting and testing with coverage
  • build - Docker image build
  • scan - Trivy security scanning
  • deploy - Image push to registry (main branch and tags)

Optional: renovate.json for automated dependency updates (with --with-dependabot)

Template Features

Multi-Language Support

Templates automatically adapt based on detected or specified language:

Go Projects:

  • golangci-lint for code quality
  • go test with race detection and coverage
  • GoReleaser for multi-platform binary releases
  • Optimized multi-stage Dockerfile with scratch base image

Node.js Projects:

  • npm-based linting and testing
  • Code coverage with standard npm test
  • npm build for production releases
  • Node.js Alpine-based Dockerfile with health checks

Security Features

Gitleaks Secret Scanning:

  • Runs on every push and pull request
  • Prevents credential leaks before they reach production
  • Scans entire git history

Trivy Vulnerability Scanning:

  • Scans Docker images for vulnerabilities
  • Fails build on CRITICAL or HIGH severity issues
  • Table output format for easy reading
  • No external service dependencies

Build Features

Docker Multi-Platform Builds:

  • Supports linux/amd64 and linux/arm64
  • GitHub Actions cache for faster builds
  • Optimized multi-stage Dockerfiles
  • Minimal final image sizes

Continuous Integration:

  • Language-specific linting
  • Automated testing with coverage
  • Build verification
  • Automated image pushing on main branch

Dependency Management (Optional)

Dependabot (GitHub):

  • Weekly automated dependency updates
  • Separate tracking for language packages, Docker, and GitHub Actions
  • Configurable pull request limits
  • Custom commit message prefixes

Renovate (GitLab):

  • Automated dependency updates with automerge rules
  • Minor/patch updates auto-merged
  • Major updates require manual review
  • Security updates prioritized and auto-merged

Workflow Examples

Initial CI Setup for GitHub

bash
# Navigate to your project
cd my-project

# Generate CI/CD templates
pfy ci update

# Or with dependency management
pfy ci update --with-dependabot

# Review the generated files
ls -la .github/workflows/
cat .github/workflows/ci.yml

# Commit to repository
git add .github/ Dockerfile
git commit -m "Add CI/CD workflows"
git push

Initial CI Setup for GitLab

bash
# Navigate to your project
cd my-project

# Generate GitLab CI configuration
pfy ci update --type gitlab --with-dependabot

# Review the generated files
cat .gitlab-ci.yml
cat renovate.json

# Commit to repository
git add .gitlab-ci.yml renovate.json Dockerfile
git commit -m "Add GitLab CI/CD pipeline"
git push

Multi-Registry Setup

bash
# For Docker Hub
pfy ci update --registry docker.io --image-name myorg/myapp

# For AWS ECR
pfy ci update --registry 123456789.dkr.ecr.us-east-1.amazonaws.com --image-name myapp

# For custom registry
pfy ci update --registry registry.example.com --image-name company/project

Template Customization

The generated templates are production-ready but can be customized:

Common Customizations

Change Go version:

bash
# Regenerate with custom Go version by editing render.go DefaultConfig
# or manually edit .github/workflows/ci.yml:
go-version: '1.22.0'

Change Node.js version:

bash
# Regenerate with custom Node version or edit manually:
node-version: '22'

Add more Docker platforms:

yaml
# In .github/workflows/ci.yml, modify platforms:
platforms: linux/amd64,linux/arm64,linux/arm/v7

Use different registry:

bash
# Regenerate with custom registry
pfy ci update --registry registry.example.com --image-name myapp

Customize build context:

yaml
# Modify context path if Dockerfile is in subdirectory:
context: ./services/api

Best Practices

Security

  • Use the generated Gitleaks configuration to prevent secret leaks
  • Let Trivy fail builds on critical vulnerabilities
  • Store registry credentials as CI/CD secrets, never in code
  • Enable Dependabot/Renovate for automated security updates
  • Review dependency update PRs before merging

Docker Images

  • Use multi-stage builds (automatically generated)
  • Keep base images minimal (scratch for Go, alpine for Node.js)
  • Tag images with both SHA and semantic versions
  • Use registry-specific credentials and access controls
  • Enable Docker layer caching for faster builds

CI/CD Workflows

  • Run tests before building Docker images
  • Use separate workflows for CI and releases
  • Only push images from main branch or tags
  • Enable branch protection requiring CI to pass
  • Review generated templates before committing

Dependency Management

  • Use --with-dependabot for automated updates
  • Configure automerge for minor/patch updates
  • Manually review major version updates
  • Keep CI/CD workflows and Docker base images updated
  • Monitor security advisories
  • Go module caching
  • golangci-lint configuration
  • Cross-platform builds
  • Docker multi-arch builds

See Also

Workflow Examples

Initial CI Setup

bash
# For GitHub repository
cd my-project
pfy ci --type github update

# Commit the generated workflow files
git add .github/
git commit -m "Add CI/CD workflows"
git push

Updating Existing CI

bash
# Update GitLab CI configuration
pfy ci --type gitlab update

# Review changes
git diff .gitlab-ci.yml

# Commit if satisfactory
git add .gitlab-ci.yml
git commit -m "Update CI/CD pipeline template"
git push

CI/CD in Development Workflow

bash
# Update CI template before major version
pfy ci update

# The CI pipeline will now:
# 1. Run tests on every push
# 2. Bump version automatically
# 3. Deploy to dev environment on main branch
# 4. Deploy to prod on tagged releases

Generated CI Features

Automatic Version Bumping

The CI templates include automatic semantic versioning:

  • Patch version (1.0.x): For regular commits to main
  • Minor version (1.x.0): For commits with feat: prefix
  • Major version (x.0.0): For commits with BREAKING CHANGE: in body

Dependency Management

  • Automatic dependency vulnerability scanning
  • Outdated dependency detection
  • Security advisory notifications

Environment Deployments

Automatic deployments based on branch:

BranchEnvironmentTrigger
developdevOn push
mainqaOn push
TagprodOn version tag create

Testing

  • Unit tests on every push
  • Integration tests before deployment
  • Code coverage reporting
  • Performance benchmarks

GitHub Actions Template

Example generated .github/workflows/main.yml:

yaml
name: CI/CD Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  release:
    types: [created]

env:
  PFY_MANAGER_URL: ${{ secrets.PFY_MANAGER_URL }}
  PFY_MANAGER_TOKEN: ${{ secrets.PFY_MANAGER_TOKEN }}

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup environment
        run: |
          # Install pfy CLI
          curl -sSL https://get.productify.dev/cli | sh
      - name: Build
        run: |
          # Build steps
          pfy module init --name ${{ github.repository }}
      - name: Run tests
        run: |
          pfy test

  deploy:
    needs: build
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to dev
        run: |
          pfy deploy --env dev --ci

GitLab CI Template

Example generated .gitlab-ci.yml:

yaml
stages:
  - build
  - test
  - deploy

variables:
  PFY_MANAGER_URL: $PFY_MANAGER_URL
  PFY_MANAGER_TOKEN: $PFY_MANAGER_TOKEN

before_script:
  - curl -sSL https://get.productify.dev/cli | sh
  - export PATH="$PATH:$HOME/.pfy/bin"

build:
  stage: build
  script:
    - pfy module init --name $CI_PROJECT_NAME
  artifacts:
    paths:
      - dist/

test:
  stage: test
  script:
    - pfy test
  coverage: '/Coverage: \d+\.\d+%/'

deploy_dev:
  stage: deploy
  script:
    - pfy release --ci
    - pfy deploy --env dev --ci
  only:
    - develop

deploy_qa:
  stage: deploy
  script:
    - pfy release --ci
    - pfy deploy --env qa --ci
  only:
    - main

deploy_prod:
  stage: deploy
  script:
    - pfy deploy --env prod --ci
  only:
    - tags
  when: manual

See Also