DevSecOps CI CD Proposal - saayam-for-all/devsecops GitHub Wiki

The following is the proposed flow for our CI/CD using GitHub Actions.


Webapp Repo CI/CD Pipelines with

We are using the following CI/CD pipelines in our webapp repo to build our web application, which is where the main code for Saayam For All lives.

  • When code is pushed to the "test" branch of the "webapp" repo, it is built and pushed to Netlify, and the changes are visible on the test-saayam.netlify.app site. You DO NOT need any approvals to merge your changes into the test branch. After pushing your code, make sure the test branch compiles cleanly and that your changes appear correctly on the test site.
  • When code is pushed to the "dev" branch of the "webapp" repo, it is built and pushed to Netlify, and the changes are visible on the dev-saayam.netlify.app site. Merging any changes to the dev site requires two code reviews and 90% code coverage. After merging your changes, verify them on the dev site.
  • When code is pushed to the "main" branch of the "webapp" repo, it is built and pushed to Netlify, and the changes are visible on the saayam.netlify.app site. Only team leads move code from the dev branch to the main branch, with a minimum of two approvals and 90% code coverage. After pushing the changes, verify them on our main site.
  • We also have one more domain for the code pushed to AWS S3: https://test.help-for-everyone.org/. Use this site to test code that has been moved to AWS S3 before it moves to our production site.
  • Finally, the code moves to production in AWS S3. Test this using our production site: https://saayamforall.org/
  • If you create a local branch, it should follow a specific naming convention: yourname_feature/bug detail_GitHubIssueNum

Branching Strategy Diagram

At the repository level on GitHub, for Java- or Python-based projects, deployment takes place in the following format. Our pipeline is designed to keep environments clearly separated while ensuring code quality, test coverage, and stable deployments.

| Environment | Branch / Platform | Deployment Target | Owner / Responsibility |
|---|---|---|---|
| Production | main → AWS S3 | saayamforall.org | DevOps Team only |
| Staging / QA | aws-s3-test → AWS S3 | test.help-for-everyone.org | QA + DevOps |
| Development | dev → Netlify | dev-saayam.netlify.app | Leads + DevOps |
| Testing | test → Netlify | test-saayam.netlify.app | Developers (no approvals required) |
| Feature / Bug Branches | yourname_feature/bug-detail_GitHubIssueNum | Local builds / PR validation | Individual Developers |

Note: Only team leads and DevOps members can promote code from dev to main, once it meets the approval and coverage requirements.

Explanation of Flow: The goal is to have thoroughly tested code in production: help developers build a new feature or bug fix quickly, test it quickly in the Test branch without waiting for approvals, improve code quality with good coverage by adding more unit tests, and keep the code in the Dev branch good and stable.

  1. Developers create feature or bug branches from the Dev branch and develop the feature or bug fix locally on that base, saving progress on a Git branch named in the 'yourname_feature/bug-detail_GitHubIssueNum' format.
  2. Compile and make sure that the code you took from the Dev branch builds. Then start working on your task to complete your feature or bug fix.
  3. Once your development work is complete, refresh your local branch from the Test branch. After the refresh, make sure the code in your local branch builds.
  4. Then push your code to the Test branch for testing. You do NOT need any approvals to merge your code into the Test branch. Make sure your changes work as expected.
  5. Then continue adding unit test cases for your work in your local branch. Make sure you reach good code coverage, at least 90%.
  6. Then refresh your local branch from the Dev branch, make sure it builds, and confirm once more that your feature works.
  7. Then raise a pull request to merge your code into the Dev branch. Get your changes reviewed by at least two people.
  8. After getting the approvals, merge your code into the Dev branch. Make sure the build on the Dev branch succeeds with your new code.
  9. Subsequently, leads push the code from the Dev branch to the main branch from time to time. Test the code in the main branch.
  10. Then the leads or the DevOps team push the code from the main branch to our AWS S3 bucket for deployment.
  11. The DevOps team pushes the code into production based on our release guidelines.

Automation and CI/CD Integration Proposal

  • Builds are automated via GitHub Actions.
  • Testing workflows trigger on each push to test, dev, or main.
  • SonarQube integration scans repositories for code quality metrics and vulnerabilities.
  • Playwright tests run on QA before any code is promoted to staging or production.
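As an added example (not a workflow from the saayam-for-all repositories), one GitHub Actions workflow that implements the triggers and gates described in the flow and automation sections above: build on pushes to test, dev and main, the branch naming check and the 90% coverage gate on pull requests into dev, a SonarQube scan, and a per-branch Netlify deploy. It assumes a Node webapp built with `npm run build`, Jest's json-summary coverage reporter, the pinned action versions shown, and repository secrets named SONAR_TOKEN, SONAR_HOST_URL, NETLIFY_AUTH_TOKEN and NETLIFY_SITE_MAIN/DEV/TEST; the two-reviewer rule is a branch protection setting that lists this workflow as a required check, not a step in it.

```yaml
name: webapp-ci-cd
on:
  push:
    branches: [test, dev, main]
  pull_request:
    branches: [dev]
permissions:
  contents: read            # least privilege: the workflow only reads the repo
jobs:
  build-test-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # full history so SonarQube can attribute new code
      # Enforce the wiki's naming convention on PRs into dev. The branch name goes
      # through an env var, never into the script text, so it cannot inject commands.
      - name: Check branch name
        if: github.event_name == 'pull_request'
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          if ! [[ "$HEAD_REF" =~ ^[a-z0-9]+_(feature|bug)/[A-Za-z0-9-]+_[0-9]+$ ]]; then
            echo "branch must be named yourname_feature/bug-detail_GitHubIssueNum"; exit 1
          fi
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm run build
      # The 90% gate. Assumes Jest writes coverage/coverage-summary.json (assumption).
      - name: Unit tests with coverage gate
        run: |
          npm test -- --coverage --coverageReporters=json-summary
          pct=$(node -p "require('./coverage/coverage-summary.json').total.lines.pct")
          awk -v p="$pct" 'BEGIN { exit (p >= 90) ? 0 : 1 }'
      - name: SonarQube scan
        uses: sonarsource/sonarqube-scan-action@v4   # assumed pinned version
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
      # Pushes (not PRs) deploy to the Netlify site for that branch; the site ids are
      # assumed repository secrets. main -> S3 remains a manual DevOps step.
      - name: Deploy to Netlify
        if: github.event_name == 'push'
        env:
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
          NETLIFY_SITE_ID: ${{ github.ref_name == 'main' && secrets.NETLIFY_SITE_MAIN || github.ref_name == 'dev' && secrets.NETLIFY_SITE_DEV || secrets.NETLIFY_SITE_TEST }}
        run: npx netlify-cli deploy --dir=build --prod
```

A pull request that fails the naming check or the coverage gate cannot be merged once branch protection on dev requires this workflow as a status check alongside the two approvals.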

For the current status of automation progress, see: https://github.com/saayam-for-all/devsecops/wiki/DevSecOps-Dashboard