Lab 7: CI/CD Pipeline

Difficulty: Intermediate · Estimated time: ~3 hours

Objective

For your Week 2 ChatBot, add:

  1. GitHub Actions pipeline (lint → test → build → push → deploy)
  2. Docker multi-stage build
  3. Branch protection rules
  4. NeMo Guardrails integration
  5. Secret scanning

Step 1 — GitHub Actions workflow

```yaml
name: CI/CD Pipeline

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: '3.11' }
      - run: pip install ruff && ruff check .

  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: '3.11' }
      - run: pip install -r requirements.txt
      - run: pytest tests/ -v --cov

  build:
    needs: [lint, test]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # GITHUB_TOKEN needs this to push to ghcr.io
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  deploy:
    needs: build
    runs-on: ubuntu-latest
    environment: production
    permissions:
      contents: read
      id-token: write   # keyless auth to Google Cloud via Workload Identity Federation
    steps:
      - uses: actions/checkout@v4
      # gcloud must be authenticated before `gcloud run deploy` can run. These two
      # steps obtain short-lived credentials; the two secret names are placeholders
      # for your project's provider and service account.
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
      - uses: google-github-actions/setup-gcloud@v2
      # Note: Cloud Run pulls images from Artifact Registry or Docker Hub, not from
      # ghcr.io, so the image also needs to be available in one of those registries.
      # A value passed via --set-env-vars is visible to anyone who can view the
      # service; --set-secrets with Secret Manager keeps the key out of the config.
      - run: |
          gcloud run deploy tds-chatbot \
            --image ghcr.io/${{ github.repository }}:${{ github.sha }} \
            --region asia-south1 \
            --set-env-vars OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}
```
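Objective item 5, secret scanning, has no step of its own on this page. The following is an added example, not course code and not the lab author's, of a small scanner that can run as a pre-commit hook or as a pipeline job before `lint`, so a committed key fails the build instead of reaching the registry or Cloud Run. The token formats, the entropy threshold, the file name `scan_secrets.py` and the sample config are constructed for illustration; a real pipeline would use a maintained tool such as gitleaks or GitHub's built-in secret scanning, which cover far more formats.

```python
"""Secret scanning check for the lab pipeline.

Added example for this lab, not part of the course material. Runs as a
pre-commit hook or as a pipeline step ahead of `lint`; the token formats,
entropy threshold and sample input below are constructed for illustration.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Well-known credential formats. Each regex is anchored on a distinctive
# prefix so ordinary identifiers are not reported.
PATTERNS = {
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic fallback: NAME = "value" where NAME looks secret-ish and the value
# is long and random-looking (measured by Shannon entropy).
ASSIGNMENT = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|token|password|api_key|apikey)[A-Z0-9_]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_-]{16,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random keys sit well above this
SKIP_DIRS = {".git", ".venv", "node_modules", "__pycache__"}


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str  # masked, so the report itself never re-leaks the value


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or uniform strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep only the first and last four characters of a matched value."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str, path: str = "<stdin>") -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hits = [
            Finding(path, line_no, rule, mask(m.group(0)))
            for rule, rx in PATTERNS.items()
            for m in rx.finditer(line)
        ]
        # Only fall back to the entropy heuristic when no named format matched
        if not hits:
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                hits.append(Finding(path, line_no, "high_entropy_assignment", mask(m.group(2))))
        findings.extend(hits)
    return findings


def scan_paths(paths) -> list[Finding]:
    findings = []
    for root in paths:
        root = Path(root)
        files = [p for p in root.rglob("*") if p.is_file()] if root.is_dir() else [root]
        for p in files:
            if SKIP_DIRS & set(p.parts):
                continue
            findings.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return findings


# Constructed sample config; every value is fake and chosen for the demo.
SAMPLE_FILE = """\
# constructed sample config; every value below is fake
DEBUG = true
OPENAI_API_KEY = "sk-TESTabcdefghijklmnopqrstuvwxyz0123456789ABCD"
password = "hunter2"
AWS_ACCESS_KEY_ID = AKIATESTTESTTESTTEST
API_TOKEN = "q8Z2mK7vP3xW9rT4bN6yH1cL5dF0gJs"
ADMIN_PASSWORD = "aaaaaaaaaaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
"""


def main(argv: list[str]) -> int:
    findings = scan_paths(argv) if argv else scan_text(SAMPLE_FILE, "sample.env")
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}")
    # Non-zero exit fails the commit or the pipeline job
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python scan_secrets.py .` from the repository root, or with no arguments to scan the embedded sample, which reports the OpenAI-style key, the AWS access key id, the random-looking `API_TOKEN` value and the private-key header, and nothing else. Note what the heuristic misses by design: short or low-entropy values such as `hunter2` and the all-`a` password pass the entropy gate, which is why format-specific rules and a maintained rule set matter more than the entropy fallback.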

Step 2 — Multi-stage Dockerfile

```dockerfile
FROM python:3.11-slim AS builder
WORKDIR /build
COPY requirements.txt .
RUN pip install --no-cache-dir --user -r requirements.txt

FROM python:3.11-slim
RUN useradd --create-home appuser
WORKDIR /home/appuser/app
# Packages built as root are copied in root-owned, so the app user can read but not modify them
COPY --from=builder /root/.local /home/appuser/.local
COPY --chown=appuser:appuser app/ ./app/
USER appuser
ENV PATH=/home/appuser/.local/bin:$PATH
EXPOSE 8000
# python:3.11-slim does not ship curl, so the probe uses the standard library instead
HEALTHCHECK --interval=30s CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')" || exit 1
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
```

Submission

GitHub repo with the complete CI/CD setup, a screenshot of the branch protection rules, and the deployment URL

Grading rubric

Criterion                              Points
Pipeline runs end-to-end on push           25
Multi-stage Docker build works             20
Deploys to Cloud Run automatically         20
Branch protection enabled                  15
NeMo Guardrails integrated                 20
Total                                     100