name: cicd-pipeline-generator version: 1.0.0 description: | Configurable GitHub Actions workflow generator that produces complete CI/CD pipelines for any technology stack, including linting, testing, security scanning, and deployment. author: QuantQuiver AI R&D license: MIT
category: tooling tags:
- ci-cd
- github-actions
- devops
- automation
- testing
- deployment
- security-scanning
dependencies: skills: [] python: ">=3.9" packages: - pyyaml tools: - bash - code_execution
triggers:
- "generate CI/CD pipeline"
- "create GitHub Actions"
- "set up automated testing"
- "CI/CD workflow"
- "deployment pipeline"
- "continuous integration"
- "GitHub workflow"
CI/CD Pipeline Generator
Purpose
A configurable GitHub Actions workflow generator that produces complete CI/CD pipelines for any technology stack, including linting, testing, security scanning, and deployment stages.
Problem Space:
- Manual CI/CD setup is error-prone
- Security scanning often forgotten
- Inconsistent quality gates across projects
- Deployment strategies vary without standardization
Solution Approach:
- Stack detection and appropriate tool selection
- Configurable quality gates
- Built-in security scanning (SAST, dependency audit)
- Multi-environment deployment with approval gates
When to Use
- New project setup
- Adding CI/CD to legacy projects
- Standardizing pipelines across organization
- Security compliance requirements
- When asked to "set up automated testing"
- When deploying to staging/production
When NOT to Use
- Single-file scripts that don't need CI
- Projects with highly custom build processes (customize manually)
- When existing pipeline just needs minor tweaks
Core Instructions
Pipeline Architecture
┌─────────────────────────────────────────────────────────────────┐
│ CI/CD PIPELINE STRUCTURE │
├─────────────────────────────────────────────────────────────────┤
│ STAGE 1: CODE QUALITY │
│ ├── Linting (language-specific) │
│ ├── Formatting check │
│ └── Type checking │
├─────────────────────────────────────────────────────────────────┤
│ STAGE 2: SECURITY SCANNING │
│ ├── Dependency audit │
│ ├── SAST (static analysis) │
│ ├── Secret scanning │
│ └── Container scanning │
├─────────────────────────────────────────────────────────────────┤
│ STAGE 3: TESTING │
│ ├── Unit tests │
│ ├── Integration tests │
│ └── Coverage reporting │
├─────────────────────────────────────────────────────────────────┤
│ STAGE 4: BUILD │
│ ├── Application build │
│ ├── Docker image build │
│ └── Artifact upload │
├─────────────────────────────────────────────────────────────────┤
│ STAGE 5: DEPLOY │
│ ├── Staging (automatic) │
│ ├── Production (manual approval) │
│ └── Notifications │
└─────────────────────────────────────────────────────────────────┘
Stack Detection Rules
stack_detection:
python:
indicators:
- "requirements.txt"
- "pyproject.toml"
- "setup.py"
- "Pipfile"
tools:
lint: ["ruff", "flake8"]
format: ["black", "autopep8"]
type_check: ["mypy", "pyright"]
test: ["pytest", "unittest"]
security: ["bandit", "pip-audit", "safety"]
nodejs:
indicators:
- "package.json"
tools:
lint: ["eslint"]
format: ["prettier"]
type_check: ["tsc"] # if typescript
test: ["jest", "mocha", "vitest"]
security: ["npm audit", "snyk"]
go:
indicators:
- "go.mod"
tools:
lint: ["golangci-lint"]
format: ["gofmt"]
type_check: null # built-in
test: ["go test"]
security: ["gosec", "govulncheck"]
rust:
indicators:
- "Cargo.toml"
tools:
lint: ["clippy"]
format: ["rustfmt"]
type_check: null # built-in
test: ["cargo test"]
security: ["cargo-audit"]
Standard Procedures
1. Detect Technology Stack
Scan repository root for indicator files and determine primary language(s).
2. Configure Pipeline Options
class CICDConfig:
# Stack configuration
stacks: List[str] = ["python"]
python_version: str = "3.11"
node_version: str = "20"
# Quality gates
lint_enabled: bool = True
format_check: bool = True
type_check: bool = True
# Testing
test_enabled: bool = True
coverage_threshold: int = 60
# Security
security_scan: bool = True
dependency_audit: bool = True
secret_scanning: bool = True
container_scanning: bool = True
# Build
docker_build: bool = True
docker_registry: str = "ghcr.io"
# Deploy
deploy_enabled: bool = True
staging_auto_deploy: bool = True
production_approval: bool = True
3. Generate Workflow File
Output to .github/workflows/ci.yml
Decision Framework
Quality Gate Selection:
- Always include: linting, unit tests
- Production apps: add security scanning, type checking
- Open source: add coverage badges, multiple Python/Node versions
- Enterprise: add approval gates, audit logging
When to Use Matrix Builds:
- Testing library compatibility across versions
- Cross-platform applications
- Multiple Python/Node version support
Deployment Strategy:
- Staging first, then production
- Production requires manual approval
- Use environment protection rules
Templates
Complete Python Pipeline
name: CI/CD Pipeline
on:
push:
branches: [main, develop, 'feature/**']
pull_request:
branches: [main, develop]
workflow_dispatch:
inputs:
deploy_environment:
description: 'Environment to deploy to'
required: false
default: 'staging'
type: choice
options: [staging, production]
env:
PYTHON_VERSION: '3.11'
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
lint:
name: Lint & Format
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
- name: Install linting tools
run: pip install ruff black mypy
- name: Run Ruff
run: ruff check . --output-format=github
- name: Run Black
run: black --check --diff .
- name: Run mypy
run: mypy . --ignore-missing-imports
continue-on-error: true
security:
name: Security Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install security tools
run: pip install pip-audit bandit
- name: Dependency audit
run: pip-audit -r requirements.txt --strict
continue-on-error: true
- name: Run Bandit
run: bandit -r . -f json -o bandit-report.json || true
- name: Upload security report
uses: actions/upload-artifact@v4
with:
name: security-report
path: bandit-report.json
- name: Run Gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
test:
name: Tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
- name: Install dependencies
run: |
pip install -r requirements.txt
pip install pytest pytest-cov
- name: Run tests
run: pytest --cov=. --cov-report=xml --cov-fail-under=60
- name: Upload coverage
uses: codecov/codecov-action@v4
with:
files: coverage.xml
build:
name: Build Docker Image
runs-on: ubuntu-latest
needs: [lint, security, test]
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=sha,prefix=
type=ref,event=branch
type=semver,pattern={{version}}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
deploy-staging:
name: Deploy to Staging
runs-on: ubuntu-latest
needs: [build]
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop'
environment:
name: staging
url: https://staging.example.com
steps:
- uses: actions/checkout@v4
- name: Deploy to staging
run: echo "Deploy commands here"
- name: Health check
run: |
sleep 10
curl -f https://staging.example.com/health || exit 1
deploy-production:
name: Deploy to Production
runs-on: ubuntu-latest
needs: [build, deploy-staging]
if: github.ref == 'refs/heads/main'
environment:
name: production
url: https://example.com
steps:
- uses: actions/checkout@v4
- name: Deploy to production
run: echo "Production deploy commands here"
- name: Notify success
if: success()
run: echo "Deployment successful!"
- name: Notify failure
if: failure()
run: echo "Deployment failed!"
Node.js/TypeScript Pipeline
name: Node.js CI/CD
on:
push:
branches: [main]
pull_request:
branches: [main]
env:
NODE_VERSION: '20'
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- run: npm ci
- run: npm run lint
- run: npx tsc --noEmit
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- run: npm ci
- run: npm audit --audit-level=high
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- run: npm ci
- run: npm test -- --coverage --coverageThreshold='{"global":{"lines":60}}'
Examples
Example 1: Python Web Application
Input: "Generate CI/CD for my Flask API with Docker deployment"
Configuration Detected:
- Stack: Python (Flask)
- Build: Docker
- Deploy: Staging + Production
Output: Complete workflow with lint, security, test, build, and deploy jobs.
Example 2: Multi-Stack Monorepo
Input: "Set up CI for a repo with Python backend and React frontend"
Output: Separate job groups for Python and Node.js, parallel execution, unified deployment.
Validation Checklist
Before generating pipeline:
- Technology stack correctly detected
- All indicator files checked
- Security scanning included for production apps
- Coverage threshold appropriate for project maturity
- Docker registry permissions documented
- Environment protection rules noted
- Secrets requirements listed
Related Resources
- Skill:
repository-auditor- Pre-audit code before CI setup - Skill:
docker-stack-composer- Multi-service Docker configs - GitHub Actions Documentation: https://docs.github.com/en/actions
- Security scanning: Gitleaks, Trivy, Bandit
Changelog
1.0.0 (January 2026)
- Initial release
- Python, Node.js, Go, Rust support
- Security scanning integration
- Multi-environment deployment
- Coverage reporting