Linux Foundation group to help with Continuous Delivery. There’s a fair amount of tension between this group and the work happening in the CNCF, though both are doing good work.

Commit

  1. pre-push hooks to validate commit messages
  2. Contributor License Agreement checks

Merge

  1. Some folks have robots which do the merge for you

Build

  1. SBOM generation
  2. Ensure there are no CVEs in the transitive dependencies
  3. Validate unit tests pass
  4. Run contract tests
  5. Gather other quality metrics (sonar, coverage, etc)
  6. License validation
  7. Validate application configuration is within range (e.g. not requesting too many replicas)
  8. Infrastructure policy validation (not exposing endpoints publicly)
  9. Validate credentials aren’t in the code
  10. Has had code review
  11. Validate correct cryptographic signatures are in place (e.g. on commits and resulting binaries)
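
One way Build checks 7 and 8 could be gated, as an added example that is not from the discussion or any CDF project. It assumes manifests are rendered to JSON before the check runs; `MAX_REPLICAS` and the `example.com/allow-public` opt-in annotation are made-up values for illustration.

```python
import json

MAX_REPLICAS = 10                                # assumed limit, set per team
PUBLIC_SERVICE_TYPES = {"LoadBalancer", "NodePort"}  # treated as public by this check
# Constructed opt-in annotation, not a Kubernetes or vendor key.
ALLOW_PUBLIC = "example.com/allow-public"

def check_manifest(doc):
    """Return a list of policy violations for one Kubernetes object."""
    kind = doc.get("kind", "")
    meta = doc.get("metadata") or {}
    name = meta.get("name", "<unnamed>")
    spec = doc.get("spec") or {}
    problems = []
    if kind in {"Deployment", "StatefulSet", "ReplicaSet"}:
        replicas = spec.get("replicas", 1)       # Kubernetes defaults to 1
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(replicas, bool) or not isinstance(replicas, int) or replicas < 0:
            problems.append(f"{kind}/{name}: replicas must be a non-negative integer")
        elif replicas > MAX_REPLICAS:
            problems.append(f"{kind}/{name}: replicas {replicas} exceeds {MAX_REPLICAS}")
    if kind == "Service":
        svc_type = spec.get("type", "ClusterIP")  # Kubernetes default type
        allowed = (meta.get("annotations") or {}).get(ALLOW_PUBLIC) == "true"
        if svc_type in PUBLIC_SERVICE_TYPES and not allowed:
            problems.append(f"Service/{name}: type {svc_type} exposes an endpoint outside the cluster")
    return problems

def check_bundle(text):
    """Check a JSON manifest: a single object or a `kind: List` with items."""
    doc = json.loads(text)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [p for item in items for p in check_manifest(item)]

# Constructed sample input.
SAMPLE = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"}, "spec": {"replicas": 50}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "api"}, "spec": {"type": "LoadBalancer"}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "db"}, "spec": {"type": "ClusterIP"}},
]})

if __name__ == "__main__":
    violations = check_bundle(SAMPLE)
    for v in violations:
        print("POLICY:", v)
    raise SystemExit(1 if violations else 0)     # non-zero exit fails the build step
```
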

First deploy

  1. Budget analysis (ensure the change won’t trigger cloud cost overruns)
  2. Deployment windows (don’t push during certain times of day)
  3. Run end-to-end tests
  4. Performance benchmarking

Prod deploy

  1. Roll out via canary (e.g. small percentage of traffic at first, and ramp as we gain confidence)
  2. Monitor key health metrics

Release

Primarily used for libraries instead of first/prod deploy.

Thank you to the following folks who contributed to this discussion:


### look into shipa: https://shipa.io/
- [x] DONE
Completed: 2022-04-11 So Shipa appears to be a way to document what your app is and what things it needs. From there, you can hand it off to Terraform/k8s, etc. and have it set up the relevant environment. Doesn't quite seem like the thing we need. Maybe look into this too: https://shipa.io/miscellaneous/kubernetes-dagger-deployment-with-shipa/

### Chat w/ Fatih Degirmenci

#### review the roadmap for interop
- [x] DONE
Completed: 2022-07-13 https://github.com/cdfoundation/sig-interoperability/blob/master/docs/roadmap.md - old one

"Promote best practices" is now no longer a thing. Interop tools is now cd events? "End user requirements" is interesting. We don't do this currently, I think. lol. eBay was listed as providing a case-study.

https://docs.google.com/document/d/1uf3sb-WJUp3Acd3WYL5SvgVECHevonufJOxd6KftOxc/edit - new one

#### Follow up with [[Wyatt Webb]] about mobile writing a case-study for CDF
- [x] DONE
Completed: 2022-06-29

Need to send email to Eugene Kienle, Rahul Racha & David Hoots (cc'ing Wyatt) once I have guidelines from Fatih

#### Watch dagger.io presentation for sig-interop
- [x] DONE
Completed: 2022-06-29 https://www.youtube.com/watch?v=65WjUohcYEQ&list=PL2KXbZ9-EY9QxICOnONBFPn_cYfJ8BsaG&index=1

Jeremy Adams, "lead of ecosystem for dagger.io" was the presenter. Previously GitHub. jeremy@dagger.io

Goal: tooling that lets folks have true parity between local & CI.

I'm interested in the cue language. https://cuelang.org/ Dependencies between steps seem a little complex. May just be a lack of familiarity w/ cue.

Josh Thurman is doing just-in-time test environment provisioning and wanting to hook into multiple CI providers.

Q: Can we build image locally and push it remotely w/ a dagger plan? A: Totally.

It seems great for CI. Are they looking at CD? What are the thoughts/plans there?

### Push forward the CDF interop doc
- [x] DONE
Completed: 2023-04-05

https://hackmd.io/HuufSDMaTPyb3qxkyBKg3A#November-17-2022

v1: https://docs.google.com/document/d/1Bgr6EHhW4wUTphU8xyMg87qzSee43PEA_gGdMnPHq9Q/edit#

v2: https://docs.google.com/document/d/1o5jHbuEQuspwYOruVB4L5-rG8E1wQm5chq8QN7BrrBs/edit#