# Mission — CI/CD & Delivery

## Why this course exists

**Course 5 of 7** in the deployment/infra track. Courses 1–4 built the artifact and its config:
a **container** (C1), running as Kubernetes **objects** (C2), generated by **Helm** (C3),
routed by **Istio** (C4). But none of that reaches a real cluster by magic. **CI/CD is the
machine that turns a git push into a running deployment** — running the tests on every PR, then
(via a release tag, a scheduled build, and a rollout) shipping the image across the env×org
matrix. (One thing to know up front: a merge doesn't deploy *directly* — see Part 2.)

This repo's delivery system is large: **~99 GitHub Actions workflows**, **~80 composite
actions**, a **trunk-based** deploy model (the `tbd.*` workflows), **self-hosted ARC runners**,
keyless GCP auth, and **binary-authorization** supply-chain checks. This course is how it all
fits together — and how *your* code actually ships.

## Who the learner is

- Backend engineer on the **conversationmgmt / notification / spike** team — strong Go, gRPC,
  Kafka, Postgres, Airflow; now solid on containers, Kubernetes, Helm, and Istio (ten courses in).
- **Newer to CI/CD as a system.** GitHub Actions workflows, runners, trunk-based deploy, supply
  chain security are new as a *whole*. Assume strong backend maturity, NOT delivery-pipeline
  fluency.
- Directly relevant: every PR they open runs this CI; every merge to trunk deploys through it.

## What "success" looks like

By the end, the learner can, from memory:

1. Explain CI vs CD (continuous integration / delivery / deployment) and this repo's push-based
   (not GitOps) model.
2. Read a GitHub Actions workflow — events/triggers, jobs, steps, actions, runners — and the
   `tbd.*` naming convention.
3. Describe the CI pipeline: lint, unit tests, codegen drift checks, and build.
4. Explain reusable workflows vs composite actions and how this repo stays DRY across ~99
   workflows.
5. Explain image build/push/tagging (docker buildx → GCR, tagged by release tag), and the real
   trunk-based deploy chain (push → release tag → scheduled build → deploy per env×org via
   `skaffold deploy` → Helm; staging auto, prod manual).
6. Explain self-hosted **ARC** runners, keyless GCP auth (**OIDC / Workload Identity
   Federation**), and **binary authorization** (attestation → admission — currently audit-only).
7. Explain E2E/BDD testing in CI and the drift guards, plus operations (concurrency, caching,
   path filters, rollback).

## Grounding

Every concept lands on real workflow/action files in `.github/` and the deploy scripts under
`deployments/` — mapped in [reference/repo-cicd-map.md](./reference/repo-cicd-map.md). External
claims cite the official GitHub Actions / GCP docs ([RESOURCES.md](./RESOURCES.md)) — never my
memory.

## The seven-course plan (this track)

1. Containers & Local Dev ✅
2. Kubernetes ✅
3. Helm ✅
4. Istio & Service Mesh ✅
5. **CI/CD & Delivery** ← *you are here* (how the artifact + config reach the clusters)
6. Observability & Monitoring — the dashboards CI/CD and the mesh feed
7. Infrastructure as Code — Terraform/GCP/GKE, the clusters CI/CD deploys into
