Course 5 of 7 · The deployment/infra track

CI/CD & Delivery, from newcomer to interview-ready

The machine that turns a git push into a running deployment — build, test, and roll out across the env×org matrix.

Courses 1–4 built the artifact and its config: a container, running as Kubernetes objects, generated by Helm, routed by Istio. None of that reaches a cluster by magic. CI/CD is the machine — ~99 GitHub Actions workflows, ~80 composite actions, trunk-based deploy, self-hosted ARC runners, keyless GCP auth, and binary-authorization supply-chain checks. This is how your code ships. Three parts, built one at a time. Lessons are short — one win each. Read them in order.

How to use this Do one lesson, take its quiz from memory (no peeking), then skim the matching row of the cheat sheet. Come back a day later and re-take it — spacing beats cramming. Your tenth course; you know the rhythm. Stuck? Ask me — I'm your teacher, not just the author.
Where CI/CD sits in the stack Containers/K8s/Helm/Istio defined what runs. CI/CD is how it gets there: on every push it builds the image, runs the checks, and (on a merge to trunk) deploys it — the same skaffold run / helm upgrade you met in Courses 1 & 3, automated.

Part 1 — CI/CD & GitHub Actions fundamentals available now

The vocabulary and the workflow model everything else builds on.

1 · What CI/CD is & why

Continuous integration / delivery / deployment — and this repo's push-based model.

ready

2 · GitHub Actions anatomy

Workflows, events, jobs, steps, actions, runners — the model.

ready

3 · The CI pipeline

Lint, unit tests, codegen drift checks, build — the PR checks.

ready

4 · Reusable workflows & composite actions

Staying DRY across ~99 workflows — pipeline reuse vs step reuse.

ready

Part 2 — Build, deploy & trunk-based delivery available now

From a merge to a running deployment across every env×org cell.

5 · Building & pushing images

Docker buildx → GCR, tagged by the release tag; the manifest-skip trick.

ready

6 · Trunk-based deployment

The tbd.* chain — push → tag → cron → deploy, per env×org, with gates.

ready

7 · Self-hosted ARC runners

Actions Runner Controller — autoscaling runners as pods, and the dind trick.

ready

8 · The deploy mechanism

skaffold deployhelm upgrade from CI; push-based vs GitOps.

ready

Part 3 — Security, supply chain & operations available now

Keyless auth, provable builds, testing at scale, and running the pipeline.

9 · Keyless GCP auth (OIDC/WIF)

Workload Identity Federation — deploy with no static keys.

ready

10 · Binary authorization & supply chain

Attestation → admission control — the machinery, and why it's audit-only here.

ready

11 · Testing at scale

Unit + kind-in-runner E2E, the diff router, and the drift guards.

ready

12 · Operations & the delivery model

Concurrency, caching, path filters, rollback — the whole picture.

ready

Reference shelf

Cheat sheet

Dense revision sheet + workflow syntax + interview one-liners.

Glossary

The canonical vocabulary, opinionated.

Repo CI/CD map

Ground truth: workflows, actions, deploy scripts, binauthz.

Resources

GitHub Actions + GCP docs, trunk-based dev, SLSA.

All 12 lessons are built — the CI/CD course is complete. You can now narrate exactly how this repo turns a push into a running deployment — and name what's real vs aspirational (binauthz DRYRUN, BDD commented, no GitOps). Next: Course 6 (Observability) — the dashboards this pipeline feeds. Or — eleven courses' worth of lessons, still no retention check — ask me to run a mock interview and I'll record where you're solid.