What this part covers
In Part 1, we built the foundation: Git setup, Node.js app, dependencies, and automated tests.
In Part 2, we’ll take the next big steps toward a production-ready setup by:
Creating a
.gitignorefileSetting up a
.env.examplefor environment variablesAdding
ESLintfor code qualityWriting a
Dockerfileto containerize our appCreating a
.dockerignoreto slim imagesUsing Docker Compose for local development
Running & testing the app in Docker
Setting up GitHub repository + pushing code
Configuring GitHub Actions CI/CD pipeline for build + test
Deploying to GitHub (first automated deployment)
Monitoring build/deployment success
By the end of this article, you’ll have your project running in Docker, connected to GitHub, and building automatically via CI/CD.
Step 1: GitHub Actions CI/CD Pipeline
What this step does
We’re now moving from local development into automation. In this step, we’ll create a GitHub Actions pipeline that:
Runs linting, tests, and security audits on every push and pull request.
Builds and pushes Docker images to GitHub’s container registry (GHCR).
Runs a vulnerability scan against the built image.
Deploys automatically to staging (develop branch) and production (main branch).
This is the backbone of modern DevOps: CI/CD automation that ensures code is tested, packaged, secured, and ready for deployment — with no manual intervention required.
- Create workflow directory:
# Create the GitHub Actions directory structure mkdir -p github/workflows - Create ci.yml:
touch .github/workflows/ci.yml - Create the pipeline definition
Inside .github/workflows/ci.yml, add the following:
name: CI/CD Pipeline on: push: branches: [ main, develop ] tags: [ 'v*' ] pull_request: branches: [ main ] env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: test: name: Test & Lint runs-on: ubuntu-latest strategy: matrix: node-version: [20, 22] steps: - name: Checkout code uses: actions/checkout@v4 - name: Setup Node.js ${{ matrix.node-version }} uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }} cache: 'npm' - name: Install dependencies run: npm ci - name: Run linting run: npm run lint - name: Run tests run: npm test - name: Security audit run: npm audit --audit-level=critical || echo "Audit completed with warnings" build: name: Build & Push Image runs-on: ubuntu-latest needs: test if: github.event_name == 'push' permissions: contents: read packages: write security-events: write outputs: image-tag: ${{ steps.meta.outputs.tags }} image-digest: ${{ steps.build.outputs.digest }} steps: - name: Checkout code uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: platforms: linux/amd64,linux/arm64 - name: Log in to Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=sha,prefix={{branch}}- type=raw,value=${{ github.run_id }} type=raw,value=latest,enable={{is_default_branch}} labels: | org.opencontainers.image.title=DevOps Lab 2025 org.opencontainers.image.description=Modern Node.js DevOps application - name: Build and push Docker image id: build uses: docker/build-push-action@v5 with: context: . platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max target: production - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.24.0 with: image-ref: ${{ steps.meta.outputs.tags }} format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' continue-on-error: true - name: Upload Trivy scan results uses: github/codeql-action/upload-sarif@v3 if: always() && hashFiles('trivy-results.sarif') != '' with: sarif_file: 'trivy-results.sarif' deploy-staging: name: Deploy to Staging runs-on: ubuntu-latest needs: build if: github.ref == 'refs/heads/develop' environment: staging steps: - name: Deploy to Staging run: | echo "🚀 Deploying to staging environment..." echo "Image: ${{ needs.build.outputs.image-tag }}" echo "Digest: ${{ needs.build.outputs.image-digest }}" # Add your staging deployment commands here (kubectl, helm, etc.) deploy-production: name: Deploy to Production runs-on: ubuntu-latest needs: build if: github.ref == 'refs/heads/main' environment: production steps: - name: Deploy to Production run: | echo "🎯 Deploying to production environment..." echo "Image: ${{ needs.build.outputs.image-tag }}" echo "Digest: ${{ needs.build.outputs.image-digest }}" # Add your production deployment commands here This setup:
- Ensures we only build/test on pushes to main or develop, pull requests to main, or tagged releases.
- Runs in Node 20 and 22 to validate across multiple versions
-
For the building and pushing of Docker Images, it only runs on push events and after tests pass it:
- Uses Buildx for multi-arch images (amd64 + arm64).
- Pushes to GitHub Container Registry.
- Adds labels and tags for traceability.
- Runs Trivy for vulnerability scanning.
-
Separates staging and production deployments by branch:
- develop → staging
- main → production
Why this matters
By the end of this step, you now have:
✅ Automated linting, tests, and audits on every change.
✅ Docker images built and pushed to GHCR automatically.
✅ Security scans integrated directly into CI/CD.
✅ Branch-based deployments ready for staging and production.
This is the minimum baseline for modern DevOps — continuous integration, containerized builds, automated deployments, and built-in security.
Step 2: Dockerfile
What this step does
The Dockerfile defines how to package your application into a container image that can run consistently anywhere — locally, in CI/CD pipelines, or in cloud environments.
In this step, we’ll create a production-ready Dockerfile that:
Uses multi-stage builds to keep images small.
Runs as a non-root user for security.
Sets up health checks for monitoring.
Includes signal handling for clean shutdowns.
This makes your app portable, secure, and reliable.
Create Dockerfile
Enter:
touch Dockerfile In Dockerfile, Paste:
# Multi-stage build for optimized image FROM node:20-alpine AS dependencies # Update packages for security RUN apk update && apk upgrade --no-cache WORKDIR /app # Copy package files first for better caching COPY package*.json ./ # Install only production dependencies RUN npm ci --only=production && npm cache clean --force # Production stage FROM node:20-alpine AS production # Update packages and install necessary tools RUN apk update && apk upgrade --no-cache && \ apk add --no-cache curl dumb-init && \ rm -rf /var/cache/apk/* # Create non-root user with proper permissions RUN addgroup -g 1001 -S nodejs && \ adduser -S nodeuser -u 1001 -G nodejs WORKDIR /app # Copy dependencies from previous stage with proper ownership COPY --from=dependencies --chown=nodeuser:nodejs /app/node_modules ./node_modules # Copy application code with proper ownership COPY --chown=nodeuser:nodejs package*.json ./ COPY --chown=nodeuser:nodejs app.js ./ # Switch to non-root user USER nodeuser # Expose port EXPOSE 3000 # Health check with proper timing for Node.js startup HEALTHCHECK --interval=30s --timeout=10s --start-period=15s --retries=3 \ CMD curl -f http://localhost:3000/health || exit 1 # Use dumb-init for proper signal handling in containers ENTRYPOINT ["dumb-init", "--"] # Start application CMD ["npm", "start"] 
Dockerfile Explained
Dependencies Stage:
Based on node:20-alpine for a minimal footprint.
Installs only production dependencies.
Cleans up cache to keep size small.
Production Stage
Installs required tools (curl, dumb-init).
Creates a non-root user (nodeuser) with proper permissions.
Copies dependencies and app code with correct ownership.
Defines a health check endpoint (/health).
Uses dumb-init as the entrypoint for proper signal handling.
Why this matters
By containerizing your app with this Dockerfile, you gain:
✅ Consistency: Same environment across dev, CI/CD, and production.
✅ Security: Runs as non-root with patched Alpine base image.
✅ Reliability: Health checks ensure containers are restarted if unhealthy.
✅ Efficiency: Multi-stage builds keep images lean.
Step 3: Essential Configuration Files
What this step does
Configuration files are the unsung heroes of a DevOps project. They define what to ignore, how tools behave, and what settings your project expects.
In this step, we’ll set up:
.dockerignore– to keep Docker images lean..gitignore– to avoid committing unnecessary or sensitive files..env.example– a template for environment variables..eslintrc.js– to enforce coding standards.
Create .dockerignore
- This file ensures your Docker builds don’t copy unnecessary files into the image, making builds faster and images smaller
node_modules npm-debug.log* .git .github .env .env.local .env.*.local logs *.log coverage .nyc_output .vscode .idea *.swp *.swo .DS_Store Thumbs.db README.md tests/ jest.config.js .eslintrc* Create .gitignore
# Dependencies node_modules/ npm-debug.log* # Runtime data pids *.pid *.seed *.pid.lock # Coverage coverage/ .nyc_output # Environment variables .env .env.local .env.*.local # Logs logs *.log # IDE .vscode/ .idea/ *.swp *.swo # OS .DS_Store Thumbs.db Create .env.example
# Server Configuration PORT=3000 NODE_ENV=production # Logging LOG_LEVEL=info Create ESLint configuration:
create .eslintrc.js
module.exports = { env: { node: true, es2021: true, jest: true }, extends: ['eslint:recommended'], parserOptions: { ecmaVersion: 12, sourceType: 'module' }, rules: { 'no-console': 'off', 'no-unused-vars': ['error', { 'argsIgnorePattern': '^_' }] } }; 
Step 4: Docker Compose for Development
What this step does
While a Dockerfile defines how to build your app’s container, Docker Compose makes it easy to run multiple services together (like your app + a database).
With one command, you can spin up your entire development environment.
- Create
docker-compose.yml
version: '3.8' services: app: build: . ports: - "3000:3000" environment: - NODE_ENV=development - PORT=3000 restart: unless-stopped healthcheck: test: ["CMD", "curl", "-f", "http://localhost:3000/health"] interval: 30s timeout: 10s retries: 3 start_period: 10s Start your app with:
docker-compose up --build (First stop the app if started with npm)
Stop it with:
docker-compose down 
Step 4: Test Everything Locally
What this step does: Shows you how to actually run and test your application locally before deploying it.
Install and Test Locally
# Install all dependencies from package.json npm install # Run your test suite to make sure everything works npm test # Start the application server npm start What you’ll see:
- Tests should pass with green checkmarks:
- ✓ GET / should return welcome page
Server starts and shows:
🚀 Server running at http://localhost:3000/
Test endpoints (in a new terminal window):
curl http://localhost:3000/ # Homepage curl http://localhost:3000/health # Health check JSON curl http://localhost:3000/info # System info JSON curl http://localhost:3000/metrics # Prometheus metrics Results of test:
Docker Commands
Use these to test your image and container directly (great for debugging fundamentals).
# Build image docker build -t my-devops-app:latest . # Run container docker run -d \ --name my-devops-container \ -p 3000:3000 \ --restart unless-stopped \ my-devops-app:latest # Check container status docker ps docker logs my-devops-container # Test health check curl http://localhost:3000/health # Stop container docker stop my-devops-container docker rm my-devops-container Docker Compose Commands
Use these for day-to-day development or when you have multiple services.
# Start all services defined in docker-compose.yml docker-compose up -d # View real-time logs from all services docker-compose logs -f # Stop all services and clean up docker-compose down Step 5: Deploy to GitHub
What this step does: Commits your code to Git and pushes it to GitHub so the automated CI/CD pipeline can start working.
Initial Commit
# Add all files to Git staging area git add . # Create your first commit with a descriptive message git commit -m "Initial commit: Complete DevOps setup with working CI/CD" Connect to GitHub
⚠️ Before running these commands:
Go to GitHub.com and create a new repository called my-devops-project.
Do not initialize it with a README, .gitignore, or license (we already created those).
Copy the repository URL from GitHub.
Replace YOUR_GITHUB_USERNAME in the commands below with your actual username.
# Set main as the default branch git branch -M main # Connect to your GitHub repository (UPDATE THIS URL!) git remote add origin https://github.com/YOUR_GITHUB_USERNAME/my-devops-project.git # Push your code to GitHub for the first time git push -u origin main What You’ll See
Your code appears in your new GitHub repository.
The CI/CD pipeline kicks in automatically (thanks to the GitHub Actions workflow you added earlier).
Step 6: Fix CI Security Scan Errors
The Problem:
When the pipeline first runs, the security scanner fails with this error:
failed to parse the image name: could not parse reference: ghcr.io/USERNAME/my-devops-project:latest
This happened because the workflow was hardcoding :latest as the image tag. At the time of the scan, that tag didn’t exist yet in the GitHub Container Registry, so Trivy couldn’t find or parse the image reference.
The Fix:
Instead of scanning :latest, we need to scan the exact image tag that was built and pushed by the build job. GitHub Actions makes this available via the job output needs.build.outputs.image-tag.
Edit .github/workflows/ci.yml and replace the security-scan section with:
security-scan: name: Security Scan runs-on: ubuntu-latest needs: build if: github.event_name == 'push' && github.ref == 'refs/heads/main' steps: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: ${{ needs.build.outputs.image-tag }} format: 'sarif' output: 'trivy-results.sarif' - name: Upload Trivy scan results uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' Create the Staging Environment in GitHub
Go to your repo Settings
Go to Environments, click new environment.
Name it:
stagingSave.
In VS Save and Commit Your Code Changes
# Stage changes git add .github/workflows/ci.yml # Commit with a clear message git commit -m "Fixed security scan to use build job image tag" # Push to GitHub git push origin main 
Once pushed, GitHub Actions will re-run the pipeline and Trivy will correctly scan the newly built image.
Step 7: Kubernetes Deployment Configurations
What this step does: Defines how your application should run in Kubernetes for both staging and production environments, including the number of replicas, resource limits, and health checks.
- Create directories
# Create directories for Kubernetes configurations mkdir -p k8s/staging k8s/production - Create Staging Deployment
Create k8s/staging/deployment.yml:
⚠️ IMPORTANT: Update YOUR_GITHUB_USERNAME and YOUR_REPO_NAME in the image URL.
apiVersion: apps/v1 kind: Deployment metadata: name: devops-app-staging namespace: staging spec: replicas: 2 selector: matchLabels: app: devops-app environment: staging template: metadata: labels: app: devops-app environment: staging spec: containers: - name: app image: ghcr.io/YOUR_GITHUB_USERNAME/YOUR_REPO_NAME:latest ports: - containerPort: 3000 env: - name: NODE_ENV value: "staging" - name: PORT value: "3000" livenessProbe: httpGet: path: /health port: 3000 initialDelaySeconds: 30 periodSeconds: 10 readinessProbe: httpGet: path: /health port: 3000 initialDelaySeconds: 5 periodSeconds: 5 --- apiVersion: v1 kind: Service metadata: name: devops-app-service-staging namespace: staging spec: selector: app: devops-app environment: staging ports: - protocol: TCP port: 80 targetPort: 3000 type: LoadBalancer - Create Production Deployment
Create k8s/production/deployment.yml:
⚠️ IMPORTANT: Update YOUR_GITHUB_USERNAME and YOUR_REPO_NAME in the image URL.
apiVersion: apps/v1 kind: Deployment metadata: name: devops-app-production namespace: production spec: replicas: 3 selector: matchLabels: app: devops-app environment: production template: metadata: labels: app: devops-app environment: production spec: containers: - name: app image: ghcr.io/YOUR_GITHUB_USERNAME/YOUR_REPO_NAME:latest ports: - containerPort: 3000 env: - name: NODE_ENV value: "production" - name: PORT value: "3000" resources: requests: memory: "128Mi" cpu: "100m" limits: memory: "256Mi" cpu: "200m" livenessProbe: httpGet: path: /health port: 3000 initialDelaySeconds: 30 periodSeconds: 10 readinessProbe: httpGet: path: /health port: 3000 initialDelaySeconds: 5 periodSeconds: 5 --- apiVersion: v1 kind: Service metadata: name: devops-app-service-production namespace: production spec: selector: app: devops-app environment: production ports: - protocol: TCP port: 80 targetPort: 3000 type: LoadBalancer Update the k8s/production/deployment.yml as such
✅ Key Notes:
Namespaces: staging and production isolate environments.
Replicas: Staging uses 2 replicas; production uses 3 for high availability.
Probes: livenessProbe and readinessProbe ensure containers are healthy before traffic is routed.
Resources (Production only): CPU/memory requests and limits prevent resource exhaustion.
Services: Both use LoadBalancer to expose the application externally.
Step 8: Complete Deployment Workflow
What this step does: Demonstrates the full CI/CD process with branch-based deployments to staging and production, along with monitoring.
1. Branch-based Deployment Strategy
| Branch | Action |
|---|---|
develop | Automatically deploys to staging environment |
main | Automatically deploys to production environment |
| Pull requests | Run tests only (no deployment) |
2. Deploy Changes
Deploy to Staging
# Create and switch to develop branch git checkout -b develop # Make your changes, then commit and push git add . git commit -m "Add new feature" git push origin develop What happens:
GitHub Actions automatically builds the image.
Runs security scans and tests.
Deploys the app to staging (staging namespace in Kubernetes).
3.Deploy to Production
When you’re ready to release:
# Switch to main branch git checkout main # Merge changes from develop git merge develop # Push to trigger production deployment git push origin main 
What happens:
GitHub Actions runs the full pipeline.
Deploys the app to production (default namespace in Kubernetes).
🔎 Monitor Deployments
Check GitHub Actions status
👉 https://github.com/YOUR_GITHUB_USERNAME/YOUR_REPO_NAME/actions,
replace YOUR_GITHUB_USERNAME and YOUR_REPO_NAME accordingly
Check your container registry
👉https://github.com/YOUR_GITHUB_USERNAME/YOUR_REPO_NAME/pkgs/container/my-devops-project
replace YOUR_GITHUB_USERNAME and YOUR_REPO_NAME accordingly
Test your deployed applications
# Staging health check curl https://your-staging-url.com/health # Production health check curl https://your-production-url.com/health 🎯 Conclusion
In this second part of DevOps by Doing, we took our project beyond the basics and built out a modern CI/CD pipeline with GitHub Actions, Docker, and Kubernetes.
*We covered how to: *
- ✅ Automate testing and linting across multiple Node.js versions
- ✅ Build and publish Docker images to GitHub Container Registry (GHCR)
- ✅ Deploy automatically to a staging environment from the
developbranch - ✅ Secure production deployments on the
mainbranch with environment protections
With these steps, you now have a complete DevOps workflow: from writing code, to testing, to building, to deploying in a controlled and repeatable way.
This isn’t just theory—it’s the exact type of pipeline used in modern production teams. By now, you should feel confident that every push to your repo can be tested, built, and deployed automatically. That’s the heart of DevOps by Doing.
Top comments (0)