Secure Continuous Delivery on Google Cloud E-Book

Secure Continuous Delivery on Google Cloud

Implement an automated and secure software delivery pipeline on Google Cloud using native services

Giovanni Galloro

Nathaniel Avery

David Dorbin

Secure Continuous Delivery on Google Cloud

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Preet Ahuja

Publishing Product Manager: Surbhi Suman

Book Project Manager: Ashwini Gowda

Senior Editor: Mohd Hammad

Technical Editor: Nithik Cheruvakodan

Copy Editor: Safis Editing

Proofreader: Mohd Hammad and Safis Editing

Indexer: Manju Arasan

Production Designer: Jyoti Kadam

DevRel Marketing Executive: Rohan Dobhal

First published: April 2024

Production reference: 1220324

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK

ISBN 978-1-80512-928-8

www.packtpub.com

To my wife, Lina, for the continued love and support she gives me, and to our precious Stefano and Sara, for giving me motivation when I want to give up and they are still on their homework.

– Giovanni Galloro

My deepest gratitude goes to my wife, Nikki, and our daughters. Your endless love and support have fueled my journey every step of the way.

– Nathaniel Avery

To my son, Sam, who is why I do anything. And to my mother, Betty, and my father, Jerry, who are why I know how.

– David Dorbin

Foreword

We are what we repeatedly do. Excellence, then, is not an act but a habit.

– Will Durant

When you accomplish something for the first time, it’s worth celebrating. Did you complete a marathon? Send the inaugural edition of your newsletter? Stay within your spending budget this month? Or ship v1 of your software to production? That’s amazing, and you should be proud.

However, I’m even more impressed if you do it a second time. And a third, and fourth, and fifth time. This indicates that you’ve built a habit or technique to successfully perform the activity over and over again. That’s hard to do, but it’s what often characterizes those who are consistently excellent.

Shipping software is far from simple, especially in the modern era. You’ve got more complex application code, with dozens of referenced packages outside of the programming language’s base libraries. The architecture is denser than it was a decade ago, with a mix of frontends, backends, APIs, databases, message queues, and so on. And this pile of software gets deployed to distributed infrastructure that you may not even own. With enough caffeine and manual effort, you can get modern software deployed the first time. But that’s not sustainable. If you care about being responsive to customer needs, keeping systems up and running, and maintaining your sanity, you’ll choose to automate the path to production.

Doing so isn’t just nice to have; it’s a precursor to better business performance. The research from the DevOps Research and Assessment (DORA) team at Google Cloud gave us trustworthy proof points that bear this out. Companies that are elite at managing short lead times, regular deployment frequencies, low change failure rates, and minimal time to restore service have better business outcomes and happier teams. Sounds great. How do you actually make it happen?

This book is the first publication that offers an end-to-end look at secure software delivery in Google Cloud. Public clouds can often feel like a set of powerful but loosely connected services. It’s often left to the user to figure out the right way to stitch them together to achieve their desired outcome. But when it comes to securely delivering software in a repeatable way, we crave opinions from experts. Fortunately, that’s the book you’re holding in your hands right now.

Each of the authors brings years of engineering and implementation experience to this book. They’ve seen a wide range of environments and software delivery programs in their careers, and that colors their walk through the major stages of the software development life cycle. At each stage, you’ll learn about the Google Cloud technologies that play a part and will have the opportunity to complete at least one exercise that helps you go from theoretical knowledge to practical wisdom.

Here’s a warning. Many things in this book will feel foreign and maybe even a bit uncomfortable! Using declarative tools such as Skaffold for local, iterative builds? Coding in cloud-based development environments? Stashing dependent language packages in managed repositories versus directly using NPM or Maven Central? Relying on canary deployments that progressively roll out your software? Verifying container images with binary authorization? Some of these things you’ll be doing for the first time. That’s good. We’re in a brave new world and need to challenge ourselves to uplevel our toolchain and skillset.

Look, I’m also a realist and expect that you might use many services from Google Cloud, but not all. You could have existing continuous integration product investments. Maybe you have a mature artifact repository and have no reason to change anything. That’s OK. The authors also dedicate a chapter to thinking through integrations with existing product investments.

This book is a jumping-off point for a journey to evolve your software delivery process. It won’t answer every question you have; there are always more configurations than available pages! But I’m confident that by digesting this content and getting hands-on with the embedded exercises, you’ll be well on your way to developing fresh habits that predict future excellence. Enjoy the ride.

Richard Seroter

Chief Evangelist at Google Cloud

Contributors

About the authors

Giovanni Galloro has been working at Google since 2017 as a customer engineer specializing in container-based runtimes, DevOps tools, and application networking. He works with multiple organizations across EMEA, helping them to leverage these capabilities and improve their software delivery practices.

Giovanni is a community ambassador for the Continuous Delivery Foundation and is a frequent speaker at developer conferences.

Before Google, he worked at Microsoft, Red Hat, VMware, and HP, following the evolution of application platforms over the past 20 years.

Nathaniel Avery works at Google as an outbound product manager for the Google Cloud Application Ecosystem group, specializing in DevOps tools, and has spoken to many Fortune 500 companies about DevOps tooling solutions.

Before joining Google, Nate spent more than 20 years in IT designing, planning, and implementing complex systems, integrating custom-built and COTS applications for federal government customers.

Currently, he’s working on better ways to build and use cloud resources to help customers deliver better products, safely and securely, without sacrificing velocity.

David Dorbin has been a technical writer for more than three decades. He’s been with Google for more than a dozen years, documenting payment applications, internal tools, and Google Cloud DevOps products.

Before Google, he worked with numerous start-ups and established companies, documenting technologies in payment processing, digital publishing and rights management, consumer electronics, and cryptography for financial institutions.

In his free time, Dave enjoys playing bass and banjolele (but never at the same time), or doing more damage to his Achilles’ heel on the streets and trails of northern New Jersey.

We are happy to donate the earnings from this book to Save the Children Italia.

About the reviewer

Richard Seroter is currently the chief evangelist at Google Cloud and leads the Developer Relations program. He’s also an instructor at Pluralsight, a frequent public speaker, and the author of multiple books on software design and development. As chief evangelist at Google Cloud, Richard leads the team of developer advocates, developer engineers, outbound product managers, and technical writers who ensure that people find, use, and enjoy Google Cloud. Richard maintains a regularly updated blog (seroter.com) on the topics of architecture and solution design and can be found on Twitter/X as @rseroter.

Table of Contents

Preface

Part 1:Introduction and Code Your Application

1

Introducing Continuous Delivery and Software Supply Chain Security

Introduction to CD

CD practices

The impact of CD on software delivery performance

Understanding continuous integration

How to implement CI

Understanding continuous testing

Test types

Implementing continuous testing

Understanding deployment automation

Implementing deployment automation

Securing your software delivery pipeline

Source code management threats and remediations

Build threats and remediations

Dependency threats and remediations

Summary

2

Using Skaffold for Development, Build, and Deploy

Technical requirements

Understanding Skaffold’s capabilities and architecture

Skaffold for building

Skaffold for deploying

Skaffold’s architecture

Installing Skaffold

Using Skaffold with your application

Initializing your repository using skaffold init

Testing your application while you code using skaffold dev

Building your application using skaffold build

Testing your application using skaffold test

Deploying your application using skaffold deploy

Deploying and rendering separately using skaffold render and skaffold apply

Running the end-to-end pipeline using skaffold run

Managing deployment in different environments

Cleaning up

Summary

3

Developing and Testing with Cloud Code

Technical requirements

About Cloud Code

Continuously deploying and testing locally while you code

Checking application logs from your editor

Creating a GKE cluster from your editor

Continuously deploying and testing a Kubernetes app remotely while you code

Debugging

Code with AI assistance

Getting help to understand code

Generating code

Cleaning up

Summary

4

Securing Your Code with Cloud Workstations

Technical requirements

Introduction to Cloud Workstations

Cloud Workstations architecture

Configuring workstations for developers

Creating a workstation cluster

Creating a workstation configuration for the base editor

Creating a workstation configuration for the IntelliJ IDEA Ultimate IDE

Creating workstations and assigning them to developers

Customizing Cloud Workstations

Creating a custom image and workstation configuration

Updating Cloud workstations

Coding on Cloud Workstations

Accessing a Cloud workstation configured with the base editor

Accessing a Cloud workstation configured with a JetBrains IDE

Cleaning up

Summary

Part 2: Build and Package Your Application

5

Automating Continuous Integration with Cloud Build

Technical requirements

Cloud Build architecture and capabilities

Building your application manually

Running a simple build from the command line

Adding automated tests to your build

Building your application using Skaffold

Using substitutions

Customizing your build workers

Custom machine types

Private worker pools

Generating security information for your build

Producing digitally signed provenance

Viewing vulnerability reports and provenance

Automating builds

Creating your source code repository

Connecting your source code repository to Cloud Build

Creating a trigger for your build

Running an automated build after a code commit

Summary

6

Securely Store Your Software on Artifact Registry

Technical requirements

Managing container images with Artifact Registry

Creating an Artifact Registry repository to store your image

Viewing role-based access control on a repository

Listing the Artifact Registry repositories available in a project

Uploading a Docker container to Artifact Registry

Listing container images in the repository

Pulling a container image/package

Managing language package distribution with Artifact Registry

Creating a repository for a Python package from the demo app

Uploading a Python package to the repository

Viewing packages in the standard Python repository

Creating a repo for Go packages from the demo app

Using virtual and remote repositories

Creating a remote repository for Python

Listing the packages in the remote Python repo

Creating a virtual repository from two different Python repositories

Using vulnerability scanning to detect threats

Running an on-demand scan of your container image

Seeing the results of the on-demand scan

Viewing scan results in the Google Cloud Console

Summary

References

Part 3: Deploy and Run Your Application

7

Exploring Runtimes – GKE, GKE Enterprise, and Cloud Run

Understanding containers

Understanding Google Kubernetes Engine

What’s the big deal about GKE?

GKE limitations

GKE cluster modes

GKE components

Autoscaling

Understanding GKE Enterprise

Identity management

GKE Enterprise on on-premises clusters

Limitations of GKE Enterprise on bare metal

GKE Enterprise clusters on AWS and Azure

Understanding Cloud Run

Cloud Run services

Cloud Run jobs

Cloud Run integrations

Cloud Run limitations

Cloud Run pricing

Choosing between GKE and Cloud Run

Summary

References

8

Automating Software Delivery Using Cloud Deploy

Technical requirements

Exploring the Cloud Deploy architecture

Cloud Deploy among software delivery tools

The Cloud Deploy resource model

The Cloud Deploy execution environment

What happens when a delivery pipeline executes?

Understanding Cloud Deploy target types

Using the Kubernetes manifest and Kustomization

Using a Skaffold configuration

Preparing your project

Enabling the API

Creating the GKE clusters

Granting the necessary permissions

Creating a delivery pipeline

Understanding the progression

Understanding targets

Registering the delivery pipeline and targets

Creating a release

Examining a release

Verifying your deployment

Using a deployment strategy

Configuring the delivery pipeline for a canary deployment

Running the canary deployment

Summary

9

Securing Your Runtimes with Binary Authorization

Technical requirements

Understanding Binary Authorization concepts

Setting up Binary Authorization

Creating a CMEK

Setting up Binary Authorization on GKE

Setting up Binary Authorization on Cloud Run

Using Binary Authorization on GKE on other public clouds

Setting up attestations

Creating an attestation

Configuring Binary Authorization policies

Creating the policy

Applying an attestation to the image

Summary

Part 4: Hands-On Secure Pipeline Delivery and Looking Forward

10

Demonstrating an End-to-End Software Delivery Pipeline

Technical requirements

Software delivery pipeline overview

Building your software delivery pipeline

Creating your source code repository

Configuring the required IAM roles

Creating two GKE clusters

Creating GKE gateway resources

Creating your Cloud Deploy delivery pipeline

Configuring security policies for your pipeline

Connecting your source code repository to Cloud Build

Creating two Cloud Build triggers for your repository

Creating your initial release

Running your pipeline

Updating your code as a developer

Running an automatic build and scan of your artifact

Merging your code and deploying your application to production

Summary

11

Integrating with Your Organization’s Workflows

Technical requirements

Connecting a Cloud Build trigger to a third-party repository

Creating a host connection to GitLab

Creating a link to the GitLab repository

Creating a trigger

Integrating Cloud Deploy with automated testing

Integrating Cloud Deploy approval with third-party workflow management tools

Using a third-party workflow management system with Cloud Deploy approvals

Summary

12

Diving into Best Practices and Trends in Continuous Delivery

Best practices for deploying secure delivery pipelines

Using a host project for CI/CD infrastructure

Consider using VPC-SC

Using private pools with Cloud Build and Cloud Deploy

Using Cloud Logging and Cloud Monitoring

Enabling recommended alerts

Using GitOps

Anticipating the future

AI infusion

Summary

References

Index

Other Books You May Enjoy

Preface

Continuous Delivery (CD) is a set of software engineering practices that enables teams to deliver software quickly and safely by automating the entire software release process through a deployment pipeline.

To build a continuous delivery pipeline, you typically need separate tools to perform the necessary tasks, including the following:

You can choose tools from different providers and different deployment or installation methods, and integrate them. Or you can use a set of managed services from the same cloud provider, reducing the setup, integration, and management effort, allowing you to focus on your code.

The goal of this book is to use hands-on exercises to show you how to build an end-to-end continuous delivery pipeline on Google Cloud using Google-managed services, covering not only how to get code from commit to production but also how you can optimize your inner development loop.

The book starts by introducing continuous delivery principles and best practices to implement them while protecting your artifacts from security threats. You’ll then learn how to use Skaffold, Cloud Code, Duet AI, and Cloud Workstations to help stay in the flow and optimize feedback loops while you code. You’ll experiment with automating your builds and tests and generating signed provenance for your artifacts using Cloud Build. You’ll understand how to store your software artifacts and assess their security posture using Artifact Registry. You’ll learn how to orchestrate deployments and promotions through different stages using Cloud Deploy, and release your software on GKE and Cloud Run. You’ll also see how to use Binary Authorization to protect these runtime environments. Furthermore, we'll show some examples of integrating these tools with other services you may have.

After you learn about each tool or service, following the hands-on examples, we’ll guide you through creating an end-to-end software delivery pipeline that represents a real production environment, with multiple actors involved, using all the aforementioned services together.

Lastly, we’ll provide some additional best practices, as well as insights into some possible future trends.

By the end of this book, you’ll be able to build a secure software delivery pipeline from development to production using Google Cloud’s managed services and best practices.

Who this book is for

This book is mainly for technical practitioners, such as DevOps engineers and platform engineers, who manage application deployment, create continuous delivery pipelines, and want to automate workflows in a fully managed, scalable, and secure platform.

Another group who will find the book useful are software developers involved in application delivery, who are interested in learning how to leverage Google Cloud tools to optimize development flow status and feedback loop.

What this book covers

Chapter 1, Introducing Continuous Delivery and Software Supply Chain Security,describes continuous delivery principles and some of the practices and technical capabilities that drive the ability to implement them. The chapter also provides an overview of the security threats that a software supply chain can be exposed to and some practices that can mitigate them.

Chapter 2, Using Skaffold for Development, Build, and Deploy, describes Skaffold and how you can use it to test your application continuously while you develop it, build the container image containing your application, execute tests, and deploy it on different Kubernetes clusters.

Chapter 3, Developing and Testing with Cloud Code, demonstrates how to use Cloud Code, a Google-provided IDE add-on, to optimize the development flow state and feedback loops, and how to use Duet AI to get help while coding.

Chapter 4, Securing Your Code with Cloud Workstations, describes how an administrator can preconfigure Cloud Workstations, fully managed developer workstations hosted in Google Cloud, and how developers can use those workstations to work on code using their preferred IDE.

Chapter 5, Automating Continuous Integration with Cloud Build, describes Cloud Build, a managed service used to automate building artifacts, as well as other continuous integration (CI) tasks, and how you can use Cloud Build to build your application from source to a deployable container image.

Chapter 6, Securely Store Your Software on Artifact Registry, describes Artifact Registry, the Google-managed container and software artifact repository, and shows how to use it to store container images, application dependencies, and all of your software artifacts, scan them for vulnerabilities, and store vulnerabilities’ metadata.

Chapter 7, Exploring Runtimes – GKE, GKE Enterprise, and Cloud Run, describes the main runtime environments into which you can deploy your applications using Google Cloud continuous delivery tooling. This chapter includes Google Kubernetes Engine (GKE) hosted on GCP as well as Cloud Run, and on-premises Kubernetes or hosted on other hyperscale cloud platforms.

Chapter 8, Automating Software Delivery Using Cloud Deploy, describes Cloud Deploy, a service you can use to automate how your application is delivered to a predetermined sequence of runtime environments. You’ll learn how to create the software delivery pipeline that guides your application delivery to those target environments.

Chapter 9, Securing Your Runtimes with Binary Authorization, describes Binary Authorization, a service that lets you configure policies to control the execution of container-based applications on Google Cloud runtimes such as GKE and Cloud Run.

Chapter 10, Demonstrating an End-to-End Software Delivery Pipeline, shows how to use all the Google Cloud tools described in the previous chapters to create and run an end-to-end pipeline from code to production for an example application.

Chapter 11, Integrating with Your Organization's Workflows, demonstrates an example of how to integrate your pipeline with external systems present in your organization, such as source-code management systems or workflow management tools.

Chapter 12, Diving into Best Practices and Trends in Continuous Delivery, describes some best practices for continuous delivery on Google Cloud that we didn’t cover exhaustively in previous chapters. This chapter also provides some hints on future improvements, directions, and developments in software delivery capabilities.

To get the most out of this book

To get the most out of this book, you’ll need a basic understanding of software development and application packaging (basic project structure, builds, and unit tests), application deployment, Linux containers, Kubernetes, and the fundamentals of Google Cloud (Cloud APIs, IAM, etc.).

Software/hardware covered in the book

Operating system requirements

Cloud Shell

You can execute all the exercises in the book in Cloud Shell and the Google Cloud console. Cloud Shell supports the latest versions of Google Chrome, Mozilla Firefox, Microsoft Edge, Microsoft Internet Explorer 11+, and Apple Safari 8+. Safari in private browser mode is not supported.

Google Cloud console

You can use the Google Cloud console in the following browsers: Chrome, Safari, Firefox, and Edge.

gcloud CLI installed locally (optional)

Linux (Debian, Ubuntu, Red Hat/Fedora/CentOS), macOS, and Windows.

Skaffold installed locally (optional)

Linux (Debian, Ubuntu, Red Hat/Fedora/CentOS), macOS, and Windows.

Cloud Code installed locally (optional)

You need a supported IDE. Examples in the book are based mainly on Code OSS/VS Code.

All the tasks in the book that require a terminal or an editor can be performed with Cloud Shell (or Cloud Workstations), accessible with one of the aforementioned supported browsers. We suggest using Cloud Shell or Cloud Workstations because they have all the necessary tools already installed. If you prefer, you can install the gcloud CLI, Skaffold, and Cloud Code locally, following the requirements in the preceding table.

If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Secure-Continuous-Delivery-on-Google-Cloud. If there’s an update to the code, it will be updated in the GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “A new build now runs, linked to the scdbook-e2e-merge trigger.”

A block of code is set as follows:

Any command-line input or output is written as follows:

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “To view the render logs, click the link next to Render logs, under Rendering.”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read Secure Continuous Delivery on Google Cloud, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content..

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

https://packt.link/free-ebook/978-1-80512-928-8

Part 1:Introduction and Code Your Application

This part is an overview of continuous delivery, its underlying principles and practices, and best practices for protecting software artifacts from security threats along the software supply chain. In this part, you’ll also learn about Skaffold, Cloud Code, and Cloud Workstations, three tools that can help developers to be more productive, stay in the flow, and optimize their feedback loop.

This part has the following chapters:

1

Introducing Continuous Delivery and Software Supply Chain Security

Most transactions and interactions today are digital or rely on digital services, so the ability to deliver software quickly, reliably, and securely is a critical competitive advantage. Continuous delivery (CD) is a software engineering practice that enables teams to achieve this goal by automating the entire software release process, from committing code to deploying to production. CD, properly done, empowers organizations to reduce their time to market (TTM), improve software quality, and release new features and bug fixes more frequently.

The goal of this book is to share how to implement secure CD using Google Cloud services such as Cloud Code, Cloud Workstations, Cloud Build, Artifact Registry, Cloud Deploy, and others.

In this book, we describe each service and show how you can use them together to automate and secure your software delivery pipeline. But first, in this chapter, we introduce CD principles and some of the practices and technical capabilities that drive the ability to implement them.

This chapter also provides an overview of security threats that a software supply chain can face and some practices that can mitigate those threats.

This chapter includes the following sections:

We start this book by looking at what CD is.

Introduction to CD

CD is a set of practices and principles that aim to streamline and automate software delivery from commit to production. Teams and organizations practice with the goal of deploying software to production on demand at any time without impacting service availability. The main objective of CD is that software should always be in a deployable state and software release should be a fast, repeatable process.

This section is a quick overview of CD, what it consists of, and how it can help your organization achieve better and faster software delivery.

CD practices

Some of the practices that underpin CD are set out here:

The following diagram represents an example pipeline, starting when there is a new commit in the source code repository. The tasks represented in the diagram and the ones listed previously are examples. The exact pipeline sequence changes depending on factors such as the application itself, the programming language, and the framework, as well as specific organizational contexts:

Figure 1.1 – A high-level look at a software delivery pipeline

That process, with those practices, can help you achieve improved software delivery performance, as described in the next section.

The impact of CD on software delivery performance

The DevOps Research and Assessment (DORA) research program has identified CD as one of the main capabilities driving software delivery performance, as measured by DORA’s four key metrics.

The following list shows those four metrics and how they can help you improve your software delivery performance:

CD encourages more frequent deployments because it automates the deployment process and ensures that code changes are always production ready. Teams practicing CD can deploy changes to production on demand, often multiple times a day. Compare this to traditional approaches that might have longer release cycles.

CD streamlines the software development process, enabling faster development cycles and reducing delays. CD automates steps in the delivery pipeline, such as building, testing, and deploying, which reduces manual intervention and wait times.

With CD, code changes are continuously integrated, tested, and delivered, shortening the time from development to production. Frequent, small releases accelerate TTM.

CD emphasizes continuous testing, including unit tests, integration tests, and acceptance tests. This reduces the chance that defects and errors make their way into production.

Automation, in general, makes the release process repeatable and less error-prone because almost nothing is left to interpretation. Frequent, smaller releases make it easier to identify and fix issues early in the development process, reducing the likelihood of catastrophic failures in production.

CD practices typically include automated monitoring and alerting in production environments. This helps teams detect issues quickly. When issues do occur, CD enables rapid rollback or forward fixes. Automated deployments make it easier to apply fixes and quickly get the system back to a working state.

See https://dora.dev/ for more info on DORA and the four key metrics.

In the rest of this chapter, we describe the most important underlying CD practices in more detail, starting with CI.

Understanding continuous integration

Continuous integration (CI) is a set of software development practices for frequently integrating code changes. Each time a developer integrates changes (usually at least daily), those changes are automatically verified and tested. This means that there is always an up-to-date build ready to deploy.

The practice of CI was created to solve integration and compatibility problems caused by the old approach of developers working in isolation for an extended period on their version of code and then attempting to merge their changes into a shared code base.

CI follows the counterintuitive principle that if something is painful, you can make it less painful by doing it more often. This is based on the understanding that the integration effort is exponentially proportional to the amount of time between integrations (as found on https://martinfowler.com/articles/originalContinuousIntegration.html#TheMoreOftenTheBetter).

The next section describes how to bring these principles to your software development process.

How to implement CI

Here is a list of fundamental practices that a team should consider following to implement CI: