# [ GitLab CI/CD Operations ] ( CheatSheet )

1. Basic Pipeline Configuration

● Define stages: stages: [build, test, deploy]

● Define a job: job_name: {script: ["command1", "command2"]}
● Set job stage: job_name: {stage: build}
● Set job image: job_name: {image: alpine:latest}
● Set job tags: job_name: {tags: [docker, linux]}

2. Job Control

● Manual job trigger: job_name: {when: manual}

● Allow job failure: job_name: {allow_failure: true}
● Set job timeout: job_name: {timeout: 1 hour}
● Set job dependencies: job_name: {dependencies: [other_job]}
● Set job artifacts: job_name: {artifacts: {paths: [path/to/artifact]}}
● Set job cache: job_name: {cache: {paths: [path/to/cache]}}

3. Environment Variables

● Define variable: variables: {VAR_NAME: "value"}

● Use predefined variable: script: ["echo $CI_COMMIT_SHA"]
● Use GitLab UI variable: script: ["echo $UI_DEFINED_VARIABLE"]
● Mask a variable: variables: {MASKED_VAR: {value: "secret", masked: true}}

4. Conditional Execution

● Run on specific branch: job_name: {only: [master]}

● Exclude specific branch: job_name: {except: [develop]}
● Run on tags: job_name: {only: {refs: [tags]}}
● Run on merge requests: job_name: {only: {refs: [merge_requests]}}
● Use complex rules: job_name: {rules: [{if: '$CI_COMMIT_BRANCH ==
"master"', when: always}]}

5. Docker Operations

● Use Docker image: image: docker:latest

● Build Docker image: script: ["docker build -t myimage:$CI_COMMIT_SHA ."]

By: Waleed Mousa

 ● Push Docker image: script: ["docker push
myregistry/myimage:$CI_COMMIT_SHA"]
● Login to Docker registry: script: ["echo $CI_REGISTRY_PASSWORD | docker
login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY"]
● Use Docker-in-Docker: services: [docker:dind]

6. Kubernetes Operations

● Deploy to Kubernetes: script: ["kubectl apply -f deployment.yaml"]

● Set Kubernetes namespace: script: ["kubectl config set-context --current
--namespace=myapp"]
● Rollout Kubernetes deployment: script: ["kubectl rollout restart
deployment/myapp"]
● Get Kubernetes pods: script: ["kubectl get pods"]
● Use Kubernetes executor: job_name: {kubernetes: {namespace: myapp}}

7. Artifacts and Dependencies

● Define artifacts: artifacts: {paths: [path/to/artifact]}

● Set artifacts expiry: artifacts: {expire_in: 1 week}
● Define reports artifact: artifacts: {reports: {junit: path/to/report.xml}}
● Download artifacts: dependencies: [job_name]
● Use artifacts between stages: needs: [{job: job_name, artifacts: true}]

8. Caching

● Define cache: cache: {paths: [path/to/cache]}

● Set cache key: cache: {key: ${CI_COMMIT_REF_SLUG}}
● Use per-job cache: job_name: {cache: {key: {files: [Gemfile.lock]}}}
● Clear cache: cache: {}
● Use multiple caches: cache: [{key: cache1, paths: [path1]}, {key: cache2,
paths: [path2]}]

9. Pages and Static Site Deployment

● Deploy GitLab Pages: pages: {script: [mkdir public, cp index.html

public/], artifacts: {paths: [public]}}
● Set custom domain for Pages: pages: {script: ["echo mysite.com >
public/CNAME"]}
● Use Hugo for Pages: script: ["hugo", "mv public public_html"]

By: Waleed Mousa

 ● Use Jekyll for Pages: script: ["bundle exec jekyll build -d public"]

10. Testing and Code Quality

● Run unit tests: script: ["npm test"]

● Run integration tests: script: ["npm run test:integration"]
● Generate code coverage: script: ["npm run test:coverage"]
● Run linter: script: ["npm run lint"]
● Use GitLab Code Quality: include: {template: Code-Quality.gitlab-ci.yml}
● Use GitLab SAST: include: {template: SAST.gitlab-ci.yml}

11. Deployment

● Deploy to staging: script: ["ansible-playbook deploy-staging.yml"]

● Deploy to production: script: ["ansible-playbook deploy-prod.yml"]
● Use continuous deployment: script: ["cap production deploy"]
● Use blue-green deployment: script: ["kubectl apply -f
blue-green-deploy.yaml"]
● Canary deployment: script: ["kubectl apply -f canary-deploy.yaml"]

12. Notifications

● Slack notification: script: ["curl -X POST -H 'Content-type:

application/json' --data '{\"text\":\"Deployment successful\"}'
$SLACK_WEBHOOK"]
● Email notification: script: ["echo 'Deployment done' | mail -s 'CI/CD
Notification' [email protected]"]
● Use GitLab ChatOps: chatops: {command: /deploy}

13. Environment Management

● Define environment: environment: {name: production, url:

https://prod.example.com}
● Stop environment: environment: {name: production, action: stop}
● Use dynamic environment: environment: {name: review/$CI_COMMIT_REF_NAME}
● Deploy to multiple environments: parallel: {matrix: [{ENVIRONMENT:
[staging, production]}]}

14. Parallel and Matrix Jobs

● Run jobs in parallel: parallel: 5

By: Waleed Mousa
 ● Use matrix strategy: parallel: {matrix: [{RUBY: ['2.5', '2.6']},
{DATABASE: [mysql, postgres]}]}
● Include matrix variables: script: ["bundle install
--gemfile=Gemfile.$RUBY"]

15. Includes and Templates

● Include local file: include: path/to/local.yml

● Include remote file: include: 'https://company.com/gitlab-ci-template.yml'
● Include template: include: {template: Auto-DevOps.gitlab-ci.yml}
● Use extends keyword: job_name: {extends: .base_job}

16. Workflow Control

● Define workflow rules: workflow: {rules: [{if: '$CI_COMMIT_BRANCH ==

"master"'}]}
● Skip pipeline creation: workflow: {rules: [{when: never}]}
● Create merge request pipelines: workflow: {rules: [{if:
$CI_MERGE_REQUEST_ID}]}

17. Job Control Flow

● Run job after failure: job_name: {when: on_failure}

● Run job always: job_name: {when: always}
● Define job prerequisites: needs: [job1, job2]
● Use parallel needs: needs: {job: test-job, parallel: {matrix: [{BROWSER:
[firefox, chrome]}]}}

18. GitLab Runners

● Use specific runner: job_name: {tags: [specific-runner]}

● Use shared runners: job_name: {tags: [shared-runner]}
● Disable shared runners: job_name: {tags: []} (in project settings)
● Set concurrent jobs limit: concurrent = 5 (in gitlab-runner config)

19. Pipeline Triggers

● Trigger child pipeline: trigger: {include: child-pipeline.yml}

● Use parent-child pipelines: job_name: {trigger: {include:
child-pipeline.yml}}

By: Waleed Mousa

 ● Trigger downstream pipeline: script: ["curl -X POST -F
token=$CI_JOB_TOKEN -F ref=master
https://gitlab.example.com/api/v4/projects/9/trigger/pipeline"]

20. Advanced Techniques

● Use anchors: job_name: {<<: *job_template}

● Define hidden jobs: .hidden_job: {script: ["echo 'This job is hidden']}
● Use default configuration: default: {image: ruby:2.7}
● Override default: job_name: {image: {name: ruby:2.7, entrypoint:
["/bin/bash"]}}
● Use retry on failure: job_name: {retry: {max: 2, when:
[runner_system_failure, stuck_or_timeout_failure]}}
● Set global variables: variables: {GLOBAL_VAR: "value"}
● Use dotenv files: script: ["source .env.${CI_COMMIT_REF_NAME}"]
● Use CI/CD dashboard: status_page: {enabled: true}
● Set pipeline-level timeout: default: {timeout: 2 hours}
● Use multi-project pipelines: trigger: {project: group/project, branch:
master}
● Schedule pipelines: schedule: {cron: "0 1 * * *"}
● Use GitLab Auto Deploy: include: {template: Auto-Deploy.gitlab-ci.yml}
● Use GitLab Release jobs: include: {template: Release.gitlab-ci.yml}
● Use GitLab Review Apps: include: {template: Review-Apps.gitlab-ci.yml}
● Set pipeline variables: script: ["gitlab-ci-multi-runner exec shell --env
CI_DEBUG_TRACE=true job_name"]
● Use GitLab Container Registry: script: ["docker push
${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}"]
● Implement feature flags: script:
["feature_flag_client.enable('new_feature')"]
● Use GitLab Environments Dashboard: environment: {name: production,
deployment_tier: production}
● Implement Progressive Delivery: script: ["kubectl apply -f
progressive-delivery.yaml"]

21. Advanced Security and Compliance

● Implement Container Scanning: include: {template:

Container-Scanning.gitlab-ci.yml}
● Use Dependency Scanning: include: {template:
Dependency-Scanning.gitlab-ci.yml}

By: Waleed Mousa

 ● Implement License Compliance: include: {template:
License-Scanning.gitlab-ci.yml}
● Use Secret Detection: include: {template: Secret-Detection.gitlab-ci.yml}
● Implement API Fuzzing: include: {template: API-Fuzzing.gitlab-ci.yml}

22. Advanced Monitoring and Observability

● Integrate Prometheus metrics: script: ["push_metrics_to_prometheus"]

● Use GitLab Error Tracking: script:
["gitlab_error_tracking.capture_exception(e)"]
● Implement Distributed Tracing: script: ["jaeger_client.init_tracer()"]
● Use GitLab Incident Management: script: ["trigger_incident_if_error"]

23. Infrastructure as Code

● Use Terraform in pipeline: script: ["terraform init", "terraform apply

-auto-approve"]
● Implement GitOps with ArgoCD: script: ["argocd app sync myapp"]
● Use CloudFormation: script: ["aws cloudformation deploy --template-file
template.yaml --stack-name mystack"]

24. Advanced Deployment Strategies

● Implement Feature Flags: script:

["feature_flag_service.enable('new_feature', percentage: 10)"]
● Use A/B Testing: script:
["ab_test_service.create_experiment('button_color', variants: ['blue',
'green'])"]
● Implement Shadow Deployment: script: ["deploy_shadow_service"]

25. Performance and Load Testing

● Implement Load Testing: script: ["k6 run loadtest.js"]

● Use Performance Testing: script: ["apache_bench -n 1000 -c 100
https://myapp.com/"]
● Implement Stress Testing: script: ["stress-ng --cpu 8 --io 4 --vm 2
--vm-bytes 128M --timeout 60s"]

By: Waleed Mousa

26. A complete Pipeline

# Complete GitLab CI/CD Pipeline

stages:
- prepare
- build
- test
- security
- deploy
- post-deploy

variables:
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
KUBERNETES_NAMESPACE: ${CI_PROJECT_PATH_SLUG}-${CI_COMMIT_REF_SLUG}

include:
- template: Auto-DevOps.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml
- template: Security/Container-Scanning.gitlab-ci.yml
- template: Security/DAST.gitlab-ci.yml

# Cache configuration
cache:
key: ${CI_COMMIT_REF_SLUG}
paths:
- node_modules/
- .npm/

# Job templates
.build_template: &build_definition
stage: build
image: node:14
script:
- npm ci
- npm run build
artifacts:
paths:
- dist/

.test_template: &test_definition
stage: test
image: node:14
script:
- npm ci

By: Waleed Mousa

 - npm run test:coverage
coverage: '/Lines\s*:\s*(\d+\.?\d*)%/'

# Jobs
prepare:
stage: prepare
image: alpine:latest
script:
- apk add --no-cache curl
- curl -o .env.$CI_COMMIT_REF_NAME
https://config-server.example.com/config/$CI_COMMIT_REF_NAME
artifacts:
paths:
- .env.$CI_COMMIT_REF_NAME

lint:
stage: test
image: node:14
script:
- npm ci
- npm run lint
allow_failure: true

unit_test:
<<: *test_definition
script:
- npm ci
- npm run test:unit

integration_test:
<<: *test_definition
script:
- npm ci
- npm run test:integration

build:
<<: *build_definition

container_build:
stage: build
image: docker:stable
services:
- docker:dind
script:
- docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
- docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

dependency_scanning:

By: Waleed Mousa

 stage: security
script:
- npm audit --json | ./node_modules/.bin/npm-audit-html -o
dependency-report.html
artifacts:
paths:
- dependency-report.html

deploy_review:
stage: deploy
image:
name: bitnami/kubectl:latest
entrypoint: ['']
script:
- kubectl config set-cluster k8s --server="$KUBE_URL"
--insecure-skip-tls-verify=true
- kubectl config set-credentials gitlab --token="$KUBE_TOKEN"
- kubectl config set-context default --cluster=k8s --user=gitlab
- kubectl config use-context default
- sed -i "s~IMAGE_TAG~${CI_COMMIT_SHA}~g" k8s/deployment.yaml
- kubectl apply -f k8s/deployment.yaml -n $KUBERNETES_NAMESPACE
environment:
name: review/$CI_COMMIT_REF_NAME
url: https://$CI_ENVIRONMENT_SLUG.example.com
only:
- merge_requests

deploy_staging:
stage: deploy
image:
name: bitnami/kubectl:latest
entrypoint: ['']
script:
- kubectl config set-cluster k8s --server="$KUBE_URL"
--insecure-skip-tls-verify=true
- kubectl config set-credentials gitlab --token="$KUBE_TOKEN"
- kubectl config set-context default --cluster=k8s --user=gitlab
- kubectl config use-context default
- sed -i "s~IMAGE_TAG~${CI_COMMIT_SHA}~g" k8s/deployment.yaml
- kubectl apply -f k8s/deployment.yaml -n staging
environment:
name: staging
url: https://staging.example.com
only:
- develop

deploy_production:
stage: deploy

By: Waleed Mousa

 image:
name: bitnami/kubectl:latest
entrypoint: ['']
script:
- kubectl config set-cluster k8s --server="$KUBE_URL"
--insecure-skip-tls-verify=true
- kubectl config set-credentials gitlab --token="$KUBE_TOKEN"
- kubectl config set-context default --cluster=k8s --user=gitlab
- kubectl config use-context default
- sed -i "s~IMAGE_TAG~${CI_COMMIT_SHA}~g" k8s/deployment.yaml
- kubectl apply -f k8s/deployment.yaml -n production
environment:
name: production
url: https://www.example.com
when: manual
only:
- master

performance:
stage: post-deploy
image: docker:git
variables:
URL: https://$CI_ENVIRONMENT_SLUG.example.com
script:
- mkdir lighthouse
- docker run --rm -v $(pwd)/lighthouse:/home/chrome/reports
femtopixel/google-lighthouse $URL
- mv lighthouse/*.report.html performance.html
artifacts:
paths:
- performance.html
only:
- master

sentry_release:
stage: post-deploy
image: getsentry/sentry-cli
script:
- sentry-cli releases new -p $SENTRY_PROJECT $CI_COMMIT_SHA
- sentry-cli releases set-commits --auto $CI_COMMIT_SHA
- sentry-cli releases finalize $CI_COMMIT_SHA
only:
- master

notification:
stage: .post
script:
- 'curl -X POST -H "Content-type: application/json" --data

By: Waleed Mousa

"{\"text\":\"Application deployed to production\"}" $SLACK_WEBHOOK'
only:
- master

This pipeline includes:

● Multiple stages for a complete CI/CD workflow

● Inclusion of GitLab Auto-DevOps and security templates
● Caching for faster builds
● Job templates for reusability
● Linting and different types of testing (unit, integration)
● Docker image building and pushing
● Security scanning (SAST, Secret Detection, Container Scanning, DAST)
● Dependency scanning and reporting
● Deployment to review, staging, and production environments
● Kubernetes deployment
● Performance testing with Google Lighthouse
● Sentry release tracking
● Slack notification on successful deployment

This pipeline demonstrates many best practices, including:

● Separation of concerns with distinct stages and jobs

● Use of templates and includes for reusability and maintainability
● Comprehensive testing and security scanning
● Environment-specific deployments
● Manual approval for production deployment
● Performance testing and monitoring
● Error tracking integration
● Notification system

By: Waleed Mousa