Top 10 pipeline mistakes - dotnetsheff
Download as PPTX, PDF•0 likes•188 views
The document lists the top 10 pipeline mistakes, including unsafe secrets, untraceable artifacts, environment-specific deploy packages, lack of testing, use of bleeding edge technology, overly complex builds, flaky builds, overuse of versioning, implicit assumptions, and reliance on dubious plugins. The author provides recommendations to address each mistake, such as using secret stores, adding versioning and links to artifacts, deploying the same packages to all environments, including quality checks, ensuring deployable technology and available agents, splitting processes, enabling reproducible builds, adding version specifications, checking tool requirements, and using autonomous pipelines.
![Untraceable
Wrong
.NET
AssemblyVersion["1.0.*"]
Maven
<version>1.0.0</version>
Correct
Add #id and/or URLs in
commits and work items
Patch AssemblyInfo.cs
Use VersionPrefix and
Version with .NET Core
Use Maven version plugin
Add version data into .ps1
.sql .xml .yaml .json](https://image.slidesharecdn.com/top10pipelinemistakes-200707202120/85/Top-10-pipeline-mistakes-dotnetsheff-5-320.jpg)
Top 10 pipeline mistakes - dotnetsheff
- 1. Top 10 pipeline mistakes Giulio Vian — 7 July 2020 @giulio_vian https://www.getlatestversion.eu http://blog.casavian.eu https://www.slideshare.net/giuliov https://github.com/giuliov
- 2. Unsafe Secrets Sloppy handling of secrets Fix: use a safe store Security risk
- 3. Unsafe Secrets Wrong <add name="DefaultConnection" connectionString="Data Source=*omiss*;Initial Catalog=*omiss*;Persist Security Info=False;User ID=*omiss*;Password=*omiss* " providerName="System.Data .SqlClient"/> Correct GitHub Secrets Azure Pipelines Service Connections Azure Pipelines Secret Variables Jenkins Credentials AWS Systems Manager Parameter Store AWS Secrets Manager Azure KeyVault
- 4. Untraceable artifacts No artifact versioning Careless versioning Unrelated binary and source versions No links to work items or deployments Fixes: careful versioning, link artifacts
- 5. Untraceable Wrong .NET AssemblyVersion["1.0.*"] Maven <version>1.0.0</version> Correct Add #id and/or URLs in commits and work items Patch AssemblyInfo.cs Use VersionPrefix and Version with .NET Core Use Maven version plugin Add version data into .ps1 .sql .xml .yaml .json
- 6. Too specific Environment-specific deploy packages Fix: just stop doing, I mean, stop it
- 7. Too specific Wrong React App PUBLIC_URL Correct Ship you package to Artifactory, Nexus or else Deploy the same package to all environments (and patch config files along the way)
- 8. What, quality? No testing No quality scan Fix: add quality checks to your pipelines
- 9. What, quality? Wrong Correct linters SonarQube Checkmarx GitHub CodeQL WhiteSource OWASP ZAP Atlassian Crucible Veracode Fortify …
- 10. Bleeding edge Undeployable technology No agents Fix: ask and negotiate, do not assume
- 11. Galactic build Does too much Takes too much Slow feedback Fix: split the process
- 12. Flaky builds Same source different binaries Test randomly pass/fail Loose dependencies specifications Fixes: reproducible builds, drop flaky tests, pinpoint dependencies
- 14. Loose dependencies NuGet (4.9+) <PropertyGroup> <RestorePackagesWithLockFile>true</RestorePackages WithLockFile> </PropertyGroup> msbuild.exe /t:restore /p:RestoreLockedMode=true dotnet.exe restore –locked-mode
- 15. Too much of a good thing Too much versioning Fix: libraries ≠ deploy packages, use SemVer in full
- 16. Too much of a good thing SemVer https://semver.org/ 1.0.0-dev+sha.5114f85 Maven 1.0-SNAPSHOT
- 17. Implicit assumptions No conditions on agent requirements No checks on toolchain versions Magic agents (e.g. tools dropped in obscure corners) Fix: explicit tool checks
- 18. Implicit assumptions Wrong GitVersion.exe /output buildserver Correct dotnet tool install -g GitVersion.Tool dotnet gitversion
- 19. Untamed plugins Relying on dubious plugins/extensions Fix: autonomous pipelines
- 20. Best (worst?) Mistakes 1. Unsafe Secrets 2. Untraceable 3. Too specific 4. What quality? 5. Bleeding edge 6. Galactic build 7. Flaky builds 8. Too much of a good thing 9. Implicit assumptions 10. Untamed plugins
- 21. Unpardonable No pipeline at all
- 22. References Reproducible builds https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/deterministic-compiler- option https://maven.apache.org/guides/mini/guide-reproducible-builds.html https://zlika.github.io/reproducible-build-maven-plugin/ https://reproducible-builds.org/ Pin dependencies https://github.com/NuGet/Home/wiki/Repeatable-build-using-lock-file-implementation https://docs.npmjs.com/configuring-npm/package-locks.html https://docs.gradle.org/current/userguide/dependency_locking.html http://maven.apache.org/guides/introduction/introduction-to-dependency- mechanism.html#Dependency_Management Flaky tests https://docs.microsoft.com/en-us/azure/devops/pipelines/test/flaky-test-management https://docs.gitlab.com/ee/development/testing_guide/flaky_tests.html https://plugins.jenkins.io/flaky-test-handler/ SemVer https://semver.org/
- 23. Hardware spec: 1 KB RAM (16KB after upgrade) 4 KB ROM (8KB after upgrade) First computer Past Companies Communities Giulio Vian Senior DevOps Engineer
Editor's Notes
- #23: Le Jugement Dernier de Jean Cousin le Jeune (v. 1585), Musée du Louvre.