ADR-004: GitLab CI/CD Pipeline with Staged Deployments
Date: 2026-02-15
Status: Accepted
Deciders: Jeff Mosley, Brian Moore
Context
Manual deployments are error-prone and time-consuming. We need:
- Automated Quality Gates: Catch bugs before deployment via linting, security scans, and tests
- Consistent Builds: Same build process every time, no "works on my machine"
- Safe Deployments: Staging validation before production, with manual approval for production
- Dependency Security: Automated alerts and updates for vulnerable dependencies
Decision
Implement GitLab CI/CD with staged deployments and comprehensive quality gates.
Pipeline Stages
┌──────┐   ┌──────────┐   ┌──────┐   ┌───────┐   ┌────────────────┐   ┌───────────────────┐
│ lint │ → │ security │ → │ test │ → │ build │ → │ deploy-staging │ → │ deploy-production │
└──────┘   └──────────┘   └──────┘   └───────┘   └────────────────┘   └───────────────────┘
   ↓            ↓            ↓           ↓               ↓                     ↓
golangci-lint  gosec        go test   All 4 components  Single node        HA cluster
ESLint         govulncheck  mocha     in parallel       (api1, web1)       (manual approval)
               npm audit
Stage Details
| Stage | Tools | Components | Blocking? |
|---|---|---|---|
| lint | golangci-lint, ESLint | All Go + TypeScript | No (warning only initially) |
| security | gosec, govulncheck, npm audit | All | No (warning only) |
| test | go test -race, mocha | cortex-api, cortex-indexer-v2, cortex-vscode | Yes |
| build | go build, npm run package | All 4 components | Yes |
| deploy-staging | SSH + scp | api1, web1 | Yes |
| deploy-production | SSH + scp | api1/2, web1/2, indexer1/2 | Manual |
Deployment Targets
| Environment | Hosts | Trigger |
|---|---|---|
| Staging | api1 (192.168.11.132), web1 (192.168.11.136) | Auto on main push |
| Production | api1/2, web1/2, indexer1/2 | Manual approval |
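The stage table and deployment targets above map onto a pipeline definition like the one below. This is an added illustrative `.gitlab-ci.yml`, not the project's actual file; the component directory names, the `deploy` user, the `/opt/cortex` remote path, the `PROD_*_HOSTS` variables and the image tags are assumptions. It keeps lint and security non-blocking with `allow_failure: true`, runs staging automatically on `main`, gates production behind a manual job, and pins server host keys from `SSH_KNOWN_HOSTS` instead of disabling host-key checking.

```yaml
# Added example .gitlab-ci.yml illustrating the ADR's stages; not the project's real file.
# Assumed (not from the ADR): component directories cortex-api, cortex-web, cortex-indexer,
# cortex-vscode; remote user "deploy"; remote path /opt/cortex; PROD_*_HOSTS variables;
# golang:1.23 / node:20 / alpine:3.20 images.
stages:
  - lint
  - security
  - test
  - build
  - deploy-staging
  - deploy-production

variables:
  GOFLAGS: "-mod=readonly"   # fail if go.mod/go.sum would change instead of silently mutating them

# Shared SSH setup for the deploy stages. Both values are CI/CD variables marked "protected",
# so pipelines on unprotected branches (e.g. merge requests) cannot read the key.
# Writing known_hosts keeps StrictHostKeyChecking at its default: a substituted host fails closed.
.ssh-setup: &ssh-setup
  - eval "$(ssh-agent -s)"
  - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
  - mkdir -p ~/.ssh && chmod 700 ~/.ssh
  - echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts && chmod 644 ~/.ssh/known_hosts

# lint and security are warning-only for now (ADR: "Gradual Strictness");
# set allow_failure: false to make them blocking.
lint-go:
  stage: lint
  image: golangci/golangci-lint:latest
  script:
    - golangci-lint run ./...
  allow_failure: true

lint-ts:
  stage: lint
  image: node:20
  script:
    - cd cortex-vscode && npm ci && npx eslint .
  allow_failure: true

security-go:
  stage: security
  image: golang:1.23
  script:
    # pin both tools to a release tag in practice rather than @latest
    - go install github.com/securego/gosec/v2/cmd/gosec@latest
    - go install golang.org/x/vuln/cmd/govulncheck@latest
    - gosec ./...
    - govulncheck ./...
  allow_failure: true

security-npm:
  stage: security
  image: node:20
  script:
    - cd cortex-vscode && npm ci && npm audit --audit-level=high
  allow_failure: true

test-go:
  stage: test
  image: golang:1.23
  script:
    - go test -race ./...

test-vscode:
  stage: test
  image: node:20
  script:
    - cd cortex-vscode && npm ci && npx mocha

# One build job per Go component, run in parallel; reproducible flags, no cgo.
build-go:
  stage: build
  image: golang:1.23
  parallel:
    matrix:
      - COMPONENT: [cortex-api, cortex-web, cortex-indexer]
  script:
    - CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -o "$COMPONENT-linux-amd64" "./$COMPONENT"
  artifacts:
    paths: ["$COMPONENT-linux-amd64"]
    expire_in: 1 week

build-vscode:
  stage: build
  image: node:20
  script:
    - cd cortex-vscode && npm ci && npm run package
  artifacts:
    paths: [cortex-vscode/*.vsix]

deploy-staging:
  stage: deploy-staging
  image: alpine:3.20
  environment: staging
  before_script:
    - apk add --no-cache openssh-client
    - *ssh-setup
  script:
    - scp cortex-api-linux-amd64 deploy@192.168.11.132:/opt/cortex/
    - scp cortex-web-linux-amd64 deploy@192.168.11.136:/opt/cortex/
  rules:
    - if: $CI_COMMIT_BRANCH == "main"   # auto on main push

deploy-production:
  stage: deploy-production
  image: alpine:3.20
  environment: production
  before_script:
    - apk add --no-cache openssh-client
    - *ssh-setup
  script:
    - for h in $PROD_API_HOSTS; do scp cortex-api-linux-amd64 "deploy@$h:/opt/cortex/"; done
    - for h in $PROD_WEB_HOSTS; do scp cortex-web-linux-amd64 "deploy@$h:/opt/cortex/"; done
    - for h in $PROD_INDEXER_HOSTS; do scp cortex-indexer-linux-amd64 "deploy@$h:/opt/cortex/"; done
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
      when: manual   # waits for a click in the GitLab UI; earlier stages must already be green
```

Two points worth checking in the real configuration: `SSH_PRIVATE_KEY` and `SSH_KNOWN_HOSTS` should be created as protected variables (and `main` as a protected branch), otherwise any branch pipeline can read the deploy key; and the `known_hosts` entries should be captured once from a trusted session (`ssh-keyscan` output verified against the servers' fingerprints) rather than regenerated in the job, or the pinning adds nothing.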
- .golangci.yml: Linter configuration with security checks (gosec), formatting (gofmt, goimports), and static analysis
- renovate.json: Automated dependency updates with auto-merge for minor/patch, manual review for major
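A `.golangci.yml` matching the description above could look like the following. This is an added example, not the project's file, and it assumes the golangci-lint v2 configuration schema (`version: "2"`, with formatters split out from linters).

```yaml
# Added example .golangci.yml (golangci-lint v2 schema); not the project's own file.
version: "2"
linters:
  default: standard        # govet, errcheck, staticcheck, ineffassign, unused
  enable:
    - gosec                # security checks: weak crypto, command/path injection, file modes
    - bodyclose            # unclosed HTTP response bodies leak connections
  settings:
    gosec:
      severity: medium     # report findings at medium severity and above
      confidence: medium
  exclusions:
    generated: lax         # skip files that carry a "generated" header
formatters:
  enable:
    - gofmt
    - goimports
```

While the lint stage is still warning-only, run `golangci-lint run ./...` locally before pushing; once the gosec findings are down to zero, that is the point at which the ADR's "made blocking later" switch (`allow_failure: false` on the lint and security jobs) costs nothing.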
Consequences
Positive
- Quality Assurance: Every push is linted, scanned, and tested
- Security: Vulnerability scanning catches issues before production
- Consistency: Same build process, reproducible artifacts
- Safe Rollouts: Staging validation prevents broken production deploys
- Self-Aware AI: Priority Context Decision makes Cortex aware of its own deployment process
Negative
- Pipeline Time: Full pipeline takes ~5-10 minutes
- GitLab Dependency: Requires GitLab CI/CD runners
- SSH Key Management: Deployment keys need secure storage
Neutral
- Gradual Strictness: Lint/security are warnings initially, made blocking later
- Runner Location: Uses GitLab shared runners (can add self-hosted later)
Implementation
Key Files
| File | Purpose |
|---|---|
| .gitlab-ci.yml | Main pipeline configuration |
| .golangci.yml | Go linter settings |
| renovate.json | Dependency update automation |
GitLab CI/CD Variables Required
| Variable | Description |
|---|---|
| SSH_PRIVATE_KEY | Deployment SSH private key |
| SSH_KNOWN_HOSTS | Known hosts for target servers |
Build Artifacts
| Component | Artifact | Size |
|---|---|---|
| cortex-api | cortex-api-linux-amd64 | ~15MB |
| cortex-web | cortex-web-linux-amd64 | ~12MB |
| cortex-indexer | cortex-indexer-linux-amd64 | ~12MB |
| cortex-vscode | cortex-ai-X.X.X.vsix | ~500KB |
See Also