当前位置：首页 > article >正文

第八部分-企业级实践——36. CI/CD 集成

article 2026/5/13 15:50:24

36. CI/CD 集成1. CI/CD 概述CI/CD持续集成/持续部署与 Docker 结合可以实现代码提交后自动构建镜像、测试、部署的完整流程大幅提升开发效率和发布质量。┌─────────────────────────────────────────────────────────────┐ │ Docker CI/CD 流水线 │ ├─────────────────────────────────────────────────────────────┤ │ │ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │ │ 代码提交 │───▶│ 自动构建 │───▶│ 自动测试 │───▶│ 镜像推送 │ │ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │ │ │ Git Docker 测试套件镜像仓库│ │ │ │ │ │ │ │ │ ▼ ▼ ▼ │ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │ │ 部署生产 │◀───│ 部署预发 │◀───│ 镜像扫描 │◀───│ 安全检测 │ │ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │ │ │ 生产环境预发环境安全扫描漏洞检测 │ │ │ └─────────────────────────────────────────────────────────────┘2. GitLab CI/CD2.1 GitLab Runner 安装# 注册 GitLab Runnerdockerrun-d--namegitlab-runner--restartalways\-v/var/run/docker.sock:/var/run/docker.sock\-v/srv/gitlab-runner/config:/etc/gitlab-runner\gitlab/gitlab-runner:latest# 注册 Runnerdockerexec-itgitlab-runner gitlab-runner register# 交互输入# GitLab URL: https://gitlab.com/# Registration token: PROJECT_TOKEN# Description: docker-runner# Tags: docker# Executor: docker# Default image: alpine:latest2.2 .gitlab-ci.yml 配置# .gitlab-ci.ymlstages:-build-test-scan-push-deployvariables:DOCKER_IMAGE:$CI_REGISTRY_IMAGE:$CI_COMMIT_SHADOCKER_LATEST:$CI_REGISTRY_IMAGE:latestDOCKER_TAG:$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG# 构建阶段build:stage:buildimage:docker:latestservices:-docker:dindscript:-docker build-t $DOCKER_IMAGE .-docker tag $DOCKER_IMAGE $DOCKER_LATESTonly:-main-develop-tags# 测试阶段test:stage:testimage:docker:latestservices:-docker:dindscript:-docker run--rm $DOCKER_IMAGE npm test-docker run--rm $DOCKER_IMAGE /app/scripts/test.shonly:-main-develop# 安全扫描scan:stage:scanimage:aquasec/trivy:latestscript:-trivy image--severity HIGH,CRITICAL--exit-code 1 $DOCKER_IMAGEonly:-main-tags# 推送镜像push:stage:pushimage:docker:latestservices:-docker:dindscript:-docker login-u $CI_REGISTRY_USER-p $CI_REGISTRY_PASSWORD $CI_REGISTRY-docker push $DOCKER_IMAGE-docker push $DOCKER_LATEST-if[-n $CI_COMMIT_TAG]; then docker tag $DOCKER_IMAGE $DOCKER_TAG; docker push $DOCKER_TAG; fionly:-main-tags# 部署到预发deploy-staging:stage:deployimage:docker:latestscript:-docker pull $DOCKER_IMAGE-docker stack deploy-c docker-compose.staging.yml--with-registry-auth myappenvironment:name:stagingurl:https://staging.example.comonly:-develop# 部署到生产deploy-production:stage:deployimage:docker:latestscript:-docker pull $DOCKER_IMAGE-docker stack deploy-c docker-compose.prod.yml--with-registry-auth myappenvironment:name:productionurl:https://example.comonly:-mainwhen:manual3. GitHub Actions3.1 Docker 镜像构建# .github/workflows/docker-build.ymlname:Docker Build and Pushon:push:branches:[main,develop]tags:[v*]pull_request:branches:[main]env:REGISTRY:ghcr.ioIMAGE_NAME:${{github.repository}}jobs:build:runs-on:ubuntu-latestpermissions:contents:readpackages:writesteps:-name:Checkout codeuses:actions/checkoutv3-name:Set up Docker Buildxuses:docker/setup-buildx-actionv2-name:Log in to GitHub Container Registryuses:docker/login-actionv2with:registry:${{env.REGISTRY}}username:${{github.actor}}password:${{secrets.GITHUB_TOKEN}}-name:Extract metadataid:metauses:docker/metadata-actionv4with:images:${{env.REGISTRY}}/${{env.IMAGE_NAME}}tags:|typeref,eventbranch typeref,eventpr typesemver,pattern{{version}} typesemver,pattern{{major}}.{{minor}} typesha-name:Build and push Docker imageuses:docker/build-push-actionv4with:context:.push:truetags:${{steps.meta.outputs.tags}}labels:${{steps.meta.outputs.labels}}cache-from:typeghacache-to:typegha,modemax-name:Scan image with Trivyuses:aquasecurity/trivy-actionmasterwith:image-ref:${{steps.meta.outputs.tags}}format:sarifoutput:trivy-results.sarifseverity:HIGH,CRITICAL-name:Upload Trivy resultsuses:github/codeql-action/upload-sarifv2with:sarif_file:trivy-results.sarif3.2 部署到服务器# .github/workflows/deploy.ymlname:Deploy to Serveron:workflow_run:workflows:[Docker Build and Push]types:-completedbranches:-mainjobs:deploy:runs-on:ubuntu-latestif:${{github.event.workflow_run.conclusion success}}steps:-name:Install SSH keyuses:shimataro/ssh-key-actionv2with:key:${{secrets.SSH_PRIVATE_KEY}}known_hosts:${{secrets.KNOWN_HOSTS}}-name:Deploy via SSHrun:|ssh -o StrictHostKeyCheckingno ${{ secrets.SERVER_USER }}${{ secrets.SERVER_HOST }} EOF cd /app docker pull ghcr.io/${{ github.repository }}:main docker-compose down docker-compose up -d docker system prune -f EOF4. Jenkins Pipeline4.1 Jenkinsfile// Jenkinsfilepipeline{agent any environment{DOCKER_REGISTRYregistry.example.comDOCKER_IMAGE${DOCKER_REGISTRY}/${JOB_NAME}:${BUILD_NUMBER}DOCKER_LATEST${DOCKER_REGISTRY}/${JOB_NAME}:latest}stages{stage(Checkout){steps{checkout scm}}stage(Build){steps{script{docker.build(${DOCKER_IMAGE})docker.image(${DOCKER_IMAGE}).tag(${DOCKER_LATEST})}}}stage(Test){steps{script{docker.image(${DOCKER_IMAGE}).inside{shnpm testshgo test ./...}}}}stage(Scan){steps{shtrivy image --severity HIGH,CRITICAL${DOCKER_IMAGE}}}stage(Push){steps{script{docker.withRegistry(https://${DOCKER_REGISTRY},registry-credentials){docker.image(${DOCKER_IMAGE}).push()docker.image(${DOCKER_LATEST}).push()}}}}stage(Deploy){steps{sh ssh deployserver cd /app \ docker pull${DOCKER_IMAGE} \ docker-compose up -d \ docker system prune -f }}}post{failure{notify.build.failure()}success{notify.build.success()}}}4.2 Docker 插件配置// Jenkins 配置// 安装 Docker Pipeline 插件// 配置 Docker 云pipeline{agent{docker{imagenode:14-alpineargs-v /var/run/docker.sock:/var/run/docker.sock}}stages{stage(Build){steps{shnpm installshnpm run build}}}}5. 自动化测试集成5.1 Docker Compose 测试# docker-compose.test.ymlversion:3.8services:sut:build:.command:npm testenvironment:-NODE_ENVtestdepends_on:-db-redisdb:image:postgres:13-alpineenvironment:-POSTGRES_DBtestdb-POSTGRES_USERtest-POSTGRES_PASSWORDtestredis:image:redis:alpine# 运行集成测试docker-compose-fdocker-compose.test.yml up --abort-on-container-exit5.2 单元测试集成# .gitlab-ci.ymltest-unit:stage:testimage:node:14-alpinescript:-npm ci-npm run test:unitcoverage:/All files[^|]*\|[^|]*\s([\d\.])/integration-test:stage:testscript:-docker-compose-f docker-compose.test.yml up--abort-on-container-exit--exit-code-from sutafter_script:-docker-compose-f docker-compose.test.yml down-v6. 多环境部署6.1 环境分离# .gitlab-ci.ymldeploy-dev:stage:deployenvironment:devscript:-docker stack deploy-c docker-compose.dev.yml myapponly:-developdeploy-staging:stage:deployenvironment:stagingscript:-docker stack deploy-c docker-compose.staging.yml myapponly:-mainwhen:manualdeploy-production:stage:deployenvironment:productionscript:-docker stack deploy-c docker-compose.prod.yml myapponly:-tagswhen:manual6.2 蓝绿部署#!/bin/bash# blue-green-deploy.sh# 获取当前环境current$(dockerservicels--filternamemyapp_web-q)if[$currentmyapp_web_blue];thennewgreenelsenewbluefi# 部署新版本dockerserviceupdate--imagemyapp:${CI_COMMIT_SHA}myapp_web_${new}# 健康检查sleep10ifcurl-fhttp://localhost:8080/health;then# 切换流量dockerserviceupdate --network-add myapp_net_${new}myapp_lbdockerserviceupdate --network-rm myapp_net_${current}myapp_lbelseechoHealth check failed!exit1fi7. 缓存优化7.1 Docker 层缓存# .gitlab-ci.ymlvariables:DOCKER_BUILDKIT:1BUILDKIT_INLINE_CACHE:1build:script:-docker pull $CI_REGISTRY_IMAGE:cache||true-docker build--cache-from $CI_REGISTRY_IMAGE:cache--tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .-docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:cache-docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA-docker push $CI_REGISTRY_IMAGE:cache7.2 GitHub Actions 缓存-name:Cache Docker layersuses:actions/cachev3with:path:/tmp/.buildx-cachekey:${{runner.os}}-buildx-${{github.sha}}restore-keys:|${{ runner.os }}-buildx--name:Build and pushuses:docker/build-push-actionv4with:cache-from:typelocal,src/tmp/.buildx-cachecache-to:typelocal,dest/tmp/.buildx-cache-new,modemax8. 命令速查操作命令/配置GitLab Runnerdocker run -d --name gitlab-runner gitlab/gitlab-runnerGitHub Actions.github/workflows/*.ymlJenkinsfileJenkinsfile测试 Composedocker-compose -f docker-compose.test.yml up镜像缓存--cache-from9. 最佳实践✅ CI/CD 建议分层构建利用 Docker 层缓存并行测试单元测试和集成测试并行安全扫描构建后自动扫描镜像标签使用 commit SHA 作为标签环境隔离开发、测试、生产环境分离回滚机制保留历史版本通知机制构建失败及时通知❌ 避免事项在 CI 中硬编码密钥忽略缓存导致构建缓慢跳过测试和安全扫描生产环境直接使用 latest 标签10. 小结GitLab CI内置 CI/CD配置简单GitHub Actions与 GitHub 深度集成Jenkins灵活强大插件丰富自动化测试集成测试确保质量多环境部署开发/预发/生产蓝绿部署零停机发布缓存优化加速构建安全扫描是 CI 流程的重要环节

第八部分-企业级实践——36. CI/CD 集成

相关文章：

第八部分-企业级实践——36. CI/CD 集成

生物 -- 神经系统（三）

【零基础部署】Ubuntu 安装 Docker 保姆级教程

终极指南：5分钟免费解锁Cursor Pro全部功能的完整解决方案

产品兼容性实战：硬件与软件设计的平衡艺术与工程策略

终极矢量图标库完全指南：Remix Icon 3200+免费图标深度解析

嵌入式处理器IP选型指南：从ARM到RISC-V的权衡与实战

AI 搜索重新重视来源：内容平台的新机会不是被点击，而是被正确引用

3分钟搞定Axure RP中文界面：全版本汉化终极指南

Loop：Mac窗口管理的终极免费解决方案，告别杂乱桌面

百度网盘Mac版加速插件：突破下载限制的实用方案

AI编程助手与代码质量守护：Trunk Cursor插件实战指南

Erupt 七年最有诚意升级：官网、文档、脚手架更新，迈向工业级开源生态！

RevokeMsgPatcher实战指南：Windows微信QQ防撤回的终极秘籍

声明式数据转换利器：Refiner 实战指南与架构集成

Python 3.14.5 发布：多项改进，垃圾回收器回滚，还有这些新特性！

手机号到QQ号查询技术实现原理与TEA加密通信架构解析

从Kaggle竞赛到现实应用：聊聊ResNet18在驾驶安全监控中的潜力与局限

3步解锁网易云音乐NCM加密文件：ncmdumpGUI图形化工具完全指南

AI编码助手配置框架：六层缰绳架构实现团队规范与上下文持久化

利用Taotoken模型广场为内容生成应用挑选合适模型

Avogadro 2：开源分子可视化库的终极技术解析

连接器选型五大雷区：从故障数据到设计落地的实战手册

面向非技术人员的AI智能体实战：零代码自动化工作流构建指南

为OpenClaw智能体工作流配置Taotoken作为稳定后端API

ModuleNotFoundError: No module named ‘ui_form‘

终极指南：5分钟让Illustrator批量替换效率提升10倍

终极指南：轻松突破Cursor Pro限制，实现永久免费使用

ComfyUI-FramePackWrapper终极指南：8GB显存玩转高质量AI视频生成

ChromaControl终极指南：如何实现多品牌RGB设备统一灯光控制