    DevOps
    Way of Working

    CI/CD & Build Automation

    Foundation Milestone
    Phase: build
    DF
    LT

    Automated builds, artifact management, SBOM generation, and CI pipeline templates for every team.

    Business Value

    Reduces manual build time from 2 hours to 10 minutes and enables 3-5x more frequent integration testing through automated pipeline execution.

    DORA Impact

    • Deployment Frequency
    • Lead Time

    Key Features

    • CI Pipeline Template
    • Artifact Versioning
    • SBOM Generation
    • Automated Security Scanning
    • Secrets Detection
    • Fast Feedback Loop

    Who

    platform
    engineer
    teams

    When

    Foundation (0-90 days)

    Capabilities in This Epic

    1. CI Pipeline Template

       >= 90% of repos use org-wide CI template with lint, test, build, scan stages.
       Target: >= 90% repos use CI template

    2. Artifact Versioning

       100% of builds produce semantically versioned artifacts (semver) pushed to artifact registry.
       Target: 100% builds produce versioned artifacts

    3. SBOM Generation

       >= 80% of builds generate Software Bill of Materials (SBOM) in SPDX or CycloneDX format.
       Target: >= 80% builds generate SBOM

    4. Automated Security Scanning

       100% of builds run SAST (code scan) and SCA (dependency scan) with >= HIGH severity blocking merge.
       Target: 100% builds scanned, HIGH+ blocks merge

    5. Secrets Detection

       >= 95% of commits scanned for leaked secrets (API keys, passwords) pre-commit and in CI.
       Target: >= 95% commits scanned for secrets

    6. Fast Feedback Loop

       >= 80% of CI pipeline runs complete in < 10 minutes from commit to pass/fail result.
       Target: >= 80% CI runs < 10 minutes

    Implementation Journey

    Prerequisites

    Complete these before starting:

    • Code foundations epic complete (Git workflow, PR reviews)
    • Build tool configured (Maven, npm, etc.)
    • Artifact repository available (Artifactory, npm registry, etc.)

    Typical Timeline

    3.5 weeks

    Effort Estimate

    140 hours
    ≈ 18 days

    Breakdown by role:

    • Platform: 80 hours
    • Engineering: 40 hours
    • Security: 20 hours

    Team Composition

    Cross-functional team including: platform, engineer, teams

    Applicable Environments

    regulated
    non-regulated

    Success Metrics

    Entry Criteria

    Prerequisites to start implementing this epic:

    • Code foundations epic complete (Git workflow, PR reviews)
    • Build tool configured (Maven, npm, etc.)
    • Artifact repository available (Artifactory, npm registry, etc.)

    Exit Criteria

    Criteria defined at the Foundation milestone level:

    • Deployment frequency: >= weekly (staging)
    • Lead time: <= 7 days (commit to staging)
    • Change failure rate: <= 20%
    • MTTR: <= 4h (staging)
    • Observability coverage: >= 80% services instrumented
    • CI success: >= 90%
    • Flaky tests: < 5%
    • SBOM coverage: >= 90% services
    • Secrets policy: Approved secrets manager only
    • PR cycle time: p50 <= 24h
    • Build success: main >= 95%, PR >= 90%
    • Ownership coverage: >= 90% services

    DORA Metrics Impact

    • Deployment Frequency (DF): 1/month to 1/week (4x)
    • Lead Time (LT): 30 days to 7 days (77%)

    Common Pitfalls

    • CI pipeline too slow (>30 min) causing developers to skip it
      Mitigation: Parallelize jobs. Cache dependencies. Run expensive tests (e2e) only on main branch. Target <10 min for PR builds.
    • Build fails intermittently due to flaky tests
      Mitigation: Quarantine flaky tests. Track flake rate per test. Set threshold (e.g., <5% flaky). Disable tests exceeding threshold.
    • Artifacts not versioned, causing "works on my machine" issues
      Mitigation: Use semantic versioning. Tag artifacts with Git SHA. Store build metadata (commit, timestamp, builder) with artifacts.
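
    The artifact-versioning mitigation above, as an added example that is not part of the original page: it validates the semantic version and the Git SHA, composes the artifact version, and builds the metadata record (commit, timestamp, builder) to store with the artifact. The function names, the `+sha.` label, the 12-character SHA prefix and the SHA-256 digest field are assumptions made for illustration.

```python
import hashlib
import re
from datetime import datetime, timezone

# SemVer 2.0.0 core "MAJOR.MINOR.PATCH" without leading zeros; pre-release
# tags are not handled here.
SEMVER_CORE = re.compile(r"(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)")
# Full Git object id: 40 hex chars (SHA-1) or 64 (SHA-256 repositories).
GIT_SHA = re.compile(r"[0-9a-f]{40}|[0-9a-f]{64}")


def artifact_version(base: str, commit_sha: str) -> str:
    """Return '<semver>+sha.<12 hex>' or raise ValueError on bad input."""
    # fullmatch (not match) so a trailing newline or suffix is rejected.
    if not SEMVER_CORE.fullmatch(base):
        raise ValueError(f"not a semantic version: {base!r}")
    if not GIT_SHA.fullmatch(commit_sha):
        raise ValueError("commit must be a full lowercase hex Git SHA")
    # SemVer build metadata follows '+' and is ignored for precedence,
    # so two builds of 1.4.2 from different commits rank as the same release.
    return f"{base}+sha.{commit_sha[:12]}"


def build_record(name, base, commit_sha, builder, artifact, built_at=None):
    """Metadata to store beside the artifact in the registry."""
    built_at = built_at or datetime.now(timezone.utc)
    return {
        "name": name,
        "version": artifact_version(base, commit_sha),
        "commit": commit_sha,
        "timestamp": built_at.astimezone(timezone.utc).isoformat(),
        "builder": builder,
        # Assumption beyond the page: a digest ties the record to the bytes.
        "sha256": hashlib.sha256(artifact).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed sample values, not from any real build.
    sha = "3f2a9c0d1e4b5a6978877665544332211000ffee"
    print(build_record("demo-service", "1.4.2", sha, "ci-runner-01",
                       b"demo artifact bytes"))
```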

    Next Steps

    After Completing This Epic

    Once you've met all exit criteria, consider these next steps:

    • Review metrics to validate DORA improvements
    • Document lessons learned and update team playbooks
    • Share success stories with other teams

    Continue To

    The natural next epic in the roadmap sequence:

    Testing Strategy & Quality Gates

    Alternative Paths

    Other epics that can be tackled in parallel:

    • Backlog Quality & Planning Enablement
    • Code Quality & Review Standards
    • Testing Strategy & Quality Gates
    • Release Management Foundations
    © 2019-2026 devopswow.com. Created by Burhan Öcüt