Automating AquaChain: Building a Robust CI/CD Pipeline with GitHub Actions


These articles are AI-generated summaries. Please check the original sources for full details.

I Stopped Deploying Manually - Here’s My CI/CD Pipeline with GitHub Actions

Karthik K Pradeep transitioned the AquaChain IoT platform from manual SSH-based deployments to an automated GitHub Actions workflow. The new system enforces quality checks and completes deployments in under five minutes to prevent production environment misconfigurations.

Why This Matters

Manual deployment processes often rely on local state and developer memory, creating a fragile environment in which avoidable errors, such as incorrect production environment settings, reach live users. Moving to a structured CI/CD pipeline replaces social conventions with automated safeguards: path-filtered deployments cut the GitHub-hosted runner minutes spent rebuilding unaffected components, and OIDC-based authentication eliminates the risks associated with long-lived security credentials.

Key Insights

  • npm ci Consistency: Using ‘npm ci’ instead of ‘npm install’ in the AquaChain pipeline ensures the runner uses the exact package-lock.json versions, preventing drift between local and CI environments.
  • OIDC for AWS: AquaChain utilizes OpenID Connect (OIDC) to assume IAM roles dynamically, replacing the security risk of long-lived AWS_ACCESS_KEY_ID secrets with short-lived tokens.
  • Path-Filtered Deployments: By using the ‘dorny/paths-filter’ action, the pipeline ensures Lambda functions and frontend assets only deploy when their specific sub-directories contain changes.
  • CI Caching Performance: Implementing warm caches for npm and pip reduced AquaChain’s build steps from 90 seconds to under 20 seconds, optimizing the use of GitHub Actions’ included allowance.
  • Branch Protection: Locking the main branch with required status checks ensures that failed linting or tests physically block merges rather than serving as optional feedback.

Working Examples

Automated quality checks for frontend PRs, including dependency caching and strict lockfile-based installation.

name: PR Checks
on:
  pull_request:
    branches: [main, develop]
  push:
    branches: [main]
jobs:
  frontend-checks:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: frontend
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "18"
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
      - name: Install dependencies
        run: npm ci
      - name: Build
        run: npm run build

AWS CDK implementation of OIDC for secure, credential-less GitHub Actions authentication.

from aws_cdk import Stack
from aws_cdk import aws_iam as iam
from constructs import Construct


class GitHubOidcStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Register GitHub's token issuer as an OIDC identity provider in the account.
        github_provider = iam.OpenIdConnectProvider(
            self,
            "GitHubOIDC",
            url="https://token.actions.githubusercontent.com",
            client_ids=["sts.amazonaws.com"],
        )

        # Role the workflow assumes via STS. Trust is restricted to tokens whose
        # audience is STS and whose subject is the main branch of one repository.
        deploy_role = iam.Role(
            self,
            "GitHubActionsDeployRole",
            role_name="github-actions-deploy",
            assumed_by=iam.WebIdentityPrincipal(
                github_provider.open_id_connect_provider_arn,
                conditions={
                    "StringEquals": {
                        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                    },
                    "StringLike": {
                        "token.actions.githubusercontent.com:sub": "repo:your-org/your-repo:ref:refs/heads/main"
                    },
                },
            ),
        )
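To see what the trust conditions above actually admit, here is an added Python example (not from the article or the AquaChain project) that evaluates the role's StringEquals/StringLike conditions against constructed GitHub OIDC subject claims. The wildcard matcher is a local re-implementation of IAM's StringLike semantics rather than an AWS library call, and the sample subjects and the loose comparison pattern are constructed for illustration.

```python
import re

# Trust conditions as declared on the CDK deploy role above (same claim keys).
TRUST_CONDITIONS = {
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
    "StringLike": {
        "token.actions.githubusercontent.com:sub": "repo:your-org/your-repo:ref:refs/heads/main"
    },
}
# Constructed looser variant for comparison: any subject from the repository.
LOOSE_CONDITIONS = {
    "StringEquals": TRUST_CONDITIONS["StringEquals"],
    "StringLike": {"token.actions.githubusercontent.com:sub": "repo:your-org/your-repo:*"},
}

def string_like(pattern: str, value: str) -> bool:
    """Local re-implementation of IAM StringLike: case-sensitive, '*' any run, '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def trust_allows(conditions: dict, claims: dict) -> bool:
    """True only if every condition matches; a missing claim fails closed."""
    for key, expected in conditions.get("StringEquals", {}).items():
        if claims.get(key) != expected:
            return False
    for key, pattern in conditions.get("StringLike", {}).items():
        if claims.get(key) is None or not string_like(pattern, claims[key]):
            return False
    return True

def github_claims(sub: str, aud: str = "sts.amazonaws.com") -> dict:
    """Claim map keyed the way STS exposes GitHub token claims to the trust policy."""
    prefix = "token.actions.githubusercontent.com:"
    return {prefix + "sub": sub, prefix + "aud": aud}

# Constructed subjects in the shapes GitHub issues for different workflow events.
SAMPLE_SUBJECTS = {
    "push_main": "repo:your-org/your-repo:ref:refs/heads/main",
    "push_feature": "repo:your-org/your-repo:ref:refs/heads/feature/x",
    "pull_request": "repo:your-org/your-repo:pull_request",
    "other_repo": "repo:someone-else/your-repo:ref:refs/heads/main",
}

def evaluate(conditions: dict) -> dict:
    """Map each sample event to whether the trust policy would let it assume the role."""
    return {name: trust_allows(conditions, github_claims(sub)) for name, sub in SAMPLE_SUBJECTS.items()}

if __name__ == "__main__":
    for label, conds in (("strict", TRUST_CONDITIONS), ("loose", LOOSE_CONDITIONS)):
        print(label, evaluate(conds))
```

With the strict pattern only a push to main can assume the role; the loose pattern also admits pull_request tokens, which is why the subject condition should name the branch.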

Practical Applications

  • Use Case: AquaChain uses path filters to prevent backend Python commits from triggering expensive Vercel frontend builds. Pitfall: Relying on github.event.commits[0].modified, which fails to detect changes in multi-commit pushes or squash merges.
  • Use Case: Environment-specific secrets management with protection rules to force manual approval before production deployments. Pitfall: Storing AWS_ACCESS_KEY_ID as a repository-wide secret, which creates a permanent security vulnerability if leaked.
  • Use Case: Setting --watchAll=false on Jest test suites within the pipeline. Pitfall: Forgetting this flag causes the CI job to hang indefinitely while Jest waits for interactive user input.
