{"id":"f3b2eef4-9cbb-4cb1-be7b-d440445b1cc9","shortId":"CNGxqA","kind":"skill","title":"devops-excellence","tagline":"DevOps and CI/CD expert. Use when setting up pipelines, containerizing applications, deploying to Kubernetes, or implementing release strategies. Covers GitHub Actions, Docker, K8s, Terraform, and GitOps.","description":"# DevOps Excellence\n\n## Core Principles\n\n- **Shift Left** — Address security and quality early in SDLC\n- **GitOps** — Git as single source of truth for infrastructure and deployments\n- **Infrastructure as Code** — All infrastructure versioned and reproducible\n- **Progressive Delivery** — Gradual rollouts with feature flags and canary releases\n- **Immutable Infrastructure** — Replace, don't modify running systems\n- **Observability-First** — Monitor metrics tied to deployments and features\n- **Policy as Code** — Enforce compliance and security automatically\n- **Platform Engineering** — Build golden paths and self-service portals\n\n---\n\n## Hard Rules (Must Follow)\n\n> These rules are mandatory. Violating them means the skill is not working correctly.\n\n### No Static Credentials\n\n**Never use long-lived static credentials. Always use OIDC or short-lived tokens.**\n\n```yaml\n# ❌ FORBIDDEN: Static AWS credentials\nenv:\n  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}\n  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}\n\n# ✅ REQUIRED: OIDC-based authentication\n- name: Configure AWS Credentials\n  uses: aws-actions/configure-aws-credentials@v4\n  with:\n    role-to-assume: arn:aws:iam::123456789012:role/GitHubActions\n    aws-region: us-east-1\n    # No long-lived secrets - uses GitHub OIDC provider\n```\n\n### No Root Containers\n\n**Containers must NEVER run as root. 
Always specify a non-root user.**\n\n```dockerfile\n# ❌ FORBIDDEN: Running as root (default)\nFROM node:20\nWORKDIR /app\nCMD [\"node\", \"server.js\"]\n\n# ❌ FORBIDDEN: Explicit root user\nUSER root\n\n# ✅ REQUIRED: Non-root user with UID > 1000\nFROM node:20-alpine\nRUN addgroup -g 1001 -S nodejs && \\\n    adduser -S nodejs -u 1001\nUSER nodejs\nWORKDIR /app\nCMD [\"node\", \"server.js\"]\n```\n\n### No Secrets in Images\n\n**Never bake secrets into Docker images. Use runtime injection or secrets managers.**\n\n```dockerfile\n# ❌ FORBIDDEN: Secrets in build args or ENV\nARG DATABASE_PASSWORD\nENV API_KEY=sk-xxx\n\n# ❌ FORBIDDEN: Copying secret files\nCOPY .env /app/.env\nCOPY credentials.json /app/\n\n# ✅ REQUIRED: Mount secrets at runtime\n# docker run -v /secrets:/app/secrets:ro myapp\n# Or use Kubernetes secrets/configmaps\n```\n\n### Protected Production Deployments\n\n**Production deployments must require approval and be restricted to main branch.**\n\n```yaml\n# ❌ FORBIDDEN: Direct production deploy without protection\ndeploy:\n  runs-on: ubuntu-latest\n  steps:\n    - run: deploy-to-prod.sh\n\n# ✅ REQUIRED: Environment protection\ndeploy:\n  runs-on: ubuntu-latest\n  environment:\n    name: production\n    url: https://myapp.com\n  # Requires: approval + main branch only\n```\n\n---\n\n## Quick Reference\n\n### When to Use What\n\n| Scenario | Tool/Pattern | Reason |\n|----------|--------------|--------|\n| Public GitHub project | GitHub Actions | Native integration, free for public repos |\n| Enterprise GitLab | GitLab CI | Unified platform, advanced security scanning |\n| Multi-cloud IaC | Terraform | Mature ecosystem, wide provider support |\n| Developer-centric IaC | Pulumi | Real programming languages, better testing |\n| Kubernetes deployments | ArgoCD + Kustomize | GitOps standard, declarative config |\n| Zero-downtime releases | Blue-Green or Canary | Instant rollback capability |\n| Gradual feature rollout | Feature flags (LaunchDarkly) | 
Progressive delivery with targeting |\n\n### Deployment Strategy Selection\n\n| Strategy | Downtime | Cost | Rollback Speed | Complexity | Best For |\n|----------|----------|------|----------------|------------|----------|\n| **Rolling** | Minimal | Low | Medium | Low | Regular updates, cost-conscious |\n| **Blue-Green** | Zero | High (2x) | Instant | Medium | Critical systems, easy rollback |\n| **Canary** | Zero | Medium | Fast | High | Risk mitigation, data-driven |\n| **Recreate** | High | Low | N/A | Very Low | Non-critical, dev/test only |\n\n---\n\n## CI/CD Pipeline Best Practices\n\n### Pipeline Security\n\n```yaml\n# Short-lived credentials (not static keys)\n- name: Configure AWS Credentials\n  uses: aws-actions/configure-aws-credentials@v4\n  with:\n    role-to-assume: arn:aws:iam::123456789012:role/GitHubActions\n    aws-region: us-east-1\n    # OIDC provider - no long-lived secrets!\n\n# Protected environments for production\nenvironment:\n  name: production\n  # Requires approval + restricts to main branch\n```\n\n### Speed Optimization\n\n- **10-minute build rule** — Most projects should build in <10 minutes\n- **Parallel jobs** — Run tests, linting, security scans concurrently\n- **Cache dependencies** — Cache node_modules, .m2, pip packages\n- **Conditional execution** — Skip jobs when files haven't changed\n\n```yaml\n# Example: conditional job execution\njobs:\n  backend-tests:\n    if: contains(github.event.head_commit.modified, 'backend/')\n    runs-on: ubuntu-latest\n```\n\n### Testing Pyramid\n\n```\n              /\\\n             /E2E\\        <- Few (slow, expensive)\n            /------\\\n           /Integration\\ <- Some (medium speed)\n          /------------\\\n         /  Unit Tests  \\ <- Many (fast, cheap)\n        /----------------\\\n```\n\n- 70% Unit tests (fast, isolated)\n- 20% Integration tests (service interactions)\n- 10% E2E tests (full user workflows)\n\n### Security Scanning Integration\n\n```yaml\n# Multi-layer security 
scanning\njobs:\n  security:\n    runs-on: ubuntu-latest\n    steps:\n      # SAST - Static code analysis\n      - uses: github/codeql-action/init@v3\n\n      # SCA - Dependency vulnerabilities\n      - name: Run Trivy\n        uses: aquasecurity/trivy-action@master\n        with:\n          scan-type: 'fs'\n          format: 'sarif'\n\n      # Secret scanning\n      - name: Gitleaks\n        uses: gitleaks/gitleaks-action@v2\n\n      # Container scanning\n      - name: Scan Docker image\n        run: trivy image myapp:${{ github.sha }}\n```\n\n---\n\n## Docker Best Practices\n\n### Multi-Stage Builds\n\n```dockerfile\n# Build stage - includes build tools (900MB+)\nFROM node:20-alpine AS builder\nWORKDIR /app\nCOPY package*.json ./\nRUN npm ci --only=production\n\n# Runtime stage - minimal image (<100MB)\nFROM node:20-alpine AS runtime\nRUN addgroup -g 1001 -S nodejs && \\\n    adduser -S nodejs -u 1001\nWORKDIR /app\nCOPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules\nCOPY --chown=nodejs:nodejs . 
.\nUSER nodejs\nEXPOSE 3000\nCMD [\"node\", \"server.js\"]\n```\n\n### Security Hardening\n\n- **Non-root user** — ALWAYS run as non-root (UID 1001)\n- **Minimal base images** — Use `alpine`, `distroless`, or `scratch`\n- **Read-only filesystem** — `docker run --read-only`\n- **No secrets in layers** — Use build secrets or external vaults\n- **Resource limits** — Set CPU/memory limits to prevent DoS\n- **Signed images** — Enable Docker Content Trust\n\n```dockerfile\n# Security best practices example\nFROM gcr.io/distroless/nodejs20-debian12\nCOPY --chown=65532:65532 /app /app\nUSER 65532\nEXPOSE 8080\n```\n\n### .dockerignore\n\n```\n# Version control\n.git\n.gitignore\n\n# Dependencies (install fresh in container)\nnode_modules\nvendor/\n*.pyc\n__pycache__\n\n# Secrets and configs\n.env\n.env.local\nsecrets/\n*.key\n*.pem\n\n# Development files\nREADME.md\nDockerfile\ndocker-compose.yml\n.vscode/\n.idea/\n\n# Testing and CI\ntests/\n*.test.js\n.github/\n```\n\n---\n\n## Kubernetes Deployment Patterns\n\n### Resource Management (Right-Sizing)\n\n```yaml\n# 99.94% of clusters are over-provisioned!\n# Average CPU usage: 10%, Memory: 23%\nresources:\n  requests:\n    memory: \"128Mi\"  # Guaranteed allocation\n    cpu: \"100m\"      # 0.1 CPU cores\n  limits:\n    memory: \"256Mi\"  # Maximum allowed\n    cpu: \"200m\"      # Hard cap\n\n# Use tools: Kubecost, Goldilocks, VPA\n```\n\n### Health Checks\n\n```yaml\n# Liveness: Is container alive?\nlivenessProbe:\n  httpGet:\n    path: /health\n    port: 8080\n  initialDelaySeconds: 30\n  periodSeconds: 10\n  timeoutSeconds: 5\n  failureThreshold: 3\n\n# Readiness: Can it receive traffic?\nreadinessProbe:\n  httpGet:\n    path: /ready\n    port: 8080\n  initialDelaySeconds: 5\n  periodSeconds: 5\n  successThreshold: 1\n\n# Startup: Has initialization completed?\nstartupProbe:\n  httpGet:\n    path: /startup\n    port: 8080\n  failureThreshold: 30  # 30*10s = 5min for slow starts\n  periodSeconds: 10\n```\n\n### 
ConfigMaps and Secrets\n\n```yaml\n# Group related resources in single manifest\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: app-config\ndata:\n  APP_ENV: production\n  LOG_LEVEL: info\n---\napiVersion: v1\nkind: Secret\nmetadata:\n  name: app-secrets\ntype: Opaque\nstringData:\n  DATABASE_URL: postgresql://user:pass@db:5432/mydb\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: myapp\nspec:\n  template:\n    spec:\n      containers:\n      - name: app\n        envFrom:\n        - configMapRef:\n            name: app-config\n        - secretRef:\n            name: app-secrets\n```\n\n### Security Best Practices\n\n```yaml\n# Pod Security Standards\n# Pod-level settings (spec.securityContext)\nsecurityContext:\n  runAsNonRoot: true\n  runAsUser: 1000\n  fsGroup: 1000\n  seccompProfile:\n    type: RuntimeDefault\n\n# Container-level settings (spec.containers[].securityContext);\n# capabilities are only valid on the container, not the pod\nsecurityContext:\n  capabilities:\n    drop:\n    - ALL\n\n# Network Policies (deny-by-default)\napiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n  name: deny-all-ingress\nspec:\n  podSelector: {}\n  policyTypes:\n  - Ingress\n```\n\n---\n\n## Infrastructure as Code (Terraform/Pulumi)\n\n### Directory Structure\n\n```\nterraform/\n├── environments/\n│   ├── dev/\n│   │   ├── main.tf\n│   │   └── terraform.tfvars\n│   ├── staging/\n│   └── prod/\n├── modules/\n│   ├── vpc/\n│   ├── eks/\n│   └── rds/\n├── backend.tf        # Remote state config\n└── versions.tf       # Provider versions\n```\n\n### Best Practices\n\n#### 1. Remote State with Locking\n\n```hcl\n# backend.tf\nterraform {\n  backend \"s3\" {\n    bucket         = \"mycompany-terraform-state\"\n    key            = \"prod/vpc/terraform.tfstate\"\n    region         = \"us-east-1\"\n    encrypt        = true\n    dynamodb_table = \"terraform-locks\"  # Prevents concurrent runs\n  }\n}\n```\n\n#### 2. 
Modularization\n\n```hcl\n# modules/vpc/main.tf\nvariable \"cidr_block\" {\n  type        = string\n  description = \"VPC CIDR block\"\n}\n\n# Declared so the module accepts the environment argument passed below\nvariable \"environment\" {\n  type        = string\n  description = \"Environment name used in resource tags\"\n}\n\nresource \"aws_vpc\" \"main\" {\n  cidr_block           = var.cidr_block\n  enable_dns_hostnames = true\n  tags = {\n    Name = \"${var.environment}-vpc\"\n  }\n}\n\n# environments/prod/main.tf\nmodule \"vpc\" {\n  source      = \"../../modules/vpc\"\n  cidr_block  = \"10.0.0.0/16\"\n  environment = \"prod\"\n}\n```\n\n#### 3. Policy as Code\n\n```hcl\n# Illustrative pseudocode: express this rule in Sentinel (Terraform Cloud) or OPA\npolicy \"enforce-tags\" {\n  enforcement_level = \"hard-mandatory\"\n\n  # Require tags on all resources\n  rule {\n    condition = all resource.tags contains \"Owner\"\n    error_message = \"All resources must have Owner tag\"\n  }\n}\n```\n\n#### 4. Automated Testing\n\n```go\n// Terratest example\npackage test\n\nimport (\n  \"testing\"\n\n  \"github.com/gruntwork-io/terratest/modules/terraform\"\n  \"github.com/stretchr/testify/assert\"\n)\n\nfunc TestVPCCreation(t *testing.T) {\n  terraformOptions := &terraform.Options{\n    TerraformDir: \"../environments/dev\",\n  }\n\n  // Tear down the test infrastructure even if an assertion fails\n  defer terraform.Destroy(t, terraformOptions)\n  terraform.InitAndApply(t, terraformOptions)\n\n  vpcId := terraform.Output(t, terraformOptions, \"vpc_id\")\n  assert.NotEmpty(t, vpcId)\n}\n```\n\n### Pulumi Advantages\n\n```typescript\n// Pulumi - real programming language benefits\nimport * as aws from \"@pulumi/aws\";\n\nconst environments = [\"dev\", \"staging\", \"prod\"];\n\n// Use loops, conditionals, functions\nenvironments.forEach(env => {\n  new aws.ec2.Vpc(`${env}-vpc`, {\n    cidrBlock: env === \"prod\" ? 
\"10.0.0.0/16\" : \"10.1.0.0/16\",\n    tags: { Environment: env },\n  });\n});\n\n// Built-in testing framework\nimport * as pulumi from \"@pulumi/pulumi\";\npulumi.runtime.setMocks(...);\n```\n\n---\n\n## Release Strategies\n\n### Blue-Green Deployment\n\n```yaml\n# Two identical environments\n# Switch traffic instantly via load balancer\n\n# Step 1: Deploy to Green (idle)\n# Step 2: Test Green environment\n# Step 3: Switch LB from Blue to Green\n# Step 4: Keep Blue as rollback option\n\n# Kubernetes example\napiVersion: v1\nkind: Service\nmetadata:\n  name: myapp\nspec:\n  selector:\n    app: myapp\n    version: blue  # Change to 'green' to switch\n  ports:\n  - port: 80\n```\n\n**When to use:**\n- Critical systems requiring instant rollback\n- Compliance requirements for zero downtime\n- Budget allows 2x infrastructure\n\n### Canary Deployment\n\n```yaml\n# Gradual rollout: 5% → 25% → 50% → 100%\n# Monitor metrics at each stage\n\n# Argo Rollouts example\napiVersion: argoproj.io/v1alpha1\nkind: Rollout\nmetadata:\n  name: myapp\nspec:\n  replicas: 10\n  strategy:\n    canary:\n      steps:\n      - setWeight: 10      # 1 pod (10%)\n      - pause: {duration: 5m}\n      - setWeight: 50      # 5 pods\n      - pause: {duration: 10m}\n      - setWeight: 100     # All pods\n  template:\n    spec:\n      containers:\n      - name: myapp\n        image: myapp:v2.0\n```\n\n**When to use:**\n- High-risk deployments (major refactors)\n- User-facing features needing validation\n- Data-driven rollout decisions\n\n### Rolling Update\n\n```yaml\n# Default Kubernetes strategy\n# Gradually replace old pods with new\n\napiVersion: apps/v1\nkind: Deployment\nspec:\n  replicas: 10\n  strategy:\n    type: RollingUpdate\n    rollingUpdate:\n      maxUnavailable: 1  # Never < 9 pods available\n      maxSurge: 2        # Never > 12 pods total\n```\n\n**When to use:**\n- Regular incremental updates\n- Cost-conscious deployments\n- Low-risk changes\n\n---\n\n## Feature Flags and 
Progressive Delivery\n\n### Best Practices\n\n#### 1. Flag Lifecycle Management\n\n```typescript\n// Avoid \"flag debt\" - remove after rollout\nconst featureFlags = {\n  // Short-lived (remove after 100% rollout)\n  \"new-checkout-v4\": {\n    enabled: true,\n    rollout: 100,\n    created: \"2025-01-15\",\n    removeBy: \"2025-02-15\"\n  },\n\n  // Long-lived (kill switch)\n  \"payment-processing\": {\n    enabled: true,\n    permanent: true,  // Document why\n    reason: \"Emergency shutoff for payment issues\"\n  }\n};\n```\n\n#### 2. Progressive Rollout\n\n```typescript\n// LaunchDarkly example\nconst showNewFeature = ldClient.variation(\n  \"new-dashboard-ui\",\n  user,\n  false  // Default fallback\n);\n\n// Configuration\n{\n  \"targeting\": {\n    \"rules\": [\n      {\n        \"variation\": \"on\",\n        \"clauses\": [\n          {\n            \"attribute\": \"email\",\n            \"op\": \"endsWith\",\n            \"values\": [\"@mycompany.com\"]\n          }\n        ]\n      }\n    ],\n    \"rollout\": {\n      \"percentage\": 10  // 10% of remaining users\n    }\n  }\n}\n```\n\n#### 3. Segment Meaningfully\n\n- Geographic: Region-specific rollouts\n- Behavioral: Power users first, then general\n- Technical: Browser/device-based targeting\n- Business: Premium tier vs free tier\n\n#### 4. Observability Integration\n\n```typescript\n// Tie metrics to feature flags\nmetrics.increment('checkout.completed', {\n  feature_flag: 'new-checkout-v4',\n  enabled: showNewCheckout\n});\n\n// Automatic rollback on error spike\nif (errorRate > threshold) {\n  ldClient.updateFeatureFlag('new-checkout-v4', { enabled: false });\n  alerts.critical('Auto-rollback triggered for new-checkout-v4');\n}\n```\n\n---\n\n## GitOps Practices\n\n### Core Principles\n\n1. **Declarative** — Entire system state in Git\n2. **Versioned** — Git history = audit trail\n3. **Immutable** — Git commits are immutable\n4. **Automatic** — Agents auto-sync cluster to Git state\n5. 
**Continuous** — Reconciliation loop detects drift\n\n### ArgoCD Workflow\n\n```yaml\n# Application definition\napiVersion: argoproj.io/v1alpha1\nkind: Application\nmetadata:\n  name: myapp\n  namespace: argocd\nspec:\n  project: default\n  source:\n    repoURL: https://github.com/myorg/k8s-manifests\n    targetRevision: main\n    path: apps/myapp\n  destination:\n    server: https://kubernetes.default.svc\n    namespace: production\n  syncPolicy:\n    automated:\n      prune: true      # Delete resources not in Git\n      selfHeal: true   # Auto-sync on drift detection\n    syncOptions:\n    - CreateNamespace=true\n```\n\n### Repository Structure\n\n```\nk8s-manifests/\n├── apps/\n│   ├── myapp/\n│   │   ├── base/\n│   │   │   ├── deployment.yaml\n│   │   │   ├── service.yaml\n│   │   │   └── kustomization.yaml\n│   │   └── overlays/\n│   │       ├── dev/\n│   │       ├── staging/\n│   │       └── prod/\n│   │           ├── kustomization.yaml\n│   │           └── replicas-patch.yaml\n├── infrastructure/\n│   ├── ingress-nginx/\n│   └── cert-manager/\n└── argocd/\n    ├── projects.yaml\n    └── applications.yaml\n```\n\n### Policy Enforcement\n\n```yaml\n# OPA Gatekeeper - require owner and environment labels on Deployments\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sRequiredLabels\nmetadata:\n  name: require-owner-label\nspec:\n  match:\n    kinds:\n    - apiGroups: [\"apps\"]\n      kinds: [\"Deployment\"]\n  parameters:\n    labels: [\"owner\", \"environment\"]\n```\n\n---\n\n## Platform Engineering\n\n### Internal Developer Portal (Backstage)\n\n```yaml\n# Software catalog\napiVersion: backstage.io/v1alpha1\nkind: Component\nmetadata:\n  name: order-service\n  description: Order processing microservice\n  tags:\n    - java\n    - spring-boot\n  annotations:\n    github.com/project-slug: myorg/order-service\n    pagerduty.com/integration-key: xyz\nspec:\n  type: service\n  lifecycle: production\n  owner: team-orders\n  system: ecommerce-platform\n```\n\n### Golden Paths 
(Templates)\n\n```yaml\n# Self-service project scaffolding\napiVersion: scaffolder.backstage.io/v1beta3\nkind: Template\nmetadata:\n  name: nodejs-service\n  title: Node.js Microservice\nspec:\n  steps:\n  - id: fetch-template\n    action: fetch:template\n    input:\n      url: ./skeleton\n  - id: create-repo\n    action: github:repo:create\n  - id: setup-pipeline\n    action: github:actions:create\n  - id: provision-k8s\n    action: argocd:create-app\n```\n\n### Benefits\n\n- **Setup time** — Days to minutes (40% reduction in tickets)\n- **Consistency** — Standardized patterns across teams\n- **Security** — Policies enforced at platform level\n- **Autonomy** — Self-service without DevOps bottleneck\n\n---\n\n## Security Scanning (SAST/DAST/SCA)\n\n### Testing Types\n\n| Type | What | When | Tools |\n|------|------|------|-------|\n| **SAST** | Static code analysis | Build time | SonarQube, CodeQL, Semgrep |\n| **DAST** | Runtime testing | After deployment | OWASP ZAP, Burp Suite |\n| **SCA** | Dependency vulnerabilities | Build + runtime | Trivy, Snyk, Dependabot |\n| **Secret Scanning** | Detect leaked credentials | Pre-commit + CI | Gitleaks, TruffleHog |\n| **Container Scanning** | Image vulnerabilities | Build + registry | Trivy, Clair, Grype |\n\n### Complete Pipeline Integration\n\n```yaml\n# GitHub Actions security workflow\nname: Security Scan\non: [push, pull_request]\n\njobs:\n  sast:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n    - uses: github/codeql-action/init@v3\n      with:\n        languages: javascript, python\n    - uses: github/codeql-action/analyze@v3\n\n  sca:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n    - name: Run Trivy SCA\n      uses: aquasecurity/trivy-action@master\n      with:\n        scan-type: 'fs'\n        severity: 'CRITICAL,HIGH'\n\n  secrets:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v4\n      with:\n        fetch-depth: 0  # Full 
history\n    - uses: gitleaks/gitleaks-action@v2\n\n  container:\n    runs-on: ubuntu-latest\n    steps:\n    # Check out the repository so the Dockerfile and build context exist\n    - uses: actions/checkout@v4\n    - name: Build image\n      run: docker build -t myapp:${{ github.sha }} .\n    - name: Scan image\n      uses: aquasecurity/trivy-action@master\n      with:\n        image-ref: myapp:${{ github.sha }}\n        severity: 'CRITICAL,HIGH'\n        exit-code: 1  # Fail on vulnerabilities\n```\n\n### Runtime Security (Falco)\n\n```yaml\n# Detect suspicious container activity\n- rule: Shell in Container\n  desc: Unexpected shell execution in container\n  condition: >\n    spawned_process and\n    container and\n    proc.name in (bash, sh, zsh)\n  output: >\n    Shell spawned in container\n    (user=%user.name container=%container.name\n    command=%proc.cmdline)\n  priority: WARNING\n```\n\n---\n\n## Metrics and Observability\n\n### DORA Metrics (2025 Benchmarks)\n\n| Metric | Elite | High | Medium | Low |\n|--------|-------|------|--------|-----|\n| **Deployment Frequency** | Multiple/day | Weekly | Monthly | Less than monthly |\n| **Lead Time for Changes** | < 1 hour | < 1 day | 1 week | > 6 months |\n| **Mean Time to Recovery** | < 1 hour | < 1 day | < 1 week | > 6 months |\n| **Change Failure Rate** | 0-15% | 16-30% | 31-45% | > 45% |\n\n### Key Metrics to Track\n\n```yaml\n# Deployment metrics\ndeployment.frequency: counter\ndeployment.duration: histogram\ndeployment.rollback: counter\n\n# Pipeline metrics\npipeline.success_rate: gauge\npipeline.duration: histogram\npipeline.queue_time: histogram\n\n# Feature flag metrics\nfeature_flag.evaluation: counter\nfeature_flag.enabled_users: gauge\nfeature_flag.error_rate: gauge (by flag)\n\n# Resource metrics\npod.cpu_usage: gauge\npod.memory_usage: gauge\npod.restart_count: counter\n```\n\n---\n\n## Checklist\n\n```markdown\n## CI/CD Pipeline\n- [ ] Short-lived credentials (OIDC, not static keys)\n- [ ] Protected branches for production\n- [ ] Parallel jobs for speed\n- [ ] Dependency caching configured\n- [ ] 
Build completes in < 10 minutes\n- [ ] Security scanning (SAST, SCA, secrets)\n\n## Containers\n- [ ] Multi-stage Dockerfile\n- [ ] Non-root user (UID > 1000)\n- [ ] Minimal base image (alpine/distroless)\n- [ ] .dockerignore configured\n- [ ] Image scanning in CI\n- [ ] Resource limits defined\n\n## Kubernetes\n- [ ] Resource requests/limits set\n- [ ] Liveness and readiness probes\n- [ ] Security context (runAsNonRoot)\n- [ ] Network policies defined\n- [ ] ConfigMaps/Secrets for config\n- [ ] Deployment strategy chosen\n- [ ] Image pull policy configured\n\n## Infrastructure as Code\n- [ ] Remote state with locking\n- [ ] Modular architecture\n- [ ] Policy as Code enforcement\n- [ ] Automated tests (Terratest/Pulumi tests)\n- [ ] Version pinning for providers\n- [ ] Environment parity\n\n## Deployments\n- [ ] Deployment strategy selected\n- [ ] Rollback plan documented\n- [ ] Feature flags for large changes\n- [ ] Gradual rollout configured\n- [ ] Metrics tied to deployments\n- [ ] Automated rollback on errors\n\n## Security\n- [ ] SAST in pipeline\n- [ ] SCA for dependencies\n- [ ] Secret scanning enabled\n- [ ] Container vulnerability scanning\n- [ ] Runtime security monitoring\n- [ ] Supply chain security (signed images)\n\n## Observability\n- [ ] Deployment frequency tracked\n- [ ] Lead time measured\n- [ ] MTTR tracked\n- [ ] Change failure rate monitored\n- [ ] Feature flag metrics\n- [ ] Resource utilization dashboards\n```\n\n---\n\n## See Also\n\n- [reference/cicd.md](reference/cicd.md) — CI/CD pipeline patterns and examples\n- [reference/containers.md](reference/containers.md) — Docker and Kubernetes deep dive\n- [reference/release-strategies.md](reference/release-strategies.md) — Deployment patterns comparison\n- [templates/github-actions.yaml](templates/github-actions.yaml) — Production-ready workflow\n- [templates/Dockerfile](templates/Dockerfile) — Secure multi-stage 
Dockerfile","tags":["devops","excellence","claude","arsenal","majiayu000","agent-skills","ai-agents","ai-coding-assistant","automation","claude-code","code-review","developer-tools"],"capabilities":["skill","source-majiayu000","skill-devops-excellence","topic-agent-skills","topic-ai-agents","topic-ai-coding-assistant","topic-automation","topic-claude","topic-claude-code","topic-code-review","topic-developer-tools","topic-devops","topic-productivity","topic-prompt-engineering","topic-python"],"categories":["claude-arsenal"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/majiayu000/claude-arsenal/devops-excellence","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add majiayu000/claude-arsenal","source_repo":"https://github.com/majiayu000/claude-arsenal","install_from":"skills.sh"}},"qualityScore":"0.464","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 29 github stars · SKILL.md body (22,471 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-01T07:01:13.472Z","embedding":null,"createdAt":"2026-04-18T22:24:07.930Z","updatedAt":"2026-05-01T07:01:13.472Z","lastSeenAt":"2026-05-01T07:01:13.472Z"}
'paus':1456,1463 'payment':1596,1608 'payment-process':1595 'pem':892 'percentag':1640 'periodsecond':968,987,1009 'perman':1600 'pin':2423 'pip':603 'pipelin':12,516,519,1961,2059,2290,2327,2454,2496 'pipeline.duration':2295 'pipeline.queue':2297 'pipeline.success':2292 'plan':2433 'platform':98,407,1864,1914,1994 'pod':1083,1454,1462,1469,1507,1525,1531 'pod.cpu':2315 'pod.memory':2318 'pod.restart':2321 'podselector':1118 'polici':90,1100,1220,1230,1832,1991,2393,2403,2414 'policytyp':1119 'port':964,983,999,1399,1400 'portal':107,1868 'power':1655 'practic':518,725,854,1081,1146,1553,1714 'pre':2044 'pre-commit':2043 'premium':1664 'prevent':843,1176 'principl':33,1716 'prioriti':2221 'probe':2388 'proc.cmdline':2220 'proc.name':2205 'process':1597,1886,2201 'prod':1133,1218,1305,1318,1819 'prod/vpc/terraform.tfstate':1163 'product':332,334,348,374,566,569,752,1033,1784,1906,2339,2515 'production-readi':2514 'program':427,1293 'progress':62,457,1550,1611 'project':393,583,1769,1922 'projects.yaml':1830 'protect':331,351,364,563,2336 'provid':205,419,557,1143,2425 'provis':921,1968 'provision-k8s':1967 'prune':1787 'public':391,400 'pull':2071,2402 'pulumi':425,1288,1291,1333 'pulumi.runtime.setmocks':1336 'pulumi/aws':1300 'pulumi/pulumi':1335 'push':2070 'pyc':883 'pycach':884 'pyramid':634 'python':2091 'qualiti':39 'quick':382 'rate':2269,2293,2309,2483 'rds':1137 'read':819,825 'read-on':818,824 'readi':974,2387,2516 'readinessprob':979 'readme.md':895 'real':426,1292 'reason':390,1604 'receiv':977 'reconcili':1748 'recoveri':2258 'recreat':504 'reduct':1982 'ref':2168 'refactor':1486 'refer':383 'reference/cicd.md':2493,2494 'reference/containers.md':2500,2501 'reference/release-strategies.md':2507,2508 'region':192,551,1164,1651 'region-specif':1650 'registri':2054 'regular':477,1536 'relat':1016 'releas':20,71,442,1337 'remain':1644 'remot':1139,1148,2408 'remov':1562,1570 'removebi':1586 'replac':74,1505 'replica':1446,1515 'replicas-patch.yaml':1821 
'repo':401,1953,1956 'repositori':1805 'repourl':1772 'reproduc':61 'request':929,2072 'requests/limits':2383 'requir':165,242,315,337,362,377,570,1239,1407,1411,1850 'require-owner-label':1849 'resourc':837,909,928,1017,1192,1243,1253,1790,2313,2378,2382,2488 'resource.tags':1247 'restrict':341,572 'right':912 'right-siz':911 'risk':499,1483,1545 'ro':325 'role':182,541 'role-to-assum':181,540 'role/githubactions':189,548 'roll':472,1498 'rollback':449,467,493,1377,1409,1689,1706,2432,2448 'rollingupd':1519,1520 'rollout':65,453,1423,1434,1441,1496,1564,1573,1580,1612,1639,1653,2441 'root':207,214,220,226,238,241,245,800,807,2364 'rule':109,113,581,1244,1629,2189 'run':78,212,224,254,321,354,360,367,591,628,676,693,718,748,764,803,823,1178,2076,2097,2107,2123,2144,2153 'runasnonroot':1087,2391 'runasus':1089 'runs-on':353,366,627,675,2075,2096,2122,2143 'runtim':283,319,753,763,2022,2034,2181,2464 'runtimedefault':1095 's3':1156 'sarif':704 'sast':682,2012,2074,2354,2452 'sast/dast/sca':2005 'sca':689,2030,2095,2109,2355,2455 'scaffold':1923 'scaffolder.backstage.io':1926 'scaffolder.backstage.io/v1beta3':1925 'scan':410,595,665,672,700,706,713,715,2004,2039,2050,2068,2115,2160,2353,2375,2459,2463 'scan-typ':699,2114 'scenario':388 'scratch':817 'sdlc':42 'seccompprofil':1093 'secret':158,162,201,273,278,286,290,307,317,562,705,828,833,885,890,1013,1040,1045,1078,2038,2121,2356,2458 'secretref':1074 'secrets.aws':153,161 'secrets/configmaps':330 'secur':37,96,409,520,594,664,671,674,796,852,1079,1084,1990,2003,2064,2067,2182,2352,2389,2451,2465,2469,2520 'securitycontext':1086 'see':2491 'segment':1647 'select':463,2431 'selector':1389 'self':105,1920,1998 'self-servic':104,1919,1997 'selfheal':1794 'semgrep':2020 'sentinel':1225 'server':1781 'server.js':235,271,795 'servic':106,656,1384,1883,1904,1921,1934,1999 'service.yaml':1814 'set':10,839,2384 'setup':1960,1976 'setup-pipelin':1959 'setweight':1451,1459,1466 'sever':2118,2171 'sh':2208 
'shell':2190,2195,2211 'shift':34 'short':140,523,1568,2329 'short-liv':139,522,1567,2328 'shownewcheckout':1687 'shownewfeatur':1617 'shutoff':1606 'sign':845,2470 'singl':46,1019 'size':913 'sk':303 'sk-xxx':302 'skill':120 'skill-devops-excellence' 'skip':607 'slow':637,1007 'snyk':2036 'softwar':1871 'sonarqub':2018 'sourc':47,1211,1771 'source-majiayu000' 'spawn':2200,2212 'spec':1062,1064,1117,1388,1445,1471,1514,1768,1853,1902,1938 'specif':1652 'specifi':216 'speed':468,576,642,2343 'spike':1692 'spring':1891 'spring-boot':1890 'stage':728,732,754,1132,1304,1432,1818,2360,2523 'standard':436,1085,1986 'start':1008 'startup':991 'startupprob':995 'state':1140,1149,1161,1721,1745,2409 'static':126,133,145,527,683,2013,2334 'step':359,681,1353,1359,1364,1372,1450,1939,2081,2102,2128,2149 'strategi':21,462,464,1338,1448,1503,1517,2399,2430 'string':1187 'stringdata':1048 'structur':1126,1806 'successthreshold':989 'suit':2029 'suppli':2467 'support':420 'suspici':2186 'switch':1347,1366,1398,1594 'sync':1741,1798 'syncopt':1802 'syncpolici':1785 'system':79,491,1406,1720,1911 'tabl':1172 'tag':1204,1233,1240,1257,1323,1840,1888 'target':460,1628,1662 'targetrevis':1776 'team':1909,1989 'team-ord':1908 'technic':1660 'templat':1063,1470,1917,1929,1943,1946 'templates/dockerfile':2518,2519 'templates/github-actions.yaml':2512,2513 'terraform':27,415,1127,1154,1160,1174,1226 'terraform-lock':1173 'terraform.destroy':1273 'terraform.initandapply':1276 'terraform.options':1269 'terraform.output':1280 'terraform.tfvars':1131 'terraform/pulumi':1124 'terraformdir':1270 'terraformopt':1268,1275,1278,1282 'terratest':1262 'terratest/pulumi':2420 'test':430,592,622,633,644,650,655,660,900,903,1260,1329,1361,2006,2023,2419,2421 'test.js':904 'testing.t':1267 'testvpccreat':1265 'threshold':1695 'ticket':1984 'tie':85,1673,2444 'tier':1665,1668 'time':1977,2017,2244,2256,2298,2477 'timeoutsecond':970 'titl':1935 'token':142 'tool':735,949,2011 'tool/pattern':389 
'topic-agent-skills' 'topic-ai-agents' 'topic-ai-coding-assistant' 'topic-automation' 'topic-claude' 'topic-claude-code' 'topic-code-review' 'topic-developer-tools' 'topic-devops' 'topic-productivity' 'topic-prompt-engineering' 'topic-python' 'total':1532 'track':2280,2475,2480 'traffic':978,1348 'trail':1729 'trigger':1707 'trivi':694,719,2035,2055,2108 'true':1088,1170,1203,1579,1599,1601,1788,1795,1804 'trufflehog':2048 'trust':850 'truth':49 'two':1344 'type':701,1046,1094,1186,1518,1903,2007,2008,2116 'typescript':1290,1558,1613,1672 'u':263,773 'ubuntu':357,370,631,679,2079,2100,2126,2147 'ubuntu-latest':356,369,630,678,2078,2099,2125,2146 'ui':1622 'uid':248,808,2366 'unexpect':2194 'unifi':406 'unit':643,649 'updat':478,1499,1538 'url':375,1050,1948 'us':194,553,1166 'us-east':193,552,1165 'usag':924,2316,2319 'use':8,129,136,174,202,282,328,386,533,686,695,709,813,831,948,1224,1306,1404,1480,1535,2082,2085,2092,2103,2110,2129,2139,2162 'user':221,239,240,246,265,662,789,801,866,1051,1488,1623,1645,1656,2215,2306,2365 'user-fac':1487 'user.name':2216 'util':2489 'v':322 'v1':1022,1038,1382 'v2':711,2141 'v2.0':1477 'v3':688,2087,2094 'v4':179,538,1577,1685,1700,1712,2084,2105,2131 'valid':1492 'valu':1637 'var.cidr':1198 'var.environment':1206 'variabl':1183 'variat':1630 'vault':836 'vendor':882 'version':59,871,1144,1392,1725,2422 'versions.tf':1142 'via':1350 'violat':116 'vpa':952 'vpc':1135,1189,1194,1207,1210,1283,1315 'vpcid':1279,1287 'vs':1666 'vscode':898 'vulner':691,2032,2052,2180,2462 'warn':2222 'week':2238,2252,2264 'wide':418 'without':350,1839,2000 'work':123 'workdir':231,267,743,775 'workflow':663,1753,2065,2517 'xxx':304 'xyz':1901 'yaml':143,345,521,614,667,914,955,1014,1082,1343,1421,1500,1754,1834,1870,1918,2061,2184,2281 'zap':2027 'zero':440,485,495,1413 'zero-downtim':439 
'zsh':2209","prices":[{"id":"4daa5084-24b4-4a4b-917c-d74cf88be627","listingId":"f3b2eef4-9cbb-4cb1-be7b-d440445b1cc9","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"majiayu000","category":"claude-arsenal","install_from":"skills.sh"},"createdAt":"2026-04-18T22:24:07.930Z"}],"sources":[{"listingId":"f3b2eef4-9cbb-4cb1-be7b-d440445b1cc9","source":"github","sourceId":"majiayu000/claude-arsenal/devops-excellence","sourceUrl":"https://github.com/majiayu000/claude-arsenal/tree/main/skills/devops-excellence","isPrimary":false,"firstSeenAt":"2026-04-18T22:24:07.930Z","lastSeenAt":"2026-05-01T07:01:13.472Z"}],"details":{"listingId":"f3b2eef4-9cbb-4cb1-be7b-d440445b1cc9","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"majiayu000","slug":"devops-excellence","github":{"repo":"majiayu000/claude-arsenal","stars":29,"topics":["agent-skills","ai-agents","ai-coding-assistant","automation","claude","claude-code","code-review","developer-tools","devops","productivity","prompt-engineering","python","software-development","typescript","workflows"],"license":"mit","html_url":"https://github.com/majiayu000/claude-arsenal","pushed_at":"2026-04-29T04:12:22Z","description":"52 production-ready Claude Code skills and 7 specialized agents for software development, DevOps, product workflows, and automation.","skill_md_sha":"58cd304a7291de3473234b5f3fcd96b579ff5f50","skill_md_path":"skills/devops-excellence/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/majiayu000/claude-arsenal/tree/main/skills/devops-excellence"},"layout":"multi","source":"github","category":"claude-arsenal","frontmatter":{"name":"devops-excellence","description":"DevOps and CI/CD expert. 
Use when setting up pipelines, containerizing applications, deploying to Kubernetes, or implementing release strategies. Covers GitHub Actions, Docker, K8s, Terraform, and GitOps."},"skills_sh_url":"https://skills.sh/majiayu000/claude-arsenal/devops-excellence"},"updatedAt":"2026-05-01T07:01:13.472Z"}}