[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"pack-detail-ci-cd-build-pipeline-es":3,"seo:pack:ci-cd-build-pipeline:es":94},{"code":4,"message":5,"data":6},200,"操作成功",{"pack":7},{"slug":8,"icon":9,"tone":10,"status":11,"status_label":12,"title":13,"description":14,"items":15,"install_cmd":93},"ci-cd-build-pipeline","⚙️","#1E40AF","new","Nuevo · esta semana","Pack CI\u002FCD — Del Primer Workflow al Deploy Gate","Monta un pipeline real de extremo a extremo: GitHub Actions \u002F GitLab CI \u002F Dagger, caché de BuildKit, builds matriciales, gestión de secretos con sops + Infisical + Gitleaks, y un gate de despliegue sin caídas con Kamal. Configs amigables para que un agente IA los genere, depure y optimice.",[16,28,37,44,51,58,65,72,78,86],{"id":17,"uuid":18,"slug":19,"title":20,"description":21,"author_name":22,"view_count":23,"vote_count":24,"lang_type":25,"type":26,"type_label":27},3214,"2a65110c-eb7a-4e41-ac09-2f700b5043a1","actionlint-lint-github-actions-locally","actionlint — Lint GitHub Actions Locally","actionlint catches syntax mistakes and expression\u002Ftype errors in GitHub Actions workflows before CI runs, so broken YAML never blocks your team.","Script Depot",109,0,"en","script","Script",{"id":29,"uuid":30,"slug":31,"title":32,"description":33,"author_name":22,"view_count":34,"vote_count":24,"lang_type":25,"type":35,"type_label":36},1181,"006a587e-371c-11f1-9bc6-00163e2b0d79","act-run-github-actions-locally-006a587e","act — Run GitHub Actions Locally","act lets you run GitHub Actions workflows on your local machine. 
Test and debug your CI\u002FCD pipelines without pushing to GitHub, using Docker containers to simulate the GitHub Actions runner environment.",180,"skill","Skill",{"id":38,"uuid":39,"slug":40,"title":41,"description":42,"author_name":22,"view_count":43,"vote_count":24,"lang_type":25,"type":35,"type_label":36},2160,"1ff009e7-414b-11f1-9bc6-00163e2b0d79","super-linter-multi-language-linter-aggregator-ci-1ff009e7","Super-Linter — Multi-Language Linter Aggregator for CI","Super-Linter combines dozens of linters into a single GitHub Action or standalone Docker container, enforcing code quality across languages in one step.",57,{"id":45,"uuid":46,"slug":47,"title":48,"description":49,"author_name":22,"view_count":50,"vote_count":24,"lang_type":25,"type":35,"type_label":36},1469,"cd46c5c6-3928-11f1-9bc6-00163e2b0d79","buildkit-concurrent-cache-efficient-oci-image-builder-cd46c5c6","BuildKit — Concurrent, Cache-Efficient OCI Image Builder","BuildKit is the modern container image builder behind docker build and buildx, providing a concurrent DAG-based frontend, cross-platform builds, remote caching, and rootless operation.",124,{"id":52,"uuid":53,"slug":54,"title":55,"description":56,"author_name":22,"view_count":57,"vote_count":24,"lang_type":25,"type":35,"type_label":36},241,"7649c33b-4b70-4395-81d9-68994aaa743a","dagger-programmable-ci-cd-engine-7649c33b","Dagger — Programmable CI\u002FCD Engine","Run CI\u002FCD pipelines as code — locally, in CI, or in the cloud. Replace YAML with real programming languages. Cacheable, portable, testable. 15.6K+ stars.",139,{"id":59,"uuid":60,"slug":61,"title":62,"description":63,"author_name":22,"view_count":64,"vote_count":24,"lang_type":25,"type":35,"type_label":36},1539,"8c85c9b7-3939-11f1-9bc6-00163e2b0d79","concourse-container-native-ci-cd-pipelines-code-8c85c9b7","Concourse — Container-Native CI\u002FCD with Pipelines as Code","Build reliable CI\u002FCD pipelines with Concourse. 
Every step runs in an isolated container, pipelines are declarative YAML, and the resource model makes dependencies explicit and reproducible.",125,{"id":66,"uuid":67,"slug":68,"title":69,"description":70,"author_name":71,"view_count":64,"vote_count":24,"lang_type":25,"type":35,"type_label":36},1194,"40b108c4-372b-11f1-9bc6-00163e2b0d79","gitleaks-find-secrets-git-repos-code-40b108c4","Gitleaks — Find Secrets in Git Repos and Code","Gitleaks is a fast SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in Git repositories. It scans commit history and source code using regex patterns, preventing secret leaks before they reach production.","AI Open Source",{"id":73,"uuid":74,"slug":75,"title":76,"description":77,"author_name":22,"view_count":64,"vote_count":24,"lang_type":25,"type":35,"type_label":36},1179,"f8f53103-3712-11f1-9bc6-00163e2b0d79","sops-simple-flexible-secrets-management-f8f53103","sops — Simple and Flexible Secrets Management","sops (Secrets OPerationS) encrypts values in YAML, JSON, ENV, and INI files while keeping keys in plaintext. This lets you version-control encrypted secrets in Git, using age, AWS KMS, GCP KMS, Azure Key Vault, or PGP as encryption backends.",{"id":79,"uuid":80,"slug":81,"title":82,"description":83,"author_name":84,"view_count":85,"vote_count":24,"lang_type":25,"type":35,"type_label":36},452,"41fbcc5c-aac8-4f3e-8305-cf2462809684","infisical-open-source-secret-management-41fbcc5c","Infisical — Open-Source Secret Management","Manage API keys and secrets across teams and environments. Auto-sync to apps, rotation, audit logs. 
25K+ GitHub stars.","Skill Factory",268,{"id":87,"uuid":88,"slug":89,"title":90,"description":91,"author_name":22,"view_count":92,"vote_count":24,"lang_type":25,"type":35,"type_label":36},1443,"5211d45c-3908-11f1-9bc6-00163e2b0d79","kamal-zero-downtime-docker-deploys-any-server-5211d45c","Kamal — Zero-Downtime Docker Deploys to Any Server","Kamal is Basecamp's deploy tool that ships Docker containers to bare metal or cloud VMs with a single command, giving you Heroku-like workflows on servers you actually own.",122,"tokrepo install pack\u002Fci-cd-build-pipeline",{"pageType":95,"pageKey":8,"locale":25,"title":96,"metaDescription":97,"h1":98,"tldr":99,"bodyMarkdown":100,"faq":101,"schema":117,"internalLinks":123,"citations":136,"wordCount":149,"generatedAt":150},"pack","CI\u002FCD Build Pipeline Pack — 10 Open-Source Picks from First Workflow to Deploy Gate","actionlint, act, Super-Linter, BuildKit, Dagger, Concourse, Gitleaks, sops, Infisical, Kamal — a deliberate install order that takes a fresh repo from no CI to matrix builds, cached layers, scanned secrets, and a zero-downtime deploy gate. AI-friendly configs throughout.","CI\u002FCD Build Pipeline Pack — A Real Pipeline, In One Pass","Ten open-source picks in install order: first lint your workflow locally, then run it locally, then add a linter step, then cache layers with BuildKit, then make it portable with Dagger, then add a self-hosted alt with Concourse, then scan + manage secrets (Gitleaks + sops + Infisical), then gate the deploy with Kamal. Every step is a configuration an AI agent can generate or debug.","## What's in this pack\n\nMost CI\u002FCD how-tos hand you a 200-line `.github\u002Fworkflows\u002Fci.yml` and call it done. That works for a hobby project — it does not work for a real pipeline that has to survive matrix builds, slow caches, leaked secrets, and a 2 a.m. failed deploy. 
This pack is the **opposite** angle: ten open-source picks installed in a deliberate order, each one earning its place by solving a problem the previous step exposed.\n\nEvery pick is **open-source**, **actively maintained**, and produces a config file an AI agent can read, generate, or debug. No hosted-only black boxes. By the end you have a pipeline that runs locally, runs in CI, caches aggressively, scans for secrets, and only ships green builds.\n\n## Install in this order\n\n1. **actionlint** — Lint your workflow YAML before you push. Catches typos in `uses:`, broken `if:` expressions, and bad shell escapes that would otherwise burn a 4-minute CI run. Run as a pre-commit hook. Zero excuses.\n2. **act** — Run GitHub Actions locally in Docker. The single biggest CI iteration killer is the `commit → push → wait 5 min → see red → repeat` loop. `act` cuts that to seconds. Pair with actionlint and you debug workflows the way you debug code.\n3. **Super-Linter** — Drop-in multi-language linter aggregator from GitHub. One step in your workflow, 50+ linters under the hood (shellcheck, hadolint, yamllint, eslint, ruff). Stops style debates by making the CI the source of truth.\n4. **BuildKit** — Modern OCI image builder with parallel layers and cache-mount support. Once your build runs through BuildKit, `RUN apt-get` and `RUN npm ci` survive across commits via `--mount=type=cache`. Typical CI cuts: 8 min → 90 sec for a Node + Python service.\n5. **Dagger** — Programmable CI\u002FCD engine: pipelines as actual code (Go, Python, TypeScript), runs identically on GitHub Actions, GitLab CI, Buildkite, or your laptop. The moment your `.yml` exceeds 300 lines, you reach for Dagger and never look back. Provider lock-in goes away in one afternoon.\n6. **Concourse** — Container-native CI with declarative pipelines for self-hosted setups. When you can't put proprietary code on hosted CI, Concourse is the sane open-source alternative. 
Pipelines live in YAML, every step is a container, state lives in S3 or a PG.\n7. **Gitleaks** — Static secret scanner. One step in your pipeline that fails the build if an AWS key, GitHub token, or JWT slips into a commit. Catches the 5% of secret leaks that all the careful coding in the world won't prevent.\n8. **sops** — Mozilla's encrypted-file secrets manager. Commit `secrets.enc.yaml` to git, decrypt at deploy time with KMS \u002F age \u002F PGP. Tiny, no service to run, perfect for the 80% of teams that don't yet need Vault.\n9. **Infisical** — Open-source secret management service when sops stops scaling. Web UI, role-based access, CI integrations for GitHub Actions \u002F GitLab \u002F Vercel. The graduation path from sops, before you reach for HashiCorp Vault.\n10. **Kamal** — Zero-downtime Docker deploy tool. After CI passes, Kamal handles the rolling deploy with health checks across one or many servers. Replaces the messy `ssh && docker pull && docker restart` script every team writes and regrets.\n\n## How they fit together\n\n```\nWrite workflow.yml\n   │\n   ├─ actionlint  (local, pre-commit)\n   │\n   ├─ act         (local, docker-compose for CI)\n   │\nCI runs ──┐\n          ├─ Super-Linter step           (style + correctness)\n          ├─ BuildKit step               (cached docker build)\n          ├─ Dagger pipeline             (portable across providers)\n          │     └─ or Concourse          (self-hosted alt)\n          ├─ Gitleaks scan step          (block on secret leak)\n          └─ sops decrypt step           (inject secrets at runtime)\n                 └─ Infisical (if team > 5 people)\n                       │\n                       ▼\n                  Kamal deploy            (zero-downtime gate)\n```\n\nThe **actionlint + act + Super-Linter** triad is the cheap-but-massive iteration win — most teams skip it and waste hours on red CI per week. 
The **Dagger + BuildKit** pairing is the long-term lock-in escape: if your CI YAML feels brittle, this is the rewrite path. **sops first, Infisical when you grow** is the right secrets ramp; jumping straight to Vault for a 3-person team is YAGNI in cardboard armor.\n\n## Tradeoffs you'll hit\n\n- **act vs hosted runners** — `act` is great for 80% of workflow debugging but doesn't perfectly emulate GitHub-hosted runner features (matrix expansion edge cases, OIDC tokens, hosted-only services). Use it for iteration, then verify on real CI before merging the workflow change.\n- **Dagger vs raw YAML** — Dagger adds a language layer (Go\u002FPython\u002FTS) on top of CI. Worth it past ~300 YAML lines or when you need to run the same pipeline across providers. For a single-file 50-line workflow, raw YAML is still right.\n- **sops vs Infisical vs Vault** — sops = files in git, no service. Infisical = web UI + RBAC, one service. Vault = full-blown secrets platform with dynamic credentials, multiple services. Pick the smallest that solves your problem this quarter.\n- **Kamal vs Kubernetes** — Kamal is for teams that want zero-downtime Docker deploys without running k8s. The moment you need autoscaling, scheduled jobs, or service mesh, you're outside its target. Don't fight that boundary.\n- **Concourse vs GitHub Actions** — If you can use hosted CI, do. Concourse is for when compliance, air-gap, or cost forces self-hosted. Operating a Concourse cluster has real ops overhead.\n\n## Common pitfalls\n\n- **No cache key strategy** — `actions\u002Fcache` with the wrong key invalidates every run. Hash the lockfile (`package-lock.json`, `poetry.lock`), not the source tree.\n- **Matrix builds with `fail-fast: true`** — by default GitHub kills the whole matrix on first failure. 
Set `fail-fast: false` when you want to see all OS \u002F version failures at once for triage.\n- **Secrets in env at the workflow level** — anything in `env:` at the workflow or job level is visible to every step, including third-party actions. Inject secrets only into the specific step that needs them.\n- **Forgetting `concurrency:`** — without a concurrency group, two pushes to the same branch run two deploys in parallel and race. Add `concurrency: { group: deploy-${{ github.ref }}, cancel-in-progress: true }`. Note that `cancel-in-progress: true` aborts a rollout that is already underway; for the deploy job itself, queueing the newer run (`cancel-in-progress: false`) is usually the safer choice.\n- **Gitleaks with no allowlist** — first run will flag test fixtures and example tokens. Curate the `.gitleaks.toml` allowlist once, then it stays useful instead of being muted.\n- **Kamal without a healthcheck endpoint** — Kamal's zero-downtime relies on `\u002Fup` returning 200 before traffic switches. Skip that and you get downtime-ish deploys instead.",[102,105,108,111,114],{"q":103,"a":104},"Do I really need all ten? It looks like a lot for one repo.","No. The minimum viable pipeline is actionlint + Super-Linter + BuildKit + Gitleaks + one of (sops or Infisical) + Kamal. Add act when you start debugging workflows often, Dagger when YAML hurts, Concourse only if hosted CI is off the table. Treat the list as a ramp, not a shopping cart.",{"q":106,"a":107},"Can I use this pack with GitLab CI or Buildkite instead of GitHub Actions?","Yes — that's exactly why Dagger and Concourse are in the list. actionlint \u002F act are GitHub-specific, but BuildKit, Super-Linter (via Docker), Gitleaks, sops, Infisical, and Kamal are CI-agnostic. The Dagger pipeline you write runs identically on all three providers, so the lock-in shrinks to two thin entry-point YAML files.",{"q":109,"a":110},"How much CI time does the BuildKit cache actually save?","On a typical Node + Python service: cold build ~7-9 minutes, warm build (changed source only, cache hit on dependencies) ~60-120 seconds. 
The win compounds when you also use cache-mount on package manager caches (`--mount=type=cache,target=\u002Froot\u002F.npm`) instead of just COPY-then-install. Diminishing returns past that — focus optimization elsewhere.",{"q":112,"a":113},"Why sops AND Infisical — aren't they the same thing?","Different stages of growth. sops encrypts files committed to git — no service to run, perfect for solo or small teams. Infisical runs a service with a UI, RBAC, audit log, and CI integrations — needed once non-engineers (PMs, marketers) need to rotate API keys without git access. Start with sops; migrate when the friction shows up.",{"q":115,"a":116},"How do I make AI agents (Claude, Copilot, Cursor) actually useful for CI configs?","Three habits help. First, keep one canonical workflow file per repo and a comment header explaining the pipeline's stages — the agent reads that and writes the right step. Second, give it the actionlint output when something fails (`actionlint -format '{{json .}}'`) so it can fix root cause, not symptom. 
Third, when migrating between providers, point it at your Dagger pipeline file rather than YAML — it's regular code, so the agent generates correct provider entry-points easily.",{"@context":118,"@type":119,"name":120,"description":121,"numberOfItems":122,"inLanguage":25},"https:\u002F\u002Fschema.org","ItemList","CI\u002FCD Build Pipeline Pack","Ten open-source CI\u002FCD tools in install order — from workflow linting and local execution to layer caching, portable pipelines, secret scanning, secret management, and zero-downtime deploys.",10,[124,128,132],{"url":125,"anchor":126,"reason":127},"\u002Fen\u002Fai-tools-for\u002Fdevops","DevOps tools for AI agents","CI\u002FCD configs benefit from agent generation and debugging",{"url":129,"anchor":130,"reason":131},"\u002Fen\u002Ftopics","Browse other topic packs","Find related packs for backend engineering, deployment, and security",{"url":133,"anchor":134,"reason":135},"\u002Fen\u002Ffeatured","Featured assets on TokRepo","These CI\u002FCD tools live alongside the broader curated catalog",[137,141,145],{"claim":138,"source_name":139,"source_url":140},"actionlint is a static checker for GitHub Actions workflow files","actionlint GitHub","https:\u002F\u002Fgithub.com\u002Frhysd\u002Factionlint",{"claim":142,"source_name":143,"source_url":144},"BuildKit supports cache mounts for incremental container builds","BuildKit documentation","https:\u002F\u002Fdocs.docker.com\u002Fbuild\u002Fcache\u002Fbackends\u002F",{"claim":146,"source_name":147,"source_url":148},"sops uses KMS, age, and PGP to encrypt files committed to git","sops project","https:\u002F\u002Fgithub.com\u002Fgetsops\u002Fsops",920,"2026-05-22T10:00:00Z"]