β Q1 β Design a production-grade CI/CD pipeline β what stages must exist?
At minimum: source β build β test β security scan β artifact publish β deploy β verify. I separate CI and CD logically. CI produces versioned immutable artifacts. CD promotes same artifact across environments. Never rebuild per environment.
β Q2 β How do you prevent broken code from reaching production automatically?
Use gated pipeline stages β unit tests, integration tests, lint, and security scans must pass before artifact publish. Production deploy requires manual approval or protected branch merge. Also use policy checks and quality gates.
β Q3 β Dev team wants direct deploy on every commit to main β do you allow?
Only for non-prod. For production, I require PR + review + checks. Direct commit deploy to prod is high risk. Speed without control creates outages. Balance automation with guardrails.
β Q4 β Build works in CI but fails in production runtime β why common?
Environment mismatch β different dependencies, configs, or OS libs. Fix is containerized builds and runtime parity. Build once, run same container everywhere. Avoid environment drift.
β Q5 β How do you implement artifact versioning correctly?
Use immutable version tags β commit SHA or semantic version. Store artifacts in registry (ECR/Nexus/Artifactory). Never use βlatestβ in production deploy. Version must map to exact source commit.
β Q6 β What is artifact promotion vs rebuild β which is correct?
Promotion is correct. Same artifact moves from dev β stage β prod. Rebuilding per env risks different binaries. Promotion guarantees consistency and rollback ability.
β Q7 β Pipeline is slow because tests take 25 minutes β what do you change?
Split tests into parallel jobs. Run fast tests first, slow tests later. Cache dependencies. Separate smoke vs full regression suites. Donβt block quick feedback with heavy tests every commit.
β Q8 β How do you implement rollback in CI/CD design?
Rollback uses previously published artifact version. Deployment step supports version parameter. No rebuild β just redeploy previous version. Store deployment metadata for traceability.
β Q9 β How do you handle database migrations safely in pipeline?
Migrations must be versioned and backward compatible. Run migration as separate controlled step. Use expand-contract pattern. Never couple destructive schema change with app deploy blindly.
β Q10 β How do you secure secrets in CI/CD pipelines?
Secrets stored in secret manager or CI credential store. Inject at runtime only. Never commit in repo or bake into image. Mask in logs and restrict access by role.
β Q11 β How do you support multiple environments with same pipeline?
Same pipeline, different config inputs. Use env-specific variables and values files. Artifact stays same β only config changes. Avoid separate pipeline logic per env.
β Q12 β Canary or blue-green β when do you choose which?
Blue-green when you can switch traffic instantly and infra cost is acceptable. Canary when you want gradual exposure and metric-based validation. Canary is safer for high-risk releases.
β Q13 β Pipeline triggered twice per commit β debugging steps?
Check webhook duplication and polling overlap. Verify only one trigger type active. Inspect CI server webhook logs. Duplicate triggers waste capacity and cause race deploys.
β Q14 β How do you add security scanning into CI/CD without killing speed?
Run fast SAST and dependency scan in CI. Run deeper scans async or nightly. Fail build only on high severity. Security must be integrated, not blocking everything blindly.
β Q15 β Biggest CI/CD anti-pattern youβve seen in real orgs?
Rebuilding artifacts per environment + manual hotfix deploys outside pipeline. That destroys traceability and rollback safety. CI/CD must be single path to production β no side doors.