Who this guide is for #
This guide is for small teams (3–10 engineers) that want reliable deployments without building an entire platform team.
You probably use GitHub or GitLab, ship a web or SaaS product, and don’t want your release process to depend on one person’s laptop.
The goal here is a simple, boring CI/CD setup: predictable, fast enough, and easy to hand over.
Principles of small-team CI/CD #
- Keep pipelines simple. One main pipeline per service, no maze of jobs.
- Same pipeline for all environments. Staging and production differ only by config, not scripts.
- Every change goes through CI. No direct pushes to main, no “Friday night hotfix from laptop”.
- Fast feedback. Developers should get test results in minutes, not half an hour.
- Automate what’s repeatable, document what’s not.
1. Choose your CI platform #
For most small teams, use the CI that comes with your git host:
- GitHub → GitHub Actions
- GitLab → GitLab CI
- Bitbucket → Bitbucket Pipelines
Reasons:
- Single place for code + pipelines + checks.
- Native integration with PR/MR checks, required statuses, environments.
- Less to manage: no separate CI server to patch and babysit.
If you have very specific needs (self‑hosted runners, special compliance), you can still start here and move to a dedicated CI later.
2. Basic pipeline structure #
For each service/repo you want at least two pipelines:
- Pull request / merge request pipeline
- Main branch pipeline (deploy pipeline)
2.1. PR / MR pipeline #
Triggers: on every push to a feature branch and on PR/MR open/update.
Typical steps:
- Checkout code.
- Install dependencies / build.
- Run unit tests.
- Run linters / formatters.
- (Optional) Run light security checks (SAST, dependency scan).
Requirements:
- Must finish fast enough (aim for <10 min).
- Must report status back to the PR/MR.
- Main branch should be protected to require green CI before merge.
2.2. Main branch / deploy pipeline #
Triggers: on merge to main or release/*.
Typical steps:
- Build artifact or container image.
- Run tests that are too slow for PR (integration, e2e smoke).
- Push artifact/image to registry.
- Deploy to staging environment.
- Run smoke tests against staging.
- Await manual approval for production.
- Deploy to production.
Important:
- Staging and production use the same deploy logic — same scripts/manifests/Helm charts, only config/env vars differ.
- Every deployment should be traceable to a commit, PR and build number.
3. Environments and configuration #
For a small team, you usually need:
- Staging — always deploy here first, used for testing and demos.
- Production — customer‑facing environment.
Configuration tips:
- Use environment variables or a secrets manager instead of hard‑coded config files.
- Keep environment‑specific config in code (values files, env‑specific manifests), not in someone’s head.
- Keep the number of environments low; too many will slow you down.
Example mapping:
ENVIRONMENT=staging→ deploy to staging cluster/app.ENVIRONMENT=prod→ deploy to production cluster/app.
4. Deployment strategies that are not overkill #
For early‑stage teams, you usually don’t need complex blue‑green / canary setups from day one.
Reasonable defaults:
- Rolling deployments (Kubernetes / app platform default) with health checks.
- Simple blue‑green via two app slots/environments if your platform supports it.
Key requirement: rollback must be easy:
- Keep the last few builds/artifacts available.
- Have a documented way to deploy a previous version (a job or script, not a manual re‑build).
5. Handling secrets and credentials in CI #
Bad pattern: credentials in plain text in the pipeline file or checked into the repo.
Minimal approach:
- Use the CI platform’s secrets/variables feature for passwords, tokens, keys.
- Use per‑environment secrets (staging vs prod) with least privilege.
- Rotate secrets regularly and when people leave the team.
For anything more serious, plug in a dedicated secrets manager and let CI fetch temporary credentials at runtime.
6. Testing strategy that fits a small team #
You don’t need a perfect test pyramid, but you do need something.
Reasonable split:
- Fast unit tests — always on PR.
- A few integration tests — run on PR or at least on main branch after merge.
- Smoke tests against staging and production — run post‑deploy.
Aim for:
- Fast feedback on PR (<10 minutes).
- Catch the worst regressions before production without requiring a full e2e farm.
7. Typical CI/CD anti‑patterns in small teams #
Watch out for:
- Long‑running pipelines nobody waits for (devs merge “because it’s probably fine”).
- Manual deploy scripts only one person knows how to run.
- No staging, everything goes straight to prod.
- Secrets scattered across repos, wikis and sticky notes.
- No clear owner of the pipeline (no one feels responsible).
If you see any of these, fix them before adding new tools.
8. Minimal checklist for your CI/CD #
You can use this as a quick audit:
- Every change goes through PR/MR and CI.
- Main branch is protected and requires green CI.
- There is an automatic deploy to staging on merge.
- Production deploy is a documented, reproducible process (ideally a pipeline job).
- Rollback is simple and tested at least once.
- Secrets are not stored in plain text in the repo.
- CI logs are readable and not spammed with noise.
If you can tick these boxes, your CI/CD is already better than what many small teams have.
Recommended next steps #
- Map your current flow: where code lives, how you test, how you deploy.
- Compare it to this checklist and pick 2–3 small improvements you can realistically ship this month.
- Once your basic CI/CD is in place, move on to the Minimal DevOps Stack guide and align the rest of your tooling with it.
If you’d like help designing or implementing a clean CI/CD setup for your team, check the Services page — I can help with one‑off reviews or full setup for your stack.
Reply by Email