Cloud & DevOps · 03 of 04

From commit to production, on autopilot.

CI/CD that ships safely while you sleep. Infrastructure as code that actually matches what's running. GitOps where Git is the source of truth, not just the source of arguments. The pipelines a senior engineer would build — without the year it usually takes.

Plan an automation sprint See the loop
12 / dayDeploys on operated stacks
8 minMedian commit-to-prod
< 9%Change-fail rate
What you get

Automation that earns production trust.

Six muscles built into every automation engagement — instrumented, tested, owned.

CI/CD pipelines

Trunk-based, fast tests, parallel jobs, ephemeral environments per PR. The Friday-deploy story stops being scary.

trunk · parallel · ephemeral

Infrastructure as code

Terraform or Pulumi with state management, modules, drift detection. The diagram and the cloud match — permanently.

Terraform · drift · modules

GitOps delivery

Argo CD or Flux. Cluster state == Git. Pull-based reconciliation, easy rollbacks, no manual kubectl apply hero moments.

Argo · Flux · pull-based

Supply-chain security

SLSA-aligned builds, signed images, SBOM in every release, secrets scanned at pre-commit. Shift-left, not shift-aside.

SLSA · cosign · SBOM

Progressive delivery

Feature flags, blue/green, canary, automatic rollback on SLO breach. Bad releases become boring events.

canary · flags · rollback

Internal developer platform

Backstage or Port with golden-paths, scaffolding, self-service infra. The platform becomes the easy path, not the only one.

Backstage · Port · golden-path
How it works

Git is the source of truth. Everything else reconciles.

A GitOps-shaped loop we've hardened across two dozen production estates.

01 · CommitEngineer commitsPR · main02 · CIBuild · test · signSBOM · scan03 · RegistryOCI · chartsigned04 · Manifest repo (the truth)env-prod-eu · env-prod-us · env-stageversion pinned · reviewed · audited05 · GitOps controllerArgo CD · Flux — pull · diff · reconcile06 · Clusters & cloudEKSAKSCloud infra (TF)

The pipeline is boring. That's the brief.

Every interesting story about CI/CD is a war story. Our goal is to make yours forgettable — commits ship, releases deploy, rollbacks happen quietly.

  • 01
    Trunk-based, fast feedback

    PRs ship in hours, not days. Ephemeral preview env per PR — bugs caught before review.

  • 02
    Pipelines as code, modular

    Reusable workflow templates, language-agnostic. Devs add a pipeline by importing, not copy-pasting.

  • 03
    Pull-based delivery

    Argo / Flux reconciles cluster state from Git. No CI job ever holds a kubeconfig.

  • 04
    Auto-rollback on SLO

    Canary watches error budget. Breach → rollback. Slack notified. Engineers sleep.

Tech stack

Pipelines we've operated, not just designed.

Each chip below has held production traffic for someone we still answer the phone for.

CI / CD

GitHub ActionsGitLab CICircleCIBuildkiteJenkins

GitOps

Argo CDFluxArgo RolloutsFlagger

IaC

TerraformOpenTofuPulumiCDKCrossplane

Containers

KubernetesEKS · AKS · GKEHelmKustomize

Supply chain

cosign · sigstoreSLSATrivySnykSyft

Secrets

VaultSOPSExternal SecretsDoppler

Progressive delivery

LaunchDarklyStatsigUnleashArgo Rollouts

Platform UX

BackstagePortCortexHumanitec
From vision to victory

A six-week automation sprint.

First production deploy through the new pipeline by the end of week three. Hardening from there.

01
Week 1
Audit & design

Current pipelines, secrets, environments, branching. Target topology drafted.

02
Week 2
Foundations

IaC repo, secrets manager, registry, manifest repo, GitOps controller. Boring infrastructure.

03
Week 3
First service

One service end-to-end through the new pipeline. Reference for everything else.

04
Week 4–5
Migrate the fleet

Templates applied across services. Old pipelines retired in waves.

05
Week 6
Progressive delivery

Canary + auto-rollback wired to SLOs. Platform documented, handoff complete.

Where it lands

Three automation sprints we've finished.

Real systems where the lead-time number actually moved — and stayed moved.

Pattern · Greenfield · Series B

Day-one CI/CD that grew with the team.

Series-B SaaS without a platform team. Built CI/CD, IaC and GitOps end-to-end in six weeks. Eight months in: still working, no SRE hire needed yet.

6 wkZero → multi-region prod
14 / dayDeploy cadence
GitHub ActionsArgo CDTerraform
Pattern · Enterprise · Migration

Off Jenkins, onto GitOps — without a war.

120-service enterprise on a Jenkins monolith. Phased migration to GitHub Actions + Argo CD over a quarter, with no production incident.

120 svcsMigrated
0 P0During migration
GHAArgo CDHelm
Pattern · Scale-up · IDP

An internal platform engineers actually use.

Backstage-powered IDP with golden-paths for “new service” and “new environment.” 80% of teams onboarded in three months — opt-in, not mandate.

80%Teams onboarded
−54%Time-to-prod
BackstageCrossplaneArgo
Why ETY

Pipelines that outlast the engagement.

12 / dayMedian deploy frequency on operated stacks.
8 minMedian commit-to-production lead time.
< 9%Change-failure rate — elite tier in the DORA report.
IaC-firstEvery production resource we touch is described in code.
Continue exploring
SRE · Site Reliability

The SLOs and runbooks that turn fast deploys into safe deploys.

Solution Architecture

The cloud foundation these pipelines deploy into — well-architected from day one.

Ship safely while you sleep.

Send us the one service you wish you could deploy every day. We'll come back with a pipeline shape, a six-week plan, and the lead-time number we'll commit to.

Book a discovery call Back to Cloud & DevOps