https://blog.abhipraya.dev/tags/ci-cd/Recent content in Ci-Cd on Daffa AbhiprayaHugoen-us© Daffa AbhiprayaThu, 09 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-a/qa/Thu, 09 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-a/qa/<p>Quality tools are useless if they are not enforced. Our project had SonarQube analyzing every commit, schema fuzzing running against our API, and load tests measuring latency, but every single one of them was set to <code>allow_failure: true</code>. Violations were silently ignored, real bugs slipped through, and nobody noticed because the pipeline was always green. This blog covers how we turned those advisory checks into blocking gates, built automated CI reporting so reviewers could actually see the results, and watched the tools catch a JWT vulnerability, a production crash, and 31 code quality violations that had been accumulating for weeks.</p>https://blog.abhipraya.dev/ppl/part-a/tdd-and-qa/Sun, 15 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-a/tdd-and-qa/<p>We had 91% line coverage and felt good about it. Then we ran mutation testing and scored 0%. Every line of our service layer was executed by tests; almost nothing was actually verified. This is the story of how six advanced testing tools exposed the gap between &ldquo;code was run&rdquo; and &ldquo;code was checked,&rdquo; and what that means for any team relying on coverage as a quality signal.</p> <blockquote> <p><strong>Note:</strong> Our project is hosted on an internal GitLab instance, so we use the term <strong>MR (Merge Request)</strong> throughout this blog. If you&rsquo;re coming from GitHub, MRs are the equivalent of <strong>Pull Requests (PRs)</strong>.</p>https://blog.abhipraya.dev/ppl/part-b/s1w3-discipline/Fri, 13 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s1w3-discipline/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>Sprint 1 Week 3 was the highest-output week of the project so far. I authored and merged <strong>14 merge requests</strong> covering full-stack features, CI/CD pipeline improvements, production infrastructure fixes, and data integrity patches.</p> <h2 id="mr-summary"> <a class="anchor" href="#mr-summary" data-anchor="mr-summary" aria-hidden="true">#</a> MR Summary </h2> <table> <thead> <tr> <th>MR</th> <th>Type</th> <th>Title</th> <th>Date</th> </tr> </thead> <tbody> <tr> <td>!20</td> <td>feat</td> <td>Layout, navigation &amp; dashboard (full stack)</td> <td>Mar 7</td> </tr> <tr> <td>!47</td> <td>feat</td> <td>Seed production admin and staff users with Nashta emails</td> <td>Mar 7</td> </tr> <tr> <td>!12</td> <td>feat</td> <td>Invoice management (full stack)</td> <td>Mar 8</td> </tr> <tr> <td>!54</td> <td>feat</td> <td>Add Payments link to sidebar navigation</td> <td>Mar 8</td> </tr> <tr> <td>!66</td> <td>fix</td> <td>Rename out-of-order migration timestamps to unblock CI deploy</td> <td>Mar 9</td> </tr> <tr> <td>!67</td> <td>feat</td> <td>Add migration dry-run validation to MR pipelines</td> <td>Mar 9</td> </tr> <tr> <td>!68</td> <td>fix</td> <td>Add missing ENCRYPTION_KEY to deploy env generation</td> <td>Mar 9</td> </tr> <tr> <td>!71</td> <td>fix</td> <td>Add proxy-headers to uvicorn for HTTPS redirect support</td> <td>Mar 10</td> </tr> <tr> <td>!74</td> <td>chore</td> <td>Add Conductor workspace support</td> <td>Mar 11</td> </tr> <tr> <td>!76</td> <td>fix</td> <td>Resolve invoice seeder subquery returning multiple rows</td> <td>Mar 11</td> </tr> <tr> <td>!77</td> <td>fix</td> <td>Deduplicate invoice numbers in seed CSV</td> <td>Mar 11</td> </tr> <tr> <td>!78</td> <td>fix</td> <td>Polish sidebar, header, profile edit, and invoices page consistency</td> <td>Mar 11</td> </tr> <tr> <td>!79</td> <td>fix</td> <td>Remove sidebar header bottom border</td> <td>Mar 11</td> </tr> <tr> <td>!17</td> <td>feat</td> <td>Client management (full stack, merged by me)</td> <td>Mar 9</td> </tr> </tbody> </table> <h3 id="breakdown-by-category"> <a class="anchor" href="#breakdown-by-category" data-anchor="breakdown-by-category" aria-hidden="true">#</a> Breakdown by category </h3> <ul> <li><strong>Full-stack features:</strong> 4 MRs (!20, !12, !54, !17)</li> <li><strong>CI/CD pipeline:</strong> 3 MRs (!66, !67, !68)</li> <li><strong>Infrastructure:</strong> 2 MRs (!71, !74)</li> <li><strong>Data integrity:</strong> 3 MRs (!47, !76, !77)</li> <li><strong>UI polish:</strong> 2 MRs (!78, !79)</li> </ul> <h2 id="commit-message-quality"> <a class="anchor" href="#commit-message-quality" data-anchor="commit-message-quality" aria-hidden="true">#</a> Commit Message Quality </h2> <p>Every commit follows the conventional commits format: <code>type(scope): description</code>. The scope tells you exactly which app/layer is affected, and the description is specific enough to understand the change without reading the diff.</p>https://blog.abhipraya.dev/ppl/part-a/data-seeding/Thu, 12 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-a/data-seeding/<h2 id="why-database-migrations-need-safety-nets"> <a class="anchor" href="#why-database-migrations-need-safety-nets" data-anchor="why-database-migrations-need-safety-nets" aria-hidden="true">#</a> Why Database Migrations Need Safety Nets </h2> <p>Imagine this scenario: a developer adds a new column to the invoices table, pushes to <code>main</code>, and the CI/CD pipeline deploys it to production. Everything looks fine until the next morning, when the team discovers that the migration also dropped a constraint that was silently relied on by another service. Rolling back means manually writing SQL against the production database at 2 AM.</p>https://blog.abhipraya.dev/ppl/part-a/teamwork-tools/Thu, 12 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-a/teamwork-tools/<h2 id="why-tooling-is-a-team-problem-not-a-devops-problem"> <a class="anchor" href="#why-tooling-is-a-team-problem-not-a-devops-problem" data-anchor="why-tooling-is-a-team-problem-not-a-devops-problem" aria-hidden="true">#</a> Why Tooling Is a Team Problem, Not a DevOps Problem </h2> <p>Most university software engineering courses teach you <em>which</em> tools to use (Git for version control, Jira for tickets, Docker for deployment). What they rarely teach is <strong>how tools interact with each other</strong>, and what happens when they don&rsquo;t.</p> <p>In a professional environment, a single commit can trigger a cascade: CI runs tests, a Slack bot notifies the team, a coverage report lands in SonarQube, and the ticket moves to &ldquo;In Review&rdquo; on the project board. This doesn&rsquo;t happen by accident. Someone has to build that integration layer, and in a university team, that someone is usually whoever cares enough about developer experience to do it.</p>