CI/CD Flow
Visual reference for the full CI/CD pipeline — from Git push through security scanning, container build, image push to ACR, and Container App deployment across all five environments.
End-to-End Pipeline Flow (Backend)
Branch to Environment Mapping
Approval gates:
| Target | Approval required | Approvers |
|---|---|---|
| production | Yes | Release Manager role in Azure DevOps |
| preprod | No | Auto |
| stage | No | Auto |
| uat | No | Auto |
| dev | No | Auto |
Frontend CI/CD Flow
Nx Affected — Only Rebuild What Changed
The nx affected command analyses the dependency graph and only rebuilds apps whose source code (or library dependencies) changed since the base branch. A commit touching only apps-accounting will not rebuild apps-hr.
Mobile CI/CD Flow (GitHub Actions)
Security Pipeline Stages Detail
The security pipeline runs on every PR and every merge. All 16 stages must pass for an artifact to reach any environment.
| # | Stage | Tool | Blocking | Typical duration |
|---|---|---|---|---|
| 1 | Secret scan | Gitleaks | Yes | ~30 s |
| 2 | SAST + quality gate | SonarCloud | Yes | ~3 min |
| 3 | NuGet CVEs | OWASP Dependency-Check | Yes | ~2 min |
| 4 | Dependency SCA | Trivy (deps) | Yes | ~1 min |
| 5 | IaC scan | Trivy (IaC) | Yes | ~30 s |
| 6 | Dockerfile lint | Hadolint | Yes | ~10 s |
| 7 | Build + unit tests | dotnet build + test | Yes | ~5 min |
| 8 | Container build | docker build | Yes | ~4 min |
| 9 | Image CVE scan | Trivy (image) | Yes | ~2 min |
| 10 | SBOM generation | Syft / CycloneDX | No | ~30 s |
| 11 | Integration tests | Newman / REST Assured | Yes | ~5 min |
| 12 | AI code review | Azure OpenAI GPT-4o | No | ~2 min |
| 13 | DAST | OWASP ZAP | Yes | ~10 min |
| 14 | Security report | HTML/PDF generator | No | ~30 s |
| 15 | Notification | Teams webhook | No | ~5 s |
| 16 | Archive | Azure Blob Storage | No | ~20 s |
Total pipeline duration: ~35–40 minutes (parallel stages reduce wall-clock time)
Deployment Strategy: Zero-Downtime Revisions
Container Apps use revision-based deployments for zero-downtime updates.
Rollback: If the health probe fails on the new revision, ACA automatically keeps routing traffic to the previous revision. The pipeline also runs az containerapp revision deactivate on the failed revision.
Fast Deploy Path
The fast-deployment.yml pipeline bypasses the full 16-stage security scan and directly deploys a pre-built image to a specified environment. It is never triggered automatically.
Fast Deploy — Use with Caution
The fast deploy path skips all security scans. It is intended only for emergency hotfixes where a pre-validated image must be pushed immediately. Every fast deploy must be followed by a full pipeline run within 24 hours.
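One way to audit the 24-hour follow-up rule above, as an added example that is not part of the project's pipelines. The run-record fields, service names and timestamps are constructed; matching the follow-up by service and requiring it to have succeeded are assumptions.

```python
from datetime import datetime, timedelta

FAST = "fast-deployment.yml"       # pipeline file names as given on the page
FULL = "container-deployment.yml"
WINDOW = timedelta(hours=24)       # follow-up deadline stated on the page

def audit_fast_deploys(runs, now):
    """Return (run id, service, status) for every fast deploy in `runs`.

    covered: a full pipeline run followed within the window
    pending: no follow-up yet, but the window is still open
    overdue: the window closed without a qualifying follow-up
    Assumption: a follow-up must be for the same service and have succeeded.
    """
    report = []
    for fd in runs:
        if fd["pipeline"] != FAST:
            continue
        start = datetime.fromisoformat(fd["started"])
        deadline = start + WINDOW
        covered = any(
            r["pipeline"] == FULL
            and r["service"] == fd["service"]
            and r["result"] == "succeeded"
            and start < datetime.fromisoformat(r["started"]) <= deadline
            for r in runs
        )
        if covered:
            status = "covered"
        else:
            status = "pending" if now <= deadline else "overdue"
        report.append((fd["id"], fd["service"], status))
    return report

def run(run_id, pipeline, service, started, result="succeeded"):
    """Build one constructed run record (hypothetical field names)."""
    return {"id": run_id, "pipeline": pipeline, "service": service,
            "started": started + "+00:00", "result": result}

# Constructed sample data, not real pipeline output.
SAMPLE_RUNS = [
    run(101, FAST, "svc-a", "2024-05-01T09:00:00"),
    run(102, FULL, "svc-a", "2024-05-01T15:00:00"),            # 6 h later
    run(103, FAST, "svc-b", "2024-05-01T10:00:00"),
    run(104, FULL, "svc-b", "2024-05-01T20:00:00", "failed"),  # does not count
    run(105, FULL, "svc-b", "2024-05-02T11:00:00"),            # 25 h later
    run(106, FAST, "svc-c", "2024-05-02T18:00:00"),
]
NOW = datetime.fromisoformat("2024-05-03T00:00:00+00:00")
```

Run on a schedule against exported run history, the `overdue` rows are the fast deploys that never received their full 16-stage scan.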
Pipeline File Locations
```
Devops/azure/
├── pipelines/
│   ├── containerBackend/
│   │   └── deploy/
│   │       ├── container-deployment.yml      # Main backend pipeline
│   │       └── fast-deployment.yml           # Fast deploy (manual only)
│   └── frontApps/
│       └── deploy/
│           └── unified-frontend-pipeline.yml # All Angular apps
├── templates/
│   ├── containerBackend/
│   │   ├── build/build-docker.yml
│   │   ├── deploy/deploy-container.yml
│   │   └── security/security-pipeline-template.yml
│   └── frontApps/
│       └── build/build-angular.yml
└── config/
    └── container-backend/
        └── services-config.json              # Master service config (13 services)
```