Node.js CI/CD Pipelines on GCP

Verified: Safe

Generate production-ready CI/CD pipelines for Node.js and Angular applications on Google Cloud Platform, using Cloud Build and GKE deployment. Automates multi-environment deployments (dev, staging, production) with security scans (Snyk, Trivy, SonarQube) and quality checks. Ideal for creating or updating deployment pipelines for Node.js services, Express APIs, NestJS applications or Angular frontends targeting GCP.

Spar Skills Guide Bot
DevOps, Advanced
130 · 02/06/2026
Claude Code
#nodejs #angular #gcp #cloud-build #gke

Our take

Generates production-ready CI/CD pipelines for Node.js and Angular applications deployed to Google Kubernetes Engine via Cloud Build.

Strengths

  • Automates pipeline creation with build, test and multi-environment deployment stages.
  • Integrates mandatory security scans (Snyk, Trivy, SonarQube) and quality gates.
  • Supports canary deployments and automatic rollback for production.
  • Uses native GCP services (Cloud Build, GKE, Secret Manager, Artifact Registry).

Limitations

  • Limited to Node.js and Angular projects using npm.
  • Requires GCP infrastructure and Kubernetes knowledge.
  • May need adaptation for non-standard project structures.

When to use it

Use this skill to set up complete, secured CI/CD pipelines for Node.js or Angular applications targeting GCP with GKE.

When to avoid it

Do not use it for other languages, non-Node.js frameworks, or other cloud providers (AWS, Azure).

Security analysis

Safe
Quality score: 90/100

The skill provides instructions for generating CI/CD pipeline configurations, including bash commands for context analysis (cat, grep, jq) and setting environment variables. It references legitimate security scanning tools (Snyk, Trivy, SonarQube) and standard GCP services. No destructive commands, data exfiltration, or obfuscated payloads are present.

No points of concern detected

Examples

New Node.js Express API pipeline
Set up a CI/CD pipeline for my Node.js Express API on GCP using Cloud Build and GKE with security scanning and canary deployments.
Angular app deployment
Create a deployment pipeline for my Angular application to GKE with dev, staging, and production environments.
Add security scanning to existing pipeline
Add Snyk vulnerability scanning, Trivy container scanning, and SonarQube quality gates to my existing Node.js CI/CD pipeline for GCP.

```yaml
---
name: gcp-nodejs-cicd
version: 2.1.0
description: Generate CI/CD pipelines for Node.js and Angular applications on GCP with Cloud Build and GKE deployment. Use when creating or updating deployment pipelines for Node.js services, Express APIs, NestJS applications, or Angular frontends targeting Google Cloud Platform.
author: Platform Engineering Team
tags: [nodejs, angular, gcp, cloud-build, gke]

# Knowledge Dependency Graph: Explicit dependency declarations
# See 06-KNOWLEDGE-GRAPH.md for full documentation
dependencies:
  required:
    - name: security-scanning
      version: ">=1.5.0"
      reason: "Mandatory security scans (Snyk, Trivy, SonarQube) for all pipelines"
    - name: gke-deployment
      version: "^3.0.0"
      reason: "Kubernetes deployment patterns and strategies"
  optional:
    - name: observability
      version: ">=2.0.0"
      condition: "context.monitoring_required == true"
      reason: "Enhanced monitoring for production services"
  suggested:
    - name: cost-optimization
      version: "*"
      reason: "Resource sizing recommendations"

# Context requirements for this Skill
context_requirements:
  - type: runtime
    values: [nodejs-18, nodejs-20]
  - type: platform
    values: [gcp]

# Policies this Skill enforces (for compliance traceability)
policies_enforced:
  - security-scan-required
  - test-coverage-minimum
  - approval-gate-production
---
```

GCP Node.js CI/CD Pipeline Generation

This Skill generates production-ready CI/CD pipelines for Node.js and Angular applications deployed to Google Kubernetes Engine (GKE) via Cloud Build.

When to Use This Skill

  • Creating new Node.js or Angular services
  • Setting up deployment pipelines
  • Configuring multi-environment deployments (dev, staging, production)
  • Implementing security scanning and quality gates
  • Deploying containerized applications to GKE

Organizational Context

Build Standards

  • Node.js versions: 18.x, 20.x (LTS only)
  • Package manager: npm (lock file required)
  • Build process: Multi-stage Docker builds
  • Test coverage: Minimum 80% for production deployments
  • Linting: ESLint with organizational config

Security Requirements

  • Dependency scanning: Snyk (0 critical vulnerabilities allowed)
  • Container scanning: Trivy (no high/critical CVEs)
  • SAST: SonarQube (Quality Gate must pass)
  • SBOM: Generate and upload to Artifact Registry
  • Secrets: Must use GCP Secret Manager (never hardcoded)

Deployment Strategies

  • Development: Auto-deploy on commit
  • Staging: Manual approval required
  • Production: Canary deployment (5% → 50% → 100%)
  • Rollback: Automatic on health check failures or error rate >5%

Instructions

Step 1: Analyze Service Context

First, determine the service type and requirements by checking:

```bash
# Check package.json for framework
jq '.dependencies' package.json

# Identify service type from the declared dependencies.
# NestJS is checked before Express on purpose: @nestjs/platform-express
# would otherwise match a plain "express" text search and the service
# would be misclassified. jq -e exits non-zero when the key is absent.
if [ -f "angular.json" ]; then
  SERVICE_TYPE="angular"
elif jq -e '.dependencies["@nestjs/core"]' package.json >/dev/null; then
  SERVICE_TYPE="nestjs"
elif jq -e '.dependencies.express' package.json >/dev/null; then
  SERVICE_TYPE="express"
else
  SERVICE_TYPE="nodejs-generic"
fi
```

Step 2: Generate Cloud Build Configuration

Use the appropriate template from templates/cloudbuild/:

For Node.js services:

```yaml
# See templates/cloudbuild/nodejs-service.yaml
steps:
  - name: 'node:${NODE_VERSION}'
    entrypoint: npm
    args: ['ci']            # reproducible install from the committed lock file

  - name: 'node:${NODE_VERSION}'
    entrypoint: npm
    args: ['run', 'build']

  - name: 'node:${NODE_VERSION}'
    entrypoint: npm
    args: ['test']

  # Security scanning - see templates/security/
  # Docker build - see templates/docker/
  # GKE deployment - see templates/kubernetes/
```

For Angular applications:

```yaml
# See templates/cloudbuild/angular-app.yaml
# Includes ng build with optimization flags
# Static asset handling
# Environment-specific configurations
```

Step 3: Implement Security Scanning

Always include all three security scans:

```yaml
# Snyk dependency scan
# SNYK_TOKEN is injected from Secret Manager through a top-level
# availableSecrets block (secretManager: versionName -> env SNYK_TOKEN);
# it is never placed in args.
- name: 'snyk/snyk:node'
  entrypoint: 'sh'
  args:
    - '-c'
    - 'snyk test --severity-threshold=high || exit 1'
  secretEnv: ['SNYK_TOKEN']

# Trivy container scan
# --exit-code 1 makes the step fail the build when HIGH/CRITICAL CVEs are
# found; without it Trivy only reports and the pipeline keeps going.
# Place this step after the image build so ${IMAGE_NAME} exists.
- name: 'aquasec/trivy'
  args: ['image', '--exit-code', '1', '--severity', 'HIGH,CRITICAL', '${IMAGE_NAME}']

# SonarQube SAST
# qualitygate.wait=true blocks until the Quality Gate result is known and
# fails the step if it does not pass. SONAR_HOST_URL and SONAR_TOKEN must be
# provided to the scanner; the token comes from availableSecrets like SNYK_TOKEN.
- name: 'sonarsource/sonar-scanner-cli'
  args: ['sonar-scanner', '-Dsonar.qualitygate.wait=true']
  secretEnv: ['SONAR_TOKEN']
```

Use validator at validators/security-policy.rego to verify all scans are present.

Step 4: Generate Kubernetes Manifests

Create deployment, service, and HPA configurations:

```yaml
# See templates/kubernetes/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${SERVICE_NAME}
  namespace: ${NAMESPACE}
spec:
  replicas: ${REPLICAS}
  selector:                  # required by apps/v1; must match the pod labels
    matchLabels:
      app: ${SERVICE_NAME}
  template:
    metadata:
      labels:
        app: ${SERVICE_NAME}
    spec:
      containers:
      - name: ${SERVICE_NAME}
        image: ${IMAGE_NAME}
        ports:
        - containerPort: 8080
        securityContext:     # run the Node.js process unprivileged
          runAsNonRoot: true
          allowPrivilegeEscalation: false
        resources:
          requests:
            cpu: "100m"
            memory: "128Mi"
          limits:
            cpu: "500m"
            memory: "512Mi"
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
```

Step 5: Configure Multi-Environment Deployment

Set up deployment strategy per environment:

Development:

  • Auto-deploy on every commit
  • No approval required
  • Rolling update strategy

Staging:

  • Manual approval required (team lead)
  • Smoke tests must pass
  • Rolling update strategy

Production:

  • Two approvals required (team lead + platform lead)
  • Canary deployment strategy
  • Automated rollback on metrics degradation
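The production promotion rule described above (5% → 50% → 100%, automatic rollback on failed health checks or an error rate above 5%), as an added Python example that is not part of the skill's own code. It assumes one metrics sample per minute and a five-minute evaluation window, matching the error_rate_high alert; the metric samples are constructed.

```python
from dataclasses import dataclass

CANARY_STAGES = (5, 50, 100)   # traffic share per canary stage (from the page)
ERROR_RATE_LIMIT = 0.05        # roll back when the error rate exceeds 5%
WINDOW_SAMPLES = 5             # one sample per minute -> 5-minute window (assumed)


@dataclass(frozen=True)
class Sample:
    """One minute of canary metrics (constructed for this example)."""
    requests: int
    errors: int
    healthy: bool   # liveness/readiness probes passed during the minute


def error_rate(samples):
    """Errors divided by requests over the samples (0.0 when there is no traffic)."""
    total = sum(s.requests for s in samples)
    return 0.0 if total == 0 else sum(s.errors for s in samples) / total


def should_rollback(samples):
    """True on any probe failure, on less than a full window of samples
    (fail closed: missing metrics never promote), or on error rate > 5%."""
    if any(not s.healthy for s in samples):
        return True
    window = samples[-WINDOW_SAMPLES:]   # only the last five minutes count
    if len(window) < WINDOW_SAMPLES:
        return True
    return error_rate(window) > ERROR_RATE_LIMIT


def run_canary(metrics_by_stage):
    """Promote through the stages; return (stage_pct, "promoted" | "rolled_back").

    On rollback the stage at which traffic returned to the stable revision is reported.
    """
    for pct in CANARY_STAGES:
        if should_rollback(metrics_by_stage.get(pct, [])):
            return pct, "rolled_back"
    return 100, "promoted"


# Constructed metric streams: one list of per-minute samples per canary stage.
HEALTHY_ROLLOUT = {pct: [Sample(2000, 20, True)] * WINDOW_SAMPLES for pct in CANARY_STAGES}
BAD_ROLLOUT = {**HEALTHY_ROLLOUT, 50: [Sample(2000, 300, True)] * WINDOW_SAMPLES}

if __name__ == "__main__":
    print(run_canary(HEALTHY_ROLLOUT))  # (100, 'promoted')
    print(run_canary(BAD_ROLLOUT))      # (50, 'rolled_back')
```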

Step 6: Add Monitoring and Observability

Include Cloud Monitoring configuration:

```yaml
# Metrics to collect
metrics:
  - http_requests_total
  - http_request_duration_seconds
  - http_errors_total

# Alerts to configure
alerts:
  - error_rate_high (>5% for 5 minutes)
  - latency_p99_high (>2s for 5 minutes)
  - pod_restart_frequent (>3 in 10 minutes)
```

Step 7: Generate Documentation

Create comprehensive documentation:

````markdown
# Service Name

## CI/CD Pipeline

This service uses the following deployment pipeline:
- Build: Multi-stage Docker with Node.js ${VERSION}
- Test: Unit tests with 80%+ coverage
- Security: Snyk + Trivy + SonarQube
- Deploy: Canary to GKE with automated rollback

## Deployment

**Development:**
- Auto-deployed on commit to main
- URL: https://dev.example.com

**Production:**
- Requires 2 approvals
- Canary deployment (5% → 50% → 100%)
- URL: https://api.example.com

## Rollback

If deployment fails:
```bash
platform-cli rollback payment-api --to-version previous
```
````

Validation Rules

Before completing generation, validate using `validators/security-policy.rego`:

```rego
# Validation checks for a generated cloudbuild.yaml (input = the parsed YAML)
package cloudbuild

import rego.v1

# Helper: true when some step uses the given builder image
has_step(name) if {
  some step in input.steps
  step.name == name
}

# Rule: Security scans required (all three)
deny contains msg if {
  not has_step("snyk/snyk:node")
  msg := "Snyk dependency scan is required"
}

deny contains msg if {
  not has_step("aquasec/trivy")
  msg := "Trivy container scan is required"
}

deny contains msg if {
  not has_step("sonarsource/sonar-scanner-cli")
  msg := "SonarQube quality gate is required"
}

# Rule: Secrets must be in Secret Manager
# contains() is the string built-in; the match is case-insensitive
deny contains msg if {
  some step in input.steps
  some arg in step.args
  contains(lower(arg), "password")
  msg := sprintf("Hardcoded secret detected in step %q. Use Secret Manager.", [step.name])
}

# Rule: Production requires approval (a missing or empty approvals list fails)
deny contains msg if {
  input.environment == "production"
  count(object.get(input, "approvals", [])) == 0
  msg := "Production deployments require approval"
}
```

Examples

For complete working examples, see:

  • examples/payment-service/ - Express API with PCI compliance
  • examples/user-api/ - NestJS service with authentication
  • examples/frontend-app/ - Angular SPA with SSR

Troubleshooting

Build fails with "npm ci" error:

  • Ensure package-lock.json is committed
  • Check Node.js version matches package.json engines

Security scan fails:

  • Review Snyk dashboard for vulnerabilities
  • Update dependencies to patch CVEs
  • Request exception if no patch available

Deployment fails:

  • Check GKE cluster has sufficient resources
  • Verify namespace exists
  • Confirm image was pushed to Artifact Registry

Canary rollback triggered:

  • Check Cloud Monitoring for error rates
  • Review logs in Cloud Logging
  • Validate health check endpoints

Additional Resources
