# CI/CD Pipelines

Pipeline discipline that gates quality, not theater.

## Rules

1. **The pipeline must block bad merges.** If tests fail, the merge fails. A pipeline that reports failures but doesn't prevent them is a dashboard, not a gate.

2. **Fast feedback on the critical path.** Unit tests and lint run on every push. Slow integration tests run before merge. Don't make developers wait twenty minutes to learn about a typo.

3. **Reproducible builds.** Same commit, same artifact, every time. Pin dependencies. No "works on the build machine" mysteries.

4. **Secrets stay in the vault.** CI credentials in environment variables or secret managers — never in the repo, never in logs, never in build output artifacts.

5. **Deploy from CI, not from laptops.** Production deploys trace to a commit, a pipeline run, and an approver. Manual SSH deploys are untraceable and unrepeatable.

6. **Fix broken pipelines immediately.** A red CI on main is a stop sign for the entire team. A flaky test is a bug — fix it or quarantine it with a ticket, don't ignore it.
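
Rules 1 and 4 combine into one enforceable check: a pipeline step that fails the run when the value of a CI secret shows up in a build log or text artifact. The script below is an added example, not part of the original page; the script name, the `MIN_LEN` threshold, and the command-line convention are assumptions.

```python
import base64
import os
import sys

MIN_LEN = 8  # assumed threshold: shorter values match ordinary log text

def secret_forms(value):
    """The raw value plus two encodings it commonly leaks in."""
    raw = value.encode()
    return {"raw": value,
            "base64": base64.b64encode(raw).decode(),
            "hex": raw.hex()}

def find_leaks(text, secrets):
    """Return sorted (line_no, secret_name, form) for secrets found in text.

    Findings carry the variable name only, never the value, so the
    report is itself safe to print in the CI log.
    """
    findings = set()
    lines = text.splitlines()
    for name, value in secrets.items():
        if len(value) < MIN_LEN:
            continue
        for form, needle in secret_forms(value).items():
            for no, line in enumerate(lines, 1):
                if needle in line:
                    findings.add((no, name, form))
    return sorted(findings)

def gate(paths, secret_names, env=os.environ):
    """Exit status for the CI step: 1 if any file leaks a secret, else 0."""
    secrets = {n: env[n] for n in secret_names if env.get(n)}
    status = 0
    for path in paths:
        with open(path, errors="replace") as fh:
            for no, name, form in find_leaks(fh.read(), secrets):
                print(f"{path}:{no}: value of {name} present ({form})")
                status = 1
    return status

if __name__ == "__main__":
    # Assumed invocation: leak_gate.py NAME1,NAME2 build.log out/manifest.txt
    sys.exit(gate(sys.argv[2:], sys.argv[1].split(",")))
```

The base64 match only catches a secret encoded on its own; a secret embedded in a longer encoded string (an HTTP Basic header, for example) is found only if that combined string is also listed as a secret.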

## What This Replaces

Pipelines that pass while shipping broken code, manual deploys with no audit trail, and flaky tests everyone learns to dismiss.
