CI/CD for Cloud Engineers: GitHub Actions from Zero to Deployment

Soleyman Shahir · Updated · 12 min read

Learn CI/CD with GitHub Actions — the essential DevOps skill for cloud engineers. Build pipelines that test, validate, and deploy infrastructure automatically.

CI/CD is the bridge between writing infrastructure code and deploying it safely. Without CI/CD, you're running terraform apply from your laptop — which is fine for learning but a disaster in production. With CI/CD, every change goes through automated testing, review, and controlled deployment.

GitHub Actions is the most accessible CI/CD platform for cloud engineers. It's free for public repos, has deep GitHub integration, and requires zero infrastructure to set up. Let's build a real pipeline.

How GitHub Actions Works

GitHub Actions runs automated workflows in response to events. A workflow is a YAML file in .github/workflows/ that defines:

  • Triggers — What starts the workflow (push, pull request, schedule, manual)
  • Jobs — Groups of steps that run on a runner (Ubuntu, macOS, Windows)
  • Steps — Individual commands or pre-built actions

Here's a minimal workflow that runs on every push:

name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "Hello from GitHub Actions"

Building a Terraform CI/CD Pipeline

This is the pipeline every cloud engineer should know how to build. It does three things:

  1. On pull request: runs terraform plan and posts the output as a PR comment
  2. Reviewers can see exactly what infrastructure changes will be made
  3. On merge to main: runs terraform apply to deploy the changes

This workflow mirrors how real companies manage infrastructure. Changes are proposed in PRs, reviewed by team members, and automatically deployed when approved.

Workflow Structure for Terraform

A production-ready Terraform pipeline includes:

  • Format check: terraform fmt -check ensures consistent code style
  • Validation: terraform validate checks for syntax errors
  • Security scan: Tools like tfsec or checkov scan for misconfigurations
  • Plan: terraform plan previews changes
  • Apply: terraform apply -auto-approve deploys (only on main branch merge)

Each step acts as a quality gate. If formatting is wrong, the pipeline fails before reaching plan. If the security scan finds issues, it fails before apply. This layered approach catches problems early.
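The gates above, wired into one workflow file, as an added example rather than code from the original article. The repository variables TF_PLAN_ROLE_ARN, TF_APPLY_ROLE_ARN and AWS_REGION are assumed names, and installing checkov with pipx is one possible way to run the scan.

```yaml
name: terraform
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write        # lets the job request a GitHub OIDC token
  pull-requests: write   # lets the job post the plan as a PR comment

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - name: Format check
        run: terraform fmt -check -recursive
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          # Assumed variables: a read-only role for PR runs, a deploy role for main.
          role-to-assume: ${{ github.event_name == 'push' && vars.TF_APPLY_ROLE_ARN || vars.TF_PLAN_ROLE_ARN }}
          aws-region: ${{ vars.AWS_REGION }}
      - name: Init and validate
        run: |
          terraform init -input=false
          terraform validate
      - name: Security scan
        run: |
          pipx install checkov
          checkov -d . --quiet
      - name: Plan
        run: |
          terraform plan -input=false -no-color -out=tfplan
          terraform show -no-color tfplan > plan.txt
      - name: Post plan to the pull request
        if: github.event_name == 'pull_request'
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh pr comment ${{ github.event.pull_request.number }} --body-file plan.txt
      - name: Apply   # only on a push to main, and only the plan produced in this run
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: terraform apply -input=false -auto-approve tfplan
```

Any failing step stops the job, so a formatting error or scan finding prevents both plan and apply from running.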

Connecting GitHub Actions to AWS

The modern, secure way to authenticate GitHub Actions with AWS is OIDC (OpenID Connect). This eliminates the need for storing AWS access keys as secrets:

  1. Create an IAM OIDC provider for token.actions.githubusercontent.com
  2. Create an IAM role that trusts the GitHub OIDC provider
  3. Attach the required policies (e.g., AdministratorAccess for Terraform, or scoped-down policies for production)
  4. In your workflow, use aws-actions/configure-aws-credentials with the role ARN

This is a best practice that shows security awareness in interviews. When asked "How would you set up CI/CD for infrastructure?" — mention OIDC authentication before anything else.
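Steps 1 to 3 as an added example, not from the original article, written as a CloudFormation template. The repository name and ApplyPolicyArn are placeholders, and ReadOnlyAccess is a stand-in for whatever read permissions your plan and state backend need. Each trust policy pins the token's sub claim so that only pull request runs can assume the plan role and only runs on main can assume the apply role.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: GitHub Actions OIDC provider with separate plan and apply roles (example)
Parameters:
  GitHubRepo:
    Type: String
    Default: example-org/example-infra   # placeholder owner/repo
  ApplyPolicyArn:
    Type: String                         # ARN of your scoped-down deploy policy
Resources:
  GitHubOidc:                            # step 1: the IAM OIDC provider
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        - sts.amazonaws.com
  PlanRole:                              # steps 2-3: role for pull request runs
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Ref GitHubOidc
            Condition:
              StringEquals:
                "token.actions.githubusercontent.com:aud": sts.amazonaws.com
                "token.actions.githubusercontent.com:sub": !Sub "repo:${GitHubRepo}:pull_request"
  ApplyRole:                             # steps 2-3: role for runs on main only
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - !Ref ApplyPolicyArn
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Ref GitHubOidc
            Condition:
              StringEquals:
                "token.actions.githubusercontent.com:aud": sts.amazonaws.com
                "token.actions.githubusercontent.com:sub": !Sub "repo:${GitHubRepo}:ref:refs/heads/main"
```

A trust policy that checks only the aud claim would let a workflow in any GitHub repository assume the role, so the sub condition is the part to review first.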

Beyond Terraform: Application CI/CD

Cloud engineers also build pipelines for application deployments:

  • Docker builds — Build container images, push to ECR
  • ECS deployments — Update task definitions, trigger service updates
  • Lambda deployments — Package and deploy function code
  • S3 deployments — Sync static website files to S3, invalidate CloudFront cache

A common portfolio project: create a pipeline that builds a Docker image on every push, pushes it to ECR, and deploys it to ECS Fargate. Add infrastructure provisioning with Terraform and you have a complete end-to-end deployment pipeline.

Pipeline Best Practices

  • Use branch protection rules — Require PR reviews and passing CI checks before merge
  • Separate plan and apply — Plan on PR, apply on merge. Never auto-apply on PR
  • Use environment protection rules — Require approval for production deployments
  • Pin action versions — Use @v4 not @main for stability
  • Cache dependencies — Speed up pipelines by caching Terraform providers, Docker layers
  • Add notifications — Slack or email alerts on pipeline failures

These practices demonstrate production awareness. Including them in your portfolio projects tells interviewers that you understand not just how to build pipelines, but how to build them safely and reliably.

Frequently Asked Questions

What is CI/CD and why do cloud engineers need it?

CI/CD (Continuous Integration/Continuous Deployment) automates testing and deploying code and infrastructure changes. Cloud engineers use CI/CD to automatically validate Terraform plans, run security scans, and deploy infrastructure changes — ensuring consistency and reducing human error.

Why GitHub Actions over Jenkins or CircleCI?

GitHub Actions is natively integrated with GitHub (where most code lives), has a generous free tier, requires no separate infrastructure to run, and has a massive marketplace of pre-built actions. For cloud engineers starting out, it offers the fastest path from zero to working pipeline.

How do I connect GitHub Actions to AWS?

The best practice is using OpenID Connect (OIDC) — GitHub Actions assumes an IAM role in your AWS account without storing long-lived credentials. This is more secure than using access keys. Set up an IAM OIDC provider for GitHub, create an IAM role with the required permissions, and reference it in your workflow.

Soleyman Shahir

Founder, Cloud Engineer Academy

Creator of Tech with Soleyman — the #1 YouTube channel for Cloud Engineering, AWS, and Cloud Security education with 166K+ subscribers. 900+ engineers have gone through Cloud Engineer Academy and landed roles at AWS, Google, Microsoft, Deloitte, and more.
