The document lists the top 10 pipeline mistakes, including unsafe secrets, untraceable artifacts, environment-specific deploy packages, lack of testing, use of bleeding edge technology, overly complex builds, flaky builds, overuse of versioning, implicit assumptions, and reliance on dubious plugins. The author provides recommendations to address each mistake, such as using secret stores, adding versioning and links to artifacts, deploying the same packages to all environments, including quality checks, ensuring deployable technology and available agents, splitting processes, enabling reproducible builds, adding version specifications, checking tool requirements, and using autonomous pipelines.

1. Top 10 pipeline mistakes
Giulio Vian — 7 July 2020
@giulio_vian
https://www.getlatestversion.eu
http://blog.casavian.eu
https://www.slideshare.net/giuliov
https://github.com/giuliov

2. Unsafe Secrets
Sloppy handling of
secrets
Fix: use a safe store
Security risk

3. Unsafe Secrets
Wrong
<add
name="DefaultConnection"
connectionString="Data
Source=*omiss*;Initial
Catalog=*omiss*;Persist
Security Info=False;User
ID=*omiss*;Password=*omiss*
"
providerName="System.Data
.SqlClient"/>
Correct
GitHub Secrets
Azure Pipelines Service
Connections
Azure Pipelines Secret Variables
Jenkins Credentials
AWS Systems Manager Parameter
Store
AWS Secrets Manager
Azure KeyVault

4. Untraceable
artifacts
No artifact versioning
Careless versioning
Unrelated binary and source
versions
No links to work items or
deployments
Fixes: careful versioning, link
artifacts

5. Untraceable
Wrong
.NET
AssemblyVersion["1.0.*"]
Maven
<version>1.0.0</version>
Correct
Add #id and/or URLs in
commits and work items
Patch AssemblyInfo.cs
Use VersionPrefix and
Version with .NET Core
Use Maven version plugin
Add version data into .ps1
.sql .xml .yaml .json

6. Too specific
Environment-specific
deploy packages
Fix: just stop doing,
I mean, stop it

7. Too specific
Wrong
React App PUBLIC_URL
Correct
Ship you package to
Artifactory, Nexus or else
Deploy the same package
to all environments (and
patch config files along the
way)

8. What, quality?
No testing
No quality scan
Fix: add quality checks to
your pipelines

9. What, quality?
Wrong Correct
linters
SonarQube
Checkmarx
GitHub
CodeQL
WhiteSource
OWASP ZAP
Atlassian
Crucible
Veracode
Fortify
…

10. Bleeding edge
Undeployable technology
No agents
Fix: ask and negotiate, do
not assume

11. Galactic build
Does too much
Takes too much
Slow feedback
Fix: split the process

12. Flaky builds
Same source different
binaries
Test randomly pass/fail
Loose dependencies
specifications
Fixes: reproducible builds,
drop flaky tests, pinpoint
dependencies

13. Deterministic Builds
.NET
<PropertyGroup>
<Deterministic>True</Deterministic>
</PropertyGroup>
msbuild /property:Deterministic=True
Java
<properties>
<project.build.outputTimestamp>2020-05-
02T08:00:00Z</project.build.outputTimestamp>
</properties>

14. Loose dependencies
NuGet (4.9+)
<PropertyGroup>
<RestorePackagesWithLockFile>true</RestorePackages
WithLockFile>
</PropertyGroup>
msbuild.exe /t:restore /p:RestoreLockedMode=true
dotnet.exe restore –locked-mode

15. Too much
of a good thing
Too much versioning
Fix: libraries ≠ deploy
packages, use SemVer in
full

16. Too much of a good thing
SemVer
https://semver.org/
1.0.0-dev+sha.5114f85
Maven
1.0-SNAPSHOT

17. Implicit
assumptions
No conditions on agent
requirements
No checks on toolchain
versions
Magic agents (e.g. tools
dropped in obscure
corners)
Fix: explicit tool checks

18. Implicit assumptions
Wrong
GitVersion.exe
/output buildserver
Correct
dotnet tool install
-g GitVersion.Tool
dotnet gitversion

19. Untamed plugins
Relying on dubious
plugins/extensions
Fix: autonomous pipelines

20. Best (worst?) Mistakes
1. Unsafe Secrets
2. Untraceable
3. Too specific
4. What quality?
5. Bleeding edge
6. Galactic build
7. Flaky builds
8. Too much of a good thing
9. Implicit assumptions
10. Untamed plugins

21. Unpardonable
No pipeline at all

22. References
Reproducible builds
https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/deterministic-compiler-
option
https://maven.apache.org/guides/mini/guide-reproducible-builds.html
https://zlika.github.io/reproducible-build-maven-plugin/
https://reproducible-builds.org/
Pin dependencies
https://github.com/NuGet/Home/wiki/Repeatable-build-using-lock-file-implementation
https://docs.npmjs.com/configuring-npm/package-locks.html
https://docs.gradle.org/current/userguide/dependency_locking.html
http://maven.apache.org/guides/introduction/introduction-to-dependency-
mechanism.html#Dependency_Management
Flaky tests
https://docs.microsoft.com/en-us/azure/devops/pipelines/test/flaky-test-management
https://docs.gitlab.com/ee/development/testing_guide/flaky_tests.html
https://plugins.jenkins.io/flaky-test-handler/
SemVer https://semver.org/

23. Hardware spec:
1 KB RAM
(16KB after upgrade)
4 KB ROM
(8KB after upgrade)
First computer Past Companies Communities
Giulio Vian Senior DevOps Engineer

24. End of trasmissions
25