Learning Resources
This module is populated from official docs and canonical external references, supplemented by local chunked books for Git mechanics, shell fluency, CI workflow design, and release culture. Pro Git still anchors the Git mechanics, but Semester 9 now also includes local chunks from GitHub Actions in Action and Software Engineering at Google that are worth using before you open a blog post.
Source Stack
| Source | Role | How to use it in this module |
|---|---|---|
| Pro Git (Chacon & Straub) | Primary for git mechanics | Clusters 1 (branching), 2 (hooks, policy), 4 (tags, signing), 5 (pre-receive, ACL). Read the specific chunks linked below; they are short. |
| Git from the bottom up (Wiegley) | Selective support | Cluster 1 branching mental model (commits as snapshots, rebase as replay). Skim once; deep-dive only if branch semantics feel fuzzy. |
| The Linux Command Line | Background for CI shell | Shell scripts, environment variables, here-docs, test/defensive programming for runner scripts and deploy scripts. |
| GitHub Actions in Action | Local workflow support | Use for workflow structure, reusable jobs, environments, secrets, and release-pipeline examples before dropping to syntax reference pages. |
| Software Engineering at Google | Local engineering-practice support | Use for testing, review culture, change management, and release-discipline framing. |
| GitHub Actions official docs | Primary for clusters 2 / 5 | Canonical workflow, OIDC, environments, reusable workflows, and secrets reference. |
| GitLab CI official docs | Primary for clusters 2 / 5 | Canonical .gitlab-ci.yml reference and CI/CD concepts. |
| DORA (dora.dev) | Primary for cluster 1 | The empirical grounding for the four keys and capabilities. |
| Martin Fowler bliki / articles | Primary for clusters 1 / 3 / 4 | Canonical short definitions: ContinuousDelivery, FeatureToggle, Blue-green, Canary, EvodB, ParallelChange, TestPyramid, EradicatingNonDeterminism. |
| Semver.org / Keep a Changelog / Conventional Commits | Primary for cluster 4 | Authoritative specs for versioning and changelogs. |
| SLSA spec, Sigstore docs, in-toto | Primary for cluster 4 | Supply-chain integrity, provenance, and signing. |
| OWASP CI/CD Top 10, Google SLSA threats | Primary for cluster 5 | Pipeline threat modeling. |
| Google SRE Workbook | Primary for cluster 3 | Canarying, SLO burn-rate alerting, rollback discipline. |
Resource Map by Cluster
Cluster 1: Delivery as a Discipline
| Need | Best source | Why |
|---|---|---|
| branching model | Trunk-Based Development -- introduction | The canonical description |
| short-lived branches rules | Trunk-Based Development -- short-lived feature branches | Concrete rules for branch lifetimes |
| scaled trunk-based | Trunk-Based Development -- scaled | How Google/Facebook run it |
| branching patterns taxonomy | Martin Fowler: PatternsForManagingSourceCodeBranches | Long-form taxonomy |
| GitHub Flow (minimalist trunk-based variant) | GitHub Flow | Simpler variant |
| atomic commits | Pro Git: Viewing staged changes and committing | Commit as the unit of change |
| branch management in git | Pro Git: Branch Management / Long-Running Branches | Bridge from TBD concept to git operations |
| topic branches in practice | Pro Git: Topic Branches and Remote Branches | Short-lived branch discipline in git vocabulary |
| pushing / tracking branches | Pro Git: Pushing and tracking branches | Remote-tracking mechanics |
| perils of rebasing | Pro Git: The perils of rebasing | The one rebase rule you cannot break |
| distributed workflows | Pro Git: Distributed Git workflows | Taxonomy of centralized / integration-manager / dictator |
| private small team workflow | Pro Git: Private small team | Realistic small-team TBD reference |
| private managed team workflow | Pro Git: Private managed team | Realistic mid-size team workflow |
| commit identity mental model | Git from the bottom up: A commit by any other name | Commits as content-addressed snapshots |
| rebase vs merge mental model | Git from the bottom up: Branching and rebase | Cleanest explanation of rebase |
| DORA metrics and capabilities | DORA -- homepage and DORA -- Capabilities | The research body |
| the four keys in one place | DORA -- Quick Check | Self-assessment against the four metrics |
| DORA metric definitions | DORA -- Four keys definitions | Precise operational definitions |
| small batches | DORA -- Working in small batches | Capability behind concept 1 |
| SPACE framework | The SPACE of Developer Productivity (ACM Queue) | Team-experience complement to DORA |
| CI/CD stance | Martin Fowler: ContinuousDelivery | Short canonical definition |
| CI discipline | Martin Fowler: ContinuousIntegration | Foundational long-form |
Cluster 2: The CI Pipeline
| Need | Best source | Why |
|---|---|---|
| GitHub Actions fundamentals | Writing workflows | The entry point for GHA |
| full workflow YAML reference | Workflow syntax for GitHub Actions | Every on:, jobs:, steps: key explained |
| artifacts between jobs | Storing and sharing workflow data | Implementing build-once, promote-everywhere |
| reusable workflows | GitHub -- Reusable workflows | Sharing pipelines across repos |
| GitLab CI fundamentals | Get started with GitLab CI/CD | Entry point for GitLab |
| GitLab CI YAML reference | .gitlab-ci.yml keyword reference | Every keyword explained |
| GitLab CI include: | GitLab -- include keyword | Config sharing in GitLab |
| twelve-factor config | The Twelve-Factor App -- III. Config | Why config lives outside the artifact |
| twelve-factor build/release/run | The Twelve-Factor App -- V. Build, release, run | Separation this cluster operationalizes |
| OCI digest as identity | OCI Image spec -- descriptor | Why digests beat tags |
| test strategy | Martin Fowler: TestPyramid | Foundational on test shape |
| flaky tests | Martin Fowler: EradicatingNonDeterminism | The essay on flakes |
| flake rates at scale | Google Testing Blog -- Flaky Tests at Google | Real industry data |
| contract tests | Martin Fowler: ContractTest and Pact docs | Consumer-driven contracts in theory and tool |
| integration with real services | Testcontainers | Realistic integration tests without shared envs |
| git hooks -- overview | Pro Git: Hooks overview | What hooks are and where they live |
| git hooks -- usage | Pro Git: Basic hooks usage | Example client-side hook |
| server-side hooks | Pro Git: Server-side hooks | Pre-receive, update, post-receive |
| enforcing commit format | Pro Git: Enforcing commit messages / ACL | The gate before the pipeline runs |
| hook-based policy in practice | Pro Git: Testing it out | Live example rejecting bad pushes |
| shell scripting basics | Linux Command Line: What are shell scripts | Baseline CI shell fluency |
| shell functions | Linux Command Line: Shell functions and locals | Reuse in pipeline scripts |
| env vars | Linux Command Line: What is stored in the environment | Runtime config mechanics |
| here documents | Linux Command Line: Here documents | Shaping payloads in CI |
| defensive scripts & testing | Linux Command Line: Defensive programming / testing | set -euo pipefail, trap, assertions |
| script test cases | Linux Command Line: Test cases | Debugging shell in CI |
Cluster 3: The CD Pipeline
| Need | Best source | Why |
|---|---|---|
| blue-green definition | Martin Fowler: BlueGreenDeployment | Canonical |
| canary definition | Martin Fowler: CanaryRelease | Canonical |
| Kubernetes rolling updates | Kubernetes -- Deployments | Authoritative on maxSurge, maxUnavailable, readiness |
| PodDisruptionBudgets | Kubernetes -- PodDisruptionBudget | Eviction safety under rolls |
| ALB weighted target groups | AWS -- ALB weighted target groups | Cloud LB traffic split |
| Kubernetes canary operator | Argo Rollouts -- Canary | Production-grade canary with analysis |
| Argo analysis and rollback | Argo Rollouts -- Analysis | Automated promotion and abort |
| alternative canary operator | Flagger | GitOps-friendly progressive delivery |
| feature-flag types | Martin Fowler: FeatureToggle | Best short classification |
| feature-flag implementation patterns | Pete Hodgson: Feature Toggles | Long-form implementation patterns |
| vendor-neutral flag API | OpenFeature | Standard flag SDK interface |
| dark launches | LaunchDarkly -- dark launches | Practical walkthroughs |
| self-host flag service | Unleash docs | Open-source flag provider |
| A/B comparison in code | GitHub -- Scientist | Library for dark-launch comparison |
| canary + rollback in practice | Google SRE Workbook: Canarying Releases | Operational treatment |
| burn-rate alerting | Google SRE Workbook: Alerting on SLOs | Multi-window multi-burn-rate |
| origin of "progressive delivery" | RedMonk: Towards Progressive Delivery | James Governor's coinage |
Cluster 4: Release Engineering
| Need | Best source | Why |
|---|---|---|
| semantic versioning | Semantic Versioning 2.0.0 | Authoritative spec |
| changelog format | Keep a Changelog 1.1.0 | The standard format |
| commit convention | Conventional Commits 1.0.0 | Drives automated versioning |
| calendar versioning | CalVer | When date-based version is right |
| release automation | semantic-release | End-to-end automated versioning |
| monorepo release automation | release-please | Google's release automation |
| git tagging basics | Pro Git: Tagging | How tags work |
| tag ops | Pro Git: Listing / creating / deleting tags | Operations on tags |
| checkout tags | Pro Git: Checking out tags | Using tags to fetch a release |
| preparing a release | Pro Git: Rebasing / cherry-picking workflows and preparing a release | Release prep patterns |
| git shortlog for changelogs | Pro Git: The shortlog | Summarizing commits per release |
| verifying tags | Pro Git: Verifying tags | Checking tag signatures |
| signing commits and tags | Pro Git: Signing your work | GPG signing semantics in git |
| supply-chain provenance | SLSA v1.0 specification | Levels, requirements, definitions |
| SLSA build levels | SLSA -- Build levels | L1, L2, L3 requirements |
| keyless signing | Sigstore docs | Cosign and Fulcio |
| attestation formats | in-toto | Machine-readable provenance documents |
| L3 provenance from GH Actions | slsa-github-generator | Ready-made SLSA L3 pipeline |
| SBOM spec | CycloneDX | Common SBOM format |
| evolutionary DB design | Martin Fowler: EvodB | Foundational for migrations alongside code |
| parallel change pattern | Martin Fowler: ParallelChange | Expand/contract in pattern form |
| migration tools | Flyway and Liquibase | Canonical JVM / SQL migration tools |
| online MySQL schema change | gh-ost | GitHub's online migration tool |
| declarative Postgres expand/contract | pgroll | Postgres equivalent with explicit phases |
| Postgres lock monitoring | Postgres wiki -- Lock monitoring | Diagnosing migration locks |
Cluster 5: Quality Gates and Safety
| Need | Best source | Why |
|---|---|---|
| OIDC in GitHub Actions | About security hardening with OIDC | The concept and flow |
| OIDC + AWS setup | Configuring OIDC in AWS | Step-by-step |
| GitHub Actions security hardening | Security hardening for GitHub Actions | Defense-in-depth guide |
| GitLab OIDC / ID tokens | GitLab -- OIDC for cloud | Equivalent for GitLab CI |
| secrets in Actions | Using secrets in GitHub Actions | Storing and scoping secrets |
| environments and approvals | Managing environments for deployment | Reviewers, wait timers, branch filters |
| protected environments in GitLab | GitLab -- Protected environments | Approvals and restrictions |
| policy-as-code | Open Policy Agent (OPA) | Policy engine for deploy gates |
| ChatOps deploys | GitHub Blog -- Deploying branches at GitHub | Canonical ChatOps pattern |
| CI/CD threat model | OWASP -- CI/CD Top 10 | Ten real-world attack classes |
| supply-chain threat model | SLSA -- Threat model | What signing + OIDC defend against |
| CAB effectiveness | DORA -- Streamlining change approval | Empirical view on approval processes |
| CI observability product | Datadog -- CI Visibility | Reference implementation of pipeline metrics |
| deploy-marker API | Grafana -- Annotations API | How to emit deploy markers |
| vendor-neutral CI attributes | OpenTelemetry -- CI/CD semantic conventions | Standard attribute names |
| trace-shaped pipelines | OpenTelemetry -- tracing CI/CD pipelines | Distributed-trace model for pipelines |
| observability as a delivery capability | DORA -- Monitoring and observability | Why this is a delivery concern |
Exercise Support
Use these when concepts are understood but fluency is weak:
- GitHub Actions -- Example workflows -- copyable starting points
- GitLab CI -- Example CI/CD pipelines -- working reference pipelines
- Argo Rollouts -- Tutorials -- canary from zero
- Flyway -- Tutorial -- migrations end-to-end
- Cosign -- getting started -- sign and verify your first container
Use Rules
- Start with the concept page and the official docs for the feature you are using.
- Pro Git is the primary book citation for every cluster -- when git mechanics come up (branches, tags, hooks, signing), the chunks linked here are the source of truth.
- If a Martin Fowler article and an official vendor doc disagree, the vendor doc wins for current syntax and the Fowler article wins for intent.
- SLSA, Sigstore, and OWASP CI/CD Top 10 are the authoritative references for supply-chain and pipeline security claims -- do not rely on blog posts when these exist.
- If rereading is not unblocking you, stop and write the thing you are stuck on in your own words for 10 minutes before reading more.