Production Deployment Workflows
CI/CD Pipelines for AI-Generated Code
The Trust but Verify Approach
AI-generated code needs additional validation steps in CI/CD pipelines. Assistant output usually reads well and compiles, which is exactly why it tends to get merged with less scrutiny than hand-written code. Automated verification is the safety net for the defects a quick read misses: subtle logic errors, missing error handling, insecure defaults, dependencies that were never vetted, and example credentials pasted into real configuration.
Enhanced Pipeline Structure
# .github/workflows/ai-code-validation.yml
name: AI Code Validation

on:
  push:
    branches: [main, develop]
  pull_request:

# Least privilege for the default GITHUB_TOKEN; jobs that need more ask for it explicitly.
permissions:
  contents: read

jobs:
  # Standard quality gates
  quality-gates:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      - name: Type Check
        run: npm run typecheck
      - name: Lint
        run: npm run lint
      - name: Unit Tests
        run: npm run test:unit
      - name: Integration Tests
        run: npm run test:integration

  # AI-specific validation
  ai-code-validation:
    runs-on: ubuntu-latest
    needs: quality-gates
    permissions:
      contents: read
      security-events: write   # CodeQL uploads its SARIF results
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0         # TruffleHog diffs the full history against the base branch
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
      - name: Security Scan
        uses: github/codeql-action/analyze@v3
      - name: Dependency Audit
        run: npm audit --audit-level=high
      - name: Check for Hardcoded Secrets
        # Pin third-party actions to a release tag or commit SHA in production;
        # a floating @main ref is itself a supply-chain exposure.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
      - name: License Compliance
        run: npx license-checker --onlyAllow "MIT;Apache-2.0;BSD-3-Clause"

  # Performance validation
  performance-check:
    runs-on: ubuntu-latest
    needs: quality-gates
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      - name: Bundle Size Check
        run: |
          npm run build
          npx bundlesize
      - name: Lighthouse CI
        uses: treosh/lighthouse-ci-action@v10
        with:
          budgetPath: ./lighthouse-budget.json
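The Dependency Audit step above only reports known advisories for packages that resolved; it says nothing about a dependency an assistant wrote into package.json that was never installed, one that resolved from a git URL or an unexpected mirror, or one locked without a strong integrity hash. The following is an added example, not code from the lesson: a dependency-free Node script that a pipeline could run as a further gate over package.json and a lockfileVersion 2/3 package-lock.json. The package names, URLs and hashes in the sample data are constructed.

```javascript
// audit-lockfile.js (added example; not code from the lesson)
// Checks three properties npm audit does not: every declared dependency is
// locked, every locked package resolves from an allowed registry, and every
// locked package carries a sha512 integrity hash so `npm ci` would reject a
// swapped tarball. Inputs are parsed objects, so the check runs offline.

const ALLOWED_REGISTRIES = ['https://registry.npmjs.org/'];

/**
 * Audit a package.json / package-lock.json pair.
 * Returns [{ severity, package, reason }]; an empty array means the gate passes.
 */
function auditLockfile(pkg, lock, allowedRegistries = ALLOWED_REGISTRIES) {
  const findings = [];
  const packages = lock.packages || {};
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };

  // 1. Every dependency declared in package.json must appear in the lockfile.
  //    A name that was declared but never installed was never verified to exist.
  for (const name of Object.keys(declared)) {
    if (!packages[`node_modules/${name}`]) {
      findings.push({ severity: 'high', package: name, reason: 'declared in package.json but absent from the lockfile' });
    }
  }

  // 2. Every locked package must come from an allowed registry with a sha512 hash.
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '' || entry.link) continue; // root project entry, workspace symlinks
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const resolved = entry.resolved || '';
    if (!resolved) {
      findings.push({ severity: 'high', package: name, reason: 'no resolved URL in the lockfile' });
    } else if (!allowedRegistries.some((registry) => resolved.startsWith(registry))) {
      findings.push({ severity: 'high', package: name, reason: `resolved from an unexpected source: ${resolved}` });
    }
    if (!/^sha512-/.test(entry.integrity || '')) {
      findings.push({ severity: 'medium', package: name, reason: 'missing or weak (non-sha512) integrity hash' });
    }
  }
  return findings;
}

/** Exit status for CI: any high-severity finding fails the gate. */
function gateExitCode(findings) {
  return findings.some((f) => f.severity === 'high') ? 1 : 0;
}

// Constructed sample input (hypothetical package names): one dependency that
// was never installed, one pulled from git, one locked with a legacy sha1 hash.
const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: {
    express: '^4.19.2',
    'util-lib-from-git': 'github:example-org/util-lib-from-git',
    'helper-lib-never-installed': '^1.0.0',
  },
  devDependencies: { 'legacy-colors-lib': '^1.4.0' },
};

const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    'node_modules/express': {
      version: '4.19.2',
      resolved: 'https://registry.npmjs.org/express/-/express-4.19.2.tgz',
      integrity: 'sha512-CONSTRUCTEDHASHFORTHEEXAMPLEONLY00000000000000000000000000000000000000000000000000000==',
    },
    'node_modules/util-lib-from-git': {
      version: '2.0.0',
      resolved: 'git+ssh://git@github.com/example-org/util-lib-from-git.git#0000000000000000000000000000000000000000',
    },
    'node_modules/legacy-colors-lib': {
      version: '1.4.0',
      resolved: 'https://registry.npmjs.org/legacy-colors-lib/-/legacy-colors-lib-1.4.0.tgz',
      integrity: 'sha1-CONSTRUCTEDHASHFORTHEEXAMPLEONLY=',
    },
  },
};

const LOCKFILE_FINDINGS = auditLockfile(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE);
```

In a pipeline step, load the two files with `JSON.parse(fs.readFileSync(...))`, pass them to `auditLockfile`, print the findings and exit with `gateExitCode`. Registry mirrors or a private scope go into `ALLOWED_REGISTRIES`; anything else (git URLs, `file:` paths, tarballs on arbitrary hosts) is exactly what the gate should stop.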
Quality Gates for AI Code
Type Safety Enforcement
// tsconfig.strict.json - Maximum type safety for AI code
{
  "compilerOptions": {
    // "strict" already enables the eight flags that follow it; they are listed
    // explicitly so the intent survives when someone edits this file.
    "strict": true,
    "noImplicitAny": true,
    "strictNullChecks": true,
    "strictFunctionTypes": true,
    "strictBindCallApply": true,
    "strictPropertyInitialization": true,
    "noImplicitThis": true,
    "useUnknownInCatchVariables": true,
    "alwaysStrict": true,
    // The remaining flags are not part of "strict" and must be set individually.
    "noUnusedLocals": true,
    "noUnusedParameters": true,
    "exactOptionalPropertyTypes": true,
    "noImplicitReturns": true,
    "noFallthroughCasesInSwitch": true,
    "noUncheckedIndexedAccess": true,
    "noImplicitOverride": true,
    "noPropertyAccessFromIndexSignature": true
  }
}
Custom ESLint Rules
// .eslintrc.js - AI code specific rules
module.exports = {
  root: true,
  // The @typescript-eslint rules below need type information, so the parser
  // must be pointed at the project's tsconfig; without it they do not run.
  parser: '@typescript-eslint/parser',
  parserOptions: {
    project: './tsconfig.json',
    tsconfigRootDir: __dirname,
  },
  plugins: ['@typescript-eslint', 'jsdoc'],
  rules: {
    // Prevent common AI code issues
    'no-console': 'error',
    'no-debugger': 'error',
    'no-alert': 'error',
    // Ensure proper error handling
    'no-throw-literal': 'error',
    '@typescript-eslint/no-floating-promises': 'error',
    '@typescript-eslint/no-misused-promises': 'error',
    // Security focused: all three are code-from-string execution paths
    'no-eval': 'error',
    'no-implied-eval': 'error',
    'no-new-func': 'error',
    // AI sometimes generates overly complex code
    'complexity': ['error', { max: 15 }],
    'max-depth': ['error', { max: 4 }],
    'max-lines-per-function': ['error', { max: 100 }],
    // Ensure documentation for public APIs
    'jsdoc/require-jsdoc': ['error', {
      publicOnly: true,
      require: {
        FunctionDeclaration: true,
        ClassDeclaration: true,
        MethodDefinition: true,
      },
    }],
  },
};
Automated Code Review
AI-Assisted PR Review
# .github/workflows/ai-review.yml
name: AI Code Review
on:
  pull_request:
    types: [opened, synchronize]

# The reviewer reads the repository and nothing else; it cannot approve,
# merge or push, so its output stays advisory input for a human reviewer.
permissions:
  contents: read

jobs:
  ai-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Install Claude Code
        run: npm install -g @anthropic-ai/claude-code
      - name: Get Changed Files
        id: changed
        # Diff against the PR's real base branch instead of assuming main.
        run: |
          echo "files=$(git diff --name-only "origin/${{ github.base_ref }}...HEAD" | tr '\n' ' ')" >> "$GITHUB_OUTPUT"
      - name: Claude Code Review
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          # Pass the file list through the environment rather than interpolating
          # ${{ }} into the script body: file names in a PR are attacker-controlled
          # and would otherwise be re-parsed by the shell.
          CHANGED_FILES: ${{ steps.changed.outputs.files }}
        # -p sends one non-interactive prompt and prints the answer. The diff is
        # untrusted input to the model, so keep the pull_request trigger (not
        # pull_request_target): fork PRs then see no secrets and get no review,
        # which is the safe failure.
        run: |
          claude -p "Review these changed files for:
          1. Security vulnerabilities
          2. Performance issues
          3. Error handling gaps
          4. Test coverage
          5. Code style consistency
          Files: $CHANGED_FILES
          Output a structured review with severity levels."
Review Checklist Automation
claude "Create a PR review checklist for this diff.
Check for:
- [ ] No hardcoded secrets or credentials
- [ ] All new functions have error handling
- [ ] Async operations have proper await
- [ ] Database queries are parameterized
- [ ] User input is validated
- [ ] New APIs have rate limiting
- [ ] Tests cover the happy path and edge cases
- [ ] No console.log statements in production code"
Test Coverage Requirements
// jest.config.js
module.exports = {
  coverageThreshold: {
    global: {
      branches: 80,
      functions: 80,
      lines: 80,
      statements: 80,
    },
    // Higher bar for critical paths
    './src/services/payment/': {
      branches: 95,
      functions: 95,
      lines: 95,
      statements: 95,
    },
    './src/services/auth/': {
      branches: 95,
      functions: 95,
      lines: 95,
      statements: 95,
    },
  },
};
Pre-commit Hooks
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: typecheck
        name: Type Check
        entry: npm run typecheck
        language: system
        types: [typescript]
        pass_filenames: false
      - id: lint
        name: Lint
        # Trailing "--" so the staged file names pre-commit appends reach the script
        entry: npm run lint:fix --
        language: system
        types: [typescript, javascript]
      - id: test-related
        name: Test Related Files
        entry: npm run test:related --
        language: system
        types: [typescript]
      - id: check-secrets
        name: Check for Secrets
        # Needs git-secrets on the PATH with patterns registered
        # (for example `git secrets --register-aws`); it scans the staged files it is given.
        entry: git secrets --scan
        language: system
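Both the `git secrets --scan` hook here and the TruffleHog step in the pipeline do the same thing at their core: take the added lines of a diff, match them against patterns for known credential formats, and apply an entropy test to generic assignments so placeholder values do not drown out real hits. The following is an added example, not code from the lesson or from either tool, showing that logic over a constructed diff; the rule set and the `test/fixtures/` allowlist are assumptions, and `AKIAIOSFODNN7EXAMPLE` is the placeholder access key AWS uses in its own documentation.

```javascript
// scan-diff-for-secrets.js (added example; not code from the lesson)

const RULES = [
  // Structured credential formats: a match is a finding regardless of entropy.
  { id: 'aws-access-key-id', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  { id: 'github-token', re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { id: 'private-key-block', re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/ },
];
// Generic assignment: the captured value is reported only if it looks random.
const GENERIC_ASSIGNMENT = /(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*['"]([A-Za-z0-9+/=_\-]{16,})['"]/i;
const ENTROPY_THRESHOLD = 3.5; // bits per character; words and placeholders sit well below this

/** Shannon entropy of a string in bits per character. */
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

/**
 * Scan a unified diff. Returns [{ file, line, rule }] for each added line that
 * looks like a credential; line numbers refer to the new version of the file.
 * Files matching the allowlist (known test fixtures) are skipped.
 */
function scanDiff(diffText, allowlist = [/^test\/fixtures\//]) {
  const findings = [];
  let file = null;
  let line = null; // null while outside a hunk

  for (const raw of diffText.split('\n')) {
    if (raw.startsWith('+++ ')) {
      file = raw.startsWith('+++ b/') ? raw.slice(6) : raw.slice(4);
      line = null;
      continue;
    }
    const hunk = raw.match(/^@@ -\d+(?:,\d+)? \+(\d+)/);
    if (hunk) {
      line = Number(hunk[1]);
      continue;
    }
    // Outside a hunk, removed lines and the "\ No newline" marker carry nothing to scan.
    if (line === null || raw.startsWith('-') || raw.startsWith('\\')) continue;
    if (raw.startsWith('+') && !allowlist.some((re) => re.test(file))) {
      const content = raw.slice(1);
      for (const rule of RULES) {
        if (rule.re.test(content)) findings.push({ file, line, rule: rule.id });
      }
      const m = content.match(GENERIC_ASSIGNMENT);
      if (m && shannonEntropy(m[1]) >= ENTROPY_THRESHOLD) {
        findings.push({ file, line, rule: 'high-entropy-assignment' });
      }
    }
    line += 1; // context and added lines both advance the new-file line number
  }
  return findings;
}

// Constructed diff: two credential-looking values, one low-entropy placeholder,
// and a private key header inside an allowlisted fixture directory.
const SAMPLE_DIFF = [
  'diff --git a/src/config.ts b/src/config.ts',
  '--- a/src/config.ts',
  '+++ b/src/config.ts',
  '@@ -1,2 +1,5 @@',
  " export const region = 'us-east-1';",
  "+export const awsAccessKeyId = 'AKIAIOSFODNN7EXAMPLE';",
  "+const password = 'passwordpassword';",
  "+const apiToken = 'Xq9vB2mZt7Lp4wR8sY3nKd6hF1cJ0aGe';",
  ' export default {};',
  'diff --git a/test/fixtures/key.pem b/test/fixtures/key.pem',
  '--- /dev/null',
  '+++ b/test/fixtures/key.pem',
  '@@ -0,0 +1,2 @@',
  '+-----BEGIN PRIVATE KEY-----',
  '+CONSTRUCTEDFIXTUREMATERIALNOTREAL',
].join('\n');

const DIFF_FINDINGS = scanDiff(SAMPLE_DIFF);
```

Feed it `git diff --cached` output in a hook or `git diff origin/main...HEAD` in CI and fail when the list is non-empty. The two knobs that decide false-positive rate are the entropy threshold and the allowlist; keep the allowlist to paths, not values, so a real key that happens to appear in a fixture directory still shows up when the directory is reviewed.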
Branch Protection
claude "Create a branch protection configuration that:
1. Requires all CI checks to pass
2. Requires at least one approval
3. Dismisses stale reviews on new commits
4. Enforces linear history
5. Prevents force pushes"
# Illustrative policy; the keys mirror the request body of
# PUT /repos/{owner}/{repo}/branches/{branch}/protection.
# Check contexts are the job ids (or names) from the validation workflow.
branch_protection:
  main:
    required_status_checks:
      strict: true            # branch must be up to date with main before merging
      checks:
        - context: "quality-gates"
        - context: "ai-code-validation"
        - context: "performance-check"
    required_pull_request_reviews:
      required_approving_review_count: 1
      dismiss_stale_reviews: true
      require_code_owner_reviews: true
    restrictions: null        # required by the API; null means no push restrictions
    enforce_admins: true
    required_linear_history: true
    allow_force_pushes: false
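Branch protection is only a control while it stays configured; a rule relaxed in the web UI silently removes every gate above it. As an added example, not code from the lesson, the following Node script builds the request body for the REST API and verifies what `GET /repos/{owner}/{repo}/branches/{branch}/protection` returns against the five requirements listed in the prompt, so a scheduled job can catch drift. The two response objects at the bottom are constructed; their shape follows the REST API.

```javascript
// verify-branch-protection.js (added example; not code from the lesson)

const REQUIRED_CHECKS = ['quality-gates', 'ai-code-validation', 'performance-check'];

/** Request body for PUT .../branches/{branch}/protection that applies the policy. */
function buildProtectionBody(requiredChecks = REQUIRED_CHECKS) {
  return {
    required_status_checks: {
      strict: true,
      checks: requiredChecks.map((context) => ({ context })),
    },
    enforce_admins: true,
    required_pull_request_reviews: {
      required_approving_review_count: 1,
      dismiss_stale_reviews: true,
      require_code_owner_reviews: true,
    },
    restrictions: null, // required by the API; null means no push restrictions
    required_linear_history: true,
    allow_force_pushes: false,
    allow_deletions: false,
  };
}

// GET responses wrap boolean settings as { enabled: true|false }.
const enabled = (flag) => Boolean(flag && flag.enabled);

/**
 * Compare a GET .../protection response against the policy.
 * Returns a list of violations; an empty list means the branch is compliant.
 */
function verifyBranchProtection(protection, requiredChecks = REQUIRED_CHECKS) {
  const violations = [];

  // 1. All CI checks required, with the branch up to date before merging
  const status = protection.required_status_checks;
  if (!status) {
    violations.push('no required status checks');
  } else {
    if (status.strict !== true) violations.push('strict status checks disabled (stale branches can merge)');
    const present = new Set([...(status.checks || []).map((c) => c.context), ...(status.contexts || [])]);
    for (const ctx of requiredChecks) {
      if (!present.has(ctx)) violations.push(`required check not enforced: ${ctx}`);
    }
  }

  // 2 + 3. At least one approval, and stale approvals dismissed on new commits
  const reviews = protection.required_pull_request_reviews;
  if (!reviews) {
    violations.push('pull request reviews not required');
  } else {
    if (!(reviews.required_approving_review_count >= 1)) violations.push('no approving review required');
    if (reviews.dismiss_stale_reviews !== true) violations.push('stale reviews are not dismissed on new commits');
  }

  // 4 + 5. Linear history, no force pushes, and no admin bypass of any of it
  if (!enabled(protection.required_linear_history)) violations.push('linear history not enforced');
  if (enabled(protection.allow_force_pushes)) violations.push('force pushes allowed');
  if (!enabled(protection.enforce_admins)) violations.push('administrators can bypass protection');

  return violations;
}

// Constructed GET responses: a compliant branch, and one where rules were
// relaxed in the UI (a check dropped, force pushes allowed, admins exempted).
const COMPLIANT = {
  required_status_checks: { strict: true, contexts: [], checks: REQUIRED_CHECKS.map((context) => ({ context })) },
  required_pull_request_reviews: { dismiss_stale_reviews: true, require_code_owner_reviews: true, required_approving_review_count: 1 },
  enforce_admins: { enabled: true },
  required_linear_history: { enabled: true },
  allow_force_pushes: { enabled: false },
};

const DRIFTED = {
  required_status_checks: { strict: true, contexts: ['quality-gates', 'performance-check'], checks: [] },
  required_pull_request_reviews: { dismiss_stale_reviews: true, require_code_owner_reviews: true, required_approving_review_count: 1 },
  enforce_admins: { enabled: false },
  required_linear_history: { enabled: true },
  allow_force_pushes: { enabled: true },
};
```

Apply the policy with `gh api -X PUT repos/OWNER/REPO/branches/main/protection --input body.json` (where `body.json` is the output of `buildProtectionBody()`), and on a schedule fetch `gh api repos/OWNER/REPO/branches/main/protection` and fail the job when `verifyBranchProtection` returns anything.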
Next Lesson
We'll cover safe deployment strategies for AI-generated code, including gradual rollouts and canary deployments.