Core Track: Guardrails-first chapter in core learning path.

Estimated Time

  • Reading: 20-25 min
  • Lab: 45-60 min
  • Quiz: 10-15 min

Prerequisites

Artifacts

What You Will Produce

A reproducible lab result plus quiz verification and incident-safe operating evidence.

Lab: CI/CD Guardrails in Practice

Goal

Validate each guardrail layer by triggering it:

  • pre-commit hooks block unsafe local operations
  • CI pipeline structure enforces plan-approve-apply
  • CodeRabbit configuration provides automated review coverage

Prerequisites

  • pre-commit installed (pip install pre-commit or brew install pre-commit)
  • Access to the sre/ platform repository
  • Familiarity with GitHub Actions workflow syntax

Step 1: Install Pre-commit Hooks

cd sre/
pre-commit install --install-hooks

Verify installation:

ls -la .git/hooks/pre-commit
pre-commit --version

Expected:

  • hook symlink present
  • pre-commit version output

Step 2: Trigger Branch Protection Hook

Attempt to commit directly on main:

git checkout main
echo "# test" >> README.md
git add README.md
git commit -m "test direct commit to main"

Expected:

  • commit is blocked by master-branch-check.sh
  • error message indicates direct commits to main/master are not allowed

Clean up:

git checkout -- README.md
git checkout -  # return to previous branch

Step 3: Trigger Secret Blocking Hook

Create a test file that matches secret patterns:

git checkout -b test-hooks
echo "KUBECONFIG=/home/user/.kube/config" > test.env
git add test.env
git commit -m "test secret detection"

Expected:

  • commit is blocked by block-secrets.sh
  • error identifies the .env file as a potential secret

Clean up:

rm test.env
git reset HEAD test.env

Step 4: Trigger Flux Manifest Validation

Introduce a deliberate YAML error in a Flux manifest:

cp flux/apps/backend/base/deployment.yaml flux/apps/backend/base/deployment.yaml.bak
# Append invalid YAML (an unclosed flow sequence) to the manifest
echo "  invalid_field: [unclosed" >> flux/apps/backend/base/deployment.yaml
git add flux/apps/backend/base/deployment.yaml
git commit -m "test flux validation"

Expected:

  • commit is blocked by flux-kustomize-validate.sh
  • error shows YAML syntax or kustomize build failure

Clean up:

mv flux/apps/backend/base/deployment.yaml.bak flux/apps/backend/base/deployment.yaml
git restore --staged flux/apps/backend/base/deployment.yaml 2>/dev/null || true
git checkout -- flux/apps/backend/base/deployment.yaml
git checkout - 2>/dev/null || true
git branch -D test-hooks 2>/dev/null || true
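To make concrete what the hooks triggered in Steps 2 and 3 are checking, here is a minimal pre-commit guard written for this chapter (example code, not the repository's own master-branch-check.sh or block-secrets.sh; the file-name and content patterns it uses are assumptions). Its checks are plain functions so they can be exercised on constructed input without a repository.

```shell
#!/usr/bin/env sh
# Added example (not the repository's master-branch-check.sh or block-secrets.sh):
# a minimal pre-commit guard reproducing the two blocks the lab triggers in
# Steps 2 and 3. The secret patterns below are assumptions for illustration.

# Return 1 if the current branch is a protected branch (Step 2 behaviour).
check_branch() {
  case "$1" in
    main|master)
      echo "ERROR: direct commits to '$1' are not allowed; use a feature branch and a PR" >&2
      return 1 ;;
  esac
  return 0
}

# Return 1 if any staged path looks like a credential file (Step 3 behaviour).
# $1 is a newline-separated path list (in the hook: git diff --cached --name-only).
check_secret_paths() {
  rc=0
  for path in $1; do
    case "$path" in
      *.env|.env.*|*/.env.*|*.pem|*.key|*kubeconfig*|*/.kube/config)
        echo "ERROR: $path looks like a secret or credential file" >&2
        rc=1 ;;
    esac
  done
  return $rc
}

# Return 1 if the added lines contain a credential-looking assignment or key block
# (catches the KUBECONFIG=... line from Step 3 even when the file name is innocuous).
check_secret_content() {
  if printf '%s\n' "$1" | grep -Eq 'KUBECONFIG=|[A-Z_]*SECRET[A-Z_]*=|BEGIN [A-Z ]*PRIVATE KEY'; then
    echo "ERROR: staged changes contain what looks like a credential" >&2
    return 1
  fi
  return 0
}

# Wire the checks to the real repository state; only runs when installed as the hook.
run_hook() {
  branch=$(git rev-parse --abbrev-ref HEAD)
  paths=$(git diff --cached --name-only --diff-filter=ACM)
  added=$(git diff --cached -U0 --diff-filter=ACM | grep '^+[^+]' || true)
  check_branch "$branch" && check_secret_paths "$paths" && check_secret_content "$added"
}

# Only execute against git when this file is installed as .git/hooks/pre-commit.
if [ "${0##*/}" = "pre-commit" ]; then
  run_hook || exit 1
fi
```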

Step 5: Review GitHub Actions Pipeline Structure

Open .github/workflows/terraform-hcloud.yml and identify:

  1. Concurrency block: What does cancel-in-progress: false protect against?
  2. Plan job: What artifact is uploaded and with what retention?
  3. Approval gate: Which manual approval action is used? What is the timeout?
  4. Apply job: How does it retrieve the exact plan that was reviewed?
  5. Secret handling: How are credentials passed to Terraform?

Record answers for each question.

Step 6: Analyze the Destroy Workflow

Open .github/workflows/terraform-hcloud-destroy.yml and identify:

  1. What confirmation string is required to trigger destroy?
  2. How many approvers are required?
  3. What cleanup steps run before terraform destroy?

Step 7: Review CodeRabbit Configuration

Open .coderabbit.yml and identify:

  1. What review profile is used and what does it mean?
  2. Which security scanning tools are enabled?
  3. Are there path-specific review rules?

Step 8: Evidence Collection

For lab completion, document:

  1. Screenshot or terminal output of a blocked commit (branch protection, secret detection, or manifest validation)
  2. Written answers to the pipeline analysis questions from Steps 5-7
  3. Guardrails layer diagram — draw or describe the 4-layer model:
    • What each layer catches
    • What happens if that layer is bypassed

Failure Scenarios

  1. Pre-commit hooks not installed
    • pre-commit run --all-files reports no hooks configured
    • solution: pre-commit install --install-hooks
  2. Hook passes when it should block
    • verify hook script is executable
    • verify .pre-commit-config.yaml references correct script path
  3. CI pipeline applies without approval
    • verify manual approval step is present in workflow
    • verify approvers and timeout-minutes are configured

Done When

  • Learner has triggered at least two different pre-commit hooks and seen them block
  • Learner can explain the Plan-Approve-Apply pipeline flow
  • Learner can describe what CodeRabbit adds beyond human review
  • Learner can draw the 4-layer guardrails model with examples of what each catches