Standardizing CI/CD and Artifact Releases across 70+ Services
Implementing repeatable Maven parent POM templates, containerization standards, and security gates
# The Chaos of Custom Build Pipelines
When multiple teams run microservices independently, CI/CD pipelines tend to diverge. We found that different services used disparate Docker base images, built artifacts with varying compiler parameters, and completely skipped vulnerability scans. This version drift led to slow deployment cycles, brittle build stages, and vulnerabilities going unnoticed until production runtime.
# Standardizing with Reusable GitHub Actions
We eliminated custom script blocks inside repositories by creating a centralized library of **Reusable Workflows** in a global DevOps repository. Microservices now reference these centralized templates rather than writing their own build scripts.
```yaml
# central-build-workflow.yml - Reusable platform pipeline template
name: Platform Reusable Build
on:
  workflow_call:
    inputs:
      service-name:
        required: true
        type: string
jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK 21
        uses: actions/setup-java@v4
        with:
          java-version: '21'
          distribution: 'temurin'
      - name: Build with Maven
        run: mvn clean package --batch-mode
      - name: Static Security Scan (SonarQube)
        uses: sonarsource/sonarqube-scan-action@v2
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```

# DevSecOps Security Gates & Dependency Checks
We integrated OWASP Dependency-Check and Trivy container image scanning directly into the build pipeline template. If a build contains dependencies with vulnerabilities exceeding a CVSS score of 7.5 (High/Critical), the security gate fails the build, preventing a merge. This enforcement automatically keeps the platform's dependency footprint clean and compliant.
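The following is an added example, not the article's own pipeline: the reusable template extended with the two gates described above (OWASP Dependency-Check on the Maven dependency tree, Trivy on the built image), followed by the caller workflow a microservice repository would commit to consume it. The DevOps repository name `example-org/devops-platform`, the `v1` tag, the service name `orders-service`, and a `Dockerfile` at the service root are assumptions; the 7.5 CVSS threshold is the one stated in the text.

```yaml
# --- .github/workflows/central-build-workflow.yml in the DevOps repo (assumed: example-org/devops-platform) ---
name: Platform Reusable Build
on:
  workflow_call:
    inputs:
      service-name:
        required: true
        type: string
    secrets:
      # Declared here so callers pass it explicitly instead of relying on `secrets: inherit`.
      SONAR_TOKEN:
        required: true
jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK 21
        uses: actions/setup-java@v4
        with:
          java-version: '21'
          distribution: 'temurin'
      - name: Build with Maven
        run: mvn clean package --batch-mode
      - name: Static Security Scan (SonarQube)
        uses: sonarsource/sonarqube-scan-action@v2
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      - name: Dependency vulnerability gate (OWASP Dependency-Check)
        # Fails the Maven build when a dependency carries a CVE whose CVSS score
        # trips the platform threshold (7.5, from the text), so the job stops here
        # and the pull request cannot be merged.
        run: >
          mvn --batch-mode org.owasp:dependency-check-maven:check
          -DfailBuildOnCVSS=7.5
      - name: Upload Dependency-Check report
        if: always()            # keep the report as evidence even when the gate fails
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-${{ inputs.service-name }}
          path: target/dependency-check-report.html
      - name: Build container image
        # Assumed: the service has a Dockerfile at its repository root.
        run: docker build -t ${{ inputs.service-name }}:${{ github.sha }} .
      - name: Container image gate (Trivy)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ inputs.service-name }}:${{ github.sha }}
          format: table
          exit-code: '1'          # a non-zero exit fails this step and therefore the job
          ignore-unfixed: true    # do not block on findings that have no fixed version yet
          vuln-type: os,library
          severity: HIGH,CRITICAL # Trivy gates by severity label, not numeric CVSS

# --- .github/workflows/ci.yml in a microservice repository (assumed: orders-service) ---
name: orders-service CI
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
jobs:
  platform-build:
    # Pinning to a tag (or a commit SHA) of the DevOps repo makes every template
    # upgrade an explicit, reviewable change in the service rather than a silent one.
    uses: example-org/devops-platform/.github/workflows/central-build-workflow.yml@v1
    with:
      service-name: orders-service
    secrets:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```

Two details worth checking in a real rollout: the Dependency-Check step compares a numeric CVSS score against `failBuildOnCVSS`, whereas Trivy filters on severity labels, and `HIGH` covers CVSS 7.0 to 8.9, so `HIGH,CRITICAL` is the closest available match to a 7.5 cut-off rather than an exact one. Also, because the image is scanned before any push step, a failing gate leaves nothing in the registry; add the push as a later step that runs only when the job has reached it.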