Comprehensive Rules for building, testing, and operating Continuous Delivery pipelines in large-scale enterprise environments using GitOps, Kubernetes, and modern CI/CD tooling.
Your current deployment process is costing your team hours every week. Manual environment coordination, broken promotion workflows, and production hotfixes that bypass your entire pipeline? These aren't just productivity killers—they're actively undermining your team's ability to deliver reliable software at enterprise scale.
Enterprise environments create unique deployment challenges that standard CI/CD tutorials completely ignore:
The result? Teams spend more time managing deployments than building features, and production issues become fire-fighting exercises instead of predictable, automated responses.
These Cursor Rules transform your development environment into a continuous delivery powerhouse that handles enterprise complexity automatically. You get battle-tested patterns for GitOps workflows, Kubernetes deployments, and multi-stage promotion pipelines that actually work in large organizations.
The rules implement a complete enterprise CD strategy:
# Automated quality gates that prevent broken code from advancing
stage('Quality Gates') {
parallel {
unit-tests: { coverage: 85%, timeout: '10m' }
security-scan: { fail-on: 'critical', tools: ['trivy', 'codeql'] }
compliance-check: { policies: ['sox', 'pci'], blocking: true }
}
}
Instead of fighting with YAML syntax and debugging pipeline failures, you focus on building features while the automation handles promotion, security scanning, and environment management.
Trunk-Based Development That Actually Works
GitOps Deployment Automation
Security Integration That Developers Don't Hate
Enterprise Compliance Made Simple
# The old way - 2+ hours every release
1. Manually coordinate staging deployment
2. Run tests and hope nothing breaks
3. Create deployment ticket and wait for approval
4. SSH into production servers for manual deployment
5. Monitor for issues and manually rollback if needed
6. Update documentation and notify stakeholders
# The new way - 5 minutes, fully automated
git push origin main
# Everything else happens automatically:
# - Quality gates pass/fail in parallel
# - Staging deployment with automated testing
# - Security scans and compliance checks
# - Automatic production promotion after approval
# - Monitoring alerts and automatic rollback triggers
Instead of emergency SSH sessions and manual hotfixes:
# Automatic rollback triggered by health checks
monitoring:
health-check-failure:
action: rollback
timeout: 300s
notification: ["slack://ops-channel", "pagerduty://on-call"]
No more "works on my machine" or staging-vs-production differences:
# Same artifact, promoted through environments
artifact: "myapp:sha-abc123"
environments:
staging: { replicas: 2, resources: { cpu: "100m" } }
production: { replicas: 10, resources: { cpu: "500m" } }
# Configuration differences, same immutable container
.cursorrules fileyour-repo/
├── .ci/ # Reusable pipeline templates
├── envs/
│ ├── staging/ # Environment-specific configs
│ └── prod/
├── k8s/ # Kubernetes manifests
├── terraform/ # Infrastructure as code
└── scripts/ # Deployment automation
The rules automatically generate pipelines that:
Cursor generates Argo CD configurations that provide:
Time Savings Per Release Cycle
Quality Improvements
Developer Experience Wins
Enterprise Compliance Benefits
Your enterprise CD pipeline becomes a competitive advantage instead of a productivity bottleneck. Developers push code confidently, knowing that quality gates, security scanning, and progressive deployment strategies protect production automatically.
The rules handle the enterprise complexity—multi-stage approvals, environment coordination, security compliance, and disaster recovery—so your team focuses on delivering features instead of managing deployments.
You are an expert in Continuous Delivery, GitOps, Kubernetes, Docker, Terraform, Jenkins, GitHub Actions, Argo CD, Flux, Spinnaker, AWS CodePipeline, Azure Pipelines, Bash, Groovy, YAML, Python.
Key Principles
- Treat pipelines as code and store them in version control next to application code.
- Shift-Left: embed security, quality, and compliance checks early and automatically.
- Prefer small, incremental commits merged via trunk-based development with mandatory code review.
- All infrastructure and application configs managed via GitOps, immutable containers, and declarative manifests.
- Pipelines must be idempotent, self-service, and reproducible, requiring no manual steps.
- Build once, promote the same artifact through all stages.
- Every change must be observable: collect metrics, logs, traces, and send feedback to developers.
- Default to least privilege; secrets never appear in logs or in plaintext.
- Keep pipelines simple, modular, and well-documented.
YAML
- Use 2-space indentation, no tabs; wrap long >100-char lines.
- Use lowercase keys with hyphens: build-stage, unit-tests.
- Use anchors (&) and aliases (*) to DRY repeated blocks (e.g., image, cache).
- Reference secrets via environment variables or secret managers, never hard-code.
- Use explicit version tags for Docker images; never use :latest.
- Always declare `shell: bash -euo pipefail` for run steps.
- Group related steps into reusable templates (e.g., GitHub composite actions, Jenkins shared libs).
- Validate YAML syntax in CI with `yamllint`.
Example (GitHub Actions):
```
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@v4
- name: Setup Node
uses: actions/setup-node@v4
with: { node-version: '20' }
```
Bash (helper scripts)
- Start every script with `#!/usr/bin/env bash` and `set -euo pipefail`.
- Quote all variables: "$var".
- Use functions and `trap` for cleanup.
- Return non-zero exit codes; avoid silent failures.
- Log with timestamps: `echo "$(date -Is) message"`.
Groovy (Jenkinsfile)
- Prefer Declarative rather than Scripted pipeline for readability.
- Separate stages: lint, test, build, scan, deploy.
- Use `options { durabilityHint('MAX_SURVIVABILITY') }` for robustness.
- Define parameters for environment, image tag, feature flag.
- Use shared libraries for reusable logic; version them.
Example:
```
pipeline {
agent any
stages {
stage('Unit Test') {
steps {
sh './gradlew test'
}
}
}
}
```
Error Handling and Validation
- Fail fast: place validation, linting, and security scans at the earliest applicable stage.
- Configure quality gates: min 85% unit-test coverage, zero critical vulnerabilities.
- Use retry with exponential backoff for flaky external services, max 2 retries.
- Implement automatic rollback (Argo CD `automated: rollbackOnFailure`) on failed health checks.
- Post status to VCS; block merge if any check fails.
Framework-Specific Rules
Jenkins
- Use Docker agents to provide immutable build environments.
- Pin plugin versions; run weekly dependency-update job.
- Store Jenkinsfile at repo root; enforce linter with `jenkinslint`.
GitHub Actions
- Use reusable workflows and composite actions to standardize stages.
- Configure `concurrency: { group: ${{ github.workflow }}-${{ github.ref }}, cancel-in-progress: true }` to avoid duplicate runs.
- Always sign artifacts with OIDC + cosign.
- Use `environment` protection rules and required reviewers for prod.
Argo CD / Flux
- Reconcile every 1-3 minutes; set `syncOptions: [CreateNamespace=true, Prune=true]`.
- Use health checks and automated progressive sync (e.g., canary) via Argo Rollouts.
- Store K8s manifests in environment-specific directories: envs/prod, envs/stage.
Terraform
- Use remote backend (S3 + DynamoDB) with state locking.
- Run `terraform fmt -check` and `terraform validate` in CI.
- Tag every resource with `service`, `owner`, and `environment`.
- Use workspaces or separate states per environment; avoid complex conditional logic.
Testing
- Stage order: lint → unit → integration → e2e → security → performance.
- Run unit tests in <10 s; parallelize across cores.
- Integration tests spin up ephemeral env via Docker Compose or KinD.
- Use feature toggles to test incomplete features in prod safely.
Performance & Scalability
- Cache dependencies; use checksum keys.
- Use parallel matrix strategy for multi-platform builds.
- Prune Docker builder cache weekly.
Security
- Integrate SAST (CodeQL), Dependency Scanning (OWASP Dependency-Check), Container Scanning (Trivy), and DAST (OWASP ZAP).
- Use signed commits; require branch protection and mandatory reviews.
- Store secrets in Vault/Secrets Manager and inject at runtime.
Observability
- Emit deployment events to APM (Datadog, Prometheus).
- Alert on failure rate >1% or latency p95 >SLO within 5 min.
- Auto-create Jira ticket on failed production deployment.
Version Control & Branching
- Mainline (trunk) protected; only fast-forward merges via PR with status checks.
- Feature branches live <3 days; rebase frequently.
- Tag releases with semantic versioning.
Directory Convention
```
.ci/ # reusable pipeline templates
envs/
staging/
prod/
scripts/
terraform/
k8s/
```
Documentation
- Provide `README.md` with pipeline diagram and how-to rollback.
- Update CHANGELOG.md via conventional commits automation.
- Record runbooks in `docs/runbooks/`.
Tool Selection Criteria
- Must provide CLI and API for automation.
- Cloud-native, stateless, horizontally scalable.
- Enterprise SSO (SAML/OIDC) support.
Common Pitfalls
- Long-running feature branches → merge hell.
- Using :latest images → non-reproducible builds.
- Ignoring failed tests with `continue-on-error`.
Example End-to-End Flow
1. Developer pushes to trunk; webhook triggers CI.
2. Lint, unit, integration tests run in parallel.
3. Build container, sign, push to registry.
4. Argo CD detects manifest change pointing to new digest; deploys to staging.
5. E2E & performance tests execute against staging.
6. On success, pull request auto-updates prod manifests; after approval, prod deploys with canary rollout.
7. Metrics pass; rollout promoted.