CI/CD for SaaS: The Pipeline We Ship With Every Project
Every SaaS we build ships with the same CI/CD pipeline. It's not glamorous, but it's the difference between confident Friday deploys and weekend war rooms. Here's the exact shape of it.
Stages, in order
- Forbidden-strings scan (no stray TODO/FIXME markers in prod code)
- Workflow linting (actionlint)
- Secrets scan (gitleaks)
- Lint (ESLint, strict)
- Typecheck (tsc, app + infra)
- Build
- Pre-deploy cleanup (state recovery)
- Deploy (CDK)
- Post-deploy verification (smoke tests)
Why pre-deploy cleanup is non-optional
CloudFormation leaves stacks in strange states: ROLLBACK_COMPLETE, REVIEW_IN_PROGRESS, ROLLBACK_IN_PROGRESS. A deploy pipeline that doesn't know how to handle those states just goes red and pages you. Ours quietly heals them: delete the stuck stack, release the orphaned resources, then deploy.
We also clean up orphaned S3 buckets, ACM certificates, and Route 53 records that previous failed deploys left behind. It's unglamorous, and it's the reason deploys don't require human intervention.
OIDC, not long-lived keys
GitHub Actions authenticates to AWS via OIDC. No access keys live in GitHub secrets. The role's trust policy is scoped to a specific repo (a sub claim condition on repo:org/name:*) and the role carries only the permissions it needs.
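An added audit script (not the post's own code) that checks a role trust policy for the properties this section relies on: the federated principal is the GitHub OIDC provider, the audience is pinned, and the sub claim is scoped to the expected repo. The repo name acme/my-app and the account ID are constructed. It also flags the repo:org/name:* pattern, because `*` matches pull_request runs and every branch and tag ref, so pinning to the deploy branch or a GitHub environment narrows who can assume the role.

```python
"""Audit the trust policy of the IAM role GitHub Actions assumes via OIDC.
Added example, not the page's own code; the repo name and account ID are
constructed, the condition keys are the ones AWS evaluates for GitHub."""

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"


def audit_trust_policy(policy: dict, expected_repo: str) -> list:
    """Return findings; an empty list means only workflows of expected_repo
    (with a pinned audience) can assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        # The federated principal must be the GitHub OIDC provider, not a wildcard.
        principal = stmt.get("Principal", {}).get("Federated", "")
        if not str(principal).endswith(f":oidc-provider/{GITHUB_OIDC_HOST}"):
            findings.append("principal is not the GitHub OIDC provider")
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        # aud must be pinned, or a token minted for another audience is accepted.
        if equals.get(f"{GITHUB_OIDC_HOST}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        sub = equals.get(f"{GITHUB_OIDC_HOST}:sub") or like.get(f"{GITHUB_OIDC_HOST}:sub")
        if sub is None:
            findings.append("no sub condition: any GitHub repo could assume this role")
            continue
        for s in [sub] if isinstance(sub, str) else sub:
            if not s.startswith(f"repo:{expected_repo}:"):
                findings.append(f"sub {s!r} is not scoped to repo {expected_repo}")
            elif s.endswith(":*"):
                # repo:org/name:* also matches pull_request and every branch/tag ref
                findings.append(f"sub {s!r} allows any branch, tag or pull_request run")
    return findings


def _policy(sub_key: str, sub_value: str) -> dict:
    """Build a constructed sample trust policy (account ID and repo are made up)."""
    cond = {"StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"}}
    cond.setdefault(sub_key, {})[f"{GITHUB_OIDC_HOST}:sub"] = sub_value
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_HOST}"},
        "Condition": cond}]}


# The page's pattern (any workflow in the repo) beside one pinned to the main branch.
WEAK_POLICY = _policy("StringLike", "repo:acme/my-app:*")
TIGHT_POLICY = _policy("StringEquals", "repo:acme/my-app:ref:refs/heads/main")
```

Run `audit_trust_policy(WEAK_POLICY, "acme/my-app")` to see the branch-scoping finding, and the same call on `TIGHT_POLICY` to see an empty list.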
Per-environment IAM
One IAM role per environment, with its resource permissions wildcarded on the environment-specific name prefix (note that a bare prefix like my-app* matches both my-app-dev and my-app-prod, so the pattern must include the environment suffix, e.g. my-app-dev*). No single role can touch another environment. If a pipeline gets compromised, the blast radius is one environment, not the whole account.
Post-deploy smoke tests
Every deploy runs curl-based HTTP 200 + content-presence checks on critical pages. If CloudFront invalidation hasn't propagated or a hashed asset went missing, the smoke test catches it before anyone else does.
The shape of a good deploy
Push to main → CI runs the full suite → on green, deploy runs cleanup → CDK deploys → assets upload (long cache) → HTML upload (short cache) → CloudFront invalidate → wait for invalidation → delete stale files. Every step is reversible or idempotent. No step requires a human.
This pipeline is the spine of every custom build we ship and the default for the Autolastic SaaS Platform.
Ready to put this to work?
Book a free 30 min discovery call — we'll map the first automation to install and estimate ROI timeline.
