The ordering of elements in `stages` defines the order in which jobs execute:

Stages:

- preflight - Things that MUST pass, otherwise there is no use in running the pipeline.
- quality - Things that SHOULD pass but DO NOT mean the code is broken. (or: linting?)
- test - Things that MUST pass and DO mean the code is broken.
- build - Create assets from the working code.
- scan - Scan any created assets for vulnerabilities.
- deploy - Send the assets somewhere, so they can be scanned/accessed by external systems.
- manifest - Create manifests for created assets (hashes, keys, etc.).
- publish - Publish created manifests, hashes, artifacts, etc.
- monitor - Verify deployed or published assets. Rename to what? Both "monitor" and "verify" are not very descriptive.
- clean - Clean up the environment.
preflight:
Things that MUST pass before the rest of the pipeline is worth running.
This includes things like syntax errors and reachability of remote dependencies, but also process-related requirements: if sign-off is required, has it been given? If commits must match a certain format, do they?
quality:
Things that SHOULD pass but DO NOT mean the code is broken.
This covers the form of the code rather than its behaviour: code convention compliance, formatting, and all sorts of static code analysis, including Static Application Security Testing (SAST).
test:
Things that MUST pass and DO mean the code is broken.

build:
Create assets from the working code.
scan:
Scan any created assets for vulnerabilities.
This can be all sorts of dynamic artifact or asset analysis, including Dynamic Application Security Testing (DAST).
deploy:
Send the assets somewhere so they can be scanned or accessed by external systems.
manifest:
Create manifests for the created assets (hashes, keys, etc.), so that what was built can later be verified against what was deployed or published.

publish:
Publish the created manifests, hashes, artifacts, etc.
monitor:
Verify deployed or published assets.
Rename? To what? Both "monitor" and "verify" are not very descriptive.
clean:
Clean up the environment: redundant (published) docker images, temporary git tags, etc.
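The stage list above, put together as one pipeline. This is an added example, not configuration from the original page; it assumes the pipeline is GitLab CI (the `stages` ordering semantics described at the top), and the script names under `scripts/`, the `RELEASE_URL` variable, the commit-message convention and the use of `trivy` and `sha256sum` are illustrative assumptions, not something the page prescribes.

```yaml
# Added example, not the page's own config. Jobs run stage by stage in the
# order listed under `stages`; a job in a later stage starts only once every
# job in the earlier stages has finished (or been allowed to fail).
stages:
  - preflight
  - quality
  - test
  - build
  - scan
  - deploy
  - manifest
  - publish
  - monitor
  - clean

default:
  image: alpine:3.19

# preflight: MUST pass, otherwise nothing else runs.
commit-format:
  stage: preflight
  script:
    # Assumed convention: first line is "type: subject".
    - echo "$CI_COMMIT_MESSAGE" | head -n1 | grep -Eq '^(feat|fix|docs|chore|refactor|test): .+'

# quality: SHOULD pass; a failure is reported but does not stop the pipeline.
lint:
  stage: quality
  allow_failure: true
  script:
    - ./scripts/lint.sh        # assumed project script

# test: MUST pass; a failure means the code is broken.
unit-tests:
  stage: test
  script:
    - ./scripts/test.sh        # assumed project script

# build: turn the working code into an artifact handed to later stages.
build:
  stage: build
  script:
    - ./scripts/build.sh       # assumed; writes dist/app.tar.gz
  artifacts:
    paths:
      - dist/

# scan: look for vulnerabilities in the produced artifact, not the source.
scan:
  stage: scan
  image: aquasec/trivy:latest
  script:
    - trivy fs --exit-code 1 --severity HIGH,CRITICAL dist/

# deploy: put the artifact where external systems can reach it.
deploy-staging:
  stage: deploy
  script:
    - ./scripts/deploy.sh staging dist/app.tar.gz   # assumed

# manifest: record hashes of what was built so it can be verified later.
manifest:
  stage: manifest
  script:
    - cd dist && sha256sum app.tar.gz > SHA256SUMS
  artifacts:
    paths:
      - dist/SHA256SUMS

# publish: hand artifact and manifest to the release location (tags only).
publish:
  stage: publish
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - ./scripts/publish.sh dist/app.tar.gz dist/SHA256SUMS   # assumed

# monitor: re-fetch what was published and check it against the manifest.
verify-published:
  stage: monitor
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - mkdir verify && cd verify
    - wget -q "$RELEASE_URL/app.tar.gz"    # RELEASE_URL: assumed CI variable
    - sha256sum -c ../dist/SHA256SUMS

# clean: runs even when an earlier stage failed, so nothing is left behind.
cleanup:
  stage: clean
  when: always
  script:
    - ./scripts/cleanup.sh     # assumed: drops temporary tags, stale images
```

Two points worth noting in this layout. The `quality` job is the only one with `allow_failure: true`, which is exactly the MUST/SHOULD distinction the stage list makes; everything else blocks. And the manifest is produced from the artifact the pipeline built and then checked against what was actually fetched from the release location, so the `monitor` stage catches a publish step that uploaded something other than what `build` produced. Adding `needs:` to jobs would let them start before earlier stages finish, which relaxes the ordering guarantee above; use it deliberately.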