This chapter covers DevOps practices of Continuous Integration (CI) and Continuous Delivery (CD) as they relate to Google Cloud and the GCDL exam. Understanding CI/CD is critical for the Apps domain (Objective 4.3), which typically accounts for 10-15% of exam questions. The exam tests your ability to explain the benefits of CI/CD, identify the correct tools and services on Google Cloud (like Cloud Build, Artifact Registry, and Deployment Manager), and understand how CI/CD enables faster, more reliable software releases. You will not be asked to write pipelines, but you must know the concepts, terminology, and Google Cloud services involved.
Jump to a section
Continuous Integration and Delivery (CI/CD) is like a modern automated assembly line in a car factory. In a traditional factory, each car is built from scratch by a single team, leading to inconsistencies and delays. In a CI/CD factory, each developer's change (like a new engine component) is immediately integrated into the main assembly line. The line automatically runs quality checks (unit tests, static analysis) — if a part fails, the line stops and alerts the team. Once all checks pass, the change moves to the next station: packaging (creating a deployable artifact). Then, it travels through a series of test environments (like test tracks): first a staging track that mimics real roads, then a performance track, and finally a production track. The entire process is automated: every change triggers the same pipeline, ensuring consistency. The factory also uses version control for every part and every step, so if a defect is found, you can trace exactly which change caused it and roll back. This is fundamentally different from the old 'waterfall' approach where changes were batched and tested only at the end, causing massive rework. In CI/CD, the pipeline is the assembly line, and every commit is a new car that goes through the same rigorous, automated process from start to finish.
What is Continuous Integration (CI)?
Continuous Integration is a software development practice where developers frequently merge their code changes into a shared repository, often multiple times per day. Each merge triggers an automated build and test process to detect integration errors as early as possible. The goal is to catch bugs quickly and reduce the cost of fixing them. In Google Cloud, the primary CI service is Cloud Build, which executes build steps defined in a cloudbuild.yaml file.
What is Continuous Delivery (CD)?
Continuous Delivery extends CI by automatically deploying all code changes to a testing/staging environment after the build and test stage. The key is that the deployment is automated, but the release to production is a manual decision (a 'go/no-go' gate). Continuous Deployment goes further: every change that passes all stages is automatically released to production. The GCDL exam expects you to distinguish between these two. Google Cloud's CD tools include Cloud Deploy (for delivery pipelines) and Deployment Manager (for infrastructure deployment).
Why CI/CD Matters for Cloud
In a cloud environment, infrastructure is programmable (Infrastructure as Code, IaC). CI/CD pipelines can manage not just application code but also infrastructure changes. This is called GitOps: using Git as the single source of truth for both code and configuration. On Google Cloud, you can use Cloud Build with Terraform or Deployment Manager to apply infrastructure changes automatically. The exam tests the understanding that CI/CD reduces risk, increases release frequency, and improves team velocity.
How Cloud Build Works
Cloud Build is a managed CI/CD platform that runs builds on Google Cloud's infrastructure. You define build steps in a YAML or JSON configuration file. Each step runs in a Docker container. Steps can compile code, run tests, produce artifacts, and deploy. Key components:
Build Triggers: Automatically start a build when changes are pushed to a repository (Cloud Source Repositories, GitHub, Bitbucket). You can filter by branch, tag, or file path.
Build Steps: Each step has a name (the container image to use), entrypoint, args, and optionally env, dir, and timeout. Steps run sequentially by default but can run in parallel using waitFor.
Artifacts: You can store build outputs (e.g., JAR files, Docker images) in Cloud Storage or Artifact Registry. Artifact Registry is the recommended service for container images and language packages.
Build Logs: Automatically streamed to Cloud Logging and available in the Cloud Console.
Service Account: Cloud Build uses a default service account ([PROJECT-NUMBER]@cloudbuild.gserviceaccount.com) with permissions to execute builds and access resources. For custom permissions, you can use a user-specified service account.
Example cloudbuild.yaml for a Python app:
steps:
- name: 'python:3.9'
entrypoint: pip
args: ['install', '-r', 'requirements.txt', '--user']
- name: 'python:3.9'
entrypoint: python
args: ['-m', 'pytest', 'tests/']
- name: 'gcr.io/cloud-builders/docker'
args: ['build', '-t', 'us-central1-docker.pkg.dev/$PROJECT_ID/my-repo/my-image:$SHORT_SHA', '.']
- name: 'gcr.io/cloud-builders/docker'
args: ['push', 'us-central1-docker.pkg.dev/$PROJECT_ID/my-repo/my-image:$SHORT_SHA']
images:
- 'us-central1-docker.pkg.dev/$PROJECT_ID/my-repo/my-image:$SHORT_SHA'Key Build Configuration Options
Timeout: Default 10 minutes per build, max 24 hours. Set with timeout: 3600s.
Machine Type: Default is e2-medium. For larger builds, use machineType: 'E2_HIGHCPU_8' or N1_HIGHCPU_32.
Substitutions: Built-in variables like $PROJECT_ID, $BUILD_ID, $SHORT_SHA (first 7 chars of commit SHA). Custom substitutions can be defined.
Secrets: Store sensitive data in Secret Manager and access via availableSecrets.
Private Pools: For builds that need access to VPC resources, you can use Cloud Build Private Pools with a specific network.
Continuous Delivery with Cloud Deploy
Cloud Deploy is a managed delivery service that automates the promotion of application releases across a series of targets (environments). It uses a delivery pipeline defined in a YAML file. Key concepts:
Targets: Represent environments (e.g., dev, staging, prod). Each target is a GKE cluster, Cloud Run service, or Anthos cluster.
Delivery Pipeline: Defines a series of targets in order, with optional approval gates.
Release: A specific version of the application, created from a Cloud Build artifact.
Rollout: The process of deploying a release to a target. Rollouts can be automated or require manual approval.
Promotion: Moving a release from one target to the next in the pipeline.
Example delivery pipeline:
apiVersion: deploy.cloud.google.com/v1
kind: DeliveryPipeline
metadata:
name: my-pipeline
serialPipeline:
stages:
- targetId: dev
- targetId: staging
strategy:
canary:
canaryDeployment:
percentages: [25, 50, 75]
verify: true
- targetId: prod
strategy:
canary:
canaryDeployment:
percentages: [10, 20, 70]
verify: trueInfrastructure as Code (IaC) and CI/CD
CI/CD pipelines can also manage infrastructure. On Google Cloud, you can use Deployment Manager (Google's native IaC) or Terraform (third-party). The pipeline applies changes to infrastructure declaratively. This ensures that infrastructure is versioned, testable, and repeatable. The exam expects you to know that IaC is a prerequisite for effective CI/CD in cloud environments.
Interaction with Other Google Cloud Services
Cloud Source Repositories: Private Git repositories hosted on Google Cloud. Can trigger Cloud Build automatically.
Artifact Registry: Stores build artifacts (Docker images, Maven packages, etc.). Integrates with Cloud Build for push steps.
Container Registry: Legacy service; Artifact Registry is recommended.
Cloud Run: Serverless container platform. CI/CD can deploy to Cloud Run using Cloud Build or Cloud Deploy.
GKE: Google Kubernetes Engine. Cloud Build can deploy to GKE using kubectl or via Cloud Deploy.
Cloud Functions: Serverless functions. CI/CD can deploy functions using gcloud functions deploy in a build step.
Secret Manager: Store secrets (e.g., API keys) and access them in build steps.
Cloud Logging & Monitoring: Build logs are automatically sent to Cloud Logging. You can set up alerts on build failures.
Common CI/CD Patterns on Google Cloud
Push-to-Deploy: A commit to a specific branch (e.g., main) triggers Cloud Build, which runs tests, builds a container, pushes to Artifact Registry, and deploys to Cloud Run.
Canary Deployments: Using Cloud Deploy, you can gradually roll out a new version to a percentage of traffic, with automatic rollback if verification fails.
Multi-Environment Pipelines: A pipeline that promotes through dev, staging, and prod with manual approval gates at each stage.
GitOps: Using a Git repository as the source of truth for both application code and infrastructure config. A tool like Config Sync on GKE or Terraform Cloud can apply changes automatically.
Exam-Relevant Details
Cloud Build is serverless — you pay only for the build time (per minute).
Build triggers support regex patterns for branch and tag names.
Cloud Build can run custom build steps using any public Docker image.
Cloud Deploy supports canary and blue-green strategies for GKE and Cloud Run.
Artifact Registry replaces Container Registry — the exam may mention both.
Deployment Manager uses YAML templates and supports Python and Jinja2 for advanced logic.
The default Cloud Build service account has limited permissions — you may need to grant additional roles (e.g., roles/cloudbuild.builds.builder).
Verification Commands
gcloud builds list — list recent builds.
gcloud builds log [BUILD_ID] — view logs for a specific build.
gcloud builds submit . --config=cloudbuild.yaml — submit a build manually.
gcloud deploy releases list --delivery-pipeline=my-pipeline --region=us-central1 — list releases.
gcloud deploy rollouts list --delivery-pipeline=my-pipeline --release=my-release --region=us-central1 — list rollouts.
Summary of Key Benefits for the Exam
Faster time to market by automating repetitive tasks.
Reduced risk because changes are smaller and tested earlier.
Higher quality because every change is tested.
Improved collaboration because developers integrate frequently.
Traceability because every change is linked to a build and deployment.
The GCDL exam expects you to understand these benefits and be able to identify the correct Google Cloud service for a given scenario.
Developer pushes code to repository
The developer commits code changes and pushes to a Git repository (Cloud Source Repositories, GitHub, or Bitbucket). The push includes the commit SHA, branch name, and changed files. This event triggers the CI pipeline if a build trigger is configured to match the branch or tag pattern. For example, a trigger on the 'main' branch with a regex pattern like '^main$' will fire on any push to main. The trigger also supports file path filtering (e.g., only when files in 'src/' change). At this stage, no build has started yet; the trigger is pending.
Build trigger initiates Cloud Build
The build trigger creates a new build in Cloud Build. The trigger includes the configuration source (inline or from a cloudbuild.yaml in the repo), the repository details, and substitutions (e.g., $COMMIT_SHA, $BRANCH_NAME). Cloud Build allocates a VM (based on the machine type) and pulls the build steps' container images. The build ID is generated and logs begin streaming. The build's status changes from QUEUED to WORKING. If the build queue is full (default max 100 concurrent builds per region), the build may be queued.
Cloud Build executes build steps
Cloud Build runs each step in order, unless parallel execution is configured using `waitFor: ['-']`. Each step runs in a fresh container with the specified image. Steps can compile code (e.g., `javac`), run tests (e.g., `pytest`), build Docker images, push artifacts, or run any command. The build environment has access to the source code mounted at `/workspace`. Steps can persist data across steps by writing to `/workspace`. The default timeout per step is 10 minutes, configurable via `timeout` field. If a step fails (non-zero exit code), the build stops and status becomes FAILURE.
Artifacts are stored in Artifact Registry
After successful build, artifacts (e.g., Docker images, JAR files) are pushed to Artifact Registry. For Docker images, the push step uses `docker push` to a repository URL like `us-central1-docker.pkg.dev/PROJECT_ID/REPO_NAME/IMAGE:TAG`. Artifact Registry stores the image layers, and the tag (e.g., `$SHORT_SHA` or `latest`) is updated. The build's `images` field can automatically push images. Artifact Registry also supports vulnerability scanning (Container Analysis) and IAM permissions for access control.
Cloud Deploy creates a release and initiates rollout
If the pipeline includes a Cloud Deploy stage, a release is created from the artifact (e.g., a specific Docker image tag). The release references the delivery pipeline and target (e.g., dev). Cloud Deploy then initiates a rollout to the first target. For a canary strategy, the rollout proceeds through defined percentages (e.g., 25%, 50%, 75%) with optional verification steps. If verification fails, the rollout is automatically rolled back. For a blue-green strategy, a new version is deployed alongside the old, and traffic is switched after verification.
Manual approval gate (if configured) for promotion
Between targets (e.g., from staging to prod), Cloud Deploy can require manual approval. An approver uses the Cloud Console or `gcloud deploy approvals approve` command to approve or reject. Until approved, the rollout remains in a PENDING_APPROVAL state. If rejected, the rollout is aborted. This gate ensures human oversight before production deployment. The approval can be time-bound; if not approved within a set period, the rollout may timeout.
Scenario 1: E-commerce Platform with Microservices
An online retailer uses a microservices architecture on GKE. Each service has its own CI/CD pipeline. Developers push to feature branches, which trigger Cloud Build to run unit tests and build a Docker image. On merge to main, a build trigger deploys to a dev GKE namespace using Cloud Deploy. After automated integration tests pass, a manual approval promotes the release to staging, where performance tests run. Finally, a canary deployment to production rolls out to 10% of users, then 50%, then 100% with automatic rollback if error rates spike. This setup reduces deployment time from hours to minutes and catches issues before full rollout. Misconfiguration example: forgetting to set the verify step in the canary strategy, causing a bad release to reach 100% before detection.
Scenario 2: Financial Services with Compliance Requirements
A bank uses Cloud Build to compile Java applications, run static code analysis (SonarQube), and package into JARs. Artifacts are stored in Artifact Registry with vulnerability scanning enabled. For regulatory compliance, every deployment must be audited. Cloud Deploy's delivery pipeline includes approval gates at each environment (dev, QA, staging, prod). All approvals are logged in Cloud Audit Logs. The pipeline also runs integration tests against a test database spun up in Cloud SQL. Common issue: the Cloud Build service account lacks permissions to access Cloud SQL, causing test failures. Solution: grant the Cloud Build service account the cloudsql.client role.
Scenario 3: SaaS Startup with Frequent Releases
A startup uses Cloud Run for a serverless application. They use a push-to-deploy pipeline: every commit to main triggers Cloud Build, which runs tests, builds a container, pushes to Artifact Registry, and deploys to Cloud Run using gcloud run deploy. To minimize downtime, they use Cloud Run's traffic splitting: the new revision receives 0% traffic initially; after smoke tests, a Cloud Build step updates traffic to 100%. They also use Cloud Deploy for a canary rollout to gradually shift traffic. Performance consideration: Cloud Build's default machine type may be too slow for large builds; they switch to E2_HIGHCPU_8 to reduce build time. Misconfiguration: not setting --no-traffic on the initial deploy, causing the new revision to immediately receive 100% traffic before tests.
Exactly What GCDL Tests (Objective 4.3)
The GCDL exam focuses on the concepts and benefits of CI/CD, not on the specific commands. You should be able to:
Explain the difference between CI, CD, and Continuous Deployment.
Identify the correct Google Cloud service for a given scenario (e.g., Cloud Build for CI, Cloud Deploy for CD, Artifact Registry for storing artifacts).
Understand how CI/CD reduces risk and accelerates releases.
Recognize that Infrastructure as Code is a prerequisite for effective CI/CD.
Know that Cloud Build is serverless and integrates with multiple source repositories.
Common Wrong Answers and Why Candidates Choose Them
'Continuous Integration means deploying to production automatically.' This is Continuous Deployment. CI is about integrating and testing code frequently. Candidates confuse the terms because they sound similar.
'Cloud Build can only be triggered from Cloud Source Repositories.' Cloud Build supports GitHub, Bitbucket, GitLab, and any Git repo via webhook. Candidates may think it's limited to Google's own repo.
'Artifact Registry is used only for Docker images.' It also supports Maven, npm, Python packages, and generic artifacts. Candidates may think it's only for containers.
'CI/CD pipelines eliminate the need for testing.' Actually, CI/CD automates testing; it does not eliminate it. Candidates may overestimate automation.
Specific Numbers and Terms on the Exam
Default build timeout: 10 minutes. Max: 24 hours.
Default concurrent builds per region: 100.
Cloud Build machine types: E2_MEDIUM (default), E2_HIGHCPU_8, N1_HIGHCPU_32.
Artifact Registry locations: multi-region (us, europe, asia) or single region.
Cloud Deploy supports canary and blue-green deployment strategies.
The term 'GitOps' appears in exam questions about using Git as the source of truth.
Edge Cases and Exceptions
Private pools: If the build needs access to a VPC (e.g., to deploy to a private GKE cluster), you must use a private pool. The default pool has no network access.
Build triggers with regex: The exam may test that you can filter by branch using regex (e.g., ^feature-.*$).
Artifact Registry vs. Container Registry: The exam may mention Container Registry as a legacy option. Artifact Registry is the recommended service.
Cloud Build service account permissions: The default service account may not have permissions to deploy to Cloud Run or GKE; you need to grant the appropriate roles.
How to Eliminate Wrong Answers Using the Underlying Mechanism
If a question says 'automatically deploy to production after tests pass', it's Continuous Deployment, not Delivery.
If the question mentions 'storing build artifacts', look for Artifact Registry or Container Registry.
If the question says 'automated build and test', it's CI.
If the question mentions 'approval gates', it's CD (Continuous Delivery).
If the question mentions 'infrastructure changes', think of IaC tools like Deployment Manager or Terraform, not just app deployment.
Remember: the exam is conceptual. You need to understand the 'why' behind CI/CD, not the 'how' of configuring Cloud Build.
CI/CD automates the build, test, and deployment process, reducing manual errors and accelerating releases.
Continuous Integration (CI) focuses on merging and testing code frequently; Continuous Delivery (CD) automates deployment to staging with manual approval for production.
Cloud Build is Google Cloud's CI service; it runs build steps in containers and is serverless.
Cloud Deploy is Google Cloud's CD service; it manages delivery pipelines with approval gates and canary rollouts.
Artifact Registry is the recommended service for storing build artifacts (Docker images, packages, etc.).
Build triggers can be configured from Cloud Source Repositories, GitHub, Bitbucket, or GitLab.
The default Cloud Build timeout is 10 minutes; maximum is 24 hours.
Infrastructure as Code (IaC) is a prerequisite for effective CI/CD in cloud environments.
Cloud Deploy supports canary and blue-green deployment strategies with automatic rollback on verification failure.
The GCDL exam tests conceptual understanding of CI/CD benefits and Google Cloud services, not command syntax.
These come up on the exam all the time. Here's how to tell them apart.
Continuous Integration (CI)
Focuses on merging code changes frequently and running automated builds/tests.
Typically ends with a deployable artifact stored in a registry.
Does not include deployment to any environment.
Goal is to detect integration errors early.
Example: Cloud Build running tests and building a Docker image.
Continuous Delivery (CD)
Extends CI by automatically deploying to a staging/testing environment.
Includes manual approval gates for production deployment.
Automates the entire release process except the final production release decision.
Goal is to ensure software is always ready for production release.
Example: Cloud Deploy promoting a release from dev to staging to prod with approvals.
Cloud Build
CI service for building, testing, and packaging code.
Executes build steps in containers.
Can push artifacts to Artifact Registry.
Can be triggered by source code changes or manually.
Does not manage environment promotion or approval gates.
Cloud Deploy
CD service for managing releases and rollouts across environments.
Defines delivery pipelines with targets and strategies.
Handles canary, blue-green, and standard deployments.
Supports manual approval gates between targets.
Integrates with Cloud Build to create releases from artifacts.
Mistake
Continuous Integration means deploying to production automatically.
Correct
Continuous Integration (CI) is about automatically building and testing every code change. Deploying to production automatically is Continuous Deployment. Continuous Delivery includes automated deployment to staging but requires manual approval for production.
Mistake
Cloud Build can only be triggered from Cloud Source Repositories.
Correct
Cloud Build supports triggers from GitHub, Bitbucket, GitLab, and any Git repository via webhook. Cloud Source Repositories is just one option.
Mistake
Artifact Registry is only for Docker images.
Correct
Artifact Registry supports multiple artifact types: Docker images, Maven packages, npm packages, Python packages, APT/Debian packages, and generic artifacts.
Mistake
CI/CD pipelines eliminate the need for manual testing.
Correct
CI/CD automates testing (unit, integration, etc.) but does not eliminate the need for manual exploratory testing or user acceptance testing (UAT). Automation increases confidence but cannot catch all issues.
Mistake
Cloud Build builds run indefinitely until they succeed.
Correct
Each build has a default timeout of 10 minutes and a maximum of 24 hours. If the build exceeds the timeout, it fails.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Continuous Delivery means every change that passes all stages of the pipeline is released to staging, but the final release to production is a manual decision (a 'go/no-go' gate). Continuous Deployment goes further: every change that passes all stages is automatically released to production without human intervention. The exam expects you to know that Continuous Delivery includes an approval gate, while Continuous Deployment does not.
Yes, Cloud Build can deploy to Cloud Run using a build step that runs `gcloud run deploy`. However, for more advanced deployment strategies like canary rollouts, Cloud Deploy is recommended. Cloud Build can also trigger Cloud Deploy to create a release.
The default service account is `[PROJECT-NUMBER]@cloudbuild.gserviceaccount.com`. It has the `Cloud Build Service Account` role, which includes permissions to execute builds and access Cloud Storage. For deployments to other services (e.g., Cloud Run, GKE), you may need to grant additional roles like `Cloud Run Admin` or `Kubernetes Engine Developer`.
Use Secret Manager to store secrets. In your `cloudbuild.yaml`, reference the secret using `availableSecrets`. For example: `availableSecrets: {'secretManager': [{'versionName': 'projects/PROJECT_ID/secrets/MY_SECRET/versions/latest', 'env': 'MY_SECRET'}]}`. Then access it as an environment variable in the build step.
The maximum build timeout is 24 hours (86400 seconds). The default is 10 minutes. You can set a custom timeout in the `timeout` field of the `cloudbuild.yaml` or via the `--timeout` flag in `gcloud builds submit`.
Yes. By default, steps run sequentially. To run steps in parallel, use the `waitFor` field. Set `waitFor: ['-']` to indicate that a step does not wait for any previous step (i.e., it starts immediately). You can also specify specific step IDs to wait for.
Artifact Registry is a managed service for storing and managing build artifacts. It supports Docker images, Maven packages, npm packages, Python packages, and more. It integrates with Cloud Build for pushing artifacts and with Cloud Deploy for creating releases. It also provides vulnerability scanning and IAM access control.
You've just covered DevOps: Continuous Integration and Delivery — now see how well it sticks with free GCDL practice questions. Full explanations included, no account needed.
Done with this chapter?