Douglas Wadding-Bond
CAFE:CONNECT Architecture

The Deployment Pipeline

Architecting an enterprise-grade, multi-stage Docker build pipeline on Google Cloud Platform to reduce image footprints by 90%, harden security, and guarantee zero-downtime rollouts.

Immutable Infrastructure

Every deployment creates a new, cryptographically sealed container. We do not patch live servers; we completely replace them.

Security by Design

Enforcing non-root execution within minimal Alpine Linux environments to drastically reduce the application's attack surface.

Optimized for Scale

Leveraging Next.js Standalone tracing to eliminate dead code, reducing payload size and ensuring instantaneous cold starts.

1. Local Trigger & Context Filter

deploy.ps1, .gcloudignore, PowerShell Core

The deployment sequence demands speed and efficiency. We strictly filter the upload context before it ever touches the cloud.

A custom PowerShell script (`deploy.ps1`) derives a version tag from git and packages the source code. Crucially, it excludes the massive `node_modules` directory via `.gcloudignore`, shrinking the upload payload from >1GB to <5MB and minimizing both bandwidth and exposure.

2. Cloud Build & Zero-Trust Ingestion

Cloud Build, GCP Secret Manager, IAM

Google Cloud Build ingests the lightweight source artifact and initiates the secure pipeline.

The `cloudbuild.yaml` manifest orchestrates the environment. Following a Zero-Trust approach, it retrieves environment variables and API keys directly from GCP Secret Manager at build time and injects them only as temporary build-args.

3. Docker Builder Stage

npm ci, TypeScript, Next.js Standalone

A heavy, temporary build environment handles the compilation and tracing logic.

A clean install (`npm ci`) ensures reproducible builds. The TypeScript and Next.js assets are compiled with the 'Standalone' output trace, which strips away unused dependencies and generates a highly optimized artifact.
Input: Raw Source. Output: Standalone Build.

4. Immutable Runner & Security Hardening

Alpine Linux, Non-root User, Compliance

Construction of the final, hardened production image with a minimal attack surface.

This stage imports ONLY the standalone compiled assets from the Builder. Built on minimal Alpine Linux, it completely discards source code and dev tools. A dedicated system user (`nextjs`) is created to ensure the container executes strictly without root privileges, meeting enterprise compliance standards.
Image sizes: Builder 1GB+, Runner 80MB.
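The builder and runner stages described in sections 3 and 4, written out as an added example Dockerfile; this is not the project's own file. It assumes `node:20-alpine` as the base image, a `public/` directory in the source tree, and `output: 'standalone'` in `next.config.js`; the `NEXT_PUBLIC_API_URL` build-arg is a placeholder for whatever Cloud Build injects from Secret Manager.

```dockerfile
# ---- Stage 3: Builder (heavy, discarded after the build) ----
FROM node:20-alpine AS builder
WORKDIR /app

# Reproducible install: npm ci honours package-lock.json exactly and
# fails if the lockfile and package.json disagree.
COPY package.json package-lock.json ./
RUN npm ci

# Build-time value injected by Cloud Build (placeholder name). A build-arg
# consumed here is visible in THIS stage's image history, which is one more
# reason the runner stage below starts from a fresh base and never
# redeclares the ARG.
ARG NEXT_PUBLIC_API_URL
ENV NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL

COPY . .
# next.config.js must set `output: 'standalone'` (assumed) so that
# `next build` traces the server's real imports into .next/standalone.
RUN npm run build

# ---- Stage 4: Runner (minimal, non-root, immutable) ----
FROM node:20-alpine AS runner
WORKDIR /app
ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1

# Dedicated unprivileged account; the process never runs as UID 0.
RUN addgroup -S -g 1001 nodejs \
 && adduser -S -u 1001 -G nodejs nextjs

# Only the traced standalone output crosses the stage boundary: no source,
# no devDependencies, no npm cache. Files are owned by the runtime user.
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
COPY --from=builder --chown=nextjs:nodejs /app/public ./public

USER nextjs

# Cloud Run supplies PORT; bind to all interfaces inside the container.
ENV HOSTNAME=0.0.0.0
ENV PORT=8080
EXPOSE 8080

CMD ["node", "server.js"]
```

Build with `docker build --build-arg NEXT_PUBLIC_API_URL=... -t app .` and confirm the result with `docker run --rm app id`, which should report the `nextjs` user rather than root.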

5. Serverless Edge Rollout

Cloud Run, Revisions, Traffic Splitting

Zero-downtime deployment and traffic migration to the GCP edge.

The final 80MB micro-image is deployed to Google Cloud Run. The platform provisions the container, executes readiness health checks, and migrates traffic atomically to the new revision only once stability is confirmed.

Pipeline Infrastructure

Google Cloud Run, GCP Secret Manager, Cloud Build, Docker Multi-Stage, Next.js 15 Standalone, PowerShell Core