Generated AI image by Microsoft Bing Image Creator
Introduction
Since my last post on setting local AWS Glue using Docker, one of the potential extensions I mentioned is to setup Github Actions CI/CD pipeline for it. In modern data engineering, testing cloud-native applications locally before deployment is very crucial for rapid iteration and cost efficiency. Thus, as part of this exploratory exercise, I want my CI/CD pipeline to achieve the following outcomes(in scope):
- Automate testing of AWS Glue jobs in a local environment
- Use Docker to containerize the Glue runtime
- Leverage LocalStack to simulate AWS services locally
- Integrate with GitHub Actions for continuous integration and delivery
- Ensure code quality with SonarCloud and Codecov
Not in scope for this pipeline:
- Terraform or infrastructure-as-code testing
- Deployment to actual AWS environments
- Advanced security hardening for enterprise compliance
This guide walks you through building very robust (if not production-ready) CI/CD pipeline using GitHub Actions that integrates Docker containerization, LocalStack for AWS service emulation, and comprehensive testing for AWS Glue jobs.
This proof-of-concept end-to-end solution was conducted by trial and error using my Copilot and Claude Sonnets to help me along the learning journey. I’m pretty satisfied with its findings and I hope you find it useful too.
By the end of this post, you’ll understand how to leverage GitHub’s ecosystem to create automated pipelines that test your data engineering workloads without incurring cloud costs during development.
Why This Matters
Traditional cloud development workflows often require:
- Deploying to actual AWS environments for testing
- Incurring costs for every test run
- Waiting for cloud resource provisioning
- Managing multiple AWS accounts for dev/test/prod
The solution? A fully containerized CI/CD pipeline that:
- Tests AWS Glue jobs locally using Docker
- Simulates AWS services with LocalStack
- Runs automated tests on every commit
- Publishes Docker images to GitHub Container Registry
- Integrates code quality checks with SonarCloud and Codecov
Architecture Overview
The pipeline implements a multi-stage workflow:
- Build Stage: Creates Docker images with AWS Glue runtime
- Test Stage: Spins up LocalStack services and runs unit/integration tests
- Quality Stage: Analyzes code coverage and quality metrics
- Publish Stage: Pushes validated images to GitHub Container Registry
The Complete GitHub Actions Workflow
Let’s break down the workflow file (ci-pipeline.yml) into digestible components.
1. Workflow Triggers and Permissions
name: Run Tests with LocalStack, Build Docker Image, and Upload Coverage to SonarCloud & Codecov
on:
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
permissions:
contents: read
packages: writeKey Points:
- Triggers on pushes and PRs to
mainanddevelopbranches packages: writepermission enables pushing to GitHub Container Registry (GHCR)contents: readallows checkout access
2. LocalStack Service Configuration
services:
localstack:
image: localstack/localstack:latest
env:
SERVICES: dynamodb,s3,cloudwatch,logs,iam,sts
DEFAULT_REGION: us-east-1
AWS_ACCESS_KEY_ID: test
AWS_SECRET_ACCESS_KEY: test
DEBUG: 1
ports:
- 4566:4566
options: >-
--health-cmd "curl -f http://localhost:4566/_localstack/health || exit 1"
--health-interval 10s
--health-timeout 5s
--health-retries 10Why LocalStack?
- Emulates AWS services locally without cloud costs
- Provides S3, DynamoDB, CloudWatch, and IAM functionality
- Health checks ensure services are ready before tests run
- Port 4566 is LocalStack’s unified endpoint
Pro Tip: The health check configuration prevents race conditions where tests start before LocalStack is fully initialized.
3. Disk Space Optimization
- name: Free up disk space
run: |
# Remove unnecessary tools and SDKs
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/share/boost
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
# Clean apt package manager
sudo apt-get clean
sudo apt-get autoclean
sudo apt-get autoremove -y
# Aggressive Docker cleanup
docker system prune -af --volumes
docker builder prune -afWhy This Matters:
- GitHub Actions runners have limited disk space (~14GB free)
- Docker images for Glue environments can be 2-3GB+
- Build caches and intermediate layers consume additional space
- Cleanup can free up 10-15GB, preventing build failures
Real-World Impact: Without this step, builds often fail with “no space left on device” errors.
4. Docker Build and Push with Caching
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Convert repository owner to lowercase
id: repo
run: |
REPO_OWNER_LOWER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
REPO_NAME_LOWER=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')
echo "owner=$REPO_OWNER_LOWER" >> $GITHUB_OUTPUT
echo "name=$REPO_NAME_LOWER" >> $GITHUB_OUTPUT
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push Glue PySpark Docker image
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile
push: true
tags: ghcr.io/${{ steps.repo.outputs.owner }}/${{ steps.repo.outputs.name }}/glue-pyspark:latest
cache-from: type=registry,ref=ghcr.io/${{ steps.repo.outputs.owner }}/${{ steps.repo.outputs.name }}/glue-pyspark:buildcache
cache-to: type=registry,ref=ghcr.io/${{ steps.repo.outputs.owner }}/${{ steps.repo.outputs.name }}/glue-pyspark:buildcache,mode=maxAdvanced Techniques:
- Docker Buildx: Enables advanced build features and multi-platform support
- Lowercase Conversion: GHCR requires lowercase repository names (GitHub allows mixed case)
- Registry Caching: Dramatically speeds up builds by reusing layers from previous runs
- Automatic Authentication: Uses
GITHUB_TOKENfor seamless GHCR access
Performance Impact: Registry caching can reduce build times from 15+ minutes to 2-3 minutes on subsequent runs.
5. LocalStack Health Check and Initialization
- name: Wait for LocalStack to be ready
run: |
echo "Waiting for LocalStack to be ready..."
max_attempts=60
attempt=0
until curl -f -s http://localhost:4566/_localstack/health | grep -q '"s3"' || [ $attempt -eq $max_attempts ]; do
echo "Attempt $((++attempt))/$max_attempts: Waiting for LocalStack..."
if [ $((attempt % 10)) -eq 0 ]; then
echo "Health check response:"
curl -s http://localhost:4566/_localstack/health || echo "No response"
fi
sleep 2
doneRobust Error Handling:
- Polls LocalStack health endpoint up to 60 times (2 minutes)
- Provides diagnostic output every 10 attempts
- Fails fast with detailed logs if LocalStack doesn’t start
- Checks for specific service availability (S3 in this case)
6. AWS Resource Provisioning in LocalStack
- name: Configure AWS resources in LocalStack
run: |
docker run --rm \
--network host \
-e AWS_ACCESS_KEY_ID=test \
-e AWS_SECRET_ACCESS_KEY=test \
-e AWS_REGION=us-east-1 \
amazon/aws-cli:latest \
--endpoint-url=http://localhost:4566 s3 mb s3://bronze-bucket || true
docker run --rm \
--network host \
-e AWS_ACCESS_KEY_ID=test \
-e AWS_SECRET_ACCESS_KEY=test \
-e AWS_REGION=us-east-1 \
amazon/aws-cli:latest \
--endpoint-url=http://localhost:4566 dynamodb create-table \
--table-name gold_table_plain \
--attribute-definitions AttributeName=id,AttributeType=N \
--key-schema AttributeName=id,KeyType=HASH \
--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 || trueInfrastructure as Code in CI:
- Creates S3 buckets for data lake layers (bronze, iceberg)
- Provisions DynamoDB tables for gold layer aggregations
- Sets up CloudWatch log groups for Glue job monitoring
- Uses
|| trueto handle idempotent operations gracefully
Design Pattern: This mirrors production infrastructure setup, ensuring test environments match production.
7. Running Tests in the Glue Container
- name: Run tests inside Glue container
run: |
docker run --rm \
--network host \
-v ${{ github.workspace }}/plain:/app/plain \
-v ${{ github.workspace }}/purchase_order:/app/purchase_order \
-v ${{ github.workspace }}/tests:/app/tests \
-v ${{ github.workspace }}/pytest.ini:/app/pytest.ini \
-v ${{ github.workspace }}:/output \
-e AWS_ACCESS_KEY_ID=test \
-e AWS_SECRET_ACCESS_KEY=test \
-e AWS_REGION=us-east-1 \
my-glue-pyspark:latest \
"poetry run pytest tests/ --cov=plain --cov=purchase_order --cov-report=term-missing --cov-report=xml:/output/coverage.xml --cov-report=html:/output/htmlcov -v"Container Testing Strategy:
- Volume Mounts: Source code and tests are mounted into the container
- Network Mode:
--network hostallows container to access LocalStack on localhost - Output Persistence: Coverage reports are written back to GitHub workspace
- Poetry Integration: Uses Poetry for dependency management and test execution
- Multiple Coverage Formats: XML for SonarCloud/Codecov, HTML for artifact viewing
Why This Works:
- Tests run in the exact same environment as production Glue jobs
- No “works on my machine” issues
- Consistent Python version, dependencies, and Spark configuration
8. Code Quality Integration
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v4
if: always()
with:
files: ./coverage.xml
flags: unittests
name: codecov-umbrella
fail_ci_if_error: false
- name: Upload coverage HTML report
uses: actions/upload-artifact@v4
if: always()
with:
name: coverage-report
path: htmlcov/
retention-days: 7Multi-Tool Quality Assurance:
- SonarCloud: Static code analysis, security vulnerabilities, code smells
- Codecov: Coverage tracking with historical trends and PR comments
- GitHub Artifacts: Downloadable HTML reports for detailed inspection
Pro Tip: if: always() ensures quality reports are uploaded even if tests fail, providing debugging information.
Workflow Pipeline Execution
Once you’re done setting up the workflow pipeline above, you can commit and push it to your repository. GitHub Actions will automatically trigger the pipeline on pushes or pull requests to the specified branches. In this case, for mine, main and develop.
You can monitor the progress of each job in the “Actions” tab of your GitHub repository. Each stage will show logs, status, and any errors encountered during execution.
With this ci-pipeline.yml workflow, you will see only one job running all the steps sequentially and you can view its steps log in detail. But by good general practice, you should use the ci-sequential.yml workflow if you want to see each stage as separate jobs for better visibility and parallel execution - see it here.
Enterprise Considerations: Security, Compliance, and Risk Management
The Open-Source vs. Corporate Reality
While everything what I discovered and achieved here so far has been great exprience so far and this guide demonstrates a powerful open-source DevOps stack, enterprise adoption, however, requires careful evaluation of organizational constraints. What works seamlessly in exploratory projects may face significant hurdles in regulated corporate environments. Thus that leaves you plenty of critical questions and notes to ponder before adopting this stack wholesome.
Critical Evaluation Framework
1. GitHub Actions and Third-Party Runners
Open-Source Approach:
- Uses GitHub-hosted runners (shared infrastructure)
- Free for public repositories
- Minimal setup required
Enterprise Constraints:
| Risk Factor | Consideration | Mitigation Options |
|---|---|---|
| Data Residency | Code and artifacts processed on GitHub’s infrastructure | Self-hosted runners in your VPC/data center |
| Compliance | May violate SOC2, HIPAA, PCI-DSS requirements | GitHub Enterprise Server (on-premises) |
| Network Security | Runners access public internet | Private networking with GitHub Enterprise Cloud |
| Audit Trails | Limited visibility into runner environment | Enhanced audit logging with Enterprise features |
Questions to Ask Your Security Team:
- Can our source code leave our network perimeter?
- What data classification levels are we handling?
- Do we need SOC2 Type II compliance for our CI/CD?
- Are GitHub’s data centers in approved geographic regions?
2. LocalStack Licensing and Support
Open-Source Approach:
- Uses LocalStack Community Edition (free, limited features)
- No official support or SLAs
- Community-driven bug fixes
Enterprise Constraints:
| Aspect | Community Edition | Enterprise Considerations |
|---|---|---|
| License | Apache 2.0 (permissive) | Legal review required for commercial use |
| Features | Basic AWS service emulation | Advanced services require Pro license ($50-500/dev/month) |
| Support | GitHub issues only | Enterprise support with SLAs may be mandated |
| Security Updates | Community-driven timeline | Compliance may require guaranteed patch schedules |
| Accuracy | Best-effort AWS parity | Production validation required for critical workloads |
Red Flags for Enterprise:
- Financial services: LocalStack may not meet regulatory testing requirements
- Healthcare: PHI data cannot touch LocalStack without BAA (not available)
- Government: FedRAMP/IL5 compliance impossible with LocalStack
Alternative Approaches:
- AWS-native testing: Use dedicated AWS accounts with cost controls
- Moto library: Python-only AWS mocking (more limited but officially maintained)
- Hybrid approach: LocalStack for dev, real AWS for pre-production CI
3. Docker and Container Registry Security
Open-Source Approach:
- Pulls base images from Docker Hub
- Pushes to GitHub Container Registry (public or private)
- Minimal image scanning
Enterprise Constraints:
| Security Concern | Risk Level | Enterprise Solution |
|---|---|---|
| Supply Chain Attacks | HIGH | Private registries with approved base images only |
| Image Vulnerabilities | HIGH | Mandatory scanning (Trivy, Snyk, Prisma Cloud) |
| Secrets in Images | CRITICAL | Secret scanning + admission controllers |
| Registry Access | MEDIUM | SSO integration, RBAC, audit logging |
| Image Provenance | MEDIUM | Image signing with Sigstore/Notary |
Corporate Policies That May Block This Approach:
- No Docker Hub access: Many enterprises block external registries
- Approved base images only: Must use hardened, patched internal images
- Image signing required: Unsigned images cannot be deployed
- SBOM requirements: Software Bill of Materials for compliance
Adaptation Strategy:
# Enterprise-compliant Docker build
- name: Build with approved base image
run: |
# Use internal registry with approved images
docker build \
--build-arg BASE_IMAGE=registry.company.com/approved/python:3.9-slim \
--label "git.commit=${{ github.sha }}" \
--label "build.date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
-t registry.company.com/data-eng/glue-pyspark:${{ github.sha }} .
- name: Scan image for vulnerabilities
run: |
trivy image --severity HIGH,CRITICAL \
--exit-code 1 \
registry.company.com/data-eng/glue-pyspark:${{ github.sha }}
- name: Sign image
run: |
cosign sign --key cosign.key \
registry.company.com/data-eng/glue-pyspark:${{ github.sha }}4. Third-Party GitHub Actions and Supply Chain Risk
Open-Source Approach:
- Uses community actions (
actions/checkout@v4,docker/build-push-action@v5) - Trusts action maintainers implicitly
- Auto-updates to latest versions
Enterprise Constraints:
| Risk | Impact | Mitigation |
|---|---|---|
| Malicious Actions | Code injection, credential theft | Pin to commit SHAs, not tags |
| Abandoned Actions | Security vulnerabilities unpatched | Fork and maintain internally |
| Compliance | Actions not vetted by security team | Approved action registry |
| Audit Requirements | Cannot trace action provenance | SBOM for actions, vendoring |
Secure Action Usage Pattern:
# ❌ INSECURE: Uses mutable tag
- uses: actions/checkout@v4
# ✅ SECURE: Pinned to immutable commit SHA
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
# Comment includes version for human readabilityCorporate Alternatives:
- Self-hosted action runners: Host approved actions in internal registry
- Action vendoring: Copy actions into your repository
- Restricted marketplace: Only allow pre-approved actions
5. SonarCloud and Codecov: Data Exfiltration Concerns
Open-Source Approach:
- Sends source code to SonarCloud (third-party SaaS)
- Uploads coverage data to Codecov (third-party SaaS)
- Convenient integrations with GitHub
Enterprise Constraints:
| Service | Data Shared | Compliance Risk | Enterprise Alternative |
|---|---|---|---|
| SonarCloud | Full source code, secrets (if leaked) | HIGH - IP theft, compliance violations | SonarQube self-hosted |
| Codecov | Coverage reports, file paths, metadata | MEDIUM - Reveals architecture | Self-hosted coverage tools |
Real-World Incident:
- Codecov breach (2021): Supply chain attack exposed customer credentials for months
- Impact: Many enterprises banned Codecov permanently
Secure Alternatives:
# Self-hosted SonarQube
- name: SonarQube Scan
run: |
sonar-scanner \
-Dsonar.host.url=https://sonarqube.company.com \
-Dsonar.login=${{ secrets.SONAR_TOKEN_INTERNAL }}
# Internal coverage dashboard
- name: Upload coverage to internal system
run: |
curl -X POST https://coverage.company.com/api/upload \
-H "Authorization: Bearer ${{ secrets.COVERAGE_TOKEN }}" \
-F "coverage=@coverage.xml" \
-F "project=${{ github.repository }}" \
-F "commit=${{ github.sha }}"6. Secrets Management and Credential Exposure
Open-Source Approach:
- Uses GitHub Secrets (encrypted at rest)
- Secrets accessible to all workflows
- Limited rotation capabilities
Enterprise Constraints:
| Requirement | GitHub Secrets | Enterprise Solution |
|---|---|---|
| Secrets Rotation | Manual only | HashiCorp Vault, AWS Secrets Manager |
| Audit Logging | Limited | Comprehensive audit trails required |
| Access Control | Repository-level | Fine-grained RBAC per secret |
| Compliance | May not meet standards | FIPS 140-2 validated HSMs |
| Just-in-Time Access | Not supported | Dynamic credential generation |
Enterprise Pattern:
- name: Retrieve secrets from Vault
id: vault
uses: hashicorp/vault-action@v2
with:
url: https://vault.company.com
method: jwt
role: github-actions-role
secrets: |
secret/data/aws/credentials access_key | AWS_ACCESS_KEY_ID ;
secret/data/aws/credentials secret_key | AWS_SECRET_ACCESS_KEY
- name: Use short-lived credentials
run: |
# Credentials automatically expire after job completion
aws s3 ls
env:
AWS_ACCESS_KEY_ID: ${{ steps.vault.outputs.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ steps.vault.outputs.AWS_SECRET_ACCESS_KEY }}Decision Matrix: Can Your Organization Use This Stack?
Use this matrix to assess feasibility:
| Factor | Green Light ✅ | Yellow Light ⚠️ | Red Light 🛑 |
|---|---|---|---|
| Industry | Tech startups, SaaS | Professional services | Finance, Healthcare, Government |
| Data Classification | Public, Internal | Confidential | Restricted, PHI, PCI, PII |
| Compliance | None, ISO 27001 | SOC2, GDPR | HIPAA, PCI-DSS, FedRAMP |
| Security Posture | Risk-tolerant | Risk-aware | Risk-averse |
| Budget | Limited | Moderate | Enterprise |
| Team Size | <50 engineers | 50-500 engineers | 500+ engineers |
Interpretation:
- All Green: Adopt this stack with minimal modifications
- Some Yellow: Requires adaptations (self-hosted runners, private registries)
- Any Red: Significant re-architecture needed or complete alternative approach
Hybrid Approach: Balancing Innovation and Compliance
Most enterprises land somewhere in the middle. Consider this graduated adoption strategy:
Phase 1: Proof of Concept (Open-Source Stack)
- Use for non-production, non-sensitive projects
- Validate technical feasibility
- Build team expertise
- Duration: 1-3 months
Phase 2: Security Hardening (Hybrid)
- Migrate to self-hosted GitHub Actions runners
- Replace LocalStack with AWS dev accounts
- Implement image scanning and signing
- Use internal SonarQube instead of SonarCloud
- Duration: 3-6 months
Phase 3: Enterprise Integration (Fully Compliant)
- Integrate with corporate Vault/secrets management
- Implement RBAC and audit logging
- Add compliance gates (policy-as-code with OPA)
- Establish SLAs and support processes
- Duration: 6-12 months
Questions to Ask Before Adopting
For Engineering Leadership:
- What is our organization’s risk appetite for CI/CD tooling?
- Do we have budget for enterprise licenses (GitHub Enterprise, LocalStack Pro)?
- Can we dedicate resources to maintain self-hosted infrastructure?
- What is our timeline for compliance certification (SOC2, ISO, etc.)?
For Security Teams:
- Can source code be processed outside our network perimeter?
- What are our requirements for secrets management and rotation?
- Do we need FIPS 140-2 validated cryptography?
- What audit logging and retention requirements apply?
For Compliance Teams:
- What data classification levels will this pipeline handle?
- Are there geographic restrictions on data processing?
- Do we need vendor security assessments (VSAs) for all third parties?
- What is our incident response process for supply chain compromises?
The Bottom Line
This open-source stack is ideal for:
- Startups and scale-ups with minimal compliance requirements
- Public open-source projects
- Internal tools handling non-sensitive data
- Proof-of-concept and learning environments
- Teams with high risk tolerance and technical sophistication
This stack requires significant modification for:
- Regulated industries (finance, healthcare, government)
- Enterprises with strict data residency requirements
- Organizations handling PII, PHI, or PCI data
- Companies requiring SOC2 Type II or ISO 27001 certification
- Risk-averse security cultures
The key insight: Open-source DevOps tools provide incredible velocity and developer experience, but enterprise adoption is not a copy-paste exercise. Successful implementation requires understanding your organization’s specific constraints and adapting accordingly.
Key Takeaways and Best Practices
1. Use Service Containers for Dependencies
GitHub Actions service containers provide isolated, ephemeral infrastructure perfect for testing AWS services with LocalStack.
2. Implement Robust Health Checks
Never assume services are ready immediately. Implement polling with timeouts and diagnostic logging.
3. Optimize Disk Space Proactively
Large Docker images require aggressive cleanup on GitHub runners. Monitor disk usage and clean early.
4. Leverage Registry Caching
Docker layer caching can reduce build times by 80-90%. Always configure cache-from and cache-to.
5. Test in Production-Like Environments
Running tests inside the actual Glue container eliminates environment discrepancies.
6. Integrate Multiple Quality Tools
Combine SonarCloud, Codecov, and GitHub Artifacts for comprehensive quality visibility.
7. Make Workflows Idempotent
Use || true for resource creation commands that might already exist (especially in LocalStack).
8. Separate Concerns with Volume Mounts
Mount only necessary directories into containers to maintain clean separation and faster builds.
9. Assess Organizational Constraints Early
Evaluate security, compliance, and risk requirements before committing to open-source tooling.
10. Plan for Graduated Adoption
Start with POCs, then progressively harden for enterprise requirements.
Real-World Benefits
Teams using this approach report:
- 90% reduction in AWS testing costs
- 5x faster feedback loops (minutes vs. hours)
- Zero production incidents from environment mismatches
- Improved developer experience with local-first workflows
However, enterprise teams also report:
- 3-6 months to adapt for compliance requirements
- Significant investment in self-hosted infrastructure
- Ongoing maintenance burden for custom solutions
Advanced Extensions
Consider these enhancements for production use:
- Matrix Testing: Test against multiple Python/Spark versions
- Parallel Execution: Split tests across multiple jobs
- Deployment Gates: Require quality thresholds before merging
- Terraform Integration: Validate infrastructure code in CI
- Performance Benchmarking: Track job execution times over commits
- Multi-Architecture Builds: Support ARM64 for Apple Silicon developers
- Policy-as-Code: Implement OPA for compliance enforcement
- SBOM Generation: Create Software Bill of Materials for supply chain security
Conclusion
Modern CI/CD pipelines should be fast, reliable, and cost-effective. By combining GitHub Actions, Docker, and LocalStack, you can build sophisticated testing workflows that rival enterprise CI systems—all within GitHub’s free tier for public repositories.
The critical caveat: This open-source stack is a starting point, not a universal solution. Successful enterprise adoption requires understanding your organization’s security posture, compliance obligations, and risk tolerance. What works for a startup may be completely inappropriate for a regulated financial institution.
The workflows I demonstrated here provides a foundation for data engineering teams to iterate quickly, catch issues early, and deploy with confidence. Whether you’re building AWS Glue jobs, Lambda functions, or any cloud-native application, these patterns apply universally—but always through the lens of your organizational constraints.
Remember: The best DevOps pipeline is one that balances developer velocity with organizational risk management. Don’t let perfect security become the enemy of good engineering, but equally, don’t let engineering convenience compromise critical compliance requirements.
In my next post, I will explore the items not in scope for this guide, including Terraform testing, deployment strategies, and advanced security hardening for enterprise compliance. One of them is about configuration of OIDC with GitHub Actions for secure, token-based authentication to AWS resources without long-lived credentials. This is important because enterprises are increasingly adopting OIDC to enhance security posture and reduce risk of credential leakage since short-lived tokens are used instead of static secrets.
Thanks for reading. Till then, Happy Coding!
For more information on my CI/CD setup guide, please refer to the links below.
Resources
- Repository: docker_glue_pyspark_demo
- Workflow File: ci-pipeline.yml
- Workflow File: ci-sequential.yml
- LocalStack Documentation: docs.localstack.cloud
- GitHub Actions: docs.github.com/actions
- Docker Buildx: docs.docker.com/buildx
- GitHub Security Best Practices: docs.github.com/actions/security-guides
- OWASP CI/CD Security: owasp.org/www-project-devsecops-guideline
Disclaimer: Again, I stressed this is only an exploratory exercise and proof-of-concept for learning purposes as well as sharing the knowledge with the community. It’s not by far the best and only approach to build CI/CD pipelines for AWS Glue jobs. Always evaluate your organization’s specific needs and constraints before adopting new technologies. This guide reflects technical patterns and does not constitute legal or compliance advice. Always consult your organization’s security, legal, and compliance teams before adopting new tooling.