Most CI tutorials give you a green pipeline that checks nothing. A real gate fails when code is bad. Here's a pipeline that actually protects main — and the drop-in Actions that remove the YAML entirely.
name: CI
on: [push, pull_request]
jobs:
quality:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with: {python-version: '3.12'}
- run: pip install ruff black mypy bandit pytest
- run: ruff check .
- run: black --check .
- run: mypy src/
- run: bandit -r src/ -f txt
- run: pytest
Every one of those steps exits non-zero on a problem. No || true. No "warning" that gets ignored.
A separate job tags and ships only when quality passes:
release:
needs: [quality]
if: github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v4
with: {fetch-depth: 0}
- uses: CodeGero/release-forge@v1
with: {github-token: ${{ secrets.GITHUB_TOKEN }}
Writing that by hand every repo is the tax. The Kryptorious Actions drop in one line:
Staging deploys automatically; production waits for a human. DevFlow Premium generates this exact pattern — see version drift for why gating matters. The generated workflow has a manual approval gate on prod via GitHub Environments.
← Back to Blog · ← Kryptorious Tools
Keep reading: