My Drupal deployment workflow
I wanted to outline the deployment workflow I use on dri.es, my personal website.
My site uses Drupal (obviously) and runs on Acquia Cloud (of course), but a lot of this is a best practice for any web application.
I manage my website's code and configuration in Git. Each time I commit a change to my Git repository, I go through the following steps:
- I create a staging environment to test my code before deploying it to production. It's a complete staging environment: not just PHP, MySQL and Nginx, but also Varnish, Memcache, etc.
- I check out my Git repository. My Git repository hosts my custom files only. It's a best practice not to commit Drupal core or third-party Drupal modules to your Git repository.
- I run PHP Code Sniffer to make sure my code conforms to my coding style rules. I specify my coding style rules in `phpcs.xml` and use `phpcs` to make sure my code adheres to them. If not, `phpcbf` tries to fix my code automatically. I like my code tidy.
- I run PHPStan, a static code analysis tool for PHP, that scans my code base for bugs. It will find dead code, type casting problems, incorrect function arguments, missing type hints, unknown function calls, and much more. PHPStan is a fantastic tool.
- I run PHPUnit, a PHP testing framework, to make sure my unit tests pass.
- I run phpcs-security-audit, a static code analysis tool for PHP. It scans my PHP code for security vulnerabilities and security weaknesses.
- I run ESLint, a static code analysis tool for JavaScript. It scans my JavaScript code for security vulnerabilities and weaknesses.
- I run nodejs-scan to find insecure code patterns in Node.js applications. I don't use Node.js though, so this is a no-op.
- I also run Semgrep, a static code analysis tool for a variety of programming languages.
- I run Rector to make sure I don't use deprecated Drupal code. When I do, Rector will try to programmatically update any deprecated code that it finds.
- As my Git repository only has custom files, I use Composer to download and install the latest version of Drupal and all third-party modules and components.
- I run `drush pm:security`. Drush is a Drupal-specific tool, and the `pm:security` command verifies that I have no insecure dependencies installed.
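The steps above can be chained into one fail-closed gate script. This is an added sketch, not code from dri.es or Acquia Code Studio. It assumes every tool is on `PATH`, that custom code lives under `web/modules/custom`, and that `security-ruleset.xml` is a phpcs-security-audit ruleset you supply. It only gates, so auto-fixing with `phpcbf` or Rector stays a developer step, and the nodejs-scan step is omitted.

```shell
#!/bin/sh
# Added example: fail-closed gate runner for the checks in the list above.
# Assumed names: $CUSTOM path, security-ruleset.xml, gate log file names.
CUSTOM="${CUSTOM:-web/modules/custom}"
LOG_DIR="${LOG_DIR:-/tmp}"
FAILED_GATES=""

# run_gate NAME CMD [ARGS...]: run one check, keep its output as a log,
# and record the gate name if the tool exits non-zero.
run_gate() {
  gate="$1"; shift
  if "$@" >"$LOG_DIR/gate-$gate.log" 2>&1; then
    echo "PASS $gate"
  else
    echo "FAIL $gate (see $LOG_DIR/gate-$gate.log)"
    FAILED_GATES="$FAILED_GATES $gate"
  fi
}

# pipeline: run every gate in the order of the list, then decide.
# Returns 0 only when no gate failed, so a deploy step chained with &&
# never runs after a failed security check.
pipeline() {
  FAILED_GATES=""
  run_gate phpcs          phpcs --standard=phpcs.xml "$CUSTOM"
  run_gate phpstan        phpstan analyse "$CUSTOM"
  run_gate phpunit        phpunit
  run_gate security-audit phpcs --standard=security-ruleset.xml "$CUSTOM"
  run_gate eslint         eslint "$CUSTOM"
  # --error makes Semgrep exit 1 when it reports findings.
  run_gate semgrep        semgrep scan --config auto --error "$CUSTOM"
  # --dry-run reports deprecated code without rewriting files.
  run_gate rector         rector process --dry-run "$CUSTOM"
  run_gate composer       composer install --no-interaction
  run_gate pm-security    drush pm:security
  [ -z "$FAILED_GATES" ]
}

# Run only when invoked as "./gates.sh run"; sourcing defines functions only.
if [ "${1:-}" = "run" ]; then
  pipeline || { echo "Blocked by:$FAILED_GATES"; exit 1; }
  echo "All gates passed; safe to deploy."
fi
```

Every gate runs even after an earlier failure, so one pass shows the full list of blocking checks.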
It might sound like a lot of work to set up, and it can be. For Acquia customers and partners, Acquia Code Studio automates all the steps above. Acquia Code Studio is a fully managed CI/CD based on GitLab, with specific steps optimized for Drupal. It couldn't be easier.
A screenshot of Acquia Code Studio showing the automated tests feature. For more details, check this video.
Acquia Code Studio also takes care of automating dependency updates. Code Studio regularly checks if Drupal or any of its dependencies have a new release available. If there is a new release, it will run all the steps above. When all of the above tools pass, Acquia Code Studio can deploy new code to production with one click of a button.
A screenshot of Acquia Code Studio showing the automated update feature. For more details, check this video.
I love it!