
Pipeline Migration

Pipeline migration moves build, test, release, or deployment workflows to a new CI/CD system or paved-road template. The goal is safer delivery, not a different place to run the same fragile steps.

Inventory

For each pipeline, capture:

  • Repository and owning team.
  • Trigger conditions.
  • Build and test commands.
  • Required secrets and permissions.
  • Artifacts produced.
  • Deployment targets.
  • Manual approvals.
  • Notifications and evidence needs.

Migration approach

Security improvements

Use migration to improve security:

  • Replace static secrets with OIDC federation where possible.
  • Scope permissions by repository, environment, and workflow.
  • Pin third-party actions and plugins.
  • Add secret scanning and dependency scanning.
  • Record artifact identity and provenance.
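
An added example, not part of the original playbook: a small Python audit that checks one workflow file against three of the items above (pinning, stored secrets that are candidates for OIDC federation, and an explicit permissions block). It assumes GitHub Actions workflow syntax; the sample workflow, the `example-org` action names and the `audit_workflow` function are constructed for illustration.

```python
import re

# Constructed sample in GitHub Actions syntax (assumed CI system; names are made up).
SAMPLE_WORKFLOW = """\
name: release
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/setup-tool@v2
      - uses: example-org/build-tool@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: ./deploy.sh
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.M)
COMMIT_RE = re.compile(r"@[0-9a-f]{40}$")          # full commit SHA, not a tag or branch
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")   # image digest, not a mutable tag
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
PERMS_RE = re.compile(r"^\s*permissions:", re.M)


def audit_workflow(text):
    """Return (finding, detail) tuples for one workflow file's text."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith("./"):
            continue  # local action: versioned with the repository itself
        pin = DIGEST_RE if ref.startswith("docker://") else COMMIT_RE
        if not pin.search(ref):
            findings.append(("unpinned", ref))
    for name in sorted(set(SECRET_RE.findall(text))):
        if name != "GITHUB_TOKEN":  # per-run token issued by the platform, not a stored secret
            findings.append(("stored-secret", name))
    if not PERMS_RE.search(text):
        findings.append(("no-permissions-block", "workflow"))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{finding}: {detail}")
```

Running it across every inventoried pipeline before cutover gives a per-repository list of what still has to change, and an empty result is one piece of evidence for the validation step.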

Validation

Before switching, prove the new pipeline:

  • Builds equivalent artifacts.
  • Runs required checks.
  • Publishes to approved registries.
  • Deploys to the right environment.
  • Produces required audit evidence.
  • Handles rollback or promotion correctly.

Watchouts

  • Hidden manual steps often live outside pipeline code.
  • Notification and evidence consumers may depend on old workflow names.
  • Copying old permissions can preserve excessive access.
  • Retire old runners, tokens, webhooks, and credentials after cutover.
