Skip to content
Matt Edwards
Back to blog
Part 4 of 10 in series
Building a Production-Grade Blog

A curated collection of articles exploring this topic in depth.

4 min read

Automation as a Trust Mechanism

Why automation is more about psychological safety than technical speed, even for a simple static site.

ci-cdautomationengineering-discipline

I would imagine one of the most common arguments against setting up a full CI/CD pipeline for a personal blog or small site is that it is overkill or even YAGNI (You Ain't Gonna Need It). When you are the only developer and the only author, the overhead of maintenance could be considered to outweigh the benefits of automation.

This argument misses the primary purpose of CI/CD: it is not about speed; it is about trust.

Automation is a mechanism for offloading the burden of manual discipline. By encoding our standards into a pipeline, we free ourselves from the need to remember them.

The "Simple Site" fallacy#

Even a "simple" static blog has a set of implicit rules that must be followed for it to function correctly. You must remember to:

  • Ensure all posts have the required metadata.
  • Verify that links are not broken.
  • Check that the build actually produced the expected files.
  • Ensure that drafts do not accidentally leak into production.
  • Use the correct cloud credentials for deployment.

As a project grows, the mental cost of performing these checks manually increases until it becomes a barrier to publishing. CI/CD replaces this mental cost with a deterministic gate.

Content validation as a safety rail#

The specifics below reflect my own implementation, but the pattern is what matters: automation enforces the rules so I don't have to remember them.

Building on the idea of content as data, the pipeline acts as the enforcer of the data contract. When I push a new post, the first thing the system does is run the validation scripts.

pnpm test:content

This doesn't just check for syntax errors. It ensures that every post in the repository adheres to the Zod schemas we defined. If I have forgotten a tag or used an invalid series name, the pipeline fails immediately. I don't have to "remember" to validate my content; the system refuses to move forward until I do.

Build verification: Checking the output#

The build process for a modern static site can be complex. It involves transpiling TypeScript, processing images, and generating search indexes. Occasionally, a tool update or a configuration change can cause the build to succeed but produce an incomplete result, a "silent failure."

To catch this, the pipeline includes a post-build validation step. It verifies that critical files like index.html, rss.xml, and the search index actually exist in the output directory. It also runs a check to ensure that no draft content has been accidentally exported.

- name: Ensure no drafts are present
  run: |
    if grep -R "draft: true" out/; then
      echo "Draft content detected in build output"
      exit 1
    fi

Deployment with confidence#

The final stage of the pipeline is deployment. In a less disciplined setup, this often involves keeping long-lived AWS access keys on a local machine or in GitHub Secrets.

In this architecture, I use OIDC (OpenID Connect) to allow GitHub Actions to assume a specific IAM role in AWS without static credentials. This is the "Security as intent" principle in practice. The pipeline is only allowed to touch the specific S3 bucket and CloudFront distribution it needs, and it only does so after every previous check has passed.

Peace of mind#

The result of this investment is a high degree of psychological safety. When I push a change, I know that if it goes live, it has passed every test I have deemed important.

I am no longer relying on my own consistency to maintain the quality of the site. I am relying on a system I designed to be more consistent than I am. This peace of mind is intended to allow the project to remain a joy to maintain rather than a chore to keep from breaking and subsequently a barrier to overcome for each post.

In the next post, I will look at the AWS primitives that serve as the foundation for this delivery, and why using them directly is a better long-term strategy than relying on "magic" platforms.