My Drupal deployment workflow
In 20+ years of working on Drupal, this is my best Drupal development and deployment workflow.
I wanted to outline the development and deployment workflow I use on dri.es, my personal website.
My site uses Drupal (obviously) and runs on Acquia Cloud (of course), but a lot of this is a best practice for any web application.
I manage my website's code and configuration in Git. Each time I commit a change to my Git repository, I go through the following steps:
- I create a staging environment to test my code before deploying it to production. It's a complete staging environment: not just PHP, MySQL and Nginx, but also Varnish, Memcache, etc.
- I check out my Git repository. My Git repository hosts my custom files only. It's a best practice not to commit Drupal core or third-party Drupal modules to your Git repository.
- I run PHP Code Sniffer to make sure my code conforms to my coding style rules. I specify my coding style rules in
phpcsto make sure my code adheres to them. If not,
phpcbftries to fix my code automatically. I like my code tidy.
- I run PHPStan, a static code analysis tool for PHP, that scans my code base for bugs. It will find dead code, type casting problems, incorrect function arguments, missing type hints, unknown function calls, and much more. PHPStan is a fantastic tool.
- I run PHP Unit, a PHP testing framework, to make sure my unit tests pass.
- I run phpcs-security-audit, a static code analysis tool for PHP. It scans my PHP code for security vulnerabilities and security weaknesses.
- I run nodejs-scan to find insecure code patterns in my Node.js applications. I don't use Node.js at the moment though.
- I also run Semgrep, a static code analysis tool for a variety of programming languages.
- I run Rector to make sure I don't use deprecated Drupal code. When I do, Rector will try to programmatically update any deprecated code that it finds.
- As my Git repository only has custom files, I use Composer to download and install the latest version of Drupal and all third-party modules and components.
- I run
drush pm:security. Drush is a Drupal-specific tool, and the
pm:securityoption verifies that I have no insecure dependencies installed.
This all might sound like a lot of work to set up, and it can be. For Acquia customers and partners, Acquia Code Studio automates all the steps above. Acquia Code Studio is a fully managed CI/CD based on Gitlab, with specific steps optimized for Drupal. In 20+ years of working on Drupal, it's my best webops workflow yet. It couldn't be easier.
Acquia Code Studio also takes care of automating dependency updates. Code Studio regularly checks if Drupal or any of its dependencies have a new release available. If there is a new release, it will run all the steps above. When all of the above tools pass, Acquia Code Studio can deploy new code to production with one click of a button.
I love it!
— Dries Buytaert
Dries Buytaert is an Open Source advocate and technology executive. More than 10,000 people are subscribed to his blog. Sign up to have new posts emailed to you or subscribe using RSS. Write to Dries Buytaert at email@example.com.