samridhlimbu.com/projects/notes-app · v0.1
notes-app
CI/CD showcase
Full-stack notes app — Next.js client, Express + MongoDB server — wrapped in a 10-stage Jenkins pipeline that runs lint, tests, SonarCloud, Snyk, release tagging, manual-approval SSH deploy to AWS EC2, smoke test, and Prometheus target check, with auto-rollback on failure. The pipeline is the product.
Context
Built to demonstrate end-to-end DevOps practice. The app itself is deliberately simple — register/login with JWT cookies, notes CRUD in MongoDB, Next.js middleware guarding routes — because the point is the pipeline. Every commit moves through lint, tests, versioned Docker builds, SonarCloud, Snyk, automated release tagging, a manual approval gate, SSH deploy via docker-compose to AWS EC2, a /server/ping smoke test, and a post-deploy Prometheus target check. If any stage fails, the post block rolls back to the last successful build.
Timeline
2025
App scaffold
Next.js 15 (App Router, React 19, Tailwind 4, Radix UI) on the client; Express 5 + Mongoose on the server. JWT cookies with bcrypt, Next.js middleware guards routes, API routes proxy to the Express server at /server/api/*.
2025
Containerisation
Per-app Dockerfiles (node:22-slim) and three Compose files — base, dev override, and prod. Prod stack adds Prometheus, Grafana, Node Exporter, and Alertmanager on a shared bridge network.
2025
Jenkins pipeline
10-stage declarative pipeline: lint+test (server, then client) → build+push versioned Docker images → SonarCloud → Snyk → auto release tagging (npm version + git tag) → manual approval → SSH deploy via docker-compose → smoke test → Prometheus target check. Auto-rollback to last good build on failure.
2025
Observability stack
express-prometheus-middleware exposes /server/metrics; Prometheus scrapes app + Node Exporter; Grafana dashboards; Alertmanager for thresholds. The post-deploy stage validates the notes-app target is up before the pipeline reports success.
Key technical decisions
01 client + server split › monolith
Next.js renders pages and exposes API routes that proxy to a separate Express server. Independently testable, independently deployable, and the split maps cleanly to how Jenkins stages each side.
02 jenkins declarative pipeline › github actions
SIT assessment context: Jenkins makes CI/CD internals visible. Each stage is explicit in Blue Ocean; each failure is isolated with its own log; manual approval before prod deploy is a first-class gate.
03 sonarcloud + snyk in-pipeline › post-deploy scanning
Quality and security gates run before deploy. Snyk scans dependencies on both apps; SonarCloud runs a full quality scan. A failed gate blocks the pipeline — not a post-incident cleanup task.
04 smoke test + target check › deploy-and-pray
After SSH deploy, the pipeline hits /server/ping and verifies the notes-app Prometheus target is active. If either fails — or any earlier stage does — the post block rolls back to the last successful build automatically.
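The decision this gate has to make, as an added example (not the project's own pipeline code). It assumes the Prometheus scrape job is labelled `notes-app` and that the target check reads a `GET /api/v1/targets` response; the sample responses and instance names are constructed.

```javascript
// Added example: post-deploy gate logic, evaluated offline on constructed data.
// ASSUMPTION: the Prometheus scrape job is labelled "notes-app".
const JOB = "notes-app";

// Classify the job's state from a GET /api/v1/targets response body.
// Returns "up", "down", "unknown" (not scraped yet) or "missing".
function targetState(body, job = JOB) {
  if (!body || body.status !== "success" || !body.data) return "missing";
  const targets = (body.data.activeTargets || []).filter(
    (t) => t.labels && t.labels.job === job
  );
  if (targets.length === 0) return "missing"; // dropped or never configured
  if (targets.some((t) => t.health === "down")) return "down";
  if (targets.some((t) => t.health !== "up")) return "unknown";
  return "up";
}

// Combine smoke test and target check into one pipeline decision.
// "retry" is for transient states only; the caller bounds the retries.
function gate(pingStatus, targetsBody, job = JOB) {
  if (pingStatus !== 200) return "rollback"; // /server/ping failed
  const state = targetState(targetsBody, job);
  if (state === "up") return "pass";
  if (state === "unknown") return "retry"; // first scrape has not happened yet
  return "rollback"; // "down" or "missing": a healthy ping is not enough
}

// Constructed sample responses (not captured from the real deployment).
const healthy = {
  status: "success",
  data: { activeTargets: [
    { labels: { job: "notes-app", instance: "server:4000" }, health: "up", lastError: "" },
    { labels: { job: "node-exporter", instance: "node-exporter:9100" }, health: "up", lastError: "" },
  ] },
};
const justDeployed = { status: "success", data: { activeTargets: [
  { labels: { job: "notes-app", instance: "server:4000" }, health: "unknown", lastError: "" },
] } };
const onlyExporter = { status: "success", data: { activeTargets: [healthy.data.activeTargets[1]] } };

console.log(gate(200, healthy), gate(200, justDeployed), gate(200, onlyExporter), gate(502, healthy));
```

A target that is absent from the response is treated as a failure, so a deploy that silently drops the scrape config cannot pass the gate on the strength of other healthy targets.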
05 prometheus + grafana › logs-only observability
Metrics are queryable; logs are not. You can correlate request rate with CPU within the same time window — impossible with grep alone.
The pipeline
pipeline {
  stages {
    stage('Lint & Test (server, client)') { ... }
    stage('Build & Push Docker Images') { ... }
    stage('Quality: SonarCloud') { ... }
    stage('Security: Snyk') { ... }
    stage('Release Tagging') { ... }
    stage('Deploy to Production (SSH → EC2)') {
      input 'Deploy to Production?'
    }
    stage('Smoke Test (/server/ping)') { ... }
    stage('Monitoring & Alerts') { ... }
  }
  post { failure { /* rollback to last good build */ } }
}
Jenkins Declarative Pipeline. SonarCloud runs static analysis on both apps; Snyk scans dependencies on both apps. Release tagging bumps package.json versions and pushes a git tag automatically. Deploy waits on a manual approval input, then ssh-pulls the versioned images and runs docker-compose on EC2.
Stack
Frontend: Next.js 15 · React 19 · Tailwind 4 · Radix UI · Lucide
Backend: Express 5 · MongoDB · Mongoose · JWT · bcrypt · express-prometheus-middleware
Testing: Jest + jsdom (client) · ts-jest + MongoMemoryServer (server)
CI/CD: Jenkins · Docker · DockerHub · AWS EC2 · docker-compose
Quality: SonarCloud · Snyk · ESLint
Observability: Prometheus · Grafana · Node Exporter · Alertmanager