--- slug: pipeline-synthesis type: pattern summary: "Turn delivery intent into a validated CI/CD configuration by having an agent read the repo, draft the pipeline, and prove it works." created: 2026-06-14 updated: 2026-06-14 related: acceptance-criteria: relation: depends-on note: "The agent needs explicit delivery criteria before it can synthesize the right pipeline." approval-policy: relation: uses note: "Generated pipelines must preserve approval gates for risky stages such as production deployment." configuration: relation: produces note: "The output is configuration: versioned pipeline code in the target platform's format." continuous-delivery: relation: supports note: "A synthesized pipeline can create or extend the automated path from passing commit to releasable artifact." continuous-integration: relation: depends-on note: "Pipeline synthesis generates the workflows that run continuous integration checks." deployment: relation: supports note: "Deployment stages are often part of the generated pipeline and need the same safety checks as hand-written deployment automation." human-in-the-loop: relation: uses note: "A person reviews the generated pipeline artifact before it changes the repository's delivery path." tool: relation: depends-on note: "The agent needs repository, validator, and platform tools to synthesize a working artifact." verification-loop: relation: uses note: "Generated pipeline configuration must be validated, tested, and corrected before humans accept it." --- # Pipeline Synthesis > **Pattern** > > A named solution to a recurring problem. *Pipeline synthesis turns delivery intent into a validated CI/CD pipeline artifact, so the team reviews executable automation instead of hand-writing platform syntax from scratch.* You have probably asked an agent for a GitHub Actions workflow and received YAML that looked plausible. Sometimes it even worked. Pipeline synthesis makes that move disciplined: the agent reads the repository, derives the stages from the task, generates the target platform's configuration, validates it, and leaves a diff for a human to accept. ## Understand This First - [Continuous Integration](continuous-integration.md) — the checks the synthesized pipeline usually starts with. - [Continuous Delivery](continuous-delivery.md) — the releasable path the pipeline may extend. - [Acceptance Criteria](acceptance-criteria.md) — the concrete finish line the agent must encode. ## Context This is an **operational** pattern at the boundary between agentic coding and software delivery. It belongs where [configuration](configuration.md), [continuous integration](continuous-integration.md), and [deployment](deployment.md) meet. CI/CD systems are powerful because their behavior is versioned as code. They are also fussy: GitHub Actions, GitLab CI, Jenkins, Tekton, and CircleCI each have their own syntax, trigger model, secret handling, matrix support, caching rules, and deployment idioms. A senior platform engineer sees the shape quickly. A product engineer who needs "run tests on PRs and deploy staging on merge" may still lose an afternoon to YAML, permissions, and indentation. Agents are good at this translation when the task is bounded. They can read the repo, infer the language and test runner, compare existing workflow files, draft the configuration, and run validators. The useful output isn't advice or a generic example. It is a concrete artifact: a pull request that changes `.github/workflows/build.yml`, `.gitlab-ci.yml`, a `Jenkinsfile`, or the equivalent file for the team's delivery platform. ## Problem Delivery intent is often expressed in human terms: "build and test every pull request, scan the container image, deploy staging on `main`, and require approval before production." The CI/CD system needs a stricter artifact: platform-specific configuration with valid syntax, correct triggers, scoped secrets, cache keys, environment gates, and failure behavior. Writing that artifact by hand burns specialist time. Copying from a template is faster, but templates don't know this repo's package manager, test suite, deployment target, or security policy. A vague request for "a workflow" can produce a confident draft that misses one of those details. How do you turn delivery intent into executable pipeline code without trusting unverified YAML? ## Forces - Pipeline configuration is code, but it is code most application developers touch rarely. - The repository already contains clues: package files, test directories, Dockerfiles, deployment scripts, environment examples, and existing workflows. - Generated YAML can be syntactically valid while still violating secrets policy, skipping a required check, or deploying from the wrong branch. - Teams want delivery automation quickly, but the delivery path is too consequential to accept agent output without review. ## Solution **Have the agent synthesize the pipeline as a draft artifact, then require validation and human review before it changes the delivery path.** Start with an intent statement that names the platform, triggers, checks, deployment stages, secrets, and approval gates. Treat this as [acceptance criteria](acceptance-criteria.md), not as a loose prompt. If production deployment requires manual approval, say so. If the workflow must never expose secrets to pull requests from forks, say that too. Give the agent repository context before generation. It should inspect package manifests, test commands, container files, deployment scripts, environment examples, and any existing CI/CD configuration. For a greenfield pipeline, the agent derives the workflow from these signals. For an existing pipeline, it changes the smallest surface that satisfies the new intent. Make validation part of the task, not a follow-up. The agent checks YAML syntax, platform schema, secret references, branch triggers, permissions, and whether the generated commands actually exist in the repository. When possible, it runs the same local commands the pipeline will run: install, lint, test, build, package. The generated pipeline doesn't have to be perfect on the first pass. It does have to enter a [verification loop](verification-loop.md) until the draft is internally consistent. The final output is a reviewable diff, not an autonomous deployment. A person reviews the pipeline before merge, paying special attention to secrets, permissions, production gates, cost, and failure behavior. Pipeline synthesis saves the blank-page and syntax work; it doesn't remove ownership from the team. > **⚠️ Warning** > > Do not let an agent commit generated pipeline configuration straight to the default branch. A broken pipeline blocks work. An over-permissive pipeline can leak secrets or deploy unsafe code. Keep the human review step unless the pipeline class is low risk and already covered by an explicit approval policy. ## How It Plays Out A team maintains a Python service with no CI. A developer asks an agent: "Create a GitHub Actions workflow for this repo. On every pull request, install dependencies with `uv`, run `ruff`, run `pytest`, and upload coverage. Use the existing `pyproject.toml`. Keep permissions read-only." The agent reads the repo, finds the test directory, writes `.github/workflows/ci.yml`, and runs the same commands locally. The first draft calls `pip install`; validation fails because the repo uses `uv`. The agent corrects the workflow before opening the diff. A platform team has a standard delivery pipeline, but each new service still needs a slightly different version. The agent reads the organization's template library, the service's Dockerfile, and the deployment manifest. It generates a GitLab CI file with build, test, image scan, staging deploy, and production deploy stages. Production is gated by manual approval because the intent statement required it. Review takes ten minutes instead of a half day because the platform engineer is reviewing a concrete proposal. An agent tries to synthesize a pipeline for a monorepo. It notices three package managers and no obvious root test command. Rather than inventing one, it reports the ambiguity and proposes two alternatives: a matrix workflow per package directory, or a first pass that covers only the service named in the ticket. That refusal is part of the pattern. A pipeline generator that guesses across ambiguous delivery boundaries isn't helping. > **💡 Example Prompt** > > "Create a GitHub Actions workflow for this repository. On pull requests, install dependencies, run lint, type checks, and tests. On merge to main, build the Docker image and push it to our staging registry. Do not deploy production. Validate the YAML, verify the commands exist, and leave the workflow as a diff for review." ## Consequences **Benefits.** Pipeline synthesis lowers the expertise barrier for ordinary delivery automation. Developers can express intent in the language of checks, stages, and release policy, then review generated configuration in the platform's real format. The agent also makes hidden assumptions visible: the package manager it found, the tests it will run, the branch triggers it chose, and the secrets it expects. **Liabilities.** The pattern can create false confidence if validation is shallow. A pipeline that parses may still be unsafe, slow, flaky, or wrong for the organization's delivery policy. Agents also tend to overfit to nearby examples, including stale or insecure pipeline files already in the repo. The review step therefore matters most when the generated file looks routine. That's when people are tempted to rubber-stamp it. Generated pipeline files are production infrastructure. They need ownership, tests where possible, and periodic cleanup when build tools, deployment targets, or policy change. Pair this pattern with [garbage collection](garbage-collection.md) so the delivery path doesn't rot after the first generated draft lands. ## Sources - Jez Humble and David Farley's *[Continuous Delivery](https://martinfowler.com/books/continuousDelivery.html)* (Addison-Wesley, 2010) established the deployment pipeline as a first-class artifact that carries software from commit to release through automated build, test, and deployment stages. - Youssef Mohamed Aboelfotoh, Mohamed Ahmed Hemdan, Mohammad El-Ramly, Khlood Hassan, Mahmoud Saleh Saad, Ahmed Mohamed Tolba, and Seif Gamal Abdelmonem's *[AutoPipelineAI: Context-Aware CI/CD Pipeline Generation from Natural Language](https://arxiv.org/abs/2606.06662)* (arXiv, 2026) describes a repository-aware system that translates natural-language delivery intent into platform-specific CI/CD configuration and validates the generated artifact. - Pruthvi Raj Seknametla's *[Autonomous DevOps Platforms: The Role of Generative AI in CI/CD Optimization and Infrastructure Management](https://doi.org/10.55454/rcsas.6.03.2026.002)* (RCSAS, 2026) describes GenDOP's natural-language pipeline synthesis capability and argues that generated pipeline artifacts should remain human-reviewed before they enter a version-controlled delivery path. --- - [Next: Rollback](rollback.md) - [Previous: Continuous Deployment](continuous-deployment.md)