Design and implement a secure, efficient CI/CD pipeline for a microservice that builds a Docker image, runs tests, scans for vulnerabilities, signs the image, and promotes it through dev/staging/prod environments. The service is a Python Flask app with dependencies defined in requirements.txt. You must:
Provide a production-grade Dockerfile that uses multi-stage builds, minimizes image size, leverages layer caching, and runs as a non-root user.
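A Dockerfile meeting that requirement, added here as an illustration and not part of the original task text. It assumes the Flask app exposes a WSGI object as `app:app`, that `gunicorn` is listed in requirements.txt, that a `/healthz` route exists, and that a `.dockerignore` excludes `.git`, tests and local virtualenvs; all four are assumptions.

```dockerfile
# syntax=docker/dockerfile:1

# ---- Stage 1: builder -------------------------------------------------------
# Installs dependencies into an isolated virtualenv; nothing from this stage
# except /opt/venv reaches the final image, so pip, build caches and any
# compiler output never ship to production.
FROM python:3.12-slim AS builder
ENV PIP_DISABLE_PIP_VERSION_CHECK=1
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
WORKDIR /build
# Copy requirements.txt alone first: this layer (and the install below) is
# reused from cache until the dependency list itself changes.
COPY requirements.txt .
RUN --mount=type=cache,target=/root/.cache/pip \
    pip install -r requirements.txt

# ---- Stage 2: runtime -------------------------------------------------------
# Same base as the builder so the venv's interpreter path is valid here.
FROM python:3.12-slim AS runtime
# Fixed, non-zero UID/GID so a Gatekeeper/PSA policy requiring runAsNonRoot
# and a specific runAsUser can be verified against the image.
RUN groupadd --system --gid 10001 app \
 && useradd --system --uid 10001 --gid app --home-dir /app \
            --shell /usr/sbin/nologin app
ENV PATH="/opt/venv/bin:$PATH" \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1
WORKDIR /app
COPY --from=builder /opt/venv /opt/venv
# Application source changes most often, so it is the last layer. It stays
# root-owned (read-only for the app user) so a compromised process cannot
# rewrite its own code.
COPY . .
USER app
EXPOSE 8000
# /healthz is an assumed route; urlopen raises on non-2xx, yielding exit 1.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s \
  CMD python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/healthz')"
# gunicorn (assumed to be in requirements.txt) in front of the Flask app;
# exec-form CMD so signals reach gunicorn directly for clean shutdown.
CMD ["gunicorn", "--bind", "0.0.0.0:8000", "--workers", "2", "app:app"]
```

Build with `docker build -t myservice:local .`; the Trivy and cosign steps later in the pipeline operate on the resulting image digest.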
Write a GitHub Actions workflow (or equivalent) that:
  - Lints the Python code and Dockerfile
  - Runs unit and integration tests in parallel
  - Builds the image and caches layers
  - Scans the image for CVEs with Trivy and fails on HIGH/CRITICAL
  - Pushes the image to a registry using tags derived from git SHA and semver
  - Signs the image with cosign and attaches an SBOM
  - Deploys to dev on every push to main, to staging on git tags matching v*.., and to prod only after manual approval
Explain how you would handle secrets (registry credentials, cosign key) and enforce policies (e.g., no images older than 30 days, must pass CVE threshold) using OPA/Gatekeeper.
Describe how you would monitor the pipeline (logs, metrics, alerts) and roll back a bad release.
You have 45 minutes to discuss your design and show key snippets; you do not need to code the entire pipeline live, but be ready to justify every decision.