A complete CI/CD setup for a Salesforce DX project, with GitHub Actions as the example runner.
Pipeline phases:
1. PR validation pipeline (runs on pull request) — checkout code, install Salesforce CLI, authenticate to dev hub via stored auth URL, create scratch org from config/project-scratch-def.json, deploy source, run all Apex tests with code coverage, delete scratch org. Failures block merge.
2. UAT deploy pipeline (runs on merge to develop branch) — auth to UAT sandbox, run validate-only deploy first (catches issues without commit), then deploy with all tests.
3. Production deploy pipeline (runs on merge to main, with manual approval gate) — uses GitHub Environments to require human approval before production deploy. Always run all tests on production deploys.
4. Quality gates:
- Apex test coverage enforced at 75% via sf apex run test --code-coverage. Fail pipeline if below.
- PMD / ESLint static analysis on Apex / LWC.
- Pre-commit hooks (Husky + Prettier) for code style.
5. Secrets management:
- Store auth tokens for each org (DevHub, UAT, Prod) as GitHub Secrets, referenced by the workflow.
- Use JWT-based auth for headless CI: register a private key in a Connected App, sign JWT tokens for CLI auth.
6. Advanced patterns:
- Unlocked Packages for modular delivery.
- Salesforce Git Delta (sgd) — computes metadata diff between commits and deploys only that subset (faster for large orgs).
- Cypress / Playwright for end-to-end LWC UI testing.
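Phases 1 and 5 as a GitHub Actions workflow, added here as an illustration and not taken from the original page or from any project. The secret name DEVHUB_AUTH_URL, the org aliases devhub and ci, the Node version and the target branch are assumptions.

```yaml
# Added example: PR validation workflow (phase 1) with secret handling (phase 5).
# Assumed names: secret DEVHUB_AUTH_URL, org aliases "devhub" and "ci".
name: pr-validation
on:
  pull_request:
    branches: [develop]

permissions:
  contents: read   # GITHUB_TOKEN can read the repository and nothing else

jobs:
  validate:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Install Salesforce CLI
        run: npm install --global @salesforce/cli

      - name: Authenticate to Dev Hub
        env:
          DEVHUB_AUTH_URL: ${{ secrets.DEVHUB_AUTH_URL }}  # passed via env, not inlined in the script
        run: |
          umask 077                                     # auth file readable by the runner user only
          trap 'rm -f "$RUNNER_TEMP/devhub.auth"' EXIT  # remove the auth URL even if login fails
          printf '%s' "$DEVHUB_AUTH_URL" > "$RUNNER_TEMP/devhub.auth"
          sf org login sfdx-url --sfdx-url-file "$RUNNER_TEMP/devhub.auth" \
            --alias devhub --set-default-dev-hub

      - name: Create scratch org
        run: |
          sf org create scratch --definition-file config/project-scratch-def.json \
            --alias ci --set-default --duration-days 1

      - name: Deploy source
        run: sf project deploy start --target-org ci

      - name: Run Apex tests with code coverage
        run: |
          sf apex run test --target-org ci --test-level RunLocalTests \
            --code-coverage --result-format human --wait 30

      - name: Delete scratch org
        if: always()   # clean up even when deploy or tests fail
        run: sf org delete scratch --target-org ci --no-prompt
```

GitHub does not pass repository secrets to pull_request runs that come from forks, so this job can only authenticate for branches inside the repository.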
Migration from legacy "change set" workflow: convert metadata to source format via sf project retrieve start; set up Git repo; establish branch policy (feature -> develop -> main); wire CI/CD starting with PR validation; phase out change sets.
This is the standard professional Salesforce delivery setup as of 2026.
