Lerna CI/CD Production Deployment - Stop Breaking Prod with Bad Releases

You've got Lerna working locally, publishing packages manually like a caveman. Time to automate this before you accidentally publish dev credentials to production like an idiot.

The Authentication Nightmare That Kills Every First Deployment

Your first production deploy fails with npm ERR! 401 Unauthorized and you spend 4 hours debugging npm tokens. The Artifactory E401 mystery hits everyone - Lerna moved from npm_config__auth to _authToken and nobody updated the docs.

GitHub Actions setup that actually works:

env:
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

steps:
- name: "Configure npm"
  run: |
    npm config set //registry.npmjs.org/:_authToken $NPM_TOKEN
    npm config set registry https://registry.npmjs.org/

Don't use npm_config__auth - it's deprecated and will silently fail in ways that waste your entire Tuesday. The authentication token setup needs to be _authToken or you're debugging phantom auth errors.

Docker Production Builds That Don't Suck

Building Docker images in a monorepo is where most teams fuck up caching. You change one comment in Package A and suddenly Package B rebuilds from scratch, because your Dockerfile copies the entire workspace like an amateur.

The problem: Standard Docker builds treat monorepos like a single codebase. Change anything, rebuild everything. Your build takes 15 minutes when it should take 2.

Multi-stage builds that work:

## Stage 1: Install all dependencies
FROM node:18-alpine AS deps
WORKDIR /app
COPY package*.json lerna.json ./
COPY packages/*/package*.json ./packages/
RUN npm ci --only=production

## Stage 2: Build specific package
FROM deps AS build
COPY packages/api ./packages/api
RUN npx lerna run build --scope=@company/api

This uses Docker BuildKit to cache dependencies so you don't rebuild everything when you change one comment. Change your API code, only the API rebuilds. The TurboRepo Docker guide has more examples.

Package Publishing Order Hell

We fucked up the publishing order once and got like 30-45 seconds of broken installs - might've been a full minute, felt like forever when Slack was exploding with complaints.

The publishing sequence that breaks everything:

1. Update @company/utils from 1.2.0 to 1.3.0
2. Update @company/ui to depend on @company/utils@^1.3.0
3. Publish @company/ui@2.1.0 first (WRONG)
4. Users install UI 2.1.0, get dependency error for utils 1.3.0
5. Your phone rings at 11pm

Lerna handles this automatically with dependency topology sorting, but only if you configure it right:

{
  "version": "independent",
  "npmClient": "npm",
  "command": {
    "publish": {
      "conventionalCommits": true,
      "message": "chore(release): publish",
      "registry": "https://registry.npmjs.org"
    }
  }
}

The lerna publish command calculates the dependency graph and publishes in order. Package A depends on Package B? Lerna publishes B first. This is the main reason you use Lerna instead of manual npm publish.

Environment-Specific Configuration Without Hardcoding

Your app needs different configs for staging vs prod, but hardcoding environment variables in Docker images is how you leak API keys to customers.

Use build args and runtime environment injection:

ARG NODE_ENV=production
ENV NODE_ENV=${NODE_ENV}

## Don't copy .env files into images
COPY --exclude=*.env* . .

Configure secrets at deploy time, not build time. The 12-factor app methodology covers this in detail. Your CI should inject secrets as environment variables, never commit them to images.

Monitoring Deployments Without Going Insane

You publish 8 packages at once. Which one broke production? Without proper monitoring, you're grep'ing logs at 2am trying to figure out if the error came from @company/auth@1.2.3 or @company/api@2.1.1.

Tag deployments in your monitoring:

• Use semantic versioning tags for release tracking
• Conventional commits for automated changelog generation
• Monitor package-specific error rates with tools like Sentry or DataDog

Lerna generates changelogs automatically if you use conventional commits. The output tells you exactly what changed in each package, which helps track down issues. This is why teams enforce commit message formats - not bureaucracy, but debugging sanity.

When package publishing fails mid-process, you end up with some packages published and others stuck. The lerna publish from-git command recovers from partial failures by reading git tags to determine what needs publishing.

Your basic pipeline works for 3 packages.

Scale to 15+ packages and suddenly everything is on fire. Here's how to build CI/CD that survives contact with real production workloads.

Selective Package Deployment (The Right Way)

Publishing all packages because one changed is wasteful and dangerous. You touch a README in Package A, suddenly Package B deploys to production for no reason. This is how you accidentally break working systems.

Path-based triggering with GitHub Actions:

name:

 Deploy Changed Packages
on:
  push:
    paths:

- 'packages/api/**'
      
- 'packages/auth/**'

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:

- name:

 Detect changes
        uses: dorny/paths-filter@v2
        id: changes
        with:
          filters: |
            api:

- 'packages/api/**'
            auth:

- 'packages/auth/**'
      
      
- name:

 Deploy API
        if: steps.changes.outputs.api == 'true'
        run: npx lerna run deploy --scope=@company/api

This approach prevents deploying unchanged packages.

The paths-filter action detects which packages actually changed and only triggers deployment for those.

No more accidental prod deployments.

But here's the catch: dependency changes still require coordinated deployments.

If Package A depends on Package B and you update B's API, both packages need deployment even if A's code didn't change. Lerna handles this with --include-dependencies flag.

Nx Cloud Integration for Enterprise Scale

Once your monorepo hits 20+ packages, build times become a problem. Local builds take 15 minutes. CI builds take 25 minutes. Developers start grabbing coffee during test runs, which means they're not catching errors early.

Nx Cloud distributed caching actually helps here:

- name:

 Restore Nx cache
  uses: actions/cache@v3
  with:
    path: node_modules/.cache/nx
    key: nx-cache-${{ hashFiles('**/package-lock.json') }}

- name:

 Run builds with Nx Cloud
  run: |
    npx nx run-many --target=build --all --parallel=3
  env:

    NX_CLOUD_ACCESS_TOKEN: ${{ secrets.

NX_CLOUD_ACCESS_TOKEN }}

The Nx Cloud distributed execution splits your build across multiple agents.

Package A builds on agent 1 while Package B builds on agent 2. Build time went from maybe 20+ minutes down to under 10 on a good day.

**But (big but)

• Nx Cloud costs money after the free tier.** For most teams, the local caching is sufficient.

Only upgrade to distributed builds when your team is actively losing productivity to slow CI.

Zero-Downtime Deployment Strategies

Deploying 8 packages simultaneously without downtime requires coordination. You can't just kubectl apply and hope for the best

• that's how you get 5 minutes of 500 errors while services restart.

Blue-green deployments with package versioning: 1.

Deploy new package versions to "green" environment 2. Run smoke tests against green environment 3. Switch traffic from blue to green environment 4. Keep blue environment as rollback option

- name: Deploy to staging slot
  run: |
    az webapp deployment slot create --name ${{ env.

APP_NAME }} --slot staging
    az webapp deploy --name ${{ env.APP_NAME }} --slot staging
    
- name: Run health checks
  run: |
    curl -f https://${{ env.

APP_NAME }}-staging.azurewebsites.net/health
    
- name: Swap slots
  run: |
    az webapp deployment slot swap --name ${{ env.

APP_NAME }} --slot staging

This works for web apps, but microservices need [canary deployments](https://martinfowler.com/bliki/Canary

Release.html).

Deploy new version to 5% of traffic, monitor error rates, gradually increase to 100%. Tools like Istio or Linkerd handle the traffic splitting.

Handling Secrets and Environment Configuration

Every team fucks up secrets management.

API keys in git repos, database passwords in Docker images, auth tokens committed to package.json. Don't be that team.

Secrets injection at runtime, not build time:

- name:

 Deploy with secrets
  run: |
    kubectl create secret generic app-secrets \
      --from-literal=DATABASE_URL=${{ secrets.

DATABASE_URL }} \
      --from-literal=API_KEY=${{ secrets.API_KEY }}
    
    npx lerna run deploy --scope=@company/api
  env:
    NODE_ENV: production

Use your platform's secret management: GitHub Secrets, AWS Secrets Manager, Azure Key Vault.

Never hardcode secrets in images or config files.

Environment-specific package configuration:

{
  "scripts": {
    "deploy:staging": "npm run build && deploy --env=staging",
    "deploy:prod": "npm run build && deploy --env=production"
  }
}

Different environments need different configurations.

Your staging API points to staging database, prod API points to prod database. Use environment variables for this, not separate codebases.

Rollback Strategies When Everything Goes Wrong

Your deployment passes all tests but breaks production anyway. Users can't log in, orders aren't processing, and your CEO is asking uncomfortable questions. You need rollback strategies that work in under 5 minutes.

Git-based rollbacks with Lerna:

## Find the last working version
git log --oneline --grep="chore(release): publish"

## Rollback to previous release
git revert <commit-hash>
npx lerna publish from-git --yes

This reverts the version bump and publishes the previous working versions.

Fast but not instantaneous

• npm takes 30 seconds to propagate new versions.

Infrastructure rollbacks for immediate relief:

• Container orchestrators: kubectl rollout undo deployment/api
• App services: az webapp deployment slot swap (back to previous slot)
• Load balancers:

Route traffic to previous version cluster

Keep previous deployment artifacts available for quick rollbacks. The deployment artifacts from your CI should be downloadable for emergency recovery.

Cost Optimization for Large Monorepos

Nx Cloud costs add up fast.

GitHub Actions minutes aren't free for private repos. Docker registry storage grows every deployment. Your AWS bill includes line items you don't recognize.

Optimize CI/CD costs without breaking functionality:

• Use GitHub-hosted runners for small builds, self-hosted runners for heavy workloads
• Clean up old Docker images automatically: docker system prune --all --filter "until=168h"
• Use artifact retention policies to delete old build artifacts

Monitor your costs. AWS bill went from a few hundred to over 2 grand because someone left debug logging on in production and nobody noticed for weeks.