awaBerry in Industrial DevOps — CI/CD for Embedded Devices

Most discussions of CI/CD pipelines assume a world of cloud servers and containerised workloads — infrastructure that is uniform, addressable, and easy to reach from a build system. The reality in many industries is far messier. A modern automotive assembly plant runs on thousands of nodes: edge compute servers managing production line telemetry, PLCs orchestrating robotic arms, SoC controllers embedded in quality inspection systems, and everything in between. None of these devices are in a cloud data centre. Most of them are air-gapped from the public internet by design. And every single one of them requires regular software updates, security patches, and configuration management.

When I was designing the awaBerry Agentic API, the industrial CI/CD use case was central to my thinking. Let me explain why the problem is harder than it looks — and how we solved it.

The Hidden Complexity of Industrial Device Fleets

A single out-of-date server or embedded device can stall an entire assembly line. A missed security patch on a node that processes production data can become a ransomware entry point. And yet the operational reality is that patching thousands of heterogeneous devices — across multiple factory buildings, multiple shifts, and multiple device generations — has historically been a manual burden that teams have accepted as unavoidable.

The traditional approach involves a combination of scheduled maintenance windows, manual SSH sessions to individual devices, scripts that are inconsistently maintained across teams, and — inevitably — devices that fall through the cracks and remain unpatched for months. It is not that the engineers lack skill or care. It is that the tooling was not designed for this scale of heterogeneous infrastructure.

awaBerry Agentic API as a CI/CD Orchestration Layer

The awaBerry Agentic API provides the programmatic access layer that industrial CI/CD pipelines have been missing. Here is how a typical deployment pipeline works with awaBerry:

Your build system — whether that is GitHub Actions, GitLab CI, Jenkins, or a custom pipeline — produces a tested, versioned artifact. Rather than requiring VPN access or manual deployment, the pipeline uses a project-scoped awaBerry API key to authenticate against the Agentic API. It then connects to each target device over an encrypted, outbound-only HTTPS tunnel and executes the deployment script that was pre-staged on the device using the awaBerry Smart Automation Framework.

The Smart Automation Framework is important here. The deployment logic — the actual shell commands that update packages, restart services, validate checksums, and report success or failure — lives as a locally-stored, deterministic script on each device. The CI pipeline does not execute arbitrary commands at runtime. It triggers a named, auditable script with defined inputs and outputs. This is both more secure and more reliable than ad-hoc SSH command execution, because the execution path is known in advance and logged precisely.
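As an added illustration (example code, not awaBerry's own framework or scripts), this is what such a pre-staged, deterministic deployment script can look like in POSIX shell: it accepts only defined inputs (artifact path, expected SHA-256, install directory), refuses to touch the device if the digest does not match, and emits one structured result line for the audit trail. The awaBerry trigger mechanism and the service restart step are assumed and not shown.

```shell
#!/bin/sh
# Hypothetical pre-staged deployment script (example only, not awaBerry code).
# Defined inputs: ARTIFACT path, EXPECTED_SHA256 hex digest, INSTALL_DIR.
# Nothing else is accepted, so a caller cannot turn this into arbitrary execution.
set -u

# digest FILE: print the hex SHA-256 of FILE (coreutils, with a BSD fallback)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# report STATUS REASON [EXTRA]: one structured line for the audit log
report() {
    echo "result=$1 reason=$2 ${3:-}"
}

# deploy ARTIFACT EXPECTED_SHA256 INSTALL_DIR
# Returns 0 on success; non-zero and no side effects when any check fails.
deploy() {
    [ $# -eq 3 ] || { report fail bad_arguments "argc=$#"; return 2; }
    artifact=$1; expected=$2; dest=$3

    # Input validation: the digest must be exactly 64 lowercase hex characters.
    printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' \
        || { report fail malformed_digest "artifact=$artifact"; return 2; }

    [ -f "$artifact" ] \
        || { report fail missing_artifact "artifact=$artifact"; return 1; }

    # Integrity gate: never install an artifact whose digest differs from the
    # one the pipeline declared; a tampered or truncated file stops here.
    actual=$(digest "$artifact")
    [ "$actual" = "$expected" ] \
        || { report fail checksum_mismatch "artifact=$artifact actual=$actual"; return 1; }

    # Install step. A service restart via the init system would follow here;
    # it is left out so the example runs on any host.
    mkdir -p "$dest" && cp "$artifact" "$dest/" \
        || { report fail install_error "dest=$dest"; return 1; }

    report ok installed "artifact=$artifact sha256=$expected dest=$dest"
}
```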

One project configuration in the Agentic API can target multiple devices simultaneously. A single pipeline run can update an entire fleet segment — all edge servers in Building A, for example — while a separate configuration handles the SoC devices on the assembly lines, with different permission scopes and deployment scripts appropriate to each device class.

Web-to-Local: Making Management Interfaces Reachable

Industrial devices frequently run embedded web interfaces for monitoring and configuration — SCADA systems, OPC-UA clients, custom dashboards, database admin panels. These interfaces are designed to be accessed on the local network. Historically, reaching them remotely meant either exposing them to the internet (unacceptable) or connecting via VPN (complex and broad in its access grant).

awaBerry's Web-to-Local feature solves this cleanly. Once a device is registered in awaBerry, any locally-running web application can be reached through an encrypted zero-trust tunnel directly in your browser, without that application ever touching the public internet. A maintenance engineer can inspect the configuration interface of an embedded controller from an operations centre on the other side of the planet — and close the tunnel when the work is done, with no residual exposure.

The Security Properties That Matter in Production

In a production environment, the security properties of the access layer are not optional. Every connection through the awaBerry Agentic API is made with a scoped Project Key that can be configured with four independent dimensions: privilege level, filesystem access scope, write permissions, and command execution scope. A deployment pipeline that only needs to trigger a specific update script can be configured with an explicit command allowlist — it literally cannot execute anything outside that list, even if the pipeline is compromised.

Instant revocation means that if a project key is suspected to be compromised, access terminates the moment the project is deleted from the dashboard. No waiting for certificate revocations to propagate. No firewall rule cleanup. Immediate, complete termination of access.

The full audit trail generated by every Agentic API interaction is available in the awaBerry dashboard and can be streamed to your SIEM. For regulated industries — automotive, medical device manufacturing, aerospace — this produces the kind of documented evidence of access controls that compliance frameworks require.

From the Server Rack to the Smallest SoC

What makes the awaBerry approach distinctive is that the same platform handles the full range of device classes in a modern industrial environment. The same Agentic API that orchestrates updates to your edge compute servers also handles the SoC devices embedded in your production line controllers. The same zero-trust tunnel infrastructure that reaches your Linux servers in the data centre reaches the ARM-based devices running your quality inspection cameras.

Your production should not stop because a patch is overdue. And your security posture should not depend on the hope that your maintenance window scripts happened to run correctly on every node last Tuesday.