We have an Ansible setup to deploy jive-sdk apps with the help of Go, which is our own (ThoughtWorks) product for CD.
To explain in simple steps, every checkin to our repo triggers a pipeline in Go.
New code is deployed on a test server and we run unit / integration tests there.
Then we generate an RPM with app dependencies and push it to a yum repo (spacewalk).
Then whenever we want to deploy to uat / prod, we trigger another pipeline which uses Ansible scripts and Ansible Tower to deploy to the CentOS VMs.
For security reasons we have not enabled npm on prod servers. The dependencies are downloaded and packaged before they reach the prod server.
As we use OAuth for Google and Jive, the keys are deployed on that CentOS VM.
Using Ansible we deploy the keys when required.
We have only two node servers running for prod.
One handles all webhooks-related stuff, and the other has some 14 jive-sdk apps on a single node process and also supporting services for these apps connected through Jive Connects.
We have uploaded extension.zip for these servers only once.
So now deploying changes to an existing app or adding a new app takes only a checkin.
This triggers all pipelines and stuff gets deployed to prod without any manual intervention to replicate the add-on changes on prod jive instance.