Continuous Deployment

Continuous deployment is safe when every change is small, observable, and reversible. Start with continuous delivery if the client lacks automated tests, ownership, or production telemetry.

Pipeline baseline

A production-grade pipeline should include:

• Dependency install from pinned lockfiles and trusted registries.
• Unit, integration, contract, and smoke tests appropriate to the service.
• Static analysis, secret scanning, image scanning, and license checks.
• Artifact build, signing, provenance, and registry publication.
• Environment promotion using immutable artifact references.
• Post-deploy verification and automated rollback triggers where possible.

Deployment strategies

Choose the simplest strategy that controls risk:

• Rolling deployment for low-risk stateless services.
• Blue-green deployment for fast rollback and clean cutover.
• Canary deployment for high-traffic or high-risk services.
• Shadow traffic for validating major behavior changes.
• Feature flags when user exposure must be independent from deployment.

Environment promotion

Avoid rebuilding per environment. Build once and promote artifact digests through dev, test, staging, and production. Environment-specific behavior should come from configuration, not from rebuilding code.

Quality gates

Keep gates automated and close to the change:

• Pull request gates catch code, test, and policy issues early.
• Pre-deploy gates validate infrastructure, manifests, and permissions.
• Post-deploy gates verify health, SLO impact, and critical user journeys.

Tooling examples

• GitHub Actions, GitLab CI, Buildkite, Tekton, or Dagger for pipelines.
• Argo Rollouts, Flagger, Spinnaker, or cloud deploy services for progressive delivery.
• Trivy, Grype, Syft, Semgrep, Gitleaks, Checkov, and Conftest for automated checks.