Deployment Procedure
Policy
Section titled “Policy”Deployments use build-once, deploy-many. Production receives an already-built artifact identified by a SemVer tag and pinned digest. Rebuilding from source during promotion is not allowed because it weakens traceability and makes rollback evidence ambiguous.
flowchart LR mr[Merge request] --> checks[Lint, tests, SAST, SCA, IaC] checks --> image[Build image once] image --> evidence[SBOM, PBOM, provenance, signature] evidence --> staging[Deploy staging] staging --> approval[Manual production approval] approval --> production[Promote digest to production]Execution Modes
Section titled “Execution Modes”Validate the merge request pipeline and review security findings.
Build the image once and publish SBOM, provenance and signature artifacts.
- Deploy the same digest to staging.
- Run health, integration and DAST checks against staging.
Promote the approved digest to production with a recorded deployment event.
Render Helm manifests or Argo CD applications from the exact Git revision.
- Run schema, policy and security validation before sync.
- Review Argo CD diff and Kyverno policy impact.
- Sync in the expected wave order.
Confirm rollout status, alerts and post-deployment health checks.
Run
ansible-playbook --check --diffwith the intended inventory.- Document tasks that cannot predict changes in check mode.
- Execute the playbook only after the diff is reviewed.
- Re-run in check mode to validate idempotence.
- Record service health and rollback instructions.
Required Checks
Section titled “Required Checks”- Unit tests and integration tests pass.
- Secret scanning passes or has a documented exception.
- Image scan is reviewed.
- Deployment diff is reviewed.
- Rollback target is known.
Rollback
Section titled “Rollback”Rollback uses the previous known-good digest, not a rebuild from source.