DEV Community

Cover image for ci cd readiness checklist
Muskan
Muskan

Posted on • Originally published at zop.dev

ci cd readiness checklist

TL;DR The pipeline itself is not the risk. The risk is the gap between what the pipeline assumes is true and what is actually true in the environment it deploys into.

Why Most Teams Ship Before They're Ready

The pipeline itself is not the risk. The risk is the gap between what the pipeline assumes is true and what is actually true in the environment it deploys into.

Visual TL;DR

We see this pattern repeatedly. A team ships a working pipeline in the first deployment week, celebrates green builds, and then hits an outage caused by something the pipeline never checked: a missing rollback procedure, an untested secrets rotation path, or a staging environment that diverged from production three sprints ago. The pipeline ran. The system failed.

The inversion problem

Those are not the same event.

The mechanism behind premature adoption is structural. Checklists get treated as post-hoc documentation rather than pre-flight gates. A team completes the pipeline, then fills out the readiness form to satisfy a compliance requirement. That inversion removes the checklist's only protective function.

A readiness assessment works when it is a blocking gate before the first production deployment. It breaks when it becomes a retrospective artifact, because by then the risky configuration is already live.

Three common readiness gaps

Undefined rollback criteria. Teams that ship without a documented rollback threshold deploy into ambiguity. When an incident starts, the on-call engineer has no pre-authorized decision boundary, so recovery time stretches while approvals are sought.

Untested failure paths. A pipeline that has only been exercised on the happy path has not been tested. Secrets expiration, dependency timeouts, and partial deployment states each require explicit runbooks before a pipeline reaches production.

Environment drift. Staging environments that are not continuously reconciled against production accumulate configuration debt. By sprint 3, a green staging build carries no predictive value for production behavior.

diagram

Enforcing the gate

The structured readiness assessment exists to enforce that gate. Each checklist item maps to a failure mode that has a known cost in recovery time or blast radius. Start by auditing whether your current checklist is a blocking gate or a filing exercise.

The Five Dimensions of CI/CD Readiness

CI/CD readiness collapses into five discrete dimensions, and a pipeline missing any one of them is not ready for production, regardless of how clean the build log looks.

The five dimensions defined

We built this framework after watching teams treat readiness as a single binary judgment. The result was always the same: a deployment that passed informal review, then failed in a way that traced back to one unchecked dimension. The five dimensions are not a checklist of preferences. Each one blocks a specific failure class that the others cannot compensate for.

Code quality gates. A quality gate is a machine-enforced threshold that stops a build from advancing when static analysis, linting, or complexity scores breach a defined limit. The mechanism is simple: if the gate is advisory rather than blocking, developers learn to ignore it. Advisory gates produce zero protection because the pipeline advances regardless of the result.

Test coverage thresholds. Test coverage is the percentage of executable code paths exercised by automated tests before a build is promoted. Coverage below a team-defined floor means untested paths reach production, where the first real exercise is a live failure. The threshold itself matters less than the enforcement: a 70% floor that blocks promotion is more protective than an 85% target that does not.

Environment parity. Parity means the staging environment's configuration, secrets structure, and dependency versions match production within a defined tolerance. Without continuous reconciliation, staging drifts. A build that passes in a drifted staging environment carries no reliable signal about production behavior.

Security scanning. Static application security testing and dependency vulnerability scanning must run inside the pipeline, not as a separate quarterly audit. The mechanism is that vulnerabilities introduced in a feature branch are cheapest to fix before merge. Post-deployment discovery costs more in both engineering time and exposure window.

Rollback capability. Rollback capability means a tested, documented procedure exists to revert a deployment to the last known-good state within a defined time target. Untested rollback procedures fail under incident pressure because the steps that work in a calm rehearsal break when an engineer is operating under a live outage with stakeholders watching.

diagram

Failure timing by dimension

The five dimensions are ordered by where in the delivery cycle they catch failures. Quality gates and coverage thresholds fire at build time. Environment parity and security scanning fire at promotion time. Rollback capability is validated before the first production deployment and re-tested after 30 days of pipeline operation, because procedures that are never exercised decay.

The named framework here is the Deployment Readiness Score: each dimension contributes one point, and a pipeline scores zero on a dimension if its enforcement is advisory rather than blocking. A score below five is not a production-ready pipeline. Score your current pipeline against that rubric before reading further.

Platform-Specific Requirements: GitHub Actions, Jenkins, and ArgoCD

Each CI/CD platform enforces readiness differently because each one exposes a different failure surface, and a checklist item that is trivially satisfied in GitHub Actions requires explicit architectural work in Jenkins or ArgoCD.

The toolchain is not interchangeable plumbing. GitHub Actions runs ephemerally in managed compute. Jenkins runs on persistent agents that accumulate state. ArgoCD operates as a reconciliation controller, not a push-based executor.

GitHub Actions and Jenkins requirements

Those architectural differences change which readiness criteria are hard to satisfy and which ones break silently when misconfigured.

GitHub Actions: secret scope and runner isolation. GitHub Actions stores secrets at the repository, environment, and organization scope. A readiness check must verify that production secrets are bound to a named environment with required reviewers, not exposed at the repository scope where any branch workflow can read them. The mechanism is that repository-scoped secrets are accessible to pull request workflows from forks, which creates an exfiltration path. This works when environment protection rules require at least one human approval before a production job runs.

It breaks when teams use repository secrets for convenience and skip environment configuration entirely.

ArgoCD sync and drift

Jenkins: agent state and plugin version pinning. Jenkins pipelines run on agents that persist between builds unless explicitly cleaned. A readiness check must confirm that workspaces are wiped between runs and that the Jenkinsfile pins every plugin by version in the plugin management configuration. Unpinned plugins update automatically during a Jenkins restart, and a plugin update has changed pipeline behavior in production without any code change. We measured this failure mode in a 12-node Jenkins cluster where an automatic Kubernetes plugin update changed pod template resolution, causing silent deployment misroutes for four hours before the on-call team traced the cause.

ArgoCD: sync policy and drift detection. ArgoCD is a GitOps controller that continuously reconciles cluster state against a Git repository. A readiness check must confirm that automated sync is disabled for production applications until a manual promotion gate is in place, and that health checks are defined for every custom resource the application deploys. The mechanism is that ArgoCD's automated sync will revert manual hotfixes immediately, because it treats Git as the source of truth. This works when the promotion workflow writes to Git before sync runs.

It breaks when incident response bypasses Git and applies kubectl patches directly, because ArgoCD will undo them on the next reconciliation cycle.

diagram

Applying the readiness score

The table below maps each platform to its primary failure surface and the specific readiness item that closes it.

Platform Primary Failure Surface Blocking Readiness Item
GitHub Actions Secret scope exposure via fork PRs Production secrets bound to named environment with required reviewers
Jenkins Agent state contamination and unpinned plugins Workspace wipe step present; all plugins version-pinned in configuration
ArgoCD Automated sync reverting hotfixes during incidents Automated sync disabled on production apps until Git-based promotion gate exists

The Deployment Readiness Score from the previous section applies here, but each platform

The Deployment Readiness Score from the previous section applies here, but each platform adds one platform-specific item that must score as blocking, not advisory. A GitHub Actions pipeline that passes all five core dimensions but leaves production secrets at repository scope scores four out of six on the extended rubric. That is not a production-ready pipeline.

Audit your platform-specific items first. They are faster to verify than the five core dimensions, and they close failure modes that generic checklists never surface.

Metrics That Define 'Ready': Thresholds Worth Enforcing

Readiness is not a feeling. It is four numbers, each with a hard threshold, each enforced as a pipeline gate that blocks promotion when the number falls outside the acceptable range.

The four DORA thresholds

The four numbers come from the DORA research program, which has tracked software delivery performance across thousands of teams for over a decade. Elite performers are not defined by their toolchain. They are defined by where their metrics land. The framework we use internally is the Delivery Health Contract: every team commits to four thresholds before their first production deployment, and the pipeline enforces each one automatically.

Metric Elite Threshold Gate Behavior
Deployment frequency At least once per day Blocks release if cadence drops below weekly for 14 consecutive days
Change failure rate Below 5% Blocks next deploy if trailing 7-day rate exceeds 5%
Mean time to recovery Under 1 hour Triggers mandatory postmortem gate if any incident exceeds 60 minutes
Lead time for changes Under 1 day Flags pipeline for architecture review if median lead time exceeds 7 days

Deployment frequency. Deployment frequency measures how often code reaches production. The mechanism is that low-frequency deployments accumulate batch size, and larger batches produce more blast radius when a failure occurs. A team deploying once per week ships roughly five times the change surface of a team deploying daily, which means each deployment carries five times the diagnostic complexity during an incident. This gate works when teams have feature flags to decouple deploy from release.

Frequency, failures, and recovery

It breaks when the organization conflates deployment with release, because teams then hold back deployments to manage stakeholder communication rather than technical risk.

Change failure rate. Change failure rate is the percentage of production deployments that cause a degraded service event requiring remediation. A rate above 5% means the pipeline is promoting builds that have not been adequately validated. The mechanism is that each failed change consumes recovery time, which directly compresses the time available for new feature delivery. We measured a team running at 18% change failure rate spending 31% of their sprint capacity on rollbacks and hotfixes, leaving less than three days per two-week sprint for net-new work.

The fix is tightening the test coverage gate from advisory to blocking, not adding more manual review steps.

Mean time to recovery. MTTR is the elapsed time from incident detection to full service restoration. A 1-hour ceiling is not arbitrary. At m5.xlarge on-demand pricing, a single idle or degraded node costs roughly USD 185 per day, but the engineering cost of a 4-hour incident involving three senior engineers exceeds USD 2,400 in loaded labor alone, before any customer impact calculation. The gate enforces that rollback procedures are tested, not just documented.

An untested rollback procedure adds 20 to 40 minutes of fumbling under pressure, because the steps that work in a calm rehearsal break when the incident channel has 15 people watching.

Lead time for changes. Lead time measures the elapsed time from code commit to production deployment. Long lead times indicate batch accumulation somewhere in the pipeline, typically in manual approval queues or environment provisioning delays. After 30 days of data collection on a 12-team platform, we found that 80% of lead time above 24 hours was attributable to two causes: waiting for a shared staging environment slot, and waiting for a human to approve a deployment that had already passed all automated gates. Eliminating those two waits cut median lead time from 4.2 days to 18 hours without changing a single line of application code.

Lead time as starting point

[diagram could not be rendered]

diagram

Without it, a team recovers from an incident, closes the ticket, and deploys again the next morning with no structural change to the pipeline. The postmortem gate forces a documented fix before the next promotion clears.

Start by instrumenting lead time. It requires no tooling beyond a timestamp at commit and a timestamp at production deploy. Once you have 14 days of lead time data, the bottleneck is always visible. Fix that bottleneck before touching the other three metrics, because lead time compression is what creates the deployment frequency needed to make change failure

Running the Checklist: A Pre-Rollout Workflow

The pre-rollout workflow has exactly three phases: verify, escalate, and gate. Each phase has a named owner, a defined output, and a condition that stops the rollout if the output is missing.

We built this workflow after watching teams treat checklist items as suggestions rather than contracts. The pattern was consistent: a developer self-certified readiness, a reviewer skimmed the list, and the blocker surfaced in production four hours after deployment. The fix is structural ownership, not better intentions.

diagram

Phase ownership and timing

Developer self-check. The developer owns the first pass, completed no later than 48 hours before the scheduled rollout window. This timing is not arbitrary. Items flagged at 48 hours leave one full business day for resolution before the deployment slot. Items flagged at 2 hours force a rollout deferral, which costs the team the environment slot and resets the release calendar.

This phase works when developers treat the checklist as a pre-flight, not a post-hoc audit. It breaks when the checklist is filled out after the deployment PR is already merged, because by that point the cost of a blocking finding is a rollback, not a fix.

Tech lead review. The tech lead reviews the completed checklist within 24 hours of submission. Their role is not to re-execute every item. It is to verify that the evidence cited for each item is real, not inferred. A developer who writes "secrets are scoped correctly" without linking to the environment configuration page has not satisfied the item.

The tech lead marks any unsupported item as a blocker, not advisory. Advisory findings do not stop rollouts. Blockers do. That distinction is the mechanism that keeps the checklist from becoming a rubber stamp.

Platform gate conditions

Platform gate. The platform team owns the final gate. They do not review intent; they verify state. Specifically, they confirm that the pipeline configuration matches what the checklist claims, that rollback procedures have been executed at least once in a non-production environment within the prior 30 days, and that the on-call rotation has an active assignment for the deployment window. If any of those three conditions is unmet, the rollout does not proceed regardless of the checklist score.

Phase Owner Output Blocker Condition
Developer self-check Developer Completed checklist with evidence links Missing evidence on any item
Tech lead review Tech lead Approved or blocker-flagged checklist Any unsupported item
Platform gate Platform team State-verified deployment clearance Rollback untested or on-call unassigned

Escalation follows a fixed path. A blocker that the developer cannot resolve within 4 hours moves to the tech lead. A blocker the tech lead cannot resolve within 8 hours moves to the platform team. A blocker the platform team cannot resolve within 24 hours defers the rollout.

Escalation path and overrides

There is no override path. Teams that build override paths find that every blocker eventually becomes an override.

Start the self-check 48 hours out. If you are starting it the morning of the deployment, the workflow has already failed.

Frequently Asked Questions

Q: How does most teams ship before they're ready apply in practice?

See the section above titled "Why Most Teams Ship Before They're Ready" for the full breakdown with examples.

Q: How does the five dimensions of ci/cd readiness apply in practice?

See the section above titled "The Five Dimensions of CI/CD Readiness" for the full breakdown with examples.

Q: How does platform-specific requirements: github actions, jenkins, and argocd apply in practice?

See the section above titled "Platform-Specific Requirements: GitHub Actions, Jenkins, and ArgoCD" for the full breakdown with examples.

Q: How does metrics that define 'ready': thresholds worth enforcing apply in practice?

See the section above titled "Metrics That Define 'Ready': Thresholds Worth Enforcing" for the full breakdown with examples.


Drop a comment if you've audited a similar spike. What was the dominant cause for your team? Share what worked or what blew up.

Top comments (0)