Required by the Secure Development Policy. Use this checklist as the PR template or release ticket for any non-trivial production deploy.

Pre-merge

  • PR has at least one approving review from someone other than the author.
  • CI checks pass (tests, lint, build).
  • Static analysis findings reviewed.
  • Dependency scanning findings reviewed; no new criticals/highs.
  • Secret scan clean.
  • Env / config check — every new production env var that holds a secret reads from Vault at runtime; no secret values in .env, config.yaml, values.yaml, container images, Helm charts, Terraform state, static Secret manifests, or CI logs. See Secrets Management → Application configuration and environment variables.
  • Migrations are backward-compatible (or flagged with an explicit downtime plan).
  • Tests added / updated.
  • Documentation updated (public APIs, operational changes).

Pre-deploy

  • Tested in staging.
  • Rollback plan documented in the release ticket.
  • Stakeholders informed if customer-facing.
  • Runbook updated if on-call response changes.

Post-deploy

  • Smoke tests pass.
  • Error rates and latency dashboards green.
  • No new alerts firing.
  • Release notes published (where applicable).

Security-sensitive releases

For changes to authentication, authorization, payment handling, customer data export, or other sensitive areas:
  • Threat model reviewed by Security.
  • Pen-test or targeted review completed if scope warrants.
  • Logging and audit trail verified.

Version history

Version | Date | Description | Author | Approved by
1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani