swe-workflow-skills 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +144 -0
- package/VERSION +1 -0
- package/bin/cli.mjs +44 -0
- package/catalog.json +225 -0
- package/commands/role.md +34 -0
- package/hooks/session-start.mjs +118 -0
- package/install.mjs +318 -0
- package/package.json +47 -0
- package/roles.json +194 -0
- package/scripts/resolve.mjs +296 -0
- package/skills/accessibility-design/SKILL.md +128 -0
- package/skills/accessibility-design/evals/evals.json +51 -0
- package/skills/accessibility-design/references/accessibility-patterns.md +321 -0
- package/skills/api-design/SKILL.md +144 -0
- package/skills/api-design/evals/evals.json +48 -0
- package/skills/api-design/references/rest-conventions.md +147 -0
- package/skills/api-design/templates/api-spec.md +156 -0
- package/skills/architecture-design/SKILL.md +86 -0
- package/skills/architecture-design/evals/evals.json +44 -0
- package/skills/architecture-design/references/clean-architecture.md +147 -0
- package/skills/architecture-design/references/component-principles.md +129 -0
- package/skills/architecture-design/references/principles.md +81 -0
- package/skills/architecture-design/references/solid-principles.md +106 -0
- package/skills/architecture-design/templates/adr.md +63 -0
- package/skills/architecture-documentation/SKILL.md +126 -0
- package/skills/architecture-documentation/evals/evals.json +44 -0
- package/skills/architecture-documentation/references/abstraction-levels.md +91 -0
- package/skills/architecture-documentation/references/diagram-tooling.md +141 -0
- package/skills/architecture-documentation/templates/architecture-doc.md +171 -0
- package/skills/bug-investigating/SKILL.md +133 -0
- package/skills/bug-investigating/evals/evals.json +56 -0
- package/skills/bug-investigating/references/common-bugs.md +62 -0
- package/skills/bug-investigating/references/debugging-patterns.md +94 -0
- package/skills/cicd-pipeline/SKILL.md +87 -0
- package/skills/cicd-pipeline/evals/evals.json +34 -0
- package/skills/cicd-pipeline/references/pipeline-patterns.md +206 -0
- package/skills/cicd-pipeline/templates/github-actions.md +206 -0
- package/skills/code-reviewing/SKILL.md +92 -0
- package/skills/code-reviewing/evals/evals.json +62 -0
- package/skills/code-reviewing/references/error-handling.md +108 -0
- package/skills/code-reviewing/references/review-checklist.md +144 -0
- package/skills/configuration-strategy/SKILL.md +109 -0
- package/skills/configuration-strategy/evals/evals.json +41 -0
- package/skills/configuration-strategy/references/config-patterns.md +161 -0
- package/skills/containerization/SKILL.md +90 -0
- package/skills/containerization/evals/evals.json +36 -0
- package/skills/containerization/references/dockerfile-patterns.md +168 -0
- package/skills/containerization/templates/dockerfile.md +154 -0
- package/skills/data-modeling/SKILL.md +83 -0
- package/skills/data-modeling/evals/evals.json +43 -0
- package/skills/data-modeling/references/conventions.md +57 -0
- package/skills/data-modeling/templates/schema.md +120 -0
- package/skills/dependency-impact-analysis/SKILL.md +113 -0
- package/skills/dependency-impact-analysis/evals/evals.json +41 -0
- package/skills/dependency-impact-analysis/references/impact-patterns.md +150 -0
- package/skills/dependency-management/SKILL.md +161 -0
- package/skills/dependency-management/evals/evals.json +48 -0
- package/skills/dependency-management/references/evaluation-checklist.md +127 -0
- package/skills/deployment-checklist/SKILL.md +132 -0
- package/skills/deployment-checklist/evals/evals.json +58 -0
- package/skills/deployment-checklist/references/pre-deploy-gates.md +91 -0
- package/skills/deployment-repo/SKILL.md +190 -0
- package/skills/deployment-repo/evals/evals.json +44 -0
- package/skills/deployment-repo/references/deployment-repo-patterns.md +258 -0
- package/skills/deployment-repo/references/version-compatibility.md +227 -0
- package/skills/deployment-repo/templates/deployment-repo-structure.md +226 -0
- package/skills/effort-estimation/SKILL.md +95 -0
- package/skills/effort-estimation/evals/evals.json +32 -0
- package/skills/effort-estimation/references/estimation-methods.md +154 -0
- package/skills/feature-planning/SKILL.md +84 -0
- package/skills/feature-planning/evals/evals.json +44 -0
- package/skills/feature-planning/templates/plan.md +55 -0
- package/skills/feature-planning/templates/task.md +26 -0
- package/skills/frontend-architecture/SKILL.md +154 -0
- package/skills/frontend-architecture/evals/evals.json +34 -0
- package/skills/frontend-architecture/references/component-patterns.md +264 -0
- package/skills/frontend-architecture/templates/folder-structure.md +203 -0
- package/skills/git-workflow/SKILL.md +127 -0
- package/skills/git-workflow/evals/evals.json +44 -0
- package/skills/git-workflow/references/conventions.md +142 -0
- package/skills/git-workflow/templates/pull-request.md +57 -0
- package/skills/gitops-delivery/SKILL.md +319 -0
- package/skills/gitops-delivery/evals/evals.json +44 -0
- package/skills/gitops-delivery/references/gitops-patterns.md +478 -0
- package/skills/gitops-delivery/templates/gitops-config.md +196 -0
- package/skills/incident-response/SKILL.md +130 -0
- package/skills/incident-response/evals/evals.json +55 -0
- package/skills/incident-response/references/communication-templates.md +134 -0
- package/skills/incident-response/references/severity-levels.md +77 -0
- package/skills/incident-response/templates/incident-timeline.md +57 -0
- package/skills/infrastructure-as-code/SKILL.md +86 -0
- package/skills/infrastructure-as-code/evals/evals.json +33 -0
- package/skills/infrastructure-as-code/references/iac-patterns.md +179 -0
- package/skills/infrastructure-as-code/templates/terraform-module.md +158 -0
- package/skills/metrics-and-okrs/SKILL.md +113 -0
- package/skills/metrics-and-okrs/evals/evals.json +33 -0
- package/skills/metrics-and-okrs/references/metric-catalog.md +90 -0
- package/skills/metrics-and-okrs/templates/okr-document.md +61 -0
- package/skills/ml-experiment-tracking/SKILL.md +96 -0
- package/skills/ml-experiment-tracking/evals/evals.json +32 -0
- package/skills/ml-experiment-tracking/references/tracking-tools.md +127 -0
- package/skills/ml-model-deployment/SKILL.md +106 -0
- package/skills/ml-model-deployment/evals/evals.json +34 -0
- package/skills/ml-model-deployment/references/serving-patterns.md +162 -0
- package/skills/ml-pipeline-design/SKILL.md +162 -0
- package/skills/ml-pipeline-design/evals/evals.json +34 -0
- package/skills/ml-pipeline-design/references/pipeline-components.md +174 -0
- package/skills/observability-design/SKILL.md +162 -0
- package/skills/observability-design/evals/evals.json +52 -0
- package/skills/observability-design/references/logging-patterns.md +229 -0
- package/skills/observability-design/references/slo-framework.md +151 -0
- package/skills/observability-design/templates/slo-document.md +80 -0
- package/skills/performance-optimization/SKILL.md +83 -0
- package/skills/performance-optimization/evals/evals.json +47 -0
- package/skills/performance-optimization/references/bottleneck-patterns.md +256 -0
- package/skills/performance-optimization/references/concurrency.md +101 -0
- package/skills/prd-writing/SKILL.md +109 -0
- package/skills/prd-writing/evals/evals.json +33 -0
- package/skills/prd-writing/references/prd-examples.md +132 -0
- package/skills/prd-writing/templates/prd.md +71 -0
- package/skills/prd-writing/templates/rfc.md +79 -0
- package/skills/project-documentation/SKILL.md +104 -0
- package/skills/project-documentation/evals/evals.json +48 -0
- package/skills/project-documentation/references/contributing-guide.md +100 -0
- package/skills/project-documentation/templates/changelog.md +59 -0
- package/skills/project-documentation/templates/readme.md +121 -0
- package/skills/project-proposal/SKILL.md +90 -0
- package/skills/project-proposal/evals/evals.json +31 -0
- package/skills/project-proposal/references/proposal-examples.md +140 -0
- package/skills/project-proposal/templates/proposal.md +76 -0
- package/skills/project-review/SKILL.md +111 -0
- package/skills/project-review/evals/evals.json +42 -0
- package/skills/refactoring/SKILL.md +90 -0
- package/skills/refactoring/evals/evals.json +44 -0
- package/skills/refactoring/references/transformations.md +132 -0
- package/skills/retrospective/SKILL.md +157 -0
- package/skills/retrospective/evals/evals.json +34 -0
- package/skills/retrospective/references/facilitation-guide.md +130 -0
- package/skills/retrospective/templates/post-mortem.md +121 -0
- package/skills/rollback-strategy/SKILL.md +116 -0
- package/skills/rollback-strategy/evals/evals.json +55 -0
- package/skills/rollback-strategy/references/rollback-patterns.md +125 -0
- package/skills/rollback-strategy/templates/rollback-plan.md +69 -0
- package/skills/security-audit/SKILL.md +146 -0
- package/skills/security-audit/evals/evals.json +66 -0
- package/skills/security-audit/references/owasp-top-10.md +167 -0
- package/skills/security-audit/templates/security-report.md +79 -0
- package/skills/skill-router/SKILL.md +171 -0
- package/skills/skill-router/evals/evals.json +39 -0
- package/skills/strategic-review/SKILL.md +106 -0
- package/skills/strategic-review/evals/evals.json +42 -0
- package/skills/strategic-review/templates/full-review-prompt.md +84 -0
- package/skills/tdd-workflow/SKILL.md +147 -0
- package/skills/tdd-workflow/evals/evals.json +58 -0
- package/skills/tdd-workflow/references/test-quality.md +71 -0
- package/skills/technical-debt-review/SKILL.md +113 -0
- package/skills/technical-debt-review/evals/evals.json +41 -0
- package/skills/technical-debt-review/references/debt-taxonomy.md +124 -0
- package/skills/technical-debt-review/templates/debt-audit.md +85 -0
- package/skills/test-data-strategy/SKILL.md +129 -0
- package/skills/test-data-strategy/evals/evals.json +49 -0
- package/skills/test-data-strategy/references/data-generation-patterns.md +341 -0
- package/skills/test-suite-design/SKILL.md +137 -0
- package/skills/test-suite-design/evals/evals.json +69 -0
- package/skills/test-suite-design/references/test-infrastructure.md +175 -0
- package/skills/test-suite-design/references/testing-pyramid.md +140 -0
- package/skills/ui-ux-design/SKILL.md +117 -0
- package/skills/ui-ux-design/evals/evals.json +35 -0
- package/skills/ui-ux-design/references/interaction-patterns.md +145 -0
- package/skills/ui-ux-design/templates/screen-spec.md +97 -0
- package/skills/verification-before-completion/SKILL.md +85 -0
- package/skills/verification-before-completion/evals/evals.json +53 -0
- package/skills/writing-skills/SKILL.md +87 -0
- package/skills/writing-skills/evals/evals.json +41 -0
- package/skills/writing-skills/references/pressure-testing.md +69 -0
- package/uninstall.mjs +182 -0
|
@@ -0,0 +1,132 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: deployment-checklist
|
|
3
|
+
description: "Pre-deploy verification and release safety checks — config, migrations, monitoring, rollback readiness, comms. Triggers: deployment checklist, ready to deploy, pre-deploy, release checklist, go-live, ship checklist, deploy safety, is this safe to ship, release readiness."
|
|
4
|
+
model: haiku
|
|
5
|
+
allowed-tools: Read, Grep, Glob, Write, Edit
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Deployment Checklist
|
|
9
|
+
|
|
10
|
+
Ensure code is production-ready before deploying. This skill runs through a structured verification process that catches common deployment failures before they reach users.
|
|
11
|
+
|
|
12
|
+
## ⛔ The Iron Law
|
|
13
|
+
|
|
14
|
+
**Don't check a box you haven't verified.**
|
|
15
|
+
|
|
16
|
+
Every checked item is backed by evidence — a command you ran in this session or code you read — not memory or assumption. "Should be fine" is not a verification. A blocked deploy is far cheaper than a production incident, so when a gate fails, stop and fix it before proceeding.
|
|
17
|
+
|
|
18
|
+
## Workflow
|
|
19
|
+
|
|
20
|
+
### Step 1: Assess the Change
|
|
21
|
+
|
|
22
|
+
Understand the scope and risk of what's being deployed:
|
|
23
|
+
|
|
24
|
+
- **What changed?** Review the diff against the deployment target branch
|
|
25
|
+
- **Change type?** Feature / bugfix / hotfix / infrastructure / dependency update
|
|
26
|
+
- **Risk level?** Low (cosmetic), Medium (logic change), High (data migration, auth, payments)
|
|
27
|
+
- **Rollback plan?** Can this be reverted with a simple deploy, or does it require data migration reversal?
|
|
28
|
+
|
|
29
|
+
### Step 2: Run the Checklist
|
|
30
|
+
|
|
31
|
+
Walk through each section. Check items by reading code, running commands, and verifying artifacts.
|
|
32
|
+
|
|
33
|
+
#### Code Quality
|
|
34
|
+
- [ ] All tests pass (`npm test`, `pytest`, or project-specific command)
|
|
35
|
+
- [ ] No linting errors or warnings
|
|
36
|
+
- [ ] No `TODO` or `FIXME` items related to this change left unaddressed
|
|
37
|
+
- [ ] No debugging code (console.log, debugger, print statements) left in
|
|
38
|
+
- [ ] No commented-out code blocks
|
|
39
|
+
|
|
40
|
+
#### Testing
|
|
41
|
+
- [ ] New behavior has corresponding tests
|
|
42
|
+
- [ ] Edge cases and error paths are tested
|
|
43
|
+
- [ ] Integration tests pass against a clean environment
|
|
44
|
+
- [ ] If applicable: manual testing completed on staging
|
|
45
|
+
|
|
46
|
+
#### Security
|
|
47
|
+
- [ ] No hardcoded secrets, API keys, or credentials
|
|
48
|
+
- [ ] No new endpoints without authentication/authorization
|
|
49
|
+
- [ ] User input is validated and sanitized
|
|
50
|
+
- [ ] Dependencies have no known critical vulnerabilities (`npm audit`, `pip audit`)
|
|
51
|
+
|
|
52
|
+
#### Database & Data
|
|
53
|
+
- [ ] Migrations are forwards-compatible (old code works with new schema)
|
|
54
|
+
- [ ] Migrations are reversible
|
|
55
|
+
- [ ] Large data changes have been tested on production-sized data
|
|
56
|
+
- [ ] No destructive operations without confirmation (DROP, DELETE without WHERE)
|
|
57
|
+
- [ ] Backfill scripts are idempotent (safe to run multiple times)
|
|
58
|
+
|
|
59
|
+
#### Configuration & Environment
|
|
60
|
+
- [ ] New environment variables are documented and set in all target environments
|
|
61
|
+
- [ ] Feature flags are in the correct state for this release
|
|
62
|
+
- [ ] No environment-specific hardcoding (localhost URLs, test credentials)
|
|
63
|
+
|
|
64
|
+
#### Observability
|
|
65
|
+
- [ ] Errors are logged with sufficient context for debugging
|
|
66
|
+
- [ ] New endpoints/operations have appropriate metrics or monitoring
|
|
67
|
+
- [ ] Alert thresholds are reviewed for new functionality
|
|
68
|
+
|
|
69
|
+
#### Documentation
|
|
70
|
+
- [ ] README updated if setup steps changed
|
|
71
|
+
- [ ] API documentation updated for new/changed endpoints
|
|
72
|
+
- [ ] CHANGELOG updated (if project uses one)
|
|
73
|
+
- [ ] Breaking changes are clearly communicated
|
|
74
|
+
|
|
75
|
+
### Step 3: Report
|
|
76
|
+
|
|
77
|
+
Summarize the checklist results:
|
|
78
|
+
|
|
79
|
+
- **Ready to deploy**: All checks pass
|
|
80
|
+
- **Needs attention**: List specific items that need fixing
|
|
81
|
+
- **Blocked**: Critical issues that must be resolved (data loss risk, security gap, failing tests)
|
|
82
|
+
|
|
83
|
+
### Step 4: Deploy Safely
|
|
84
|
+
|
|
85
|
+
Based on the change risk level:
|
|
86
|
+
|
|
87
|
+
- **Low risk**: Deploy directly, monitor for 15 minutes
|
|
88
|
+
- **Medium risk**: Deploy to staging first, verify, then production. Monitor for 1 hour
|
|
89
|
+
- **High risk**: Deploy behind a feature flag, canary to a small percentage, monitor, then roll out gradually
|
|
90
|
+
|
|
91
|
+
## Quick Reference
|
|
92
|
+
|
|
93
|
+
For urgent hotfixes where the full checklist feels heavy, run at minimum:
|
|
94
|
+
1. Tests pass
|
|
95
|
+
2. No secrets in code
|
|
96
|
+
3. Migrations are reversible
|
|
97
|
+
4. Rollback plan exists
|
|
98
|
+
|
|
99
|
+
Everything else can be addressed in a follow-up, but these four prevent the worst outcomes.
|
|
100
|
+
|
|
101
|
+
## Principles Applied
|
|
102
|
+
|
|
103
|
+
- **KISS**: The simplest deploy that can safely reach production. Avoid adding complexity (new flags, new services) in the same deployment as the feature.
|
|
104
|
+
- **Defense in depth**: Validate at every gate — tests, staging, canary — not just once. Each gate catches a different class of failure.
|
|
105
|
+
- **Fail fast**: If a check fails, stop and fix before proceeding. A blocked deploy is far cheaper than a production incident.
|
|
106
|
+
- **YAGNI**: Don't deploy speculative configuration or unused feature flags. Unused config is future confusion.
|
|
107
|
+
|
|
108
|
+
See [references/pre-deploy-gates.md](references/pre-deploy-gates.md) for environment-specific checklists, schema migration safety, and rollback trigger criteria.
|
|
109
|
+
|
|
110
|
+
## Rationalizations to reject
|
|
111
|
+
|
|
112
|
+
| Excuse | Reality |
|
|
113
|
+
|--------|---------|
|
|
114
|
+
| "Tests passed in CI yesterday" | Verify against the exact commit being deployed, now — not a stale run. |
|
|
115
|
+
| "It's a tiny change, skip the checklist" | Tiny changes cause outages too. Run at least the four-item minimum. |
|
|
116
|
+
| "Migrations are probably reversible" | "Probably" is not verified. Confirm the down-path exists and runs. |
|
|
117
|
+
| "We'll add monitoring after launch" | You can't observe an incident you never instrumented. |
|
|
118
|
+
| "No time for staging" | Skipping staging on a high-risk change is how data-loss incidents start. |
|
|
119
|
+
|
|
120
|
+
## Red flags — stop and correct course
|
|
121
|
+
|
|
122
|
+
- Marking items complete from memory rather than checking.
|
|
123
|
+
- "Should be fine" / "probably works" language about any gate.
|
|
124
|
+
- Deploying a High-risk change with no rollback plan.
|
|
125
|
+
- Bundling a risky migration and a feature in the same deploy.
|
|
126
|
+
|
|
127
|
+
## Cross-Skill References
|
|
128
|
+
|
|
129
|
+
- `rollback-strategy` — design the rollback plan before deploying (required for High-risk changes)
|
|
130
|
+
- `configuration-strategy` — verify all environment variables and feature flags are configured correctly
|
|
131
|
+
- `incident-response` — use if the deployment causes a production incident
|
|
132
|
+
- `verification-before-completion` — the evidence gate behind every checked box
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
{
|
|
2
|
+
"skill_name": "deployment-checklist",
|
|
3
|
+
"evals": [
|
|
4
|
+
{
|
|
5
|
+
"id": 1,
|
|
6
|
+
"prompt": "I've finished implementing the payment integration feature. It adds Stripe webhook handling and stores payment events in the database. I'm ready to deploy to production. Can you run through the deployment checklist?",
|
|
7
|
+
"expected_output": "Should run the full checklist with emphasis on security (webhook signature verification), database (migration review), and high-risk assessment. Should classify this as high-risk due to payment handling.",
|
|
8
|
+
"assertions": [
|
|
9
|
+
"Classifies this as high-risk (payments)",
|
|
10
|
+
"Checks for webhook signature verification",
|
|
11
|
+
"Reviews database migrations for reversibility",
|
|
12
|
+
"Checks for hardcoded API keys/secrets",
|
|
13
|
+
"Recommends feature flag or canary deployment",
|
|
14
|
+
"Asks about rollback plan for the data migration",
|
|
15
|
+
"Runs or requests test suite execution"
|
|
16
|
+
]
|
|
17
|
+
},
|
|
18
|
+
{
|
|
19
|
+
"id": 2,
|
|
20
|
+
"prompt": "quick fix for a typo in the About page. can I just deploy this?",
|
|
21
|
+
"expected_output": "Should classify as low-risk, run a minimal checklist, and give a quick green light if checks pass.",
|
|
22
|
+
"assertions": [
|
|
23
|
+
"Classifies as low-risk (cosmetic change)",
|
|
24
|
+
"Runs abbreviated checklist, not the full thing",
|
|
25
|
+
"Still checks that tests pass",
|
|
26
|
+
"Does not over-process a simple change",
|
|
27
|
+
"Gives clear go/no-go recommendation"
|
|
28
|
+
]
|
|
29
|
+
},
|
|
30
|
+
{
|
|
31
|
+
"id": 3,
|
|
32
|
+
"prompt": "We need to deploy a database migration that renames a column used by 3 services. We can't have downtime. Is this safe to deploy?",
|
|
33
|
+
"expected_output": "Should flag this as high-risk, recommend expand-contract pattern, and block a direct column rename. Should reference data-modeling skill for migration strategy.",
|
|
34
|
+
"assertions": [
|
|
35
|
+
"Flags column rename as dangerous in production",
|
|
36
|
+
"Recommends expand-contract migration pattern",
|
|
37
|
+
"Identifies that 3 services mean coordinated deployment is needed",
|
|
38
|
+
"Does NOT give a green light for a direct rename",
|
|
39
|
+
"Considers zero-downtime requirement",
|
|
40
|
+
"Suggests referencing the data-modeling skill for migration strategy"
|
|
41
|
+
]
|
|
42
|
+
}
|
|
43
|
+
],
|
|
44
|
+
"pressure_tests": [
|
|
45
|
+
{
|
|
46
|
+
"id": 1,
|
|
47
|
+
"prompt": "It's a one-line copy change and CI was green yesterday. I'm checking every box as done and deploying right now.",
|
|
48
|
+
"pressure": ["time", "sunk_cost"],
|
|
49
|
+
"expected_behavior": "Holds the Iron Law: don't check a box you haven't verified. Treats yesterday's CI as stale, re-runs at least the minimum gates against the current commit, and refuses to rubber-stamp the checklist from memory.",
|
|
50
|
+
"assertions": [
|
|
51
|
+
"Does NOT accept boxes checked from memory or from yesterday's CI",
|
|
52
|
+
"Re-runs verification against the exact current commit",
|
|
53
|
+
"Runs at least the four-item minimum",
|
|
54
|
+
"Does not rubber-stamp on 'it's only one line'"
|
|
55
|
+
]
|
|
56
|
+
}
|
|
57
|
+
]
|
|
58
|
+
}
|
|
@@ -0,0 +1,91 @@
|
|
|
1
|
+
# Pre-Deploy Gates
|
|
2
|
+
|
|
3
|
+
## Gate 1: Code Review Complete
|
|
4
|
+
|
|
5
|
+
Before any deployment, the code must have been reviewed by at least one other engineer. For high-risk changes (auth, payments, data migrations), require two reviewers.
|
|
6
|
+
|
|
7
|
+
**What reviewers look for:**
|
|
8
|
+
- Logic correctness and edge cases
|
|
9
|
+
- Security issues (injection, auth gaps, secret exposure)
|
|
10
|
+
- Test coverage for new behavior
|
|
11
|
+
- Migration safety (see below)
|
|
12
|
+
|
|
13
|
+
## Gate 2: Schema Migration Safety
|
|
14
|
+
|
|
15
|
+
Database migrations are the most common source of deployment failures. Verify before deploying:
|
|
16
|
+
|
|
17
|
+
**Safe migrations (backwards-compatible):**
|
|
18
|
+
- Adding a nullable column
|
|
19
|
+
- Adding a new table
|
|
20
|
+
- Adding an index (use `CREATE INDEX CONCURRENTLY` in Postgres)
|
|
21
|
+
- Renaming a column in a phased approach (add new → backfill → remove old)
|
|
22
|
+
|
|
23
|
+
**Unsafe migrations (require coordination):**
|
|
24
|
+
- Dropping a column that old code still reads
|
|
25
|
+
- Renaming a column in a single migration
|
|
26
|
+
- Adding a NOT NULL constraint without a default on an existing table
|
|
27
|
+
- Changing a column type (may lock table)
|
|
28
|
+
|
|
29
|
+
**Migration checklist:**
|
|
30
|
+
- [ ] Migration is reversible (has a `down` method or equivalent)
|
|
31
|
+
- [ ] Migration runs in under 30 seconds on production-sized data (or is marked non-locking)
|
|
32
|
+
- [ ] Old application code is compatible with the new schema
|
|
33
|
+
- [ ] Migration has been tested on a recent production data snapshot
|
|
34
|
+
|
|
35
|
+
## Gate 3: Secrets and Configuration
|
|
36
|
+
|
|
37
|
+
**Verify:**
|
|
38
|
+
- [ ] All new environment variables are set in target environment(s) before deploying
|
|
39
|
+
- [ ] New secrets are stored in the secrets manager (not in `.env` files checked in)
|
|
40
|
+
- [ ] No credentials appear in code diff, logs, or error messages
|
|
41
|
+
- [ ] Feature flags required for this release are in the correct state
|
|
42
|
+
|
|
43
|
+
**Common failure mode:** Deploying code that reads a new env var before the var is set. This causes the application to crash on startup or produce silent failures. Always set the variable first, then deploy the code that reads it.
|
|
44
|
+
|
|
45
|
+
## Gate 4: Rollback Triggers
|
|
46
|
+
|
|
47
|
+
Define these before deploying. If any trigger fires, roll back immediately without waiting for investigation:
|
|
48
|
+
|
|
49
|
+
| Metric | Rollback threshold |
|
|
50
|
+
|--------|-------------------|
|
|
51
|
+
| Error rate | > 1% of requests (or 2x baseline, whichever is lower) |
|
|
52
|
+
| P99 latency | > 3x baseline |
|
|
53
|
+
| 5xx rate | Any spike above noise floor |
|
|
54
|
+
| Queue depth | Backlog growing for > 5 minutes |
|
|
55
|
+
| Business metric | Checkout rate, signup rate drops > 10% |
|
|
56
|
+
|
|
57
|
+
Set up monitoring dashboards before deploying. If you can't see the metrics, you can't detect the trigger.
|
|
58
|
+
|
|
59
|
+
## Per-Environment Checklist
|
|
60
|
+
|
|
61
|
+
### Development / Local
|
|
62
|
+
- Tests pass
|
|
63
|
+
- No lint errors
|
|
64
|
+
- Feature works manually
|
|
65
|
+
|
|
66
|
+
### Staging
|
|
67
|
+
All development checks, plus:
|
|
68
|
+
- Integration tests pass against staging services
|
|
69
|
+
- Migration runs successfully on staging database
|
|
70
|
+
- New env vars are configured in staging
|
|
71
|
+
- Manual smoke test of critical paths
|
|
72
|
+
|
|
73
|
+
### Production
|
|
74
|
+
All staging checks, plus:
|
|
75
|
+
- Rollback plan documented and tested
|
|
76
|
+
- On-call engineer aware of deployment
|
|
77
|
+
- Monitoring dashboard open
|
|
78
|
+
- Deployment window appropriate (avoid Friday afternoon, peak traffic hours)
|
|
79
|
+
- Runbook updated if operational behavior changed
|
|
80
|
+
|
|
81
|
+
## Secrets Rotation Procedures
|
|
82
|
+
|
|
83
|
+
When rotating a secret that is actively used:
|
|
84
|
+
|
|
85
|
+
1. **Generate new secret** — create the new value without deleting the old one
|
|
86
|
+
2. **Add to application** — update the application to accept both old and new values (if possible) or to use the new value
|
|
87
|
+
3. **Deploy** — deploy the application update
|
|
88
|
+
4. **Verify** — confirm the application is using the new secret correctly
|
|
89
|
+
5. **Revoke old secret** — only after confirming new secret works
|
|
90
|
+
|
|
91
|
+
For API keys that can't be dual-accepted: schedule a maintenance window, update key and redeploy atomically, verify immediately, keep old key available for 24 hours before revoking.
|
|
@@ -0,0 +1,190 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: deployment-repo
|
|
3
|
+
description: "Design a deployment (GitOps) repo that orchestrates multiple services in a polyrepo — version pinning, environment promotion, compatibility matrices, system config. Triggers: deployment repo, GitOps repo, polyrepo, multi-repo, version pinning, compatibility matrix, environment promotion, multi-service deployment, orchestration repo, which versions work together."
|
|
4
|
+
model: sonnet
|
|
5
|
+
allowed-tools: Read, Grep, Glob, Write, Edit, Bash
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Deployment Repository Design
|
|
9
|
+
|
|
10
|
+
The deployment repo is the single source of truth for how a distributed system is composed. Individual app repos answer "where does service X live?" — the deployment repo answers "where does the system live?"
|
|
11
|
+
|
|
12
|
+
## Step 1: Assess the System
|
|
13
|
+
|
|
14
|
+
Before designing the repo, map the landscape:
|
|
15
|
+
|
|
16
|
+
- **Services**: How many repos, what each service does, what language/framework
|
|
17
|
+
- **Communication**: How services talk (REST, gRPC, events/queues, shared database)
|
|
18
|
+
- **Team structure**: One team owns everything vs. multiple teams with service ownership
|
|
19
|
+
- **Current deployment**: How are services deployed today? Manual, CI-driven, ad hoc?
|
|
20
|
+
- **Environments**: Local dev, staging, production? More?
|
|
21
|
+
|
|
22
|
+
**Determine scale tier:**
|
|
23
|
+
|
|
24
|
+
| Tier | Team size | Services | Recommended tooling |
|
|
25
|
+
|------|-----------|----------|-------------------|
|
|
26
|
+
| **Lightweight** | 1 team | 2-5 | docker-compose, Makefile, `.env` files |
|
|
27
|
+
| **Standard** | 2-3 teams | 5-15 | Helm or Kustomize, CI-driven promotion |
|
|
28
|
+
| **Enterprise** | Many teams | 15+ | Helm + ArgoCD/Flux, automated promotion, audit trails |
|
|
29
|
+
|
|
30
|
+
Start at the lightest tier that fits. You can graduate up — premature complexity is worse than growing into it.
|
|
31
|
+
|
|
32
|
+
## Step 2: Design the Repo Structure
|
|
33
|
+
|
|
34
|
+
The deployment repo contains everything needed to compose, deploy, and validate the full system. See [references/deployment-repo-patterns.md](references/deployment-repo-patterns.md) for detailed structures per tier and [templates/deployment-repo-structure.md](templates/deployment-repo-structure.md) for scaffolding.
|
|
35
|
+
|
|
36
|
+
**Core directories (all tiers):**
|
|
37
|
+
|
|
38
|
+
```
|
|
39
|
+
deployment-repo/
|
|
40
|
+
├── versions.yaml # Compatible service versions (the compatibility lock)
|
|
41
|
+
├── docker-compose.yml # Local dev orchestration
|
|
42
|
+
├── .env.example # Environment template
|
|
43
|
+
├── Makefile # Developer-friendly commands (make up, make test)
|
|
44
|
+
├── environments/ # Per-environment overrides
|
|
45
|
+
│ ├── dev/
|
|
46
|
+
│ ├── staging/
|
|
47
|
+
│ └── production/
|
|
48
|
+
├── tests/
|
|
49
|
+
│ └── e2e/ # Cross-service E2E tests
|
|
50
|
+
├── docs/
|
|
51
|
+
│ ├── architecture/ # ADRs, system diagrams
|
|
52
|
+
│ └── runbooks/ # Operational procedures
|
|
53
|
+
└── scripts/ # Utility scripts (setup, seed, health checks)
|
|
54
|
+
```
|
|
55
|
+
|
|
56
|
+
**Standard/Enterprise additions:**
|
|
57
|
+
|
|
58
|
+
```
|
|
59
|
+
├── infrastructure/ # Shared IaC (Terraform modules, network config)
|
|
60
|
+
├── helm/ # Helm umbrella chart or per-service charts
|
|
61
|
+
│ ├── Chart.yaml # Dependencies with pinned versions
|
|
62
|
+
│ └── values/
|
|
63
|
+
│ ├── dev.yaml
|
|
64
|
+
│ ├── staging.yaml
|
|
65
|
+
│ └── production.yaml
|
|
66
|
+
├── contracts/ # API contracts (OpenAPI specs, Pact contracts)
|
|
67
|
+
└── ci/ # System-level CI/CD pipelines
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
**Choose the manifest format based on tier:**
|
|
71
|
+
- **Lightweight**: `docker-compose.yml` with image tags pinned in `versions.yaml` or `.env`
|
|
72
|
+
- **Standard**: Helm charts with `values-<env>.yaml` overrides, or Kustomize with base + overlays
|
|
73
|
+
- **Enterprise**: Helm umbrella chart with sub-charts per service, or Kustomize with ApplicationSets
|
|
74
|
+
|
|
75
|
+
## Step 3: Define the Version Pinning Strategy
|
|
76
|
+
|
|
77
|
+
This is the core mechanism. The deployment repo acts as a **compatibility lock** — analogous to `package-lock.json` but at the system level.
|
|
78
|
+
|
|
79
|
+
**Semantic versioning is the contract.** Each app repo tags releases with semver (`v1.2.3`). The deployment repo's `versions.yaml` records which versions have been validated together:
|
|
80
|
+
|
|
81
|
+
```yaml
|
|
82
|
+
# versions.yaml — the compatibility lock
|
|
83
|
+
services:
|
|
84
|
+
api-gateway:
|
|
85
|
+
image: registry.example.com/api-gateway
|
|
86
|
+
version: v2.3.1
|
|
87
|
+
user-service:
|
|
88
|
+
image: registry.example.com/user-service
|
|
89
|
+
version: v1.7.0
|
|
90
|
+
billing-service:
|
|
91
|
+
image: registry.example.com/billing-service
|
|
92
|
+
version: v3.1.2
|
|
93
|
+
|
|
94
|
+
validated:
|
|
95
|
+
timestamp: "2025-01-15T14:30:00Z"
|
|
96
|
+
e2e_result: pass
|
|
97
|
+
contract_result: pass
|
|
98
|
+
```
|
|
99
|
+
|
|
100
|
+
**Version pinning rules:**
|
|
101
|
+
|
|
102
|
+
1. **Pin exact versions, not ranges** — `v1.7.0`, not `v1.x` or `latest`. The deployment repo records what was tested, not what might work.
|
|
103
|
+
2. **Promote version sets, not individual services** — When staging's version set passes validation, the entire set promotes to production. This prevents "it worked in staging" failures caused by version drift.
|
|
104
|
+
3. **Breaking changes require coordinated bumps** — If `api-gateway` v3.0.0 requires `user-service` v2.0.0, both versions update in the same deployment repo commit.
|
|
105
|
+
4. **Every version combination that reaches an environment is recorded** — The deployment repo's git history IS the audit trail of what ran where and when.
|
|
106
|
+
|
|
107
|
+
See [references/version-compatibility.md](references/version-compatibility.md) for semver contract details, compatibility matrices, and breaking change coordination patterns.
|
|
108
|
+
|
|
109
|
+
## Step 4: Design Contract Tests
|
|
110
|
+
|
|
111
|
+
Version pinning is only trustworthy if compatibility is actually tested. Contract tests validate that pinned versions can talk to each other.
|
|
112
|
+
|
|
113
|
+
**Consumer-driven contracts (recommended for HTTP APIs):**
|
|
114
|
+
- Each consumer service defines its expectations of a provider's API (a "contract")
|
|
115
|
+
- Contracts live in the deployment repo's `contracts/` directory or are published to a Pact Broker
|
|
116
|
+
- The deployment repo CI runs contract verification: for each service pair, verify that the pinned provider version satisfies the pinned consumer's contract
|
|
117
|
+
- The **`can-i-deploy`** check (Pact Broker) answers: "are these specific versions compatible?"
|
|
118
|
+
|
|
119
|
+
**Schema validation (recommended for event-driven systems):**
|
|
120
|
+
- Event schemas (Avro, Protobuf, JSON Schema) live in the deployment repo or a schema registry
|
|
121
|
+
- CI validates that producer schemas are backward-compatible with what consumers expect
|
|
122
|
+
- Schema evolution rules: additive changes are safe, field removal/rename is breaking
|
|
123
|
+
|
|
124
|
+
**What to test in the deployment repo CI:**
|
|
125
|
+
1. Contract compatibility between all pinned service versions
|
|
126
|
+
2. E2E smoke tests against the composed system (docker-compose up + test suite)
|
|
127
|
+
3. Database migration compatibility (if services share a database)
|
|
128
|
+
|
|
129
|
+
## Step 5: Set Up Environment Promotion
|
|
130
|
+
|
|
131
|
+
The deployment repo PR is the promotion mechanism. No version reaches any environment without going through it.
|
|
132
|
+
|
|
133
|
+
**Promotion flow:**
|
|
134
|
+
|
|
135
|
+
```
|
|
136
|
+
App repo tags v1.8.0
|
|
137
|
+
→ Automated PR to deployment repo: "bump user-service to v1.8.0 in dev"
|
|
138
|
+
→ CI runs contract tests + E2E in dev
|
|
139
|
+
→ Merge → dev deploys automatically
|
|
140
|
+
→ Manual PR: "promote dev version set to staging"
|
|
141
|
+
→ CI runs full E2E in staging
|
|
142
|
+
→ Merge → staging deploys
|
|
143
|
+
→ Manual PR with approval gate: "promote to production"
|
|
144
|
+
→ Merge → production deploys (canary optional)
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
**Key design decisions:**
|
|
148
|
+
- **Dev**: auto-promote on merge, fast feedback
|
|
149
|
+
- **Staging**: manual promotion trigger, full E2E validation
|
|
150
|
+
- **Production**: approval gate (require N reviewers), optional canary rollout
|
|
151
|
+
- **Rollback**: revert the deployment repo commit — the previous version set is restored
|
|
152
|
+
|
|
153
|
+
For automated cross-repo triggers (app repo build -> deployment repo PR), see `gitops-delivery`.
|
|
154
|
+
|
|
155
|
+
## Step 6: Validate and Document
|
|
156
|
+
|
|
157
|
+
Verify the full lifecycle works:
|
|
158
|
+
|
|
159
|
+
- [ ] A version bump in an app repo triggers an update in the deployment repo (manual or automated)
|
|
160
|
+
- [ ] Contract tests catch an intentionally incompatible version combination
|
|
161
|
+
- [ ] E2E tests run against the composed system in CI
|
|
162
|
+
- [ ] Promotion from dev to staging works via PR
|
|
163
|
+
- [ ] Rollback works by reverting a deployment repo commit
|
|
164
|
+
- [ ] A new developer can `make up` and get the full system running locally
|
|
165
|
+
- [ ] Adding a new service to the deployment repo is documented
|
|
166
|
+
|
|
167
|
+
**Document for the team:**
|
|
168
|
+
- How to add a new service to the deployment repo
|
|
169
|
+
- How to bump a service version (manual process or automated trigger)
|
|
170
|
+
- How to promote across environments
|
|
171
|
+
- How to rollback
|
|
172
|
+
- How to run E2E tests locally
|
|
173
|
+
|
|
174
|
+
## Principles Applied
|
|
175
|
+
|
|
176
|
+
- **Single source of truth**: The deployment repo is THE place to understand what's running where. Don't split this knowledge across wikis, Slack threads, and CI configs.
|
|
177
|
+
- **KISS**: Start lightweight (docker-compose + versions.yaml). Graduate to Helm/ArgoCD when the pain of the simple approach exceeds the cost of the complex one.
|
|
178
|
+
- **Explicit over implicit**: Pin exact versions. Record test results. Make the compatibility lock visible, not assumed.
|
|
179
|
+
- **YAGNI**: Don't set up Helm umbrella charts for 3 services. Don't add ArgoCD before you have multiple environments. Scale the tooling to the problem.
|
|
180
|
+
- **Promote sets, not services**: The fundamental principle — a validated version set moves together through environments.
|
|
181
|
+
|
|
182
|
+
## Cross-Skill References
|
|
183
|
+
|
|
184
|
+
- `gitops-delivery` — automate delivery from the deployment repo using ArgoCD/Flux and cross-repo triggers
|
|
185
|
+
- `containerization` — Helm chart structure, Kustomize overlays, and Dockerfile patterns for services
|
|
186
|
+
- `infrastructure-as-code` — Terraform modules for shared infrastructure in the deployment repo
|
|
187
|
+
- `cicd-pipeline` — system-level CI pipelines and cross-repo pipeline design
|
|
188
|
+
- `dependency-impact-analysis` — map blast radius of breaking changes across services before updating version pins
|
|
189
|
+
- `rollback-strategy` — rollback in a deployment repo context is a git revert of the version set
|
|
190
|
+
- `architecture-design` — ADR for adopting the deployment repo pattern itself
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
{
|
|
2
|
+
"skill_name": "deployment-repo",
|
|
3
|
+
"evals": [
|
|
4
|
+
{
|
|
5
|
+
"id": 1,
|
|
6
|
+
"prompt": "We have 5 microservices in separate GitHub repos (auth-service, user-service, billing-service, notification-service, api-gateway). They communicate via REST APIs and a shared event bus (RabbitMQ). We deploy to Kubernetes with 3 environments (dev, staging, prod). How should we set up a deployment repo to coordinate them?",
|
|
7
|
+
"expected_output": "Should produce a standard-tier deployment repo structure with Helm or Kustomize for K8s, a versions.yaml pinning all 5 services, contract testing strategy for REST APIs and event schemas, environment promotion flow, and E2E test orchestration.",
|
|
8
|
+
"assertions": [
|
|
9
|
+
"Recommends a separate deployment repository, not embedding deployment config in app repos",
|
|
10
|
+
"Produces a directory structure with version pins, per-environment configs, and E2E tests",
|
|
11
|
+
"Designs a versions.yaml (or equivalent) pinning exact versions of all 5 services",
|
|
12
|
+
"Recommends Helm or Kustomize for multi-environment K8s manifests (not plain manifests)",
|
|
13
|
+
"Includes contract testing strategy for both REST APIs and event schemas",
|
|
14
|
+
"Defines environment promotion flow: dev -> staging -> prod with appropriate gates",
|
|
15
|
+
"Addresses how a version bump in an app repo reaches the deployment repo",
|
|
16
|
+
"Cross-references containerization for Helm chart details and gitops-delivery for automation"
|
|
17
|
+
]
|
|
18
|
+
},
|
|
19
|
+
{
|
|
20
|
+
"id": 2,
|
|
21
|
+
"prompt": "We're a small team with 3 services (FastAPI backend, Next.js frontend, PostgreSQL), all using Docker Compose for local dev and a single staging server. Is a deployment repo overkill for us?",
|
|
22
|
+
"expected_output": "Should validate the lightweight tier, recommend a simple deployment repo with docker-compose and version pinning, and explain how it scales up when needed. Should NOT push Kubernetes, Helm, or ArgoCD.",
|
|
23
|
+
"assertions": [
|
|
24
|
+
"Validates that a deployment repo is NOT overkill even for small teams",
|
|
25
|
+
"Recommends the lightweight tier with docker-compose and a simple version manifest",
|
|
26
|
+
"Does NOT recommend Kubernetes, Helm, or GitOps operators for this scale",
|
|
27
|
+
"Shows a minimal but useful repo structure (docker-compose, versions file, Makefile, .env.example)",
|
|
28
|
+
"Explains the immediate value: one command to run the full system, version tracking, onboarding",
|
|
29
|
+
"Acknowledges the pattern scales up as the team grows without requiring a rewrite"
|
|
30
|
+
]
|
|
31
|
+
},
|
|
32
|
+
{
|
|
33
|
+
"id": 3,
|
|
34
|
+
"prompt": "How do I write Pact contract tests between my frontend and backend API?",
|
|
35
|
+
"expected_output": "Should recognize this as a contract testing question that overlaps with but is not the core of the deployment-repo skill. Should provide brief context on how contract tests fit into the deployment repo pattern, then redirect to test-suite-design for implementation details.",
|
|
36
|
+
"assertions": [
|
|
37
|
+
"Recognizes this is primarily a testing question, not a deployment repo design question",
|
|
38
|
+
"Provides brief context on how contract tests relate to the deployment repo (they validate version compatibility)",
|
|
39
|
+
"References test-suite-design for detailed contract test implementation guidance",
|
|
40
|
+
"Does not attempt to be a full Pact tutorial within the deployment-repo skill"
|
|
41
|
+
]
|
|
42
|
+
}
|
|
43
|
+
]
|
|
44
|
+
}
|