DEPLOY-004 critical Release Management

Production deployments tagged

Every production deployment gets a tag for traceability

Question to ask

"What's running in production right now — exact version?"

What to check

  • Production deployments have corresponding tags
  • Consistent tag naming convention (v1.2.3, etc.)
  • Tagging is automated in deployment workflow
  • Staging deployments are NOT tagged

Verification guide

Severity: Critical

Check automatically:

  1. List recent tags:

    # Get recent tags sorted by date
    git tag --sort=-creatordate | head -20
    
  2. Check tag naming pattern:

    # Analyze tag format
    git tag --sort=-creatordate | head -20 | grep -E "^v[0-9]|^release|^[0-9]+\.[0-9]+"
    
  3. Get production deployments:

    # Get recent production deployment commits
    gh api repos/{owner}/{repo}/deployments --jq '.[] | select(.environment == "production" or .environment == "prod") | {sha: .sha[0:7], created_at, environment}' | head -20
    
  4. Compare tags to production deployments:

    # Check whether a production deployment SHA has a tag (this checks only the most recent one;
    # loop over all SHAs from step 3 for a full pass)
    PROD_SHA=$(gh api repos/{owner}/{repo}/deployments --jq '.[] | select(.environment == "production" or .environment == "prod") | .sha' | head -1)
    # --points-at lists only tags on this exact commit; --contains would also match any later tag
    # on the branch and report an untagged deploy as tagged. Guard against an empty SHA: with no
    # argument, git tag defaults to HEAD and silently checks the wrong commit.
    [ -n "$PROD_SHA" ] && git tag --points-at "$PROD_SHA" 2>/dev/null

  5. Check for automated tagging in workflow:

    # Look for tag creation in deploy workflow
    grep -riE "git tag|create.*tag|actions/create-release|softprops/action-gh-release|semantic-release" .github/workflows/*.yml .github/workflows/*.yaml 2>/dev/null
    
  6. Verify staging is NOT tagged (should only tag production):

    # Check if staging deployments have tags (they shouldn't); same --points-at and empty-SHA
    # considerations as in step 4
    STAGING_SHA=$(gh api repos/{owner}/{repo}/deployments --jq '.[] | select(.environment == "staging") | .sha' | head -1)
    [ -n "$STAGING_SHA" ] && git tag --points-at "$STAGING_SHA" 2>/dev/null

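The comparison from steps 4 and 6 as one stand-alone script, added here as an example and not part of the original check: it reports production deployments with no tag pointing at their commit and staging deployments that do carry one. The deployment list and tag table are constructed sample data; in a real repository they would come from the gh api call in step 3 and from git for-each-ref refs/tags, with full SHAs on both sides.

```shell
#!/usr/bin/env sh
# Constructed sample input: one deployment per line, "<environment> <sha>".
# Real data: gh api repos/{owner}/{repo}/deployments --jq '.[] | "\(.environment) \(.sha)"'
DEPLOYMENTS='production 1a2b3c4d
production 5e6f7a8b
staging 9c0d1e2f
staging 3a4b5c6d
production 7e8f9a0b'

# Constructed sample tag table: "<sha> <tag>". Real data:
#   git for-each-ref refs/tags --format='%(objectname) %(refname:short)'
# (annotated tags need %(*objectname) so the commit, not the tag object, is listed)
TAGS='1a2b3c4d v1.2.0
5e6f7a8b v1.2.1
3a4b5c6d v1.2.1-rc1'

# Tags pointing at exactly $1: the semantics of `git tag --points-at`, not
# `--contains`, which would also match every later tag on the same branch.
tags_at() {
  printf '%s\n' "$TAGS" | awk -v sha="$1" '$1 == sha { print $2 }'
}

# Production deployments with no tag on their commit (fail criterion: untagged production)
untagged_production() {
  printf '%s\n' "$DEPLOYMENTS" | while read -r envname sha; do
    case "$envname" in
      production|prod) if [ -z "$(tags_at "$sha")" ]; then echo "$sha"; fi ;;
    esac
  done
}

# Staging deployments that do carry a tag (fail criterion: tags for every environment)
tagged_staging() {
  printf '%s\n' "$DEPLOYMENTS" | while read -r envname sha; do
    if [ "$envname" = staging ]; then
      for t in $(tags_at "$sha"); do echo "$sha $t"; done
    fi
  done
}

# Returns 0 only when both finding lists are empty; prints the findings otherwise.
check_release_tags() {
  up=$(untagged_production); ts=$(tagged_staging)
  [ -n "$up" ] && printf 'Untagged production deployments:\n%s\n' "$up"
  [ -n "$ts" ] && printf 'Tagged staging deployments:\n%s\n' "$ts"
  if [ -z "$up" ] && [ -z "$ts" ]; then return 0; else return 1; fi
}

check_release_tags || echo "DEPLOY-004: FAIL"
```

With the sample data the script flags 7e8f9a0b as an untagged production deployment and 3a4b5c6d (v1.2.1-rc1) as a tagged staging deployment.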

Cross-reference with:

  • DEPLOY-001 (Deployment workflow)
  • FLOW-005 (Merge strategy preserves history)

Pass criteria:

  • Production deployments have corresponding tags
  • Tags follow consistent naming convention (v1.2.3, release-YYYY-MM-DD, etc.)
  • Tagging is automated in deployment workflow (not manual)
  • Staging deployments are NOT tagged (only production)

Fail criteria:

  • Production deployments without tags
  • Inconsistent or missing tag naming convention
  • Manual tagging process (prone to being skipped)
  • Tags for every environment (cluttered, meaningless)

If no automated tagging found, ask user: "No automated tagging found in deployment workflow. How are production releases tracked? Every production deployment should be tagged automatically for traceability. Consider using semantic-release or adding a tagging step to your deploy workflow."

Evidence to capture:

  • Recent tags (last 10-20)
  • Tag naming convention
  • Automated tagging mechanism (workflow step, semantic-release, etc.)
  • Production deployments with matching tags
  • Any untagged production deployments

Section

10. Deployments

Deployment & Operations