Skip to content

Production Readiness Checklist

Date: 2026-03-04

Validation Snapshot (2026-03-06)

  • [x] Item 6 (CI/CD and contract safety) validated in local CI-parity run.
  • [x] Item 7 (staging smoke workflow execution path) validated with scripts/staging_smoke.py.
  • [x] Item 8 (production security config validation rules) verified via runtime config tests.
  • [x] Item 9 (webhook signature + replay hardening) verified via targeted API tests.
  • [x] Item 10 (metrics + alert config preflight) validated with /metrics and infra/k8s rule files.
  • [x] Item 11 (backup/recovery and retention spot-check) validated via operational smoke and admin metrics.
  • Evidence: docs/release-readiness-2026-03-06.md

Security

  • [ ] DIFFVER_AUTH_REQUIRED=1 enabled in production.
  • [ ] Tenant/admin API keys rotated and stored in secret manager.
  • [ ] DIFFVER_ENV=production and non-deterministic signer mode configured.
  • [ ] Webhook signature validation enabled (DIFFVER_GITHUB_WEBHOOK_SECRET).
  • [ ] Webhook replay window enabled (DIFFVER_GITHUB_WEBHOOK_MAX_AGE_SECONDS).
  • [ ] Rate limits configured (DIFFVER_*RATE_LIMIT* vars).

Signing and Evidence

  • [ ] KMS key policy reviewed and least-privilege access applied.
  • [ ] aws-kms signer integration smoke run passed.
  • [ ] Artifact verification endpoint validated against staging artifacts.
  • [ ] Signing-config update and verification failure audit events visible.

Reliability and Operations

  • [ ] Worker retention scheduler configured (DIFFVER_RETENTION_CLEANUP_EVERY_SECONDS).
  • [ ] Retention thresholds set (DIFFVER_RETENTION_FULL_MODE_DAYS).
  • [ ] Retention runbook reviewed: docs/retention-operations.md.
  • [ ] /metrics endpoint scraped by telemetry stack.
  • [ ] Alerts configured from infra/k8s/prometheus-rules.diffver.yaml and routed to on-call.

CI/CD and Contract Safety

  • [ ] CI route/spec contract check passing.
  • [ ] Typed OpenAPI client generation step passing.
  • [ ] Integration tests passing with required skips expected.
  • [ ] Staging smoke workflow runnable with configured secrets.

Rollback and Recovery

  • [ ] Rollback procedure documented for API and worker deployments.
  • [ ] Data recovery procedure validated for artifact/diff storage backends (docs/backup-recovery.md).
  • [ ] On-call escalation path and runbooks linked.

Go/No-Go

  • [ ] Cross-functional sign-off (Platform, AppSec, SRE).
  • [ ] Release tag cut and deployment window approved.