Deploy runbook

By Maya Reynolds · Updated 2 days ago · 14 min read · v4.2
engineering · runbook · production

This is the canonical runbook for deploying any service in the Vault monorepo to production. Read it before your first deploy, then keep it bookmarked. Updates are reviewed monthly by the platform team.

📘 Before you start

You'll need aws-cli & vault-cli set up. New here? Run brew bundle in the repo root; it installs both.

1. The short version

If you're shipping a hotfix and don't have time to read the rest:

  1. Open a PR · merge to main only after one approval
  2. CI runs lint + tests + security audit · automatic
  3. Once green, push the tag: ./scripts/release.sh v4.X.Y
  4. Watch the deploy in Beacon: link auto-posts to #deploys
  5. If anything goes red, run ./scripts/rollback.sh immediately

2. The long version

Read this on your first three deploys until it's muscle memory.

3. Rollback in under 90 seconds

⚠ When things go wrong

Don't try to fix forward. Roll back first, debug second. The on-call rotation expects this.

# From any laptop with vault-cli installed:
./scripts/rollback.sh --service vault-api --to-tag v4.2.1

# Verify rollback completed:
./scripts/check-deploys.sh --service vault-api