WF-15 — Software Release
Process map for promoting a release candidate to production: tests/scans → migration rehearsal → UAT → approve → deploy → observe. Owner: Technology Owner · every release carries a change record, feature-flag plan and tested rollback per §19.3 definition of done.
WF-15
Process map — happy pathVersion 2.4 · active since 12 Apr 2026
Release candidate tagged→
Automated tests & security scans→
Migration rehearsal on masked prod copy→
UAT sign-off (business owners)→
Change approval (CAB · change record)→
Deploy — canary, flags dark→
Observe — error budget & golden signals→
Flags ramped 100% · release closed
SoD: the engineer who builds is never the approver or the sole deployer. New behavior ships dark behind flags in Feature Flags & Entitlements; ramp-up is a business decision, not a deploy step.
Exception paths3 defined recoveries
Tests / scans / UAT gate→
Gate failed (defect or critical CVE)→
Return to development · fix & re-tag→
Candidate withdrawn · change record annotated
Observe→
Error budget burn / failed health checks→
Rollback decision (Technology Owner)→
Flags off → deploy previous build → migration down-script→
Rolled back · post-incident review opened
| Exception | Detection | Recovery | Evidence retained |
|---|---|---|---|
| Failed gate | CI red, SAST/DAST critical finding, UAT defect S1/S2, unmet DoD item | Block promotion; return to dev; re-run full gate on new candidate (no partial waivers without approved exception) | Gate report, defect list, waiver approval if any |
| Rollback | Golden-signal regression, migration failure, flag-guarded feature faulting | Kill-switch flags off in < 5 min; redeploy previous build; run rehearsed down-migration; verify data reconciliation | Rollback timeline, down-migration log, reconciliation totals |
| Post-incident review | Any rollback or Sev-1/2 incident within 72h of deploy | Blameless review within 5 business days; actions tracked to closure; release notes and runbooks updated | PIR document, action items, owner sign-off |
Owner & definition (§8.3 standard)
- Workflow ID
- WF-15 · Software Release
- Owner
- Technology Owner
- Version
- 2.4 · approved 08 Apr 2026 · effective 12 Apr 2026
- Trigger
- Release candidate tagged from main (signed build)
- Preconditions
- Change record opened; DoD checklist attached; rollback plan and down-migrations rehearsed; feature-flag plan approved
- States
- Candidate → Tested → Rehearsed → UAT-approved → Change-approved → Deployed → Observing → Closed / Rolled back
- Terminal outcomes
- Released (flags 100%) Rolled back Withdrawn
- Required evidence
- Change record CHG-####, gate reports, UAT sign-off, approver identities, deploy + rollback logs, observation summary
- Approval snapshot
- CAB authority resolved from policy snapshot at submission (§8.3)
Controls (Table 14, expanded)Change management
| Control | Implementation | Checked at |
|---|---|---|
| Change record | Every release links CHG-#### with scope, risk class, DoD evidence (§19.3), go/no-go and residual risk recorded by sponsor | Candidate → Close |
| Feature flags | New behavior dark-launched; per-tenant/branch ramp; kill switch independent of deploy; flag changes audited | Deploy → Ramp |
| Rollback | Previous build retained; down-migrations rehearsed on masked prod copy; rollback criteria pre-agreed in change record | Rehearsal + Observe |
| SoD | Builder ≠ approver ≠ production deployer; production access just-in-time and logged | Approve + Deploy |
| Config safety | Required configuration has an approved active version or explicit non-applicability before go-live (§19.3) | Change approval |
Timers & escalation (§8.3)
| Timer | Calendar | Warning | Breach | Escalation |
|---|---|---|---|---|
| UAT window | Business (UAE, Sun–Thu) | Day 2 of 3 | > 3 business days | Reminder to business owners → Technology Owner reschedules |
| Change approval pending | Business | > 1 day | > 2 business days | Escalate to CAB chair; candidate may go stale (re-test rule) |
| Canary observation | 24×7 | Any S3 regression | Error budget burn > 2× | Auto page on-call → rollback decision within 30 min |
| Candidate freshness | Calendar | > 7 days old | > 14 days | Full gate re-run required before deploy |
Screens involved
| Step | Screen | Role |
|---|---|---|
| Flag plan, dark launch, ramp, kill switch | Feature Flags & Entitlements | Technology Owner / product |
| Observe deploy health & golden signals | Runtime Observability | On-call engineer |
| Config readiness before go-live | RPT-27 Deployment Configuration Readiness | Config Admin (Vikram Nair) |
| Release / change audit trail | Audit Explorer | Auditor (Grace Okafor) |
| Degraded-mode behavior during deploy | Error & Degraded States | All users |
Worked instance — release R-2026.07.2 “Client-money module GA”Closed · flags at 100% · 17 Jul 2026
- 13 Jul 2026 · 09:40Candidate tagged — build 2026.07.2-rc1 · change record CHG-2026-0412
- 13 Jul · 11:05Gate 1 passed — tests & scans
- 14 Jul · 08:30Migration rehearsal on masked prod copy
- 15 Jul · 16:20UAT sign-off
- 16 Jul · 10:00Change approved — CAB
- 16 Jul · 22:14Deployed — canary 5%, flags dark
- 17 Jul · 09:00Observation clean — flag ramp started
- 17 Jul · 13:30Release closed
Static render mockup — no live data. Source: ERP Modern Development Specification v2.0 (§8.2 Table 14, §8.3, §19.3) · Covers: WF-15.