OH

WF-15 — Software Release

Process map for promoting a release candidate to production: tests/scans → migration rehearsal → UAT → approve → deploy → observe. Owner: Technology Owner · every release carries a change record, feature-flag plan and tested rollback per §19.3 definition of done.

WF-15
Feature flags Runtime observability
Process map — happy pathVersion 2.4 · active since 12 Apr 2026
Release candidate tagged Automated tests & security scans Migration rehearsal on masked prod copy UAT sign-off (business owners) Change approval (CAB · change record) Deploy — canary, flags dark Observe — error budget & golden signals Flags ramped 100% · release closed

SoD: the engineer who builds is never the approver or the sole deployer. New behavior ships dark behind flags in Feature Flags & Entitlements; ramp-up is a business decision, not a deploy step.

Exception paths3 defined recoveries
Tests / scans / UAT gate Gate failed (defect or critical CVE) Return to development · fix & re-tag Candidate withdrawn · change record annotated
Observe Error budget burn / failed health checks Rollback decision (Technology Owner) Flags off → deploy previous build → migration down-script Rolled back · post-incident review opened
ExceptionDetectionRecoveryEvidence retained
Failed gateCI red, SAST/DAST critical finding, UAT defect S1/S2, unmet DoD itemBlock promotion; return to dev; re-run full gate on new candidate (no partial waivers without approved exception)Gate report, defect list, waiver approval if any
RollbackGolden-signal regression, migration failure, flag-guarded feature faultingKill-switch flags off in < 5 min; redeploy previous build; run rehearsed down-migration; verify data reconciliationRollback timeline, down-migration log, reconciliation totals
Post-incident reviewAny rollback or Sev-1/2 incident within 72h of deployBlameless review within 5 business days; actions tracked to closure; release notes and runbooks updatedPIR document, action items, owner sign-off
Owner & definition (§8.3 standard)
Workflow ID
WF-15 · Software Release
Owner
Technology Owner
Version
2.4 · approved 08 Apr 2026 · effective 12 Apr 2026
Trigger
Release candidate tagged from main (signed build)
Preconditions
Change record opened; DoD checklist attached; rollback plan and down-migrations rehearsed; feature-flag plan approved
States
Candidate → Tested → Rehearsed → UAT-approved → Change-approved → Deployed → Observing → Closed / Rolled back
Terminal outcomes
Released (flags 100%) Rolled back Withdrawn
Required evidence
Change record CHG-####, gate reports, UAT sign-off, approver identities, deploy + rollback logs, observation summary
Approval snapshot
CAB authority resolved from policy snapshot at submission (§8.3)
Controls (Table 14, expanded)Change management
ControlImplementationChecked at
Change recordEvery release links CHG-#### with scope, risk class, DoD evidence (§19.3), go/no-go and residual risk recorded by sponsorCandidate → Close
Feature flagsNew behavior dark-launched; per-tenant/branch ramp; kill switch independent of deploy; flag changes auditedDeploy → Ramp
RollbackPrevious build retained; down-migrations rehearsed on masked prod copy; rollback criteria pre-agreed in change recordRehearsal + Observe
SoDBuilder ≠ approver ≠ production deployer; production access just-in-time and loggedApprove + Deploy
Config safetyRequired configuration has an approved active version or explicit non-applicability before go-live (§19.3)Change approval
Timers & escalation (§8.3)
TimerCalendarWarningBreachEscalation
UAT windowBusiness (UAE, Sun–Thu)Day 2 of 3> 3 business daysReminder to business owners → Technology Owner reschedules
Change approval pendingBusiness> 1 day> 2 business daysEscalate to CAB chair; candidate may go stale (re-test rule)
Canary observation24×7Any S3 regressionError budget burn > 2×Auto page on-call → rollback decision within 30 min
Candidate freshnessCalendar> 7 days old> 14 daysFull gate re-run required before deploy
Screens involved
StepScreenRole
Flag plan, dark launch, ramp, kill switchFeature Flags & EntitlementsTechnology Owner / product
Observe deploy health & golden signalsRuntime ObservabilityOn-call engineer
Config readiness before go-liveRPT-27 Deployment Configuration ReadinessConfig Admin (Vikram Nair)
Release / change audit trailAudit ExplorerAuditor (Grace Okafor)
Degraded-mode behavior during deployError & Degraded StatesAll users
Worked instance — release R-2026.07.2 “Client-money module GA”Closed · flags at 100% · 17 Jul 2026
  • 13 Jul 2026 · 09:40
    Candidate tagged — build 2026.07.2-rc1 · change record CHG-2026-0412
    Scope: FIN-13 client-money screens + subledger postings. Risk class: High (financial control). Rollback criteria pre-agreed.
  • 13 Jul · 11:05
    Gate 1 passed — tests & scans
    4,812 tests green · SAST 0 critical · dependency scan 1 medium (waived, expiry 30 Sep 2026, approver: Technology Owner).
  • 14 Jul · 08:30
    Migration rehearsal on masked prod copy
    Up-migration 4m 12s; down-migration rehearsed 3m 40s; row counts and AED control totals reconciled (Δ 0.00).
  • 15 Jul · 16:20
    UAT sign-off
    Fatima Rashid (Finance Manager) + Mariam Al Suwaidi (Legal) approved 14 scripted scenarios incl. “release to unrelated purpose is denied”.
  • 16 Jul · 10:00
    Change approved — CAB
    Approvers: Technology Owner + Fatima Rashid (business sponsor). Builder excluded from approval (SoD). Deploy window 16 Jul 22:00–23:00 GST.
  • 16 Jul · 22:14
    Deployed — canary 5%, flags dark
    Flag fin.client-money.ga OFF for all tenants; canary error rate 0.02% (baseline 0.03%).
  • 17 Jul · 09:00
    Observation clean — flag ramp started
    Ramp Dubai HQ 100% → Abu Dhabi Branch 100% by 12:00. No golden-signal regression; error budget intact.
  • 17 Jul · 13:30
    Release closed
    Runbooks + release notes published; CHG-2026-0412 closed with evidence pack; residual risk “low” recorded by sponsor.

Static render mockup — no live data. Source: ERP Modern Development Specification v2.0 (§8.2 Table 14, §8.3, §19.3) · Covers: WF-15.