Quality Gates
Definition
Pre-defined criteria a release must pass before deploy.
Common gates per stage
Pre-commit
- Lint pass.
- Format check.
- Unit test pass.
Build
- Compile success.
- Build size budget.
CI integration
- All tests pass.
- Code coverage > threshold.
- Static analysis clean.
Staging deploy
- E2E smoke pass.
- Performance regression < 10%.
- Security scan clean (no high).
Pre-production
- UAT sign-off.
- Performance test pass.
- Pen test no critical.
Production deploy
- Canary 5% pass for 30 min.
- Error rate < baseline + 0.1%.
Sign-off matrix
| Gate | Owner | Tool |
|---|
| Unit/Integration | Dev | CI |
| E2E | QA | CI + Manual |
| Security | AppSec | SAST/DAST |
| Performance | QE | k6 |
| UAT | PM / Client | Manual |
| Compliance | Legal | Checklist |
Auto vs Manual gates
- Auto: regression suite, static check, performance.
- Manual: UAT, exec sign-off for marketing-sensitive release.
Anti-pattern
- Too many manual gates → release delayed weeks.
- Skip gate "this once" → habit forms.
- Gate without owner → falls through cracks.
Best practice
- < 5 manual gates per release.
- Each gate owner clear.
- Bypass requires written justification + lead approval.
- Audit log of bypass.
VN context
Banking: 10+ formal gates (SBV, compliance, security). Startup: 2-3 gates pragmatic.
Release readiness review (RRR)
30-min meeting before deploy:
- QA report: test results, known issues.
- Dev report: technical readiness.
- PM: business readiness.
- Decision: GO / NO-GO / GO WITH RISK.