CDX-301c · Module 3
Deployment Gates & Quality Checks
4 min read
Deployment gates are CI checks that must pass before code reaches production. Codex adds an AI-powered layer on top of your existing gates: once unit tests, integration tests and linting have passed, Codex performs a final review aimed at the issues those tools do not model. Common gate checks include: no hardcoded credentials in the diff, no breaking changes to public APIs without a major version bump, no database migrations that could lock tables in production, and no TODO comments without linked issue numbers. Treat the AI review as an additional layer, not a replacement: checks that already exist as deterministic tools (secret scanning, dependency audit) stay in the traditional stage, where the verdict does not depend on a model.
The gate should be fast and deterministic. Codex reviews should complete within 2 minutes for a typical PR. If the review takes longer, the diff is too large: enforce PR size limits (under 400 lines of changed code) to keep gate times predictable. Determinism is harder: the same diff reviewed twice should produce the same verdict. Get as close as the model allows by using low temperature settings, specific prompt templates and objective rules, and design the gate so that any residual non-determinism can only block, never admit: require a strict output schema, treat an unparseable or malformed verdict as a failure, and log every verdict so disagreements between runs can be reviewed. Subjective checks ("is this code good?") produce non-deterministic results and do not belong in deployment gates. Remember also that the diff is attacker-controlled input to the model: a PR author can embed text in a comment or string that tries to talk the reviewer into a passing verdict, which is one more reason the AI gate must sit beside, not instead of, the deterministic checks.
```yaml
name: Deployment Gate
on:
  pull_request:
    branches: [main, release/*]
# Least privilege: the gate only reads the repository. The job result itself
# is the status check, so no write scope is needed.
permissions:
  contents: read
jobs:
  traditional-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm run typecheck
      - run: npm test
      - run: npm run lint
  codex-gate:
    needs: traditional-checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0        # full history so origin/<base> exists for the diff
      - run: npm install -g @openai/codex
      - name: AI Deployment Gate
        env:
          # Not available to pull_request runs from forks, so the gate fails
          # closed there rather than running full-auto on untrusted fork code.
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          # Pass the base branch through the environment instead of
          # interpolating the expression into the script body.
          BASE_REF: ${{ github.base_ref }}
        run: |
          codex --profile ci --approval full-auto \
            "Review this diff for deployment readiness.
            FAIL if any of these are true:
            1. Hardcoded secrets or credentials
            2. Breaking API changes without version bump
            3. Database migrations with ALTER TABLE on large tables
            4. Console.log/debug statements in production paths
            5. Missing error handling on new async functions
            Output JSON: {ready: boolean, blockers: string[]}" \
            < <(git diff "origin/${BASE_REF}...HEAD") \
            > gate-result.json
          # Fail closed: if the output is not valid JSON, jq errors and the
          # step fails; if .ready is anything other than true, block explicitly.
          READY=$(jq -r '.ready' gate-result.json)
          if [ "$READY" != "true" ]; then
            echo "DEPLOYMENT BLOCKED:"
            jq -r '.blockers[]' gate-result.json
            exit 1
          fi
```
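The verdict-handling half of the gate, as a small Python helper that fails closed. This is an added example, not the module's or the Codex project's own code. It assumes the workflow step saves the diff to pr.diff and the reviewer output to gate-result.json and then runs `python3 gate.py pr.diff gate-result.json` (both file names and the script name are assumptions); the diff and verdict strings used to exercise it are constructed samples. It adds two things the jq one-liner in the workflow lacks: the 400-line size limit is enforced before the verdict is consulted, and a verdict whose ready field is the string "true", that has prose wrapped around the JSON, that omits a field, or that claims ready while still listing blockers is rejected instead of admitted.

```python
"""Added example (not the module's own code): fail-closed handling of an AI
deployment-gate verdict plus the PR size limit. Assumes the reviewer was asked
for {"ready": boolean, "blockers": string[]} as in the module's prompt."""
import json
import sys

MAX_CHANGED_LINES = 400  # PR size limit recommended in the module


def count_changed_lines(diff_text: str) -> int:
    """Count added and removed lines in a unified diff, skipping the
    '+++'/'---' file headers so they are not mistaken for changes."""
    n = 0
    for line in diff_text.splitlines():
        if line.startswith(("+++ ", "--- ")) or line in ("+++", "---"):
            continue
        if line.startswith(("+", "-")):
            n += 1
    return n


def parse_verdict(text: str) -> tuple[bool, list[str]]:
    """Strictly validate the reviewer's output. Anything that is not a bare
    JSON object with a boolean 'ready' and a list of string 'blockers' raises
    ValueError, and 'ready: true' alongside listed blockers is rejected as
    self-contradictory. The caller turns every exception into a block."""
    data = json.loads(text)  # prose around the JSON raises here
    if not isinstance(data, dict):
        raise ValueError("verdict is not a JSON object")
    ready = data.get("ready")
    blockers = data.get("blockers")
    if not isinstance(ready, bool):  # the string "true" is not a verdict
        raise ValueError("'ready' must be a JSON boolean")
    if not isinstance(blockers, list) or not all(isinstance(b, str) for b in blockers):
        raise ValueError("'blockers' must be an array of strings")
    if ready and blockers:
        raise ValueError("'ready' is true but blockers are listed")
    return ready, blockers


def gate(diff_text: str, verdict_text: str,
         max_lines: int = MAX_CHANGED_LINES) -> tuple[bool, list[str]]:
    """Return (allow, reasons). The size check runs first so an oversized diff
    is blocked before any model verdict is trusted; any parse failure blocks
    with the error as the reason (fail closed, never open)."""
    changed = count_changed_lines(diff_text)
    if changed > max_lines:
        return False, [f"{changed} changed lines exceeds the {max_lines}-line PR limit"]
    try:
        ready, blockers = parse_verdict(verdict_text)
    except ValueError as exc:
        return False, [f"unparseable gate verdict: {exc}"]
    return ready, blockers


if __name__ == "__main__":
    # Assumed usage in the workflow step: python3 gate.py pr.diff gate-result.json
    diff_path, verdict_path = sys.argv[1], sys.argv[2]
    with open(diff_path) as diff_file, open(verdict_path) as verdict_file:
        allow, reasons = gate(diff_file.read(), verdict_file.read())
    if not allow:
        print("DEPLOYMENT BLOCKED:")
        for reason in reasons:
            print(f"  - {reason}")
        sys.exit(1)
    print("DEPLOYMENT GATE PASSED")
```

The contradictory-verdict rule matters in practice: a model that hedges by emitting ready: true with a non-empty blockers list would sail through a check that reads only the boolean, and that is exactly the shape an injected instruction in the diff tends to produce.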
- Define gate criteria: List the deployment blockers that traditional tools miss. Each becomes a Codex gate check. Keep the list under 10 items for speed and reliability, and phrase each as an objective condition the reviewer can answer from the diff alone.
- Configure as required check: Add the Codex gate as a required status check in GitHub branch protection, so PRs that fail the gate cannot be merged and the check cannot be skipped by anyone without bypass rights.
- Track gate performance: Measure gate execution time, pass/fail rate, and false positive rate weekly. Adjust criteria to keep false positives below 5% and execution time below 2 minutes. Spot-check a sample of passed PRs as well, since a gate that only fails noisily looks healthy while silently missing real blockers.