Deployment Standard
Define quality gates, requirements, and checklists for governed deployment of workspace projects
Overview
Purpose
Define quality gates, requirements, and checklists for governed deployment of workspace projects
Rules
DEPLOY-001: Every deployable project MUST have a docker-compose.prod.yml checked into Git
The compose file IS the deployment contract — deterministic, versioned, reviewable
DEPLOY-002: Every deployed service MUST expose a /health endpoint returning 200 when healthy
Health checks are the only reliable way to verify deployment success
DEPLOY-003: Rollback MUST be achievable within 120 seconds of detecting a failed deployment
Bounded rollback time limits the blast radius of bad deployments
DEPLOY-004: Each application MUST use its own SA token — never share OP_SERVICE_ACCOUNT_TOKEN across apps
Per Decision
DEPLOY-005: Deployed service ports MUST match the server's port registry allocation
Port conflicts cause silent failures. Registry is source of truth.
DEPLOY-006: Secrets MUST be injected via environment variables or op:// references — never hardcoded in compose files or code
Secrets in Git = security vulnerability. Use 1Password op:// references.
DEPLOY-007: All production services MUST use restart policy "unless-stopped"
Services must survive container crashes and host reboots
DEPLOY-008: All production services SHOULD define memory and CPU limits
Unbounded resource usage can crash the host and affect other services
DEPLOY-009: Production builds MUST use Dokploy compose-from-Git — no pre-built images from GHCR
Simplified pipeline — Dokploy pulls repo, builds images, deploys. No registry overhead.
DEPLOY-010: Every service in docker-compose.prod.yml MUST have a healthcheck section
Docker health checks enable Dokploy to detect and respond to unhealthy containers
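The rules that can be read directly from a single compose file (DEPLOY-006, DEPLOY-007, DEPLOY-008, DEPLOY-010) lend themselves to an automated pre-merge check. The following is an added example, not part of this standard or of Dokploy. It assumes the compose file has already been parsed into a dictionary, uses a name-based heuristic to decide which environment variables are secrets, and reads resource limits from deploy.resources.limits; the function names and the sample services are hypothetical.

```python
import re

# Heuristic (assumption): env var names that usually carry secrets.
SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# Accepted forms per DEPLOY-006: 1Password reference or ${VAR} interpolation.
INJECTED = re.compile(r"^(op://\S+|\$\{[A-Za-z_][A-Za-z0-9_]*\})$")

def env_items(service):
    """Normalise compose 'environment' (mapping or KEY=VALUE list) to pairs."""
    env = service.get("environment") or {}
    if isinstance(env, dict):
        return list(env.items())
    return [tuple(e.split("=", 1)) if "=" in e else (e, None) for e in env]

def check_compose(compose):
    """Return sorted (rule, service, level) findings for a parsed compose file."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        for key, value in env_items(svc):
            # A bare KEY (value None) is passed through from the host env: OK.
            if SECRET_NAME.search(key) and value is not None \
                    and not INJECTED.match(str(value)):
                findings.append(("DEPLOY-006", name, "error"))
        if svc.get("restart") != "unless-stopped":
            findings.append(("DEPLOY-007", name, "error"))
        limits = (svc.get("deploy") or {}).get("resources", {}).get("limits", {})
        if not (limits.get("memory") and limits.get("cpus")):
            findings.append(("DEPLOY-008", name, "warning"))  # SHOULD, not MUST
        if not (svc.get("healthcheck") or {}).get("test"):
            findings.append(("DEPLOY-010", name, "error"))
    return sorted(set(findings))

# Constructed sample, shaped like yaml.safe_load(docker-compose.prod.yml) output.
SAMPLE = {"services": {
    "api": {
        "restart": "unless-stopped",
        "environment": {"DB_PASSWORD": "op://prod/api-db/password", "PORT": "8080"},
        "deploy": {"resources": {"limits": {"memory": "512M", "cpus": "0.50"}}},
        "healthcheck": {"test": ["CMD", "curl", "-f", "http://localhost:8080/health"]},
    },
    "worker": {
        "restart": "always",
        "environment": ["API_TOKEN=constructed-not-a-real-token", "LOG_LEVEL=info"],
    },
}}

if __name__ == "__main__":
    for rule, service, level in check_compose(SAMPLE):
        print(f"{level.upper():7} {rule} service={service}")
```

DEPLOY-004 and DEPLOY-005 are not covered here because they need information outside the compose file (the other applications' tokens and the server's port registry).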