# Production maturity gate

`dpone ops production-maturity` is the final local/CI go/no-go gate for release readiness. It aggregates certification, CDC, performance, security, supply-chain, governance, and docs evidence into one deterministic report.

The command does not run every heavy suite itself. Instead, each specialized workflow produces an evidence artifact, and the maturity gate verifies that the required domains are present, passed, checksummed, and summarized.
## Quickstart

```bash
uv run dpone ops production-maturity \
  --release v0.7.1-rc1 \
  --output-dir test_artifacts/production_maturity/report \
  --artifact certification=test_artifacts/connectors/latest/certification.json \
  --artifact cdc=test_artifacts/replay/latest/replay.json \
  --artifact performance=test_artifacts/benchmarks/latest/baseline.json \
  --artifact security=test_artifacts/security/latest/security.json \
  --artifact supply_chain=test_artifacts/supply_chain/latest/evidence.json \
  --artifact governance=test_artifacts/governance/latest/policy.json \
  --artifact docs=test_artifacts/docs/latest/docs.json
```

Outputs:

| File | Purpose |
|---|---|
| `production_maturity.json` | Machine-readable gate result, per-domain status, checksums, blockers, score, and level. |
| `production_maturity.md` | Human-readable release review summary. |
## Evidence domains

| Domain | Typical producer | Required signal |
|---|---|---|
| `certification` | `connector-certification.yml`, `full-certification.yml` | Connector/source-sink certification passed. |
| `cdc` | CDC replay/idempotency workflow | Replay offsets and duplicate/idempotency assertions passed. |
| `performance` | Benchmark baseline workflow | No regression blockers against accepted baselines. |
| `security` | CodeQL, secret scan, security evidence export | No blocking findings. |
| `supply_chain` | OSSF Scorecard, SBOM/provenance/signing evidence | No release blockers. |
| `governance` | Compatibility and policy checks | No unresolved governance violations. |
| `docs` | MkDocs strict build and docs contract tests | Documentation builds and examples are valid. |
## CI workflow

The scheduled/manual GitHub Actions workflow is `.github/workflows/production-maturity.yml`.

It runs the focused service tests, builds local evidence stubs for deterministic CI coverage, runs `dpone ops production-maturity`, indexes the resulting artifacts, and uploads `production-maturity-report`.

Use the workflow before public releases after the specialized gates have produced real evidence artifacts. The stub artifacts in the workflow are not a substitute for release evidence; they prove the aggregator remains operational.
## Algorithm

```mermaid
flowchart TD
    Start["Collect artifact references"] --> Read["Read JSON evidence"]
    Read --> Hash["Calculate SHA-256 per artifact"]
    Hash --> Status["Normalize pass/fail status"]
    Status --> Blockers["Build blockers for missing or failed required domains"]
    Blockers --> Score["Calculate passed required domain score"]
    Score --> Level{"Any blockers?"}
    Level -->|No| GA["level = ga_ready"]
    Level -->|Yes and score >= 80| RC["level = release_candidate"]
    Level -->|Yes and score < 80| Blocked["level = blocked"]
    GA --> Write["Write JSON and Markdown reports"]
    RC --> Write
    Blocked --> Write
```
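The flowchart's decision logic, re-implemented as an added Python example (not dpone's own aggregator code) so the blocker naming, scoring, and level thresholds can be traced end to end. It assumes each evidence file is a JSON object with a `status` field; the `demo` function constructs a sample evidence set in a temporary directory.

```python
import hashlib
import json
import os
import tempfile

REQUIRED_DOMAINS = ("certification", "cdc", "performance", "security",
                    "supply_chain", "governance", "docs")
# Assumption: each evidence file is a JSON object whose "status" uses one of these spellings.
PASS_VALUES = {"pass", "passed", "ok", "success"}

def evaluate(artifacts):
    """artifacts maps domain -> path of a JSON evidence file; returns the gate report dict."""
    domains, blockers = {}, []
    for domain in REQUIRED_DOMAINS:
        path = artifacts.get(domain)
        if path is None or not os.path.isfile(path):
            domains[domain] = {"status": "missing", "sha256": None}
            blockers.append(f"{domain}.missing")
            continue
        with open(path, "rb") as fh:
            raw = fh.read()
        digest = hashlib.sha256(raw).hexdigest()  # pins the report to this exact evidence file
        passed = str(json.loads(raw).get("status", "")).lower() in PASS_VALUES
        domains[domain] = {"status": "passed" if passed else "not_passed", "sha256": digest}
        if not passed:
            blockers.append(f"{domain}.not_passed")
    passed_count = sum(1 for d in domains.values() if d["status"] == "passed")
    score = round(100 * passed_count / len(REQUIRED_DOMAINS))
    if not blockers:
        level = "ga_ready"
    elif score >= 80:
        level = "release_candidate"
    else:
        level = "blocked"
    return {"domains": domains, "blockers": blockers, "score": score, "level": level}


def demo(failing=("security",), missing=("docs",)):
    """Constructed evidence set: every domain passes except those listed as failing or missing."""
    tmp = tempfile.mkdtemp()
    artifacts = {}
    for domain in REQUIRED_DOMAINS:
        if domain in missing:
            continue  # no artifact at all -> "<domain>.missing" blocker
        path = os.path.join(tmp, f"{domain}.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"status": "fail" if domain in failing else "pass"}, fh)
        artifacts[domain] = path
    return evaluate(artifacts)  # default demo: blockers for security and docs, score 71, "blocked"
```

Note that a single failed domain with a high score still lands on `release_candidate`, not `ga_ready`; only an empty blocker list reaches GA.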
## Runbook

If the gate fails:

- Open `production_maturity.md` and identify blockers.
- For `*.missing`, run or upload the missing specialized evidence artifact.
- For `*.not_passed`, open the source workflow artifact and fix the failing domain, not the aggregator.
- Re-run the specialized gate first, then rerun `dpone ops production-maturity` with the new artifact path.
- Do not publish a release while any required blocker remains.
## Related docs

| Need | Doc |
|---|---|
| CI/CD workflow inventory | CI/CD |
| Detailed workflow behavior | Workflow reference |
| Failure recovery | CI/CD runbooks |
| Connector certification | Connector certification |
| Supply-chain evidence | Supply-chain evidence |
| Operations CLI | dpone ops |