Skip to content

Stage: deploy-qa

The deploy-qa stage is where promotion becomes earned. The Fides change-gate (verdict + risk score from the trail evidence) advises; ServiceNow decides the approval. A compliant change flows through automatically; a risky one stops at the gate and waits for a human. The decision is driven by recorded evidence, not a glance at a dashboard.

Part of the Full pipeline action map. Use the Fullscreen button on the diagram to view it edge-to-edge.

flowchart TD
  WAIT{"Fides change-gate + servicenow:cr:wait-qa<br/>Fides verdict/risk advises · SN decides<br/>auto-approve if compliant,<br/>else poll for CAB approval<br/>(allow_failure: false — real gate)"}
  DEPLOY["deploy:helm:qa<br/>deployment gate -> karc-qa<br/>(podtato-head synced by ArgoCD)"]
  ATT["fides:attest:deploy:qa<br/>deploy attestation + DORA"]
  SMOKE["smoke:portal — post-deploy HTTP check"]

  WAIT -->|approved| DEPLOY --> ATT
  DEPLOY --> SMOKE
  WAIT -->|rejected / timeout| FAIL["pipeline fails"]

  class WAIT gate
  class DEPLOY qa
  class ATT attest
  class SMOKE smoke
  class FAIL fail
  classDef qa fill:#d29922,stroke:#8a6500,color:#ffffff
  classDef attest fill:#2da44e,stroke:#116329,color:#ffffff
  classDef gate fill:#9a6700,stroke:#5c3d00,color:#ffffff
  classDef smoke fill:#1b7c83,stroke:#0f4a4e,color:#ffffff
  classDef fail fill:#b62324,stroke:#6e0f10,color:#ffffff
JobWhat it doesWhy
servicenow:cr:wait-qaPolls the CR for approval (1h timeout, 30s interval), auto-approving when the Fides change-gate reports the change compliant (SN_AUTO_APPROVED=true). allow_failure: false.The real promotion gate — a rejection or timeout fails the pipeline. Fides advises via the risk score; ServiceNow decides; compliant changes auto-approve, risky ones wait for the CAB.
deploy:helm:qaDeployment gate into karc-qa: ensures the namespace + gitlab-registry pull secret and emits deploy.env for the CR-close/attestation chain. It no longer runs helm upgradepodtato-head is synced by ArgoCD (tag bumped onto the gitops branch by promote.sh), and karc-portal is dev-only.Promotes podtato to qa via GitOps once the gate clears, while keeping the compliance evidence anchored in CI.
fides:attest:deploy:qaWrites the qa deploy attestation + DORA metrics.Keeps the evidence trail complete through qa.
smoke:portalA short HTTP check against the deployed portal.Confirms qa actually serves traffic after deploy.

This is the policy gate that makes “compliant changes ship fast, risky ones get reviewed” automatic and evidence-driven. The auto-approve decision comes from the Fides change-gate — the verdict + risk score computed in attest — not from a human eyeballing the change.


Stages: dastdeploy-qadeploy-prod · all stages