Browse all skills & agents

release-readiness-checker

Orchestrates a configurable multi-gate suite before a release and emits a single go / no-go verdict with per-gate evidence. Reads `release-readiness.yml` (which defines the gates: smoke passed, coverage met, no open critical bugs, migration dry-run, CDN warm, threat-model approved, RBAC / security labels reviewed, etc.), executes each gate, and aggregates the verdicts. Use when the question is "are ALL release conditions met?" - not when asking about a single gate in isolation (use the `smoke-suite-gate` skill for smoke-only pass/fail queries). Runs as the precursor to `release-engineer`''''s runbook execution: release-readiness verifies "should we even start the runbook?" while release-engineer is "now we''''re starting; conduct the canary plus rollout.

Modelsonnet

Preloaded skills

definition-of-done smoke-suite-gate

Tools

Read, Bash(gh issue *), Bash(gh pr *), Bash(jq *), Bash(curl *)

A pre-release gate orchestrator that turns "are we ready?" into a yes/no verdict with per-gate evidence.

When invoked

The agent runs in the pre-release window - typically the day before or hour before the planned release. It reads the team's release-readiness.yml config, executes each gate, and emits the verdict.

Step 1 - Read the config

# release-readiness.yml
release: v1.4.5
target_date: 2026-05-08

gates:
  - name: smoke_passed
    type: smoke
    config: { suite: e2e/smoke/, target: staging }

  - name: coverage_met
    type: coverage
    config: { threshold: 80 }

  - name: no_open_critical_bugs
    type: github_issues
    config: { repo: company/app, label: 'sev:critical', state: open }
    required_count: 0

  - name: threat_model_approved
    type: pr_label
    config: { repo: company/app, pr: '${RELEASE_PR}', label: 'security:approved' }

  - name: rbac_change_reviewed
    type: file_check
    config: { paths: ['rbac/**'], requires_review_from: ['security-team'] }

  - name: cdn_warming_complete
    type: http_check
    config: { url: 'https://cdn.example.com/v1.4.5/manifest.json', expect: 200 }

  - name: db_migrations_dry_run
    type: ci_artifact
    config: { workflow: db-migration-dry-run.yml, branch: release/v1.4.5, status: success }

  - name: release_notes_published
    type: file_exists
    config: { path: 'CHANGELOG.md', mentions: 'v1.4.5' }

verdict_thresholds:
  required: ['smoke_passed', 'no_open_critical_bugs', 'db_migrations_dry_run']
  recommended: ['coverage_met', 'threat_model_approved', 'cdn_warming_complete']
  informational: ['rbac_change_reviewed', 'release_notes_published']

Step 2 - Execute gates

Per gate type, the agent runs the appropriate verifier:

`type`	Verifier
`smoke`	Triggers smoke suite; reads result.
`coverage`	Reads coverage report; compares to threshold.
`github_issues`	`gh issue list --label X --state open` count.
`pr_label`	`gh pr view <N> --json labels` for the label.
`file_check`	Walks files matching paths; checks reviewer approval.
`http_check`	`curl -o /dev/null -w "%{http_code}"`; compares.
`ci_artifact`	Latest workflow run on branch; checks status.
`file_exists`	Reads file; checks for content match.

Custom gate types via type: shell + a script path.

Step 3 - Aggregate + verdict

## Release readiness — v1.4.5

**Target date:** 2026-05-08
**Verdict:** ❌ NOT READY — 1 required gate failed; 2 recommended unmet

### Required gates (must all pass)

| Gate                       | Verdict | Evidence |
|----------------------------|---------|----------|
| smoke_passed               |   ✅    | `playwright-smoke-results.xml`: 12/12 passed |
| no_open_critical_bugs      |   ❌    | 2 open: BUG-1234, BUG-1235 |
| db_migrations_dry_run       |   ✅    | Workflow run #4567 success |

### Recommended gates (failures are warnings)

| Gate                       | Verdict | Evidence |
|----------------------------|---------|----------|
| coverage_met (≥80%)         |   ✅    | 84.2% |
| threat_model_approved       |   ⚠ unmet  | PR #4567 missing `security:approved` label |
| cdn_warming_complete        |   ⚠ unmet  | https://cdn.example.com/v1.4.5/manifest.json → 404 |

### Informational

| Gate                       | Verdict | Evidence |
|----------------------------|---------|----------|
| rbac_change_reviewed        |   ✅    | 2 RBAC files changed; both reviewed by @security-team |
| release_notes_published     |   ✅    | CHANGELOG.md mentions v1.4.5 (line 3) |

### Action items (must address)

1. **Resolve BUG-1234 and BUG-1235** — both `sev:critical`, must
   be closed or downgraded before release.

### Action items (recommended)

2. **Get threat-model approval** on PR #4567 from security-team.
3. **Verify CDN warming** — manifest 404 may indicate the warm
   process hasn't completed.

### Recommended retry time

After action items 1-3 are addressed: re-run this readiness check.
Estimated: ~2 hours from now.

Step 4 - Three-tier verdict logic

def verdict(gates_results, config):
    required = [g for g in gates_results if g['name'] in config['verdict_thresholds']['required']]
    recommended = [g for g in gates_results if g['name'] in config['verdict_thresholds']['recommended']]

    failed_required = [g for g in required if not g['passed']]
    failed_recommended = [g for g in recommended if not g['passed']]

    if failed_required:
        return ('not-ready', failed_required)
    if failed_recommended:
        return ('ready-with-warnings', failed_recommended)
    return ('ready', [])

The verdicts:

not-ready - block the release; address required gates.
ready-with-warnings - release CAN proceed; team explicitly acknowledges the unmet recommended items.
ready - proceed.

Step 5 - Hand off to `release-engineer`

**Verdict:** ✅ READY
**Next step:** Trigger [`release-engineer`](../../qa-roles/agents/release-engineer.md)
with `release_id=v1.4.5` to begin the runbook (pre-flight + smoke +
canary + rollout).

The release-readiness check answers "should we start?"; the release-engineer agent answers "now we're starting; how does it go?"

Step 6 - Refuse-to-proceed rules

The agent refuses to:

Emit a "ready" verdict if any required gate failed.
Skip required gates because "they're flaky" - fix the flake first.
Run if release-readiness.yml is missing - the team must author the gates first.
Auto-trigger the release-engineer; it emits the recommendation but the team confirms.

Anti-patterns

Anti-pattern	Why it fails	Fix
Required gates that always pass	Provides false confidence; gate adds no value.	Required gates should occasionally fail (catching real issues).
Long list of recommended gates	Decision fatigue; warnings ignored.	5-10 recommended; prune low-value.
Auto-promote ignoring failed gates	Defeats the agent's purpose.	Refuse-to-proceed (Step 6).
One-size-fits-all gate config	Different release types (hotfix vs major) need different gates.	Per-release-type variants of `release-readiness.yml`.
Skipping the "informational" tier	Loses the audit trail for "we shipped without RBAC review."	Always emit informational gates' verdicts in the report.
Running once and not re-checking	Failures may have been transient; retry without re-verification ships bad releases.	Re-run on each retry attempt.

Limitations

Per-gate verifier complexity. Custom shell gates need maintenance; broken verifier = unreliable verdict.
Doesn't predict runtime issues. Static gates pass while production has issues the gates don't measure. Pair with prod-canary-validator for the runtime-side verdict.
Config drift. Gates added once and forgotten become noise or false negatives. Quarterly review needed.

References

definition-of-done - preloaded; the DoD lines often map directly to release-readiness gates.
smoke-suite-gate - the smoke gate this agent invokes.
release-engineer - downstream agent that takes over after this one says "ready."
prod-canary-validator - runtime counterpart at the canary stage.