Raxx · internal docs

internal · gated

RCA — First Tag-Gated Production Promotion (ADR-0115)

Incident ID: 2026-07-03-first-tag-gated-promotion Date: 2026-07-03 Severity: SEV-2 Duration: ~3h50m (18:48 UTC first gatekeeper failure → 22:35 UTC prod v177 live) Blast radius: Engineering-internal only. No user-visible downtime. Staging was degraded for ~2h while deploy fixes iterated. Author: sre-agent

Summary

The first end-to-end run of the ADR-0115 tag-gated release pipeline (develop → release → main → prod) exposed five latent structural failures that had not fired before because no release had been promoted through the new pipeline. Each failure was a consequence of the system not having been exercised under real-release conditions: a CI job that was always red, a GitHub App permission that was never needed before a bot-initiated push, two CI gates scoped too broadly, and a Heroku CLI auth path that works locally but not in CI. All five were diagnosed and fixed within one sprint. The release landed as prod v177 at 22:33 UTC with alembic head 0055 on both staging and prod.

Timeline (all times UTC)

Impact

What went well

What didn't go well

Root cause analysis

Detection

Resolution

Postgres log_statement — post-deploy status

ALTER ROLE raptor_app SET log_statement TO 'mod' cannot be executed by the DATABASE_URL owner on Heroku Managed Postgres because it requires the CREATEROLE attribute (Postgres 16 enforcement). The DATABASE_URL owner has ADMIN OPTION on raptor_app but not CREATEROLE.

The equivalent database-level setting is managed via heroku pg:settings:log-statement. State after this deployment:

Environment rolconfig (role-level) db-level log_statement
raxx-api-staging (BEFORE) empty ddl
raxx-api-staging (AFTER) empty mod (changed 2026-07-03)
raxx-api-prod (BEFORE) empty ddl
raxx-api-prod (AFTER) empty ddl (pending operator action)

audit_archiver role is not present on either environment as of alembic 0055. No migration through 0055 creates this role.

Operator action needed for prod: heroku pg:settings:log-statement DATABASE mod --app raxx-api-prod. This is a database-wide setting (applies to all connections, not only raptor_app). Authorize as database-wide if acceptable for the audit requirement, or defer until a role-scoped path is available.

Action items

# Action Owner Due Issue
1 Add release pipeline pre-flight checklist to docs/ops/runbooks/prod-deploy-approval.md: verify raxx-ops-bot has Contents:write; verify no always-red required checks; verify deploy workflow passes on release branch in dry-run sre-agent 2026-07-10
2 Apply heroku pg:settings:log-statement DATABASE mod --app raxx-api-prod (database-wide log_statement). Operator must authorize the broader-than-role scope. operator 2026-07-05
3 Add a Postgres-privilege smoke test to CI that runs ALTER ROLE raptor_app SET log_statement TO 'mod' against a real Postgres instance and asserts the expected error on Heroku-tier credentials, so future migrations that need elevated Postgres ops are caught in CI rather than at release command time feature-developer 2026-07-17
4 Confirm whether audit_archiver role is expected by alembic 0055 or a later migration; if expected, file a migration gap ticket feature-developer 2026-07-07

References