Pipeline

Put the gate after build and before promotion.

Start in shadow mode, validate evidence quality, then move to advisory or enforce when the team trusts the signal.

Recommended position

Run Release Passport after build, test, image push, and manifest render, but before production promotion. The pipeline should already know source SHA, artifact digest, release ID, target environment, and service name. Release Passport adds environment evidence and policy context before the promotion step proceeds.
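An added example, not part of the Release Passport documentation or CLI: a POSIX shell pre-flight that checks the identifiers listed above before the gate step runs, so evidence is bound to an immutable commit and a digest-pinned artifact rather than a branch name or mutable tag. The function names, and the assumption that `IMAGE_DIGEST` holds a `sha256` OCI digest (optionally prefixed with `repo@`), belong to this example only.

```shell
#!/bin/sh
# Added example: validate gate inputs before promotion (hypothetical helper names).
# Assumption: the artifact is pinned as "sha256:<64 hex>" or "<repo>@sha256:<64 hex>".

# is_pinned_digest REF -> 0 when REF is an immutable sha256 digest reference
is_pinned_digest() {
  digest=${1##*@}                      # drop an optional "registry/repo@" prefix
  case "$digest" in
    sha256:*) hex=${digest#sha256:} ;;
    *) return 1 ;;                     # a tag such as "app:latest" is mutable
  esac
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# is_full_sha SHA -> 0 for a full commit id (40 hex for SHA-1, 64 for SHA-256 repos)
is_full_sha() {
  case "${#1}" in 40|64) ;; *) return 1 ;; esac
  case "$1" in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# preflight SOURCE_SHA ARTIFACT RELEASE_ID ENVIRONMENT SERVICE
# Reports each problem on stderr and returns the number of problems (0 = ok).
preflight() {
  problems=0
  for pair in "release-id=$3" "environment=$4" "service=$5"; do
    [ -n "${pair#*=}" ] || {
      echo "preflight: ${pair%%=*} is empty" >&2; problems=$((problems + 1)); }
  done
  is_full_sha "$1" || {
    echo "preflight: source SHA '$1' is not a full commit id" >&2
    problems=$((problems + 1)); }
  is_pinned_digest "$2" || {
    echo "preflight: artifact '$2' is not pinned by sha256 digest" >&2
    problems=$((problems + 1)); }
  return "$problems"
}

# Constructed sample values (all-zero hashes), not real release data.
SAMPLE_SHA=$(printf '%040d' 0)
SAMPLE_DIGEST="registry.example.com/checkout-api@sha256:$(printf '%064d' 0)"
preflight "$SAMPLE_SHA" "$SAMPLE_DIGEST" "1234" "production" "checkout-api" \
  && echo "preflight ok: inputs are immutable and complete"
```

In a pipeline, call `preflight` with the CI system's own variables in the step before the gate and fail the job on a non-zero return.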

Pipeline examples

.github/workflows/release.yaml
- name: Release Passport gate
  env:
    RELEASEPASSPORT_TOKEN: ${{ secrets.RELEASEPASSPORT_TOKEN }}
  run: |
    releasepassport gate \
      --api-url https://release-passport.example.com/releasepassport/v1 \
      --token "$RELEASEPASSPORT_TOKEN" \
      --mode shadow \
      --service checkout-api \
      --environment production \
      --namespace apps-checkout \
      --source-sha "$GITHUB_SHA" \
      --artifact "$IMAGE_DIGEST" \
      --release-id "$GITHUB_RUN_ID" \
      --fail-on block

.gitlab-ci.yml
releasepassport_gate:
  stage: pre_deploy
  image: alpine:3.20
  before_script:
    - command -v releasepassport >/dev/null 2>&1 || (echo "Install the Release Passport CLI through the portal token-first installer before CI gate execution." >&2; exit 1)
  script:
    - releasepassport gate
      --api-url "$RELEASEPASSPORT_API_URL"
      --token "$RELEASEPASSPORT_TOKEN"
      --mode shadow
      --service checkout-api
      --environment production
      --namespace apps-checkout
      --source-sha "$CI_COMMIT_SHA"
      --artifact "$IMAGE_DIGEST"
      --release-id "$CI_PIPELINE_ID"
      --fail-on block

Jenkinsfile
stage('Release Passport gate') {
  environment {
    RELEASEPASSPORT_TOKEN = credentials('releasepassport-token')
    RELEASEPASSPORT_API_URL = 'https://release-passport.example.com/releasepassport/v1'
  }
  steps {
    sh '''
      releasepassport gate \
        --api-url "$RELEASEPASSPORT_API_URL" \
        --token "$RELEASEPASSPORT_TOKEN" \
        --mode shadow \
        --service checkout-api \
        --environment production \
        --namespace apps-checkout \
        --source-sha "$GIT_COMMIT" \
        --artifact "$IMAGE_DIGEST" \
        --release-id "$BUILD_TAG" \
        --fail-on block
    '''
  }
}

Rollout mode guidance

| Phase | CLI mode | Suggested --fail-on | Goal |
| --- | --- | --- | --- |
| Initial install | shadow | block | Record evidence and identify blockers without interrupting the normal deploy flow, except for hard blocks if configured. |
| Evidence tuning | shadow | block | Fix service names, namespaces, connector freshness, policies, and noisy thresholds. |
| Operator adoption | advisory | block | Warn teams and build the habit of reading passports before promotions. |
| Production enforcement | enforce | hold or block | Stop unsafe promotions based on trusted evidence and policy. |