37-6 · Chapter 37 · 5 min read

Stop Treating Governance as a Separate Ticket System

You've just finished a feature. The code is built, tests are green, and the staging deployment looks healthy. Now what? In many teams, the next step is to

Stop Treating Governance as a Separate Ticket System

You've just finished a feature. The code is built, tests are green, and the staging deployment looks healthy. Now what? In many teams, the next step is to open a ticket, send an email to a change advisory board, and wait. Maybe hours, maybe days. The pipeline sits idle while people chase approvals through a completely separate system.

This separation between technical work and governance creates friction. Developers context-switch out of their tools. Approvers review changes without seeing the test results or the deployment history. Audit trails get scattered across email threads, ticket comments, and chat messages. Everyone feels the process is slow, but no one wants to remove the checks entirely.

The solution is not to eliminate governance. It is to embed governance directly into the pipeline where the work already happens.

The Manual Approval Step: Simple and Auditable

The most straightforward integration is a manual approval gate in your pipeline. After automated builds and tests pass in staging, the pipeline pauses. It waits for a human to review the evidence and click approve before proceeding to production.

The following diagram contrasts the old approach with the new one:

flowchart TD subgraph Old[Old: Separate Ticket System] A[Code ready] --> B[Open ticket in external system] B --> C[Wait for CAB review] C --> D[Manual deploy] end subgraph New[New: Approval Gate in Pipeline] E[Code ready] --> F[Automated tests pass] F --> G[Pipeline pauses for approval] G --> H[Reviewer sees test results & diff] H --> I[Approve / Reject] I --> J[Deploy to production] end Old -.->|More friction| New

This pattern works well for normal changes that need human judgment but do not require a full CAB meeting. The reviewer can see the test results, the diff, and the deployment status all in one place. They do not need to open a separate ticket or search for context in chat logs.

Here is a minimal GitHub Actions example that pauses the pipeline for a manual approval before deploying to production:

name: Deploy to Production

on:
  push:
    branches:
      - main

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://example.com
    steps:
      - uses: actions/checkout@v4
      - name: Run tests
        run: make test
      - name: Deploy
        run: make deploy

When this workflow runs, GitHub Actions creates a deployment to the production environment. If that environment requires a reviewer, the pipeline pauses and waits for approval before executing the Deploy step. The reviewer sees the commit, the test results, and the diff in the GitHub interface.

The critical detail is that the approval step must log who approved, when, and what was approved. This becomes the audit trail. Tools like GitLab CI/CD, Jenkins, and GitHub Actions all support this natively. You configure which roles can approve production deployments -- typically senior engineers or tech leads -- and the pipeline enforces it.

But manual approval is not the right answer for every change. If every pull request requires a human to click a button, you slow down low-risk updates that should flow through automatically.

Policy-as-Code: Let the Pipeline Decide

For standard changes with predictable risk, manual approval becomes a bottleneck. This is where policy-as-code comes in. Instead of writing governance rules in a document that people have to remember, you write them as code that the pipeline evaluates automatically.

A policy-as-code rule might say: "Changes that only touch frontend configuration files can deploy to production without human review, as long as all tests pass." Or: "Any change that adds a column to a database table must receive approval from a DBA before proceeding."

You store these rules in a file inside your repository, just like application code. The pipeline reads the rules, evaluates the current change against them, and decides whether to pause for review or continue automatically. If a rule is violated, the pipeline fails with a clear message: "This change adds a column to the users table, but no DBA approval was found."

The team does not have to guess whether their change is safe. The pipeline tells them, and it enforces the rule consistently every time.

Combining Both Approaches

Manual approval steps and policy-as-code are not mutually exclusive. They work best together. Policy-as-code handles the routine decisions automatically. Manual approval gates catch the changes that need human judgment.

For example, your pipeline might have these rules:

Changes to documentation or static assets: deploy automatically after tests pass.
Changes to application code with full test coverage and no database migrations: deploy automatically after staging validation.
Changes that modify database schemas: pause and require DBA approval.
Changes to authentication or payment logic: pause and require security team approval.
Changes during a freeze period (end of quarter, holiday season): pause and require engineering manager approval.

The pipeline evaluates the change, applies the matching rules, and either continues or pauses. The team never has to remember which changes need what approval. The pipeline knows.

Why This Makes Auditing Easier

When governance lives inside the pipeline, auditing becomes straightforward. An auditor does not need to collect screenshots from email threads or search through ticket comments. They look at the pipeline history for a specific change. The record shows:

Who made the change
What was changed
Which tests ran and whether they passed
Which policies were evaluated
Who approved the change and when
When the change reached production

Everything is in one place. Every decision is timestamped and attributed. There is no gap between what the team claims happened and what the pipeline recorded.

A Practical Checklist for Integrating Governance into Your Pipeline

Before you start adding approval gates and policy rules, run through this checklist with your team:

List the types of changes your team makes (config, schema, application code, infrastructure, etc.)
For each type, decide the risk level: low, medium, or high
For low-risk changes, write policy-as-code rules that allow automatic deployment
For medium-risk changes, add a manual approval step with clear criteria for approval
For high-risk changes, require multiple approvals or a documented exception process
Configure who can approve each level of change in your pipeline tool
Test the pipeline with a real change to confirm the gates work as expected
Review the audit trail after the first few deployments to verify completeness

Governance Is Not an Add-On

When governance is integrated into the pipeline, it stops feeling like an extra process that slows everyone down. It becomes part of the normal flow, like running tests or building artifacts. The team moves fast for low-risk changes and gets the right level of review for high-risk ones. The audit trail is automatic and complete.

The next time someone asks for approval, do not open a ticket. Make the pipeline ask for it instead.