Guide

May 15, 2026 · 6 min read

Stop Breaking Production

4 CI checks your pipeline is probably missing — and how to add them in 5 minutes.

Your CI pipeline runs tests. It lints your code. Maybe it builds a Docker image. But between "all tests pass" and "production is broken," there's a gap most teams don't realize exists.

Standard CI/CD pipelines catch implementation bugs — they don't catch contract bugs, data bugs, infrastructure bugs, or configuration bugs. These four categories cause some of the most expensive production incidents.

The Revenue Holdings CLI tools plug these exact gaps. Here's a practical CI pipeline you can add to any repo in minutes.


Check 1: API Contract Violations → API Contract Guardian

api-contract-guardian check openapi.yaml --prev main

Detects breaking changes between your current spec and the main branch baseline.

The problem: Your frontend team depends on GET /users/:id/orders returning orderDate. Your backend team renames it to createdAt because it matches their internal convention. No test fails. Nobody catches it. The frontend ships against stale types, and Monday morning's standup is tense.

The fix: Add API Contract Guardian to your CI. It compares every OpenAPI change against the baseline spec and flags breaking changes by severity.

Pro tip: Gate your deploy pipeline on BREAKING changes. Set DANGEROUS to warn in PR comments. Run --format github-annotations for inline PR markup.

CI snippet:

# .github/workflows/contract-check.yml
- name: Check API contracts
  run: |
    npm install -g @revenueholdings/api-contract-guardian
    api-contract-guardian check openapi/spec.yaml \
      --prev origin/main \
      --format github-annotations \
      --fail-on breaking
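To make the orderDate → createdAt scenario concrete, here is an added example of the class of check the tool performs. It is not api-contract-guardian's code: it is a minimal breaking-change detector written for this article that walks the 2xx JSON response schemas of two OpenAPI documents (already parsed from YAML into dicts) and classifies removed endpoints, removed fields and retyped fields as BREAKING, additive changes as INFO. The two specs, the path and the field names are constructed to mirror the rename described above.

```python
# Added example (not the api-contract-guardian tool): a minimal breaking-change
# detector over the JSON response schemas of two OpenAPI documents parsed to dicts.
# Specs, paths and field names below are constructed to mirror the text's
# orderDate -> createdAt rename on GET /users/{id}/orders.
from typing import Any, Dict, Iterator, List, Tuple

Finding = Tuple[str, str]  # (severity, message)


def _orders_spec(properties: Dict[str, Dict[str, str]]) -> Dict[str, Any]:
    """Build a tiny OpenAPI document with one array-of-object endpoint (constructed)."""
    return {
        "openapi": "3.0.3",
        "paths": {
            "/users/{id}/orders": {
                "get": {
                    "responses": {
                        "200": {
                            "content": {
                                "application/json": {
                                    "schema": {
                                        "type": "array",
                                        "items": {"type": "object", "properties": properties},
                                    }
                                }
                            }
                        }
                    }
                }
            }
        },
    }


# Baseline (main) returns orderDate; the candidate branch renamed it to createdAt.
BASELINE_SPEC = _orders_spec({"id": {"type": "integer"}, "orderDate": {"type": "string"}})
CANDIDATE_SPEC = _orders_spec({"id": {"type": "integer"}, "createdAt": {"type": "string"}})


def _operations(spec: Dict[str, Any]) -> Iterator[Tuple[str, str, Dict[str, Any]]]:
    """Yield (path, method, operation) for every HTTP operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in {"get", "post", "put", "patch", "delete"}:
                yield path, method.lower(), op


def _success_fields(op: Dict[str, Any]) -> Dict[str, str]:
    """Map property -> type for the first 2xx application/json body, unwrapping arrays."""
    for code, resp in op.get("responses", {}).items():
        if str(code).startswith("2"):
            schema = resp.get("content", {}).get("application/json", {}).get("schema", {})
            if schema.get("type") == "array":
                schema = schema.get("items", {})
            return {name: s.get("type", "any") for name, s in schema.get("properties", {}).items()}
    return {}


def compare_specs(baseline: Dict[str, Any], candidate: Dict[str, Any]) -> List[Finding]:
    """Consumers break on removed endpoints and removed or retyped response fields."""
    findings: List[Finding] = []
    base_ops = {(p, m): op for p, m, op in _operations(baseline)}
    cand_ops = {(p, m): op for p, m, op in _operations(candidate)}
    for (path, method), base_op in base_ops.items():
        label = f"{method.upper()} {path}"
        if (path, method) not in cand_ops:
            findings.append(("BREAKING", f"{label}: endpoint removed"))
            continue
        before, after = _success_fields(base_op), _success_fields(cand_ops[(path, method)])
        for name, typ in before.items():
            if name not in after:
                findings.append(("BREAKING", f"{label}: response field '{name}' removed"))
            elif after[name] != typ:
                findings.append(("BREAKING", f"{label}: response field '{name}' type {typ} -> {after[name]}"))
        for name in sorted(after.keys() - before.keys()):
            findings.append(("INFO", f"{label}: response field '{name}' added"))
    for path, method in sorted(cand_ops.keys() - base_ops.keys()):
        findings.append(("INFO", f"{method.upper()} {path}: endpoint added"))
    return findings


def should_fail(findings: List[Finding], fail_on: str = "BREAKING") -> bool:
    """Gate a pipeline step on the configured severity, like a --fail-on flag."""
    return any(severity == fail_on for severity, _ in findings)


if __name__ == "__main__":
    results = compare_specs(BASELINE_SPEC, CANDIDATE_SPEC)
    for severity, message in results:
        print(f"{severity:9} {message}")
    raise SystemExit(1 if should_fail(results) else 0)
```

Run it and the rename shows up as one BREAKING finding (orderDate removed) plus one INFO finding (createdAt added), and the process exits non-zero, which is exactly the signal a deploy gate needs. A real checker also has to walk request bodies, parameters, `$ref`s and `required` lists; this one deliberately covers only the response-field case from the story above.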

Check 2: Database Seed Corruption → json2sql

json2sql seed_data.json --dialect postgres --output insert/seed.sql

Converts JSON datasets to type-safe SQL INSERT statements for any target database.

The problem: Seed data scripts are usually hand-written, rarely reviewed, and frequently contain type mismatches — a string in a DATE column, a null in a NOT NULL field, a JSON value that PostgreSQL rejects. Your integration tests pass because they just check row counts, not column types.

The fix: Generate seed SQL from structured JSON using json2sql. It infers types from the data and generates correct SQL for your dialect:

{
  "users": [
    {"id": 1, "name": "Alice", "role": "admin", "created_at": "2026-05-01"},
    {"id": 2, "name": "Bob",   "role": "editor", "created_at": "2026-05-10"}
  ]
}

Becomes clean, dialect-correct SQL — with proper quoting, type casting, and value escaping. No more INSERT INTO users VALUES (1, 'Alice') prayers.

CI snippet:

# .github/workflows/seed-check.yml
- name: Validate seed data
  run: |
    pip install git+https://github.com/Coding-Dev-Tools/json2sql.git
    json2sql test/seeds/*.json --dialect postgres \
      --check-types --output /dev/null
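The type-mismatch failures listed above (a string in a DATE column, a null in a NOT NULL field) are easy to catch once the seed data is checked against a declared schema before any SQL is written. The following is an added example, not json2sql's code: it validates a JSON seed document against a constructed table schema, then emits PostgreSQL INSERT statements with typed literals and doubled single quotes, and refuses to emit anything if validation fails. The schema and both seed documents are constructed for this example.

```python
# Added example (not the json2sql tool): validate a JSON seed file against a
# declared table schema and emit PostgreSQL INSERT statements with quoting and
# escaping. The schema and both seed documents are constructed for this example.
import datetime
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed schema: table -> column -> (SQL type, nullable)
SCHEMA: Dict[str, Dict[str, Tuple[str, bool]]] = {
    "users": {
        "id": ("INTEGER", False),
        "name": ("TEXT", False),
        "role": ("TEXT", False),
        "created_at": ("DATE", True),
    }
}

# Constructed seed documents: GOOD_SEED is well-typed; BAD_SEED has the two
# mistakes the text mentions (non-date in a DATE column, NULL in a NOT NULL column).
GOOD_SEED = json.loads("""{"users": [
  {"id": 1, "name": "Alice", "role": "admin", "created_at": "2026-05-01"},
  {"id": 2, "name": "Dana O'Brien", "role": "editor", "created_at": "2026-05-10"}
]}""")
BAD_SEED = json.loads("""{"users": [
  {"id": 3, "name": null, "role": "editor", "created_at": "yesterday"}
]}""")


def check_value(value: Any, sql_type: str, nullable: bool) -> Optional[str]:
    """Return a problem description if value does not fit the column, else None."""
    if value is None:
        return None if nullable else "NULL in NOT NULL column"
    if sql_type == "INTEGER":
        ok = isinstance(value, int) and not isinstance(value, bool)  # bool is an int subclass
        return None if ok else f"{value!r} is not an integer"
    if sql_type == "DATE":
        try:
            datetime.date.fromisoformat(value)
            return None
        except (TypeError, ValueError):
            return f"{value!r} is not an ISO-8601 date"
    if sql_type == "TEXT":
        return None if isinstance(value, str) else f"{value!r} is not a string"
    return f"unsupported column type {sql_type}"


def validate_seed(seed: Dict[str, List[Dict[str, Any]]], schema=SCHEMA) -> List[str]:
    """Type-check every row of every table; returns human-readable problems."""
    problems: List[str] = []
    for table, rows in seed.items():
        columns = schema.get(table)
        if columns is None:
            problems.append(f"{table}: table not in schema")
            continue
        for i, row in enumerate(rows):
            for extra in sorted(set(row) - set(columns)):
                problems.append(f"{table}[{i}].{extra}: column not in schema")
            for col, (sql_type, nullable) in columns.items():
                problem = check_value(row.get(col), sql_type, nullable)  # absent key == NULL
                if problem:
                    problems.append(f"{table}[{i}].{col}: {problem}")
    return problems


def sql_literal(value: Any, sql_type: str) -> str:
    """Render one value as a PostgreSQL literal; embedded single quotes are doubled."""
    if value is None:
        return "NULL"
    if sql_type == "INTEGER":
        return str(int(value))
    escaped = str(value).replace("'", "''")
    return f"DATE '{escaped}'" if sql_type == "DATE" else f"'{escaped}'"


def to_sql(seed: Dict[str, List[Dict[str, Any]]], schema=SCHEMA) -> List[str]:
    """Generate INSERT statements; emits nothing at all if validation fails."""
    problems = validate_seed(seed, schema)
    if problems:
        raise ValueError("seed data rejected: " + "; ".join(problems))
    statements: List[str] = []
    for table, rows in seed.items():
        columns = schema[table]  # identifiers come from the trusted schema, never from data
        col_list = ", ".join(columns)
        for row in rows:
            values = ", ".join(sql_literal(row.get(c), t) for c, (t, _) in columns.items())
            statements.append(f"INSERT INTO {table} ({col_list}) VALUES ({values});")
    return statements


if __name__ == "__main__":
    print("\n".join(to_sql(GOOD_SEED)))
    print("\n".join(validate_seed(BAD_SEED)))
```

Two design points matter for CI use: table and column names are taken only from the schema, so untrusted seed data can never become an identifier, and a single type problem anywhere fails the whole file rather than producing a partially correct script. The `O'Brien` row is there to show that escaping is handled by the generator, not by whoever last edited the seed file.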

Check 3: Infrastructure Blast Radius → DeployDiff

deploydiff diff --from main --format summary

Shows the full cost and blast radius of every infrastructure change before you apply it.

The problem: Terraform plan output is dense, hard to read in PR reviews, and doesn't answer the one question your reviewer actually has: "what's the blast radius of this change?" A line that reads ~ resource "aws_db_instance" "main" could mean a minor config change or a full database replacement with data loss.

The fix: DeployDiff wraps any IaC tool (Terraform, CloudFormation, Pulumi) and produces a human-readable diff summary with blast radius classification.

Pro tip: Run DeployDiff in a PR workflow and auto-post the summary as a comment. Your reviewers get instant blast radius context without reading a 300-line Terraform plan.

CI snippet:

# .github/workflows/infra-diff.yml
- name: Infrastructure diff
  run: |
    pip install git+https://github.com/Coding-Dev-Tools/deploydiff.git
    terraform init          # providers and backend must be initialised before plan
    terraform plan -out=tfplan
    deploydiff diff --plan tfplan \
      --format markdown \
      --summary > /tmp/diff.md
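The "minor config change or full database replacement" ambiguity above is resolved by looking at the plan's action list rather than the `~` glyph: Terraform's JSON plan output (`terraform show -json tfplan`) records each resource change as `change.actions`, where `["update"]` is an in-place change and `["delete", "create"]` is a replacement. The following added example, not DeployDiff's code, reads that structure from a constructed plan document, rates each change by blast radius (with a constructed, non-exhaustive list of stateful resource types whose replacement loses data), renders a Markdown summary suitable for a PR comment, and exposes a `--fail-on`-style gate.

```python
# Added example (not the DeployDiff tool): classify the blast radius of a
# Terraform plan from the JSON structure that `terraform show -json tfplan` emits.
# The plan document and the stateful-type list below are constructed for this example.
import json
from typing import Any, Dict, List, Tuple

PLAN_JSON = """{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "change": {"actions": ["delete", "create"]}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["update"]}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["no-op"]}},
    {"address": "aws_lambda_function.api", "type": "aws_lambda_function",
     "change": {"actions": ["create"]}}
  ]
}"""
PLAN: Dict[str, Any] = json.loads(PLAN_JSON)

# Resource types whose destruction or replacement loses data (constructed, not exhaustive).
STATEFUL_TYPES = {"aws_db_instance", "aws_rds_cluster", "aws_dynamodb_table",
                  "aws_s3_bucket", "aws_ebs_volume", "aws_efs_file_system"}

RISK_ORDER = ["NONE", "LOW", "MEDIUM", "HIGH", "DESTRUCTIVE"]

Entry = Tuple[str, str, str]  # (address, verb, risk)


def classify_change(actions: List[str], resource_type: str) -> Tuple[str, str]:
    """Map Terraform's action list to a human verb and a blast-radius rating."""
    acts = set(actions)
    if acts <= {"no-op", "read"}:
        return "no-op", "NONE"
    if "delete" in acts:
        # delete+create (or create+delete) is a replacement; delete alone is a destroy
        verb = "replace" if "create" in acts else "destroy"
        return verb, ("DESTRUCTIVE" if resource_type in STATEFUL_TYPES else "HIGH")
    if acts == {"update"}:
        return "update", "MEDIUM"
    if acts == {"create"}:
        return "create", "LOW"
    return "+".join(sorted(acts)), "HIGH"  # unknown combination: be conservative


def summarize_plan(plan: Dict[str, Any]) -> List[Entry]:
    """One entry per resource change, highest risk first."""
    entries: List[Entry] = []
    for rc in plan.get("resource_changes", []):
        verb, risk = classify_change(rc["change"]["actions"], rc.get("type", ""))
        entries.append((rc["address"], verb, risk))
    return sorted(entries, key=lambda e: RISK_ORDER.index(e[2]), reverse=True)


def highest_risk(entries: List[Entry]) -> str:
    return max((e[2] for e in entries), key=RISK_ORDER.index, default="NONE")


def should_fail(entries: List[Entry], fail_on: str = "DESTRUCTIVE") -> bool:
    """Gate the step when any change reaches the configured risk level."""
    return RISK_ORDER.index(highest_risk(entries)) >= RISK_ORDER.index(fail_on)


def render_markdown(entries: List[Entry]) -> str:
    """Short PR-comment summary; no-op resources are left out to keep it readable."""
    lines = [f"**Blast radius: {highest_risk(entries)}**", "",
             "| Resource | Action | Risk |", "|---|---|---|"]
    lines += [f"| `{addr}` | {verb} | {risk} |" for addr, verb, risk in entries if risk != "NONE"]
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize_plan(PLAN)
    print(render_markdown(summary))
    raise SystemExit(1 if should_fail(summary) else 0)
```

On the constructed plan the database replacement is the only DESTRUCTIVE entry and it sorts to the top of the table, so a reviewer sees "replace aws_db_instance.main" before anything else. The conservative default for unrecognised action combinations is deliberate: a classifier that guesses "LOW" for something it does not understand defeats the purpose of the gate.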

Check 4: Configuration Drift → ConfigDrift

configdrift check --baseline prod --target staging

Compares configurations across environments and flags drift before it breaks production.

The problem: Someone tweaks a config value on staging to test something. Two weeks later, production has different values for 30% of your config keys. The deploy that "tested fine on staging" breaks immediately in production because the environments diverged weeks ago. Config drift is responsible for an estimated 30% of compliance audit failures.

The fix: Run ConfigDrift on every deploy to compare your environments:

$ configdrift check --baseline prod --target staging
🔴 MISSING:   DB_POOL_SIZE (staging has 10, prod has 25)
🔴 MISSING:   CACHE_TTL (staging has 30, prod has 300)
🟡 DEPRECATED: OLD_FEATURE_FLAG (present in staging, removed in prod)
🟢 OK:        148/151 keys match between environments

CI snippet:

# .github/workflows/drift-check.yml
- name: Check config drift
  run: |
    pip install git+https://github.com/Coding-Dev-Tools/configdrift.git
    configdrift check \
      --baseline .env.production \
      --target .env.staging \
      --fail-on missing
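Comparing two dotenv files is simple enough to show in full, and the one detail worth getting right is that `.env` files hold secrets, so a drift report that prints values side by side leaks them into CI logs. The following added example, not ConfigDrift's code, parses two constructed dotenv files, classifies every key as MISSING, EXTRA, DIFFERENT or OK, lets you declare keys that are expected to differ per environment, and reports only key names, never values.

```python
# Added example (not the ConfigDrift tool): parse two dotenv-style files and
# report keys that are missing, extra or different, without ever echoing values.
# Both environment files below are constructed for this example.
from typing import Dict, FrozenSet, List, Tuple

PROD_ENV = """# production (constructed)
APP_ENV=production
DB_POOL_SIZE=25
CACHE_TTL=300
export DATABASE_URL="postgres://app:s3cret@db.internal/app"
LOG_LEVEL=info
"""

STAGING_ENV = """# staging (constructed)
APP_ENV=staging
DB_POOL_SIZE=10
CACHE_TTL=300
export DATABASE_URL="postgres://app:s3cret@db.staging/app"
OLD_FEATURE_FLAG=1
"""

Finding = Tuple[str, str, str]  # (status, key, detail)


def parse_env(text: str) -> Dict[str, str]:
    """Minimal dotenv parser: comments, blank lines, `export` prefix, matching quotes."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def check_drift(baseline: Dict[str, str], target: Dict[str, str],
                expected_to_differ: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Compare target against baseline; detail text never contains a value."""
    findings: List[Finding] = []
    for key in sorted(baseline.keys() | target.keys()):
        if key not in target:
            findings.append(("MISSING", key, "present in baseline, absent in target"))
        elif key not in baseline:
            findings.append(("EXTRA", key, "present in target, absent in baseline"))
        elif baseline[key] != target[key] and key not in expected_to_differ:
            findings.append(("DIFFERENT", key, "values differ (redacted)"))
        else:
            findings.append(("OK", key, ""))
    return findings


def should_fail(findings: List[Finding], fail_on: Tuple[str, ...] = ("MISSING",)) -> bool:
    """Gate the deploy on the statuses you consider blocking, like --fail-on."""
    return any(status in fail_on for status, _, _ in findings)


def report(findings: List[Finding]) -> str:
    """Human-readable summary listing only non-OK keys plus a match count."""
    lines = [f"{status:9} {key}  {detail}".rstrip()
             for status, key, detail in findings if status != "OK"]
    ok = sum(1 for status, _, _ in findings if status == "OK")
    lines.append(f"OK        {ok}/{len(findings)} keys match between environments")
    return "\n".join(lines)


if __name__ == "__main__":
    result = check_drift(parse_env(PROD_ENV), parse_env(STAGING_ENV), frozenset({"APP_ENV"}))
    print(report(result))
    raise SystemExit(1 if should_fail(result) else 0)
```

With `APP_ENV` declared as expected to differ, the constructed files produce two DIFFERENT keys (`DB_POOL_SIZE`, `DATABASE_URL`), one MISSING key (`LOG_LEVEL`, which staging never set) and one EXTRA key (`OLD_FEATURE_FLAG`), and the report contains the key names but not the connection string. Whether DIFFERENT should block a deploy is a policy call; MISSING almost always should, because a key that exists in production and nowhere else is exactly the kind of thing the "tested fine on staging" deploy never exercised.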

Putting It All Together

Here's what a complete CI pipeline looks like with all four checks:

# .github/workflows/pre-deploy.yml
on: [pull_request]

jobs:
  pre-deploy-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2  # needed for --prev HEAD~1 comparisons

      - name: Install the four CLIs
        run: |
          npm install -g @revenueholdings/api-contract-guardian
          pip install git+https://github.com/Coding-Dev-Tools/json2sql.git \
                      git+https://github.com/Coding-Dev-Tools/deploydiff.git \
                      git+https://github.com/Coding-Dev-Tools/configdrift.git

      - name: 1. Check API contracts
        run: api-contract-guardian check openapi.yaml --prev HEAD~1

      - name: 2. Validate seed data
        run: json2sql test/seeds/ --check-types --output /dev/null

      - name: 3. Infrastructure blast radius
        run: |
          terraform init
          terraform plan -out=tfplan
          deploydiff diff --plan tfplan --fail-on destruction

      - name: 4. Configuration drift
        run: configdrift check --baseline .env.prod --target .env.staging

Each check runs in under 30 seconds. Each one catches a class of bug that standard test suites miss. Together, they close the gap between "CI says green" and "production stays up."

Get Started

All four tools are available on GitHub and free to use with rate limits for local development. Pro plans start at $49/mo for the full suite with CI/CD integration, unlimited checks, and custom rules.

Ready for a step-by-step walkthrough? Read the hands-on tutorial →

