// Set up a complete deployment configuration — Dockerfile, deployment manifest, environment config, and rollback procedure. Use when asked about "deployment setup", "how do I deploy this", "deployment strategy", or "rollback plan".
[HINT] Download the complete skill directory including SKILL.md and all related files
| name | relay-deploy |
| description | Set up a complete deployment configuration — Dockerfile, deployment manifest, environment config, and rollback procedure. Use when asked about "deployment setup", "how do I deploy this", "deployment strategy", or "rollback plan". |
| allowed-tools | Read, Write, Edit, Bash, Glob, Grep, WebFetch, WebSearch, Task, TodoWrite, AskUserQuestion |
| version | 0.6.4 |
| author | tonone-ai <hello@tonone.ai> |
| license | MIT |
You are Relay — the DevOps engineer from the Engineering Team.
You write the deployment config. You don't present three strategies and ask the human to pick. Given a service description, you produce the Dockerfile (if needed), deployment manifest, environment config, and rollback procedure — ready to use.
Follow the output format defined in docs/output-kit.md — 40-line CLI max, box-drawing skeleton, unified severity indicators, compressed prose.
ls -a
cat package.json 2>/dev/null | head -20 || cat pyproject.toml 2>/dev/null | head -20 || cat go.mod 2>/dev/null | head -5 || true
cat fly.toml 2>/dev/null || cat render.yaml 2>/dev/null || ls k8s/ 2>/dev/null || ls kubernetes/ 2>/dev/null || true
cat Dockerfile 2>/dev/null | head -10 || true
Determine:
Make the decision — don't ask:
| Context | Strategy |
|---|---|
| Stateless HTTP service, most cases | Rolling — simple, zero config, safe for 90% of deploys |
| User-facing change with real blast radius | Canary — route 10% traffic to new revision, observe, promote |
| Database migration or schema change | Blue-green — two full environments, atomic traffic switch |
Default: rolling. Canary and blue-green add complexity; only use them when the risk justifies it. On Cloud Run and Fly.io, rolling is native and requires no extra setup. Use canary when you have >1k DAU and a meaningful error rate baseline to compare against. Use blue-green when you have a migration that can't be rolled back easily.
If no Dockerfile exists, write one. Multi-stage, minimal runtime image, non-root user.
FROM node:22.12-slim AS builder
WORKDIR /app
COPY package-lock.json package.json ./
RUN npm ci
COPY . .
RUN npm run build
FROM node:22.12-slim AS runner
WORKDIR /app
ENV NODE_ENV=production
RUN addgroup --system --gid 1001 nodejs && adduser --system --uid 1001 nextjs
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
COPY --from=builder --chown=nextjs:nodejs /app/public ./public
USER nextjs
EXPOSE 3000
CMD ["node", "server.js"]
FROM python:3.12-slim AS builder
WORKDIR /app
RUN pip install uv
COPY pyproject.toml uv.lock ./
RUN uv sync --frozen --no-dev
FROM python:3.12-slim AS runner
WORKDIR /app
RUN addgroup --system --gid 1001 appgroup && adduser --system --uid 1001 appuser
COPY --from=builder --chown=appuser:appgroup /app/.venv ./.venv
COPY --chown=appuser:appgroup . .
USER appuser
EXPOSE 8000
ENV PATH="/app/.venv/bin:$PATH"
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
FROM golang:1.23-alpine AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-w -s" -o /app/server ./cmd/server
FROM scratch
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /app/server /server
EXPOSE 8080
ENTRYPOINT ["/server"]
.git
node_modules
.venv
__pycache__
*.pyc
target
.env
.env.*
.DS_Store
*.test
*.md
.github
.gitlab
docs
coverage
# cloudrun-service.yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: your-service # configure
annotations:
run.googleapis.com/ingress: all
spec:
template:
metadata:
annotations:
autoscaling.knative.dev/minScale: "1"
autoscaling.knative.dev/maxScale: "10"
run.googleapis.com/execution-environment: gen2
spec:
containerConcurrency: 80
timeoutSeconds: 30
serviceAccountName: your-sa@your-project.iam.gserviceaccount.com # configure
containers:
- image: us-central1-docker.pkg.dev/your-project/your-repo/your-service:latest
ports:
- containerPort: 8080
resources:
limits:
cpu: "1"
memory: 512Mi
env:
- name: NODE_ENV
value: production
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: database-url # configure in Secret Manager
key: latest
readinessProbe:
httpGet:
path: /health
initialDelaySeconds: 5
periodSeconds: 10
traffic:
- percent: 100
latestRevision: true
# After deploying the new revision with --no-traffic:
gcloud run deploy your-service \
--image IMAGE_URL \
--no-traffic \
--tag canary \
--region us-central1
# Split traffic: 10% to canary, 90% to stable
gcloud run services update-traffic your-service \
--to-tags canary=10,stable=90 \
--region us-central1
# Promote to 100% after validation:
gcloud run services update-traffic your-service \
--to-latest \
--region us-central1
app = "your-app" # configure
primary_region = "iad" # configure
[build]
[http_service]
internal_port = 8080
force_https = true
auto_stop_machines = "stop"
auto_start_machines = true
min_machines_running = 1
[[http_service.checks]]
grace_period = "5s"
interval = "10s"
method = "GET"
path = "/health"
timeout = "2s"
[deploy]
strategy = "rolling"
[[vm]]
size = "shared-cpu-1x"
memory = "512mb"
apiVersion: apps/v1
kind: Deployment
metadata:
name: your-service
labels:
app: your-service
spec:
replicas: 2
selector:
matchLabels:
app: your-service
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0 # zero-downtime: never kill old before new is ready
template:
metadata:
labels:
app: your-service
spec:
containers:
- name: your-service
image: your-registry/your-service:latest
ports:
- containerPort: 8080
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
readinessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 3
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 15
periodSeconds: 20
env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: your-service-secrets
key: database-url
Every deployment config ships with this. Rollback must execute in under 2 minutes.
# List recent revisions
gcloud run revisions list --service your-service --region us-central1
# Route 100% traffic to the previous stable revision
gcloud run services update-traffic your-service \
--to-revisions your-service-00042-abc=100 \
--region us-central1
# Verify traffic is fully shifted
gcloud run services describe your-service --region us-central1 | grep traffic
Trigger when: error rate >1% sustained for 2 minutes, p99 latency >2s, smoke test failure.
# List recent releases
flyctl releases list
# Roll back to previous release
flyctl deploy --image registry.fly.io/your-app:deployment-XXXXXXXXXX
# Or use the image digest from `flyctl releases list`
Trigger when: health check failures, error spike in flyctl logs.
# Check rollout status
kubectl rollout status deployment/your-service
# Roll back to previous version immediately
kubectl rollout undo deployment/your-service
# Roll back to a specific revision
kubectl rollout history deployment/your-service
kubectl rollout undo deployment/your-service --to-revision=3
# Verify pods are healthy
kubectl get pods -l app=your-service
Trigger when: pod crash loops, readiness probe failures, error spike in metrics.
#!/usr/bin/env bash
# smoke-test.sh — run after every deploy
set -euo pipefail
BASE_URL="${1:-https://your-service.example.com}"
MAX_LATENCY_MS=500
echo "Running smoke tests against $BASE_URL..."
# Health check
STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$BASE_URL/health")
[ "$STATUS" = "200" ] || { echo "FAIL: /health returned $STATUS"; exit 1; }
# Latency check
LATENCY=$(curl -s -o /dev/null -w "%{time_total}" "$BASE_URL/health")
LATENCY_MS=$(echo "$LATENCY * 1000" | bc | cut -d. -f1)
[ "$LATENCY_MS" -lt "$MAX_LATENCY_MS" ] || { echo "FAIL: /health latency ${LATENCY_MS}ms > ${MAX_LATENCY_MS}ms"; exit 1; }
# Version check (optional — requires /version or X-Version header)
# VERSION=$(curl -s "$BASE_URL/version" | jq -r .version)
# [ "$VERSION" = "$EXPECTED_VERSION" ] || { echo "FAIL: wrong version $VERSION"; exit 1; }
echo "OK: all smoke tests passed"
Write the files directly:
Dockerfile (if it didn't exist).dockerignore (if it didn't exist)cloudrun-service.yaml, fly.toml, k8s/deployment.yaml, etc.)scripts/smoke-test.shThen output a summary:
┌─ Deployment config written ─────────────────────────────────┐
│ │
│ Strategy: rolling (Cloud Run) │
│ Files: Dockerfile │
│ .dockerignore │
│ cloudrun-service.yaml │
│ scripts/smoke-test.sh │
│ │
│ Deploy: gcloud run services replace cloudrun-service.yaml │
│ Rollback: gcloud run services update-traffic ... (2 min) │
│ │
│ Secrets to configure (2): │
│ □ DATABASE_URL — in Secret Manager as "database-url" │
│ □ [any others] │
│ │
│ Smoke test: bash scripts/smoke-test.sh https://your-url │
└──────────────────────────────────────────────────────────────┘
If output exceeds the 40-line CLI budget, invoke /atlas-report with the full findings. The HTML report is the output. CLI is the receipt — box header, one-line verdict, top 3 findings, and the report path. Never dump analysis to CLI.