Deeper dive
Dry-run deployments on Fridays caught policy drift before Monday audits—cheap insurance compared to emergency freezes.
Required checks, artifact signing, and environment gates — pipelines auditors could trace without shadow IT scripts.
Teams shipped through ad-hoc Jenkins jobs; auditors could not tie commits to binaries running in prod.
GitHub Actions workflows with OIDC to cloud, reproducible builds, SBOM attachments, and protected environments matching change advisory windows.
Reusable workflows per language; centralized composite actions for scanning; deployment runners isolated per tier.
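As an added illustration (not the case study's own pipeline) of how the pieces above fit into one GitHub Actions release workflow: OIDC in place of stored cloud keys, an image signed keylessly with its SBOM attached as an attestation, and a production job that only runs on an isolated runner pool behind a protected environment. The repository image path, IAM role ARN, runner label and `deploy.sh` are placeholders; reproducible-build settings are assumed to live in the Dockerfile and are not shown.

```yaml
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
  id-token: write   # job can mint a short-lived OIDC token; no long-lived cloud keys
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      digest: ${{ steps.push.outputs.digest }}
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: push
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}   # tag = commit
      # SBOM is generated from the pushed image digest, not from the source tree
      - uses: anchore/sbom-action@v0
        with:
          image: ghcr.io/${{ github.repository }}@${{ steps.push.outputs.digest }}
          format: spdx-json
          output-file: sbom.spdx.json
      - uses: sigstore/cosign-installer@v3
      # Keyless signing binds the digest to this repo/workflow identity via OIDC
      - run: |
          IMG=ghcr.io/${{ github.repository }}@${{ steps.push.outputs.digest }}
          cosign sign --yes "$IMG"
          cosign attest --yes --type spdxjson --predicate sbom.spdx.json "$IMG"

  deploy-prod:
    needs: build
    runs-on: [self-hosted, prod-tier]   # placeholder label for the prod runner pool
    environment: production             # required reviewers and deploy window set in repo settings
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-deploy-prod   # placeholder
          aws-region: us-east-1
      # deploy.sh is a placeholder; it receives the exact digest that was signed above
      - run: ./deploy.sh "ghcr.io/${{ github.repository }}@${{ needs.build.outputs.digest }}"
```

The commit SHA, image digest, signature and SBOM attestation form the chain an auditor can follow from commit to what runs in prod.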
Mapped evidence artifacts each control required—not one-size boilerplate.
First app path hardened end-to-end before rolling templates.
Org-wide starter workflows with escape hatches documented.
Dashboards linking commit → build → deploy → ticket IDs.
Release anxiety dropped: engineers kept velocity while compliance stopped chasing screenshots every quarter.