Deployment Bot Safety

Slack-bot deploys are convenient. Safeguards.

What deployment bots do

Slack-driven deploys (Hubot-style), GitHub Actions on chat ops triggers, or self-service portals.

Convenient: anyone can deploy without learning the CLI.

Risky: unbounded automation in a chat channel is a foothold.

Required controls

Authentication: bot calls require SSO; not Slack identity alone (Slack accounts get phished).

Authorization: per-service deploy permissions. Engineer A cannot deploy service B without approval.

Audit: every bot action logged with actor, timestamp, command, output.

Guardrails

Rate limit: max 10 deploys per hour per service. Prevents runaway loops.

Hours: high-risk deploys (payments, auth) blocked outside business hours unless explicit override.

Approval: tier-1 services require a second engineer to approve before the bot runs.

Bot in incidents

Disable bot deploys during active sev1 incidents. Forces a human-driven path.

Bot logs are part of incident timelines. Audit log goes into the postmortem doc.

Build a kill switch. A single command disables all bot deploys; useful when the bot itself is compromised.

How to deploy safely

Add SSO + RBAC before allowing chat-driven deploys.

Start with low-risk services. Expand to high-risk only with the guardrails in place.

Quarterly audit of bot logs. Look for unusual patterns: night-time deploys, deploys by unfamiliar accounts.