I am Lino
May 19, 2026

A Combat Manual for Shipping Changes Without Breaking Everything

Posted on May 19, 2026  •  12 minutes  • 2449 words
Table of contents

Never deploy on Fridays.

In many companies, that rule isn’t written anywhere — but it surfaces in the back of anyone’s head who has ever watched a deployment go sideways.

And around that fear, layers have piled up: extra environments, meetings, approvals… all to avoid making the front page of “Production Down Again” on Monday at 9:01 AM.

The problem is that the business doesn’t care about superstitions. It wants changes. New features, new flows, new integrations, bug fixes, performance improvements. It wants the application to move.

And you’re stuck in the middle, trying to juggle: changing things without breaking everything.

This article aims to be the manual that was missing for not breaking everything.

It’s not abstract theory — it’s a walkthrough of tools and patterns that exist precisely so you can touch production without burning incense or making sacrifices to your favorite deity: feature flags, canary releases , blue/green, the strangler pattern , safe refactors, and those CI/CD approval circuits that, when used right, save careers.

From “big bang” to “one piece at a time, please”

Not that long ago, the default strategy for making changes was the big bang: rewrite the whole system or component, hard-cut on a specific date, and cross your fingers.

The pattern was always the same: months of parallel work, war-room energy in the week of the deployment, a total code freeze, and a “D-day” that, if it went south, left half the team running around like headless chickens trying to execute an emergency rollback.

Martin Fowler put it calmly: a “rewrite everything from scratch” has a dangerously high probability of failure. His alternative was the now-famous Strangler Fig Pattern .

The metaphor is beautiful and brutal at the same time: just like a strangler fig grows around a tree until it replaces it, the idea is to build the new system around the old one, piece by piece, gradually rerouting traffic until the old system can “die” in peace.

Today, there are modern modernization guides that apply this same principle to code: create a routing layer or facade, hang the new behavior there, redirect only a fraction of traffic, observe, adjust… and repeat.

No all-or-nothing: micro-cuts, alternate paths, the ability to roll back without burning everything down.

That’s the spirit of this manual: small, reversible, and observable changes — not one-time heroics.

Feature flags: the panic button (and the control lever)

Feature flags have changed the way we deploy more than almost any other tool.

Before, “shipping a feature” meant deploying new code. Now, in many teams, code gets deployed before it’s active, and it gets turned on or off with a flag.

The whole point of a flag is that it separates two moments: pushing code to production and exposing behavior to users. You can have the new logic deployed, tested with internal traffic, maybe enabled for just a tiny percentage of users… without needing a new release every time you tweak something.

Good articles on flags insist that the key isn’t just using them — it’s using them in the right place.

A classic example: when you’re replacing a large component, instead of littering the codebase with if (flag) branches all over the implementation, you put the flag right at the entry point and decide there whether to call the new code or the old. That way, when the migration is done, you can delete the flag and all the old code in one clean sweep, instead of living with zombie conditionals for years.

The dark side (of the Force) is easy to picture: if you don’t manage the lifecycle of your flags carefully, your codebase turns into an archaeological dig. Poorly maintained feature flags can make code harder to maintain, not easier. But used with discipline — flags with expiration dates, regular cleanup, clear naming — they’re one of the best safety nets you have for shipping changes without getting burned.

Canary and blue/green: testing with real users — just not all of them

If feature flags control what runs, canary and blue/green deployments control where and for whom. They’re close cousins with different personalities, but share one core idea: never again should it be “100% of users or nobody.”

A canary release is the literal application of sending the canary into the coal mine first. You deploy the new version to a small slice of instances or traffic (1%, 5%) and watch what happens: errors, latencies, business metrics. If it holds up, you expand; if it breaks, you roll back without having blown up the world.

Tools like Flagger or Argo Rollouts automate this whole dance: they deploy, shift a trickle of traffic, monitor metrics (error rate, response time, etc.), pause or revert if the numbers go sideways, and only promote the new version if it has survived that small controlled inferno. It’s like having a paranoid robot staring at the dashboard for you.

The blue/green approach is another variation: you keep two identical environments, one serving traffic (blue), one in the shadows (green). You deploy the new version to green, run your tests there, and when you’re confident, you flip the pointer (DNS, load balancer) so everyone goes to green. If something breaks, you switch back to blue, which is still intact.

Both strategies share an idea that FinOps and SRE folks repeat often: risk goes down when you reduce the blast radius.

There’s a big difference between catching a bug in a canary at 5% versus catching it after your entire user base is already screaming on the internet.

The strangler pattern and safe refactors: killing legacy without botching the rewrite

In any story about migration done right, one pattern comes up again and again: the strangler fig. AWS , Azure , architecture blogs… everyone has their version of the Strangler Fig Pattern, and for good reason — the “rewrite and pray” approach has burned too many people .

The approach is deliberately boring: you put a routing layer in front of the legacy system — an API gateway, a reverse proxy, a piece of middleware — and from there you decide which routes keep going to the old code and which ones start going to the new.

You refactor or reimplement one piece: the orders module, billing, report generation. You hang it on the new system, redirect only those requests, compare results with shadow traffic, measure… and only when you’re confident, you stop calling the old one.

In practice: every step is small, reversible, and local. If something fails, you send requests back to the old monolith and regroup. There’s no “day of reckoning” — just a sequence of small, contained bets. And if one day you need to stop the modernization because business priorities have shifted, you can do it without being left halfway through an unusable mess.

The same principle applies to internal refactors without an architecture change. People who talk about zero-downtime refactoring tend to recommend similar patterns: introduce new data models in parallel first, temporarily support two read/write paths, use dual writes to validate behavior, and only when the numbers line up, shut down the old path.

It’s more work than “change a couple of things and hope for the best,” but also a lot less exciting in production.

Boring and predictable: exactly what you want.

CI/CD with brains: gates, approvals, and not shipping garbage

Everyone wants to ship fast. Nobody wants to ship garbage.

Between those two poles lives the permanent tension of CI/CD approval circuits : if they’re too loose, people start talking about “shipping crap”; if they’re too rigid, PRs pile up and the team loses all appetite for change.

Modern CI/CD guides push for a distinction between two layers: automated gates and human approvals.

Automated gates are everything a machine can verify without opinions: tests, linters, static analysis, security scanners, policy-as-code checks (no secrets in the repo, infrastructure resources meeting certain rules, etc.).

If any of those checks fails, the change shouldn’t even enter the conversation: it doesn’t deploy, full stop. It’s the objective hard block — no debates. It’s what pipeline best-practices articles call always-on gates: nobody has to remember, the system simply won’t move forward if the minimum quality bar isn’t met.

On top of that foundation, it does make sense to add human approvals where they actually add value: solution design, business impact, review of critical changes. That’s where code owners come in, senior review for sensitive modules, or a manual sign-off before deploying to production in regulated environments.

The important thing is that these approvals don’t turn into an endless signing ceremony. Keeping the approval chain short, limiting who needs to say yes, automating notifications, and having fast-track paths for hotfixes is what keeps the process from killing your velocity.

Done right, these circuits aren’t bureaucracy: they’re a way to make sure what breaks in production is never something a machine could have caught earlier.

Shadow IT, experiments, and how not to blow up the old while testing the new

Finally, there’s the gray area of what we sometimes call shadow IT: new things that creep in through the back door.

That script someone spins up in their personal cloud account “just for a quick test,” that SaaS tool that starts collecting real data because it solved an immediate problem, that parallel microservice a team launches to work around bottlenecks in the official system.

A good chunk of innovation is born right there, in those small experiments.

The nightmare starts when those experiments collide uncontrolled with the existing system: duplicate sources of truth, fragile integrations, flows that nobody knows anymore whether they go through the official path or the shortcut someone cobbled together on a Friday .

Patterns like the strangler, canaries, and feature flags offer a less reckless path: you can build new things in parallel, using shadow traffic to compare them against existing behavior, without cutting the cord on the original system. You can route just a subset of users — internal teams, beta testers, very patient customers — to the new path, while everyone else keeps using what they know.

The difference between dangerous shadow IT and healthy experimentation usually comes down to three things: visibility, reversibility, and clear boundaries. If everyone knows a given flow is experimental, if there’s a switch to go back to the old path, and if someone has thought at least a little about how it coexists with the rest of the system — you’re experimenting with a safety net.

If, on the other hand, you one day discover that your billing depends on a Lambda function written by someone who left two years ago, in an AWS account with no tags and no monitoring — you weren’t shipping changes without breaking things. You were playing Russian roulette with your cluster.

At its core, this manual isn’t about isolated patterns — it’s about a mindset: changes aren’t events; they’re a continuous stream, and the only way to survive without living in “never deploy on Fridays” mode is to design with that stream in mind.

Feature flags to control what gets turned on, canaries and blue/green to control who sees it first, the strangler pattern to migrate without incidents , refactoring with a safety net, and pipelines that stop what isn’t ready — without needing last-minute heroes.

With all that, shipping changes without breaking everything stops being a matter of luck and starts looking more like what it always should have been: a craft.

Less heroic, fewer war stories to tell… and, oddly enough, a lot more compatible with actually sleeping at night.

Quick glossary

The vocabulary around these patterns gets confusing fast. Here’s the rundown.

Sources and references

Others paid for this knowledge in blood, sweat, and production incidents. Use it before it’s your turn.

Follow me

I write and share opinions about technology, software development and whatever crosses my mind.