'%20fill='%23fff'%3e%3cpath%20d='M24%20364.337V24h141.909c25.481%200%2046.833%203.601%2064.056%2010.803%2017.222%207.191%2030.183%2017.279%2038.882%2030.24s13.049%2027.972%2013.049%2045.041c0%2012.961-2.72%2024.513-8.148%2034.645-5.429%2010.142-12.906%2018.534-22.431%2025.174-9.526%206.651-20.548%2011.299-33.069%2013.953v3.325c13.732.661%2026.451%204.383%2038.134%2011.134%2011.684%206.762%2021.077%2016.155%2028.168%2028.17%207.092%2012.025%2010.638%2026.231%2010.638%2042.628%200%2018.281-4.647%2034.601-13.952%2048.939-9.305%2014.35-22.762%2025.648-40.381%2033.908-17.607%208.248-38.992%2012.377-64.143%2012.377H24zm82.258-200.414h45.534c8.975%200%2016.947-1.497%2023.929-4.493s12.432-7.312%2016.374-12.961c3.931-5.65%205.902-12.466%205.902-20.439%200-11.409-4.041-20.384-12.135-26.926-8.082-6.53-18.995-9.801-32.738-9.801h-46.866v74.62zm0%20134.109h50.853c17.839%200%2030.987-3.381%2039.466-10.131%208.479-6.762%2012.708-16.178%2012.708-28.247%200-8.755-2.049-16.309-6.145-22.686-4.096-6.365-9.922-11.298-17.443-14.789-7.532-3.491-16.561-5.231-27.089-5.231h-52.339v81.095l-.011-.011zM388.865%2024v340.337h-81.256V24h81.256zm181.618%20230.159V109.082h81.091v255.255h-77.435v-47.529h-2.665c-5.649%2015.616-15.263%2028.004-28.829%2037.145-13.578%209.14-29.941%2013.71-49.102%2013.71-17.398%200-32.683-3.986-45.864-11.97-13.181-7.973-23.433-19.14-30.745-33.489s-11.023-31.165-11.133-50.437V109.082h81.256v146.739c.11%2013.854%203.766%2024.767%2010.968%2032.74s17.002%2011.96%2029.413%2011.96c8.082%200%2015.372-1.795%2021.847-5.407%206.486-3.601%2011.628-8.865%2015.45-15.781%203.821-6.927%205.737-15.318%205.737-25.174h.011zm224.376%20115.002c-26.704%200-49.718-5.286-69.044-15.869-19.337-10.583-34.181-25.703-44.532-45.371-10.362-19.668-15.537-43.069-15.537-70.215s5.208-49.445%2015.614-69.212c10.418-19.779%2025.096-35.174%2044.037-46.197s41.261-16.53%2066.962-16.53c18.17%200%2034.787%202.83%2049.851%208.48s28.08%2014.007%2039.048%2025.086%2019.501%2024.734%2025.591%2040.966%209.14%2034.81%209.14%2055.756v20.273H694.145v-47.199h146.226c-.11-8.633-2.159-16.342-6.145-23.104s-9.448-12.047-16.374-15.869-14.866-5.726-23.841-5.726-17.233%202.015-24.424%206.057c-7.202%204.052-12.906%209.537-17.112%2016.452-4.207%206.927-6.431%2014.757-6.652%2023.512v48.025c0%2010.417%202.049%2019.525%206.145%2027.332s9.911%2013.876%2017.454%2018.193c7.532%204.317%2016.506%206.486%2026.924%206.486%207.201%200%2013.731-1.002%2019.612-2.995%205.869-1.993%2010.912-4.923%2015.119-8.81%204.206-3.876%207.367-8.645%209.47-14.294l74.616%202.158c-3.105%2016.728-9.889%2031.264-20.361%2043.62s-24.182%2021.937-41.129%2028.743c-16.947%206.816-36.559%2010.219-58.825%2010.219l.011.033z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='A'%3e%3cpath%20fill='%23fff'%20transform='translate(24%2024)'%20d='M0%200h892v345.161H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
How We Ship Every Day
Three engineers. No staging environment. 946 commits to production in 30 days. How we made shipping safe enough to do constantly.
In the last 30 days, we pushed 946 commits to production across Blue’s core repositories — that’s one code change going to customers every 46 minutes, averaged across the full month. We have three engineers, 19,000+ companies running their operations on the product, no staging environment, and no feature flag service. Every line of code we write is one git push away from customers using it.
This post is about how we made that safe. Not how we made it fast — shipping fast is easy if you don’t care about the consequences. We care a lot about the consequences. What follows is the set of guardrails that let us ship at this cadence without burning the platform down.
Why shipping frequency matters
A bug reported to a small team on Monday morning can ship that afternoon. The same bug reported to a large engineering organization ships in the next release window — often two weeks later, sometimes a month. Multiply that delta across every interaction a user has with the product, and after a year the higher-cadence team has absorbed dramatically more real-world friction: obscure edge cases fixed, small frustrations smoothed, wording clarified, flows shortened.
The compounding effect is the whole argument. It’s not that any single change is more impactful. It’s that when the cost of shipping approaches zero, the threshold for “is this worth fixing?” also approaches zero — and a thousand small improvements are what distinguishes a product people tolerate from one they recommend.
The interesting question isn’t whether high shipping frequency is valuable. It obviously is. The interesting question is: what does it take to do this safely?
The pipeline
Blue runs on dedicated servers at Hetzner, not on AWS. We wrote about why we left the cloud. The deployment pipeline is Disco — an open-source tool built on top of Docker Swarm.
Here’s what happens when I push a commit to main on the frontend repo:
- GitHub webhook fires.
- The Disco daemon running on our production server receives the push event via the GitHub App.
- Disco pulls the commit and builds a Docker image using the repo’s
Dockerfile. - Docker Swarm rolls the new service version — new container comes up, health checks pass, old container drains.
- Caddy reverse-proxies traffic to whichever container is healthy.
Total time from git push to production: 3-5 minutes.
The Disco configuration is literally this file, disco.json, in the frontend repo:
{
"version": "1.0",
"services": {
"web": {
"port": 3000
}
}
}Five lines. That’s it. No pipeline YAML with a hundred steps. No Jenkinsfile. No Kubernetes manifests. No Helm charts. Swarm handles the rolling update, Caddy handles routing, Disco orchestrates the build. The backend GraphQL API uses the same config with one additional flag for Docker networking. Multiple deploys per day, using a file that fits on a Post-it.
There is no branch strategy to describe. We work on main. There’s no release branch, no sprint cut, no dev branch that gets promoted to prod. Pull requests exist — we use them for code review — but they land in main the same day they’re opened, usually within hours of being opened.
How the codebase is organized
Before talking about the pipeline, it’s worth talking about what feeds into it. The shape of the codebase is a big part of why daily shipping is sustainable at our size.
Blue isn’t a single monorepo. Each major service — the GraphQL API, the frontend rewrite, the legacy frontend, the forms app, the file service, the collaboration server, the CLI, the infrastructure definitions, the Python SDK — lives in its own Git repository. That separation fits the shape of the team: services have independent release cycles, independent dependencies, and independent owners-of-the-moment.
What’s less common is the meta-repo sitting above them. We keep a separate repo called blue/ that’s dedicated entirely to orchestration. It contains no production code. What it contains is the connective tissue that makes the rest of the platform feel like one thing:
scripts/setup.sh— clones every service repo as a sibling directory inside the meta-repo, idempotently. Safe to run on a fresh machine or to refresh an existing checkout. A new engineer goes from nothing to a full platform checkout withgit clone blue && ./scripts/setup.sh.compose.yml— a three-line file using Docker Compose’sinclude:directive to stitch together each service’s own compose file. One command from the meta-repo —docker compose up— brings up the entire stack: API, frontend, MySQL 8, Redis, Stripe CLI in listen mode, Firebase emulator, LocalStack for S3. No per-engineer README, no bespoke scripts, no “works on my machine” mystery.docs/— around 30 markdown files covering platform-wide concerns that don’t belong to any single service: the deployment pipeline, the records architecture, the permissions model, the frontend cache strategy, the testing approach, the style guide, the infrastructure overview. Cross-cutting knowledge lives here in one place, not scattered across per-repo READMEs that go stale.plans/— our active and completed initiatives as markdown. Every non-trivial piece of engineering work on Blue begins as a plan file: context, tradeoffs, approach, open questions. When it ships, the file moves toplans/completed/. We have 69 active plans right now and 55 in completed. There is no Jira instance, no Linear workspace, no Notion database behind this. Planning and shipping live in the same tool.git log plans/is our decision history.CLAUDE.md— an orientation document at the root, written for both human engineers and AI coding agents. It describes what each repo is, where docs and plans live, and how pieces fit together.
Secrets live next to the code, but encrypted. Each service repo’s environment files (.env.development, .env.production, etc.) are encrypted at rest with git-crypt. They travel through git like any other file, but without a GPG key they’re opaque. Onboarding a new engineer to secrets is one git-crypt add-gpg-user command — not a dance of 1Password shares, Slack DMs, and .env.example files that drift from reality.
The practical effect of all of this is that every engineer on the team has an identical local setup. Same directory structure, same services running, same compose file, same docs, same plans. When someone joins or comes back from a break, they’re not reconstructing a personal environment from memory; they’re running the same script everyone else runs.
It also means every piece of context — production code, documentation, architectural decisions, active plans, deployment configs, even encrypted secrets — is reachable with a single git grep from one working directory. A change that spans the API and the frontend (most of them do) doesn’t require jumping between tools. You’re already sitting at the root of everything.
None of this is groundbreaking on its own. Monorepo-ish layouts, Docker Compose includes, docs-in-git, plans-in-git — they’re all well-trodden ideas. The compounding effect is what matters. Each piece removes a specific type of friction — environment drift, tool-switching, onboarding time, stale documentation, secret sprawl. Take them all away and the cost of making a change drops to the point where making changes casually becomes reasonable. That’s the precondition for shipping every day.
No staging environment
This is the part that sounds the most reckless. We don’t have a staging environment.
A lot of teams will read that and assume we’re cowboys. The reasoning usually goes: you need staging to catch bugs before they hit users. But staging environments have a well-known failure mode — they drift from production. Staging runs on different data, different traffic patterns, sometimes different versions of services. Bugs that only surface under production load don’t get caught in staging anyway, and the bugs that do get caught were usually bugs a reasonable test or type-check would have caught.
More importantly, staging adds a human-scale delay to every change: deploy to staging, open the app, click around, file a ticket, fix the thing, deploy to staging again. That cycle — which feels like caution — is the exact thing that kills shipping velocity. It’s what turns three-engineer-speed into two-hundred-engineer-speed.
We went the other direction. Production is the only environment. What keeps that safe isn’t hope — it’s a stack of guardrails that each do a specific job.
The guardrails
TypeScript, end to end. Both our frontend (app-next, Vue 3) and backend (api, Node.js 22) run TypeScript strict mode. GraphQL types are code-generated from the schema. Prisma types are code-generated from the database. A meaningful share of the bugs a staging environment would catch are caught by tsc on my laptop before I push.
A large, real-database test suite. Our API repo has 320 test files, including 150 integration tests that run against a real MySQL 8 database in Docker. Our frontend has another 128 test files. We don’t mock databases, Redis, or queues — we’ve been burned before by mocked tests passing while production broke. Test services spin up with docker compose -f compose.test.yml up -d, and CI runs the full suite on every PR that touches the affected code. Writing tests is not an afterthought for us — it’s the thing that makes the rest of this model viable.
Infrastructure as code. Every piece of our production infrastructure is defined in Ansible playbooks, checked into Git. Not “mostly” — everything. The MySQL configuration, ProxySQL routing rules, Replication Manager failover logic, the XtraBackup scripts, the cron schedules, the fencing logic that prevents split-brain, the Loki log shipper, the Prometheus exporters — all of it lives in ansible/playbooks/. Nobody SSHes into a server and edits a config file. A change is a git commit and a playbook run. If both database servers disappeared tomorrow, we could provision two new Hetzner boxes and run the playbooks; the entire stack would be back in under an hour, configured identically. We wrote more about this in our database backups post.
Observability across every service. We see what’s happening in production in real time. Dozzle gives us Docker logs across every container as a searchable web UI — no SSH required. A full Grafana stack sits behind it: Loki for log aggregation, Prometheus for metrics, Promtail shipping from every server, Node Exporter on each box, 30-day retention on both logs and metrics. If something looks off after a deploy, we know within minutes, not the next business day. Telegram alerts fire for backup failures, replication lag, and failover events, straight into the team channel — the things we’d otherwise miss.
Docker Swarm rolling updates. When a new version deploys, Swarm brings up the new container, runs health checks, routes traffic, then drains the old one. If the new container fails its health check, old traffic keeps flowing. Nothing goes down. A broken build is a deploy that silently doesn’t ship — not an outage.
Instant rollback. A bad deploy is one Disco command away from being reverted. We’ve done it a handful of times in the last year. Mean time to recovery when a regression does hit production is measured in minutes, not hours.
We use our own product. Blue runs on Blue. Every commit to main is a commit I’m about to use myself, five minutes from now. That’s a better incentive than any QA checklist.
Each of those guardrails does one specific thing. Together, they replace what staging would have caught — and they do it without adding a two-hour delay between finishing a change and shipping it.
The daily texture
Here’s what shipping daily actually looks like from the inside.
On April 2, we pushed 77 commits to production — a pricing-page rework, a database migration, and a handful of fixes, all in one day. Even quiet days look like this: on April 18, a Saturday, we shipped 8. This morning before lunch: 14. Over the last 90 days, there has not been a single calendar day on which we deployed zero commits.
Across the last 30 days, we averaged around seven distinct deploy events per day. That’s not seven commits — that’s seven separate build-and-rollout cycles. Features, fixes, content changes, migrations, refactors, all rolling into production while customers are using the app.
To put it in absolute terms: the Blue platform codebase is around 1.85 million lines across 15,173 commits. We shipped 6% of our total commit history in the last 30 days alone. The frontend rewrite (app-next) turned five months old this week and has accumulated 3,275 commits in that time — an average of about 22 commits a day, every day, from a team of three.
What this means for customers
Most of the benefit of daily shipping is invisible from the outside. A bug reported against a product with a quarterly release cycle disappears into a queue; by the time the fix lands, the customer has either built a workaround or churned. A bug reported against Blue is typically fixed the same day. A feature request that would normally enter a roadmap backlog often ships within days or weeks.
The second-order effect is the one that matters. When shipping is nearly free, the bar for “is this worth fixing?” drops to whatever a reasonable engineer decides in the moment. Hundreds of small improvements that a slower-shipping team would defer indefinitely get made, quietly, over the course of a year. That’s the real product difference.
Trade-offs and limits
This model works for us, but it isn’t the right fit for every team. A few honest observations on where it breaks down.
It requires a small team where every engineer is fully trusted to reason about consequences. The moment you have engineers whose commits you wouldn’t personally review before a deploy, you need scaffolding we don’t have — a review gate, a staging environment, a cautious release schedule. That scaffolding isn’t a sign of dysfunction; it’s a reasonable response to scale.
It requires a product where most changes are low-risk relative to a rollback. Frontend tweaks, bug fixes, content updates, incremental feature work — these are safe to ship continuously because their blast radius is contained and rollback is cheap. Irreversible operations — schema migrations that drop data, changes to billing logic, anything involving money movement — get handled with more care. Those changes get extra review, staged in phases, and shipped at low-traffic hours, even in our setup.
It requires investing up front in the guardrails. None of the tooling above is exotic, but it takes time to wire up and maintain. A team that wants to ship daily without this stack is not shipping daily; it’s gambling daily.
Closing
When we talk internally about why the three of us can build a product that competes with much larger teams, the answer isn’t that we’re more productive per engineer. It’s that we’ve structured the work so that what each of us produces reaches users faster. The difference between “the fix ships this afternoon” and “the fix ships next quarter” compounds across every interaction.
The investment that makes this possible is mostly removing things, not adding them. No staging, no release train, no feature flag service, no change review board. What’s left is a short path between a decision and a deployed change, and a stack of guardrails that make that path safe to travel.
None of this is novel. Trunk-based development, continuous deployment, infrastructure as code — the practices are well-documented and the tooling is mostly open source. The interesting part isn’t the techniques. It’s the discipline to keep the path short as the team grows, and the honesty to admit when it needs to stop being short.
— Manny