惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
阮一峰的网络日志
阮一峰的网络日志
S
Secure Thoughts
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Threat Research - Cisco Blogs
P
Privacy & Cybersecurity Law Blog
The Hacker News
The Hacker News
H
Heimdal Security Blog
W
WeLiveSecurity
L
LINUX DO - 热门话题
Hacker News: Ask HN
Hacker News: Ask HN
WordPress大学
WordPress大学
The Last Watchdog
The Last Watchdog
Hugging Face - Blog
Hugging Face - Blog
博客园 - 【当耐特】
D
DataBreaches.Net
I
Intezer
Webroot Blog
Webroot Blog
C
Cisco Blogs
AWS News Blog
AWS News Blog
博客园 - 聂微东
T
The Blog of Author Tim Ferriss
V
Vulnerabilities – Threatpost
罗磊的独立博客
Google DeepMind News
Google DeepMind News
N
Netflix TechBlog - Medium
Schneier on Security
Schneier on Security
宝玉的分享
宝玉的分享
博客园 - 叶小钗
PCI Perspectives
PCI Perspectives
D
Docker
Scott Helme
Scott Helme
NISL@THU
NISL@THU
J
Java Code Geeks
B
Blog RSS Feed
Google Online Security Blog
Google Online Security Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Exploit Database - CXSecurity.com
AI
AI
美团技术团队
Cloudbric
Cloudbric
月光博客
月光博客
P
Proofpoint News Feed
T
Tailwind CSS Blog
Google DeepMind News
Google DeepMind News
小众软件
小众软件
www.infosecurity-magazine.com
www.infosecurity-magazine.com
The Cloudflare Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org

Graphite blog

Introducing Code Tours: a new way to review Introducing Cursor Cloud Agents in Graphite Building the future of software development with Cursor Reimagining the PR Page: Designing for speed and focus Graphite changelog [11-20-2025] Graphite changelog [11-04-2025] Graphite changelog [10-16-2025] The future of engineering is collaborative (and already here) Meet Graphite Agent: the next evolution of AI code review Introducing frozen branches: A safer way to build on your teammates’ work Graphite changelog [09-17-2025] How we sped up code search for Graphite Chat Introducing Graphite Chat AI is writing code—here's why it also needs to review that code How I got Claude to write code I could actually ship How we built the first stack-aware merge queue (and why it matters) How we organize our monorepo to ship fast Graphite brings stacking to Tower Code review tooling: Should you build or buy? Making AI code review available to everyone Introducing: The new Graphite + Linear integration Graphite raises $52M and launches Diamond to reimagine code review for the age of AI Why AI will never replace human code review How stacked PRs unblock distributed development teams Graphite is going to Developer Week 2025 Beating the end of year code freeze How Graphite’s eng team ships code remarkably fast Why we chose Anthropic's Claude to power Graphite Reviewer AI code generation will remain fragmented How we redesigned Graphite's landing page in-house Introducing Graphite Reviewer: your AI code review companion How AI code review reduces review cycles to improve developer productivity What if you could get instant feedback on your code? The new developer toolchain Not Rocket Science - How Bors and Google’s TAP inspired modern merge queues Graphite's State of code review 2024 How Google migrated billions of lines of code from Perforce to Piper Going from 0 to 1: How to write better unit tests when there are none Speed up your merges: Parallel CI is now generally available for teams using Graphite’s merge queue BitKeeper, Linux, and licensing disputes: How Linus wrote Git in 14 days Graphite is now free for startups and open source projects Launch week wrap-up (May 2024) Reduce CI costs for Buildkite and GitHub Actions Cheaper CI & faster merging with batching How Google does code review The technical learning curve at a startup is gentler than you might think Graphite will now automatically rebase your partially-merged stacks Multiple engineers can now seamlessly collaborate on the same stack of PRs Do you ever outgrow GitHub? From the 80's to 2024 - how CI tests were invented and optimized Graphite changelog [4/10/2024] 🎺 Graphite changelog [4/25/2024] 🐸 How Stack Overflow replaced Experts Exchange How GitHub monopolized code hosting Graphite changelog [3/27/2024] 🤝 The core principles of building a good AI feature Onboarding roulette: deleting our employee accounts daily Graphite changelog [3/13/2024] 🚁 Why Facebook doesn’t use Git How to recreate the Phabricator code review workflow Types of code reviews: Improve performance, velocity, and quality What's the best GitHub pull request merge strategy? Phabricator vs GitHub vs Graphite: How do they stack up? Improving team velocity through better pull request practices Moving fast breaks things: the importance of a staging environment Building trust as a software engineer Keeping code simple: moving fast by avoiding over-engineering What's better than GitHub pull request filters? The Graphite pull request inbox 7 Best Phabricator alternatives for PR stacking + code review [2024] Accurate eng estimations: predicting and negotiating the future Tracking and understanding GitHub PR stats: A step-by-step guide 8 pull request best practices for optimal engineering What’s next for Graphite Graphite Q1 Launch week: Stacking with the tools you love Graphite Q1 Launch week: Making stacking seamless Accelerating code review The Mom Test How to use stacked PRs to unblock your entire team Graphite Q1 launch week 2024 The practical and philosophical problems with AI code review Empirically sup code review best practices Call site attribution: how to pinpoint rogue SQL queries throttling your performance Every engineer should understand git reflog Post mortem: we took 124 seconds from you, here's 378 back Your GitHub pull request workflow is slowing everyone down Optimizing CI/CD workflows for trunk-based development Why we use AWS instead of Vercel to host our Next.js app How large pull requests slow down development 3 key lessons in application server optimization Trunk-based development: why you should stop using feature branches Git was built in 5 days Why large companies and fast-moving startups are banning merge commits How long should your CI take? Experimenting with AI code review CRA to AppRouter in 5 Steps: A case study with Graphite Graphite Changelog [10/18/2023] The comprehensive guide to writing the best PR title of all time How 10,000 Developers All Contribute to the same Repo
Down for less than four minutes a month: how AWS deploys code
Nicholas Yan · 2024-05-29 · via Graphite blog

99.9% Uptime

One of the most impressive parts of Amazon Web Services is its commitment to uptime. For each of their offerings, AWS commits to a “Monthly Uptime Percentage” and if they miss the mark, a service credit is granted.

Here, for example, is the SLA for Amazon Simple Storage Service. Note that if S3 falls below 99.9% uptime — less than just four minutes and 20 seconds of downtime per month — AWS starts issuing partial refunds:

Scanning through the SLAs, 99.9% is most common but in a few cases AWS goes even higher. At the top? The DynamoDB Global Tables SLA and the AWS Key Management Service SLA which each commit to five nines, 99.999% — less than five seconds of downtime per month.

To consider how truly impressive this is, consider your team’s current deployment infrastructure. How long would it take you to rollback a bad change completely? How long does it typically take for you tend to detect a bad release? Would you be able to do both of these consistently, spending no more than four minutes and 20 seconds cumulatively over the course of the month?

Automation to the rescue

It’s easy to think about incident management as manual heroics. An oncall jumps in, debugs some cryptic error, and finds a deep hidden behavior in the system.

The reality of AWS’s tight SLAs, however, mean that there’s no time for manual action at all; if you only have four minutes and 20 seconds to respond cumulatively over a month, in order to respond in time, everything must be automated.

In a 2021 interview, Clare Liguori, a Principal Engineer at AWS mentioned, “when an alarm goes off and the on-call gets engaged, usually if it's a problem caused by a deployment, the pipeline has already rolling back that change before the on-call engineer is even logged in and started looking at what's going on.”

Liguori’s earlier 2020 blog post, “Automating safe, hands-off deployments”, explains how much of this works.

The post has inspired us at Graphite to think more deeply about our own CodePipeline instance — and in the spirit of learning, I want to highlight some of the key principles here.

Idea 1: Automated rollbacks

At the core of AWS’s automated deployment pipeline is the ability to conduct automated rollbacks.

This shortcuts the toil of requiring an engineer watch each and every deploy going out, the risk that engineers conduct the right set of rollback steps, and ensures this all happens with near-immediate speed.

At multiple steps, as the pipeline rolls out changes to its pre-production environment, a new Availability Zone, or a new Region, the pipeline monitors a set of metrics (some custom to the service and others core vitals like CPU and memory usage). If any of these take a dip, the pipeline halts the pipeline, automatically rolls back the changes, and notifies the oncall.

ALARM("FrontEndApiService_High_Fault_Rate") OR

ALARM("FrontEndApiService_High_P50_Latency") OR

ALARM("FrontEndApiService_High_P90_Latency") OR

ALARM("FrontEndApiService_High_P99_Latency") OR

ALARM("FrontEndApiService_High_Cpu_Usage") OR

ALARM("FrontEndApiService_High_Memory_Usage") OR

ALARM("FrontEndApiService_High_Disk_Usage") OR

ALARM("FrontEndApiService_High_Errors_In_Logs") OR

ALARM("FrontEndApiService_High_Failing_Health_Checks")

One other interesting idea mentioned: the deployment pipeline monitors not just the metrics of the service under deployment, but its upstream and downstream dependencies as well — the idea here being that the freshly deployed service can be placing extra load causing its dependencies to dip.

Idea 2: Progressive rollouts

One-box

At each stage where a change is pushed (pre-production stages, production), the deployment starts with the “one-box” stage where changes are deployed to just one box, “a single virtual machine, single container, or a small percentage of Lambda function invocations”.

The deployment pipeline monitors the metrics of the box specifically; as earlier, if the metrics regress, the deployment is automatically halted and rolled back.

In addition to ensuring top-line service health, this one-box approach also helps guarantee backwards and forwards compatibility; for a duration during the deploy, services will run both the old and new (the one-box) versions of code. Adding an additional layer of compatibility checks, the service under deployment also connects to other pre-production resources at some stages and production versions at others.

Waves

After one-box, deployments continue to roll out slowly in isolated portions of the service, either single Availability Zones or individual “cells” (a “service’s individual internal shards”).

The key idea here is to prevent system-wide degradation by limiting deployments to units the service can withstand losing. ”All services are scaled to withstand losing an Availability Zone in the Region, so we know that the service can still serve production load at this capacity.” By deploying to only one Availability Zone in a region at a time, even a bad deploy’s impact is contained.

In order to balance safety with speed, as confidence builds in a change through successive successful deployments, the “waves” in which it gets deployed become successively larger and larger as well (e.g. being deployed to more regions at once).

It’s also worth noting that multiple concurrent waves of deployments can contain multiple versions of deployments. A deployment from earlier in the day may be deploying in a large, later-stage wave while a deployment from later in the day begins to deploy one of the initial waves.

Idea 3: Slow rollouts (baking)

As an extra layer of redundancy, AWS waits between each wave (longer for earlier waves, shorter for later waves) to give it extended time to catch regressions highlighted by user traffic.

The “bake” period is also smart enough to require a certain volume of traffic; it “includes requirements to wait for a specific number of data points in the team’s metrics (for example, "wait for at least 100 requests to the Create API") to ensure that enough requests have occurred to make it likely that the new code has been fully exercised.”

In practice, this can add a significant amount of time to deploys: “A typical pipeline waits at least one hour after each one-box stage, at least 12 hours after the first regional wave, and at least two to four hours after each of the rest of the regional waves, with additional bake time for individual Regions, Availability Zones, and cells within each wave.”

In total this can mean “four or five business days” to deploy a typical service and even more for services that require extra careful deploys.

Idea 4: Rollouts, not just for code changes

It’s not just the obvious changes — e.g. application code — that go through pipelines; items like feature flags and configuration changes do too.

Each type of change exists in its own pipeline which adds safety (each pipeline hooks into the same infrastructure, e.g. a bad feature flag change can be automatically detected and rolled back) and also helps with velocity: for example, “Application code changes that fail integration tests and block the application pipeline don’t affect other pipelines.”

Idea 5: Deployment blockers

Sometimes the safest deployment is no deployment at all.

AWS’s pipeline can block deployments when there are active incidents or during particular time windows (e.g. outside of core business hours).

This is custom per team; some “prefer to release software when there are plenty of people who can quickly respond and mitigate an issue caused by a deployment” whereas others “prefer to release software when there is low customer traffic.”

Takeaways

At Graphite, we’ve been inspired to adopt some of these ideas: we block our deployment pipeline outside of core business hours and now bake changes for a set period of time in a pre-production environment before they release to production.

Other bits of AWS’s deployment process have been harder to adopt as-is without AWS scale and maturity. As a startup, speed is one of our strongest assets; we can’t afford to roll out changes to production over four or five days like AWS does. And for us, the key part of automated rollouts — having high-signal health metrics — is an area that is slowly improving, but still has some ways to go.

The nice part is that the ideas don’t have to be adopted in an all-or-nothing fashion. We’re now thinking about adopting one-box deployments, even if we don’t deploy later in waves across multiple days. And the core principles behind the specific AWS implementations have also led us to reflect more deeply about things we’ve historically just accepted about our incident response process — namely the opportunities for automation, even if just as a debugging tool and not yet as a tool with the authority for full rollbacks.

We might not yet be at five nines, but we dream.