Phase 4 · Deploy pipeline

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: Phase 4 · Deploy pipeline
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 4
- est_time: 6–10 hr
- description: Stand up everything that makes deployment possible — Deployer for zero-downtime releases, subdomains + SSL, production .env, and (recommended) CI, DNS email records, and a CDN — so `dep deploy staging` just works.
- tags: codecanyon, laravel, deploy

## Execution rules (binding)
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# Phase 4 · Deploy pipeline

Build the **machinery** that ships your app. After this phase, `dep deploy staging` produces a working site — because the deployer, server access, domains, SSL, and the production `.env` all exist and are verified.

<StageFlow
  title="Phase 4 — from runnable app to deployable pipeline"
  caption="Three MUST pages unblock deployment. Four SHOULD pages (CI/ServerSync, DNS email, CDN, release + incident response) harden it and can follow the first deploy."
  stages={[
    { label: 'Deployer', sub: 'Page 1 · MUST', tone: 'core' },
    { label: 'Subdomains + SSL', sub: 'Page 2 · MUST', tone: 'core' },
    { label: 'Production .env', sub: 'Page 3 · MUST', tone: 'core' },
    { label: 'CI · DNS · CDN · Release', sub: 'Pages 4–7 · SHOULD', tone: 'good' },
  ]}
/>

:::note[Gate]
Deployer configured and SSH verified, subdomains + SSL active, production `.env` in place — and you can confidently say **"this can deploy."**
:::

Clearing that gate safely is exactly what the warning below is about.

:::caution[This phase touches real remotes]
You're configuring live servers and DNS. Run AI assistance in a cautious mode, keep secrets **server-side** (never in the repo), and verify SSH access before any task that assumes it.
:::

## This phase, page by page

<CardGrid>
  <LinkCard title="1 · Deployer (zero-downtime)" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/01-deployer/" description="MUST. Install Deployer and author deploy.php — atomic releases, shared storage/.env, hooks, server PHP paths, SSH dry run." />
  <LinkCard title="2 · Subdomains + SSL" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/02-subdomains-ssl/" description="MUST. Point staging + production at the server, provision certs, and get HTTPS green with a five-check verification." />
  <LinkCard title="3 · Production .env" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/03-production-env/" description="MUST. Assemble the env as a Deployer shared file — bidirectional drift check, Git-history secret scan, production caches." />
  <LinkCard title="4 · CI + ServerSync" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/04-ci-serversync/" description="SHOULD. GitHub Actions deploy + ServerSync — secrets, clear_paths ↔ GIT_ONLY_PATHS symmetry, actionlint." />
  <LinkCard title="5 · DNS email records" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/05-dns-email/" description="SHOULD. SPF / DKIM / DMARC (+ MX) for deliverable transactional mail; CAA deferred to Phase 7." />
  <LinkCard title="6 · Cloudflare CDN" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/06-cloudflare-cdn/" description="SHOULD. Free-plan edge — Full (Strict) SSL, HSTS, WAF, rate limiting, cache rules, DNSSEC. Rocket Loader OFF." />
  <LinkCard title="7 · Release + incident response" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/07-release-and-incident/" description="SHOULD. Changelog + version bump + release tag, then an incident runbook wired dev-only into the repo." />
</CardGrid>

## Next

A working pipeline means you can do a **real, observed deploy** — that's **[Phase 5 · Deploy to staging](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/)**, where the app goes live on a server for the first time.

---

> **Source:** distilled from the Phase 4 deploy-pipeline reference (Tasks 35–42). Exact `deploy.php`, DNS, and CDN configs live in the reference set.

# Phase 4 · Deploy pipeline

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/

Build the **machinery** that ships your app. After this phase, `dep deploy staging` produces a working site — because the deployer, server access, domains, SSL, and the production `.env` all exist and are verified.

<StageFlow
  title="Phase 4 — from runnable app to deployable pipeline"
  caption="Three MUST pages unblock deployment. Four SHOULD pages (CI/ServerSync, DNS email, CDN, release + incident response) harden it and can follow the first deploy."
  stages={[
    { label: 'Deployer', sub: 'Page 1 · MUST', tone: 'core' },
    { label: 'Subdomains + SSL', sub: 'Page 2 · MUST', tone: 'core' },
    { label: 'Production .env', sub: 'Page 3 · MUST', tone: 'core' },
    { label: 'CI · DNS · CDN · Release', sub: 'Pages 4–7 · SHOULD', tone: 'good' },
  ]}
/>

:::note[Gate]
Deployer configured and SSH verified, subdomains + SSL active, production `.env` in place — and you can confidently say **"this can deploy."**
:::

Clearing that gate safely is exactly what the warning below is about.

:::caution[This phase touches real remotes]
You're configuring live servers and DNS. Run AI assistance in a cautious mode, keep secrets **server-side** (never in the repo), and verify SSH access before any task that assumes it.
:::

## This phase, page by page

<CardGrid>
  <LinkCard title="1 · Deployer (zero-downtime)" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/01-deployer/" description="MUST. Install Deployer and author deploy.php — atomic releases, shared storage/.env, hooks, server PHP paths, SSH dry run." />
  <LinkCard title="2 · Subdomains + SSL" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/02-subdomains-ssl/" description="MUST. Point staging + production at the server, provision certs, and get HTTPS green with a five-check verification." />
  <LinkCard title="3 · Production .env" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/03-production-env/" description="MUST. Assemble the env as a Deployer shared file — bidirectional drift check, Git-history secret scan, production caches." />
  <LinkCard title="4 · CI + ServerSync" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/04-ci-serversync/" description="SHOULD. GitHub Actions deploy + ServerSync — secrets, clear_paths ↔ GIT_ONLY_PATHS symmetry, actionlint." />
  <LinkCard title="5 · DNS email records" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/05-dns-email/" description="SHOULD. SPF / DKIM / DMARC (+ MX) for deliverable transactional mail; CAA deferred to Phase 7." />
  <LinkCard title="6 · Cloudflare CDN" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/06-cloudflare-cdn/" description="SHOULD. Free-plan edge — Full (Strict) SSL, HSTS, WAF, rate limiting, cache rules, DNSSEC. Rocket Loader OFF." />
  <LinkCard title="7 · Release + incident response" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/07-release-and-incident/" description="SHOULD. Changelog + version bump + release tag, then an incident runbook wired dev-only into the repo." />
</CardGrid>

## Next

A working pipeline means you can do a **real, observed deploy** — that's **[Phase 5 · Deploy to staging](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/)**, where the app goes live on a server for the first time.

---

> **Source:** distilled from the Phase 4 deploy-pipeline reference (Tasks 35–42). Exact `deploy.php`, DNS, and CDN configs live in the reference set.

Build the machinery that ships your app. After this phase, dep deploy staging produces a working site — because the deployer, server access, domains, SSL, and the production .env all exist and are verified.

Phase 4 — from runnable app to deployable pipeline

Three MUST pages unblock deployment. Four SHOULD pages (CI/ServerSync, DNS email, CDN, release + incident response) harden it and can follow the first deploy.

Clearing that gate safely is exactly what the warning below is about.

This phase, page by page

1 · Deployer (zero-downtime) MUST. Install Deployer and author deploy.php — atomic releases, shared storage/.env, hooks, server PHP paths, SSH dry run.

2 · Subdomains + SSL MUST. Point staging + production at the server, provision certs, and get HTTPS green with a five-check verification.

3 · Production .env MUST. Assemble the env as a Deployer shared file — bidirectional drift check, Git-history secret scan, production caches.

4 · CI + ServerSync SHOULD. GitHub Actions deploy + ServerSync — secrets, clear_paths ↔ GIT_ONLY_PATHS symmetry, actionlint.

5 · DNS email records SHOULD. SPF / DKIM / DMARC (+ MX) for deliverable transactional mail; CAA deferred to Phase 7.

6 · Cloudflare CDN SHOULD. Free-plan edge — Full (Strict) SSL, HSTS, WAF, rate limiting, cache rules, DNSSEC. Rocket Loader OFF.

7 · Release + incident response SHOULD. Changelog + version bump + release tag, then an incident runbook wired dev-only into the repo.

A working pipeline means you can do a real, observed deploy — that’s Phase 5 · Deploy to staging, where the app goes live on a server for the first time.

Source: distilled from the Phase 4 deploy-pipeline reference (Tasks 35–42). Exact deploy.php, DNS, and CDN configs live in the reference set.

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: Phase 4 · Deploy pipeline
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 4
- est_time: 6–10 hr
- description: Stand up everything that makes deployment possible — Deployer for zero-downtime releases, subdomains + SSL, production .env, and (recommended) CI, DNS email records, and a CDN — so `dep deploy staging` just works.
- tags: codecanyon, laravel, deploy

## Execution rules (binding)
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# Phase 4 · Deploy pipeline

Build the **machinery** that ships your app. After this phase, `dep deploy staging` produces a working site — because the deployer, server access, domains, SSL, and the production `.env` all exist and are verified.

<StageFlow
  title="Phase 4 — from runnable app to deployable pipeline"
  caption="Three MUST pages unblock deployment. Four SHOULD pages (CI/ServerSync, DNS email, CDN, release + incident response) harden it and can follow the first deploy."
  stages={[
    { label: 'Deployer', sub: 'Page 1 · MUST', tone: 'core' },
    { label: 'Subdomains + SSL', sub: 'Page 2 · MUST', tone: 'core' },
    { label: 'Production .env', sub: 'Page 3 · MUST', tone: 'core' },
    { label: 'CI · DNS · CDN · Release', sub: 'Pages 4–7 · SHOULD', tone: 'good' },
  ]}
/>

:::note[Gate]
Deployer configured and SSH verified, subdomains + SSL active, production `.env` in place — and you can confidently say **"this can deploy."**
:::

Clearing that gate safely is exactly what the warning below is about.

:::caution[This phase touches real remotes]
You're configuring live servers and DNS. Run AI assistance in a cautious mode, keep secrets **server-side** (never in the repo), and verify SSH access before any task that assumes it.
:::

## This phase, page by page

<CardGrid>
  <LinkCard title="1 · Deployer (zero-downtime)" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/01-deployer/" description="MUST. Install Deployer and author deploy.php — atomic releases, shared storage/.env, hooks, server PHP paths, SSH dry run." />
  <LinkCard title="2 · Subdomains + SSL" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/02-subdomains-ssl/" description="MUST. Point staging + production at the server, provision certs, and get HTTPS green with a five-check verification." />
  <LinkCard title="3 · Production .env" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/03-production-env/" description="MUST. Assemble the env as a Deployer shared file — bidirectional drift check, Git-history secret scan, production caches." />
  <LinkCard title="4 · CI + ServerSync" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/04-ci-serversync/" description="SHOULD. GitHub Actions deploy + ServerSync — secrets, clear_paths ↔ GIT_ONLY_PATHS symmetry, actionlint." />
  <LinkCard title="5 · DNS email records" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/05-dns-email/" description="SHOULD. SPF / DKIM / DMARC (+ MX) for deliverable transactional mail; CAA deferred to Phase 7." />
  <LinkCard title="6 · Cloudflare CDN" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/06-cloudflare-cdn/" description="SHOULD. Free-plan edge — Full (Strict) SSL, HSTS, WAF, rate limiting, cache rules, DNSSEC. Rocket Loader OFF." />
  <LinkCard title="7 · Release + incident response" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/07-release-and-incident/" description="SHOULD. Changelog + version bump + release tag, then an incident runbook wired dev-only into the repo." />
</CardGrid>

## Next

A working pipeline means you can do a **real, observed deploy** — that's **[Phase 5 · Deploy to staging](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/)**, where the app goes live on a server for the first time.

---

> **Source:** distilled from the Phase 4 deploy-pipeline reference (Tasks 35–42). Exact `deploy.php`, DNS, and CDN configs live in the reference set.

# Phase 4 · Deploy pipeline

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/

Build the **machinery** that ships your app. After this phase, `dep deploy staging` produces a working site — because the deployer, server access, domains, SSL, and the production `.env` all exist and are verified.

<StageFlow
  title="Phase 4 — from runnable app to deployable pipeline"
  caption="Three MUST pages unblock deployment. Four SHOULD pages (CI/ServerSync, DNS email, CDN, release + incident response) harden it and can follow the first deploy."
  stages={[
    { label: 'Deployer', sub: 'Page 1 · MUST', tone: 'core' },
    { label: 'Subdomains + SSL', sub: 'Page 2 · MUST', tone: 'core' },
    { label: 'Production .env', sub: 'Page 3 · MUST', tone: 'core' },
    { label: 'CI · DNS · CDN · Release', sub: 'Pages 4–7 · SHOULD', tone: 'good' },
  ]}
/>

:::note[Gate]
Deployer configured and SSH verified, subdomains + SSL active, production `.env` in place — and you can confidently say **"this can deploy."**
:::

Clearing that gate safely is exactly what the warning below is about.

:::caution[This phase touches real remotes]
You're configuring live servers and DNS. Run AI assistance in a cautious mode, keep secrets **server-side** (never in the repo), and verify SSH access before any task that assumes it.
:::

## This phase, page by page

<CardGrid>
  <LinkCard title="1 · Deployer (zero-downtime)" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/01-deployer/" description="MUST. Install Deployer and author deploy.php — atomic releases, shared storage/.env, hooks, server PHP paths, SSH dry run." />
  <LinkCard title="2 · Subdomains + SSL" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/02-subdomains-ssl/" description="MUST. Point staging + production at the server, provision certs, and get HTTPS green with a five-check verification." />
  <LinkCard title="3 · Production .env" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/03-production-env/" description="MUST. Assemble the env as a Deployer shared file — bidirectional drift check, Git-history secret scan, production caches." />
  <LinkCard title="4 · CI + ServerSync" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/04-ci-serversync/" description="SHOULD. GitHub Actions deploy + ServerSync — secrets, clear_paths ↔ GIT_ONLY_PATHS symmetry, actionlint." />
  <LinkCard title="5 · DNS email records" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/05-dns-email/" description="SHOULD. SPF / DKIM / DMARC (+ MX) for deliverable transactional mail; CAA deferred to Phase 7." />
  <LinkCard title="6 · Cloudflare CDN" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/06-cloudflare-cdn/" description="SHOULD. Free-plan edge — Full (Strict) SSL, HSTS, WAF, rate limiting, cache rules, DNSSEC. Rocket Loader OFF." />
  <LinkCard title="7 · Release + incident response" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/07-release-and-incident/" description="SHOULD. Changelog + version bump + release tag, then an incident runbook wired dev-only into the repo." />
</CardGrid>

## Next

A working pipeline means you can do a **real, observed deploy** — that's **[Phase 5 · Deploy to staging](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/)**, where the app goes live on a server for the first time.

---

> **Source:** distilled from the Phase 4 deploy-pipeline reference (Tasks 35–42). Exact `deploy.php`, DNS, and CDN configs live in the reference set.