CI must run the full test suite and block deployment on failure. Without gate checks, a broken commit reaches production, users experience bugs, and you spend hours debugging under pressure instead of catching it in CI for free.
Why This Matters
Without CI gate checks, every commit is a gamble. A test that would have flagged a regression within minutes of the push instead becomes a production incident that takes hours to diagnose, fix, and redeploy, plus the loss of user trust and any revenue lost during the outage.
Tests exist to catch regressions before they reach users. But tests only protect you if they actually run before deployment and block broken code from shipping. A test suite that runs "optionally" or "when developers remember to" provides zero protection.
Every production incident that would have been caught by an existing test is a process failure, not a code failure. The test was written, the test was correct, but the pipeline allowed broken code to bypass it.
The cost difference is dramatic: a test failure in CI costs 3 minutes of pipeline time and a notification. The same bug in production costs hours of incident response, user-facing downtime, hotfix deployment, and post-mortem meetings.
The rule
CI must run the complete test suite (unit, integration, and E2E) on every push to a deployable branch. Deployment must be blocked if any test fails. No manual overrides, no "skip tests" flags, no deploying from local machines.
Bad example
```yaml
# .github/workflows/deploy.yml -- tests run but don't block deploy
name: Deploy
on:
  push:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test   # Test failures don't block deployment!
  deploy:
    runs-on: ubuntu-latest   # No needs: on the test job, so this runs regardless of the result
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh
```
Good example
```yaml
# .github/workflows/deploy.yml -- tests gate deployment
name: Deploy
on:
  push:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm run test
      - run: npm run test:e2e
  deploy:
    runs-on: ubuntu-latest
    needs: [test]   # Blocked until the test job succeeds; a failed or cancelled test job skips this job
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh
```
How to detect
Review your CI/CD configuration:
Check that every deploy job declares needs: on the test job(s), and that it has no job-level if: always() that would run it even after a needed job failed
Check that branch protection on the deployable branch lists the test job as a required status check
Verify there is no other route to production: manual deploy scripts, SSH access to hosts, workflow_dispatch inputs that skip tests, or continue-on-error: true on a test step or job, which turns a failing test into a green result that needs: will happily accept
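The checks above can be scripted. The following is an added example, not code from the page or from any project it describes: a line-based scan of a GitHub Actions workflow that reports deploy jobs lacking needs:, deploy jobs overridden with a job-level if: always(), and test jobs masked by continue-on-error: true. It assumes the two-space indentation used in the examples on this page and matches deploy jobs by name (deploy, release, publish, an assumption); it is a heuristic scan, not a full YAML parser. The three sample workflows are constructed inline for the demonstration.

```python
"""Heuristic scan of GitHub Actions workflows for deploy jobs that are not gated
on tests. Line-based, two-space indentation assumed; not a full YAML parser."""
import re
from typing import Dict, List

# Assumption: job ids containing these words are the ones that ship code.
DEPLOY_JOB = re.compile(r"deploy|release|publish", re.IGNORECASE)


def parse_jobs(text: str) -> Dict[str, dict]:
    """Per job: needs (list of job ids), job-level if (str or None), and whether
    continue-on-error: true appears anywhere inside the job (job or step level)."""
    jobs: Dict[str, dict] = {}
    in_jobs = False
    current = None
    collecting_needs = False          # inside a multi-line "needs:" block list
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if indent == 0:                              # top-level key: name:, on:, jobs:
            in_jobs = stripped == "jobs:"
            current = None
            continue
        if not in_jobs:
            continue
        if indent == 2 and stripped.endswith(":"):   # a job id
            current = stripped[:-1]
            jobs[current] = {"needs": [], "if": None, "continue_on_error": False}
            collecting_needs = False
            continue
        if current is None:
            continue
        if collecting_needs and indent > 4 and stripped.startswith("- "):
            jobs[current]["needs"].append(stripped[2:].strip())
            continue
        collecting_needs = False
        key, _, value = stripped.partition(":")
        value = value.strip()
        if indent == 4 and key == "needs":
            if value:                                # needs: [test]  or  needs: test
                jobs[current]["needs"] = re.findall(r"[\w-]+", value)
            else:                                    # needs:\n  - test\n  - lint
                collecting_needs = True
        elif indent == 4 and key == "if":            # job-level condition only
            jobs[current]["if"] = value
        elif key == "continue-on-error" and value.lower() == "true":
            jobs[current]["continue_on_error"] = True
    return jobs


def find_ungated_deploys(text: str) -> List[str]:
    """One finding per way a deploy job could run after the tests failed."""
    jobs = parse_jobs(text)
    findings: List[str] = []
    for job, info in jobs.items():
        if not DEPLOY_JOB.search(job):
            continue
        if not info["needs"]:
            findings.append(f"{job}: no needs:, so it runs regardless of test results")
            continue
        if info["if"] and "always()" in info["if"]:
            findings.append(f"{job}: if: always() runs it even when a needed job fails")
        for dep in info["needs"]:
            if dep not in jobs:
                findings.append(f"{job}: needs unknown job {dep!r}")
            elif jobs[dep]["continue_on_error"]:
                findings.append(f"{job}: needed job {dep!r} uses continue-on-error, masking failures")
    return findings


# Constructed samples: the page's bad and good examples, plus one that looks gated but is not.
BAD = """name: Deploy
on:
  push:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: npm test
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh
"""
GOOD = BAD.replace("  deploy:\n    runs-on: ubuntu-latest\n",
                   "  deploy:\n    runs-on: ubuntu-latest\n    needs: [test]  # gated\n")
LOOKS_GATED = """jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: npm test
        continue-on-error: true
  deploy:
    runs-on: ubuntu-latest
    needs:
      - test
    if: always()
    steps:
      - run: ./deploy.sh
"""

if __name__ == "__main__":
    for label, wf in (("bad", BAD), ("good", GOOD), ("looks gated", LOOKS_GATED)):
        print(label, find_ungated_deploys(wf) or ["ok"])
```

Run it against every file under .github/workflows/ and treat any finding as a CI failure itself; the third sample is the case that a bare grep for needs: misses, because the dependency is declared but neutralised by if: always() on the deploy job and continue-on-error on the test step.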
Remediation
Add needs: [test] to your deploy job so it depends on test success
Enable branch protection on main and list the test job as a required status check, so a merge or push cannot land while that check is failing or missing
Remove any "skip CI" escape hatches for deployable branches
Ensure E2E tests run against a staging environment before production deploy
Set up deployment notifications so the team knows when a deploy is blocked by test failure