A deployment that succeeds at the infrastructure level can still break login, payment processing, or core data flows — the CI/CD pipeline passes, but users hit errors. Without automated post-deployment smoke tests (NIST SA-11, SSDF PW.8), the first signal of a broken deployment is a user support ticket. ISO 25010 reliability.maturity requires that production changes be verified as correct after deployment, not just before it. A 3-minute automated smoke test covering the critical user journey is the difference between a 5-minute rollback and a 45-minute incident.
Info because smoke tests are a post-deployment safety net rather than a preventive control — their absence extends time-to-detect when a deployment breaks production flows.
Add automated post-deployment smoke tests using Playwright. Run them immediately after the production deployment step in CI/CD.
npm install --save-dev @playwright/test
// tests/smoke.spec.ts
import { test, expect } from '@playwright/test';
test('homepage loads', async ({ page }) => {
await page.goto(process.env.BASE_URL!);
await expect(page).toHaveTitle(/my app/i);
});
test('login flow completes', async ({ page }) => {
await page.goto(`${process.env.BASE_URL}/login`);
await page.fill('[name=email]', process.env.SMOKE_TEST_EMAIL!);
await page.fill('[name=password]', process.env.SMOKE_TEST_PASSWORD!);
await page.click('[type=submit]');
await expect(page).toHaveURL(/\/dashboard/);
});
# .github/workflows/deploy.yml
- name: Deploy to production
run: npm run deploy:prod
- name: Run smoke tests
run: npx playwright test tests/smoke.spec.ts
env:
BASE_URL: https://your-app.com
SMOKE_TEST_EMAIL: ${{ secrets.SMOKE_TEST_EMAIL }}
SMOKE_TEST_PASSWORD: ${{ secrets.SMOKE_TEST_PASSWORD }}
ID: deployment-readiness.environment-configuration.smoke-tests
Severity: info
What to look for: Enumerate every relevant item. Look for post-deployment test scripts in CI/CD workflow (typically after deployment step). Check for documented smoke test procedures in README or DEPLOYMENT.md. Smoke tests should verify key user flows: login, core features, payment processing (if applicable).
Pass criteria: Smoke tests are automated in the CI/CD pipeline after production deployment, OR documented and regularly executed. Tests verify critical user flows.
Fail criteria: No smoke tests found, or tests exist but are not automated or documented.
Skip (N/A) when: The project is API-only with no user flows.
Detail on fail: "No smoke tests found after deployment step in CI/CD pipeline." or "Smoke test runbook exists but is not automated."
Remediation: Add automated smoke tests. For Next.js with Playwright:
npm install --save-dev @playwright/test
Create tests/smoke.spec.ts:
import { test, expect } from '@playwright/test';
test.describe('Smoke Tests', () => {
test('homepage loads and login visible', async ({ page }) => {
await page.goto('https://your-app.com');
await expect(page.locator('text=Login')).toBeVisible();
});
test('user can login', async ({ page }) => {
await page.goto('https://your-app.com/login');
await page.fill('input[name=email]', 'test@example.com');
await page.fill('input[name=password]', 'password');
await page.click('button[type=submit]');
await expect(page).toHaveURL(/.*dashboard/);
});
});
Then add to CI/CD after deployment:
# .github/workflows/deploy.yml
- name: Deploy to production
run: npm run deploy:prod
- name: Smoke tests
run: npx playwright test tests/smoke.spec.ts