How to Enforce Policies Without Blocking Hotfixes
Source: Dev.to
The Nature of Hotfixes
- Urgent – production is already impacted.
- Small – the goal is to stop the bleeding, not redesign the system.
- High‑risk – they touch live systems under pressure.
- High‑impact – even a one‑line change can affect thousands or millions of users.
Many teams still apply the same rules to a large feature PR with weeks of context and a one‑line production fix at 2 AM during an incident. This mismatch creates friction and eventually policy violations.
The “Tag to Skip Checks” Anti‑Pattern
Most organizations feel this pain, leading to a common workaround: introducing manual tags such as skip-ci, emergency, or hotfix that disable required checks. These tags are often undocumented conventions known only to senior engineers.
On paper, this looks like speed. In practice, it’s silent policy erosion.
When skipping checks becomes normal:
- Accountability drops
- Audits become painful
- Security teams lose trust in CI signals
- “Emergency” becomes a habit, not an exception
The problem isn’t the desire for speed—it’s that tags remove guardrails instead of reshaping them.
Two‑Stage Pipeline Checks
Modern engineering systems rely on a Git‑based workflow where even hotfixes flow through Pull Requests (PRs) protected by required checks. To avoid blocking urgent fixes, many organizations split validation into two deliberate stages:
Pre‑merge Checks
Fast, lightweight checks that validate the change does not immediately break tests or violate basic policies.
Pre‑checkin
Once pre‑merge checks pass, developers can proceed with pre‑checkin. A successful pre‑checkin automatically merges the PR, removing manual delays while still ensuring every hotfix follows a controlled, auditable path.
In most companies, merging a change requires passing both Pre‑merge checks and Pre‑checkin checks. For hotfixes, pre‑merge checks can be made more reliable using Rulesets or branch protection rules.
What a Good Hotfix Ruleset Looks Like
- Pull request still required (no direct pushes)
- Fewer, faster required checks (unit, smoke, secret scanning)
- Approvals required, but limited to on‑call / release owners
- Force pushes still blocked
- Bypass allowed only to a very small group, and always logged