Beyond Migration: How We Engineered a Secure & Intelligent Delivery Platform with Harness CICD
February 19, 2026·4 min read

Tags: devsecops, harness, architecture, devops, cicd

Our Harness migration became the turning point — not because of the tool, but because of the architecture we built around it.

TABLE OF CONTENTS

  1. Introduction
  2. Executive Outcomes
  3. Phase 1 — Redesigning Identity
  4. Phase 2 — Delegate Architecture Redesign
  5. Phase 3 — Deterministic Execution
  6. Phase 4 — Governance as Code
  7. Phase 5 — Immutable Artifact Lifecycle
  8. Phase 6 — Progressive Delivery and Feature Flags
  9. Capabilities Most Teams Never Operationalize
  10. Migration vs Modernization
  11. Conclusion

Introduction:

Most organizations treat CI/CD migration as a tooling upgrade.

Replace Jenkins, TeamCity, GitHub Actions, etc.
Adopt Harness.
Recreate pipelines.
But migration only upgrades tools.
Modernization upgrades architecture.

When we moved to Harness, I knew that simply shifting pipelines would not reduce risk, improve reliability, or strengthen governance. Carrying forward our existing trust and execution model would only scale our weaknesses.

So instead of treating this as a CI/CD replacement, we approached it as Secure Delivery Platform Engineering — redesigning identity, governance, execution boundaries, artifact flow, and reliability as first‑class platform concerns.

CI/CD is not automation.

It is a privileged control plane.
If engineered casually, it scales risk.
If engineered intentionally, it scales safety and velocity.

🔎 Executive Results

  • 🔐 100% removal of static cloud credentials — 37 IAM keys eliminated with OIDC
  • 📉 ~40% reduction in pipeline inconsistencies through deterministic execution
  • 🚫 Zero unapproved production deployments after policy‑as‑code enforcement
  • ~30% throughput improvement with delegate segmentation + scaling
  • 🛡 ~50% reduction in deployment‑related risk using feature flags & progressive delivery
  • 📦 100% artifact traceability via build‑once, promote‑everywhere
  • 📊 Stronger audit posture and reduced governance review overhead

These were not cosmetic improvements.
They were architectural corrections.

Phase 1 — Redesigning Identity, Not Just Pipelines

Our first challenge: credential sprawl.

  • 37 static IAM access keys across pipelines
  • Shared service accounts
  • Cross‑environment permissions

We replaced static credentials with OIDC‑based role assumption:

  • Pipelines assumed short‑lived scoped roles
  • Environment‑specific access
  • Long‑lived secrets eliminated

Impact:

  • Entire category of credential leakage risk removed
  • 90% reduction in credential rotation
  • Stronger audit traceability

CI/CD became identity‑aware execution infrastructure.
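The scoping described in this phase comes down to what a role's trust policy checks on the token a pipeline run presents: issuer, audience, expiry, and a subject that names the environment. The following added example (not Harness's or AWS's code) models that evaluation in Python; the `sub` claim layout, the role ARNs, the issuer and the audience are all constructed for the illustration.

```python
"""Added illustration of OIDC-based, environment-scoped role assumption.
Not Harness's or AWS's code: the `sub` claim layout, the role names and
the issuer/audience values are constructed for this example."""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustPolicy:
    """Minimal model of an IAM-style trust policy condition block."""
    role: str
    issuer: str                 # StringEquals on the `iss` claim
    audience: str               # StringEquals on the `aud` claim
    subject_patterns: tuple     # StringLike (glob) on the `sub` claim


def can_assume(claims: dict, policy: TrustPolicy, now: int) -> tuple:
    """Return (allowed, reason) for one token against one role's trust policy."""
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("iss") != policy.issuer:
        return False, "issuer mismatch"
    if claims.get("aud") != policy.audience:
        return False, "audience mismatch"
    sub = claims.get("sub", "")
    if not any(fnmatch.fnmatchcase(sub, pat) for pat in policy.subject_patterns):
        return False, f"subject {sub!r} is not trusted by {policy.role}"
    return True, f"{sub} may assume {policy.role}"


def assumable_roles(claims: dict, policies: list, now: int) -> list:
    """Every role a token can assume. With environment-scoped subjects this
    is normally exactly one role, which is the point of the design."""
    return [p.role for p in policies if can_assume(claims, p, now)[0]]


# Constructed trust policies: one role per environment, each trusting only
# subjects whose path ends in that environment.
ISSUER = "https://oidc.ci.example.test"        # hypothetical issuer
AUDIENCE = "sts.example.test"                  # hypothetical audience
POLICIES = [
    TrustPolicy("arn:example:role/ci-deploy-dev", ISSUER, AUDIENCE,
                ("org/acme/project/*/env/dev",)),
    TrustPolicy("arn:example:role/ci-deploy-prod", ISSUER, AUDIENCE,
                ("org/acme/project/*/env/prod",)),
]

# Constructed token claims, as a pipeline run targeting prod would present them.
PROD_RUN_CLAIMS = {
    "iss": ISSUER,
    "aud": AUDIENCE,
    "sub": "org/acme/project/payments/env/prod",
    "exp": 1_700_000_900,
}

if __name__ == "__main__":
    now = 1_700_000_000
    for policy in POLICIES:
        print(policy.role, can_assume(PROD_RUN_CLAIMS, policy, now))
    print("assumable:", assumable_roles(PROD_RUN_CLAIMS, POLICIES, now))
```

The useful property to notice is that the same token is rejected by the dev role and accepted only by the prod role, and that a token whose `exp` has passed is rejected everywhere; there is no long-lived secret anywhere in the exchange to rotate or leak.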

Phase 2 — Treating Delegates as Privileged Control Plane Infrastructure

Delegates perform:

  • Infrastructure provisioning
  • Cluster operations
  • Secret access
  • Production deployments

They are not background agents.
They are privileged systems.

We redesigned delegate architecture:

  • Dedicated delegate groups per environment
  • Enforced delegate selectors in pipelines
  • Production delegates placed in private subnets
  • Restricted outbound egress

Impact:

  • Reduced cross‑environment execution risk
  • Contained blast radius
  • Clear execution boundaries

Trust became intentional, not shared.

Phase 3 — Deterministic Execution Using Containerized Toolchains

Instead of manual tool installation on delegates, we built versioned CI images containing:

  • Terraform, TFLint, Checkov
  • kubectl, Helm
  • AWS CLI, AZ CLI
  • OPA, Cosign
  • Internal validation scripts

Pipelines executed inside these containers.

Impact:

  • Zero delegate drift
  • ~40% fewer pipeline inconsistencies
  • Easy tool upgrades via image versioning

Tooling became deterministic and reproducible.

Phase 4 — Governance as Code, Not Process

Security guidance without enforcement is optional.

We enforced governance at platform level:

  • Organization‑level reusable templates
  • Mandatory scanning and validation steps
  • Policy‑as‑code enforcement (OPA)
  • Approval logic encoded in pipelines
  • Registry restrictions and disallowed “latest” tags

Impact:

  • Zero bypassed production governance
  • Standardized patterns across teams
  • Faster compliance cycles

Governance became automated, not manual.
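The rules listed above (approved registries, no "latest" tags, mandatory scan and validation steps, approval before production) are the kind of thing the post enforces with OPA. The following added example, which is not the post's Rego or Harness's own policy engine, expresses the same deny-rule semantics in Python so they can be run against a deployment request: an empty list of reasons means allow. Registry names, step identifiers and the sample requests are constructed.

```python
"""Added illustration of policy-as-code checks over a deployment request.
Written in Python rather than Rego; the registry names, step ids and
sample specs are constructed for this example."""

ALLOWED_REGISTRIES = {"registry.internal.example"}   # constructed
REQUIRED_STEPS = ("scan", "validate")                # constructed step ids
PROD_ENVIRONMENTS = {"prod"}


def parse_image_ref(ref: str) -> dict:
    """Split registry/repository[:tag][@sha256:...] into its parts.
    Follows the usual container reference rule: the first path component is
    a registry only if it looks like a host (contains '.' or ':' or is
    'localhost'); otherwise the public default registry is assumed."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", ref
    tag = None
    if ":" in repo:
        repo, tag = repo.rsplit(":", 1)
    return {"registry": registry, "repository": repo, "tag": tag, "digest": digest}


def evaluate_deploy(spec: dict) -> list:
    """Return the list of deny reasons, OPA-style: an empty list means allow."""
    deny = []
    image = parse_image_ref(spec["image"])
    if image["registry"] not in ALLOWED_REGISTRIES:
        deny.append(f"registry {image['registry']} is not approved")
    if image["tag"] == "latest" or (image["tag"] is None and image["digest"] is None):
        deny.append("image must be pinned to an explicit tag or digest, not 'latest'")
    steps = set(spec.get("steps", []))
    for step in REQUIRED_STEPS:
        if step not in steps:
            deny.append(f"mandatory step '{step}' is missing")
    if spec["environment"] in PROD_ENVIRONMENTS and "approval" not in steps:
        deny.append("production deployments require an approval step")
    return deny


# Constructed deployment requests: one compliant, one that breaks every rule.
GOOD_SPEC = {
    "environment": "prod",
    "image": "registry.internal.example/payments/api:1.4.2@sha256:0123abcd",
    "steps": ["scan", "validate", "approval", "deploy"],
}
BAD_SPEC = {
    "environment": "prod",
    "image": "payments/api:latest",
    "steps": ["deploy"],
}

if __name__ == "__main__":
    for name, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC)):
        print(name, evaluate_deploy(spec) or ["allow"])
```

Because the check returns every violated rule rather than stopping at the first, a team fixing a rejected pipeline sees the full list in one pass, which is what keeps compliance cycles short.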

Phase 5 — Immutable Artifact Lifecycle

We eliminated rebuild‑per‑environment patterns.

Instead:

  • Build once
  • Sign artifact
  • Promote Dev → QA → Prod
  • Verify signatures before deploy

Impact:

  • 100% artifact traceability
  • Less drift and fewer surprises
  • Strong rollback confidence

Production became a promotion environment, not a rebuild environment.
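The flow above (build once, sign, promote, verify before deploy) can be shown end to end in a few functions. The following added example is not Cosign, and not the post's pipeline: an HMAC over the content digest stands in for a real signature so that it runs with the standard library alone, and the key, artifact bytes and environment names are constructed. What it demonstrates is that promotion never changes the artifact's identity, that a deploy to an environment the artifact was never promoted to is refused, and that bytes which differ from what was signed fail verification.

```python
"""Added illustration of the build-once, sign, promote, verify lifecycle.
Not Cosign or Harness code: HMAC over the digest stands in for a real
signature; the key, content and environment names are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field

SIGNING_KEY = b"constructed-demo-key-not-for-real-use"
PROMOTION_ORDER = ("dev", "qa", "prod")


@dataclass
class Artifact:
    digest: str                 # identity: sha256 of the built bytes
    signature: str              # produced once, at build time
    promoted_to: list = field(default_factory=list)


def _digest(content: bytes) -> str:
    return "sha256:" + hashlib.sha256(content).hexdigest()


def build_once(content: bytes) -> Artifact:
    """The only place an artifact is produced and signed."""
    digest = _digest(content)
    sig = hmac.new(SIGNING_KEY, digest.encode(), "sha256").hexdigest()
    return Artifact(digest=digest, signature=sig, promoted_to=["dev"])


def verify(artifact: Artifact, content: bytes, key: bytes = SIGNING_KEY) -> bool:
    """Recompute the digest from the bytes actually being deployed and check
    the signature over it; both must hold."""
    digest = _digest(content)
    if not hmac.compare_digest(digest, artifact.digest):
        return False
    expected = hmac.new(key, digest.encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, artifact.signature)


def promote(artifact: Artifact, target: str) -> None:
    """Promotion only records the next environment; the digest never changes
    and environments cannot be skipped."""
    current = PROMOTION_ORDER.index(artifact.promoted_to[-1])
    if PROMOTION_ORDER.index(target) != current + 1:
        raise ValueError(f"cannot promote from {artifact.promoted_to[-1]} to {target}")
    artifact.promoted_to.append(target)


def deploy(artifact: Artifact, env: str, content: bytes) -> str:
    """Gate every deploy on promotion history and signature verification."""
    if env not in artifact.promoted_to:
        raise PermissionError(f"{artifact.digest} was never promoted to {env}")
    if not verify(artifact, content):
        raise PermissionError("digest or signature verification failed; refusing to deploy")
    return f"deployed {artifact.digest} to {env}"


if __name__ == "__main__":
    src = b"constructed build output v1"   # constructed artifact bytes
    art = build_once(src)
    promote(art, "qa")
    promote(art, "prod")
    print(deploy(art, "prod", src))
    print("tampered bytes verify:", verify(art, src + b"\x00"))
```

Note that `build_once` on the same bytes yields the same digest, so a rollback is simply a deploy of an earlier, already-verified digest rather than a fresh build whose contents might differ.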

Phase 6 — Progressive Delivery & Feature Flags

The biggest risk reduction came from feature flags:

  • Canary rollouts
  • Gradual traffic exposure
  • Instant rollback via flag toggle
  • Environment‑based flag policies

Impact:

  • ~50% reduction in deployment incidents
  • Faster mitigation
  • Higher deployment frequency with lower risk

Deployment and exposure were decoupled.
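Decoupling deployment from exposure rests on a small mechanism: a stable per-user bucket compared against an environment-specific rollout percentage, plus a kill switch that overrides everything. The following added example is not Harness Feature Flags code; the flag definition, environment names and bucketing scheme are constructed. It shows gradual exposure, instant rollback by toggling `enabled`, and the property that raising the percentage never turns the feature off for a user who already had it.

```python
"""Added illustration of flag-gated progressive exposure.
Not Harness Feature Flags code: flag definitions, environment names and
the bucketing scheme are constructed for this example."""
import hashlib


def bucket(flag_name: str, subject: str) -> int:
    """Stable bucket in 0..9999 so a subject keeps the same decision across
    requests, restarts and rollout increases."""
    h = hashlib.sha256(f"{flag_name}:{subject}".encode()).digest()
    return int.from_bytes(h[:4], "big") % 10_000


def is_enabled(flag: dict, env: str, subject: str) -> bool:
    """Evaluate one flag for one subject in one environment."""
    if not flag.get("enabled", False):                 # kill switch: instant rollback
        return False
    percent = flag.get("rollout", {}).get(env, 0)      # environment-based policy
    return bucket(flag["name"], subject) < percent * 100


def exposure(flag: dict, env: str, subjects) -> float:
    """Fraction of the given subjects that would see the feature in env."""
    subjects = list(subjects)
    on = sum(is_enabled(flag, env, s) for s in subjects)
    return on / len(subjects)


# Constructed flag: fully on in dev and qa, a 10% canary in prod.
NEW_CHECKOUT = {
    "name": "new-checkout",
    "enabled": True,
    "rollout": {"dev": 100, "qa": 100, "prod": 10},
}

if __name__ == "__main__":
    users = [f"user-{i}" for i in range(2000)]        # constructed population
    for env in ("dev", "qa", "prod"):
        print(env, round(exposure(NEW_CHECKOUT, env, users), 3))
    killed = dict(NEW_CHECKOUT, enabled=False)
    print("after kill switch:", exposure(killed, "prod", users))
```

The bucket is keyed on the flag name as well as the subject, so two flags rolled out to 10% reach different 10% slices of users rather than the same one, which keeps canary populations independent.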

Capabilities Most Teams Never Operationalize

Most teams adopt Harness.
Few operationalize its full platform capabilities.

Here’s what we embedded:

A. Git‑Based Pipeline Change Governance

  • PR‑based updates
  • No UI editing
  • Full traceability

Pipelines became infrastructure‑as‑code.

B. Monitoring‑Driven Automated Rollback

  • Canary vs baseline checks
  • Automated anomaly detection
  • Auto‑rollback triggers

Deployments became self‑validating.

C. Delegate Auto‑Scaling

  • Kubernetes‑based scaling
  • Elastic execution
  • Reduced idle costs

CI/CD became elastic infrastructure.

D. Error Budget–Aware Deployment Gating

  • SLO health checks
  • Deployment restrictions during instability

Delivery became reliability‑aware.

E. Chaos‑Validated Rollbacks

  • Rollback paths tested through chaos engineering

Resilience became provable.

F. Centralized Connector Governance

  • No team‑owned connectors
  • Centralized authentication patterns

Credential sprawl dropped significantly.

G. Developer Experience Uplift

  • Faster troubleshooting
  • Reusable templates
  • Safer experimentation
  • Predictable deployments

Developers gained safe autonomy.

Migration vs. Modernization

Migration moves pipelines.
Modernization redesigns the delivery platform.

Modernization means:

  • Identity redesign
  • Shared‑nothing execution boundaries
  • Governance as code
  • Deterministic toolchains
  • Immutable artifacts
  • Progressive delivery
  • Reliability‑aware deployment gates

Many organizations migrate.
Few modernize.

Conclusion:

Harness did not modernize our ecosystem.
Architectural intent did.

By redesigning identity, segmentation, deterministic execution, governance, artifact flow, and reliability, we transformed CI/CD from automation into a secure delivery platform.

CI/CD is not just a pipeline.
It is a privileged control plane.

When engineered deliberately, it becomes the foundation of safe, scalable, high‑trust delivery.

Tools don’t create maturity.
Architecture does.
Intent does.
Design does.

Harness was the canvas.
Secure Delivery Platform Engineering was the art.


Beyond Migration: How We Engineered a Secure & Intelligent Delivery Platform with Harness CICD was originally published in devsecops-community on Medium, where people are continuing the conversation by highlighting and responding to this story.

Sai Cherukuri