@alileza
Created September 24, 2025 17:54

🐎 Going Cowboy

Definition

Going cowboy is when engineers bypass established processes, guardrails, or compliance gates to push code or infrastructure changes directly — often under pressure, urgency, or just to "get it done."

While it might seem faster in the moment, in a regulated environment (like finance) this creates high risk, including:

  • ❌ Bypassing required reviews (e.g., four-eyes principle).
  • ❌ Skipping compliance or audit checks.
  • ❌ Creating blind spots for regulators and security teams.
  • ❌ Potential fines or legal consequences if untracked changes are discovered.

βš”οΈ Platform Team as the Shield

The Platform Engineering team acts as the frontline shield protecting the company:

  • 🛑 Intercepts cowboy moves before they hit production.
  • 🛑 Automates compliance enforcement (GitHub rulesets, PR checks, Terraform policies).
  • 🛑 Provides visibility and creates an auditable trail for every change.
  • 🛑 Absorbs compliance overhead so product engineers can focus on shipping features — safely.

Goal: Developers feel like they’re moving fast and free, while Platform ensures
they can’t break the law (or the infrastructure).


🚨 Example Scenario: Cowboy PR vs. Shield

The Cowboy PR:

  • Developer pushes a hotfix directly to main to fix a critical bug before market open.
  • Skips approvals and process steps.
  • Commit message:
    fix stuff real quick
    

Risks:

  • ❗ Violates four-eyes principle.
  • ❗ Missing incident/Jira references → audit gap.
  • ❗ Potential regulatory violation → fines or investigation.

The Shield Response:

  • GitHub workflow blocks the direct merge automatically.

  • Bot leaves a clear, actionable comment:

    ❌ "Merge blocked: Missing approval and incident reference.
    Please link Jira ticket and ensure four-eyes review is completed."

  • Terraform policies or deployment pipeline reject non-compliant changes.

  • Every attempt is logged for audits, for example:

    [2025-09-24 18:42:03] User=dev_a attempted merge to main
    → Blocked by rule: four-eyes-principle
    → Missing metadata: incident_id
    
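The Shield Response above as a runnable policy check, added here as an example (not code from this gist): it evaluates a merge attempt against the four-eyes rule and the incident-reference requirement, produces the bot comment, and emits an audit record in the format shown. The PullRequest fields, the protected-branch set, the ticket-key regex and the "Allowed" audit line are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed PR metadata; a real GitHub Actions check would read it from the pull_request event payload (assumption).
@dataclass
class PullRequest:
    author: str
    target_branch: str
    commit_message: str
    approvers: list = field(default_factory=list)  # logins of approving reviewers

@dataclass
class Decision:
    allowed: bool = True
    rules: list = field(default_factory=list)    # violated rule names
    missing: list = field(default_factory=list)  # missing metadata keys

PROTECTED_BRANCHES = {"main"}
TICKET_REF = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")  # e.g. INC-1234 (assumed key format)

def evaluate(pr: PullRequest, min_reviewers: int = 1) -> Decision:
    """Apply the shield rules to a merge attempt against a protected branch."""
    d = Decision()
    if pr.target_branch not in PROTECTED_BRANCHES:
        return d
    # Four-eyes: an approval from someone other than the author (no self-approval).
    if len({a for a in pr.approvers if a != pr.author}) < min_reviewers:
        d.rules.append("four-eyes-principle")
    # Audit linkage: the commit message must reference an incident/Jira ticket.
    if not TICKET_REF.search(pr.commit_message):
        d.missing.append("incident_id")
    d.allowed = not d.rules and not d.missing
    return d

def bot_comment(d: Decision) -> str:
    """Actionable comment the bot posts on a blocked PR (empty if allowed)."""
    if d.allowed:
        return ""
    problems = []
    if "four-eyes-principle" in d.rules: problems.append("approval")
    if "incident_id" in d.missing: problems.append("incident reference")
    return ("Merge blocked: Missing " + " and ".join(problems) +
            ". Please link Jira ticket and ensure four-eyes review is completed.")

def audit_log(pr: PullRequest, d: Decision, timestamp: str) -> str:
    """One audit record per merge attempt, allowed or not."""
    lines = [f"[{timestamp}] User={pr.author} attempted merge to {pr.target_branch}"]
    lines += [f"→ Blocked by rule: {r}" for r in d.rules]
    lines += [f"→ Missing metadata: {m}" for m in d.missing]
    return "\n".join(lines + (["→ Allowed: all checks passed"] if d.allowed else []))
```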

🌡 Cowboy vs Shield – Flow Diagram

@startuml
skinparam style strictuml
skinparam packageStyle rectangle

actor Developer as Dev
actor Regulator as Reg

rectangle "Platform Shield" {
  [GitHub Ruleset] as GH
  [CI/CD Pipeline] as CI
  [Terraform Policies] as TF
}

Dev -> GH : Open Cowboy PR
GH --> Dev : ❌ Blocked - Missing Approval
Dev -> GH : Adds Jira ID
GH -> CI : ✅ Pass Checks
CI -> TF : Apply Infrastructure
TF --> CI : ✅ Approved
CI -> Dev : 🚀 Deployed

Reg -> GH : Audit Logs Request
GH --> Reg : Audit Trail Export
@enduml

💬 Summary

Going Cowboy: "Move fast and break laws."
The Shield: "Move fast, stay safe, stay compliant."
