Feature Flags for Gradual Rollout
Engineering

Feature Flags for Gradual Rollout: Ship the Code, Gate the Blast Radius

Deploy and release are different events. Feature flags let you ship code to production and enable it for 1% of users, then 10%, then everyone. Here's how Prismatic gates risky changes without branching hell.

Apr 09, 2026 Β· 6 min read Β· TomΓ‘Ε‘ Korcak (korczis)

β€œDeploy” and β€œrelease” used to be the same word. They should not be. Deploying code is moving bytes to a server. Releasing a feature is enabling it for users. Collapsing the two into one event means every risky change is an all-or-nothing gamble. Feature flags separate them, and the separation is where safe rollouts actually start.

#The shape of a flag check

defmodule PrismaticDD.Decision do
  def run(case_id) do
    if Flags.enabled?(:new_reconciliation_loop, user_id: current_user()) do
      NewReconciliation.run(case_id)
    else
      LegacyReconciliation.run(case_id)
    end
  end
end

Two code paths. Both fully tested. The flag picks which one runs per user. Flip the flag off and the rollback is instant β€” no redeploy, no revert PR.

#The four kinds of flag

Not all flags are the same, and mixing them is how flags become an unmanaged mess:

  1. Release flags. β€œIs this feature on?” β€” short-lived, deleted once the feature reaches 100%.
  2. Experiment flags. β€œWhich variant does this user see?” β€” lives for the experiment, then deleted.
  3. Ops flags. β€œIs the degraded-mode circuit tripped?” β€” long-lived, controlled by ops, not product.
  4. Permission flags. β€œDoes this tenant have access?” β€” long-lived, part of the access control model.

Only the first two should be temporary. The last two are not flags in the rollout sense β€” they are permission and control surfaces. Treating them as rollout flags is how they never get cleaned up.

#Gradual rollout strategies

  • Percentage β€” 1% β†’ 10% β†’ 50% β†’ 100% over days. Simplest. Fits most features.
  • Allowlist β€” specific user ids. Use for internal testers or a single partner who opted in.
  • Segment β€” tenants in the EU, or accounts created after date X. Use when the feature’s risk is correlated with a user property.

Every strategy needs telemetry on both the β€œflag on” and β€œflag off” paths so you can compare error rates, latency, and outcomes. A flag rollout without a side-by-side metric is superstition.

#The three-week rule

No flag lives longer than three weeks unless it is an ops or permission flag.

After three weeks, the flag is either at 100% (delete it + delete the old path) or it is at 0% (delete it + delete the new path). A flag left at 25% for six months is a liability β€” two code paths, both rotting, both claiming ownership. Kill them.

#Where to go next

Deploy is not release. Separate them, flag the risky changes, delete the flags on schedule, and bad rollouts stop being outages.

Share X LinkedIn HN
#feature-flag #rollout #deployment #patterns #elixir

Glossary

Continue reading

Browse all β†’
Engineering

Mix Releases for Zero-Surprise Deploys: What Ships Is What You Tested

A Mix release is a sealed artifact. Build it once, test it, ship the exact bytes to production. Here's the pipeline β€” and the three mistakes that make releases lie about what's running.

Apr 09, 2026 Β· 7 min read Β· TomΓ‘Ε‘ Korcak (korczis)
mix release deployment +2
Architecture

Configuration Management in a Large Elixir Umbrella

Managing configuration across a 94-app umbrella: compile-time vs runtime config, environment variables, application-specific settings, and avoiding common pitfalls.

Mar 24, 2026 Β· 9 min read Β· Tomas Korcak (korczis)
elixir configuration umbrella +2
Architecture

CI/CD Pipeline Architecture for a 94-App Umbrella

GitLab CI/CD pipeline design for the Prismatic Platform: multi-stage compilation, doctrine validation, deploy gates, artifact management, and production deployment.

Mar 16, 2026 Β· 9 min read Β· Tomas Korcak (korczis)
ci-cd gitlab deployment +2