Faster, safer, and more compliant releases for regulated clients

Manual checks slowed down delivery

ROLLIN is a "small but mighty development agency," as Sam Rollin, CEO and Managing Director, puts it. Headquartered in Canada, with operations in Quebec, Halifax, and a small office in New York, the team specializes in building and maintaining digital platforms for government and healthcare, where precision, compliance, and security are essential.

Before integrating Upsun, ROLLIN relied heavily on manual deployment validation. Each release involved time-consuming checks for code quality, vulnerabilities, and accessibility compliance. These repetitive tasks slowed delivery and increased the risk of human error, especially on sensitive client projects where mistakes could have serious consequences.

They needed a lightweight, reliable pipeline that could:

• Consistently validate code quality for Drupal and PHP projects;
• Flag vulnerabilities before deployment;
• Identify accessibility issues early without delaying critical releases;
• Integrate cleanly with GitHub branches and Upsun environments.

Three-stage approach for faster, safer testing


Upsun integrates directly to their GitHub repository, deploying changes in code to dynamically generated environments. Developers could now test changes in realistic conditions, including live services, routing, and databases, before merging.

They set up a three-stage workflow in GitHub Action, each stage focuses on a specific aspect of software quality.

1. Code quality

• Coder (PHP CodeSniffer): Enforces Drupal and PHP coding standards using the Drupal Coder package
• PHPStan: Performs static analysis to catch type errors and regressions before they reach production

These automated checks run on every push to their develop, staging, and main branches, helping developers maintain consistent code quality while reducing review overhead.

2. Security

• Composer audit: Identifies vulnerable dependencies;
• OWASP Dependency-Check: Adds a configurable second layer of security scanning across packages.

The team runs both tools in sequence within the security stage. They also add an optional email notification that triggers workflow failure to alert the team.

3. Accessibility and compliance

• Pa11y: Runs headless via Puppeteer and Chrome to crawl the Upsun staging environment, reporting accessibility issues, contrast, ARIA labels, and form semantics.

Accessibility is vital to ROLLIN's public-sector clients. These reports provide immediate visibility without blocking deployments.

"The accessibility check won't stop the deployment,” Rollin explained. “But it gives us great visibility. It's good information for developers to know what can be improved.”

Connecting it all with Upsun


ROLLIN configured their GitHub repository so GitHub Actions run before any deployment to Upsun. Each project’s routing and services live in code, which keeps every environment reproducible and version controlled. 

When the Actions pipeline passes, the Upsun deployment runs independently of GitHub Actions. It targets the appropriate environment and generates a review URL for stakeholders. 

This clear separation gives the team reliable pre-deploy gates without coupling deployments to CI job state. As Sam Rollin put it: “That dynamic environment is really powerful. You can hand that URL to a client and show them tangible results.” This aligns with how Upsun fits into Git workflows: branch based reviews, live URLs, and production-like previews so teams can test changes in realistic conditions before merge.

Speed, safety, and repeatability


With Upsun embedded in the CI and CD flow, ROLLIN turned repetitive checks into a lightweight and reliable framework. Automated standards and audits reduce manual effort and lower the chance of human error. Developers get fast feedback on quality, security, and accessibility from GitHub Actions. Upsun review URLs improve collaboration and sign off. 

Consistent checks run on the branches that matter for releases, specifically develop, staging, and main in this workflow. The YAML based setup and open source tools make the pattern easy to reuse across new Drupal projects.

Scaling confidence and simplicity


ROLLIN continues to refine its workflow, adapting small variations for each client's use case while keeping the core workflow simple and dependable. 

Each successful deployment produces a live Upsun environment with a shareable URL for testing and client review. The team can iterate quickly without sacrificing quality. New Drupal projects start on the same foundation of automation, reliability, and trust. 

As Rollin summed up:
"Everything passes, it deploys automatically, that's where the magic comes in."