OrchStep for mid-market companies
Enough teams that consistency matters, not so many that you have a platform org. Here's how OrchStep encodes a golden path every team can follow — with the checks, rollback, and audit trail built in.
Mid-market is the awkward middle. You have enough teams that every one doing things its own way is a real cost, but not enough scale to fund a platform org that hands down paved roads. Each squad has its own pipeline, its own pre-deploy checklist, its own idea of what "done" means. When something breaks, the first ten minutes go to figuring out how this particular team even deploys.
What you want at this stage is a golden path: one workflow that bakes in the checks everyone is supposed to run, the rollback nobody remembers under pressure, and the audit record compliance keeps asking for — packaged so a team adopts it by copying a file, not reading a wiki. That's a sweet spot for OrchStep, because the golden path is just an orchstep.yml a team can read, run locally, and run in CI unchanged.
What automation looks like at this stage
The checks already exist somewhere — lint, tests, a SAST scan, a license scan — but they're scattered across each team's pipeline config, applied inconsistently. The mid-market move is to lift those into a single workflow that iterates over the required checks, then builds, deploys, and always records the outcome. Make the safe path the easy path, and teams take it because it's less work than their bespoke script.
A golden-path pipeline
The required checks are a list, so adding a new mandatory gate is a one-line change that every team inherits. The deploy carries its own catch: rollback and a finally: that records to the audit log whether the deploy succeeded or failed — the part teams forget exactly when it matters most.
name: goldenpath
defaults:
service: payments
tier: standard
checks:
- lint
- test
- sast
- license-scan
tasks:
# orchstep run pipeline --var service=billing
pipeline:
steps:
- name: gate
func: shell
do: echo "running {{ loop.item }} for {{ vars.service }}"
loop:
items: '{{ vars.checks }}' # every team runs the same checklist
- name: build
func: shell
do: echo "building {{ vars.service }} ({{ vars.tier }} tier)"
- name: deploy
func: shell
do: echo "deploying {{ vars.service }} via golden path"
catch:
- name: rollback
func: shell
do: echo "rolling back {{ vars.service }}"
finally:
- name: record
func: shell
do: echo "recorded deploy of {{ vars.service }} to audit log"A team adopts this by setting one variable:
orchstep run pipeline --var service=billingThe checklist runs in full because it's a loop over a shared list, not four steps a team can quietly delete. The rollback is structural — a catch: block, not a || someone forgot. And the finally: audit step runs on success and failure, so the record compliance wants exists no matter how the deploy ended.
Governance without a platform team
The reason this works mid-market is that the golden path is legible. When a new check becomes mandatory, you add one line to checks: and every team that uses the workflow inherits it. When an auditor asks "how do you know every deploy ran the license scan," the answer is a file in version control and a dry-run that proves it:
orchstep run pipeline --var service=billing --dry-runThat printed plan — every check, the rollback, the audit record — is a control you can show, not a policy you hope teams follow.
What you gained
| Concern | Per-team pipelines | One golden path |
|---|---|---|
| Required checks | scattered, inconsistent | one shared checks: list |
| Adding a mandatory gate | edit every team's config | one line, inherited everywhere |
| Rollback under pressure | forgotten | catch: block, always present |
| Audit record | manual, sometimes | finally: runs on pass or fail |
| Onboarding a team | read a runbook wiki | set one --var, run the task |
| Proving compliance | screenshots and trust | --dry-run prints the controls |
Where OrchStep is not the answer
If you already run an internal developer platform — Backstage with scaffolded pipelines, a real golden-path service — keep it; OrchStep isn't a replacement for that investment. Its fit is the stage before you can fund one, or the layer underneath it: the concrete, runnable workflow the platform hands teams. And if your compliance needs signed, immutable evidence rather than a log line, treat the audit step here as the hook, not the system of record. Be clear about which you have.
Where to go next
- Loops — iterate over a shared list of checks
- Error Handling — catch, finally, and rollback
- Variables & Outputs — per-service overrides
- Previewing with Dry Run — show the controls before running
One golden path, every team. Encode the checks once and let teams adopt them with a single --var.
curl -fsSL https://orchstep.dev/install.sh | sh