code-freeze
What Is a Code Freeze? A Practical Guide for Engineering Teams
A code freeze temporarily halts merges and deployments during high-risk windows. Here is what it is, when to use one, and how to run it without blocking your team.
A code freeze is a planned period during which a team stops merging code or deploying changes to production, usually to protect a system during a window of elevated risk. It is not a punishment or a sign that something is broken. It is a deliberate trade: you give up shipping speed for a few hours or days in exchange for stability when the cost of an incident is highest.
If you have ever been told "no deploys until after the holidays" or watched a release manager lock main the night before a big launch, you have lived through a code freeze. This guide covers what a code freeze actually is, the different forms it takes, when calling one is worth it, and how to run one that protects production without grinding your whole engineering org to a halt.
What is a code freeze, exactly?
A code freeze restricts changes to a codebase or its deployed environments for a defined window. During the freeze, normal merges and deploys are paused. Only changes that meet a higher bar, typically critical bug fixes or incident response, are allowed through, and usually only with explicit approval.
Freezes come in a few flavors, and the words people use are often loose:
- Full code freeze. No merges to protected branches and no deployments, across every repository. The strictest option, used for company-wide events.
- Partial or scoped freeze. Only certain repositories, branches, or environments are frozen. For example, you freeze the payments service and the checkout frontend during a sale but leave internal tools open.
- Deployment freeze. Merging continues as normal, but nothing ships to production. Work keeps flowing into
main; it just queues up behind the freeze instead of going live. - Soft freeze. A social agreement ("please don't deploy on Friday") with no technical enforcement. Cheap to declare, easy to violate.
The distinction that matters most in practice is between a freeze you announce in Slack and a freeze that is actually enforced by your tooling. A soft freeze depends on everyone reading the message, remembering it at 6pm on a Friday, and choosing to comply. An enforced freeze fails the merge or blocks the deploy automatically, so a tired engineer cannot accidentally undo it.
Code freeze vs. change freeze vs. deployment freeze
These terms get used interchangeably, but they describe slightly different scopes.
| Term | What it stops | Typical use |
|---|---|---|
| Code freeze | Merges into protected branches (and often deploys too) | Holiday windows, major releases |
| Change freeze | Any production change, including config, infra, and feature flags | Compliance windows, audits, peak events |
| Deployment freeze | Releases to one or more environments; merging continues | Release trains, staged rollouts |
| Release freeze | Cutting or shipping new versions; development continues | Stabilizing a release candidate |
In casual conversation, "code freeze" is the umbrella term most engineers reach for. When you plan one, be explicit about which of these you actually mean, because "we're frozen" means very different things to a backend engineer, an SRE, and a release manager.
When should you call a code freeze?
Call a freeze when the cost of an outage during a specific window is much higher than the cost of pausing changes. The clearest cases:
- Peak business periods. Retail during Black Friday and the December holidays, tax software in early April, ticketing before a major on-sale. Revenue is concentrated and an outage is unusually expensive.
- Holiday and weekend coverage gaps. When half the team is offline, a bad deploy can sit broken for hours because the people who could fix it are unreachable. Many year-end freezes exist for this reason alone.
- Incident response. During an active incident, freezing unrelated changes keeps the variable count low so responders can reason about cause and effect.
- Major launches and migrations. A database migration, a large cutover, or a marketing-driven traffic spike. You want the system in a known-good state going in.
- Compliance and audit windows. Some regulated environments require demonstrable change control during certain periods, with an auditable record of what was and was not allowed.
A freeze is not free. It delays features, lets work pile up, and can create a risky surge of deploys the moment it lifts. Calling one for a low-stakes Tuesday is overkill. Reserve freezes for windows where the math genuinely favors stability over speed.
How long should a code freeze last?
As short as the risk window, and no longer. A freeze with no end date is the most common way teams accumulate resentment and a dangerous backlog. Tie the freeze to the event: a holiday freeze ends when on-call coverage returns, a launch freeze ends when the launch is verified stable.
If you find yourself extending a freeze repeatedly, that is a signal. Either the underlying risk is structural (your deploys are not safe enough to trust on a normal day) or the freeze has become a habit rather than a decision. Both are worth addressing directly instead of leaving the freeze on indefinitely.
How to run a code freeze without blocking your whole team
The difference between a freeze that protects production and one that just frustrates people comes down to six things.
1. Scope it as narrowly as the risk
Freeze the systems that are actually exposed, not the entire org out of habit. If the risk is in checkout, freeze checkout and its dependencies. Leave internal dashboards and unrelated services open so most of the team keeps moving.
2. Enforce it in tooling, not just in Slack
A freeze that relies on people remembering an announcement will be violated. Enforce it where changes actually happen: a required status check that fails on frozen branches, or a deployment protection rule that blocks releases to frozen environments. The enforcement should be impossible to forget and annoying to bypass by accident.
3. Define the emergency path before you need it
Production will break during some freezes. Decide in advance how a genuine emergency fix gets through: who can request an override, who approves it, and how it is recorded. An override that requires a second person's approval keeps the bar high while still letting you ship a critical fix in minutes.
4. Communicate the what, why, and when
Announce the scope (which repos and environments), the reason, the start and end times, and the override process. People comply with freezes they understand. "No deploys, figure it out" breeds workarounds.
5. Plan for the thaw
When a long freeze lifts, every held-back change wants to ship at once. That surge is its own risk. Stagger the backlog, deploy the highest-risk changes first while the team is fresh and watching, and avoid lifting a freeze right before everyone logs off.
6. Keep an audit trail
Record when the freeze started and ended, what was blocked, and every override and who approved it. You will want this for the postmortem if something goes wrong, and you may need it for compliance regardless.
Common code freeze mistakes
- Freezing everything when only one service is at risk. Maximum disruption for minimal extra safety.
- Relying on a Slack message as the only enforcement. It will be missed.
- No defined override path, so the first real emergency turns into a scramble to find someone with admin rights.
- No end date, so the freeze quietly becomes permanent and the backlog becomes a wall.
- Lifting the freeze with no plan, triggering a chaotic flood of deploys.
- Not recording anything, so the postmortem and the auditor both come up empty.
How NoShip handles code freezes
NoShip is a GitHub App built specifically for running freezes the right way. It blocks merges through required status checks and blocks deployments through GitHub deployment protection rules, so a freeze is enforced automatically rather than by reminder. You can scope a freeze to specific repositories, branches, or environments, schedule recurring freezes (such as every December or every Friday afternoon) with RRULE-based rules, and capture emergency overrides behind a dual-approval workflow. Every action lands in an audit trail. NoShip requests no access to your source code, so it can govern merges and deploys without ever reading what you ship.
If you want the deeper mechanics, the core concepts guide covers freeze windows, rules, scoping patterns, and overrides in detail.
A good freeze is quiet. It protects the window that matters, lets everyone else keep working, and lifts cleanly when the risk passes. Get the scope and enforcement right and a code freeze stops being the thing the team dreads and becomes a routine, boring safety control, which is exactly what it should be.