It depends. We run many projects, and for some, our deployment strategy looks similar to what @Innocent described. For some other projects, much older ones with a never-upgraded build/deployment procedure, we pick a deployment date. With the recently granted ISO 27001 security certificate, we now must document and deploy new releases a little bit differently. More eyes must see, and more hands must approve, which forbids fresh auto deployment from changes on master and instead requires an approval click on GitLab's CI instance. Luckily, not every project is classified as dealing with protected data.