The trick is to be able to route users' traffic to different deployments. You can run two versions of your application concurrently and have a dial to progressively shift traffic to the new version; as soon as you notice anything wrong, you shift it back to the previous version, which wasn't stopped at all.
After 100% of the traffic is on the new version and there are no customer complaints for 1h, you can shut down the old version.
Google App Engine had all of this at least 5 or 6 years ago.
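A minimal sketch of the dial described above, as an added example that is not part of the original comment and not App Engine's API. The class name, step size, error threshold and evaluation interval are assumptions; the one-hour wait at 100% before retiring the old version follows the comment.

```python
import random


class Rollout:
    """Two versions run concurrently; `dial` is the share of traffic sent to the new one."""

    def __init__(self, step=0.25, max_error_rate=0.05, soak_seconds=3600):
        self.dial = 0.0                # 0.0 = all traffic on old, 1.0 = all on new
        self.step = step               # assumed increment per healthy window
        self.max_error_rate = max_error_rate  # assumed "something is wrong" signal
        self.soak_seconds = soak_seconds      # 1h at 100% before old is shut down
        self.full_since = None         # time at which the dial reached 1.0
        self.old_running = True        # old version stays up until retired

    def route(self, rng=random):
        """Pick the version that serves one request, weighted by the dial."""
        return "new" if rng.random() < self.dial else "old"

    def tick(self, now, new_error_rate, complaints=0):
        """Evaluate one monitoring window and return the action taken."""
        if not self.old_running:
            return "done"
        if new_error_rate > self.max_error_rate or complaints > 0:
            # Shifting back is instant because the old version was never stopped.
            self.dial, self.full_since = 0.0, None
            return "rollback"
        if self.dial < 1.0:
            self.dial = min(1.0, self.dial + self.step)
            if self.dial == 1.0:
                self.full_since = now
            return "shift"
        if now - self.full_since >= self.soak_seconds:
            self.old_running = False
            return "retire_old"
        return "soak"


def simulate(windows, interval=600):
    """Run a rollout over constructed (error_rate, complaints) windows."""
    rollout = Rollout()
    actions = [rollout.tick(i * interval, err, c) for i, (err, c) in enumerate(windows)]
    return rollout, actions


if __name__ == "__main__":
    # Constructed sample: a bad window at 50% traffic, then a clean rollout.
    sample = [(0.0, 0), (0.2, 0)] + [(0.0, 0)] * 11
    final, log = simulate(sample)
    print(log, final.dial, final.old_running)
```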