The app patching should be done as part of your standard CI/CD process, with appropriate control gates managed by humans at the Dev versus QA versus Prod environment interfaces. But that should really just be a button click, after human discussion has occurred and the appropriate level of consensus and approval is given.
Containers should be patched in a similar fashion. But the tooling might be somewhat different for containers versus apps.
You also need a CI/CD process to patch the OS on your servers, but again the tooling might be different for OS versus containers versus apps.
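As an added illustration (not from the original comment), here is one way to express those gates in a GitLab CI pipeline: the qa and prod jobs are manual with `allow_failure: false`, so the pipeline stops until an approver clicks play, while the app, container and OS tracks share that gate structure but run different tooling. Job names, script commands and environment names are assumptions.

```yaml
# Added example, not from the original comment. Three patch tracks (app,
# containers, OS) each move dev -> qa -> prod. The qa and prod jobs are
# manual: the pipeline stops and waits for a human to click "play" once
# the change has been discussed and approved. Script commands are placeholders.
stages: [dev, qa, prod]

# A gate is a manual job that blocks the following stage until someone runs it.
.gate:
  when: manual
  allow_failure: false   # without this, an unrun manual job would not hold up later stages

# Tooling differs per track; the gate structure is shared.
.app:
  script: ./deploy-app.sh "$CI_ENVIRONMENT_NAME"
.containers:
  script: ./rebuild-base-images-and-roll.sh "$CI_ENVIRONMENT_NAME"
.os:
  script: ansible-playbook -i "inventories/$CI_ENVIRONMENT_NAME" patch.yml

# dev: runs automatically on every patch commit
app-dev:         { extends: .app,        stage: dev, environment: dev }
containers-dev:  { extends: .containers, stage: dev, environment: dev }
os-dev:          { extends: .os,         stage: dev, environment: dev }

# qa: the Dev/QA gate; a human promotes after reviewing the dev results
app-qa:          { extends: [.app, .gate],        stage: qa, environment: qa }
containers-qa:   { extends: [.containers, .gate], stage: qa, environment: qa }
os-qa:           { extends: [.os, .gate],         stage: qa, environment: qa }

# prod: the QA/Prod gate. Mark "prod" as a protected environment in the
# project settings so only the designated approvers can run these jobs.
app-prod:        { extends: [.app, .gate],        stage: prod, environment: prod }
containers-prod: { extends: [.containers, .gate], stage: prod, environment: prod }
os-prod:         { extends: [.os, .gate],         stage: prod, environment: prod }
```

Because the stages run in order, a qa job cannot be played until every dev job has passed, and prod waits on qa in the same way.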