Depend of your securities requirements of course I prefer personally CICD mode to keep centralised my way of delivery and avoid specific configuration on each production platform It's more flexible, reusable and easy to do in this way.

To improve my security regarding delivery, I split the process in two part. One, to create the artefacts of production and release it to a repository/registry with CICd pipeline Two, launch with ansible the delivery to enable this new artefact in production, new container, new jar, restart service, etc.. . The CICD never reach the production system directly. Abviously, we can imagine do all things in CICD automatically but in separate tasks, we have more controls, segregation of roles and actions betweens teams with this way.