Is certbot certonly --renew-with-new-domains executing the hook-deploy scripts if the cert is renew

Oh, you are absolutely correct here. I checked out the relevant part of the code and it looks like the deploy hook only gets called if there’s no pre-existing lineage (defined by --cert-name) present. I’ll bring this issue up with the rest of the team, and we’ll decide if we should update our documentation or file an issue regarding this.

So the current behavior regardless of documentation is: If --cert-name is defined on the command line, and a certificate lineage with that name exists, deploy hooks do not get called. This is definitely unintended, and we’ll figure out the best way to fix the issue. Thanks everyone for digging into this!

5 Likes
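An added example, not part of the thread and not certbot's own code: a wrapper that notices when a command replaced the certificate of an already existing lineage and runs the deploy hook itself, covering the case described above. The function names, the `example.test` lineage and the hook script path are assumptions; the live directory layout is certbot's default.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names). Detects that an existing lineage
# received a new certificate and runs the deploy hook that was skipped.

# Print a change-detection value for the lineage's current certificate,
# or "none" when the lineage does not exist yet. cksum is used only to
# detect that the file changed, not as a security control.
lineage_id() {
  local cert="$1/cert.pem"
  if [ -e "$cert" ]; then
    cksum < "$cert"
  else
    echo none
  fi
}

# run_with_deploy_hook <live_dir> <hook> <command...>
# Runs <command...>. If the lineage existed before and its certificate
# changed, runs <hook> with RENEWED_LINEAGE set, the variable certbot
# passes to deploy hooks. RENEWED_DOMAINS is not set by this wrapper.
# Returns the command's status on failure, otherwise the hook's status
# (0 when no hook run was needed).
run_with_deploy_hook() {
  local live_dir="$1" hook="$2" before after
  shift 2
  before="$(lineage_id "$live_dir")"
  "$@" || return $?
  after="$(lineage_id "$live_dir")"
  if [ "$before" = none ]; then
    # New lineage: per the post, the deploy hook is called in this case.
    return 0
  fi
  if [ "$before" = "$after" ]; then
    # Certificate untouched: nothing was issued, nothing to deploy.
    return 0
  fi
  RENEWED_LINEAGE="$live_dir" "$hook"
}

# Usage (constructed names, shown as a comment so nothing runs on load):
# run_with_deploy_hook /etc/letsencrypt/live/example.test \
#   /etc/letsencrypt/renewal-hooks/deploy/reload.sh \
#   certbot certonly --cert-name example.test \
#     -d example.test -d www.example.test --renew-with-new-domains
```

Keep the hook idempotent, so that an extra invocation is harmless if certbot's behavior changes and it starts calling the hook on this path too.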