Build Once, Promote Everywhere (Artifacts)

Build once and promote the same artifact across environments to prevent drift and reduce release risk.

On this page

Build Once, Promote Everywhere

One immutable artifact per commit (image, zip, jar, etc.).
Promote by reference (digest/version), not by rebuilding.
Environment differences come from config, not code rebuilds.

Image Digest Promotion (Example)

# build and push
docker build -t registry.example.com/app:git-$SHA .
docker push registry.example.com/app:git-$SHA

# resolve digest
DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' registry.example.com/app:git-$SHA)
echo "$DIGEST" > artifact.ref

# deploy using digest (immutable)
# kubernetes manifest would reference: image: registry.example.com/app@sha256:...

Metadata You Must Store

commit SHA, build time, builder image, dependency lockfile hash
artifact digest, SBOM pointer, signatures/attestations

Failure Modes

Rebuild per environment → drift and heisenbugs.
Mutable tags (latest) → impossible incident forensics.

← CI Pipeline Architecture

Testing Strategy: unit→integration→e2e →