Deploying a Container Image to Production
Deploying is the easy part -- deploying the exact image you tested, with a way back, is the part that matters.
The final pipeline stage takes a tested, scanned, signed image and runs it in production. The goal is a deploy that is reproducible and reversible. This lesson covers deploying by digest, rolling out safely, and rolling back.
Deploy by immutable digest
Reference the image by @sha256: digest, not a moving tag. The digest guarantees the running container is byte-for-byte the artifact that passed your pipeline, so a redeploy can never silently pull something different.
Roll out gradually with health checks
- Use rolling or canary deploys so a bad image affects only a fraction of traffic first.
- Define readiness and liveness checks so the platform only shifts traffic to healthy containers.
- Watch error rate and latency during rollout and halt on regression.
- Keep the previous version running until the new one is verified healthy.
A Kubernetes example
Set the image by digest, then let the orchestrator roll it out and wait for the rollout to succeed.
kubectl set image deployment/myapp \
myapp=ghcr.io/acme/myapp@${DIGEST}
kubectl rollout status deployment/myapp --timeout=120sAlways have a rollback
Because deploys reference immutable digests, rollback is just deploying the previous digest. Record the last known-good digest before each deploy so reverting is one command, not an investigation.
Key takeaways
- Deploy by immutable digest so production runs exactly what passed the pipeline.
- Roll out gradually with health checks and halt on regression.
- Rollback is redeploying the previous digest -- record the last known-good one every time.