Skip to content
Latchkey

Deploying a Container Image to Production

Deploying is the easy part -- deploying the exact image you tested, with a way back, is the part that matters.

The final pipeline stage takes a tested, scanned, signed image and runs it in production. The goal is a deploy that is reproducible and reversible. This lesson covers deploying by digest, rolling out safely, and rolling back.

Deploy by immutable digest

Reference the image by @sha256: digest, not a moving tag. The digest guarantees the running container is byte-for-byte the artifact that passed your pipeline, so a redeploy can never silently pull something different.

Roll out gradually with health checks

  • Use rolling or canary deploys so a bad image affects only a fraction of traffic first.
  • Define readiness and liveness checks so the platform only shifts traffic to healthy containers.
  • Watch error rate and latency during rollout and halt on regression.
  • Keep the previous version running until the new one is verified healthy.

A Kubernetes example

Set the image by digest, then let the orchestrator roll it out and wait for the rollout to succeed.

Terminal
kubectl set image deployment/myapp \
  myapp=ghcr.io/acme/myapp@${DIGEST}
kubectl rollout status deployment/myapp --timeout=120s

Always have a rollback

Because deploys reference immutable digests, rollback is just deploying the previous digest. Record the last known-good digest before each deploy so reverting is one command, not an investigation.

Key takeaways

  • Deploy by immutable digest so production runs exactly what passed the pipeline.
  • Roll out gradually with health checks and halt on regression.
  • Rollback is redeploying the previous digest -- record the last known-good one every time.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →