Quick take: A build pipeline should produce an artifact once and promote it through environments. The artifact registry is the single source of truth for what can be deployed.
A team rebuilt their Docker image in every environment because each stage had its own build script. Images differed between staging and production, making debugging impossible. Moving to a single artifact registry with immutable tags meant the same image promoted from dev to prod, and rollbacks were just a tag change.
The problem it solves
Without a central artifact registry, teams rebuild, lose track of versions and deploy inconsistent binaries. A registry solves this by storing immutable artifacts and controlling how they move between environments.
Core concepts
| Concept | What it is |
|---|---|
| Artifact registry | A repository for Docker images, Helm charts, npm packages, etc. |
| Immutable tag | A tag that cannot be overwritten once pushed. |
| Promotion | Moving an artifact from one environment to another. |
| Vulnerability scan | Checking an artifact for known security issues. |
| Retention policy | Rules for deleting old artifacts. |
Architecture
How it works
The CI pipeline builds and publishes an artifact with a unique version. Staging and production pull the same artifact. Immutability guarantees that what was tested is what runs in production.
Tags like `latest` are dangerous because they change. Use semantic versions or build IDs instead.
Real-world scenario
The team’s registry workflow:
- CI builds a Docker image tagged with the Git commit SHA.
- The image is pushed to Artifact Registry.
- A vulnerability scan runs on the image.
- Staging deploys the image and runs tests.
- Production deploys the exact same image after approval.
- Retention policy deletes images older than 90 days.
Deploys became reproducible and debugging became easier.
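The promotion gate the scenario describes, as an added example that is not part of the original article: a reference is accepted only if it pins one build (a digest, a commit-SHA tag or a semver tag), the scan must have passed, each environment is reached only after the previous one, production needs an approval, and the deploy reference handed back is always `repo@sha256:...`. The simplified reference grammar `repo[:tag][@sha256:hex]`, the environment order and the registry name are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Tags that get rewritten over time: pulling them says nothing about which build you run.
MUTABLE_TAGS = {"latest", "stable", "main", "master", "dev"}
REF_RE = re.compile(r"^(?P<repo>[a-z0-9./_-]+)(?::(?P<tag>\w[\w.-]{0,127}))?"
                    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")
ENVIRONMENTS = ["dev", "staging", "production"]  # assumed promotion order

def parse_ref(ref):
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    return m.groupdict()

def is_immutable_ref(ref):
    """True if the reference pins one build: a digest, a commit-SHA tag or a semver tag."""
    p = parse_ref(ref)
    if p["digest"]:
        return True
    tag = p["tag"]
    if tag is None or tag in MUTABLE_TAGS:  # a missing tag means an implicit :latest
        return False
    return bool(re.fullmatch(r"[0-9a-f]{7,40}", tag) or re.fullmatch(r"v?\d+\.\d+\.\d+(-[\w.]+)?", tag))

@dataclass
class Artifact:
    ref: str            # tag the CI job pushed, e.g. registry.example/app:<commit sha>
    digest: str         # content digest the registry returned on push
    scan_passed: bool = False
    promoted_to: list = field(default_factory=list)

def check_promotion(art, env, approved=False):
    """Return why promotion to env is blocked, or '' when every gate passes."""
    if not is_immutable_ref(art.ref):
        return "mutable tag"
    if not art.scan_passed:
        return "vulnerability scan not passed"
    i = ENVIRONMENTS.index(env)
    if i > 0 and ENVIRONMENTS[i - 1] not in art.promoted_to:
        return f"not yet promoted to {ENVIRONMENTS[i - 1]}"
    if env == "production" and not approved:
        return "production requires approval"
    return ""

def promote(art, env, approved=False):
    # Record the promotion and return the digest-pinned reference the environment deploys.
    reason = check_promotion(art, env, approved)
    if reason:
        raise ValueError(f"cannot promote {art.ref} to {env}: {reason}")
    art.promoted_to.append(env)
    return f"{parse_ref(art.ref)['repo']}@{art.digest}"  # never deploy by tag
```

Because the same `Artifact` object carries the digest through every environment, a rollback is just re-deploying the digest reference an earlier promotion returned.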
Advantages
- Consistency across environments.
- Faster rollbacks to known-good artifacts.
- Security scanning before deployment.
- Reduced build time in downstream stages.
Disadvantages
- Storage costs can grow without retention policies.
- Registry access must be secured.
- Immutable tags require good version discipline.
When to use it (and when not)
Use an artifact registry for any CI/CD pipeline. Version every artifact and promote rather than rebuild.
Do not use `latest` tags in production. Do not store build artifacts in source control.
Best practices
- Use immutable tags and semantic versioning.
- Scan artifacts for vulnerabilities before promotion.
- Apply least-privilege access to registries.
- Set retention policies to control cost.
- Sign container images for supply-chain integrity.
The artifact registry is the handoff point between build and deploy. Treat it with care.