Release management

Build once. Promote everywhere.

Same binary across every environment. crane copies at the registry level, digest verified after every promotion.

1 · Pipeline architecture

Forge uses a split pipeline. CI builds and pushes to Dev ECR. Classic Release handles promotion. Argo CD reconciles the cluster from the Ledger.

YAML CI pipeline

Version-controlled in Git (Conveyor repo). Builds, runs Trivy scans (filesystem + image), pushes to Dev ECR with an immutable Build.BuildId tag. No latest.

Classic Release

Azure DevOps UI (not in Git — accepted trade-off). Visual stage promotion: Dev → QA → Prod. One-click rollback. Approval gates per stage. Calls version-controlled scripts from conveyor/scripts/.

GIT

Argo CD · GitOps sync

Per-cluster Argo CD watches the Ledger. When the pipeline updates image.tag, Argo CD syncs automatically (dev/QA) or waits for manual sync (prod).

Component	Type	In Git?	Purpose
`application-ci-pipeline.yml`	YAML template	Yes	Build, Trivy scan, push to Dev ECR
Classic Release pipeline	ADO UI	No	Promote artifacts: Dev → QA → Prod
`copy-artifact.sh`	Script	Yes	Cross-account image copy via crane
`update-ledger.sh`	Script	Yes	Update image.tag in Ledger manifest
`ec2-deploy-pipeline.yml`	YAML template	Yes	EC2 deployment via SSM (Dagster, etc.)

2 · Promotion flow

Build

CI build

Developer pushes to main. Trivy filesystem scan → language build (.NET / Python) → Docker build → Trivy image scan → push to Dev ECR with tag Build.BuildId.

Dev · auto

Dev stage

Classic Release auto-triggers. Runs update-ledger.sh on the dev manifest. Argo CD syncs within 30 seconds.

QA · click-to-promote

QA stage

Runs copy-artifact.sh to copy the image from Dev ECR to QA ECR via crane (digest verified). Then update-ledger.sh on the QA manifest. Argo CD syncs.

Prod · manual + approval

Prod stage

Requires platform-engineer approval (no self-approve). Copies artifact to Prod ECR, updates Ledger. Argo CD does not auto-sync — engineer manually syncs after verification.

Same binary everywhere: the Docker image built once in CI is the exact binary that runs in all environments. crane copies at the registry level — no Docker daemon, no re-build. Digest is verified after every copy (SOC 2 compliant).

3 · Key policies

Immutable tags

Build.BuildId only. No latest. ECR repos configured with immutable tags. The CI template enforces this — no override.

No ECR auto-create

ECR repos are provisioned by the Platform team via Blueprint. Pipeline fails with a clear error pointing developers to #platform-support.

Ledger as source of truth

The Ledger contains Argo CD Application manifests for every service in every environment. Pipeline updates image.tag via update-ledger.sh with optimistic locking and retry.

OIDC authentication

No static credentials. Pipelines authenticate via OIDC to a hub role in security-tooling, then assume ConveyorDeployRole-<env> in the target account.

4 · Environment configuration

5 · EC2 deployments

Environment	CI trigger	Promotion	Approval	Argo CD sync
Dev	Push to main	Automatic	None	Auto
QA	—	Click-to-promote or auto	Optional (QA lead)	Auto
Prod-Wealth	—	Manual + approval	Required (no self-approve)	Manual only

EC2 services (e.g. Dagster) use ec2-deploy-pipeline.yml instead of Ledger / Argo CD:

EC2s are targeted by tag (e.g. forge:dagster-enabled=true). No SSH — all operations go through SSM.

6 · Rollback strategy

EKS services

Method	Speed	Use when
Classic Release: redeploy previous stage	Minutes	Standard rollback
Argo CD UI: click Rollback	Seconds	Emergency — prod has no auto-sync, stays rolled back
Ledger PR: revert `image.tag`	Minutes	Formalise the rollback in Git
`git revert` on Ledger	Minutes	Nuclear — revert an entire promotion