GitOps CI/CD Pipeline Integration

The Missing Piece: From Code to Production

I had GitOps working perfectly. ArgoCD watched my manifests repo and deployed changes automatically.

But there was a gap:

Developer pushes code → ??? → Manifests updated → ArgoCD deploys
                         ↑
                    Missing piece!

The questions:

How does the Docker image get built?
How does the image tag get updated in Git?
How do we test before deploying?
How do we promote dev → staging → production?

The answer: CI/CD pipeline integrated with GitOps.

The Complete GitOps Workflow

Flow:

Developer pushes code to app repo
CI builds Docker image
CI pushes image to registry
CI updates image tag in config repo ← Key step
ArgoCD detects config change
ArgoCD deploys new version

Repository Structure

Two repositories (separation of concerns):

Application Repository (Code)

my-app/ (github.com/mycompany/my-app)
├── src/
│   ├── index.ts
│   └── server.ts
├── Dockerfile
├── package.json
└── .github/
    └── workflows/
        └── ci.yaml  ← CI pipeline

Config Repository (Manifests)

my-app-config/ (github.com/mycompany/my-app-config)
├── base/
│   ├── deployment.yaml
│   └── service.yaml
└── overlays/
    ├── dev/
    │   └── kustomization.yaml
    ├── staging/
    │   └── kustomization.yaml
    └── production/
        └── kustomization.yaml

GitHub Actions CI Pipeline

Goal: Build image, push to registry, update config repo.

Complete CI Workflow

.github/workflows/ci.yaml:

name: CI Pipeline

on:
  push:
    branches:
      - main
      - develop
  pull_request:
    branches:
      - main

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    
    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: '20'
        cache: 'npm'
    
    - name: Install dependencies
      run: npm ci
    
    - name: Run tests
      run: npm test
    
    - name: Run lint
      run: npm run lint
  
  build-and-push:
    needs: test
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    permissions:
      contents: read
      packages: write
    
    outputs:
      image-tag: ${{ steps.meta.outputs.tags }}
      short-sha: ${{ steps.vars.outputs.short-sha }}
    
    steps:
    - uses: actions/checkout@v4
    
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3
    
    - name: Log in to Container Registry
      uses: docker/login-action@v3
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    
    - name: Extract metadata
      id: meta
      uses: docker/metadata-action@v5
      with:
        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
        tags: |
          type=ref,event=branch
          type=sha,prefix={{branch}}-
          type=semver,pattern={{version}}
    
    - name: Set short SHA
      id: vars
      run: echo "short-sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
    
    - name: Build and push Docker image
      uses: docker/build-push-action@v5
      with:
        context: .
        push: true
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: type=gha
        cache-to: type=gha,mode=max
  
  update-gitops-repo:
    needs: build-and-push
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    
    steps:
    - name: Checkout config repo
      uses: actions/checkout@v4
      with:
        repository: mycompany/my-app-config
        token: ${{ secrets.GITOPS_REPO_TOKEN }}
        path: config
    
    - name: Update image tag in dev overlay
      working-directory: config
      run: |
        cd overlays/dev
        # Update image tag using kustomize
        kustomize edit set image \
          ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main-${{ needs.build-and-push.outputs.short-sha }}
    
    - name: Commit and push changes
      working-directory: config
      run: |
        git config user.name "GitHub Actions"
        git config user.email "[email protected]"
        git add overlays/dev/kustomization.yaml
        git commit -m "Update dev image to main-${{ needs.build-and-push.outputs.short-sha }}"
        git push

What this does:

Run tests
Build Docker image
Push to GitHub Container Registry
Update config repo with new image tag
ArgoCD syncs automatically

Creating Personal Access Token

For GITOPS_REPO_TOKEN:

Go to GitHub Settings → Developer settings → Personal access tokens
Generate new token (classic)
Scopes: repo (full control)
Copy token
Add to app repo secrets: Settings → Secrets → Actions → GITOPS_REPO_TOKEN

Environment Promotion Workflow

Dev → Staging → Production

Strategy: Use Pull Requests for staging/production.

Workflow:

# After dev deployment succeeds
# Manually create PR to promote to staging

# 1. Create branch
git checkout -b promote-staging-v1.2.3

# 2. Update staging overlay
cd overlays/staging
kustomize edit set image myapp/api:v1.2.3

# 3. Commit
git commit -am "Promote v1.2.3 to staging"

# 4. Push and create PR
git push origin promote-staging-v1.2.3
# Create PR on GitHub

# 5. Review → Approve → Merge
# ArgoCD auto-syncs staging

Automated Promotion with GitHub Actions

.github/workflows/promote-staging.yaml (in config repo):

name: Promote to Staging

on:
  workflow_dispatch:
    inputs:
      image-tag:
        description: 'Image tag to promote'
        required: true

jobs:
  promote:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    
    - name: Update staging overlay
      run: |
        cd overlays/staging
        kustomize edit set image myapp/api:${{ github.event.inputs.image-tag }}
    
    - name: Create Pull Request
      uses: peter-evans/create-pull-request@v5
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: "Promote ${{ github.event.inputs.image-tag }} to staging"
        branch: promote-staging-${{ github.event.inputs.image-tag }}
        title: "Promote to staging: ${{ github.event.inputs.image-tag }}"
        body: |
          Promote image to staging environment
          
          Image: `${{ github.event.inputs.image-tag }}`
          
          Please review and approve.

Usage:

Go to Actions tab
Select "Promote to Staging"
Click "Run workflow"
Enter image tag
PR created automatically
Review → Merge → ArgoCD syncs

Image Promotion Patterns

Pattern 1: Manual Promotion (Safest)

# Dev: Auto-deploy on push
syncPolicy:
  automated:
    prune: true
    selfHeal: true

# Staging: Auto-sync after manual image update
syncPolicy:
  automated:
    prune: true
    selfHeal: true

# Production: Manual sync only
syncPolicy: {}  # No auto-sync

Process:

Dev: Auto-deployed
Staging: Create PR → Merge → Auto-synced
Production: Create PR → Merge → Manual sync via ArgoCD UI

Pattern 2: Approval-Based Auto-Promotion

Use GitHub Environments:

# .github/workflows/deploy-production.yaml
name: Deploy to Production

on:
  pull_request:
    paths:
    - 'overlays/production/**'
    types:
      - closed

jobs:
  deploy:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    environment:
      name: production  # Requires approval
      url: https://api.example.com
    
    steps:
    - name: Trigger ArgoCD sync
      run: |
        argocd app sync api-production --auth-token ${{ secrets.ARGOCD_TOKEN }}

Setup GitHub Environment:

Repo Settings → Environments → New environment: "production"
Add required reviewers
PR to production → Auto-triggers after approval

Pattern 3: Time-Based Auto-Promotion

# .github/workflows/scheduled-promotion.yaml
name: Scheduled Staging Promotion

on:
  schedule:
    - cron: '0 9 * * MON'  # Every Monday at 9 AM

jobs:
  promote:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    
    - name: Get latest dev image
      id: get-image
      run: |
        # Extract image from dev
        IMAGE=$(cd overlays/dev && kustomize edit view | grep newTag | awk '{print $2}')
        echo "image=$IMAGE" >> $GITHUB_OUTPUT
    
    - name: Update staging
      run: |
        cd overlays/staging
        kustomize edit set image myapp/api:${{ steps.get-image.outputs.image }}
    
    - name: Create PR
      uses: peter-evans/create-pull-request@v5
      with:
        title: "Automated staging promotion"
        body: "Weekly automated promotion to staging"

Rollback Strategy

Git-Based Rollback

# Rollback to previous commit
git revert HEAD
git push

# Or checkout previous version
git log overlays/production/kustomization.yaml
git checkout abc1234 overlays/production/kustomization.yaml
git commit -m "Rollback production to v1.2.2"
git push

# ArgoCD auto-syncs the rollback

ArgoCD UI Rollback

Open application
Click "History and Rollback"
Select previous sync
Click "Rollback"

Note: This doesn't update Git! You should still commit the rollback.

Automated Rollback on Test Failure

# Post-deployment test
apiVersion: batch/v1
kind: Job
metadata:
  name: post-deploy-test
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
  template:
    spec:
      containers:
      - name: test
        image: curlimages/curl
        command:
        - sh
        - -c
        - |
          # Test API
          if ! curl -f http://api-service/health; then
            echo "Health check failed!"
            exit 1
          fi
          
          # Test critical endpoint
          if ! curl -f http://api-service/api/users; then
            echo "Users endpoint failed!"
            exit 1
          fi
          
          echo "All tests passed!"
      restartPolicy: Never
  backoffLimit: 3

If test fails:

Sync fails
SyncFail hooks trigger
Alert sent to Slack
Manually rollback

Complete Example: Production Pipeline

App Repo CI

# my-app/.github/workflows/ci.yaml
name: Production CI/CD

on:
  push:
    branches: [main]
    tags: ['v*']

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version: '20'
    - run: npm ci
    - run: npm test
    - run: npm run lint
  
  build:
    needs: test
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    
    - uses: docker/setup-buildx-action@v3
    
    - uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    
    - id: meta
      uses: docker/metadata-action@v5
      with:
        images: ghcr.io/${{ github.repository }}
        tags: |
          type=ref,event=branch
          type=semver,pattern={{version}}
          type=sha
    
    - uses: docker/build-push-action@v5
      with:
        push: true
        tags: ${{ steps.meta.outputs.tags }}
        cache-from: type=gha
        cache-to: type=gha,mode=max
    
    outputs:
      tags: ${{ steps.meta.outputs.tags }}
  
  update-dev:
    needs: build
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
        repository: mycompany/my-app-config
        token: ${{ secrets.GITOPS_TOKEN }}
    
    - name: Update dev
      run: |
        cd overlays/dev
        kustomize edit set image ghcr.io/mycompany/my-app:sha-${GITHUB_SHA::7}
        git config user.name "CI Bot"
        git config user.email "[email protected]"
        git commit -am "Deploy ${GITHUB_SHA::7} to dev"
        git push
  
  create-staging-pr:
    needs: build
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
        repository: mycompany/my-app-config
        token: ${{ secrets.GITOPS_TOKEN }}
    
    - name: Update staging
      run: |
        VERSION=${GITHUB_REF#refs/tags/}
        cd overlays/staging
        kustomize edit set image ghcr.io/mycompany/my-app:$VERSION
    
    - uses: peter-evans/create-pull-request@v5
      with:
        token: ${{ secrets.GITOPS_TOKEN }}
        title: "Deploy ${{ github.ref_name }} to staging"
        body: |
          ## Staging Deployment
          
          Version: `${{ github.ref_name }}`
          Commit: ${{ github.sha }}
          
          ### Changes
          - Updated image tag to ${{ github.ref_name }}
          
          Please review and approve for staging deployment.
        branch: deploy-staging-${{ github.ref_name }}

Testing in CI/CD

Unit Tests

- name: Run unit tests
  run: npm test

- name: Coverage report
  run: npm run test:coverage

- name: Upload coverage
  uses: codecov/codecov-action@v3

Integration Tests

- name: Start dependencies (Docker Compose)
  run: docker compose up -d postgres redis

- name: Run integration tests
  run: npm run test:integration

- name: Cleanup
  run: docker compose down

E2E Tests (After Deployment)

# Post-deployment E2E tests
apiVersion: batch/v1
kind: Job
metadata:
  name: e2e-tests
  annotations:
    argocd.argoproj.io/hook: PostSync
spec:
  template:
    spec:
      containers:
      - name: e2e
        image: cypress/included:latest
        env:
        - name: CYPRESS_BASE_URL
          value: http://api-service
        command:
        - npx
        - cypress
        - run
      restartPolicy: Never

Key Takeaways

Separate app and config repos
- App repo: Source code, Dockerfile, CI
- Config repo: Kubernetes manifests, ArgoCD watches this
- CI updates config repo with new image tags
CI builds and updates manifests
- Build Docker image
- Push to registry
- Update image tag in Git
- ArgoCD syncs automatically
Use PRs for promotion
- Dev: Auto-deploy
- Staging: PR → Review → Merge → Auto-sync
- Production: PR → Review → Approve → Manual sync
- Full audit trail
Rollback via Git
- git revert or git checkout
- Commit rollback to Git
- ArgoCD syncs old version
- Declarative rollback
Test at every stage
- Unit tests in CI
- Integration tests in CI
- Post-deployment tests via ArgoCD hooks
- E2E tests after sync

In the final article, we'll cover GitOps best practices: secret management, disaster recovery, monitoring, troubleshooting, and production lessons learned.

Previous: Advanced ArgoCD Features Next: GitOps Best Practices and Production Lessons

PreviousAdvanced ArgoCD Features NextGitOps Best Practices and Production Lessons

Last updated 1 month ago

hashtagThe Missing Piece: From Code to Production

hashtagThe Complete GitOps Workflow

hashtagRepository Structure

hashtagApplication Repository (Code)

hashtagConfig Repository (Manifests)

hashtagGitHub Actions CI Pipeline

hashtagComplete CI Workflow

hashtagCreating Personal Access Token

hashtagEnvironment Promotion Workflow

hashtagDev → Staging → Production

hashtagAutomated Promotion with GitHub Actions

hashtagImage Promotion Patterns

hashtagPattern 1: Manual Promotion (Safest)

hashtagPattern 2: Approval-Based Auto-Promotion

hashtagPattern 3: Time-Based Auto-Promotion

hashtagRollback Strategy

hashtagGit-Based Rollback

hashtagArgoCD UI Rollback

hashtagAutomated Rollback on Test Failure

hashtagComplete Example: Production Pipeline

hashtagApp Repo CI

hashtagTesting in CI/CD

hashtagUnit Tests

hashtagIntegration Tests

hashtagE2E Tests (After Deployment)

hashtagKey Takeaways