
Container Build & Registry Strategy

Image philosophy

Each service is packaged as a separate Docker image:

  • API service,
  • Celery worker,
  • Airflow components,
  • auxiliary services.

Images are immutable once built.


Build process

  • images are built in CI using pinned dependencies,
  • build context is minimal,
  • no secrets are baked into images.

Dependency versions are derived from:

  • pdm.lock,
  • exported requirements-*.txt.


Registry

  • images are pushed to GitLab Container Registry,
  • access is restricted via scoped tokens,
  • image tags include commit or release identifiers.

Promotion model

  • the same image artifact is promoted across environments,
  • no rebuilds between staging and production.

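This ensures artifact integrity: the image that runs in production is the same artifact that was built in CI and exercised in staging.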
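One way to check the promotion rule mechanically, shown as an added example that is not part of this project's tooling: compare the image references each environment deploys and flag any that differ by digest or rely on a mutable tag. Pinning by `sha256` digest, the set of mutable tag names, and the registry host, path, tag and digests in the sample data are all assumptions made for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
MUTABLE_TAGS = {"latest", "staging", "production"}  # assumed naming, adjust to taste

class ImageRef(NamedTuple):
    repository: str
    tag: Optional[str]
    digest: Optional[str]

def parse_image_ref(ref: str) -> ImageRef:
    """Split 'registry[:port]/path[:tag][@digest]' into its parts."""
    name, _, digest = ref.partition("@")
    # A ':' separates the tag only when it follows the last '/';
    # before that it is the registry port.
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        return ImageRef(name[:colon], name[colon + 1:], digest or None)
    return ImageRef(name, None, digest or None)

def check_promotion(refs: Dict[str, str]) -> List[str]:
    """Return every violation of the 'promote the same artifact' rule."""
    parsed = {env: parse_image_ref(ref) for env, ref in refs.items()}
    problems = []
    for env, img in parsed.items():
        if img.digest is None:
            problems.append(f"{env}: not pinned by digest")
        elif not DIGEST_RE.match(img.digest):
            problems.append(f"{env}: malformed digest")
        if img.tag is None or img.tag in MUTABLE_TAGS:
            problems.append(f"{env}: tag missing or mutable")
    if len({img.repository for img in parsed.values()}) > 1:
        problems.append("environments use different repositories")
    if len({img.digest for img in parsed.values() if img.digest}) > 1:
        problems.append("digest differs between environments")
    return problems

# Constructed sample values (registry host, path, tag and digests are made up).
REPO = "registry.example.com:5050/group/project/api"
PROMOTED = {"staging": f"{REPO}:1a2b3c4d@sha256:{'a' * 64}",
            "production": f"{REPO}:1a2b3c4d@sha256:{'a' * 64}"}
REBUILT = dict(PROMOTED, production=f"{REPO}:1a2b3c4d@sha256:{'b' * 64}")

if __name__ == "__main__":
    for name, refs in (("promoted", PROMOTED), ("rebuilt", REBUILT)):
        print(name, check_promotion(refs) or "ok")
```

A differing digest under an identical tag is the signature of a rebuild or retag between environments, which is the case the promotion model rules out.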