
Evolution and Practice of Vivo CICD Artifact Management in DevOps

This article details the evolution of Vivo's CICD artifact management across four stages, explains its core functions such as multi‑type support, unified storage, promotion, security scanning, aging, and permission control, and outlines future directions toward smarter, more integrated, and secure DevOps operations.

High Availability Architecture

Introduction

In DevOps, artifact management is essential for delivering high‑quality, reliable software quickly. This article introduces Vivo's CICD artifact management, describing its evolution and practical implementation to share experience and ideas.

Evolution Stages

Vivo CICD artifact management has progressed through four phases: manual management, script‑based management, Platform 1.0, and Platform 2.0. The manual stage required manual uploads and deployments; the script stage introduced automation via Jenkins and shell scripts; Platform 1.0 added a Jenkins‑Spinnaker based pipeline; and Platform 2.0 now provides version control, storage, promotion, and security features.

Advantages of Platform 2.0

The current platform supports multiple artifact types (Generic, Maven, NPM, PyPI, Docker, Helm), unified management, traceability, security scanning, reduced operational cost, and rapid multi‑region distribution.

Core Functions

1. Unified Artifact Management: Includes metadata management, unified storage, artifact generation, promotion, deployment, scanning, aging, and permission control.

2. Metadata Management: Tracks artifact name, version, type, size, source, author, description, aging status, etc., enabling full‑lifecycle visibility.

3. Unified Storage: Artifacts are stored according to their categories in appropriate storage back‑ends.

4. Artifact Generation: Artifacts can originate from manual upload, pipeline build, or external sources.

5. Artifact Promotion: Artifacts move through environments (development, testing, pre‑release, production) based on defined promotion rules and security checks.

6. Artifact Deployment: Supports three deployment modes: one‑click build‑deploy, selection from the artifact repository, and deployment via approved release tickets.

7. Security Scanning: Performs comprehensive vulnerability and compliance scans on source code, dependencies, files, and images, integrating results into artifact metadata for gating promotions.

8. Artifact Aging: Implements automated cleanup based on retention policies (e.g., 60 days for offline, 90 days for online artifacts) with whitelist and recovery mechanisms.

9. Permission Control: Enforces identity‑based access, project isolation, and fine‑grained artifact permissions to reduce security risks.
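
The gate described in items 5 and 7, where scan results stored in artifact metadata decide whether an artifact may be promoted, can be sketched as follows. This is an added example, not Vivo's platform code: the field names, the per‑environment severity limits, and the rule that a scan must match the artifact's digest are assumptions.

```python
from dataclasses import dataclass, field

# Promotion order taken from the article; everything else below is assumed.
ENVIRONMENTS = ["development", "testing", "pre-release", "production"]
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed policy: worst finding severity tolerated when entering each stage.
MAX_SEVERITY = {"testing": "high", "pre-release": "medium", "production": "low"}


@dataclass
class Artifact:
    name: str
    version: str
    sha256: str        # digest of the stored artifact bytes
    environment: str   # stage the artifact currently sits in
    scan: dict = field(default_factory=dict)  # scan result kept in metadata


def check_promotion(artifact, target):
    """Return (allowed, reason). Any missing or malformed data denies promotion."""
    if target not in ENVIRONMENTS or artifact.environment not in ENVIRONMENTS:
        return False, "unknown environment"
    if ENVIRONMENTS.index(target) != ENVIRONMENTS.index(artifact.environment) + 1:
        return False, "stages cannot be skipped"
    scan = artifact.scan
    if not scan:
        return False, "no scan result in metadata"
    # The scan must describe exactly the bytes being promoted, so a rebuilt
    # artifact cannot reuse the result of an earlier build.
    if scan.get("sha256") != artifact.sha256:
        return False, "scan result is for a different digest"
    worst = scan.get("worst_severity")
    if worst not in SEVERITY_RANK:
        return False, "scan result has no recognised severity"
    if SEVERITY_RANK[worst] > SEVERITY_RANK[MAX_SEVERITY[target]]:
        return False, f"{worst} findings exceed the limit for {target}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample record, not real platform data.
    digest = "a" * 64
    art = Artifact("demo-service", "1.4.2", digest, "testing",
                   {"sha256": digest, "worst_severity": "medium"})
    for env in ("pre-release", "production"):
        print(env, check_promotion(art, env))
```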

Dependency Management and Traceability

Artifacts and their dependencies are scanned and classified into safe or vulnerable knowledge bases, and they can be traced forward and backward to understand component evolution.

Conclusion and Outlook

Vivo's artifact management has become a mature platform that improves development efficiency and delivery quality and reduces operational costs. Future work will focus on intelligent analysis, tighter CI/CD integration, enhanced security scanning, and more standardized governance.
