Streamline Multi‑Environment Docker Image Promotion with Flow Pipelines

Background and Goal

Effective management of container image artifacts is essential for fast, safe, and reliable software deployment. In a typical application development lifecycle, code moves through testing, pre‑release, and production environments, and the goal is to ensure that the image deployed to production is exactly the one that passed pre‑release validation (“what you ship is what you test”).

Typical Development Stages

Testing stage: Feature branches are built and deployed to a test environment via the pipeline.

Pre‑release stage: After testing, the feature branch is merged into master, a new image is built from the mainline, and the pre‑release environment is deployed for acceptance testing.

Production stage: Once the pre‑release image passes acceptance, the same image is promoted directly to production, guaranteeing consistency.

Practice 1 – Retrieve Images via Flow Pipeline Source

In this approach, the production pipeline references the pre‑release pipeline as its source.

Configure the pre‑release pipeline to build the image from the master branch, push it to the image registry, and deploy to the pre‑release environment.

After acceptance, manually confirm “verification passed”.

In the production pipeline, add a Flow pipeline source and select the pre‑release pipeline. By default the pipeline uses the last successful execution as the image version.

Use a Kubernetes image upgrade task (or similar) to deploy the selected image to production.

Run the production pipeline, selecting the last successful pre‑release version, confirm the manual approval, and let the deployment task pull the verified image.

Practice 2 – Retrieve Images via ACR Artifact Source

This method fetches the image directly from Alibaba Cloud Container Registry (ACR).

Configure the pre‑release pipeline to build the image from master and push it to ACR. The image tag can be set via an environment variable (e.g., R_VERSION).

After acceptance, confirm “verification passed”.

In the production pipeline, add an artifact source , select the ACR repository, and specify a default version.

Use a Kubernetes image upgrade task to deploy the selected ACR image. Both public and VPC‑internal addresses are supported.

During production execution, choose the desired image version, approve the manual checkpoint, and let the deployment task pull the specified image.

Optionally enable a version‑filter rule (e.g., only tags matching myapp‑V*) to prevent accidental selection of incorrect images.

Advanced Practice – Integrate ACR Image Scanning

To add security compliance, integrate an image‑scanning tool that automatically scans images before or after they are pushed to ACR.

Configure the pre‑release CI pipeline to build the image and push it to ACR.

Configure the pre‑release CD pipeline with an ACR artifact source and enable artifact‑source trigger for the event Image Scan Completed .

In the ACR console, create an event‑notification rule that triggers on Image Scan Completed (or Image Push Completed ) and optionally filter by a regular‑expression tag pattern.

Set the notification method to HTTP and provide the generated webhook URL to the Flow pipeline.

When the CI pipeline pushes the image, ACR automatically scans it; upon successful scan, the webhook triggers the pre‑release CD pipeline, which deploys the image for validation.

Key Takeaways

By linking pipelines through Flow sources or ACR artifact sources, teams can ensure that only images verified in pre‑release are promoted to production, while the optional scanning step adds a layer of security compliance.