CI/CD Pipeline Diagram Explained: From Commit to Production
CI/CD Pipeline Diagram Explained: From Commit to Production
Most CI/CD diagrams floating around the internet are useless: blue boxes connected by arrows, no information about what each step actually checks. This walkthrough fixes that. We will trace a single change β a developer fixes a typo in an API response β through every gate in a real production pipeline, naming the tools, the artifacts, and the failure modes at each step.
The Pipeline We Will Trace
The example is a Python FastAPI microservice deployed on Kubernetes. Source lives in GitHub, CI runs in GitHub Actions, container images go to GitHub Container Registry, manifests live in a separate config repo, and ArgoCD reconciles the cluster. This is the most common architecture we see across cloud-native engineering organisations in 2026.
The high-level flow has eight nodes:
- Developer pushes commit to a feature branch and opens a pull request
- CI workflow triggers on PR open β lint, type-check, unit tests
- Reviewer approves; PR merges to main
- Main-branch CI workflow runs β build container, run integration tests, scan image
- Image pushed to registry with immutable SHA tag
- CI bot opens a follow-up PR to the config repo, bumping the image tag
- Config-repo PR merges; ArgoCD detects the change
- ArgoCD reconciles the cluster, performs a canary rollout, and reports back
Stage 1: Source β Webhook from GitHub
The pipeline begins with a Git event. When the developer runs git push, GitHub fires a webhook to the GitHub Actions backend within 1-3 seconds. The webhook payload includes the commit SHA, branch, and event type (push, pull_request, etc.). This is the cheapest stage in the pipeline and the one with the lowest variance β Git event delivery is essentially free.
Failure modes here are rare but exist: webhook delivery delays during GitHub incidents, repository permission misconfiguration, or branch-protection rules that block the trigger. When pipelines feel "stuck" before they even start, this is usually where to look.
Need expert help with ci/cd pipeline diagram explained: from commit to production?
Our cloud architects can help you with ci/cd pipeline diagram explained: from commit to production β from strategy to implementation. Book a free 30-minute advisory call with no obligation.
Stage 2: Build β From Source to Immutable Artifact
The runner checks out the code, restores cached dependencies, and produces an artifact. For our Python service that means: pip install -r requirements.txt, then docker build. The output is a container image tagged with the commit SHA β never :latest, never a mutable tag, because immutability is the only way to guarantee that what you tested is what you deployed.
Build cache strategy is where teams get most of their wall-clock-time wins. A cold build of a typical Python service takes 4-6 minutes. With a warm dependency cache (BuildKit cache mounts, GitHub Actions cache action) the same build runs in 30-60 seconds. The investment in cache plumbing pays back inside the first month.
Stage 3: Test β Where Pipelines Live or Die
The longest stage in almost every real pipeline. Three test layers run in parallel where possible:
- Unit tests β fast (sub-2 minutes), no external dependencies, run on every commit
- Integration tests β slower (5-15 minutes), spin up dependencies in containers, run on PRs to main
- Contract tests β verify provider/consumer compatibility against pinned contract versions, run on schedule and on release branches
A pipeline that takes 25 minutes is not a pipeline; it is a daily inconvenience. The standard goals are: PR feedback in under 10 minutes, full main-branch validation in under 20. Hitting those numbers requires test parallelisation, hermetic test environments (testcontainers, ephemeral databases), and a ruthless quarantine policy for flaky tests.
Stage 4: Security and Quality Gates
Security gates run after tests pass. The four most common are:
- SAST (Semgrep, CodeQL) β scans source for vulnerable code patterns
- SCA (Snyk, Dependabot, Trivy) β scans dependencies and container layers for known CVEs
- Container scanning (Trivy, Grype) β scans the built image for OS-package vulnerabilities
- Policy gates (Open Policy Agent, Conftest) β enforces organisational rules (e.g., "no images may run as root")
The hard part here is calibrating severity thresholds. Failing the pipeline on every CRITICAL CVE is correct; failing it on every LOW CVE creates pipeline-fatigue and gets the gate disabled. Most mature teams fail builds on HIGH and CRITICAL with documented exceptions tracked in a vulnerability register.
Stage 5: Package and Publish
The validated image is signed (cosign, Sigstore) and pushed to the registry. The signature creates an audit-grade chain from the commit SHA through the test results to the deployed artifact β a control that is increasingly required for SLSA Level 3 attestations and EU Cyber Resilience Act compliance.
Stage 6 and 7: Manifest Update and ArgoCD Sync
This is where push-based CI hands off to pull-based CD. The CI workflow opens a small PR against the config repo, changing one line: the image tag. A reviewer (or, in lower environments, an auto-merge bot) merges it. ArgoCD, which polls or watches the config repo, detects the change within 30-60 seconds.
The architectural advantage of this handoff is that the cluster credentials never leave the cluster. CI doesn't need kubectl access to production. The only thing CI can do is open a PR. ArgoCD, running inside the cluster, has the credentials it needs to reconcile state. This is the security property that makes how Opsio delivers argocd gitops the dominant CD pattern on Kubernetes.
Stage 8: Reconcile β From Manifest to Running Pod
ArgoCD compares the new declared state to the live cluster state and starts a sync. With Argo Rollouts in place, the rollout proceeds as a canary: 5% of traffic for 5 minutes, then 25%, then 100%, with health checks at each step. If error rates spike or latency degrades, the rollout aborts and reverts. The full deployment, from PR-merge to 100% traffic, runs unattended in 15-25 minutes for a typical service.
How Opsio Helps
Opsio designs and operates the full pipeline shown above. Our Opsio's pipeline services cover GitHub Actions or GitLab CI for CI, image signing and policy gates, GitOps with ArgoCD, and progressive delivery with Argo Rollouts. Customers in regulated sectors also leverage our request an ISO certification readiness review evidence pack, which maps each pipeline gate to ISO 27001 Annex A controls so audit prep takes hours instead of weeks.
For hands-on delivery, see managed cloud adoption.
For hands-on delivery, see managed mlops services.
About the Author
CTO at Opsio
Technology leadership, cloud architecture, and digital transformation strategy
Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence β we recommend solutions based on technical merit, not commercial relationships.