Registry, Tags, and CI/CD
After we build an image, it needs somewhere to be stored and distributed — that is the registry, the trust boundary between the build step and the deploy step. In this lesson we see why you build an image once and promote that exact unit across environments, and why a commit-SHA tag beats latest whe
A registry is a warehouse with labeled shelves. latest is a sticky note someone keeps moving to a different shelf, but a commit-SHA label always points to the exact same box.
- registry
- A service that stores and distributes images, acting as the trust boundary between whoever builds an image and whoever pulls and runs it in production.
- tag
- A human-readable alias pointing to a specific image, for example myapp:latest. A tag is a movable alias — it can be repointed to a different image.
- digest
- An immutable sha256 fingerprint of the image content. Unlike a tag, a digest always points to the exact same content and cannot be moved.