Declarative, version-controlled infrastructure deployments eliminate the ambiguity of imperative scripts and manual kubectl commands. GitOps treats a Git repository as the single source of truth for what should run in every environment. When the desired state in Git diverges from the actual state in the cluster, the reconciliation engine corrects the drift automatically. This model provides an immutable audit trail, simplified rollbacks through git revert, and a deployment workflow that every developer already understands.
The critical distinction lies in push-based versus pull-based deployment models. Traditional CI/CD pipelines push changes to clusters using credentials stored in the CI system. Pull-based GitOps inverts this: an agent running inside the cluster watches the Git repository and pulls changes when it detects them. The CI system never holds cluster credentials, and the cluster needs only outbound access to the Git host, which reduces the attack surface and simplifies network security.
Argo CD serves as the reconciliation engine, continuously comparing the desired state defined in Git against the live state in each Kubernetes cluster. GitHub Actions handles the CI pipeline: building container images, running tests, generating SBOMs, signing images with Cosign, and updating the image tags in the GitOps repository. Kustomize provides environment overlays that allow a single base manifest to be adapted for development, staging, and production without duplication. Each environment overlay adjusts replica counts, resource limits, feature flags, and ingress configurations while sharing the same application definition.
ApplicationSets extend Argo CD by templating multiple Application resources from a single manifest definition. Using the Git generator pattern, each directory in the repository represents a tenant, and ApplicationSets automatically create the corresponding Argo CD Applications with the correct namespace, RBAC bindings, and resource quotas. When a new tenant directory is added to the repository, the ApplicationSet controller detects the change and provisions the full environment within minutes. This pattern scales horizontally: adding the 50th tenant requires the same effort as adding the first, a single directory with a configuration file.
Every container image is signed with Cosign using keyless signing backed by Fulcio and Rekor from the Sigstore project. Software Bills of Materials (SBOMs) are generated in SPDX format and attached to each image as OCI artefacts. Trivy scans images for known vulnerabilities against multiple databases, and results are uploaded to GitHub Security for centralised triage. OPA policy gates evaluate images before promotion to production, verifying that signatures are valid, no critical CVEs exist, and the image was built from an approved base. Pull requests that fail any gate are blocked from merging.
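As an added example (not code from the original post or from any of the tools named above), the three gate checks expressed in Python over constructed inputs shaped like `cosign verify` and `trivy image --format json` output; the policy values, CI identity, base images and CVE ids are all assumptions.

```python
# Added example: the promotion gate's three checks written in Python rather than Rego.
# Input shapes follow `cosign verify` JSON and `trivy image --format json`; every
# identity, base image and CVE id below is a constructed placeholder.

POLICY = {  # assumed policy values
    "issuer": "https://token.actions.githubusercontent.com",
    "subject_prefix": "https://github.com/example-org/example-app/.github/workflows/",
    "approved_bases": {"gcr.io/distroless/static", "cgr.dev/chainguard/static"},
}

def check_signature(cosign_entries, policy):
    """cosign verify emits one entry per valid signature, with the Fulcio certificate's
    OIDC issuer and subject under "optional"; require one from the CI workflow."""
    for entry in cosign_entries:
        opt = entry.get("optional", {})
        if opt.get("Issuer") == policy["issuer"] and \
                str(opt.get("Subject", "")).startswith(policy["subject_prefix"]):
            return None
    return "no valid signature from the approved CI identity"

def check_vulnerabilities(trivy_report):
    """Trivy nests findings under Results[].Vulnerabilities[]; block on any CRITICAL."""
    critical = sorted(v["VulnerabilityID"]
                      for r in trivy_report.get("Results", [])
                      for v in (r.get("Vulnerabilities") or [])
                      if v.get("Severity") == "CRITICAL")
    return f"critical CVEs present: {', '.join(critical)}" if critical else None

def check_base_image(labels, policy):
    """The build records its base in the OCI annotation; compare it without tag/digest."""
    name = labels.get("org.opencontainers.image.base.name", "").split("@")[0]
    if ":" in name.rsplit("/", 1)[-1]:        # tag sits on the last path segment
        name = name.rsplit(":", 1)[0]
    return None if name in policy["approved_bases"] else f"base image not approved: {name or '<missing>'}"

def evaluate(cosign_entries, trivy_report, labels, policy=POLICY):
    """Return the list of gate failures; an empty list means the image may be promoted."""
    checks = (check_signature(cosign_entries, policy),
              check_vulnerabilities(trivy_report), check_base_image(labels, policy))
    return [c for c in checks if c]

# Constructed sample inputs in the tools' output shapes (CVE ids are placeholders).
SIGNED_BY_CI = [{"optional": {"Issuer": POLICY["issuer"],
                              "Subject": POLICY["subject_prefix"] + "build.yml@refs/heads/main"}}]
CLEAN_SCAN = {"Results": [{"Target": "app",
                           "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0001", "Severity": "HIGH"}]}]}
CRITICAL_SCAN = {"Results": [{"Target": "app",
                              "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0002", "Severity": "CRITICAL"}]}]}
APPROVED_BASE = {"org.opencontainers.image.base.name": "gcr.io/distroless/static:nonroot"}
UNAPPROVED_BASE = {"org.opencontainers.image.base.name": "docker.io/library/ubuntu:22.04"}
```

In a real pipeline the same three results would come from `cosign verify --certificate-oidc-issuer ... --certificate-identity-regexp ...`, the Trivy report and the image config, with the gate wired into the promotion PR check.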
With GitOps, the deployment process becomes transparent and repeatable. Every change is traceable to a commit, every rollback is a revert, and the cluster state always converges to what the team has approved in version control. The combination of Argo CD's reconciliation with GitHub Actions' flexibility creates a delivery platform that is both secure and developer-friendly.