Continuous Integration is the practice of integrating code changes frequently, typically multiple times a day. This means you should check your code multiple times a day and keep your main branch deployable. Continuous Integration is a prerequisite for Continuous Delivery.

The name “Continuous Integration” provides solid hints about the crucial parts of the practice. Everyone should integrate their code into a shared branch (feature branches don’t count) and this should be done continuously, which means you’re doing it all the time; at least once a day, but ideally more often.

You’ll often speak to developers who want to stretch the definition of Continuous Integration, but you can’t escape those foundations. Merging the main branch into a long-lived branch feels like Continuous Integration, but you’ll notice no changes come back for ages until someone finally merges to main. Then you have to perform a large, complex merge, which you should avoid.

The DORA research on Continuous Delivery includes the capabilities of Continuous Integration and trunk-based development. The statistics suggest you can get similar benefits as long as you limit yourself to 3 (or fewer) short-lived branches (less than a day old).

Watch the episode

You can watch the episode below, or read on to find some of the key discussion points.

Watch Continuous Delivery Office Hours Ep.3

The worst branching strategy

Since the ability to branch code was invented, developers have applied a great deal of creativity to how to use branches. The most common approach is feature branching, where each feature gets a branch of main that evolves separately until the feature is complete, and it’s merged back into main. Release branching allows development to continue on main by taking a cut of the main branch that will be released. This allows hotfixes to be applied to the release branch without further destabilizing it.

The utility of branching strategies is often eroded by the coordination overhead of maintaining the separate branches and merging different changes back together. The more complex the branching strategy, the more likely it is that you’ll have merge conflicts and lost bug fixes. For example, you might fix a release branch and forget to merge the fix back to main, so the next release reintroduces the bug.

This is why the worst branching strategy is Gitflow. This is a complicated branching strategy that creates dedicated branches for features, releases, and hotfixes alongside permanent main and develop branches. The overhead of Gitflow vastly outweighs its benefits.

This is where trunk-based development shines, as it removes unnecessary complexity.

The best strategy is trunk-based development

Trunk-based development is the process of making all commits directly to the main branch. This is complemented by out-of-band reviews that don’t block merging and by feature toggles that decouple deployments from releases. It should be possible to deploy your software from the main branch at all times, even if features aren’t complete.

The DORA research allows up to 3 short-lived branches, which can be useful for teams working remotely (like open-source project teams), who can use branches and pull requests to coordinate their work. Even so, the goal is to keep branches short-lived and to merge frequently.

Trunk-based development is complemented by automated builds and checks that run when code is committed to the main branch. If a problem is found during these checks, the team should prioritize the fix over other development work.

Elite performance comes from small batches

Teams with the best software delivery performance work in small steps. Trunk-based development and Continuous Integration are crucial practices for controlling batch size. Problems are discovered sooner and are easier to fix when you only have a small amount of change to reason about.

Making frequent commits makes it easy to back out a bad change. If a test fails, you can discard changes since the last commit and try again, instead of trying to debug the problem. This is especially true when using AI coding assistants or other code generation techniques.

Ultimately, for trunk-based development to succeed without friction, the entire team must be aligned on the process. It doesn’t work if only some of the team are on board.

Happy deployments!

In this post, I’ll show you how to proactively manage the risk associated with dependencies and supply chain attacks by running daily security scans of a Software Bill of Materials (SBOM) associated with the production deployment of your applications.

You can complete the steps in this post in around 30 minutes.

Prerequisites

Sign up for a free trial of Octopus Cloud at https://octopus.com/start. The cloud-hosted version of Octopus is the easiest way to get started, as it doesn’t require any additional configuration to work with the Octopus AI Assistant.

Then install the Octopus AI Assistant Chrome extension from the Chrome Web Store.

Creating the sample application

To demonstrate the process of proactively managing and securing your application, we’ll create one of the sample applications provided by the AI Assistant.

Open the AI Assistant and click the Community Dashboards... link:

Click the Octopus Easy Mode link:

Octopus Easy Mode provides the ability to create sample projects based on best practices. We’ll create the sample Kubernetes project. Select the Kubernetes item and click the Execute button:

Once you review and approve the changes, this results in a project called My K8s WebApp being created in your space, along with all supporting resources like feeds, targets, environments, lifecycles, and accounts.

This sample project demonstrates proactive dependency management, and it starts with lifecycles and environments.

Security environment and lifecycles

The AI Assistant created four environments: Development, Test, Production, and Security.

The first three environments represent the typical infrastructure used to host application deployments. The Security environment is a specialized environment that will host our dependency scanning and vulnerability management steps:

We then have a DevSecOps lifecycle that has four phases, one for each environment. Deployments are executed automatically to the Development and Security environments. This means when a deployment to the Production environment succeeds, it automatically starts a deployment in the Security environment. This will be important later on:

The deployment process

The deployment process for the sample application involves scanning the SBOM for a given application version. The final step, called Scan for Vulnerabilities, accepts a package containing an SBOM file and scans it with an open-source dependency-scanning tool.

Notably, the steps that deploy the application (Deploy a Kubernetes Web App via YAML in this example) skip the Security environment. This means deployments to all environments perform the security scan, but deployments to the Security environment only scan the SBOM file:

The end result of this deployment process is that every deployment to every environment performs an SBOM security scan, and once a deployment to the Production environment succeeds, a deployment is immediately triggered in the Security environment.

This initial sequence of a deployment to Production followed by a deployment to Security is not particularly useful, as it is unlikely that a new vulnerability was detected in the seconds between the deployments.

However, the deployment to the Security environment can then be rerun as part of a trigger.

Rerunning the security scan as a trigger

The sample project also includes a Daily Security Scan trigger. This trigger reruns the deployment in the Security environment once per day:

This results in a daily scan of the dependencies that contributed to the version of your application in the Production environment.

This demonstrates how a Continuous Deployment (CD) tool like Octopus complements Continuous Integration (CI) tools to implement DevSecOps. Because Octopus knows exactly which versions of your applications are currently in production (as opposed to the state of a dependency lock file in Git, which may not reflect code deployed to production), it can scan application dependencies to catch vulnerabilities as soon as they are discovered.

You can then automatically respond to any vulnerability reports with custom steps like email alerts or messages sent to a chat platform, and proactively address any issues in a predictable and controlled manner.

What just happened?

By following along with this post, you created a sample Kubernetes application with:

• SBOM security scanning steps
• Environments and lifecycles that support proactive security management
• A trigger that performs a daily security scan of the dependencies in your production application

This pattern provides DevOps teams with a proactive process to respond to known dependency vulnerabilities and complements other security practices such as SAST/DAST scanning at CI-time, dependency management, and prioritization.

This is part 5 of the series. In the previous post, you created a project structure that supports a shared responsibility model, with multiple teams owning different stages of the deployment process.

In this post, you’ll learn about policies, which provide guardrails for projects to ensure they are compliant with organizational standards.

Prerequisites

Sign up for a free trial of Octopus Cloud at https://octopus.com/start. The cloud-hosted version of Octopus is the easiest way to get started, as it doesn’t require any additional configuration to work with the Octopus AI Assistant.

Then install the Octopus AI Assistant Chrome extension from the Chrome Web Store.

Exploring the sample policy

The mock Git repo shares sample policies that you can apply to your projects. Open Platform Hub, click Policies, and click the Manual Intervention Required policy:

This sample policy requires that any deployment include a manual intervention step. To activate the policy, it must be published and set to active:

To trigger a policy violation, you must delete the manual intervention step from the deployment process. Open the process for the K8s Web App project, delete the Manual Intervention step, and save the project:

Save the changes and deploy a release. The deployment will fail because the process doesn’t include a manual intervention step, which violates the policy you just published:

This demonstrates how platform teams can enforce organizational standards and provide guardrails for projects using policies. Policies are another example of architectural decisions shared and maintained at scale through Platform Hub to support DevOps teams.

The Suggest a fix button can be used by teams that may have encountered an error due to a policy violation. This feature scans the deployment logs, passes the content to an LLM, and provides guidance on resolving the issue:

What just happened?

At the end of this post, you have:

• Published a policy that requires all deployment processes to include a manual intervention step.
• Modified the deployment process for the K8s Web App project to intentionally violate the policy.
• Attempted to deploy a release, which failed because the deployment process violated the policy.
• Used the Suggest a fix button to resolve the policy violation.

What’s next?

Congratulations! You have completed the blog series.

By following along with the series, you have built a hands-on Internal Developer Platform (IDP) using Octopus Deploy. You have also experienced how the strong opinions baked into Platform Hub complement the traditional role of CI servers, enabling platform teams to share and maintain architectural decisions at scale.

This is part 4 of the series. In the previous post, you pushed changes to a shared process template in Platform Hub and saw how those changes were automatically consumed by the project that used the template.

In this post, you’ll build a project that supports a shared responsibility model, with multiple teams owning different stages of a deployment.

Prerequisites

Sign up for a free trial of Octopus Cloud at https://octopus.com/start. The cloud-hosted version of Octopus is the easiest way to get started, as it doesn’t require any additional configuration to work with the Octopus AI Assistant.

Then install the Octopus AI Assistant Chrome extension from the Chrome Web Store.

Updating the project structure

Open the process for the K8s Web App project. You already have the Platform PreDeploy Hook step template as the first step. This effectively means the platform team owns the start of the deployment process.

:::div{.hint} You must publish process templates before they can be used in a project. See the second post for an example of publishing process templates. :::

Add the Security PreDeploy Hook process template next. This gives the security team the opportunity to implement any security checks or processes that must be run before the deployment can proceed.

Add the Security PostDeploy Hook and Platform PostDeploy Hook process templates as the final two steps. This allows the security and platform teams to implement any checks or processes that must run after the deployment completes.

All process template steps default to the name Run a Process Template, but must have a unique name to save the process. Rename each of the process template steps under the Settings tab and define a new name in the Name field:

You must also configure the worker pool parameter for each of the process templates.

With these steps in place, you have modelled your project to support the cross-cutting concerns of both the platform and security teams. This embraces Conway’s law, which posits that organizations design systems that mirror their own communication structure. Conway’s law is sometimes seen as an unintended consequence arising in organizations, but regardless, it is a common pattern that must be supported by platform teams.

By wrapping deployment processes in shared templates like an onion, each team can own and maintain their part of the process. Combine this approach with the Git based workflows for managing changes to process templates, and using SemVer for quantifying the impact of changes to those templates, and you have a powerful combination of features that allow you to manage process templates at scale:

The onion model is just one example of how process templates can be used. You are, of course, free to create process templates defining more general deployment processes that don’t necessarily fit the pre/post-hook model. The key point is that process templates provide a powerful mechanism for sharing and maintaining architectural decisions, and Platform Hub provides strong opinions to support platform teams in managing those architectural decisions at scale.

What just happened?

At the end of this post, you have:

• Updated the project structure to support a shared responsibility model, with multiple teams owning different stages of the deployment process.

What’s next?

You are 80% done with the series. In the next and final post, you’ll explore policies, which provide guardrails for projects to ensure they are compliant with organizational standards.

This is part 3 of the series. In the previous post, you configured a Kubernetes deployment project and began exploring the features of Platform Hub.

In this post, you’ll modify a shared process template in Platform Hub, publish the changes, and consume those changes in your project.

Prerequisites

Sign up for a free trial of Octopus Cloud at https://octopus.com/start. The cloud-hosted version of Octopus is the easiest way to get started, as it doesn’t require any additional configuration to work with the Octopus AI Assistant.

Then install the Octopus AI Assistant Chrome extension from the Chrome Web Store.

Updating a shared template

Open up Platform Hub, select the Platform PreDeploy Hook process template, edit the script step, and click the Commit Only button:

This commits your changes to Git. By default, your commits go to the main branch, but you can create or select a different branch to commit your changes to. This allows you to implement Git based workflows for managing changes to your shared templates.

Leaning into Git based workflows is an example of a strong opinion implemented by Platform Hub. Any team that has reached the point of defining and distributing shared templates has already implemented Git and is comfortable with pull/merge requests, branching strategies, and so on. By using Git as the underlying mechanism for managing changes to shared templates, Platform Hub allows teams to leverage existing knowledge and workflows instead of forcing them to learn a new system for managing changes:

You must publish your changes to make them available to projects that wish to consume the shared template.

The use of the SemVer versioning scheme to quantify the impact of changes to shared templates is another strong opinion Platform Hub provides for platform teams. It requires that you quantify the impact of the change by categorizing it as a major, minor, or patch change.

If you recall from the previous blog post, the K8s Web App project is configured to consume either minor or patch updates to the Platform PreDeploy Hook template. In this example, you’ll publish a patch change, which means the change is non-breaking and is safe to apply to all projects.

Click the Publish button, select the Patch option, and click the Publish button:

Once published, the new version of the step template is automatically consumed by the K8s Web App project:

Although this example only applied the updates to a process template in a single project, the workflow scales to any number of projects across any number of spaces. This demonstrates the core requirement of an IDP: to provide a repository of architectural decisions (in the form of process templates) and distribute them at scale.

Platform Hub also demonstrates the value of a dedicated CD platform, like Octopus, when paired with traditional CI platforms, offering strong opinions that support platform teams as they create, distribute, and maintain architectural decisions.

What just happened?

At the end of this post, you have:

• Updated a shared process template in Platform Hub and published the changes.
• Verified that the changes appear in the project that consumes the shared template.
• Noted the strong opinions that Platform Hub provides to support platform teams in managing shared templates.
• Learned how Platform Hub complements traditional CI platforms.

What’s next?

You are 60% done with the series. In the next post, you’ll structure the process templates exposed by Platform Hub in a project to support multiple teams that own different parts of the deployment process.

This is part 2 of the series. In the previous post, you set up your Octopus instance and learned about the core concepts we’ll be using throughout the series.

In this post, you’ll create a simple Kubernetes deployment project and begin exploring the features of Platform Hub.

Prerequisites

Sign up for a free trial of Octopus Cloud at https://octopus.com/start. The cloud-hosted version of Octopus is the easiest way to get started, as it doesn’t require any additional configuration to work with the Octopus AI Assistant.

Then install the Octopus AI Assistant Chrome extension from the Chrome Web Store.

What is the AI Assistant?

The AI Assistant is an extension of Octopus that enables several AI-powered features. You’ll use the AI Assistant to build a sample Kubernetes project and configure Platform Hub against a mock Git repository.

Creating the project

Click the AI Assistant icon in the bottom right-hand corner of the screen to open the AI Assistant chat. Then paste the following prompt into the chat and run it:

Create a Kubernetes project called "K8s Web App", and then:
* Use client side apply in the Kubernetes step (the mock Kubernetes cluster only supports client side apply).
* Disable verification checks in the Kubernetes steps (the mock Kubernetes cluster doesn't support verification checks).
* Enable retries on the K8s deployment step.

---

Create a token account called "Mock Token".

---

Create a feed called "Docker Hub" pointing to "https://index.docker.io" using anonymous authentication.

---

Create a Kubernetes target with the tag "Kubernetes", the URL https://mockk8s.octopus.com, using the health check container image "octopusdeploy/worker-tools:6.5.0-ubuntu.22.04" from the "Docker Hub" feed, using the token account, and the "Hosted Ubuntu" worker pool.

You can review the changes that the AI Assistant is proposing to make to your Octopus instance before approving them. Once you approve the changes, the AI Assistant will create a new project called K8s Web App in your Octopus instance with the specified configuration.

The mock Kubernetes cluster at https://mockk8s.octopus.com exposes just enough of the Kubernetes API to allow Octopus to complete a deployment. No actual Kubernetes resources are created, and the server resets itself every few minutes. This allows you to explore Octopus’s Kubernetes deployment features without needing access to a real Kubernetes cluster.

Configuring Platform Hub

Enter this prompt into the AI Assistant to configure Platform Hub with a mock Git repository:

Configure the Platform Hub git repo to point to https://mockgit.octopus.com/repo/platformhubrepo using the ".octopus" base path.

The mock Git repository at https://mockgit.octopus.com/repo/platformhubrepo provides a pre-configured repository with sample Platform Hub resources. The repository contents are reset periodically, allowing you to explore Platform Hub’s features without setting up your own Git repository or providing credentials.

Exploring process templates

Open Platform Hub from the left-hand menu:

You will then be taken to the list of sample process templates preconfigured in the mock Git repository. Open the Platform PreDeploy Hook process template:

You’ll explore the patterns around these sample process templates in a subsequent post. For now, you’ll experience the process of publishing and sharing a template.

Click the Publish button to publish the process template to your Octopus instance:

The first version of a template is always 1.0.0. Click the Publish button to publish the template with the selected version:

Templates must also be shared with a space, or all spaces, before projects can consume them. Click the kebab menu and then click the Share button:

Select the spaces you wish to share the template with (you can select all spaces if you wish), and then click the Share button:

Your process template is now published, shared, and ready to be consumed in a deployment process.

Open the K8s Web App project that you created earlier, and click the Process tab. Click the Add a step button, click Process Templates under the filter category, and click the Add Template button on the Platform PreDeploy Hook template that you just published:

You are prompted to select the changes you wish to opt into automatically. Select Accept minor changes to accept any change to the y and z components of the x.y.z SemVer version scheme used by Platform Hub. Alternatively, you can select Accept patches to only accept changes to the z component.

The ability to automatically opt into new versions of a process template is a strong opinion of Platform Hub. It allows platform teams to update and distribute architectural decisions, in the form of process templates, at scale with the click of a button:

The process template exposes a parameter called PostDeployHook.WorkerPool that defines the worker pool on which the step is run. Assign the Hosted Ubuntu worker pool to this parameter:

Because this was a template designed to be run at the start of a deployment process, the order of the steps will have to be changed to place the new step before the Deploy Kubernetes YAML step:

Save the changes to the project, create a release, and deploy it to see the new step in action.

What just happened?

At the end of this post, you have:

• Created a new Kubernetes deployment project using the AI Assistant.
• Configured Platform Hub against a mock Git repository containing sample resources.
• Published a process template from Platform Hub and shared it with the default space.
• Added a step to your deployment process using the shared process template.

What’s next?

You are 40% done with the series. In the next post, you’ll explore how to update and maintain shared resources in Platform Hub by making changes to the process template in the mock Git repository, publishing the changes with versioning, and consuming those changes in your project.

These blog posts can be completed during your lunch break, with each post taking about 30 minutes. Notably, you don’t need any passwords or any other platforms beyond a free trial instance of Octopus.

By the end of the series, you’ll have a fully functional IDP that you can use as a reference for building your own Platform Engineering solutions.

In this introductory post, we’ll set up the basic prerequisites and introduce some of the core concepts we’ll use throughout the series.

Getting an Octopus instance

Sign up for a free trial of Octopus Cloud at https://octopus.com/start. The cloud-hosted version of Octopus is the easiest way to get started, as it doesn’t require any additional configuration to work with the Octopus AI Assistant.

Then install the Octopus AI Assistant Chrome extension from the Chrome Web Store.

Defining common terms

We’ll need a common language to discuss the concepts we’ll use throughout the series.

What is DevOps?

This is perhaps a controversial opinion, but DevOps has lost its meaning. Any term that becomes the target of Search Engine Optimization (SEO) ceases to be a useful term. DevOps is unfalsifiable - literally any practice, tool, or process used by technical teams can be labelled as DevOps.

So I’ll use DevOps as a broad term referring to teams and processes that work with technology.

What is Platform Engineering?

Platform Engineering is the practice of scaling architectural decisions.

That’s it.

I like this definition of architecture from “Objects, Components, and Frameworks With UML: The Catalysis Approach” by Desmond D’Souza and Alan Wills, which defines “architecture” as:

The set of design decisions about any system (or smaller component) that keeps its implementors and maintainers from exercising needless creativity.

More simply, Platform Engineering provides common solutions to common problems so your teams can focus on solving valuable problems.

What is an Internal Developer Platform (IDP)?

An Internal Developer Platform (IDP) comprises the tools, systems, and processes you use to distribute and maintain architectural decisions.

That’s it.

It can be a wiki, a set of scripts in a shared repository, or a fully fledged self-service portal. The specific implementation doesn’t matter, as long as it provides a way to share and maintain architectural decisions.

We’ll use Octopus as a repository for architectural decisions that can be updated and distributed to DevOps teams.

How does Platform Engineering relate to CI/CD?

Continuous Integration and Continuous Delivery (CI/CD) focuses on delivering software to consumers. Platform Engineering streamlines CI/CD processes by providing a common set of tools and processes for building, testing, and deploying software. This allows teams to focus on delivering value to customers rather than building and maintaining every aspect of their CI/CD pipelines.

How does Octopus support Platform Engineering?

Octopus provides Platform Hub, which is an opinionated solution for defining, maintaining, and distributing shared processes and policies to support the delivery and maintenance of software.

Platform Hub is based on Git and uses Git based workflows to enable the development, testing, and approval of changes to shared processes and policies.

Platform Hub resources are versioned using SemVer and distributed to consumers in accordance with the semantic meanings of major, minor, and patch versions. Consumers can choose to automatically consume the latest version of a resource or manually update to new versions when they are released.

These features allow Platform Hub to define a set of architectural decisions (in the form of process templates and policies) that are maintained and distributed to consumers at scale.

What just happened?

At the end of this post, you have:

• Created a trial Octopus instance and installed the Octopus AI Assistant Chrome extension.
• Learned the basic concepts of DevOps, Platform Engineering, and Internal Developer Platforms (IDPs).
• Learned the relationship between Platform Engineering and CI/CD.

What’s next?

You are 20% done with the series. You now have a trial instance of Octopus, the AI Assistant Chrome extension, and an understanding of the core concepts we’ll be using throughout the series.

In the next post, you’ll create a simple Kubernetes deployment project and begin exploring the features of Platform Hub.

Step verification

Previously, Octopus would consider a step complete once changes were pushed to Git.

There are some new options in the step editor now that allow you to customize the behavior. The options are listed under step Verification:

• Direct commit: Progress to the next step once changes are pushed to Git (this is the existing behavior)
• Pull request merged: Progress to the next step once pull requests are merged, or fail the step if pull requests are closed or abandoned. This option results in a no-op if changes are committed directly without a pull request (see Git commit method)
• Argo CD application is healthy: Progress to the next step once all the Argo CD applications have synced the new changes and the applications are in a healthy state. Choosing this setting means your Octopus dashboard will accurately reflect the version and status of your applications deployed to the cluster

The task is paused while Octopus waits for pull requests to be merged or for Argo CD applications to be healthy. This means the task does not count towards your instance task cap.

Trigger sync

Turning on this option will trigger Argo CD to explicitly sync applications with the changes committed to Git by this same step.

If the application has auto-sync turned off, then triggering sync ensures Argo CD will look at the latest changes in Git when verifying application health.

If the application has auto-sync turned on, then triggering sync speeds up the deployment because Octopus does not have to wait for the next Argo CD refresh loop.

When is the application synced and healthy?

When verifying that the application is healthy after a change, we first need to check whether it references the changes we just made. Unfortunately, we can’t rely on Argo CD’s sync status alone, since Argo CD doesn’t know what Octopus’s intended changes are.

Let’s go through a few scenarios:

Scenario 1: All synced

1. Octopus commits 97A2
2. Argo CD refreshes to 97A2 and syncs the changes to the cluster

Sync status:

• Argo CD: In sync
• Octopus: In sync

This is the simplest scenario where all parties are looking at the same commit, so everyone is In sync.

Scenario 2: Out of sync

1. Octopus commits 97A2
2. Argo CD refreshes to 97A2 but has yet to sync the changes to the cluster

Sync status:

• Argo CD: Out of sync
• Octopus: Out of sync

Even though Octopus and Argo CD are looking at the same commit, the changes have not yet been applied to the cluster, so Octopus still shows Out of sync.

Scenario 3: Octopus is ahead of Argo CD

1. Octopus commits 8DEF
2. Argo CD has yet to refresh, so it still considers 97A2 to be the latest

Sync status:

• Argo CD: In sync
• Octopus: Git drift

In this scenario, Octopus has made a change that Argo CD doesn’t see yet. Here we introduce a concept called Git drift - this means even though everything looks up to date from Argo CD’s perspective, the changes made by Octopus aren’t in the cluster.

Scenario 4: External change overwrites Octopus-generated changes

1. Octopus commits 97A2
2. Another process commits 1123 with contents overwriting Octopus-generated changes
3. Argo CD refreshes to 1123 and syncs the changes to the cluster

Sync status:

• Argo CD: In sync
• Octopus: Git drift

This scenario also results in Git drift because a later commit overwrites Octopus’s changes - an example would be the user updating image tags that Octopus updated.

Scenario 5: External change is unrelated to Octopus-generated changes

1. Octopus commits 97A2
2. Another process commits 1124 with contents unrelated to Octopus-generated changes
3. Argo CD refreshes to 1124 and syncs the changes to the cluster

Sync status:

• Argo CD: In sync
• Octopus: In sync

This scenario is similar to the previous one, but here the later commit only contains unrelated changes - an example would be the user updating the replica count after Octopus updates the image tags. Since Octopus-generated changes made are still in the cluster, it displays In sync.

How does Octopus know what changes are intended?

Since Octopus pushed the changes to the Git repository, it can keep track of the intended changes.

The two Argo CD steps have different functionality, so the way they record the intended changes is different.

Update Argo CD Application Image Tags

This step updates the image tags in the manifests. To track changes, Octopus records JSON patches for the files it updates.

When detecting whether these changes have been overwritten later on:

1. Octopus checks out the Git repository files for the commit that Argo CD is looking at
2. Octopus re-applies the JSON patches to the files it previously updated
3. If the files have any changes, then it means Octopus’s changes have been overwritten

Note that JSON patches have limitations, so if the manifest has been significantly restructured, you might see an unexpected Git drift status. Simply redeploy to remove this false positive.

Update Argo CD Application Manifests

This step generates the manifests that go into the application’s repository. To track changes, Octopus records the file hashes it generates.

When detecting whether these changes have been overwritten later on:

1. Octopus checks out the Git repository files for the commit that Argo CD is looking at
2. Octopus checks if the file contents have changed by comparing the hashes of the files it generated
3. If the files have any changes, then it means Octopus’s changes have been overwritten

Does Octopus inspect the Git tree?

While planning this feature, we initially went down the route of inspecting the Git tree to figure out whether Argo CD was including the latest changes deployed by Octopus. We soon realised that we would need to inspect file contents anyway because a later commit could easily overwrite Octopus’s changes.

Other than some small optimizations to skip file comparisons when the commit SHA matches between Octopus and Argo CD, Octopus only looks at the file contents in Git; it doesn’t care whether the commit is in the Git history.

How to try it out

The step verification functionality is currently available to all customers starting with 2026.1. Pull request merged verification is available from 2026.2 (rolling out in Octopus Cloud).

There’s nothing extra required to enable the feature. Simply open the Argo CD Instances section under Infrastructure, and connect one of your Argo CD instances to Octopus. From there, you can start modelling deployments that combine GitOps and Continuous Delivery out of the box.

Conclusion

Argo CD is a powerful GitOps tool for Kubernetes, but it wasn’t built to manage the full software delivery lifecycle. Octopus complements Argo CD by adding environment promotions, orchestration across diverse workloads, fine-grained RBAC, and centralized visibility across clusters.

With Argo CD integration, Octopus lets teams combine the strengths of GitOps and Continuous Delivery without building custom automations. You get the reliability of Git-driven deployments and the safety, governance, and flexibility of a full CD platform—all in one place.

Learn more on our use-case page.

Happy deployments!

What we ask in return is that you set yourself up to do your best work. Invest in your brain, bytes, back, and buns, as Scott Hanselman put it. The essential idea behind this is that when you win, Octopus wins. We all win!

Yet you can throw a soggy cat at a conference, and the chances are it will splash someone from an organization with a completely different approach to developer experience. One that doesn’t value the sustainable delivery of their people’s best work. Why is that?

A fork stuck in the road

As we’ve seen in the software industry, silos are the source of all kinds of chaos. DevOps was created when someone realized the scale of the problem caused by having two teams with conflicting goals working on opposite sides of the same problem. Leaders whipped developers up for feature throughput and wanted to hold operations teams to account for reliability.

In hindsight, it’s obvious that this isn’t going to work, but we did it for decades. You can get halfway to DevOps just by aligning the goals. When both teams share the same target, they’ll work out how to get you the rest of the way.

If we zoom out on our organization, we’re likely to find a similar silo/goal conflict between engineering managers and the finance team. We ask the engineering manager to build a high-performing team, while we direct finance to spend as little money as possible. This structural incentive problem leads developers to get laptops and tools that someone has negotiated to be “good enough,” and trust me, they aren’t.

When you look at developer experience through a FinBoss lens, where finance and engineering managers align around the return on investment, you’ll find the optimal spend on developer tools shifts right rapidly.

FinCost organizations reduce costs through standardization, commoditization, and by delaying kit refreshes for as long as possible. They often spend less than $1,000 on a laptop without realizing the true cost of an under-spec’d machine. Meanwhile, FinBoss organizations are seeking the $30,000 annual return on a $3,000 investment.

To achieve this ROI, finance and engineering leadership work together to design policies that allow engineers to choose from a set of well-designed options. The combination of investment in great tools and individual choice in building the right setup is the path to success.

Tiny visible costs

FinCost organizations are driving decisions based on small, visible costs. Where there’s a paper trail, there are savings to make: the purchase of a laptop, the training budget, and the conference invoice. These are part of the legible model, so there is no guesswork or experimental method needed to cost them. The numbers are right there on the page.

Once you’re managing costs, it’s not uncommon to dial up the control, too. You limit options, standardize across the organization, and negotiate in bulk on everything to drive costs even lower. Compared to competitors, you could be spending 75% less on laptops, and just look at the savings from those pesky licenses and SaaS tools various teams were using. Hooray.

Instead of letting engineers attend conferences they find relevant to their work, the organization negotiates a bulk purchase for a single conference. Instead of teams buzzing with diverse ideas and approaches, they all sit and watch the same talk. It’s cheaper that way.

A wooden fence encloses my garden. A fence lasts a long time if you give it a protective coat of wood preserver every once in a while. A tin of wood preserve costs about $20 and a few hours of mindful application each year. Over 5 years, I can save $100 by skipping the treatment. If I do this, my fence lasts about 10 years instead of 30.

The cost of a tin of wood preserver is immediate and visible. The cost of replacing the fence is far higher, but it won’t be visible for years. Additionally, if the fence provides value beyond privacy, like keeping a goat out of my vegetable garden, the cost of the fence failing could be the cost of my whole crop, which is even less legible to my cost control mindset.

If you’re creating software, it’s likely to be more valuable than a fence. In fact, it should be giving you returns multiple times your investment. It’s like a golden goose. You feed it well, and you get regular, valuable deliveries. If you had a golden goose, you wouldn’t try to save on food costs if it reduced the flow of golden eggs.

The same logic plays out with training. A FinCost organization cuts the training budget because the line item is visible and the return isn’t. Individual engineers stop attending relevant courses, and teams miss out on the steady accumulation of skill that comes from ongoing, targeted learning. Nobody raises a purchase order for “capability that didn’t grow this year.”

Then something goes wrong. Delivery is slow, the codebase is a mess, or a competitor pulls ahead. Someone decides the answer is transformation, and that means Scaled Agile, or whatever flavor of desperation is in fashion in exec suites at the time.

So the whole department gets booked onto an external SAFe course. Not one or two people who need it. Everyone. The invoice lands, and it’s eye-watering: many times what a thoughtful, ongoing training program would have cost across the same period. The organization that was too cautious to spend $500 on a course people wanted just spent $50,000 on one nobody asked for.

This is the hidden tax of FinCost thinking. Small, visible costs get cut. The problems that those small costs would have prevented quietly compound. Eventually, the pressure releases all at once, in an expensive, rushed, and hard-to-argue-against way, because now there’s a crisis with a visible price tag.

The tin of wood preserver was the right investment all along.

The invisible people-hours

Developers work around 40 hours a week. Stripe’s Developer Coefficient found that productivity friction can eat up roughly half of those hours. That’s the time that evaporates before a single line of useful code is written. Across the global developer workforce, Stripe put a number on that loss: $300 billion. It’s worth noting that only $85 billion of this is attributable to bad code. The rest is pure friction: slow tools, broken environments, waiting for builds, wrestling with under-spec’d machines. Productivity means more than writing code faster.

That friction has a texture. It’s a developer losing flow because their laptop is thrashing memory, and they’ve lost the thread of what they were thinking.

It’s waiting 10 minutes for a build that would have completed in 2 minutes on a faster machine. It’s the workarounds you built because the approved tool wasn’t good enough, which obliterates hours of your week for maintenance. It’s the skilled engineers who start looking for a new role because the environment makes them feel like you don’t take their work seriously.

None of this appears on a purchase order. None of it shows up in a variance report. It just quietly drains the value your software could be creating.

There’s also an upside case, not just a loss case. Software that ships faster captures more market share. Developers who stay in flow write better code with fewer bugs, which means less rework and fewer incidents. A high-performing team attracts other high performers. The return on investing in developer experience isn’t just “we lose less time”; it’s sales opportunities, reduced churn, higher product quality, and a compounding advantage over competitors who are still buying $800 laptops and calling it responsible.

When you focus on cost control, there’s a ceiling on how much you can save. When you look for return on investment, there’s no equivalent ceiling on how much you can gain.

The CFO lens

When I asked Sammy, our CFO, about why we invest in people, powerful machines, and great tools, he said: “At Octopus, we think about equipment as a productivity tool. Developers are one of our most expensive and constrained resources. If spending a few extra thousand dollars on a fast machine and proper screen space saves time, reduces cognitive load, or keeps someone in flow more often, it pays for itself very quickly.”

That means our finance team doesn’t ask “What’s the cheapest laptop we can buy?” Instead, they ask, “What setup helps this person do their best work?” From a finance perspective, this is about a high-ROI spend, not indulgence.

Octopus is running the FinBoss playbook, which aligns finance and leadership in empowering employees to do their best work. That means expanding what you’re willing to measure so that you can balance the visible costs with traditionally invisible returns.

The responsibility for providing this environment for employees rests with all leaders, including Sammy, and is part of the deal employees have with the company; we’ll give you the best environment and tools if you give us the greatest work of your career.

The reckoning

If we’ve ever met, I’ve likely mentioned DORA’s research. I’m a super-fan of their State of DevOps reports, because they provide us techniques, practices, and outcomes that are all linked through complex relationships. The model shows that transformational leadership, lean product management, and Continuous Delivery drive software delivery performance and organizational outcomes.

While many of the capabilities in the DORA model are technical, many others relate to leadership. Particularly relevant to developer experience are generative organizational culture, transformational leadership, empowering teams to choose tools, team experimentation, and a learning culture. You can read about these and more on the DORA website. Together, they back up the FinBoss concept with tens of thousands of survey samples that support the case.

The question is: Which organization are you now, and which do you want to be? Is it FinCost, operating myopically against the bottom line, or FinBoss, sharing the responsibility for developer experience and employee productivity? The fork in the road was never a choice. We know FinCost is a dead end, and the benefits of FinBoss aren’t soft claims; they’re measurable outcomes.

Happy deployments!

Starter Policies are designed to change that.

How it works

A guided wizard takes the guesswork out of writing your first policy. When you add a new policy in Platform Hub, you’ll find a library of starter policies built around common compliance use cases we see across our community.

Open Platform Hub, head to Policies, and select a starter policy that matches your goal. Give it a name, and Octopus takes it from there. It generates the boilerplate code with the name, scope, and conditions already filled in.

From there, it’s yours to customize. The editor includes Rego syntax highlighting to make the logic easier to read, and inline comments explain exactly which parts to modify for your team.

Governance in Platform Hub

Starter policies are a new addition to the Policies feature in Platform Hub, available on the Enterprise tier.

Platform Hub is your central home for software delivery, insights, and governance in Octopus. If you’re on Enterprise, you can use Policies to define and enforce standards at scale across all your deployments and Runbook runs. This includes things like ensuring production deployments always have an approval workflow, or preventing deployments from using outdated package versions.

Starter policies make it easier to get started with all of this, regardless of how familiar you are with Rego.

Learning by doing

We want you to understand the code, not just copy it. Each starter policy includes inline comments explaining how the Rego logic works, highlighting the specific sections you need to modify to customize the policy for your team.

This gives you something you can run immediately, not just read. Direct links to the policy schema are built into the editor too, so if you want to go deeper, the reference material is already there.

To see this in practice, here is a real-world example: enforcing an approval workflow for all deployments and runbook runs in your Production environments.

This policy is made up of two parts.

The policy scope defines when the policy applies. In this case, it targets any Environment named Production.

package require_manual_intervention

# Default: Do not evaluate unless conditions are met
default evaluate := false

evaluate if {
  input.Environment.Name == "Production"
}

The default evaluate := false line is worth noting. Unlike a policy that applies everywhere by default, this one’s off unless the condition input.Environment.Name == "Production" is met. Scoping it to Production means the approval requirement only activates in environments with that name, leaving other environments unaffected.

The policy conditions define what is enforced. It checks that at least one manual intervention step exists in the Deployment or Runbook run, and that none of those steps are being bypassed:

package require_manual_intervention

# Default: Deny all
default result := {"allowed": false}

# Helper: True if any manual intervention step is present in the skipped steps list
manual_intervention_skipped if {
  some step in input.Steps
  step.Id in input.SkippedSteps
  step.ActionType == "Octopus.Manual"
}

# Allow: Manual intervention steps exist and none are being bypassed
result := {"allowed": true} if {
  some step in input.Steps
  step.ActionType == "Octopus.Manual"
  not manual_intervention_skipped
}

# Deny: Block Deployment if manual intervention is bypassed
result := {
  "allowed": false,
  "reason": "Manual intervention steps cannot be skipped in this Environment"
} if {
  manual_intervention_skipped
}

There are three possible outcomes this policy can produce:

• Deny by default: If no manual intervention step is present, the policy is non-compliant. The default result := {"allowed": false} line ensures this is the baseline behavior.
• Allowed: A manual intervention step exists and has not been skipped. The approval workflow is intact, and the Deployment or Runbook run proceeds.
• Non-compliant with a reason: A manual intervention step exists but has been explicitly skipped. Octopus surfaces the reason to the team: “Manual intervention steps cannot be skipped in this Environment.”

Violation actions

How Octopus responds to a non-compliant policy (the first and third outcomes above) depends on the configured Violation Action:

• Block (default): The Deployment or Runbook run is stopped from progressing until the issue is resolved.
• Warning: The execution continues, but the team is shown a warning so the non-compliance is visible without being a hard stop.

The right violation action will depend on your team’s processes and how strictly you need to enforce compliance in an Environment. Either way, the outcome is recorded. Every policy evaluation is captured in your audit log, including the policy name, verdict, action taken, and the reason. When something is blocked, your team can see exactly why and what needs to change.

Get started

Starter policies are available now. Head over to the Platform Hub section of your Octopus instance and start building out your guardrails.

We’re continuing to expand policy management in Platform Hub, and your feedback shapes what we build next. If you have suggestions, share them on the Octopus Deploy Roadmap.

Happy deployments!

Watch the episode

You can watch the episode with Piotr below.

Inside Platform Engineering with Piotr Szwed

The shift from automation to autonomy

For most of its history, infrastructure automation has been about reducing human toil. Scripting repetitive tasks, templating deployments, and codifying what engineers do by hand. Piotr argues that this framing is now outdated and suggests the goal shouldn’t be to automate your platform team’s work; it should be to build systems that manage themselves. Self-healing, autoscaling, and continuously reconciling their own state without human intervention. This is the core idea behind the Kubernetes operator pattern, and it represents a significant mindset shift for teams that have always reached for automation scripts and manual processes when something needs to change. The difference may seem subtle, but it has profound implications for how you design, build, and staff a platform.

Is Terraform keeping up with Platform Teams’ needs?

Piotr was one of Terraform’s earliest power users, with his teams building over 20 custom providers in its early days. That history gives weight to his argument that Terraform is struggling to keep pace with the modern infrastructure landscape. The number of cloud services and APIs is growing faster than providers can track, and the reconciliation loop that teams bolt on through Jenkins jobs or cron-triggered pipelines is, in his view, one of the biggest anti-patterns in the industry. Teams doing this are essentially rebuilding the Kubernetes controller pattern in a much more fragile way, simulating something that Kubernetes provides for free, while adding the complexity of maintaining yet another layer of tooling around it.

His recommendation isn’t to throw everything out overnight, but to understand that operators support import and read-only modes, making a gradual, non-destructive migration far more achievable than most teams assume.

Reference architectures are making the path clearer

One of the practical barriers to adopting API-first, Kubernetes-centric platforms has been the lack of a clear blueprint. That’s changing. Piotr points to a growing set of well-resourced reference architectures, CNOE from Amazon and Cisco, ApeiroRA from SAP, and Google’s KCC with Kro, as evidence that the industry has reached a turning point. Importantly, these aren’t monolithic frameworks that need to be adopted wholesale. They’re designed more like Lego blocks, where teams can cherry-pick the components that fit their organization and swap out the pieces that don’t.

What they all share is more important than their differences: each is API-first and built on the Kubernetes operator pattern. That consistency across hyperscalers and vendors is itself a strong signal that the industry is converging around a direction. With major players now publishing and backing these blueprints, the “we don’t know where to start” barrier is lower than ever.

Where does this leave platform teams?

The conversation with Piotr covers a lot of ground, but the underlying message is consistent throughout. The move to API-first, autonomous systems isn’t just something Piotr is chasing as the newest, shiniest solution in our field, but he is instead focusing on building platforms that can keep pace with the speed at which cloud services, AI capabilities, and business requirements are evolving.

The good news, depending on how you look at it, is that the ecosystem is maturing quickly. Reference architectures are documented, communities are active, and migration paths exist that don’t require starting from scratch. For teams that see the value in what Piotr is putting forward, starting incrementally now is a much more comfortable place to be than waiting until the shift feels unavoidable and finding yourself staring down another major platform migration.

Happy Deployments!

By choosing to do work that returns software to a deployable state ahead of any other kinds of work, like feature development, you’ll avoid the toxicity of tangled work batches. Instead, you can smoothly flow changes between test and production and get the feedback you need to be confident that your software works.

Crucially, if you discover a high-severity bug or security problem, there are no roadblocks to getting fixes into production. You don’t need a special “expedited lane” for these changes, which means you don’t skip steps that let bad changes into your codebase.

Let’s take a look at problem indicators that will help you identify and fix common deployability issues. The goal of answering the deployability question is a mile marker, not the destination, but if you can’t answer the question, you’re going to waste time looking for landmarks!

Watch the episode

You can watch the episode below, or read on to find some of the key discussion points.

Watch Continuous Delivery Office Hours Ep.2

The awkward silence problem

When you ask your team, “Are we ready to deploy?”, the correct answer is either “absolutely” or “no way”. The worst possible answer is silence or confusion. If the team doesn’t know whether they can deploy, they’re missing the deployment pipeline that would generate the answer.

When you commit a code change, build errors should be returned to you within a couple of minutes. At the end of 5 minutes from your commit, a suite of fast-running tests should tell you if you’ve broken functionality or the quality attributes of your application. Dependency checks, code scanning, and other static analysis tools should have told you if you have a problem. If you have long-running tests or tests that depend on the new software version being deployed to a test environment, you should know in another 5-20 minutes if they’ve detected a problem.

After all these checks, you should have a version of your software running in a test environment that you have high confidence in. If someone asked you whether you’re ready to deploy, you’d answer “absolutely”.

Deployment automation makes sure the deployment is a non-event. It guarantees the same process is used to deploy to all environments, and makes it trivial to deploy on demand. A solid deployment pipeline contains all the checks you need to know whether you can deploy.

Manual testing is a ceiling, not a floor

Teams often treat manual testing as a foundation for verifying that a software version works. In reality, it acts more like a ceiling, limiting your ability to flow changes to production. As your software becomes more complex, the ceiling descends as the testing takes longer.

Long test cycles make you subvert your process to the speed at which you can test. You’ll notice when this happens because you’ll keep looping back to fix bugs and restart the test process. From the earliest change you make, through each bug list and all the re-testing, right through to the final software version, you are not deployable.

Automating your tests is the real foundation for your software. This raises the ceiling and moves the constraint away from the test cycle.

Your old code wasn’t written to be tested

If your application is successful, it will have some history. Part of that history is often that it wasn’t written with test automation in mind. That means you need to identify where your risk is, work out how to find the seams that will make it testable, and start adding characterizing tests.

Once some old code is wrapped with tests, it becomes far easier to change the code design, because the tests will fail if you break something.

Automation is living documentation

When developers move on, a portion of your institutional knowledge goes with them. High-quality documentation can help teams distribute this knowledge and reduce its loss, and the best kind of documentation is test automation.

Well-written automation, like tests, deployment automation, and infrastructure as code, performs useful functions while effortlessly documenting them. Because you make all changes through the living documentation, it is always up to date.

The hidden cost of undocumented knowledge becomes painfully clear when you have to deploy without the person who normally handles it. You follow their checklist carefully, confirm every step, and everything looks right; yet the deployment still fails. What you didn’t know is that the checklist stopped being accurate months ago, because the person doing the deployments stopped consulting it. All the new steps they introduced lived in their head, not on paper.

The living documentation built into automation tools is especially valuable when onboarding new developers. Rather than relying on tribal knowledge passed down through conversations and shadowing, a new team member can read the test suite and understand not just what the software does, but what it’s supposed to do and why certain behaviors matter. That’s documentation that keeps pace with the code because it is the code.

The value of long-term sustainability

Like its Agile predecessors, Continuous Delivery values long-term sustainability. That means you invest a little more effort up front to constrain maintenance costs over the long term. Writing tests may mean a feature takes 20-25% more time to implement, but the defect density can be 91% lower than similar features not guided by tests (Microsoft VS).

You could reduce 40 hours of bug fixing to just 3.6 hours by guiding feature development with tests, and you also save on other overheads caused by escaped bugs, like reputational damage, customer churn, support costs, pinpointing and debugging, test cycles, and feature delay.

Conclusion

While it takes some effort to set up a strong deployment pipeline, knowing whether a software version is deployable pays dividends. Technical practices like test-driven development and pair programming are needed to keep software economically viable in the long term, even though they require a little more effort up front.

If you can’t answer the question “Is your software deployable?”, you’re sure to run into trouble.

Happy deployments!

If you’ve used Octopus Deploy for tenanted deployments, you know how valuable tags can be. Tags help segment customers and provide more granular control when deploying. We’ve expanded tag sets to help solve a wider range of problems

• Filtering your dashboard to view the projects you care about
• Tagging environments for specific compliance requirements or cloud providers
• Organize runbooks for different operational scenarios

What’s changed?

From 2026.1.6552

In addition to tenants, you can now apply tags to:

• Projects
• Environments
• Runbooks

There are three types of tag sets that can be created:

• MultiSelect: Allows selecting multiple predefined tags from the tag set. This is the standard behavior and works for most scenarios.
• SingleSelect: Allows selecting only one predefined tag from the tag set. Use this when you need to ensure just one option is chosen - like a cloud provider or deployment tier.
• FreeText: Allows entering custom text values without requiring predefined tags. The tag set name must match exactly, but the tag value can be any arbitrary text. Use this when wanting dynamic values like region identifiers, customer IDs, or version numbers. When using free text, only one value per tag set is allowed.

Project Tags

Project tags let you assign metadata such as teams, product lines, criticality and/or technology stack to projects. You can then use these tags to configure your dashboard to show only the projects you care about.

Environment Tags

Environment tags help you mark environments as production or assign metadata such as cloud provider or region. You can filter both the deployment dashboard and environments page by using these tags. Enterprise users can also assign policies to environment tags in the platform hub. This is particularly helpful if separating out production and non-production environments.

Runbook Tags

Runbook tags help you categorize by type and specify which runbooks should be triggered by an event.
Runbook triggers have been updated, so you can now trigger specific runbooks or groups of runbooks based on their tag.

Best Practices

To help achieve the best results, our documents include guidance on how to design your tag sets. Consider what your organization wants to achieve with tags and how they can work to make filtering and management easier.

What’s Next

We’re currently working on migrating all existing target tags to be managed with tag sets. With the existing target tag design, deployment targets can be tagged, but once created, cannot be updated or deleted. We will move this functionality into the tag set space to remedy this limitation. What’s next from there is up to you. Possibilities include:

• Deployment Freezes by tag
• Scoping variables to tags
• License usage by tag

If any of these would work well for you or if you have other suggestions, let us know by completing this survey or in the comments below.

Happy deployments!

Prerequisites

• An Octopus Cloud account. If you don’t have one, you can sign up for a free trial.
• The Octopus AI Assistant Chrome extension. You can install it from the Chrome Web Store.

Creating the project

This example builds on the concepts introduced in previous posts to construct an end-to-end deployment solution to a mock Kubernetes cluster.

Paste the following prompt into the Octopus AI Assistant and run it:

Create a Kubernetes project called "K8s Web App", and then:
* Use client side apply in the Kubernetes step (the mock Kubernetes cluster only supports client side apply).
* Disable verification checks in the Kubernetes steps (the mock Kubernetes cluster doesn't support verification checks).
* Enable retries on the K8s deployment step.

---

Create a token account called "Mock Token".

---

Create a feed called "Docker Hub" pointing to "https://index.docker.io" using anonymous authentication.

---

Create a Kubernetes target with the tag "Kubernetes", the URL https://mockk8s.octopus.com, using the health check container image "octopusdeploy/worker-tools:6.5.0-ubuntu.22.04" from the "Docker Hub" feed, using the token account, and the "Hosted Ubuntu" worker pool.

This prompt creates a new project with a Kubernetes deployment step deploying a sample application to a mock Kubernetes server defined in a Kubernetes target. A deployment process defines how an application is deployed, while targets define where the application is deployed.

The mock Kubernetes server exposes just enough of the Kubernetes API to allow the deployment step to execute successfully, but it doesn’t actually create any Kubernetes resources. This allows you to test the deployment process without needing access to a real Kubernetes cluster.

All of these steps run in the Hosted Ubuntu worker pool provided as part of the Octopus cloud platform.

apiVersion: v1
kind: Config
current-context: local
clusters:
- name: default-cluster
  cluster:
    server: http://localhost:48080
users:
- name: default-user
  user:
    token: anything_will_work # the mock server accepts any token
contexts:
- name: local
  context:
    cluster: default-cluster
    user: default-user
    namespace: default

kubectl run nginx-test --image=nginx --restart=Never

kubectl get pods -A

You can now create a release and deploy it to the first environment. The Kubernetes deployment step deploys a Kubernetes deployment resource to the mock Kubernetes server. Of course, no actual Kubernetes resources are created, but Octopus interacts with the mock server as if it were a real Kubernetes API server.

You will notice that the sample Kubernetes project includes some additional steps. Specifically, it includes a step to scan the Software Bill of Materials (SBOM) associated with the sample project. The results of this scan show you if your deployment has any security vulnerabilities.

The security scan is executed daily in a dedicated environment called Security using a trigger. This means the SBOM scan result is updated to reflect any new vulnerabilities discovered after a production deployment.

Once the deployment is complete, the execution container is discarded, along with the mock server and any deployed resources.

What just happened?

You created a sample project with:

• A Kubernetes deployment step deploying raw YAML inside an execution container
• A manual intervention with step conditions to only run in the Production environment
• Using step conditions to exclude the deployment step from the Security environment
• A step to scan the SBOM associated with the sample application
• A trigger to rerun the security scan daily
• A Kubernetes target referencing the mock Kubernetes server

Prerequisites

• An Octopus Cloud account. If you don’t have one, you can sign up for a free trial.
• The Octopus AI Assistant Chrome extension. You can install it from the Chrome Web Store.

Creating the project

Paste the following prompt into the Octopus AI Assistant and run it:

Create a Script project called "13. Script App with Lifecycle", and then:
* Define a lifecycle called "Auto Deploy" that includes:
  * The "Development" phase with the "Development" environment as the first phase set to automatically deploy
  * The "Test" phase with the "Test" environment as the second phase
  * The "Production" phase with the "Production" environment as the third phase
* Define a channel to the project called "Application" that uses the "Auto Deploy" lifecycle, and make this the default channel

You can now create a release and see it automatically deployed to the Development environment as part of the Auto Deploy lifecycle. This is because the first phase of the lifecycle is set to deploy automatically.

What just happened?

You created a sample project with:

• A custom lifecycle to automatically deploy to the Development environment when a release is created, followed by the Test and Production environments.
• A new channel called Application using the Auto Deploy lifecycle as the default channel for the project.

What’s next?

The next step is to create a mock Kubernetes deployment project.

Prerequisites

• An Octopus Cloud account. If you don’t have one, you can sign up for a free trial.
• The Octopus AI Assistant Chrome extension. You can install it from the Chrome Web Store.

Creating the project

Paste the following prompt into the Octopus AI Assistant and run it:

Create a Script project called "12. Script App with Channel", and then:
* Define a lifecycle called "Hot Fix" that includes the "Production" environment as the only phase
* Add a channel to the project called "Hot Fix" that uses the "Hot Fix" lifecycle

You can now create a release and deploy it to the new “Hot Fix” channel. This channel deploys directly to the “Production” environment, skipping the earlier environments. This is useful for deploying urgent fixes directly to production without going through the standard deployment pipeline.

What just happened?

You created a sample project with:

• A new channel called Hot Fix that uses a custom lifecycle to deploy directly to the Production environment.

What’s next?

The next step is to define a custom lifecycle.

One of my favorite topics was talking with Matt about whether to do it yourself and “reinvent the wheel”, or lean on open-source and community modules for building your IaC. I can see value in both approaches and have mostly been on the side of using open source modules where possible. Your infrastructure probably isn’t that different from someone else’s. With that said, there are times when you need to consider the risks of using these modules and whether their support and community are responsive enough to meet your demands when critical changes are needed.

While the discussion focused on Matt’s specialty around IaC, I found all of the discussion points can be re-applied broadly across Platform Engineering.

Watch the episode

You can watch the episode with Matt below.

Inside Platform Engineering with Matt Gowie

Pick one tool and go deep

One of the first traps Matt sees platform teams fall into is spreading their expertise across too many IaC tools. Whether it’s Terraform, Bicep, CloudFormation, or Pulumi, the instinct to keep options open actually slows teams down and breeds inconsistency. His advice is to consolidate, but do so mindfully. Vendor-specific tools like Bicep and CloudFormation lock you into a single cloud, and the moment you need to automate something outside that ecosystem - be it a DNS provider, a monitoring tool, a SaaS platform — you’re hacking around the edges and accumulating technical debt. Pick the tool that gives you the most reach, build expertise around it, and create practices that scale.

Stop reinventing the wheel

If your platform team is writing every Terraform resource by hand, you’re burning time your competitors aren’t. Matt is a strong advocate for the open source module ecosystem and pushes back on the common instinct to build everything internally. A well-maintained, focused open-source module delivers great security defaults, community-vetted patterns, and ongoing updates that most internal teams simply can’t match.

The hidden cost of building it yourself

The same logic applies to the operational layer around your Platform. Many teams build their own Jenkins or GitHub Actions pipelines to run Terraform and assume it saves money because the work is done in-house. But Matt argues this rarely pencils out. At scale, managing state files, enforcing policy, handling environment-specific approvals, and maintaining all of that custom pipeline code is a significant ongoing burden, and when the person who built it leaves, that cost compounds. Matt’s take is to evaluate the vendor tooling available to solve your problem and be honest about what an engineer’s time is actually worth when measured against a vendor invoice.

Happy Deployments!

Kubernetes Agent

The Octopus Kubernetes Agent makes it easy to connect and manage clusters with Octopus. You don’t need to open firewall rules or manage complex networking. The agent uses a secure outbound connection, so setup is quick and safe. It works a lot like an Octopus Tentacle. It is small, lightweight application, and installed directly in the cluster.

Resilient Tentacle communications

Tentacle communication issues can be frustrating, especially in cloud or restricted networks. We published a blog post that explains our recent improvements to Tentacle resiliency. These changes help Tentacles stay connected, even in less-than-ideal network conditions.

Terraform Provider & OctoTerra

Infrastructure as Code users will like the Octopus Terraform provider. It lets you define and manage Octopus resources in Terraform. For even more control, take a look at OctoTerra. It can serialize your Octopus space into Terraform configuration, which makes it easier to version-control, and replicate your setup.

Octopus API examples GitHub repository

If you need to automate Octopus outside the UI, our API examples repository can help. It includes ready-to-use scripts for PowerShell, Bash, Python, and more. You’ll find examples for tasks like bulk project updates and advanced deployment automation. It’s a great place to start when building your own scripts.

Octopus Samples Instance

Want to explore Octopus features without creating your own test environment? The Octopus Samples Instance is a fully functional playground. You can click around, test deployments, and see best practices in action. It’s divided into separate spaces for different use cases. This should make it easy to find examples that match the scenarios you’re working on.

Octopus Go API client

Curious how our Go API client works behind the scenes? Or want to contribute improvements yourself? This open-source project is a great place to start: Go API client: https://github.com/OctopusDeploy/go-octopusdeploy This repository shows how the Octopus Go API client works and lets you extend, automate, or contribute to the platform.

Kubernetes YAML & GitHub Actions generators

Speed up your setup with a pair of helpful online generators from Octopus: Kubernetes YAML generator to create clean, valid Kubernetes manifests. GitHub Actions generator to generate GitHub Actions workflow for Octopus deployments. These tools save you time and help reduce errors when building or automating your CI/CD pipelines.

Conclusion

Octopus Deploy is full of hidden gems. We hope these resources spark new ideas for your automation journey.

Did we miss one of your favorites? We’d love to hear about it! Share it in the Octopus Community Slack or explore more in our documentation. Whether you’re a seasoned user or just getting started, there’s always something new to discover.

Happy deployments!

Prerequisites

• An Octopus Cloud account. If you don’t have one, you can sign up for a free trial.
• The Octopus AI Assistant Chrome extension. You can install it from the Chrome Web Store.

Creating the project

Paste the following prompt into the Octopus AI Assistant and run it:

Create a Script project called "11. Script App with Community Step Template". 
Modify the deployment process to include the community step template with the website "https://library.octopus.com/step-templates/d166457a-1421-4731-b143-dd6766fb95d5" as the first step with the name "Calculate Deployment Mode".

This adds the community step template found in the Octopus community step template library as the first step in the deployment process. Community step templates use the URL as an ID to uniquely identify them.

Community step templates are contributed by the Octopus community and can be found in the Octopus Step Template Library. They provide additional functionality that you can easily add to your projects.

You can now create a release and deploy it to the first environment. The step will print the deployment details, indicating whether it is a new or a redeployment, and other helpful information.

What just happened?

You created a sample project with:

• A step sourced from the community step template library that calculates and prints deployment mode information.

What’s next?

The next step is to define project channels.

Taking a quarter or a month to deliver new functionality puts companies behind their competition and prevents them from serving their customers. Few practices offer as much return on investment as Continuous Delivery, but many organizations continue to resist it, often making their deployment problems worse in the process.

Understanding why Continuous Delivery matters and how to implement it effectively can transform not only your deployment process but also your entire software development approach.

Watch the episode

You can watch the episode below, or read on to find some of the key discussion points.

Watch Continuous Delivery Office Hours Ep.1

What is Continuous Delivery?

At its core, Continuous Delivery means you can deploy your software at any time. A good indication of whether a team practices Continuous Delivery is whether they prioritize work that keeps software deployable. Other development styles usually continue working on features and return to deployability issues later.

That means teams must have fast, automated feedback for every change, highlighting when the software has an issue that would prevent its deployment. Deployments to all environments must be automated, with artifacts and deployment processes pinned to avoid unexpected changes between deployments.

The big three: Time, risk, and money

The longer the intervals between deployments, the more you accumulate risk, and the more you delay the value the changes will realize. If you wait six months between deployments, you’re more likely to get caught in a firefighting loop, spending more time pinpointing bug sources because of the volume of changes.

Crucially, until you place new features in users’ hands, you accumulate market risk that the changes won’t solve the underlying problem in a way users accept.

The deployment paradox

Human psychology works against us when deployments go wrong. Having waited six months to deploy, the pain of the firefighting stage and the increased risk of deploying large batches of changes mean people develop an aversion to deployments.

When a process is stressful and goes wrong, we naturally want to do it less often. You might think: “If we do fewer deployments, we’ll have less pain.” But this is precisely backwards.

Decreasing deployment frequency increases batch size, making the next deployment more likely to go wrong and cause pain. This is like avoiding the dentist after a painful checkup; the longer you leave it, the worse the next visit will be.

Risk-averse organizations have instincts that work against their goal of safety. The solution isn’t to deploy less often; it’s to deploy more frequently with smaller batches of changes.

Keeping software deployable during feature development

Another objection to Continuous Integration and Delivery is that features take time to build, so you can’t deploy while a feature is in flight. With an infinity of overlapping feature development, this would result in never deploying (or, more likely, work taking place in long-lived branches).

The solution is to separate deployments from feature release. Trunk-based development (integrating changes into the main branch every day, often many times each day) and feature toggles make it possible to work from a shared code base without making in-flight features visible to users.

There are many benefits to feature toggles beyond supporting Continuous Delivery. They also let you share features early with specific user segments or roll them out progressively rather than all at once.

Changing what deployment success means

When you separate deployment from release, you also transform how you measure deployment success. You’re no longer testing whether new functionality works during deployment. You’re only verifying that the application is running and healthy. This focus makes deployments faster and less stressful.

Feature toggles reduce the stress and burden of deployments because you’ll no longer miss deployment issues while checking functionality or miss functionality problems while monitoring deployments. Separating these concerns means each gets proper attention.

Solving dependency challenges

Feature toggles also address one of the most complex problems in microservices: deployment dependencies. Despite the promise of independently deployable services, teams often create elaborate deployment choreographies to ensure services are deployed in a specific order. Sometimes they give up entirely and deploy everything simultaneously. They accept unpredictable behavior during deployment or direct users to a holding page until it’s complete.

When deployments form a chain of dependencies, the architecture isn’t truly microservices but a distributed monolith. Real microservices should deploy independently. Feature toggles make this possible. Deploy all services when ready, then switch on functionality once dependencies are in place.

Conclusion

Continuous Delivery isn’t just about deploying more often. It’s about reducing risk through smaller changes, separating deployment from release, maintaining deployable code at all times, and giving teams the confidence to move quickly and safely.

The instinct to slow down after problems is natural, but it’s counterproductive. The path to safer deployments runs through more frequent deployments, not fewer. Organizations that embrace this counterintuitive truth gain a competitive advantage through faster feedback, lower risk, and ultimately, better software.

Happy deployments!