developer → gitlab → kargo → argo cd → dev · staging · prod
You never kubectl apply. Every change to the cluster is a commit on ecom-demo-deployment. If it isn't in git, it isn't running.
Dev auto-updates on every SHA. Staging gates on a semver VERSION bump. Prod waits for a human to click "Promote" in Kargo.
Kargo promotes by image digest, not by tag. No re-build, no re-tag, no "works on staging but broke in prod from a re-pushed tag".
Every promotion is a Kargo Promotion CR and a git commit on the deployment repo. Rollback is git revert.
Kargo → git (commits desired state). Argo CD → cluster (applies desired state). Failures in one don't corrupt the other.
Kargo's web UI is where humans approve prod rollouts. Everything else — dev & staging — is a side effect of git push.