The build pipeline
When you run git push managed <branch>, managed.dev turns your repository into a
running site through a fixed, auditable pipeline: detect what the repo is,
build it in an isolated sandbox, content-address and sign the resulting
artifact, then roll that artifact onto the target environment. You never touch
Docker, a registry, or a deploy key — those are platform internals, and the whole
sequence runs on a dedicated builders pool that is kept off your site hosts.
This page walks the pipeline end to end. For how the target environment is chosen from your branch name, see branch routes; for what each detected profile builds and serves, see runtimes & site profiles.
The four stages
Section titled “The four stages”-
Detect. managed.dev inspects the pushed commit and resolves a site profile —
bedrock,vanilla, orstatictoday. Detection keys off the repository shape (acomposer.jsonwith the Bedrock layout, a WordPress tree, or a static-output directory). The chosen profile decides which build steps run and how the result is served. See runtimes & site profiles for the full matrix. -
Build. The profile’s build runs in an isolated, egress-restricted sandbox. The sandbox has no open path to the internet; package managers reach their registries through a managed build proxy with a CONNECT allowlist (npm, Composer/Packagist, PyPI, and the like). This is what lets
composer installandnpm ciwork without giving build code arbitrary outbound network access. -
Sign. The build output is content-addressed — its identity is the hash of its bytes, so an identical input always yields the same artifact id — and then cryptographically signed. The signature is checked again at rollout, so only artifacts this platform built can ever be deployed.
-
Roll. The signed artifact is rolled onto the target environment — production, staging, or a preview — resolved from your branch via branch routes. The previous release is retained, so a rollback is a pointer move, not a rebuild.
What happens on a push
Section titled “What happens on a push”~/acme-store ❯ git push managed feature/checkout managed.dev ▸ detected profile: bedrock (composer.json) managed.dev ▸ building in sandbox (composer install, asset build) managed.dev ▸ artifact sha256:9f2c… signed managed.dev ▸ rolling onto preview environment managed.dev ✓ deploy completehttps://acme-store-feature-checkout-a1b2c3.preview.managed.dev
Build logs stream live
Section titled “Build logs stream live”Build output is streamed over server-sent events while the build runs, so you
watch composer install or an asset bundle scroll in real time rather than polling
for a final blob. The dashboard tails the same stream the public API
exposes: a build is a job, and a job carries a links.stream you can GET as SSE.
Targets: live, staging, preview, ignore
Section titled “Targets: live, staging, preview, ignore”The branch you push decides where the artifact lands. Your default branch (for
example main) maps to production; other branches map to staging,
preview, or ignore through branch routes.
An ignore route means the push is accepted but no environment is built — useful for
branches like dependabot/* that you don’t want to spend a build on.
| Target | Typical branch | Result |
|---|---|---|
live (production) |
main |
Built and rolled onto production. |
staging |
staging, release/* |
Built and rolled onto the shared staging environment. |
preview |
feature branches | Built and rolled onto an isolated, per-branch preview environment with its own URL. |
ignore |
dependabot/* and similar |
Push accepted; no build, no environment. |
Why you never see Docker
Section titled “Why you never see Docker”Customers don’t manage images, registries, or deploy keys because the platform owns all three. The build proxy, the content-addressed artifact store, and the signing keys are operated for you; the only contract you depend on is git push in, running site out. That separation is also a security boundary: build code runs egress-restricted and unprivileged, and the signature gate means a rollout can only ever apply an artifact the platform itself produced.