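---
# SPEC: GH-1548 Gitea mirror/Actions visibility and controlled Docker builder POC
#
# Layout note: the source of this document had lost its line breaks; the
# block structure below is reconstructed from key order. Nesting of the
# sections after `budgets` (targets, stages, componentSurvey,
# statusProjection, next) under `spec` is the most plausible reading —
# confirm against the consumer (scripts/cli.ts cicd gitea-actions-poc).
apiVersion: unidesk.pikapython.com/v1alpha1
kind: CicdGiteaActionsPoc
metadata:
  id: gitea-actions-builder-poc
  owner: UniDesk
  issue: https://github.com/pikasTech/unidesk/issues/1548
  specRef: GH-1548
  version: draft-2026-07-05-p0-gitea-actions-builder-poc
spec:
  # Phase/rollout gate: this document is diagnostic-only and must not replace
  # the production branch follower until the env-reuse decision gate passes.
  scope:
    phase: p1-spec-p2-poc
    productionFollowerReplacement: false
    rolloutEnabled: false
    rolloutMode: diagnostic-only
    preferredTarget: agentrun-jd01-v02
    decisionGate: env-reuse-must-pass-before-replacement

  migration:
    issue: https://github.com/pikasTech/unidesk/issues/1549
    primaryEntrypoint: bun scripts/cli.ts cicd gitea-actions-poc plan
    replacementTarget: gitea-actions-driven-cicd
    branchFollower:
      status: deprecated
      mode: migration-only
      reason: >-
        self-maintained branch observation and controller state machine are
        being replaced by Gitea mirror and Gitea Actions.
      allowedDuringMigration:
        - read-only-status
        - debug-migration-evidence
        - existing-production-controller-until-cutover
      frozenCapabilities:
        - new-controller-loop-features
        - new-self-maintained-branch-observer
        - source-commit-driven-big-loop-debugging
        - new-fallbacks-around-gitea-actions
      finalDisposition: remove-apply-run-once-or-convert-to-readonly-archive-after-cutover

  # CI consumes immutable snapshot refs only: a mutable branch or a host
  # worktree is never an acceptable build input (see runtimePlane /
  # buildPlane below, which both pin sourceAuthority to the snapshot ref).
  sourceAuthority:
    mode: immutable-snapshot-ref
    allowMutableBranchAsCiSource: false
    allowHostWorktree: false
    existingMirrorRef: config/cicd-branch-followers.yaml#followers.agentrun-jd01-v02.nativeStatus.source.gitMirrorReadUrl

  giteaMirror:
    enabledForPoc: true
    role: internal-github-upstream-mirror
    namespace: devops-infra
    serviceName: gitea-http
    # Cluster-internal service URL (plain HTTP); no external exposure is
    # declared here.
    internalBaseUrl: http://gitea-http.devops-infra.svc.cluster.local:3000
    snapshotRefPrefix: refs/unidesk/snapshots/gitea-actions/agentrun-v0.2
    mirrorLagStatus: required
    forceSyncEntry: gitea-ui-or-controlled-cli
    repositories:
      - key: agentrun
        repository: pikasTech/agentrun
        upstreamBranch: v0.2
        gitopsBranch: jd01-v0.2-gitops
      - key: unidesk
        repository: pikasTech/unidesk
        upstreamBranch: master

  actions:
    enabledForPoc: true
    role: visibility-and-event-orchestration
    workflowSource:
      repository: pikasTech/agentrun
      path: .gitea/workflows/unidesk-agentrun-jd01-v02.yaml
    runner:
      mode: dedicated-act-runner
      # The runner stays inside the internal trust boundary; its token comes
      # from a referenced env file, never inline, and it must not be handed a
      # runtime-namespace token.
      trustBoundary: internal-only
      label: unidesk-ci-builder
      credentialsRef:
        sourceRef: cicd/gitea-actions-runner.env
        targetKey: token
      allowRuntimeNamespaceToken: false
    trigger:
      primary: actions-to-tekton-eventlistener
      fallback: actions-to-unidesk-controlled-api
      # Every dispatch payload must carry these fields so the downstream
      # pipeline can be tied back to an immutable source snapshot.
      payloadMustInclude:
        - sourceCommit
        - snapshotRef
        - repository
        - branch
        - reusePlanArtifactRef
    logPolicy:
      defaultBoundedSummary: true
      fullLogRequiresDrillDown: true
      # Logs may state that a secret source was present (by fingerprint),
      # never the secret value itself.
      secretRedaction: sourceRef-presence-fingerprint-only

  # Runtime plane: no Docker, no builds, no socket, no host worktree. It only
  # pulls images that the build plane produced, via GitOps/Argo.
  runtimePlane:
    dockerAllowed: false
    buildAllowed: false
    dockerSocketAllowed: false
    hostWorktreeAllowed: false
    sourceAuthority: immutable-snapshot-ref
    deployMode: gitops-argo-pull-built-image
    statusAuthority:
      - argo-application
      - kubernetes-workload-status
      - runtime-health
      - provenance-artifact

  # Build plane: the only place Docker/BuildKit is permitted, and never on the
  # master server or a runtime node.
  buildPlane:
    dockerAllowed: true
    buildAllowed: true
    dockerScope: ci-build-plane-only
    mode: controlled-docker-or-buildkit-builder
    engineCandidates:
      - native-docker-daemon
      - buildkit
    selectedEngineForPoc: buildkit
    forbidMasterServer: true
    forbidRuntimeNode: true
    endpoint:
      kind: buildkit
      ref: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.buildkitImage
    registry:
      ref: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.registryPrefix
    # Credentials are referenced from env files, not stored in this spec.
    credentials:
      registry:
        sourceRef: cicd/registry-builder.env
        targetKey: REGISTRY_AUTH
      builder:
        sourceRef: cicd/buildkit-builder.env
        targetKey: BUILDKIT_AUTH
    cache:
      policyRef: config/cicd-gitea-actions-poc.yaml#spec.buildPlane.cache
      mode: yaml-first-buildkit-cache
      gcRequired: true
    # Provenance record emitted per build; these fields link an image digest
    # back to source, environment and the reuse decision that produced it.
    provenance:
      required: true
      fields:
        - sourceCommit
        - snapshotRef
        - envIdentity
        - imageDigest
        - recipeHash
        - baseImageDigest
        - reuseDecision
        - builderId
        - actionsRunId
        - pipelineRunName

  reuse:
    p0NoRegression: true
    # Path copied verbatim from the source; "reuse.ymal" may be a typo for
    # "reuse.yaml" — confirm against the gitops repository before relying on it.
    sourceTruth: gitops/reuse.ymal
    sourceRead: immutable-snapshot
    existingParser: scripts/src/cicd-reuse-config.ts
    existingAgentRunPlanner: scripts/src/cicd-agentrun-reuse.ts
    ciConsumptionRequired: true
    requiredDecisions:
      - skipImageBuild
      - reuseEnvImage
    requiredArtifacts:
      - affectedServices
      - buildServices
      - reusedServices
      - skipImageBuild
      - reuseEnvImage
      - artifactProvenanceAudit
    noRegressionChecks:
      - runtime-reuse-hit-skips-rollout
      - env-unchanged-skips-env-image-build
      - ci-builder-consumes-reuse-plan
      - runtime-status-links-env-image-provenance

  tekton:
    enabledForPoc: true
    triggerMode: eventlistener-or-controlled-pipelinerun
    # The EventListener is a network-reachable trigger; componentSurvey below
    # records that its RBAC and ingress exposure must be bounded.
    eventListener:
      namespace: agentrun-ci
      name: gitea-actions-agentrun-jd01-v02
      serviceAccountRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.serviceAccountName
    pipeline:
      namespaceRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.namespace
      nameRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.pipeline
      runPrefixRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.pipelineRunPrefix
    sourceParameters:
      - sourceCommit
      - snapshotRef
      - reusePlanArtifactRef

  argo:
    enabledForPoc: true
    role: runtime-closeout
    namespaceRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.gitops.argoNamespace
    applicationRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.gitops.argoApplication
    statusOnlyFromNativeObjects: true

  # Time budgets in seconds. The per-stage values sum to more than
  # endToEndSeconds, so they are presumably not meant to be serial
  # upper bounds — confirm how the consumer interprets them.
  budgets:
    endToEndSeconds: 120
    sourceSyncSeconds: 20
    actionsDispatchSeconds: 20
    reusePlanSeconds: 20
    buildOrReuseSeconds: 70
    gitopsArgoCloseoutSeconds: 50
    statusSeconds: 35

  targets:
    - id: agentrun-jd01-v02
      enabled: true
      repository: pikasTech/agentrun
      branch: v0.2
      node: JD01
      lane: jd01-v02
      baseline:
        currentBranchFollowerSeconds: 105.7
        budgetRef: config/cicd-gitea-actions-poc.yaml#spec.budgets.endToEndSeconds
      source:
        branchRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.source.branch
        snapshotRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.source.sourceSnapshot.stageRefPrefix
        currentMirrorReadUrlRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.gitMirror.readUrl
      actions:
        workflowRef: config/cicd-gitea-actions-poc.yaml#spec.actions.workflowSource
      tekton:
        pipelineRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.pipeline
        pipelineRunPrefixRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.pipelineRunPrefix
      argo:
        applicationRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.gitops.argoApplication
      runtime:
        namespaceRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.runtime.namespace
        workload: Deployment/agentrun-mgr
      # Closeout is evidence-driven: a run is only complete when every item
      # below is present, so the deployed workload can be traced to its
      # source commit, image digest and reuse decision.
      closeout:
        healthPath: /health
        requiredEvidence:
          - sourceCommit
          - snapshotRef
          - actionsRunId
          - pipelineRunName
          - builderJobName
          - gitopsRevision
          - argoHealth
          - runtimeTargetSha
          - imageDigest
          - envIdentity
          - reuseDecision

  # Each stage names the single component whose native status is authoritative
  # for it; status is read from that object, not from another stage's output.
  stages:
    - id: mirror-sync
      owner: gitea-mirror
      statusAuthority: gitea-repository-and-snapshot-ref
      output: immutableSnapshotRef
    - id: actions-dispatch
      owner: gitea-actions
      statusAuthority: actions-run-api
      output: actionsRunId
    - id: reuse-plan
      owner: unidesk-cli
      statusAuthority: reuse-plan-artifact
      output: affectedServices-buildServices-reusedServices
    - id: build-or-reuse
      owner: controlled-builder-plane
      statusAuthority: provenance-artifact
      output: imageDigest-or-reuseDecision
    - id: tekton-pipelinerun
      owner: tekton
      statusAuthority: pipelineRun-taskRun-status
      output: pipelineRunName
    - id: gitops-publish
      owner: unidesk-cli-or-tekton
      statusAuthority: gitops-commit
      output: gitopsRevision
    - id: argo-closeout
      owner: argo-cd
      statusAuthority: argo-application
      output: sync-health
    - id: runtime-provenance
      owner: unidesk-status
      statusAuthority: k8s-native-status-and-health
      output: runtimeTargetSha-health-provenance

  componentSurvey:
    - component: gitea-mirror
      role: internal-source-mirror
      maturity: candidate
      directReuse: yes-for-visible-pull-mirror
      docs: https://docs.gitea.com/usage/repo-mirror
      risk: must-map-existing-snapshot-and-flush-semantics
    - component: gitea-actions
      role: visibility-event-orchestration
      maturity: production-capable-candidate
      directReuse: yes-as-visibility-layer-not-final-truth
      docs: https://docs.gitea.com/usage/actions/overview
      risk: github-actions-compatibility-gaps-and-runner-trust-boundary
    - component: tekton-triggers
      role: actions-to-pipelinerun-bridge
      maturity: candidate
      directReuse: yes-for-eventlistener-to-pipelinerun
      docs: https://tekton.dev/docs/triggers/eventlisteners/
      risk: eventlistener-rbac-and-ingress-exposure-must-be-bounded
    - component: argo-cd
      role: gitops-runtime-closeout
      maturity: existing-production-component
      directReuse: keep-existing
      docs: https://argo-cd.readthedocs.io/en/stable/core_concepts/
      risk: actions-must-not-parse-human-argo-output

  # Default status output is a bounded summary with the fields below; full
  # objects are only reachable through the named drill-down commands.
  statusProjection:
    mode: bounded-summary
    defaultOutputMustNotDump: true
    requiredFields:
      - target
      - sourceCommit
      - snapshotRef
      - giteaMirrorLag
      - actionsRunId
      - pipelineRunName
      - builderJobName
      - buildServices
      - reusedServices
      - skipImageBuild
      - reuseEnvImage
      - imageDigest
      - gitopsRevision
      - argoSync
      - argoHealth
      - runtimeTargetSha
      - health
      - elapsedSeconds
    drillDown:
      actionsRun: gitea-actions-run
      tekton: cicd-pipelinerun
      builder: cicd-builder-job
      argo: argo-application
      runtime: cicd-runtime

  next:
    plan: bun scripts/cli.ts cicd gitea-actions-poc plan
    status: bun scripts/cli.ts cicd gitea-actions-poc status
    existingFollowerStatus: bun scripts/cli.ts cicd branch-follower status --follower agentrun-jd01-v02
    pocIssue: https://github.com/pikasTech/unidesk/issues/1548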