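# SPEC: GH-1548 Gitea mirror/Actions visibility and controlled Docker builder POC
---
apiVersion: unidesk.pikapython.com/v1alpha1
kind: CicdGiteaActionsPoc
metadata:
  id: gitea-actions-builder-poc
  owner: UniDesk
  issue: https://github.com/pikasTech/unidesk/issues/1548
  specRef: GH-1548
  version: draft-2026-07-05-p0-gitea-actions-builder-poc
spec:
  # POC only: rollout is disabled and the production follower is not replaced
  # until the decision gate passes.
  scope:
    phase: p1-spec-p2-poc
    productionFollowerReplacement: false
    rolloutEnabled: false
    rolloutMode: diagnostic-only
    preferredTarget: agentrun-jd01-v02
    decisionGate: env-reuse-must-pass-before-replacement
  migration:
    issue: https://github.com/pikasTech/unidesk/issues/1549
    primaryEntrypoint: bun scripts/cli.ts cicd gitea-actions-poc plan
    replacementTarget: gitea-actions-driven-cicd
    # The self-maintained branch follower is frozen: only read/debug use and the
    # existing production controller remain allowed until cutover.
    branchFollower:
      status: deprecated
      mode: migration-only
      reason: >-
        self-maintained branch observation and controller state machine are
        being replaced by Gitea mirror and Gitea Actions.
      allowedDuringMigration:
        - read-only-status
        - debug-migration-evidence
        - existing-production-controller-until-cutover
      frozenCapabilities:
        - new-controller-loop-features
        - new-self-maintained-branch-observer
        - source-commit-driven-big-loop-debugging
        - new-fallbacks-around-gitea-actions
      finalDisposition: remove-apply-run-once-or-convert-to-readonly-archive-after-cutover
  # CI input is an immutable snapshot ref; mutable branches and host worktrees
  # are not accepted as a build source.
  sourceAuthority:
    mode: immutable-snapshot-ref
    allowMutableBranchAsCiSource: false
    allowHostWorktree: false
    existingMirrorRef: config/cicd-branch-followers.yaml#followers.agentrun-jd01-v02.nativeStatus.source.gitMirrorReadUrl
  giteaMirror:
    enabledForPoc: true
    role: internal-github-upstream-mirror
    namespace: devops-infra
    serviceName: gitea-http
    # Cluster-local service DNS; no external exposure is declared here.
    internalBaseUrl: http://gitea-http.devops-infra.svc.cluster.local:3000
    snapshotRefPrefix: refs/unidesk/snapshots/gitea-actions/agentrun-v0.2
    mirrorLagStatus: required
    forceSyncEntry: gitea-ui-or-controlled-cli
    repositories:
      - key: agentrun
        repository: pikasTech/agentrun
        upstreamBranch: v0.2
        gitopsBranch: jd01-v0.2-gitops
      - key: unidesk
        repository: pikasTech/unidesk
        upstreamBranch: master
  actions:
    enabledForPoc: true
    role: visibility-and-event-orchestration
    workflowSource:
      repository: pikasTech/agentrun
      path: .gitea/workflows/unidesk-agentrun-jd01-v02.yaml
    # Dedicated runner with an internal-only trust boundary. Credentials are
    # referenced by file path and key name only; no secret material is inline.
    runner:
      mode: dedicated-act-runner
      trustBoundary: internal-only
      label: unidesk-ci-builder
      credentialsRef:
        sourceRef: cicd/gitea-actions-runner.env
        targetKey: token
      # The runner must not reuse the runtime namespace's service-account token.
      allowRuntimeNamespaceToken: false
    # Actions hand off to Tekton via EventListener; see componentSurvey for the
    # EventListener RBAC/ingress exposure risk that bounds this path.
    trigger:
      primary: actions-to-tekton-eventlistener
      fallback: actions-to-unidesk-controlled-api
      payloadMustInclude:
        - sourceCommit
        - snapshotRef
        - repository
        - branch
        - reusePlanArtifactRef
    # Default output is a bounded summary; secrets surface only as a
    # presence/fingerprint of their sourceRef, never as values.
    logPolicy:
      defaultBoundedSummary: true
      fullLogRequiresDrillDown: true
      secretRedaction: sourceRef-presence-fingerprint-only
  # Runtime nodes never build: no Docker, no build, no Docker socket, no host
  # worktree. Images reach runtime only through the GitOps/Argo pull path.
  runtimePlane:
    dockerAllowed: false
    buildAllowed: false
    dockerSocketAllowed: false
    hostWorktreeAllowed: false
    sourceAuthority: immutable-snapshot-ref
    deployMode: gitops-argo-pull-built-image
    statusAuthority:
      - argo-application
      - kubernetes-workload-status
      - runtime-health
      - provenance-artifact
  # Docker/BuildKit is confined to the CI build plane and is forbidden on the
  # master server and on runtime nodes.
  buildPlane:
    dockerAllowed: true
    buildAllowed: true
    dockerScope: ci-build-plane-only
    mode: controlled-docker-or-buildkit-builder
    engineCandidates:
      - native-docker-daemon
      - buildkit
    selectedEngineForPoc: buildkit
    forbidMasterServer: true
    forbidRuntimeNode: true
    endpoint:
      kind: buildkit
      ref: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.buildkitImage
    registry:
      ref: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.registryPrefix
    # sourceRef points at an env file; targetKey is the variable name consumed
    # by the builder. Values are never stored in this spec.
    credentials:
      registry:
        sourceRef: cicd/registry-builder.env
        targetKey: REGISTRY_AUTH
      builder:
        sourceRef: cicd/buildkit-builder.env
        targetKey: BUILDKIT_AUTH
    cache:
      policyRef: config/cicd-gitea-actions-poc.yaml#spec.buildPlane.cache
      mode: yaml-first-buildkit-cache
      gcRequired: true
    # Every build emits a provenance record with these fields; runtime status
    # links back to it (see reuse.noRegressionChecks).
    provenance:
      required: true
      fields:
        - sourceCommit
        - snapshotRef
        - envIdentity
        - imageDigest
        - recipeHash
        - baseImageDigest
        - reuseDecision
        - builderId
        - actionsRunId
        - pipelineRunName
  reuse:
    p0NoRegression: true
    # NOTE(review): extension is ".ymal", not ".yaml" — kept verbatim because it
    # is a path value; confirm against the repository before changing.
    sourceTruth: gitops/reuse.ymal
    sourceRead: immutable-snapshot
    existingParser: scripts/src/cicd-reuse-config.ts
    existingAgentRunPlanner: scripts/src/cicd-agentrun-reuse.ts
    ciConsumptionRequired: true
    requiredDecisions:
      - skipImageBuild
      - reuseEnvImage
    requiredArtifacts:
      - affectedServices
      - buildServices
      - reusedServices
      - skipImageBuild
      - reuseEnvImage
      - artifactProvenanceAudit
    noRegressionChecks:
      - runtime-reuse-hit-skips-rollout
      - env-unchanged-skips-env-image-build
      - ci-builder-consumes-reuse-plan
      - runtime-status-links-env-image-provenance
  tekton:
    enabledForPoc: true
    triggerMode: eventlistener-or-controlled-pipelinerun
    # The EventListener runs under the lane's CI service account (by ref).
    eventListener:
      namespace: agentrun-ci
      name: gitea-actions-agentrun-jd01-v02
      serviceAccountRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.serviceAccountName
    pipeline:
      namespaceRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.namespace
      nameRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.pipeline
      runPrefixRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.pipelineRunPrefix
      sourceParameters:
        - sourceCommit
        - snapshotRef
        - reusePlanArtifactRef
  argo:
    enabledForPoc: true
    role: runtime-closeout
    namespaceRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.gitops.argoNamespace
    applicationRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.gitops.argoApplication
    statusOnlyFromNativeObjects: true
  # Per-stage time budgets in seconds; endToEndSeconds is the overall target.
  budgets:
    endToEndSeconds: 120
    sourceSyncSeconds: 20
    actionsDispatchSeconds: 20
    reusePlanSeconds: 20
    buildOrReuseSeconds: 70
    gitopsArgoCloseoutSeconds: 50
    statusSeconds: 35
  targets:
    - id: agentrun-jd01-v02
      enabled: true
      repository: pikasTech/agentrun
      branch: v0.2
      node: JD01
      lane: jd01-v02
      # Measured follower time compared against budgets.endToEndSeconds.
      baseline:
        currentBranchFollowerSeconds: 105.7
        budgetRef: config/cicd-gitea-actions-poc.yaml#spec.budgets.endToEndSeconds
      source:
        branchRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.source.branch
        snapshotRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.source.sourceSnapshot.stageRefPrefix
        currentMirrorReadUrlRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.gitMirror.readUrl
      actions:
        workflowRef: config/cicd-gitea-actions-poc.yaml#spec.actions.workflowSource
      tekton:
        pipelineRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.pipeline
        pipelineRunPrefixRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.pipelineRunPrefix
      argo:
        applicationRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.gitops.argoApplication
      runtime:
        namespaceRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.runtime.namespace
        workload: Deployment/agentrun-mgr
      # Evidence a closeout must carry before the target counts as done.
      closeout:
        healthPath: /health
        requiredEvidence:
          - sourceCommit
          - snapshotRef
          - actionsRunId
          - pipelineRunName
          - builderJobName
          - gitopsRevision
          - argoHealth
          - runtimeTargetSha
          - imageDigest
          - envIdentity
          - reuseDecision
  # Ordered pipeline stages; each names the single component whose native
  # status is authoritative for it and the output it produces.
  stages:
    - id: mirror-sync
      owner: gitea-mirror
      statusAuthority: gitea-repository-and-snapshot-ref
      output: immutableSnapshotRef
    - id: actions-dispatch
      owner: gitea-actions
      statusAuthority: actions-run-api
      output: actionsRunId
    - id: reuse-plan
      owner: unidesk-cli
      statusAuthority: reuse-plan-artifact
      output: affectedServices-buildServices-reusedServices
    - id: build-or-reuse
      owner: controlled-builder-plane
      statusAuthority: provenance-artifact
      output: imageDigest-or-reuseDecision
    - id: tekton-pipelinerun
      owner: tekton
      statusAuthority: pipelineRun-taskRun-status
      output: pipelineRunName
    - id: gitops-publish
      owner: unidesk-cli-or-tekton
      statusAuthority: gitops-commit
      output: gitopsRevision
    - id: argo-closeout
      owner: argo-cd
      statusAuthority: argo-application
      output: sync-health
    - id: runtime-provenance
      owner: unidesk-status
      statusAuthority: k8s-native-status-and-health
      output: runtimeTargetSha-health-provenance
  # Component maturity and the main risk each one brings into the POC.
  componentSurvey:
    - component: gitea-mirror
      role: internal-source-mirror
      maturity: candidate
      directReuse: yes-for-visible-pull-mirror
      docs: https://docs.gitea.com/usage/repo-mirror
      risk: must-map-existing-snapshot-and-flush-semantics
    - component: gitea-actions
      role: visibility-event-orchestration
      maturity: production-capable-candidate
      directReuse: yes-as-visibility-layer-not-final-truth
      docs: https://docs.gitea.com/usage/actions/overview
      risk: github-actions-compatibility-gaps-and-runner-trust-boundary
    - component: tekton-triggers
      role: actions-to-pipelinerun-bridge
      maturity: candidate
      directReuse: yes-for-eventlistener-to-pipelinerun
      docs: https://tekton.dev/docs/triggers/eventlisteners/
      risk: eventlistener-rbac-and-ingress-exposure-must-be-bounded
    - component: argo-cd
      role: gitops-runtime-closeout
      maturity: existing-production-component
      directReuse: keep-existing
      docs: https://argo-cd.readthedocs.io/en/stable/core_concepts/
      risk: actions-must-not-parse-human-argo-output
  # Status output is a bounded summary of these fields; full detail is reached
  # only through the drillDown views.
  statusProjection:
    mode: bounded-summary
    defaultOutputMustNotDump: true
    requiredFields:
      - target
      - sourceCommit
      - snapshotRef
      - giteaMirrorLag
      - actionsRunId
      - pipelineRunName
      - builderJobName
      - buildServices
      - reusedServices
      - skipImageBuild
      - reuseEnvImage
      - imageDigest
      - gitopsRevision
      - argoSync
      - argoHealth
      - runtimeTargetSha
      - health
      - elapsedSeconds
    drillDown:
      actionsRun: gitea-actions-run
      tekton: cicd-pipelinerun
      builder: cicd-builder-job
      argo: argo-application
      runtime: cicd-runtime
  # CLI entrypoints for the POC and for the follower it is measured against.
  next:
    plan: bun scripts/cli.ts cicd gitea-actions-poc plan
    status: bun scripts/cli.ts cicd gitea-actions-poc status
    existingFollowerStatus: bun scripts/cli.ts cicd branch-follower status --follower agentrun-jd01-v02
    pocIssue: https://github.com/pikasTech/unidesk/issues/1548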