# SPEC: GH-1548 Gitea mirror/Actions visibility and controlled Docker builder POC
#
# Declarative spec for the Gitea mirror + Gitea Actions + controlled builder
# proof of concept tracked in metadata.issue. The values express configuration
# intent for the CLI named in spec.migration.primaryEntrypoint; nothing here
# is consumed directly by Gitea, Tekton or Argo.
#
# NOTE(review): indentation was restored from a listing that had lost all
# leading whitespace. Nesting was recovered from key grouping and the blank
# lines separating sections; places where two parents were plausible are
# marked inline — confirm against the canonical config/cicd-gitea-actions-poc.yaml.
apiVersion: unidesk.pikapython.com/v1alpha1
kind: CicdGiteaActionsPoc
metadata:
  id: gitea-actions-builder-poc
  owner: UniDesk
  issue: https://github.com/pikasTech/unidesk/issues/1548
  specRef: GH-1548
  version: draft-2026-07-05-p0-gitea-actions-builder-poc

spec:
  # POC gating: production follower replacement and rollout are both off,
  # the mode is diagnostic-only, and env-reuse must pass before replacement.
  scope:
    phase: p1-spec-p2-poc
    productionFollowerReplacement: false
    rolloutEnabled: false
    rolloutMode: diagnostic-only
    preferredTarget: agentrun-jd01-v02
    decisionGate: env-reuse-must-pass-before-replacement

  # Migration away from the self-maintained branch follower (GH-1549).
  migration:
    issue: https://github.com/pikasTech/unidesk/issues/1549
    primaryEntrypoint: bun scripts/cli.ts cicd gitea-actions-poc plan
    replacementTarget: gitea-actions-driven-cicd
    branchFollower:
      status: deprecated
      mode: migration-only
      reason: self-maintained branch observation and controller state machine are being replaced by Gitea mirror and Gitea Actions.
      # What the deprecated follower may still be used for until cutover.
      allowedDuringMigration:
        - read-only-status
        - debug-migration-evidence
        - existing-production-controller-until-cutover
      # Work that is frozen on the follower; no new features or fallbacks.
      frozenCapabilities:
        - new-controller-loop-features
        - new-self-maintained-branch-observer
        - source-commit-driven-big-loop-debugging
        - new-fallbacks-around-gitea-actions
      finalDisposition: remove-apply-run-once-or-convert-to-readonly-archive-after-cutover

  # CI input is an immutable snapshot ref only: mutable branches and host
  # worktrees are explicitly not accepted as a build source.
  sourceAuthority:
    mode: immutable-snapshot-ref
    allowMutableBranchAsCiSource: false
    allowHostWorktree: false
    existingMirrorRef: config/cicd-branch-followers.yaml#followers.agentrun-jd01-v02.nativeStatus.source.gitMirrorReadUrl
  # Internal Gitea mirror of the GitHub upstream. The base URL is a
  # cluster-local service address, so it is only reachable in-cluster.
  # NOTE(review): giteaMirror had no blank line before it in the listing; it is
  # placed as a sibling of sourceAuthority because its enabledForPoc/role shape
  # matches actions/tekton/argo below — confirm.
  giteaMirror:
    enabledForPoc: true
    role: internal-github-upstream-mirror
    namespace: devops-infra
    serviceName: gitea-http
    internalBaseUrl: http://gitea-http.devops-infra.svc.cluster.local:3000
    snapshotRefPrefix: refs/unidesk/snapshots/gitea-actions/agentrun-v0.2
    # Mirror lag must be reported; forced sync goes through the Gitea UI or
    # the controlled CLI, not ad-hoc git pushes.
    mirrorLagStatus: required
    forceSyncEntry: gitea-ui-or-controlled-cli
    repositories:
      - key: agentrun
        repository: pikasTech/agentrun
        upstreamBranch: v0.2
        gitopsBranch: jd01-v0.2-gitops
      - key: unidesk
        repository: pikasTech/unidesk
        upstreamBranch: master

  # Gitea Actions provides visibility and event orchestration; it is not the
  # final status authority (see componentSurvey.gitea-actions.directReuse).
  actions:
    enabledForPoc: true
    role: visibility-and-event-orchestration
    workflowSource:
      repository: pikasTech/agentrun
      path: .gitea/workflows/unidesk-agentrun-jd01-v02.yaml
    # Dedicated act_runner inside the internal trust boundary. Its token is an
    # env-file reference (sourceRef/targetKey), not an inline value, and a
    # runtime-namespace token is explicitly disallowed for the runner.
    runner:
      mode: dedicated-act-runner
      trustBoundary: internal-only
      label: unidesk-ci-builder
      credentialsRef:
        sourceRef: cicd/gitea-actions-runner.env
        targetKey: token
      allowRuntimeNamespaceToken: false
    # Primary dispatch is Actions -> Tekton EventListener; the fallback goes
    # through a UniDesk-controlled API. Every dispatch payload must carry the
    # fields listed, so downstream stages never infer source identity.
    trigger:
      primary: actions-to-tekton-eventlistener
      fallback: actions-to-unidesk-controlled-api
      payloadMustInclude:
        - sourceCommit
        - snapshotRef
        - repository
        - branch
        - reusePlanArtifactRef
    # Default output is a bounded summary; full logs need a drill-down. The
    # redaction value indicates only the presence and a fingerprint of a
    # secret sourceRef are surfaced, never the secret itself.
    logPolicy:
      defaultBoundedSummary: true
      fullLogRequiresDrillDown: true
      secretRedaction: sourceRef-presence-fingerprint-only

  # Runtime plane: no Docker, no builds, no Docker socket, no host worktree.
  # Images arrive via GitOps/Argo pull and status is read from the listed
  # native authorities, not from CI output.
  runtimePlane:
    dockerAllowed: false
    buildAllowed: false
    dockerSocketAllowed: false
    hostWorktreeAllowed: false
    sourceAuthority: immutable-snapshot-ref
    deployMode: gitops-argo-pull-built-image
    statusAuthority:
      - argo-application
      - kubernetes-workload-status
      - runtime-health
      - provenance-artifact

  # Build plane is the only place Docker/BuildKit is permitted, and builders
  # must not be scheduled on the master server or on runtime nodes.
  buildPlane:
    dockerAllowed: true
    buildAllowed: true
    dockerScope: ci-build-plane-only
    mode: controlled-docker-or-buildkit-builder
    engineCandidates:
      - native-docker-daemon
      - buildkit
    selectedEngineForPoc: buildkit
    forbidMasterServer: true
    forbidRuntimeNode: true
    endpoint:
      kind: buildkit
      ref: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.buildkitImage
    registry:
      ref: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.registryPrefix
    # Registry and builder credentials are env-file references; targetKey is
    # presumably the variable name expected in that file — confirm with the
    # builder job definition.
    credentials:
      registry:
        sourceRef: cicd/registry-builder.env
        targetKey: REGISTRY_AUTH
      builder:
        sourceRef: cicd/buildkit-builder.env
        targetKey: BUILDKIT_AUTH
    # policyRef points back at this section; cache garbage collection is
    # required, not optional.
    cache:
      policyRef: config/cicd-gitea-actions-poc.yaml#spec.buildPlane.cache
      mode: yaml-first-buildkit-cache
      gcRequired: true
    # Provenance is mandatory for every build. The fields tie an image digest
    # back to the source commit, snapshot ref, env identity, recipe, base
    # image, reuse decision, builder and the Actions/Tekton run that made it.
    provenance:
      required: true
      fields:
        - sourceCommit
        - snapshotRef
        - envIdentity
        - imageDigest
        - recipeHash
        - baseImageDigest
        - reuseDecision
        - builderId
        - actionsRunId
        - pipelineRunName

  # Env/image reuse plan. The CI builder must consume the reuse plan rather
  # than rebuilding unconditionally (see noRegressionChecks).
  reuse:
    p0NoRegression: true
    # NOTE(review): "reuse.ymal" looks like a typo for "reuse.yaml"; the value
    # is kept as found — confirm against the path read by existingParser.
    sourceTruth: gitops/reuse.ymal
    sourceRead: immutable-snapshot
    existingParser: scripts/src/cicd-reuse-config.ts
    existingAgentRunPlanner: scripts/src/cicd-agentrun-reuse.ts
    ciConsumptionRequired: true
    requiredDecisions:
      - skipImageBuild
      - reuseEnvImage
    requiredArtifacts:
      - affectedServices
      - buildServices
      - reusedServices
      - skipImageBuild
      - reuseEnvImage
      - artifactProvenanceAudit
    noRegressionChecks:
      - runtime-reuse-hit-skips-rollout
      - env-unchanged-skips-env-image-build
      - ci-builder-consumes-reuse-plan
      - runtime-status-links-env-image-provenance

  # Tekton bridge. The EventListener runs in agentrun-ci under a lane-specific
  # service account (by ref); componentSurvey records that its RBAC and
  # ingress exposure must stay bounded.
  tekton:
    enabledForPoc: true
    triggerMode: eventlistener-or-controlled-pipelinerun
    eventListener:
      namespace: agentrun-ci
      name: gitea-actions-agentrun-jd01-v02
      serviceAccountRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.serviceAccountName
    pipeline:
      namespaceRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.namespace
      nameRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.pipeline
      runPrefixRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.pipelineRunPrefix
      # NOTE(review): sourceParameters could also belong directly under tekton;
      # placed under pipeline — confirm.
      sourceParameters:
        - sourceCommit
        - snapshotRef
        - reusePlanArtifactRef

  # Argo CD closes out the runtime side; status is taken only from native
  # objects, never from parsed human-readable output.
  argo:
    enabledForPoc: true
    role: runtime-closeout
    namespaceRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.gitops.argoNamespace
    applicationRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.gitops.argoApplication
    statusOnlyFromNativeObjects: true

  # Time budgets in seconds. The per-stage values are not meant to sum to
  # endToEndSeconds (they overlap); compare against targets[].baseline.
  budgets:
    endToEndSeconds: 120
    sourceSyncSeconds: 20
    actionsDispatchSeconds: 20
    reusePlanSeconds: 20
    buildOrReuseSeconds: 70
    gitopsArgoCloseoutSeconds: 50
    statusSeconds: 35

  # Single POC target; every location is a ref into config/agentrun.yaml.
  targets:
    - id: agentrun-jd01-v02
      enabled: true
      repository: pikasTech/agentrun
      branch: v0.2
      node: JD01
      lane: jd01-v02
      baseline:
        currentBranchFollowerSeconds: 105.7
        budgetRef: config/cicd-gitea-actions-poc.yaml#spec.budgets.endToEndSeconds
      source:
        branchRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.source.branch
        snapshotRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.source.sourceSnapshot.stageRefPrefix
        currentMirrorReadUrlRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.gitMirror.readUrl
      actions:
        workflowRef: config/cicd-gitea-actions-poc.yaml#spec.actions.workflowSource
      tekton:
        pipelineRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.pipeline
        pipelineRunPrefixRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.ci.pipelineRunPrefix
      argo:
        applicationRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.gitops.argoApplication
      runtime:
        namespaceRef: config/agentrun.yaml#controlPlane.lanes.jd01-v02.runtime.namespace
        workload: Deployment/agentrun-mgr
      # Evidence a closeout must present before the target counts as done.
      # NOTE(review): closeout could also sit under runtime; placed at target
      # level — confirm.
      closeout:
        healthPath: /health
        requiredEvidence:
          - sourceCommit
          - snapshotRef
          - actionsRunId
          - pipelineRunName
          - builderJobName
          - gitopsRevision
          - argoHealth
          - runtimeTargetSha
          - imageDigest
          - envIdentity
          - reuseDecision

  # Pipeline stages in order; each names the component that owns it, where
  # its status is read from, and what it produces for the next stage.
  stages:
    - id: mirror-sync
      owner: gitea-mirror
      statusAuthority: gitea-repository-and-snapshot-ref
      output: immutableSnapshotRef
    - id: actions-dispatch
      owner: gitea-actions
      statusAuthority: actions-run-api
      output: actionsRunId
    - id: reuse-plan
      owner: unidesk-cli
      statusAuthority: reuse-plan-artifact
      output: affectedServices-buildServices-reusedServices
    - id: build-or-reuse
      owner: controlled-builder-plane
      statusAuthority: provenance-artifact
      output: imageDigest-or-reuseDecision
    - id: tekton-pipelinerun
      owner: tekton
      statusAuthority: pipelineRun-taskRun-status
      output: pipelineRunName
    - id: gitops-publish
      owner: unidesk-cli-or-tekton
      statusAuthority: gitops-commit
      output: gitopsRevision
    - id: argo-closeout
      owner: argo-cd
      statusAuthority: argo-application
      output: sync-health
    - id: runtime-provenance
      owner: unidesk-status
      statusAuthority: k8s-native-status-and-health
      output: runtimeTargetSha-health-provenance

  # Component survey. The risk entries are the open security/operational
  # concerns for each component: runner trust boundary and Actions
  # compatibility gaps, bounded EventListener RBAC/ingress exposure, and
  # never parsing human-oriented Argo output.
  componentSurvey:
    - component: gitea-mirror
      role: internal-source-mirror
      maturity: candidate
      directReuse: yes-for-visible-pull-mirror
      docs: https://docs.gitea.com/usage/repo-mirror
      risk: must-map-existing-snapshot-and-flush-semantics
    - component: gitea-actions
      role: visibility-event-orchestration
      maturity: production-capable-candidate
      directReuse: yes-as-visibility-layer-not-final-truth
      docs: https://docs.gitea.com/usage/actions/overview
      risk: github-actions-compatibility-gaps-and-runner-trust-boundary
    - component: tekton-triggers
      role: actions-to-pipelinerun-bridge
      maturity: candidate
      directReuse: yes-for-eventlistener-to-pipelinerun
      docs: https://tekton.dev/docs/triggers/eventlisteners/
      risk: eventlistener-rbac-and-ingress-exposure-must-be-bounded
    - component: argo-cd
      role: gitops-runtime-closeout
      maturity: existing-production-component
      directReuse: keep-existing
      docs: https://argo-cd.readthedocs.io/en/stable/core_concepts/
      risk: actions-must-not-parse-human-argo-output

  # Status output is a bounded summary with the fields below; the default
  # view must not dump raw objects or logs. drillDown maps each area to the
  # CLI subcommand that shows detail.
  statusProjection:
    mode: bounded-summary
    defaultOutputMustNotDump: true
    requiredFields:
      - target
      - sourceCommit
      - snapshotRef
      - giteaMirrorLag
      - actionsRunId
      - pipelineRunName
      - builderJobName
      - buildServices
      - reusedServices
      - skipImageBuild
      - reuseEnvImage
      - imageDigest
      - gitopsRevision
      - argoSync
      - argoHealth
      - runtimeTargetSha
      - health
      - elapsedSeconds
    drillDown:
      actionsRun: gitea-actions-run
      tekton: cicd-pipelinerun
      builder: cicd-builder-job
      argo: argo-application
      runtime: cicd-runtime

  # Operator entry points for the POC and the follower it replaces.
  # NOTE(review): next could also be a top-level sibling of spec; placed under
  # spec like the other blank-line-separated sections — confirm.
  next:
    plan: bun scripts/cli.ts cicd gitea-actions-poc plan
    status: bun scripts/cli.ts cicd gitea-actions-poc status
    existingFollowerStatus: bun scripts/cli.ts cicd branch-follower status --follower agentrun-jd01-v02
    pocIssue: https://github.com/pikasTech/unidesk/issues/1548