feat: scaffold gitops tenant plumbing #1
Merged
Initial content for the GitOps tenant template: framework-agnostic, stack-neutral CI/CD plumbing for apps that run on the devantler-tech platform.

Template-owned (kept in sync across tenants):
- .github/workflows/cd.yaml — calls publish-app.yaml on v* tags (build, digest-pin, push + cosign-sign the manifests OCI artifact)
- .github/workflows/release.yaml — semantic-release on main
- .github/workflows/template-sync.yaml — weekly template-sync PR
- AGENTS.md / CLAUDE.md — shared tenant conventions

Scaffolding (tenant-owned; listed in each tenant's .templatesyncignore): example ci.yaml, dependabot baseline (actions + docker), .releaserc, Dockerfile, .sops.yaml, .gitignore, and a deploy/ skeleton (Deployment, Service, HTTPRoute, optional CNPG Cluster, example secret).

cd.yaml and release.yaml are self-guarded so the template repo itself stays inert; they run only in tenants created from it.

template-sync.yaml is pinned to the commit that introduces the reusable workflow (devantler-tech/reusable-workflows#261) and must be re-pinned to the released tag once that PR ships.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pull request overview
Scaffolds the initial gitops-tenant-template repository used to create new GitOps tenant repos on the devantler-tech platform, including shared CI/CD plumbing (via reusable workflows + template-sync) and stack-neutral deployment manifests.
Changes:
- Add template-owned GitHub Actions workflows for release/CD and weekly template synchronization.
- Add tenant scaffolding: deploy/ Kustomize resources, placeholder Dockerfile, baseline dependabot config, SOPS rules, and repo hygiene files.
- Add agent conventions via AGENTS.md (+ CLAUDE.md indirection) and expand README documentation for tenant usage.
Reviewed changes
Copilot reviewed 18 out of 19 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| README.md | Expanded template documentation, ownership split, and local validation steps. |
| LICENSE | Adds Apache 2.0 license text. |
| Dockerfile | Placeholder container build file for tenant replacement. |
| deploy/kustomization.yaml | Kustomize entrypoint wiring the scaffolded resources. |
| deploy/deployment.yaml | PodSecurity-restricted-friendly Deployment skeleton with digest-pinning convention. |
| deploy/service.yaml | Service exposing the app port mapping. |
| deploy/httproute.yaml | Gateway API HTTPRoute skeleton for external access. |
| deploy/cluster.yaml | Optional CloudNativePG Cluster example for tenants needing a DB. |
| deploy/secret.example.yaml | Example Secret workflow + SOPS encryption guidance (not included in kustomization). |
| CLAUDE.md | Claude Code entrypoint including AGENTS.md. |
| AGENTS.md | Centralized agent/assistant conventions for tenant repos created from the template. |
| .sops.yaml | SOPS creation rules for encrypting deploy/*.enc.yaml secrets. |
| .releaserc | Stack-neutral semantic-release configuration baseline. |
| .gitignore | Baseline ignores emphasizing not committing decrypted secrets. |
| .github/dependabot.yml | Dependabot baseline for GitHub Actions + Docker updates. |
| .github/workflows/template-sync.yaml | Weekly template-sync job calling the reusable workflow. |
| .github/workflows/release.yaml | Release workflow (semantic-release via reusable workflow) for tenant repos. |
| .github/workflows/cd.yaml | Tag-driven publish workflow calling the reusable publish workflow. |
| .github/workflows/ci.yaml | Example CI workflow with required-check aggregation scaffold. |
Rebase the template's shared plumbing on the tenants' CURRENT main (the earlier draft was based on stale pinned submodule commits):
- cd.yaml: add `name: Publish` to match the tenants' job shape (already uses publish-app.yaml @ v5.2.0 with a generic app-name).
- Add zizmor.yml — the GitHub Actions pinning policy both tenants already share; now template-owned and kept in sync.
- AGENTS.md is now correctly a TENANT-OWNED scaffold (each tenant has a project-specific overview), not a synced file. Rewrote it as a generic scaffold and moved it to the ignore list.
- Ship the `maintain` skill as a (tenant-owned) scaffold.
- README: corrected the owned-vs-synced split — synced = cd.yaml, release.yaml, template-sync.yaml, CLAUDE.md, zizmor.yml; everything else (incl. AGENTS.md and the maintain skill) is tenant-owned.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Tenants no longer use SOPS for their own app secrets — they source them from OpenBao via External Secrets. Replace the SOPS scaffolding with the platform's enforced tenant pattern:
- Remove .sops.yaml and the SOPS-encrypted secret example.
- Add deploy/secretstore.yaml — a namespaced SecretStore (the Kyverno policy restrict-tenant-secret-stores blocks tenants from the shared ClusterSecretStore) authenticating via a tenant-scoped Vault role limited to secret/data/apps/<tenant>/*.
- Add deploy/externalsecret.yaml — materializes the app Secret from OpenBao.
- Drop .sops.yaml from the ignore list; update AGENTS.md/.gitignore.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
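An added example of the namespaced SecretStore + ExternalSecret pair this commit describes; it is not the PR's own deploy/secretstore.yaml or deploy/externalsecret.yaml. The tenant name (example-app), the OpenBao URL, the Kubernetes auth mount, the role name, the ServiceAccount and the secret keys are assumptions; only the KV path convention secret/data/apps/<tenant>/* and the SecretStore-not-ClusterSecretStore constraint come from the commit.

```yaml
# Added example, not from the PR. Tenant "example-app", the server URL, the
# auth mount, the role and the secret keys are assumptions.
# The Kyverno policy restrict-tenant-secret-stores blocks tenants from the
# shared ClusterSecretStore, so the store is namespaced and the
# ExternalSecret references it with kind: SecretStore.
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: openbao
  namespace: example-app
spec:
  provider:
    vault:
      server: https://openbao.example.internal   # assumption
      path: secret        # KV v2 mount: keys resolve under secret/data/...
      version: v2
      auth:
        kubernetes:
          mountPath: kubernetes        # assumption: k8s auth mount name
          role: tenant-example-app     # assumption: role whose policy grants
                                       # read only on secret/data/apps/example-app/*
          serviceAccountRef:
            name: example-app          # the app's own ServiceAccount
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: example-app
  namespace: example-app
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore      # ClusterSecretStore would be denied by policy
    name: openbao
  target:
    name: example-app      # the Secret the Deployment reads via envFrom
    creationPolicy: Owner  # ESO owns the Secret; nothing decrypted is committed
  data:
    - secretKey: DATABASE_URL              # key inside the generated k8s Secret
      remoteRef:
        key: apps/example-app/app          # -> secret/data/apps/example-app/app
        property: DATABASE_URL             # field inside that KV entry
```

Only the store and the reference are committed, which is why the commit can drop .sops.yaml from the scaffold; a role scoped to the tenant's own prefix means a compromised tenant cannot read another tenant's entries even through a correctly configured store.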
The reusable template-sync workflow is now released (v5.3.0). Re-pin off the pre-release commit onto the tag.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…fold

The alpine placeholder ran as root and exited immediately, conflicting with deploy/deployment.yaml's runAsNonRoot + HTTP probes on 3000 — a tenant that tagged before replacing it would publish an unstartable image. Serve a non-root HTTP placeholder on port 3000 so the scaffold deploys cleanly as-is. Addresses the Copilot review note.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What

Initial content for gitops-tenant-template — a framework-agnostic, stack-neutral template for GitOps tenants on the devantler-tech platform. New tenants are created with "Use this template"; the shared CI/CD plumbing is kept current in every tenant via template-sync.

Public, flagged as a template repository, with the org's required custom properties (Type=Application, …).

Template-owned (kept in sync across tenants)
- .github/workflows/cd.yaml: v* tag → publish-app.yaml (build, digest-pin, push + cosign-sign), app-name = repo name
- .github/workflows/release.yaml: main
- .github/workflows/template-sync.yaml
- CLAUDE.md: @AGENTS.md shim (identical across tenants)
- zizmor.yml

cd.yaml / release.yaml / template-sync.yaml are self-guarded (if: github.repository != '…/gitops-tenant-template') so this repo stays inert.

Tenant-owned scaffolding (each tenant lists these in .templatesyncignore)

AGENTS.md (tenant-specific project overview), .claude/skills/maintain/SKILL.md, example ci.yaml, dependabot baseline (github-actions + docker), stack-neutral .releaserc, Dockerfile, .sops.yaml, .gitignore, and a deploy/ skeleton (Deployment, Service, HTTPRoute, optional CNPG Cluster, example secret).

Pins (current latest)
- publish-app.yaml / create-release.yaml → reusable-workflows v5.2.0 (the tenants currently pin the older v3.2.0 / v3.1.4 / @main; sync bumps them).
- aggregate-job-checks → actions v5.1.0.

Validation

actionlint clean · zizmor --config zizmor.yml clean · kubectl kustomize deploy/ builds.

template-sync.yaml references the new reusable workflow from reusable-workflows#261, not yet released. It is pinned to that PR's head commit (733557c); re-pin to the released tag once #261 merges. Promote #261 first.

🤖 Generated with Claude Code