coulomb/railiance-forge
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
railiance-forge/docs/ci-runner-actions-gitops-ownership.md
tegwick 19ee47fe82
Some checks failed
Forge Runner Smoke / compatibility-smoke (push) Has been cancelled
Details
Implement Gitea Actions runner substrate
2026-06-08 00:31:06 +02:00

187 lines
9.1 KiB
Markdown
Raw Permalink Blame History

# CI Runner, Actions, And GitOps Ownership
Last reviewed: 2026-06-07
Status: contract v1. This document defines ownership and handoffs only; it
does not authorize a live runner deployment, credential change, GitOps controller
change, or Gitea-to-Forgejo cutover.
## Purpose
Railiance uses forge-hosted automation to build, test, publish, and verify
workloads. The automation path crosses several repos, so this contract separates
runner substrate, reusable workflow templates, app-specific checks, and GitOps
operation.
The short version:
- `railiance-forge` owns the runner substrate and forge automation runtime.
- `railiance-enablement` owns reusable workflow templates and paved paths.
- Source and app repos own their repo-specific workflows and build scripts.
- `railiance-apps` owns S5 app-release checks and deployment evidence.
- Lower layers own the cluster, platform services, and runtime secret custody
that runners consume through approved handoffs.
## Ownership Matrix
| Concern | Owner | Contract |
| --- | --- | --- |
| Gitea/Forgejo Actions runner deployment and registration | `railiance-forge` | Defines how runners are installed, registered, upgraded, drained, replaced, and removed. |
| Runner labels, placement, and capacity | `railiance-forge` | Publishes stable capability labels and placement rules. Consumers reference labels, not hostnames. |
| Runner registration tokens and runtime credentials | `railiance-forge` with secret custody from `railiance-platform` | References secret names and approved delivery paths only; no decrypted values or tokenized URLs in Git. |
| Reusable CI/CD and GitOps workflow templates | `railiance-enablement` | Defines generic build, test, publish, scan, promote, and GitOps review patterns that consume forge labels and credentials. |
| App-specific workflows and build scripts | Source repo or app repo | Owns language build details, package metadata, image build definitions, and repo-local test behavior. |
| S5 app-release dry-run checks | `railiance-apps` | Owns checks for app Helm charts, app values, app runbooks, and deployment guardrails. |
| Runner prerequisites for S5 checks | `railiance-forge` plus lower-layer providers | Forge owns runner label and health evidence; cluster/platform own API reachability, CRDs, kubeconfig delivery, and secret custody. |
| ArgoCD and GitOps controller operation | `railiance-cluster` for current addon operation, with patterns from `railiance-enablement` | Forge hosts source and executes checks, but does not own the desired state controller. |
| Artifact publish evidence | `railiance-forge` | Captures source repo, commit SHA, artifact identity, package/image version, runner identity, and publish result. |
| Deployment and smoke evidence | `railiance-apps` | Captures S5 manifest change, server-side dry-run result, deployment result, and app smoke result. |
| Gitea-to-Forgejo automation cutover | `railiance-forge` | Preserves semantic runner labels and evidence contracts while moving the automation runtime. |
## Runner Label Contract
Runner labels are the public interface between forge-owned substrate and
workflow consumers. Labels should describe capability and trust level, not the
machine that happens to run the job.
Recommended label categories:
- OS/runtime: `linux`, `container-runtime`.
- Build capability: `container-build`, `python-build`, `node-build`.
- Publication capability: `registry-publish`, `package-publish`.
- Cluster access: `cluster-read`, `cluster-dry-run`.
- Release posture: `s5-release-check`, `trusted-secrets`.
Rules:
- `railiance-forge` is the only repo that defines and changes the label
contract.
- `railiance-enablement` templates may require labels from this contract.
- Source and app workflows may use labels only when the workflow purpose matches
the capability.
- Labels that imply secrets or cluster access require a named credential path
and a human-reviewed purpose.
- Workflow files should not hard-code runner hostnames, local paths, or
registration-token details.
## Placement And Secret Access
Runner placement is a security boundary. Treat a runner with publish credentials
or cluster access as a privileged execution environment.
- Registry/package publish jobs should run only on runners intended for trusted
publication.
- Server-side manifest dry-run jobs should run only on runners approved for
representative cluster API access.
- General build jobs should not receive cluster credentials or broad package
publication tokens.
- Production-like credentials must be scoped by repository, workflow purpose,
and runner label wherever the forge supports that granularity.
- Runner tokens should rotate when a runner is replaced, when a trust boundary
changes, or during a Gitea-to-Forgejo cutover.
- Documentation may reference secret names, SOPS files, OpenBao paths, and
Kubernetes Secret names, but must not include live secret values.
## GitOps Boundary
Forge automation is not the GitOps control plane.
- `railiance-forge` hosts source, runs automation, and provides run/publish
evidence.
- `railiance-enablement` defines reusable GitOps workflow patterns, such as
review gates, promotion conventions, and rollback evidence shape.
- `railiance-apps` owns app deployment declarations and S5 release guardrails.
- `railiance-cluster` currently owns ArgoCD addon operation until another
reviewed workplan moves that responsibility.
- `railiance-platform` owns shared runtime services consumed by GitOps-managed
workloads.
Automation should normally produce evidence and reviewed manifest changes.
Direct runner-driven syncs against a live GitOps controller require a separate
approval path because they couple CI credentials to deployment authority.
## S5 Server-Side Dry-Run Split
The current S5 dry-run surface belongs in `railiance-apps`:
- `.gitea/workflows/manifest-server-dry-run.yaml`
- `make k8s-server-dry-run`
- `tools/k8s-server-dry-run.sh`
- app Helm charts and app values
Forge-owned prerequisites:
- a runner label such as `cluster-dry-run` or `s5-release-check`;
- runner health evidence for that label;
- documented placement and trust posture for runners with cluster reachability;
- evidence that the runner can receive approved kubeconfig material without
exposing live values in Git.
Lower-layer prerequisites:
- `railiance-cluster` provides a representative API server and installed CRDs.
- `railiance-platform` provides approved secret delivery and shared service
dependencies required by the manifests.
If a workflow cannot find a runner with the required label or cannot access the
representative cluster, the failure should be reported as a runner/prerequisite
gap, not worked around inside the app chart.
## Gitea To Forgejo Cutover Path
The cutover from current Gitea Actions to future Forgejo automation must keep
the consumer contract stable.
Minimum path:
1. Inventory current runners, labels, credentials, repository hooks, and
workflows.
2. Define the Forgejo runner equivalent in `railiance-forge`.
3. Preserve semantic labels used by S4 templates and S5 checks unless a reviewed
migration note announces a replacement.
4. Prove a non-production workflow can run on the new runner substrate.
5. Dual-run critical publish and dry-run checks where feasible.
6. Rotate registration tokens and publish credentials during the switchover.
7. Update forge evidence docs with the new runner identity and endpoint.
8. Retire the old Gitea runner only after downstream workflows no longer depend
on it.
This cutover does not move template ownership into forge and does not move app
release checks out of S5.
## Minimum Evidence Before Enforcement
Before a workflow template or S5 check treats a runner label as required, forge
should provide:
- runner inventory with labels, placement, and trust level;
- credential scope notes by repository/workflow purpose;
- a successful sample job for each privileged label;
- package or image publish evidence for publication labels;
- representative cluster dry-run evidence for cluster-access labels;
- a rollback or disable path for a bad runner registration.
## Current Implementation Surface
`docs/gitea-actions-runner-substrate.md` defines the first supported Gitea
Actions runner model, the initial haskelseed compatibility labels, the attended
registration path, and recovery steps. `make runner-status` provides the
read-only probe entry point, and `.gitea/workflows/forge-runner-smoke.yaml`
provides the first non-production proof workflow.
The first compatibility labels are `self-hosted` and `haskelseed`, matching the
inter-hub blocker. New workflow consumers should prefer semantic labels such as
`linux`, `container-build`, and `registry-publish` once smoke evidence is
recorded.
## Open Follow-Ups
- `docs/observability-operating-evidence.md` defines the runner health and
artifact evidence signals that consumers may cite.
- `docs/gitea-actions-runner-evidence.md` records the current runner inventory,
smoke evidence, and inter-hub unblock evidence.
- WP-0006-T09 should declare runner substrate, label contracts, and evidence
edges in Railiance Fabric.
- `RAILIANCE-WP-0005-T05` should document app-side dry-run behavior once forge
runner prerequisites are ready to enforce.
Reference in New Issue View Git Blame Copy Permalink