code-dot-org · snickell · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026
diff --git a/README.md b/README.md
@@ -28,12 +28,14 @@ k8s-gitops/
 
       deployments/
         levelbuilder/             # codeai deployment levelbuilder
-          deployment.yaml         # envType=levelbuilder, branch=levelbuilder
-          values.yaml             # values.yaml for this deployment: dashboard_workers=27, RAILS_ENV=levelbuilder, etc
+          deployment.yaml         # deployment metadata: envType=levelbuilder, namespace=levelbuilder
+          deploy/
+            kustomization.yaml    # machine-owned deploy wrapper pinned to a code-dot-org commit
         ...
 
       envTypes/
-        levelbuilder.values.yaml  # base values.yaml for all envType=levelbuilder
+        levelbuilder/
+          kustomization.yaml      # envType component consumed by deployment wrappers
         ...
 
     kargo/
@@ -44,7 +46,7 @@ k8s-gitops/
       application.yaml            # argocd app for kargo project codeai
       project.yaml                # kargo project for codeai
       project-config.yaml         # kargo projectconfig for codeai
-      warehouse.yaml              # kargo warehouse for codeai
+      warehouse.yaml              # kargo warehouse watching warehouses/codeai/builds
       stages/
         levelbuilder.yaml         # kargo stage for codeai deployment levelbuilder
         ...
@@ -53,4 +55,3 @@ k8s-gitops/
 ## Bootstrap Cluster
 
 kubectl apply -f apps/app-of-apps/applicationset.yaml
-
diff --git a/apps/codeai/README.md b/apps/codeai/README.md
@@ -1,3 +1,12 @@
 This app's deployment definitions live under `deployments/`.
 
-Docker image tag writeback is done by the GitHub Actions workflow [`k8s-commit-image-ref-to-argocd.yml`](https://github.com/code-dot-org/code-dot-org/blob/staging/.github/workflows/k8s-commit-image-ref-to-argocd.yml).
+Each deployment now has:
+
+- `deployment.yaml`: metadata only, currently `envType` and `namespace`
+- `deploy/kustomization.yaml`: the machine-owned wrapper that pins the remote
+  `code-dot-org//k8s/kustomize/base` path to an exact commit and rewrites the
+  immutable image tag
+
+Release metadata writeback is done by the GitHub Actions workflow
+[`k8s-commit-image-ref-to-argocd.yml`](https://github.com/code-dot-org/code-dot-org/blob/staging/.github/workflows/k8s-commit-image-ref-to-argocd.yml),
+which writes thin build-lock records under `warehouses/codeai/`.
diff --git a/apps/codeai/applicationset.yaml b/apps/codeai/applicationset.yaml
@@ -19,17 +19,9 @@ spec:
     spec:
       project: default
       sources:
-        - repoURL: https://github.com/code-dot-org/code-dot-org.git
-          targetRevision: '{{sourceRevision}}'
-          path: k8s/helm
-          helm:
-            releaseName: '{{path.basename}}'
-            valueFiles:
-              - $values/apps/codeai/envTypes/{{envType}}.values.yaml
-              - $values/apps/codeai/deployments/{{path.basename}}/values.yaml
         - repoURL: https://github.com/code-dot-org/k8s-gitops.git
           targetRevision: main
-          ref: values
+          path: apps/codeai/deployments/{{path.basename}}/deploy
       destination:
         server: https://kubernetes.default.svc
         namespace: '{{namespace}}'

diff --git a/apps/codeai/deployments/k8s-adhoc/deploy/kustomization.yaml b/apps/codeai/deployments/k8s-adhoc/deploy/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: adhoc-k8s-adhoc
+resources:
+  - github.com/code-dot-org/code-dot-org//k8s/kustomize/base?ref=d072d04a9e345ffd5716cd5f1c86f92d8bc5ab47&timeout=120s
+components:
+  - ../../../envTypes/staging
+images:
+  - name: code-dot-org
+    newName: ghcr.io/code-dot-org/code-dot-org
+    newTag: git-d072d04a9e345ffd5716cd5f1c86f92d8bc5ab47
diff --git a/apps/codeai/deployments/k8s-adhoc/deployment.yaml b/apps/codeai/deployments/k8s-adhoc/deployment.yaml
@@ -1,3 +1,2 @@
 envType: staging
 namespace: adhoc-k8s-adhoc
-branch: k8s/adhoc
diff --git a/apps/codeai/deployments/levelbuilder/deploy/kustomization.yaml b/apps/codeai/deployments/levelbuilder/deploy/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: levelbuilder
+resources:
+  - github.com/code-dot-org/code-dot-org//k8s/kustomize/base?ref=8e63b725457dee9f56342b5c6bdd0c04789c08b7&timeout=120s
+components:
+  - ../../../envTypes/levelbuilder
+images:
+  - name: code-dot-org
+    newName: ghcr.io/code-dot-org/code-dot-org
+    newTag: git-8e63b725457dee9f56342b5c6bdd0c04789c08b7
diff --git a/apps/codeai/deployments/levelbuilder/deployment.yaml b/apps/codeai/deployments/levelbuilder/deployment.yaml
@@ -0,0 +1,2 @@
+envType: levelbuilder
+namespace: levelbuilder
diff --git a/apps/codeai/deployments/production/deploy/kustomization.yaml b/apps/codeai/deployments/production/deploy/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: production
+resources:
+  - github.com/code-dot-org/code-dot-org//k8s/kustomize/base?ref=bcb0ae45b61e70b12b63c49f3e7b82c65d4edec0&timeout=120s
+components:
+  - ../../../envTypes/production
+images:
+  - name: code-dot-org
+    newName: ghcr.io/code-dot-org/code-dot-org
+    newTag: git-bcb0ae45b61e70b12b63c49f3e7b82c65d4edec0
diff --git a/apps/codeai/deployments/production/deployment.yaml b/apps/codeai/deployments/production/deployment.yaml
@@ -0,0 +1,2 @@
+envType: production
+namespace: production
diff --git a/apps/codeai/deployments/staging/deploy/kustomization.yaml b/apps/codeai/deployments/staging/deploy/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: staging
+resources:
+  - github.com/code-dot-org/code-dot-org//k8s/kustomize/base?ref=d072d04a9e345ffd5716cd5f1c86f92d8bc5ab47&timeout=120s
+components:
+  - ../../../envTypes/staging
+images:
+  - name: code-dot-org
+    newName: ghcr.io/code-dot-org/code-dot-org
+    newTag: git-d072d04a9e345ffd5716cd5f1c86f92d8bc5ab47
diff --git a/apps/codeai/deployments/staging/deployment.yaml b/apps/codeai/deployments/staging/deployment.yaml
@@ -1,3 +1,2 @@
 envType: staging
 namespace: staging
-branch: staging
diff --git a/apps/codeai/deployments/test/deploy/kustomization.yaml b/apps/codeai/deployments/test/deploy/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: test
+resources:
+  - github.com/code-dot-org/code-dot-org//k8s/kustomize/base?ref=0ecc81111eb1e349451f9ebed2e509e2b0af738e&timeout=120s
+components:
+  - ../../../envTypes/test
+images:
+  - name: code-dot-org
+    newName: ghcr.io/code-dot-org/code-dot-org
+    newTag: git-0ecc81111eb1e349451f9ebed2e509e2b0af738e
diff --git a/apps/codeai/deployments/test/deployment.yaml b/apps/codeai/deployments/test/deployment.yaml
@@ -1,5 +1,2 @@
 envType: test
 namespace: test
-# FIXME: for quicker testing, avoid waiting on DTTs and DTPs, let alone DTLs.
-# branch: test
-branch: staging
diff --git a/apps/codeai/envTypes/levelbuilder/deployment.patch.yaml b/apps/codeai/envTypes/levelbuilder/deployment.patch.yaml
@@ -7,7 +7,6 @@ spec:
     spec:
       containers:
         - name: dashboard
-          image: ghcr.io/code-dot-org/code-dot-org:replace-me
           env:
             - name: RAILS_ENV
               value: levelbuilder

diff --git a/apps/codeai/envTypes/levelbuilder/kustomization.yaml b/apps/codeai/envTypes/levelbuilder/kustomization.yaml
@@ -9,6 +9,5 @@ labels:
     includeTemplates: true
 patches:
   - path: deployment.patch.yaml
-  # TODO: enable these when gitops envType values start setting dashboard_workers again.
-  # - path: locals.yml.patch.yaml
-  # - path: deployment.resources.patch.yaml
+  - path: locals.yml.patch.yaml
+  - path: deployment.resources.patch.yaml
diff --git a/apps/codeai/envTypes/production/kustomization.yaml b/apps/codeai/envTypes/production/kustomization.yaml
@@ -11,6 +11,5 @@ labels:
     includeTemplates: true
 patches:
   - path: deployment.patch.yaml
-  # TODO: enable these when gitops envType values start setting dashboard_workers again.
-  # - path: locals.yml.patch.yaml
-  # - path: deployment.resources.patch.yaml
+  - path: locals.yml.patch.yaml
+  - path: deployment.resources.patch.yaml
diff --git a/apps/codeai/envTypes/staging/deployment.patch.yaml b/apps/codeai/envTypes/staging/deployment.patch.yaml
@@ -7,7 +7,6 @@ spec:
     spec:
       containers:
         - name: dashboard
-          image: ghcr.io/code-dot-org/code-dot-org:replace-me
           env:
             - name: RAILS_ENV
               value: staging

diff --git a/apps/codeai/envTypes/staging/kustomization.yaml b/apps/codeai/envTypes/staging/kustomization.yaml
@@ -9,6 +9,5 @@ labels:
     includeTemplates: true
 patches:
   - path: deployment.patch.yaml
-  # TODO: enable these when gitops envType values start setting dashboard_workers again.
-  # - path: locals.yml.patch.yaml
-  # - path: deployment.resources.patch.yaml
+  - path: locals.yml.patch.yaml
+  - path: deployment.resources.patch.yaml
diff --git a/apps/codeai/envTypes/test/kustomization.yaml b/apps/codeai/envTypes/test/kustomization.yaml
@@ -9,6 +9,5 @@ labels:
     includeTemplates: true
 patches:
   - path: deployment.patch.yaml
-  # TODO: enable these when gitops envType values start setting dashboard_workers again.
-  # - path: locals.yml.patch.yaml
-  # - path: deployment.resources.patch.yaml
+  - path: locals.yml.patch.yaml
+  - path: deployment.resources.patch.yaml
diff --git a/apps/kargo-project-codeai/codeai-test-verification.yaml b/apps/kargo-project-codeai/codeai-test-verification.yaml
@@ -0,0 +1,56 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AnalysisTemplate
+metadata:
+  name: codeai-test-verification
+  namespace: kargo-project-codeai
+spec:
+  args:
+    - name: gitCommit
+    - name: namespace
+    - name: deploymentName
+  metrics:
+    - name: drone-and-rollout-gate
+      provider:
+        job:
+          spec:
+            backoffLimit: 0
+            template:
+              spec:
+                restartPolicy: Never
+                containers:
+                  - name: verify
+                    image: alpine:3.20
+                    command:
+                      - sh
+                      - -ceu
+                    args:
+                      - |
+                        apk add --no-cache curl kubectl >/dev/null
+
+                        attempts=30
+                        while [ "$attempts" -gt 0 ]; do
+                          state="$(
+                            curl -fsSL "https://api.github.com/repos/code-dot-org/code-dot-org/commits/{{ args.gitCommit }}/status" |
+                            grep -m1 -o '"state":"[^"]*"' |
+                            cut -d'"' -f4
+                          )"
+                          case "$state" in
+                            success)
+                              break
+                              ;;
+                            failure|error)
+                              echo "Commit status failed: $state" >&2
+                              exit 1
+                              ;;
+                          esac
+
+                          attempts=$((attempts - 1))
+                          if [ "$attempts" -eq 0 ]; then
+                            echo "Timed out waiting for commit status success" >&2
+                            exit 1
+                          fi
+
+                          sleep 60
+                        done
+
+                        kubectl -n "{{ args.namespace }}" rollout status "deployment/{{ args.deploymentName }}" --timeout=10m
diff --git a/apps/kargo-project-codeai/project-config.yaml b/apps/kargo-project-codeai/project-config.yaml
@@ -9,7 +9,9 @@ spec:
       autoPromotionEnabled: true
     - stage: test
       autoPromotionEnabled: false
-    - stage: production
-      autoPromotionEnabled: false
     - stage: levelbuilder
       autoPromotionEnabled: false
+    - stage: review-infra-changes
+      autoPromotionEnabled: false
+    - stage: production
+      autoPromotionEnabled: false
diff --git a/apps/kargo-project-codeai/stages/levelbuilder.yaml b/apps/kargo-project-codeai/stages/levelbuilder.yaml
@@ -7,7 +7,7 @@ spec:
   requestedFreight:
     - origin:
         kind: Warehouse
-        name: kargo-project-codeai
+        name: codeai-builds
       sources:
         stages:
           - test
@@ -16,24 +16,75 @@ spec:
       vars:
         - name: gitopsRepo
           value: https://github.com/code-dot-org/k8s-gitops.git
+        - name: legacyEnv
+          value: levelbuilder
       steps:
         - uses: git-clone
           config:
             repoURL: ${{ vars.gitopsRepo }}
             checkout:
+              - commit: ${{ commitFrom('https://github.com/code-dot-org/k8s-gitops.git', warehouse('codeai-builds').ID) }}
+                path: ./freight
+              - branch: main
+                path: ./gate
               - branch: main
                 path: ./gitops
+        - uses: yaml-parse
+          as: build-lock
+          config:
+            path: ./freight/warehouses/codeai/builds/current.yaml
+            outputs:
+              - name: releaseId
+                fromExpression: releaseId
+              - name: gitCommit
+                fromExpression: gitCommit
+              - name: packagingKind
+                fromExpression: packaging.kind
+              - name: sourcePath
+                fromExpression: packaging.sourcePath
+        - uses: yaml-parse
+          as: legacy-merge
+          config:
+            path: ./gate/warehouses/codeai/legacy-gitflow/${{ vars.legacyEnv }}/merged/${{ outputs['build-lock'].releaseId }}.yaml
+            outputs:
+              - name: revision
+                fromExpression: revision
+              - name: tag
+                fromExpression: tag
+              - name: mergedAt
+                fromExpression: mergedAt
+        - uses: yaml-parse
+          as: deployment-meta
+          config:
+            path: ./gitops/apps/codeai/deployments/levelbuilder/deployment.yaml
+            outputs:
+              - name: envType
+                fromExpression: envType
+              - name: namespace
+                fromExpression: namespace
         - uses: yaml-update
           config:
-            path: ./gitops/apps/codeai/deployments/levelbuilder/values.yaml
+            path: ./gitops/apps/codeai/deployments/levelbuilder/deploy/kustomization.yaml
             updates:
-              - key: image
-                value: ghcr.io/code-dot-org/code-dot-org:${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }}
+              - key: namespace
+                value: ${{ outputs['deployment-meta'].namespace }}
+              - key: resources
+                value:
+                  - github.com/code-dot-org/code-dot-org//k8s/kustomize/base?ref=${{ outputs['build-lock'].gitCommit }}&timeout=120s
+              - key: components
+                value:
+                  - ../../../envTypes/${{ outputs['deployment-meta'].envType }}
+        - uses: kustomize-set-image
+          config:
+            path: ./gitops/apps/codeai/deployments/levelbuilder/deploy
+            images:
+              - image: code-dot-org
+                newName: ghcr.io/code-dot-org/code-dot-org
+                tag: ${{ outputs['build-lock'].releaseId }}
         - uses: git-commit
           config:
             path: ./gitops
-            message: |
-              Promote levelbuilder to ${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }} [skip ci]
+            message: Promote levelbuilder deploy to ${{ outputs['build-lock'].releaseId }} [skip ci]
         - uses: git-push
           config:
             path: ./gitops