code-dot-org · snickell · Mar 23, 2026
diff --git a/apps/codeai/README.md b/apps/codeai/README.md
@@ -1,3 +1,8 @@
 This app's deployment definitions live under `deployments/`.
 
-Docker image tag writeback is done by the GitHub Actions workflow [`k8s-commit-image-ref-to-argocd.yml`](https://github.com/code-dot-org/code-dot-org/blob/staging/.github/workflows/k8s-commit-image-ref-to-argocd.yml).
+`main` holds deployment metadata and Helm values inputs. Argo CD deploys rendered
+output from the `stage/<deployment>` branches at
+`apps/codeai/deployments/<deployment>/deploy/`.
+
+Kargo now renders from the matching OCI release capsule instead of mutating
+`values.yaml` on `main`.
diff --git a/apps/codeai/applicationset.yaml b/apps/codeai/applicationset.yaml
@@ -18,18 +18,10 @@ spec:
         kargo.akuity.io/project: kargo-project-codeai
     spec:
       project: default
-      sources:
-        - repoURL: https://github.com/code-dot-org/code-dot-org.git
-          targetRevision: '{{sourceRevision}}'
-          path: k8s/helm
-          helm:
-            releaseName: '{{path.basename}}'
-            valueFiles:
-              - $values/apps/codeai/envTypes/{{envType}}.values.yaml
-              - $values/apps/codeai/deployments/{{path.basename}}/values.yaml
-        - repoURL: https://github.com/code-dot-org/k8s-gitops.git
-          targetRevision: main
-          ref: values
+      source:
+        repoURL: https://github.com/code-dot-org/k8s-gitops.git
+        targetRevision: stage/{{path.basename}}
+        path: apps/codeai/deployments/{{path.basename}}/deploy
       destination:
         server: https://kubernetes.default.svc
         namespace: '{{namespace}}'
@@ -38,4 +30,5 @@ spec:
           prune: true
           selfHeal: true
         syncOptions:
+          - CreateNamespace=true
           - ServerSideApply=true
diff --git a/apps/codeai/deployments/levelbuilder/deployment.yaml b/apps/codeai/deployments/levelbuilder/deployment.yaml
@@ -0,0 +1,3 @@
+envType: levelbuilder
+namespace: levelbuilder
+branch: levelbuilder
diff --git a/apps/codeai/deployments/levelbuilder/deployment.yaml.disabled b/apps/codeai/deployments/levelbuilder/deployment.yaml.disabled
diff --git a/apps/codeai/deployments/levelbuilder/values.yaml b/apps/codeai/deployments/levelbuilder/values.yaml
@@ -1,4 +1,3 @@
-image: ghcr.io/code-dot-org/code-dot-org:replace-me
 autoscaling:
   maxReplicas: 1
 locals.yml:

diff --git a/apps/codeai/deployments/production/deployment.yaml b/apps/codeai/deployments/production/deployment.yaml
@@ -0,0 +1,3 @@
+envType: production
+namespace: production
+branch: production
diff --git a/apps/codeai/deployments/production/deployment.yaml.disabled b/apps/codeai/deployments/production/deployment.yaml.disabled
diff --git a/apps/codeai/deployments/production/values.yaml b/apps/codeai/deployments/production/values.yaml
@@ -1,4 +1,3 @@
-image: ghcr.io/code-dot-org/code-dot-org:production
 autoscaling:
   minReplicas: 1
   maxReplicas: 1

diff --git a/apps/codeai/deployments/staging/values.yaml b/apps/codeai/deployments/staging/values.yaml
@@ -1,6 +1,4 @@
-image: ghcr.io/code-dot-org/code-dot-org:staging # updated by k8s-commit-image-ref-to-argocd.yml
 autoscaling:
   maxReplicas: 1
 locals.yml:
   stack_name: staging
-# argocd-detect-probe: k8s-gitops run 10 at 2026-03-22T10:10:09Z
diff --git a/apps/codeai/deployments/test/deployment.yaml b/apps/codeai/deployments/test/deployment.yaml
@@ -1,5 +1,3 @@
 envType: test
 namespace: test
-# FIXME: for quicker testing, avoid waiting on DTTs and DTPs, let alone DTLs.
-# branch: test
-branch: staging
+branch: test
diff --git a/apps/codeai/deployments/test/values.yaml b/apps/codeai/deployments/test/values.yaml
@@ -1,4 +1,3 @@
-image: ghcr.io/code-dot-org/code-dot-org:test # updated by k8s-commit-image-ref-to-argocd.yml
 autoscaling:
   maxReplicas: 1
 locals.yml:

diff --git a/apps/kargo-project-codeai/stages/levelbuilder.yaml b/apps/kargo-project-codeai/stages/levelbuilder.yaml
@@ -16,24 +16,110 @@ spec:
       vars:
         - name: gitopsRepo
           value: https://github.com/code-dot-org/k8s-gitops.git
+        - name: imageRepo
+          value: ghcr.io/code-dot-org/code-dot-org
+        - name: capsuleRepo
+          value: ghcr.io/code-dot-org/codeai-release-capsule
+        - name: renderDeployment
+          value: levelbuilder
+        - name: envType
+          value: levelbuilder
+        - name: renderPath
+          value: apps/codeai/deployments/levelbuilder/deploy
+        - name: targetBranch
+          value: stage/levelbuilder
+        - name: legacyEnv
+          value: levelbuilder
       steps:
         - uses: git-clone
           config:
             repoURL: ${{ vars.gitopsRepo }}
             checkout:
               - branch: main
-                path: ./gitops
-        - uses: yaml-update
+                path: ./src
+              - branch: ${{ vars.targetBranch }}
+                create: true
+                path: ./out
+        - uses: yaml-parse
+          as: legacy-gate
           config:
-            path: ./gitops/apps/codeai/deployments/levelbuilder/values.yaml
-            updates:
+            path: ${{ './src/warehouses/codeai/legacy-gitflow/' + vars.legacyEnv + '/merged/' + imageFrom(vars.imageRepo).Tag + '.yaml' }}
+            outputs:
+              - name: revision
+                fromExpression: revision
+              - name: tag
+                fromExpression: tag
+              - name: mergedAt
+                fromExpression: mergedAt
+        - uses: oci-download
+          config:
+            imageRef: ${{ vars.capsuleRepo + '@' + imageFrom(vars.capsuleRepo).Digest }}
+            outPath: ./release-capsule.tar.gz
+        - uses: untar
+          config:
+            inPath: ./release-capsule.tar.gz
+            outPath: ./capsule
+        - uses: yaml-parse
+          as: release
+          config:
+            path: ./capsule/release.yaml
+            outputs:
+              - name: gitCommit
+                fromExpression: gitCommit
+              - name: imageRepoURL
+                fromExpression: image.repoURL
+              - name: imageTag
+                fromExpression: image.tag
+              - name: imageDigest
+                fromExpression: image.digest
+              - name: packageKind
+                fromExpression: package.kind
+              - name: packagePath
+                fromExpression: package.path
+              - name: sbomPath
+                fromExpression: metadata.sbomPath
+              - name: provenancePath
+                fromExpression: metadata.provenancePath
+        - uses: copy
+          config:
+            inPath: "${{ outputs.release.imageRepoURL == vars.imageRepo && outputs.release.imageTag == imageFrom(vars.imageRepo).Tag && outputs.release.imageDigest == imageFrom(vars.imageRepo).Digest && outputs.release.gitCommit == outputs['legacy-gate'].revision && outputs['legacy-gate'].tag == imageFrom(vars.imageRepo).Tag && outputs.release.packageKind == 'helm' && outputs.release.packagePath == 'package/helm' && imageFrom(vars.capsuleRepo).Tag == imageFrom(vars.imageRepo).Tag && imageFrom(vars.imageRepo).Tag == 'git-' + outputs.release.gitCommit ? './capsule/release.yaml' : './capsule/__validation_failed__' }}"
+            outPath: ./validated-release.yaml
+        - uses: copy
+          config:
+            inPath: ${{ './capsule/' + outputs.release.provenancePath }}
+            outPath: ./validated-provenance.json
+        - uses: copy
+          config:
+            inPath: ${{ './capsule/' + outputs.release.sbomPath }}
+            outPath: ./validated-sbom.json
+        - uses: yaml-merge
+          config:
+            inFiles:
+              - ${{ './src/apps/codeai/envTypes/' + vars.envType + '.values.yaml' }}
+              - ${{ './src/apps/codeai/deployments/' + vars.renderDeployment + '/values.yaml' }}
+            outFile: ./values.yaml
+        - uses: git-clear
+          config:
+            path: ${{ './out/' + vars.renderPath }}
+        - uses: helm-template
+          config:
+            path: ${{ './capsule/' + outputs.release.packagePath }}
+            outPath: ${{ './out/' + vars.renderPath }}
+            outLayout: flat
+            releaseName: ${{ vars.renderDeployment }}
+            valuesFiles:
+              - ./values.yaml
+            setValues:
               - key: image
-                value: ghcr.io/code-dot-org/code-dot-org:${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }}
+                value: ${{ outputs.release.imageRepoURL + '@' + outputs.release.imageDigest }}
+                literal: true
         - uses: git-commit
+          as: commit
           config:
-            path: ./gitops
+            path: ./out
             message: |
-              Promote levelbuilder to ${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }} [skip ci]
+              Render ${{ vars.renderDeployment }} from capsule ${{ imageFrom(vars.capsuleRepo).Tag }} [skip ci]
         - uses: git-push
           config:
-            path: ./gitops
+            path: ./out
+            targetBranch: ${{ vars.targetBranch }}
diff --git a/apps/kargo-project-codeai/stages/production.yaml b/apps/kargo-project-codeai/stages/production.yaml
@@ -16,24 +16,123 @@ spec:
       vars:
         - name: gitopsRepo
           value: https://github.com/code-dot-org/k8s-gitops.git
+        - name: imageRepo
+          value: ghcr.io/code-dot-org/code-dot-org
+        - name: capsuleRepo
+          value: ghcr.io/code-dot-org/codeai-release-capsule
+        - name: renderDeployment
+          value: production
+        - name: envType
+          value: production
+        - name: renderPath
+          value: apps/codeai/deployments/production/deploy
+        - name: targetBranch
+          value: stage/production
+        - name: legacyEnv
+          value: production
       steps:
         - uses: git-clone
           config:
             repoURL: ${{ vars.gitopsRepo }}
             checkout:
               - branch: main
-                path: ./gitops
-        - uses: yaml-update
+                path: ./src
+              - branch: ${{ vars.targetBranch }}
+                create: true
+                path: ./out
+        - uses: yaml-parse
+          as: legacy-gate
           config:
-            path: ./gitops/apps/codeai/deployments/production/values.yaml
-            updates:
+            path: ${{ './src/warehouses/codeai/legacy-gitflow/' + vars.legacyEnv + '/merged/' + imageFrom(vars.imageRepo).Tag + '.yaml' }}
+            outputs:
+              - name: revision
+                fromExpression: revision
+              - name: tag
+                fromExpression: tag
+              - name: mergedAt
+                fromExpression: mergedAt
+        - uses: oci-download
+          config:
+            imageRef: ${{ vars.capsuleRepo + '@' + imageFrom(vars.capsuleRepo).Digest }}
+            outPath: ./release-capsule.tar.gz
+        - uses: untar
+          config:
+            inPath: ./release-capsule.tar.gz
+            outPath: ./capsule
+        - uses: yaml-parse
+          as: release
+          config:
+            path: ./capsule/release.yaml
+            outputs:
+              - name: gitCommit
+                fromExpression: gitCommit
+              - name: imageRepoURL
+                fromExpression: image.repoURL
+              - name: imageTag
+                fromExpression: image.tag
+              - name: imageDigest
+                fromExpression: image.digest
+              - name: packageKind
+                fromExpression: package.kind
+              - name: packagePath
+                fromExpression: package.path
+              - name: sbomPath
+                fromExpression: metadata.sbomPath
+              - name: provenancePath
+                fromExpression: metadata.provenancePath
+        - uses: copy
+          config:
+            inPath: "${{ outputs.release.imageRepoURL == vars.imageRepo && outputs.release.imageTag == imageFrom(vars.imageRepo).Tag && outputs.release.imageDigest == imageFrom(vars.imageRepo).Digest && outputs.release.gitCommit == outputs['legacy-gate'].revision && outputs['legacy-gate'].tag == imageFrom(vars.imageRepo).Tag && outputs.release.packageKind == 'helm' && outputs.release.packagePath == 'package/helm' && imageFrom(vars.capsuleRepo).Tag == imageFrom(vars.imageRepo).Tag && imageFrom(vars.imageRepo).Tag == 'git-' + outputs.release.gitCommit ? './capsule/release.yaml' : './capsule/__validation_failed__' }}"
+            outPath: ./validated-release.yaml
+        - uses: copy
+          config:
+            inPath: ${{ './capsule/' + outputs.release.provenancePath }}
+            outPath: ./validated-provenance.json
+        - uses: copy
+          config:
+            inPath: ${{ './capsule/' + outputs.release.sbomPath }}
+            outPath: ./validated-sbom.json
+        - uses: yaml-merge
+          config:
+            inFiles:
+              - ${{ './src/apps/codeai/envTypes/' + vars.envType + '.values.yaml' }}
+              - ${{ './src/apps/codeai/deployments/' + vars.renderDeployment + '/values.yaml' }}
+            outFile: ./values.yaml
+        - uses: git-clear
+          config:
+            path: ${{ './out/' + vars.renderPath }}
+        - uses: helm-template
+          config:
+            path: ${{ './capsule/' + outputs.release.packagePath }}
+            outPath: ${{ './out/' + vars.renderPath }}
+            outLayout: flat
+            releaseName: ${{ vars.renderDeployment }}
+            valuesFiles:
+              - ./values.yaml
+            setValues:
               - key: image
-                value: ghcr.io/code-dot-org/code-dot-org:${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }}
+                value: ${{ outputs.release.imageRepoURL + '@' + outputs.release.imageDigest }}
+                literal: true
         - uses: git-commit
+          as: commit
           config:
-            path: ./gitops
+            path: ./out
             message: |
-              Promote production to ${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }} [skip ci]
+              Review ${{ vars.renderDeployment }} render from capsule ${{ imageFrom(vars.capsuleRepo).Tag }} [skip ci]
         - uses: git-push
+          as: push
+          config:
+            path: ./out
+            generateTargetBranch: true
+        - uses: git-open-pr
+          as: open-pr
           config:
-            path: ./gitops
+            repoURL: ${{ vars.gitopsRepo }}
+            createTargetBranch: true
+            sourceBranch: ${{ outputs['push'].branch }}
+            targetBranch: ${{ vars.targetBranch }}
+            title: Review ${{ vars.renderDeployment }} render for ${{ imageFrom(vars.capsuleRepo).Tag }}
+        - uses: git-wait-for-pr
+          config:
+            repoURL: ${{ vars.gitopsRepo }}
+            prNumber: ${{ outputs['open-pr'].pr.id }}