code-dot-org · snickell · Mar 23, 2026
diff --git a/apps/codeai/README.md b/apps/codeai/README.md
@@ -1,3 +1,4 @@
-This app's deployment definitions live under `deployments/`.
+`main` keeps deployment metadata, env policy, and the Kargo temp-wrapper templates.
 
-Docker image tag writeback is done by the GitHub Actions workflow [`k8s-commit-image-ref-to-argocd.yml`](https://github.com/code-dot-org/code-dot-org/blob/staging/.github/workflows/k8s-commit-image-ref-to-argocd.yml).
+Rendered manifests live on `stage/<deployment>` branches at `apps/codeai/deployments/<deployment>/deploy/`.
+Argo CD deploys those rendered paths directly; Kargo promotion is responsible for rehydrating the OCI release capsule and writing them.
diff --git a/apps/codeai/applicationset.yaml b/apps/codeai/applicationset.yaml
@@ -9,7 +9,10 @@ spec:
         repoURL: https://github.com/code-dot-org/k8s-gitops.git
         revision: main
         files:
-          - path: apps/codeai/deployments/*/deployment.yaml
+          - path: apps/codeai/deployments/staging/deployment.yaml
+          - path: apps/codeai/deployments/test/deployment.yaml
+          - path: apps/codeai/deployments/levelbuilder/deployment.yaml
+          - path: apps/codeai/deployments/production/deployment.yaml
   template:
     metadata:
       name: codeai-{{path.basename}}
@@ -19,17 +22,9 @@ spec:
     spec:
       project: default
       sources:
-        - repoURL: https://github.com/code-dot-org/code-dot-org.git
-          targetRevision: '{{sourceRevision}}'
-          path: k8s/helm
-          helm:
-            releaseName: '{{path.basename}}'
-            valueFiles:
-              - $values/apps/codeai/envTypes/{{envType}}.values.yaml
-              - $values/apps/codeai/deployments/{{path.basename}}/values.yaml
         - repoURL: https://github.com/code-dot-org/k8s-gitops.git
-          targetRevision: main
-          ref: values
+          targetRevision: stage/{{path.basename}}
+          path: apps/codeai/deployments/{{path.basename}}/deploy
       destination:
         server: https://kubernetes.default.svc
         namespace: '{{namespace}}'

diff --git a/apps/codeai/deployments/levelbuilder/deploy/README.md b/apps/codeai/deployments/levelbuilder/deploy/README.md
@@ -0,0 +1,2 @@
+Rendered output is committed on `stage/levelbuilder`.
+`main` keeps only this placeholder so the branch-local path exists before first render.
diff --git a/apps/codeai/deployments/levelbuilder/deployment.yaml b/apps/codeai/deployments/levelbuilder/deployment.yaml
@@ -0,0 +1,3 @@
+envType: levelbuilder
+namespace: levelbuilder
+branch: levelbuilder
diff --git a/apps/codeai/deployments/production/deploy/README.md b/apps/codeai/deployments/production/deploy/README.md
@@ -0,0 +1,2 @@
+Rendered output is committed on `stage/production`.
+`main` keeps only this placeholder so the branch-local path exists before first render.
diff --git a/apps/codeai/deployments/production/deployment.yaml b/apps/codeai/deployments/production/deployment.yaml
@@ -0,0 +1,3 @@
+envType: production
+namespace: production
+branch: production
diff --git a/apps/codeai/deployments/staging/deploy/README.md b/apps/codeai/deployments/staging/deploy/README.md
@@ -0,0 +1,2 @@
+Rendered output is committed on `stage/staging`.
+`main` keeps only this placeholder so the branch-local path exists before first render.
diff --git a/apps/codeai/deployments/test/deploy/README.md b/apps/codeai/deployments/test/deploy/README.md
@@ -0,0 +1,2 @@
+Rendered output is committed on `stage/test`.
+`main` keeps only this placeholder so the branch-local path exists before first render.
diff --git a/apps/codeai/kargo/templates/deploy/kustomization.yaml b/apps/codeai/kargo/templates/deploy/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: replace-me
+resources: []
+components: []
+images:
+  - name: code-dot-org
+    newName: code-dot-org
+    newTag: latest
diff --git a/apps/codeai/kargo/templates/release-metadata.yaml b/apps/codeai/kargo/templates/release-metadata.yaml
@@ -0,0 +1,12 @@
+schemaVersion: codeai/v1alpha1
+release:
+  gitCommit: replace-me
+  image:
+    repoURL: replace-me
+    tag: replace-me
+    digest: replace-me
+  capsule:
+    repoURL: replace-me
+    tag: replace-me
+    packageKind: replace-me
+    packagePath: replace-me
diff --git a/apps/kargo-project-codeai/analysis-template-codeai-test-smoke.yaml b/apps/kargo-project-codeai/analysis-template-codeai-test-smoke.yaml
@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AnalysisTemplate
+metadata:
+  name: codeai-test-smoke
+  namespace: kargo-project-codeai
+spec:
+  args:
+    - name: healthURL
+  metrics:
+    - name: wait-for-test-health
+      provider:
+        job:
+          spec:
+            backoffLimit: 0
+            template:
+              spec:
+                restartPolicy: Never
+                containers:
+                  - name: curl
+                    image: curlimages/curl:8.12.1
+                    command:
+                      - sh
+                      - -ceu
+                    args:
+                      - |
+                        for attempt in $(seq 1 60); do
+                          if curl -fsS "{{args.healthURL}}" >/dev/null; then
+                            exit 0
+                          fi
+                          sleep 10
+                        done
+                        exit 1
diff --git a/apps/kargo-project-codeai/codeai-release-verify-configmap.yaml b/apps/kargo-project-codeai/codeai-release-verify-configmap.yaml
@@ -0,0 +1,101 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: codeai-release-verify
+  namespace: kargo-project-codeai
+data:
+  server.py: |
+    import json
+    import re
+    from http.server import BaseHTTPRequestHandler, HTTPServer
+
+    TAG_PATTERN = re.compile(r"^git-([0-9a-f]{40})$")
+
+
+    def failure(reason):
+        return {
+            "ok": False,
+            "reason": reason,
+            "release": {
+                "gitCommit": "",
+                "packageKind": "",
+                "packagePath": "",
+            },
+        }
+
+
+    def validate(payload):
+        image = payload.get("image") or {}
+        capsule = payload.get("capsule") or {}
+        release = payload.get("release") or {}
+
+        image_tag = image.get("tag", "")
+        release_tag = release.get("imageTag", "")
+        release_digest = release.get("imageDigest", "")
+        release_git_commit = release.get("gitCommit", "")
+        package_kind = release.get("packageKind", "")
+        package_path = release.get("packagePath", "")
+
+        match = TAG_PATTERN.match(image_tag)
+        if not match:
+            return failure(f"image tag is not a canonical git tag: {image_tag}")
+
+        expected_commit = match.group(1)
+        if release_tag != image_tag:
+            return failure("image tag mismatch between Freight and capsule release.yaml")
+        if release_git_commit != expected_commit:
+            return failure("git commit mismatch between Freight tag and capsule release.yaml")
+        if release_digest != image.get("digest"):
+            return failure("image digest mismatch between Freight and capsule release.yaml")
+        if package_kind != "kustomize":
+            return failure("package kind must be kustomize")
+        if not package_path.startswith("package/"):
+            return failure("package path must stay under package/")
+        if capsule.get("tag") != image_tag:
+            return failure("capsule tag mismatch")
+
+        return {
+            "ok": True,
+            "reason": "",
+            "release": {
+                "gitCommit": release_git_commit,
+                "packageKind": package_kind,
+                "packagePath": package_path,
+            },
+        }
+
+
+    class Handler(BaseHTTPRequestHandler):
+        def do_GET(self):
+            if self.path == "/healthz":
+                self.respond(200, {"ok": True})
+                return
+            self.respond(404, {"ok": False, "reason": "not found"})
+
+        def do_POST(self):
+            if self.path != "/verify":
+                self.respond(404, {"ok": False, "reason": "not found"})
+                return
+
+            try:
+                content_length = int(self.headers.get("Content-Length", "0"))
+                payload = json.loads(self.rfile.read(content_length))
+                result = validate(payload)
+                self.respond(200 if result["ok"] else 422, result)
+            except Exception as exc:
+                self.respond(500, {"ok": False, "reason": f"verifier error: {exc}"})
+
+        def log_message(self, _format, *_args):
+            return
+
+        def respond(self, status_code, body):
+            data = json.dumps(body).encode("utf-8")
+            self.send_response(status_code)
+            self.send_header("Content-Type", "application/json")
+            self.send_header("Content-Length", str(len(data)))
+            self.end_headers()
+            self.wfile.write(data)
+
+
+    server = HTTPServer(("0.0.0.0", 8080), Handler)
+    server.serve_forever()
diff --git a/apps/kargo-project-codeai/codeai-release-verify-deployment.yaml b/apps/kargo-project-codeai/codeai-release-verify-deployment.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: codeai-release-verify
+  namespace: kargo-project-codeai
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: codeai-release-verify
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: codeai-release-verify
+    spec:
+      containers:
+        - name: server
+          image: python:3.12-alpine
+          command:
+            - python
+            - /app/server.py
+          ports:
+            - name: http
+              containerPort: 8080
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+          volumeMounts:
+            - name: app
+              mountPath: /app
+      volumes:
+        - name: app
+          configMap:
+            name: codeai-release-verify
diff --git a/apps/kargo-project-codeai/codeai-release-verify-service.yaml b/apps/kargo-project-codeai/codeai-release-verify-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: codeai-release-verify
+  namespace: kargo-project-codeai
+spec:
+  selector:
+    app.kubernetes.io/name: codeai-release-verify
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
diff --git a/apps/kargo-project-codeai/project-config.yaml b/apps/kargo-project-codeai/project-config.yaml
@@ -9,7 +9,9 @@ spec:
       autoPromotionEnabled: true
     - stage: test
       autoPromotionEnabled: false
-    - stage: production
-      autoPromotionEnabled: false
     - stage: levelbuilder
       autoPromotionEnabled: false
+    - stage: review-infra-changes
+      autoPromotionEnabled: false
+    - stage: production
+      autoPromotionEnabled: false
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Rendered output is committed on `stage/levelbuilder`.
		`main` keeps only this placeholder so the branch-local path exists before first render.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Rendered output is committed on `stage/production`.
		`main` keeps only this placeholder so the branch-local path exists before first render.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Rendered output is committed on `stage/staging`.
		`main` keeps only this placeholder so the branch-local path exists before first render.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Rendered output is committed on `stage/test`.
		`main` keeps only this placeholder so the branch-local path exists before first render.