code-dot-org · snickell · Mar 23, 2026 · Mar 23, 2026
diff --git a/README.md b/README.md
@@ -24,18 +24,24 @@ k8s-gitops/
       repos.yaml                  # configure application.yaml to load $app_name/*
 
     codeai/
-      applicationset.yaml         # define argocd apps for codeai deployments: deployments/*/deployment.yaml
+      applicationset.yaml         # generate Argo apps from deployments/*/deployment.yaml on main
 
       deployments/
         levelbuilder/             # codeai deployment levelbuilder
           deployment.yaml         # envType=levelbuilder, branch=levelbuilder
-          values.yaml             # values.yaml for this deployment: dashboard_workers=27, RAILS_ENV=levelbuilder, etc
+          deploy/                 # rendered output on stage/levelbuilder branch
+          values.yaml             # legacy Helm-era values kept for compatibility during migration
         ...
 
       envTypes/
         levelbuilder.values.yaml  # base values.yaml for all envType=levelbuilder
         ...
 
+      kargo/
+        templates/
+          deploy/
+            kustomization.yaml    # copied into temp render workdirs before kustomize-build
+
     kargo/
       application.yaml            # argocd app for kargo itself
       values.yaml                 # helm values for kargo install
@@ -44,13 +50,18 @@ k8s-gitops/
       application.yaml            # argocd app for kargo project codeai
       project.yaml                # kargo project for codeai
       project-config.yaml         # kargo projectconfig for codeai
-      warehouse.yaml              # kargo warehouse for codeai
+      warehouse.yaml              # git build-lock warehouse for codeai
       stages/
         levelbuilder.yaml         # kargo stage for codeai deployment levelbuilder
+        review-infra-changes.yaml # opens a PR with rendered production manifests
         ...
+
+  warehouses/
+    codeai/
+      builds/                     # thin build-lock Freight records
+      legacy-gitflow/             # merge facts used for downstream promotion gates
 ```
 
 ## Bootstrap Cluster
 
 kubectl apply -f apps/app-of-apps/applicationset.yaml
-
diff --git a/apps/codeai/README.md b/apps/codeai/README.md
@@ -1,3 +1,8 @@
-This app's deployment definitions live under `deployments/`.
+This app's authored deployment metadata lives under `deployments/`.
 
-Docker image tag writeback is done by the GitHub Actions workflow [`k8s-commit-image-ref-to-argocd.yml`](https://github.com/code-dot-org/code-dot-org/blob/staging/.github/workflows/k8s-commit-image-ref-to-argocd.yml).
+Rendered deploy output is written by Kargo into `stage/<deployment>` branches at
+`apps/codeai/deployments/<deployment>/deploy/`, and Argo CD deploys directly from
+those rendered branches.
+
+Build publication now writes thin build-lock Freight records under
+`warehouses/codeai/builds/` instead of editing deployment `values.yaml` files.
diff --git a/apps/codeai/applicationset.yaml b/apps/codeai/applicationset.yaml
@@ -19,17 +19,9 @@ spec:
     spec:
       project: default
       sources:
-        - repoURL: https://github.com/code-dot-org/code-dot-org.git
-          targetRevision: '{{sourceRevision}}'
-          path: k8s/helm
-          helm:
-            releaseName: '{{path.basename}}'
-            valueFiles:
-              - $values/apps/codeai/envTypes/{{envType}}.values.yaml
-              - $values/apps/codeai/deployments/{{path.basename}}/values.yaml
         - repoURL: https://github.com/code-dot-org/k8s-gitops.git
-          targetRevision: main
-          ref: values
+          targetRevision: stage/{{path.basename}}
+          path: apps/codeai/deployments/{{path.basename}}/deploy
       destination:
         server: https://kubernetes.default.svc
         namespace: '{{namespace}}'

diff --git a/apps/codeai/deployments/levelbuilder/deployment.yaml b/apps/codeai/deployments/levelbuilder/deployment.yaml
@@ -0,0 +1,3 @@
+envType: levelbuilder
+namespace: levelbuilder
+branch: levelbuilder
diff --git a/apps/codeai/deployments/levelbuilder/deployment.yaml.disabled b/apps/codeai/deployments/levelbuilder/deployment.yaml.disabled
diff --git a/apps/codeai/deployments/production/deployment.yaml b/apps/codeai/deployments/production/deployment.yaml
@@ -0,0 +1,3 @@
+envType: production
+namespace: production
+branch: production
diff --git a/apps/codeai/deployments/production/deployment.yaml.disabled b/apps/codeai/deployments/production/deployment.yaml.disabled
diff --git a/apps/codeai/deployments/test/deployment.yaml b/apps/codeai/deployments/test/deployment.yaml
@@ -1,5 +1,3 @@
 envType: test
 namespace: test
-# FIXME: for quicker testing, avoid waiting on DTTs and DTPs, let alone DTLs.
-# branch: test
-branch: staging
+branch: test
diff --git a/apps/codeai/envTypes/levelbuilder/deployment.patch.yaml b/apps/codeai/envTypes/levelbuilder/deployment.patch.yaml
@@ -7,7 +7,7 @@ spec:
     spec:
       containers:
         - name: dashboard
-          image: ghcr.io/code-dot-org/code-dot-org:replace-me
+          image: code-dot-org:replace-me
           env:
             - name: RAILS_ENV
               value: levelbuilder

diff --git a/apps/codeai/envTypes/staging/deployment.patch.yaml b/apps/codeai/envTypes/staging/deployment.patch.yaml
@@ -7,7 +7,7 @@ spec:
     spec:
       containers:
         - name: dashboard
-          image: ghcr.io/code-dot-org/code-dot-org:replace-me
+          image: code-dot-org:replace-me
           env:
             - name: RAILS_ENV
               value: staging

diff --git a/apps/codeai/kargo/templates/deploy/kustomization.yaml b/apps/codeai/kargo/templates/deploy/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources: []
+components: []
+images:
+  - name: code-dot-org
+    newName: ghcr.io/code-dot-org/code-dot-org
+    newTag: replace-me
diff --git a/apps/kargo-project-codeai/project-config.yaml b/apps/kargo-project-codeai/project-config.yaml
@@ -9,7 +9,9 @@ spec:
       autoPromotionEnabled: true
     - stage: test
       autoPromotionEnabled: false
-    - stage: production
-      autoPromotionEnabled: false
     - stage: levelbuilder
       autoPromotionEnabled: false
+    - stage: review-infra-changes
+      autoPromotionEnabled: false
+    - stage: production
+      autoPromotionEnabled: false
diff --git a/apps/kargo-project-codeai/stages/levelbuilder.yaml b/apps/kargo-project-codeai/stages/levelbuilder.yaml
@@ -7,33 +7,121 @@ spec:
   requestedFreight:
     - origin:
         kind: Warehouse
-        name: kargo-project-codeai
+        name: codeai-builds
       sources:
         stages:
           - test
+  vars:
+    - name: gitopsRepo
+      value: https://github.com/code-dot-org/k8s-gitops.git
+    - name: imageRepo
+      value: ghcr.io/code-dot-org/code-dot-org
+    - name: targetBranch
+      value: stage/${{ ctx.stage }}
+    - name: legacyEnv
+      value: levelbuilder
   promotionTemplate:
     spec:
-      vars:
-        - name: gitopsRepo
-          value: https://github.com/code-dot-org/k8s-gitops.git
       steps:
         - uses: git-clone
           config:
             repoURL: ${{ vars.gitopsRepo }}
             checkout:
+              - commit: ${{ commitFrom(vars.gitopsRepo, warehouse('codeai-builds')).ID }}
+                path: ./freight
               - branch: main
-                path: ./gitops
+                path: ./meta
+              - branch: ${{ vars.targetBranch }}
+                create: true
+                path: ./out
+        - uses: yaml-parse
+          as: build-lock
+          config:
+            path: ./freight/warehouses/codeai/builds/current.yaml
+            outputs:
+              - name: releaseId
+                fromExpression: releaseId
+              - name: gitCommit
+                fromExpression: gitCommit
+              - name: sourceRepo
+                fromExpression: packaging.sourceRepo
+              - name: sourcePath
+                fromExpression: packaging.sourcePath
+        - uses: yaml-parse
+          as: legacy-merge
+          config:
+            path: ./meta/warehouses/codeai/legacy-gitflow/${{ vars.legacyEnv }}/merged/${{ outputs['build-lock'].releaseId }}.yaml
+            outputs:
+              - name: revision
+                fromExpression: revision
+              - name: tag
+                fromExpression: tag
+              - name: mergedAt
+                fromExpression: mergedAt
+        - uses: yaml-parse
+          as: deployment-meta
+          config:
+            path: ./meta/apps/codeai/deployments/${{ ctx.stage }}/deployment.yaml
+            outputs:
+              - name: envType
+                fromExpression: envType
+              - name: namespace
+                fromExpression: namespace
+        - uses: git-clone
+          config:
+            repoURL: ${{ outputs['build-lock'].sourceRepo }}
+            checkout:
+              - commit: ${{ outputs['build-lock'].gitCommit }}
+                path: ./src
+                sparse:
+                  - ${{ outputs['build-lock'].sourcePath }}
+        - uses: git-clear
+          config:
+            path: ./out/apps/codeai/deployments/${{ ctx.stage }}/deploy
+        - uses: copy
+          config:
+            inPath: ./src/${{ outputs['build-lock'].sourcePath }}
+            outPath: ./work/deployments/source
+        - uses: copy
+          config:
+            inPath: ./meta/apps/codeai/envTypes/${{ outputs['deployment-meta'].envType }}
+            outPath: ./work/deployments/envTypes/${{ outputs['deployment-meta'].envType }}
+        - uses: copy
+          config:
+            inPath: ./meta/apps/codeai/envTypes/components
+            outPath: ./work/deployments/envTypes/components
+        - uses: copy
+          config:
+            inPath: ./meta/apps/codeai/kargo/templates/deploy
+            outPath: ./work/deployments/${{ ctx.stage }}/deploy
         - uses: yaml-update
           config:
-            path: ./gitops/apps/codeai/deployments/levelbuilder/values.yaml
+            path: ./work/deployments/${{ ctx.stage }}/deploy/kustomization.yaml
             updates:
-              - key: image
-                value: ghcr.io/code-dot-org/code-dot-org:${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }}
+              - key: namespace
+                value: ${{ outputs['deployment-meta'].namespace }}
+              - key: resources
+                value:
+                  - ../../source/base
+              - key: components
+                value:
+                  - ../../envTypes/${{ outputs['deployment-meta'].envType }}
+        - uses: kustomize-set-image
+          config:
+            path: ./work/deployments/${{ ctx.stage }}/deploy
+            images:
+              - image: code-dot-org
+                newName: ${{ vars.imageRepo }}
+                tag: ${{ outputs['build-lock'].releaseId }}
+        - uses: kustomize-build
+          config:
+            path: ./work/deployments/${{ ctx.stage }}/deploy
+            outPath: ./out/apps/codeai/deployments/${{ ctx.stage }}/deploy
         - uses: git-commit
           config:
-            path: ./gitops
-            message: |
-              Promote levelbuilder to ${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }} [skip ci]
+            path: ./out
+            message: Render ${{ ctx.stage }} for ${{ outputs['build-lock'].releaseId }}
         - uses: git-push
           config:
-            path: ./gitops
+            path: ./out
+            branch: ${{ vars.targetBranch }}
diff --git a/apps/kargo-project-codeai/stages/production.yaml b/apps/kargo-project-codeai/stages/production.yaml
@@ -7,33 +7,12 @@ spec:
   requestedFreight:
     - origin:
         kind: Warehouse
-        name: kargo-project-codeai
+        name: codeai-builds
       sources:
         stages:
-          - test
+          - review-infra-changes
+  # Production deploy truth is the reviewed render merged into stage/production.
+  # This stage models the final approved hop after the PR merge updates that branch.
   promotionTemplate:
     spec:
-      vars:
-        - name: gitopsRepo
-          value: https://github.com/code-dot-org/k8s-gitops.git
-      steps:
-        - uses: git-clone
-          config:
-            repoURL: ${{ vars.gitopsRepo }}
-            checkout:
-              - branch: main
-                path: ./gitops
-        - uses: yaml-update
-          config:
-            path: ./gitops/apps/codeai/deployments/production/values.yaml
-            updates:
-              - key: image
-                value: ghcr.io/code-dot-org/code-dot-org:${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }}
-        - uses: git-commit
-          config:
-            path: ./gitops
-            message: |
-              Promote production to ${{ imageFrom("ghcr.io/code-dot-org/code-dot-org").Tag }} [skip ci]
-        - uses: git-push
-          config:
-            path: ./gitops
+      steps: []