CI/CD

Purpose

Lumie's CI/CD path is GitOps-adjacent rather than GitOps-exclusive: Tekton reacts to Gitea push events, builds images, pushes them to Zot, commits updated image tags back into lumie-infra, and then relies on Argo CD to perform the rollout.

This page is a reference document for developers changing build triggers, pipeline templates, image publishing, or the values-update handoff into GitOps. For Tekton controller installation, see Tekton.

Source Paths

Path	Role
`lumie-infra/applications/tekton/ci-cd/argocd.yaml`	Argo CD application for the CI/CD manifests
`lumie-infra/applications/tekton/ci-cd/manifests/triggers/eventlistener.yaml`	Gitea webhook routing and path-based trigger filters
`lumie-infra/applications/tekton/ci-cd/manifests/triggers/triggerbinding.yaml`	Maps webhook payload fields to Tekton params
`lumie-infra/applications/tekton/ci-cd/manifests/triggers/triggertemplate.yaml`	Creates `PipelineRun` objects for each repo or worker slice
`lumie-infra/applications/tekton/ci-cd/manifests/pipelines/*.yaml`	Pipeline definitions for Spring Boot, Next.js, FastAPI, Python, and React builds
`lumie-infra/applications/tekton/ci-cd/manifests/tasks/kaniko-build-push.yaml`	Clone, build, tag, and push logic
`lumie-infra/applications/tekton/ci-cd/manifests/tasks/git-update-values.yaml`	Commits image tag updates back into `lumie-infra`
`lumie-infra/applications/tekton/ci-cd/manifests/secrets/*.yaml`	Vault-backed Gitea, webhook, and Zot credentials
`lumie-infra/applications/lumie/**/common-values.yaml`	Deployment values Tekton mutates after a successful build

Runtime Flow

Public Surface

Surface	Contract
EventListener `github-listener`	Accepts only `X-Gitea-Event=push` for `refs/heads/main`
Trigger binding `github-push-binding`	Clones repos from `http://gitea-http.gitea.svc.cluster.local:3000/<org>/<repo>.git`
Pipeline result tags	`kaniko-build-push` writes the short commit SHA to `IMAGE_TAG` and the digest to `IMAGE_DIGEST`
Values updater	`git-update-values` edits one or more YAML files with `sed`, commits, and retries push or rebase up to 5 times

The handoff into GitOps is explicitly Git-based. Tekton does not patch Deployments in-cluster.

Active Pipeline Catalog

Trigger or template	Pipeline	Deploy target updated
`lumie-document-build-template`	`nextjs-build-deploy`	`applications/lumie/document/helm-values.yaml`
`lumie-frontend-build-template`	`nextjs-build-deploy`	`applications/lumie/frontend/common-values.yaml` descendants
`lumie-backend-build-template`	`lumie-springboot-build-deploy`	`applications/lumie/backend/common-values.yaml`
`lumie-grading-svc-build-template`	`fastapi-build-deploy`	`applications/lumie/worker/grading-svc/common-values.yaml` descendants
`lumie-report-svc-build-template`	`fastapi-build-deploy`	`applications/lumie/worker/report-svc/common-values.yaml` descendants
`lumie-analysis-svc-build-template`	`fastapi-build-deploy`	`applications/lumie/worker/analysis-svc/helm-values.yaml`
`lumie-chatbot-svc-build-template`	`fastapi-build-deploy`	`applications/lumie/worker/chatbot-svc/common-values.yaml` descendants
`lumie-temp-omr-grading-build-template`	`fastapi-build-deploy`	`applications/lumie/worker/temp-omr-grading/helm-values.yaml`

Two trigger definitions are present but notably narrow:

github-push-nextjs currently filters body.repository.name in [], so no repo matches it in the inspected source.
github-push-fastapi currently filters only body.repository.name in ['joossam'].

Secret And Credential Flow

Secret	Source path	Purpose
`gitea-credentials`	`manifests/secrets/gitea-credentials.yaml`	HTTP basic auth for cloning repos and pushing values updates
`github-webhook-secret`	`manifests/secrets/github-credentials.yaml`	Webhook secret stored from Vault path `tokens`
`zot-registry-credentials`	`manifests/secrets/zot-registry-credentials.yaml`	Docker config for Kaniko pushes to `zot.lumie-infra.com`

All three are VaultStaticSecret resources that resolve through the shared vault/vault-auth identity.

Operational Notes

resource-quota.yaml limits aggregate requests.memory for non-BestEffort CI pods to 16Gi.
cleanup/cronjob.yaml prunes completed PipelineRun and TaskRun resources every two hours.
PipelineRun.spec.onSuccessfulCompletion: delete keeps successful runs short-lived even before cleanup.
springboot-test, nextjs-check, and fastapi-check support informational mode for non-blocking checks, but the default behavior is still blocking.

This excerpt shows the deployment-values handoff:

- name: GIT_REPO_URL
  default: "http://gitea-http.gitea.svc.cluster.local:3000/Lumie-Edu/lumie-infra.git"
...
git commit -m "CHORE(app): update $(params.APP_NAME) image to $IMAGE_TAG"

Contract Drift

Inspected sources disagree on where GitOps deployment state lives:

Source	Claim
Root Argo CD Applications and bootstrap defaults	`lumie-infra` source repo is GitHub
`git-update-values.yaml`	`lumie-infra` updates are pushed to in-cluster Gitea
`bootstrap/gitea/helm-values.yaml`	Comments still describe `lumie-infra` remaining on GitHub and application source repos living in Gitea

The repo does not declare the synchronization path between GitHub and Gitea for lumie-infra. Keep that gap visible when modifying CI/CD.

Verification

cd lumie-infra
rg -n "github-listener|gitea-http|zot.lumie-infra.com|git-update-values|onSuccessfulCompletion" \
  applications/tekton/ci-cd

kubectl get eventlistener github-listener -n tekton-pipelines -o yaml
kubectl get pipelineruns -n tekton-pipelines
kubectl get taskruns -n tekton-pipelines

Purpose​

Source Paths​

Runtime Flow​

Public Surface​

Active Pipeline Catalog​

Secret And Credential Flow​

Operational Notes​

Contract Drift​

Verification​