cartsnitch/org
12
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(skills): mirror groombook sdlc structure, split devops skill

Browse Source 
- sdlc: trim to application-repo scope with Phase 1-5 pipeline; engineer
  self-merges all branches with per-branch prerequisites; move infra,
  Flux, tofu, and operator-install content out
- devops: new skill mirroring groombook/org/skills/devops — owns
  cartsnitch/infra, Flux GitOps, OpenTofu controller, cluster topology,
  Flux Image Tag Automation denied policy
- safety: add Gitea-origin board-approval gate, board-approval scope
  section, and adapterConfig.env read-before-write rule
- coding-standards: replace "no agent merges their own PR" with the
  reviews-required-then-engineer-may-merge rule consistent with sdlc
- CLAUDE.md: update skill index, branch & merge policy, and SDLC phase
  summary to reflect engineer-self-merge and the new devops skill

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Chris Farhood
2026-06-09 09:25:58 -04:00
parent d0ff14c155
commit 530ecc74e6
5 changed files with 237 additions and 156 deletions
Download Patch File Download Diff File Expand all files Collapse all files
skills/devops/SKILL.md
+81
View File
@@ -0,0 +1,81 @@
---
name: devops
description: >
Infrastructure lifecycle for CartSnitch. Governs work on the
cartsnitch/infra repo: single-branch main strategy, the infra PR review
pipeline, Flux GitOps reconciliation, OpenTofu controller workflow,
cluster topology, and the Flux image-automation policy. For application
code, see the sdlc skill.
---
# DevOps Practices
This skill governs work on **`cartsnitch/infra`**. For application code lifecycle, see the `sdlc` skill. For PR/test discipline and the `cc @cpfarhood` visibility rule, see `coding-standards`. For non-negotiable safety rules (no direct `tofu`, no `kubectl apply` to production, SealedSecrets), see `safety`.
## Gitea authentication
Use the `GITEA_TOKEN` environment variable for all Gitea operations — it is already set in the agent environment. Use the **`tea`** CLI for all Gitea/Git operations (e.g., `tea issue list`, `tea pr create`). Gitea is the primary source of truth.
## Branch strategy
`cartsnitch/infra` uses a single long-lived branch: **`main`**. Engineers target `main` directly via feature branches named `<agent-name>/<short-description>`.
## Pipeline
1. **Engineer** branches from `main`, writes code.
2. **Engineer** opens a PR against `main`.
3. **CI** fail → back to **Engineer**.
4. **CI** pass → **QA (Checkout Charlie `9b6012d0-0406-417e-bb22-78266a6e7f77`)** performs code review.
5. **QA** rejected → back to **Engineer**.
6. **QA** approved → **CTO (Savannah Savings `6ec1a5a9-113c-430b-90e6-260d60d79e1d`)** performs code review.
7. **CTO** rejected → back to **Engineer**.
8. **CTO** approved → **Engineer** merges PR → **Flux** reconciles automatically.
```bash
tea pr create --base main --title "..." --body "... cc @cpfarhood"
```
Gitea branch protection requires CI checks to pass. See `coding-standards` for the no-self-merge contract and the `cc @cpfarhood` rule.
## Infrastructure topology
* **Production:** namespace `cartsnitch`, FQDN `cartsnitch.com`
* **UAT:** namespace `cartsnitch-uat`, FQDN `uat.cartsnitch.com`
* **Dev:** namespace `cartsnitch-dev`, FQDN `dev.cartsnitch.com`
* **Cluster:** Kubernetes — cluster-wide read; read/write on `cartsnitch-dev` and `cartsnitch-uat`; read-only on `cartsnitch` (production).
* **Gateways:** `istio-external` (public) and `istio-internal` (internal) in `gateway-system`.
* **Container registry:** `git.farh.net/cartsnitch/<service>` only.
## GitOps (Flux)
Flux watches `cartsnitch/infra` as the **target** GitRepository — it is **not** a Flux bootstrap/cluster repo and must never be treated as one.
Reconciles Kustomize overlays:
- `apps/overlays/dev``cartsnitch-dev`
- `apps/overlays/uat``cartsnitch-uat`
- `apps/overlays/prod``cartsnitch`
Images currently use `:latest` with `imagePullPolicy: Always`; pin to a CalVer tag in the infra overlay when stabilizing a release.
**Policy — Flux Image Tag Automation is DENIED.** Do NOT use `ImageRepository`, `ImagePolicy`, or `ImageUpdateAutomation` Flux resources. Image tag updates must be made intentionally via a PR to `cartsnitch/infra` — typically as the final step of the `sdlc` application pipeline (Phase 5).
**To force a rollout without a manifest change:**
```bash
kubectl rollout restart deployment/<name> -n <namespace>
```
## Infrastructure as Code
Terraform (OpenTofu) is deployed via the **Flux OpenTofu Controller** in a GitOps fashion. Submit Terraform configurations via a PR to `cartsnitch/infra` — the tofu controller reconciles them on merge. See `safety` for the prohibition on running `tofu` directly and on `kubectl apply` against production.
## Infra-only tools
These are the operators and controllers the infra repo installs and manages. Alternatives are policy violations:
* **GitOps:** Flux CD (managed externally; reconciles `cartsnitch/infra`).
* **IaC:** Flux OpenTofu Controller.
* **Secret management:** Bitnami Sealed Secrets Controller — encrypt with `kubeseal`, commit `SealedSecret` resources to `cartsnitch/infra`. No plain Kubernetes secrets.
* **Database operator:** CloudNativePG (Postgres).
* **Cache / pub-sub operator:** DragonflyDB.
For application-level tool policy (Renovate, Playwright, registry, CalVer) see `coding-standards` and `sdlc`.