Superpowers Brainstorming


Design Section 4: CI/CD Pipeline & GitOps

GitHub Actions → ECR → ArgoCD → EKS

Deployment Pipeline Flow
 Developer                GitHub Actions                    ECR              ArgoCD            EKS
    │                          │                             │                 │                │
    ├── git push main ────────►│                             │                 │                │
    │                          ├── lint + test (SQLite) ───► │                 │                │
    │                          ├── test (PostgreSQL) ──────► │                 │                │
    │                          ├── docker build ────────────►├── push image    │                │
    │                          ├── update image tag ─────────┼────────────────►├── detect diff  │
    │                          │   in k8s manifests repo     │                 ├── sync ───────►├── rolling update
    │                          │                             │                 │                │
    │                          │        dev: auto-deploy on push to main                        │
    │                          │        prod: manual approval in ArgoCD UI
Application Repos (existing)
github.com/greeep/arx
├── src/
├── Cargo.toml
├── Dockerfile              ← multi-stage build
└── .github/workflows/
    └── ci.yml              ← test + build + push ECR

github.com/greeep/PitchPilot
├── app/
├── package.json
├── Dockerfile
└── .github/workflows/
    └── ci.yml
App repos own: source code, Dockerfile, CI pipeline (test + build + push).
They do NOT contain K8s manifests.
GitOps Repo (new)
github.com/greeep/k8s-manifests
├── base/                    ← shared templates
│   ├── arx/
│   │   ├── deployment.yaml
│   │   ├── service.yaml
│   │   ├── ingress.yaml
│   │   └── kustomization.yaml
│   ├── pitchpilot/
│   │   ├── deployment.yaml
│   │   ├── service.yaml
│   │   ├── ingress.yaml
│   │   └── kustomization.yaml
│   └── system/
│       ├── nginx-ingress/
│       ├── cert-manager/
│       ├── external-secrets/
│       └── argocd/
├── overlays/
│   ├── dev/                 ← dev overrides
│   │   ├── kustomization.yaml
│   │   ├── arx-patch.yaml   # 1 replica, dev DB, dev S3
│   │   └── pp-patch.yaml
│   └── prod/                ← prod overrides
│       ├── kustomization.yaml
│       ├── arx-patch.yaml   # 2 replicas, Aurora, prod S3
│       └── pp-patch.yaml
└── README.md
GitOps repo owns: K8s manifests, env-specific overrides, Kustomize overlays.
ArgoCD watches this repo → dev and system overlays sync automatically on every merge; prod only syncs after a manual approval in the ArgoCD UI.
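How the base and overlay files fit together, shown as an added illustration rather than the project's actual manifests: the base Deployment names the image by its registry path with no tag, and the dev overlay pins the tag. That `images:` entry is exactly the field `kustomize edit set image <name>=<name>:<sha>` rewrites on every push to main. The registry host, account id, resource sizes and the pod security settings (which assume the images run as a non-root user) are placeholders.

```yaml
# base/arx/deployment.yaml (illustrative; not the k8s-manifests repo's own file)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: arx
spec:
  selector:
    matchLabels: { app: arx }
  template:
    metadata:
      labels: { app: arx }
    spec:
      securityContext:
        runAsNonRoot: true                      # pod is refused if the image would run as uid 0
        seccompProfile: { type: RuntimeDefault }
      containers:
        - name: arx
          # placeholder registry; no tag here, the overlay supplies it
          image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/arx
          ports: [{ containerPort: 3000 }]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true        # mount an emptyDir for any scratch path the app writes
            capabilities: { drop: [ALL] }
          resources:
            requests: { cpu: 100m, memory: 128Mi }
            limits: { memory: 256Mi }
---
# base/arx/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
  - service.yaml
  - ingress.yaml
---
# overlays/dev/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: dev
resources:
  - ../../base/arx
  - ../../base/pitchpilot
images:
  # This entry is what CI's `kustomize edit set image` writes: an immutable commit sha, never `latest`.
  - name: 123456789012.dkr.ecr.us-east-1.amazonaws.com/arx
    newName: 123456789012.dkr.ecr.us-east-1.amazonaws.com/arx
    newTag: 0123456789abcdef0123456789abcdef01234567   # placeholder sha
patches:
  - path: arx-patch.yaml    # 1 replica, dev DB, dev S3
  - path: pp-patch.yaml
```

Because the overlay, not the base, owns the tag, `git log overlays/dev/kustomization.yaml` is a complete audit trail of what ran in dev and when, and a rollback is a revert of one commit.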
GitHub Actions CI (per app repo)
# .github/workflows/ci.yml
name: CI/CD
on:
  push: { branches: [main] }
  pull_request: { branches: [main] }

env:
  AWS_REGION: us-east-1      # placeholder: region of the ECR registry
  ECR_REPOSITORY: arx        # placeholder: `pitchpilot` in the PitchPilot repo

# Least privilege: the default GITHUB_TOKEN is read-only; build-push adds id-token below.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        db: [sqlite, postgres]
    services:
      postgres:
        image: postgres:16
        env: { POSTGRES_DB: test, POSTGRES_PASSWORD: test }
        ports: ['5432:5432']
        options: --health-cmd pg_isready --health-interval 5s --health-timeout 5s --health-retries 10
    steps:
      - uses: actions/checkout@v4
      - name: Run tests against ${{ matrix.db }}
        run: |
          # app-specific test command goes here (e.g. `cargo test` for arx, `npm test` for PitchPilot)
          echo "tests against ${{ matrix.db }}"

  build-push:
    needs: test
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write        # required so configure-aws-credentials can mint the OIDC token for role-to-assume
    outputs:
      image: ${{ steps.image.outputs.name }}
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::xxx:role/github-ecr-push
          aws-region: ${{ env.AWS_REGION }}
      - uses: aws-actions/amazon-ecr-login@v2
        id: login-ecr
      - id: image
        run: echo "name=${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}" >> "$GITHUB_OUTPUT"
      - env:
          ECR_REPO: ${{ steps.image.outputs.name }}
        run: |
          docker build -t "$ECR_REPO:${{ github.sha }}" .
          docker push "$ECR_REPO:${{ github.sha }}"
          # `latest` is a convenience tag for humans only; the manifests always pin the commit sha
          docker tag "$ECR_REPO:${{ github.sha }}" "$ECR_REPO:latest"
          docker push "$ECR_REPO:latest"

  update-manifests:
    needs: build-push
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: greeep/k8s-manifests
          token: ${{ secrets.GITOPS_TOKEN }}   # fine-grained PAT (or GitHub App token) with contents:write on k8s-manifests only
      - env:
          ECR_REPO: ${{ needs.build-push.outputs.image }}
        run: |
          # Update image tag in dev overlay (immutable sha tag, never `latest`)
          cd overlays/dev
          kustomize edit set image "$ECR_REPO=$ECR_REPO:${{ github.sha }}"
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit -am "deploy: ${{ github.repository }}@${{ github.sha }}"
          git pull --rebase && git push   # both app repos push to this branch; rebase avoids a lost-update race
      # ArgoCD detects change → auto-syncs dev
      # Prod: manual promotion in ArgoCD UI
Arx Dockerfile (multi-stage)
# Build stage
FROM rust:1.80 AS builder
WORKDIR /app
COPY . .
RUN cargo build --release --features postgres,s3

# Runtime stage
FROM debian:bookworm-slim
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/* \
 && useradd --system --uid 10001 --no-create-home arx
COPY --from=builder /app/target/release/arx /usr/local/bin/
USER 10001      # run unprivileged; a numeric uid lets the pod's runAsNonRoot check pass without inspecting the image
EXPOSE 3000
CMD ["arx", "serve"]
PitchPilot Dockerfile
# Build stage
FROM node:20-alpine AS builder
WORKDIR /app
COPY app/package*.json ./
RUN npm ci
COPY app/ .
RUN npm run build \
 && npm prune --omit=dev     # drop devDependencies so the runtime image ships only what server/ needs

# Runtime stage
FROM node:20-alpine
ENV NODE_ENV=production
WORKDIR /app
COPY --from=builder --chown=node:node /app/dist ./dist
COPY --from=builder --chown=node:node /app/server ./server
COPY --from=builder --chown=node:node /app/node_modules ./node_modules
USER node       # the official node image ships an unprivileged `node` user (uid 1000)
EXPOSE 3001
CMD ["node", "server/index.mjs"]
ArgoCD Application Definitions
app: greeep-dev
source: greeep/k8s-manifests
path: overlays/dev
destination: eks-cluster / ns:dev
sync: auto (on git push)
prune: true
app: greeep-prod
source: greeep/k8s-manifests
path: overlays/prod
destination: eks-cluster / ns:prod
sync: manual (click to deploy)
prune: false (safety)
app: greeep-system
source: greeep/k8s-manifests
path: base/system
destination: eks-cluster / ns:system
sync: auto
self-heal: true
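The dev and prod definitions above written out as Argo CD manifests, added here for illustration and not taken from the project. The repo URL, the `greeep` AppProject and the in-cluster server address (the page's `eks-cluster`) are assumptions. The AppProject is the security-relevant part: it restricts everything synced from k8s-manifests to that one repo and to the dev/prod/system namespaces with no cluster-scoped resources, so a bad commit to the manifests repo cannot reach another namespace or create ClusterRoles. greeep-system, which installs CRDs and ClusterRoles for nginx-ingress, cert-manager and ArgoCD, needs its own project with a cluster-resource whitelist and is left out.

```yaml
# AppProject: the blast radius for everything synced from k8s-manifests (assumed name)
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: greeep
  namespace: argocd
spec:
  sourceRepos:
    - https://github.com/greeep/k8s-manifests.git   # only this repo may be a source
  destinations:
    - { server: https://kubernetes.default.svc, namespace: dev }
    - { server: https://kubernetes.default.svc, namespace: prod }
    - { server: https://kubernetes.default.svc, namespace: system }
  clusterResourceWhitelist: []   # empty = app overlays may not create cluster-scoped objects
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: greeep-dev
  namespace: argocd
spec:
  project: greeep
  source:
    repoURL: https://github.com/greeep/k8s-manifests.git
    targetRevision: main
    path: overlays/dev
  destination:
    server: https://kubernetes.default.svc   # the cluster ArgoCD runs in (eks-cluster)
    namespace: dev
  syncPolicy:
    automated:
      prune: true          # resources deleted from git are deleted from the cluster
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: greeep-prod
  namespace: argocd
spec:
  project: greeep
  source:
    repoURL: https://github.com/greeep/k8s-manifests.git
    targetRevision: main
    path: overlays/prod
  destination:
    server: https://kubernetes.default.svc
    namespace: prod
  # No syncPolicy.automated: a merged PR only flips the app to OutOfSync,
  # and nothing changes in the cluster until someone clicks Sync. Prune stays off (default).
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
```

With `automated` absent on greeep-prod, the ArgoCD RBAC policy on `applications, sync, greeep/greeep-prod` is the actual production approval gate, so it should be granted to a named group rather than to everyone who can see the UI.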
Prod promotion flow: dev passes smoke tests → pin the same image sha (never `latest`) in overlays/prod → PR to k8s-manifests → review + merge → click Sync on greeep-prod in the ArgoCD UI. The merge alone changes nothing in the cluster; the Sync click is the approval gate.
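The "update image tag in overlays/prod → PR" steps as a workflow_dispatch workflow living in the k8s-manifests repo. This is an added sketch, not the project's own workflow; the registry host, the branch naming and the requirement that the tag be a 40-hex commit sha are assumptions. It refuses a mutable tag, refuses a sha that has not already run in dev, and leaves the final Sync click to a human.

```yaml
# .github/workflows/promote.yml  (in greeep/k8s-manifests; illustrative)
name: Promote to prod
on:
  workflow_dispatch:
    inputs:
      app:
        description: App to promote
        required: true
        type: choice
        options: [arx, pitchpilot]
      sha:
        description: Commit sha that already ran in dev
        required: true

permissions:
  contents: write
  pull-requests: write

jobs:
  promote:
    runs-on: ubuntu-latest
    env:
      REGISTRY: 123456789012.dkr.ecr.us-east-1.amazonaws.com   # placeholder
      # Inputs reach shell through env, not inline ${{ }} in run:, so they cannot inject into the script.
      APP: ${{ inputs.app }}
      SHA: ${{ inputs.sha }}
    steps:
      - uses: actions/checkout@v4
      - name: Refuse anything that is not an immutable 40-hex tag
        run: |
          [[ "$SHA" =~ ^[0-9a-f]{40}$ ]] || { echo "sha must be a 40-hex commit id, not 'latest'"; exit 1; }
      - name: Require that dev already runs this sha
        run: |
          grep -qF "newTag: $SHA" overlays/dev/kustomization.yaml \
            || { echo "sha not pinned in overlays/dev; promote only what passed dev"; exit 1; }
      - name: Pin prod overlay to the same image
        run: |
          cd overlays/prod
          kustomize edit set image "$REGISTRY/$APP=$REGISTRY/$APP:$SHA"
      - name: Open the promotion PR
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          branch="promote/$APP-$SHA"
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git checkout -b "$branch"
          git commit -am "promote(prod): $APP@$SHA"
          git push -u origin "$branch"
          gh pr create --title "promote(prod): $APP@$SHA" \
            --body "Pins overlays/prod to the image already running in dev. After merge, click Sync on greeep-prod in ArgoCD."
```

A PR opened with the built-in `github.token` does not trigger other workflows on the manifests repo; if a validation workflow (for example `kustomize build overlays/prod`) should run on the PR, create it with a GitHub App token instead. Branch protection on k8s-manifests, requiring a review before merge, is what turns this into a two-person change.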

CI/CD pipeline — looks right?

Next: Networking & Ingress (Nginx, TLS, domains, network policies)
