GitHub Connection
GithubConnection
Defines the high-level intent for connecting the platform to a GitHub organization.
Translates the target organization properties into API credentials, and drives the synchronization of teams, memberships, and overarching organization secrets across the infrastructure.
| Property | Type | Description |
|---|---|---|
| apiVersion | string | |
| kind | string | |
| metadata | map | |
| spec | Spec | |
Executors
Aggregates runner footprints for CI/CD sizing. Used during the generation of GitHub Actions runners to scale compute based on the number of requested executors across the organization.
| Property | Type | Description |
|---|---|---|
| ubuntu | int64 | |
| macos | int64 | |
| windows | int64 | |
ManagedWorkflowsPrivateEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | string | |
ManagedWorkflowsPublicEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | string | |
RelatedArtifactRegistriesEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | ComputedRelatedArtifactRegistry | |
RelatedExternalRegistriesEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | ComputedRelatedExternalRegistry | |
SecretsEntry
| Property | Type | Description |
|---|---|---|
| key | string | |
| value | ComputedGithubSecretRepositories | |
Spec
Contains the user-defined configuration for the GitHub connection. Instructs the execution engine on which organization to map to, and which users should hold administrative access rights.
| Property | Type | Description |
|---|---|---|
| description | string | This description is optional, but it will drastically improve the AI assistant's understanding of the structural elements of the organization. |
| owner | string | The name of the GitHub organization to connect to. This entity acts as the root scope boundary for all repository, team, and secret generation operations performed within this connection. |
| authenticationMethod | string | The method to use for authenticating with the GitHub API. Choose 'TOKEN' for a Personal Access Token or 'GITHUB_APP' for GitHub App installations. The platform will expect a secret named 'github-token' to be present in the Organization for retrieving the necessary API token. |
| hostname | string | The hostname of the GitHub instance (e.g., 'github.my-company.com'). This should only be set for GitHub Enterprise Server instances, otherwise it defaults to 'github.com'. |
| administrators | list of string | A list of GitHub usernames to be granted the 'admin' role in the GitHub organization. Resolves to elevated membership assignments, ensuring explicitly defined operational control over the GitHub entity. |
ComputedRelatedArtifactRegistry
Groups an Artifact Registry with a list of dependent repository names.
Used to correlate an environment's registry with the specific application repositories built into it, simplifying the generation of IAM and image paths.
| Property | Type | Description |
|---|---|---|
| repositories | list of string | |
| registry | ComputedArtifactRegistry | |
ComputedRelatedExternalRegistry
Groups an External Registry with a list of dependent repository names.
Associates specific application repositories to a configured external registry.
| Property | Type | Description |
|---|---|---|
| repositories | list of string | |
| registry | ComputedExternalRegistry | |
ComputedGithubSecretRepositories
Represents the computed relationships between a GitHub secret and its target repositories.
This is an internal state object used by the engine to track which repositories a specific GithubSecret manifest has been distributed to during GitOps reconciliation.
| Property | Type | Description |
|---|---|---|
| secretKey | string | The name of the secret. |
| repositories | list of string | A list of repositories where this secret is configured. |
ComputedArtifactRegistry
Represents a computed Artifact Registry resource.
JIT-resolved state of an ArtifactRegistry manifest containing the definitive configuration utilized during the implementation phase.
| Property | Type | Description |
|---|---|---|
| name | string | This value is a direct reflection of 'metadata.name' from this 'ArtifactRegistry' manifest. |
| type | string | This value is a direct reflection of 'spec.type' from this 'ArtifactRegistry' manifest. |
| publishUrl | string | This URL is composed based on the 'spec.type' from this 'ArtifactRegistry' manifest. |
| region | string | This value is taken from 'spec.region' from this 'ArtifactRegistry' manifest. |
| permissions | ArtifactRegistryAccessPermissions | This block is a direct reflection of the 'spec.permissions' block from this 'ArtifactRegistry' manifest, with user and group names resolved to their full Google Cloud Identity identifiers. |
ComputedExternalRegistry
Represents a computed external container registry dependency.
Resolves the linkage between external registry configurations and the GCP / GitHub secrets containing their authentication credentials.
| Property | Type | Description |
|---|---|---|
| name | string | This value is a direct reflection of 'metadata.name' from the 'ExternalRegistry' manifest. |
| type | string | This value is a direct reflection of 'spec.type' from the 'ExternalRegistry' manifest. |
| publishUrl | string | This value is a direct reflection of 'spec.url' from the 'ExternalRegistry' manifest. |
| authentication | string | This value is a direct reflection of 'spec.authentication' from the 'ExternalRegistry' manifest. |
| usernameGcpSecretId | string | This value is populated by looking up a 'Secret' manifest with a conventional name, typically '<registryName>-username', and retrieving its fully qualified GCP resource StateID. |
| usernameSourceControlSecretId | string | This value is populated by looking up a 'GithubSecret' manifest with a conventional name, typically '<registryName>-username', and retrieving its name. |
| passwordGcpSecretId | string | This value is populated by looking up a 'Secret' manifest with a conventional name, typically '<registryName>-password', and retrieving its fully qualified GCP resource StateID. |
| passwordSourceControlSecretId | string | This value is populated by looking up a 'GithubSecret' manifest with a conventional name, typically '<registryName>-password', and retrieving its name. |
| region | string | |
ArtifactRegistryAccessPermissions
Defines access levels specifically for Artifact Registry repositories.
Maps readers and writers to roles/artifactregistry.reader and roles/artifactregistry.writer respectively on the targeted google_artifact_registry_repository.
| Property | Type | Description |
|---|---|---|
| readers | DetailedAccessPermissions | A list of users and groups who are granted read-only access to the repository. Corresponds to the 'roles/artifactregistry.reader' IAM role. |
| writers | DetailedAccessPermissions | A list of users and groups who are granted read and write access to the repository. Corresponds to the 'roles/artifactregistry.writer' IAM role. |
DetailedAccessPermissions
Aggregation of specific user and group access definitions.
Refers to lists of OrganizationUser and OrganizationUserGroup manifests that will be parsed to retrieve actual Google Workspace identity emails for IAM binding construction.
| Property | Type | Description |
|---|---|---|
| members | list of string | A list of 'OrganizationUser' manifest names to be included in this permission set. |
| groups | list of string | A list of 'OrganizationUserGroup' manifest names to be included in this permission set. |
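The expansion described under ArtifactRegistryAccessPermissions and DetailedAccessPermissions, sketched as an added example (not the platform's own code). The name-to-email lookup tables, the function names and the sample data are assumptions made for illustration; only the two role names and the readers/writers/members/groups fields come from this page.

```python
"""Added example: expand ArtifactRegistryAccessPermissions into IAM bindings."""

ROLE_FOR_LEVEL = {
    "readers": "roles/artifactregistry.reader",
    "writers": "roles/artifactregistry.writer",
}

# Constructed sample data. The name -> email tables stand in for the
# OrganizationUser / OrganizationUserGroup manifests (assumed shape).
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}
GROUPS = {"platform-team": "platform-team@example.com"}

PERMISSIONS = {
    "readers": {"members": ["alice", "bob"], "groups": ["platform-team"]},
    "writers": {"members": ["alice"], "groups": []},
}


def resolve(detailed, users, groups):
    """Turn one DetailedAccessPermissions block into sorted IAM member strings."""
    out = set()
    for kind, names, table in (("user", detailed.get("members", []), users),
                               ("group", detailed.get("groups", []), groups)):
        for name in names:
            if name not in table:
                # Fail closed: an unknown manifest name must never become a binding.
                raise KeyError(f"unresolved {kind} manifest name: {name!r}")
            out.add(f"{kind}:{table[name]}")
    return sorted(out)


def build_bindings(permissions, users, groups):
    """Return (bindings, redundant); redundant lists principals holding both roles."""
    unknown = set(permissions) - set(ROLE_FOR_LEVEL)
    if unknown:
        raise ValueError(f"unsupported access level(s): {sorted(unknown)}")
    bindings = []
    for level, role in ROLE_FOR_LEVEL.items():
        members = resolve(permissions.get(level, {}), users, groups)
        if members:
            bindings.append({"role": role, "members": members})
    by_role = {b["role"]: set(b["members"]) for b in bindings}
    redundant = sorted(by_role.get(ROLE_FOR_LEVEL["readers"], set())
                       & by_role.get(ROLE_FOR_LEVEL["writers"], set()))
    return bindings, redundant


if __name__ == "__main__":
    print(build_bindings(PERMISSIONS, USERS, GROUPS))
```

Because writers already receive read and write access, a principal listed under both readers and writers is reported as redundant, so a reviewer can remove the duplicate grant from the manifest.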