Version: Next

CI Workflows

CI workflows are Workflows that integrate with OpenChoreo's components. They use the same Workflow and WorkflowRun resources, with governance via ComponentTypes.

What Makes a CI Workflow Different

A Workflow is used for CI when:

It carries openchoreo.dev/workflow-scope: "component" — Required for workflows intended to be used by Components
A Component references it via Component.spec.workflow.name
It is listed in ComponentType.spec.allowedWorkflows — This is how platform engineers control which workflows are available for components of a given type

There is no separate CRD: CI workflows are just Workflows that are allowed by a ComponentType and referenced by Components.

CI Workflow Lifecycle

1. Platform Engineer creates Workflow CR
   └── Defines parameter schema with repository fields

2. Platform Engineer adds Workflow to ComponentType.spec.allowedWorkflows
   └── Only workflows in this list can be used by Components

3. Developer creates Component
   └── References the Workflow by name in spec.workflow
   └── Component controller validates the workflow against allowedWorkflows

4. WorkflowRun created
   └── Labels added: openchoreo.dev/component, openchoreo.dev/project
   └── Controller renders and executes the Argo Workflow

5. (Optional) Workload generated from build output
   └── Controller reads generate-workload-cr step output
   └── Creates Workload CR in the control plane

Annotations

`openchoreo.dev/workflow-scope` (Required)

Required for workflows intended to be used by Components, and used by developer tooling (for example occ) to categorize a workflow as CI.

metadata:
  annotations:
    openchoreo.dev/workflow-scope: "component"

`openchoreo.dev/component-workflow-parameters` (Required for Auto-Build feature and UI enrichments)

metadata:
  annotations:
    openchoreo.dev/component-workflow-parameters: |
      repoUrl: parameters.repository.url
      branch: parameters.repository.revision.branch
      appPath: parameters.repository.appPath
      commit: parameters.repository.revision.commit
      secretRef: parameters.repository.secretRef

WorkflowRun Labels

When a WorkflowRun is created for a component, it carries labels that link it to the component:

metadata:
  labels:
    openchoreo.dev/component: greeter-service
    openchoreo.dev/project: default

These labels are accessible in the Workflow CR's CEL expressions:

${metadata.labels['openchoreo.dev/component']} — Component name
${metadata.labels['openchoreo.dev/project']} — Project name

Architecture

Governance via ComponentTypes

Platform engineers control which CI workflows are available for components using ComponentType's allowedWorkflows field. This is the primary governance mechanism for CI workflows.

How It Works

Platform Engineer defines allowedWorkflows in a ComponentType
When a developer creates a Component, they must reference a workflow in spec.workflow.name
The Component controller validates that the referenced workflow is in the ComponentType's allowedWorkflows list
If validation fails, the Component enters a Failed state with a condition explaining the error

allowedWorkflows Field

apiVersion: openchoreo.dev/v1alpha1
kind: ComponentType
metadata:
  name: backend
spec:
  # Restrict components to using only docker and google-cloud-buildpacks workflows
  allowedWorkflows:
    - docker
    - google-cloud-buildpacks

Only Workflows listed in allowedWorkflows can be referenced by Components of this type.

Governance Patterns

Pattern 1: Single Workflow (Strict)

spec:
  allowedWorkflows:
    - docker  # All components must use this workflow

Pattern 2: Multiple Workflows (Developer Choice)

spec:
  allowedWorkflows:
    - docker
    - google-cloud-buildpacks
    - react

Pattern 3: Language-Specific Workflows

spec:
  allowedWorkflows:
    - docker                      # For compiled languages
    - google-cloud-buildpacks     # For interpreted languages
    - ballerina-buildpack         # For Ballerina services

Validation and Error Handling

When a Component references a workflow that's not in allowedWorkflows:

ComponentStatus:
conditions:
  - type: Ready
    status: False
    reason: WorkflowNotAllowed
    message: "Workflow 'custom-workflow' is not in ComponentType 'backend' allowedWorkflows"

The Component will not proceed to creating WorkflowRuns until the workflow is either:

Added to the ComponentType's allowedWorkflows
Changed to a workflow that is allowed

Benefits of This Governance Model

Security — Platform engineers ensure only approved build processes are used
Consistency — All components of a type follow the same build patterns
Compliance — Easy to enforce organizational policies (e.g., "all builds must scan for vulnerabilities")
Flexibility — Different component types can have different allowed workflows
Developer Experience — Clear error messages when trying to use disallowed workflows

Default CI Workflows

OpenChoreo ships with four default Workflow CRs and their supporting ClusterWorkflowTemplates:

Workflow CR	Build CWT	Description
`docker`	`docker`	Builds container images using a user-provided Dockerfile
`google-cloud-buildpacks`	`google-cloud-buildpacks`	Auto-detects language and builds without a Dockerfile
`ballerina-buildpack`	`ballerina-buildpack`	Ballerina-specific buildpack builds
`react`	`react`	Optimized React/SPA frontend builds with nginx serving

What's Next

Workload Generation — How build outputs become Workload CRs

What Makes a CI Workflow Different​

CI Workflow Lifecycle​

Annotations​

openchoreo.dev/workflow-scope (Required)​

openchoreo.dev/component-workflow-parameters (Required for Auto-Build feature and UI enrichments)​

WorkflowRun Labels​

Architecture​

Governance via ComponentTypes​

How It Works​

allowedWorkflows Field​

Governance Patterns​

Validation and Error Handling​

Benefits of This Governance Model​

Default CI Workflows​

What's Next​