Skip to content

Stage: deploy-dev

The deploy-dev stage gets the change running in the low-risk dev environment. Approval is automatic, but the deployment is still attested — even dev carries a complete evidence trail. It runs after attest and gives dast a live target.

Part of the Full pipeline action map. Use the Fullscreen button on the diagram to view it edge-to-edge.

flowchart TD
  CR["ServiceNow CR (from attest)<br/>auto-approved if risk &lt; dev threshold"]
  APP["servicenow:cr:approve-dev<br/>auto-approve (low risk)"]
  DEPLOY["deploy:helm:dev<br/>helm upgrade --install<br/>karc-portal only<br/>(podtato-head is ArgoCD-owned)"]
  ATT["fides:attest:deploy:dev<br/>deploy attestation + DORA report"]

  CR --> APP --> DEPLOY --> ATT

  class APP gate
  class DEPLOY dev
  class ATT attest
  class CR snow
  classDef dev fill:#1b7c83,stroke:#0f4a4e,color:#ffffff
  classDef attest fill:#2da44e,stroke:#116329,color:#ffffff
  classDef gate fill:#9a6700,stroke:#5c3d00,color:#ffffff
  classDef snow fill:#d29922,stroke:#8a6500,color:#ffffff
JobWhat it doesWhy
servicenow:cr:approve-devAuto-approves the dev change request when the risk score is below the dev threshold.dev is a fast-iteration environment; low-risk changes flow without a human.
deploy:helm:devhelm upgrade --install of karc-portal only into the karc-portal namespace on the TARGET_CLOUD cluster (values layered: base + per-cloud + envs/dev). podtato-head is deployed solely by ArgoCD (image tag bumped onto the gitops branch by gitops:bump:podtato-head:dev), not by this job. Skips on k3d/MR.Gets the candidate running so dynamic tests and a real environment exist.
fides:attest:deploy:devWrites the deploy attestation to the Evidence Vault / Fides (compliant = the deploy job’s actual result) and reports DORA metrics. allow_failure: true, interruptible: false.Immutable deploy evidence; non-interruptible so a rapid re-merge can’t leave the trail incomplete.

It proves the change actually runs, in a safe place, with the same evidence discipline as production. The deploy attestation derives its compliant flag from the real job outcome (issue #388), so the trail is truthful — a failed deploy is recorded as non-compliant, not silently skipped.


Stages: attestdeploy-devdastdeploy-qa · all stages