Stage: deploy-dev
The deploy-dev stage gets the change running in the low-risk dev environment. Approval is automatic, but the deployment is still attested — even dev carries a complete evidence trail. It runs after attest and gives dast a live target.
Part of the Full pipeline action map. Use the Fullscreen button on the diagram to view it edge-to-edge.
flowchart TD CR["ServiceNow CR (from attest)<br/>auto-approved if risk < dev threshold"] APP["servicenow:cr:approve-dev<br/>auto-approve (low risk)"] DEPLOY["deploy:helm:dev<br/>helm upgrade --install<br/>karc-portal only<br/>(podtato-head is ArgoCD-owned)"] ATT["fides:attest:deploy:dev<br/>deploy attestation + DORA report"] CR --> APP --> DEPLOY --> ATT class APP gate class DEPLOY dev class ATT attest class CR snow classDef dev fill:#1b7c83,stroke:#0f4a4e,color:#ffffff classDef attest fill:#2da44e,stroke:#116329,color:#ffffff classDef gate fill:#9a6700,stroke:#5c3d00,color:#ffffff classDef snow fill:#d29922,stroke:#8a6500,color:#ffffff
Jobs in this stage
Section titled “Jobs in this stage”| Job | What it does | Why |
|---|---|---|
servicenow:cr:approve-dev | Auto-approves the dev change request when the risk score is below the dev threshold. | dev is a fast-iteration environment; low-risk changes flow without a human. |
deploy:helm:dev | helm upgrade --install of karc-portal only into the karc-portal namespace on the TARGET_CLOUD cluster (values layered: base + per-cloud + envs/dev). podtato-head is deployed solely by ArgoCD (image tag bumped onto the gitops branch by gitops:bump:podtato-head:dev), not by this job. Skips on k3d/MR. | Gets the candidate running so dynamic tests and a real environment exist. |
fides:attest:deploy:dev | Writes the deploy attestation to the Evidence Vault / Fides (compliant = the deploy job’s actual result) and reports DORA metrics. allow_failure: true, interruptible: false. | Immutable deploy evidence; non-interruptible so a rapid re-merge can’t leave the trail incomplete. |
Why this stage exists
Section titled “Why this stage exists”It proves the change actually runs, in a safe place, with the same evidence discipline as production. The deploy attestation derives its compliant flag from the real job outcome (issue #388), so the trail is truthful — a failed deploy is recorded as non-compliant, not silently skipped.
Stages: attest → deploy-dev → dast → deploy-qa · all stages