CI/CD
Cordium Workspaces can operate as isolated, reproducible CI/CD execution environments that build, test, package, and deploy software directly on Kubernetes. Unlike traditional CI runners, Cordium integrates with Octelium to provide identity-aware, secretless access to infrastructure resources such as Kubernetes clusters, internal APIs, SSH targets, container registries, and databases, without exposing long-lived credentials inside the Workspace itself. All Workspace activity and infrastructure access is emitted in real time as OpenTelemetry-native, identity-based, application-layer-aware visibility data. Here is a simple example:
spec:
  vars:
    - name: BRANCH
      value: main
    - name: SERVICE
      value: svc
    - name: GOARCH
      value: amd64
    - name: RUN_RACE
      value: "true"
  image:
    registry:
      url: golang:1.23-bookworm
  repository:
    url: https://github.com/myorg/monorepo
    cloneOptions:
      branch: ${{ vars.BRANCH }}
      depth: 1
      singleBranch: true
      disableLazyUnshallow: true
  runtime:
    autoStop: true
    envVars:
      - key: GOARCH
        value: ${{ vars.GOARCH }}
      - key: CGO_ENABLED
        value: "0"
  tasks:
    - name: install-tools
      type: ON_CREATE
      runAsRoot: true
      run: |
        apt-get update
        apt-get install -y \
          git \
          curl \
          npm \
          nodejs \
          && rm -rf /var/lib/apt/lists/*
    - name: download-deps
      run: go mod download
      type: ON_CREATE
      workingDir: /workspace/repo
      onFailure: ON_FAILURE_ABORT
    - name: build
      run: |
        cd ${{ vars.SERVICE }}
        # -o with a file path requires ./cmd/... to match exactly one main package
        go build -o /workspace/output/$(basename ${{ vars.SERVICE }}) ./cmd/...
      type: ON_CREATE
      workingDir: /workspace/repo
      onFailure: ON_FAILURE_ABORT
    - name: test
      run: |
        cd ${{ vars.SERVICE }}
        RACE_FLAG=""
        # -race needs cgo, so override the CGO_ENABLED=0 from runtime.envVars for this task only
        if [ "${{ vars.RUN_RACE }}" = "true" ]; then RACE_FLAG="-race"; export CGO_ENABLED=1; fi
        go test ${RACE_FLAG} -count=1 ./...
      type: ON_CREATE
      workingDir: /workspace/repo
      onFailure: ON_FAILURE_ABORT
  limit:
    cpu:
      millicores: 4000
    memory:
      megabytes: 8192
    storage:
      megabytes: 20000
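As an added example that is not Cordium's own code, the following Python resolves the `${{ vars.NAME }}` references used in the spec above against `spec.vars` and reports any reference to a variable the spec never declares. The reference syntax comes from this page; reporting undefined references (rather than letting one reach a task's `run` script as an empty string) is an assumption of this example, not documented Cordium behaviour.

```python
import re

# Matches ${{ vars.NAME }} as written in the Cordium spec on this page.
VAR_REF = re.compile(r"\$\{\{\s*vars\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def declared_vars(spec):
    """Return {name: value} for every entry in spec.vars."""
    return {v["name"]: str(v["value"]) for v in spec.get("vars", [])}


def resolve(node, vars_, undefined):
    """Recursively substitute references; collect undefined names."""
    if isinstance(node, str):
        def sub(m):
            name = m.group(1)
            if name not in vars_:
                undefined.add(name)
                return m.group(0)  # leave the reference untouched
            return vars_[name]
        return VAR_REF.sub(sub, node)
    if isinstance(node, list):
        return [resolve(x, vars_, undefined) for x in node]
    if isinstance(node, dict):
        return {k: resolve(v, vars_, undefined) for k, v in node.items()}
    return node


def resolve_spec(spec):
    """Return (resolved spec without vars, sorted undefined var names).

    Assumption of this example: undefined references are reported, not
    silently expanded to empty strings inside task scripts.
    """
    undefined = set()
    body = {k: v for k, v in spec.items() if k != "vars"}
    return resolve(body, declared_vars(spec), undefined), sorted(undefined)


# Constructed sample: a subset of the spec on this page plus one
# deliberately undefined reference (vars.TAG) in a task script.
SAMPLE_SPEC = {
    "vars": [{"name": "BRANCH", "value": "main"},
             {"name": "SERVICE", "value": "svc"}],
    "repository": {"cloneOptions": {"branch": "${{ vars.BRANCH }}"}},
    "tasks": [
        {"name": "build", "run": "cd ${{ vars.SERVICE }} && go build ./cmd/..."},
        {"name": "tag", "run": "git tag ${{ vars.TAG }}"},
    ],
}
```

Running `resolve_spec(SAMPLE_SPEC)` on the constructed sample returns the resolved `build` script and reports `TAG` as undefined, so the spec can be rejected before any task runs.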