- Branch pushes run CI only.
- Public registries publish only from semver tags such as `vX.Y.Z`.
- `latest` moves only with a semver release.
- GitHub Actions prefers `DOCKERHUB_TOKEN`; `DOCKERHUB_PASSWORD` remains a legacy fallback only.
- The CD badge in `README.md` should point to the latest public semver tag because the gated publish workflow runs from release tags.
The current public release is v1.4.1. It follows the v1.4.0 bilingual product, payment orchestration, and release verification baseline.
A release tag is valid only when quality-gate succeeds on that exact SHA.
Current required lanes:
- `core-quality`
- `core-integration`
- `auth-quality`
- `auth-integration`
- `notification-quality`
- `notification-integration`
- `finance-quality`
- `finance-integration`
- `academic-quality`
- `academic-integration`
- `engagement-quality`
- `engagement-integration`
- `people-quality`
- `people-integration`
- `analytics-quality`
- `analytics-integration`
- `frontend-quality`
- `frontend-fast-e2e`
- `compose-contract`
- `k8s-contract`
- `image-smoke`
- `edge-e2e`
- `security-scan`
- `quality-gate`
Each public release must publish these nine images:
- `campuscore-backend`
- `campuscore-auth-service`
- `campuscore-notification-service`
- `campuscore-finance-service`
- `campuscore-academic-service`
- `campuscore-engagement-service`
- `campuscore-people-service`
- `campuscore-analytics-service`
- `campuscore-frontend`
Every release is verified with:
- a semver tag such as `v1.4.1`
- an immutable short SHA tag
- `latest`
After CD finishes, verify:
- manifests for all nine images with `node scripts/verify-release-manifests.mjs`
- published GHCR images with image smoke
- published Docker Hub images when Docker Hub credentials are configured
Example local verification:
```powershell
$env:RELEASE_TAG='v1.4.1'
$env:RELEASE_SHORT_SHA=(git rev-parse --short HEAD).Trim()
node scripts/verify-release-manifests.mjs
```

The verifier checks GHCR and Docker Hub for all nine images across the semver tag, short SHA, and `latest`. It uses modest concurrency, per-request timeouts, and retries to reduce false negatives from transient registry behavior.
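The check described above, sketched as an added example (this is not the project's `scripts/verify-release-manifests.mjs`). The registry namespaces are placeholders, `probe` is a hypothetical injected function that returns an HTTP status for an image reference, and treating 404 as final while retrying other failures is a choice made for this sketch.

```javascript
// Added sketch of the release-manifest check; not the project's verifier script.
const IMAGES = ['backend', 'auth-service', 'notification-service', 'finance-service',
  'academic-service', 'engagement-service', 'people-service', 'analytics-service',
  'frontend'].map((name) => `campuscore-${name}`);
// Assumption: placeholder namespaces, not the project's real registry paths.
const REGISTRIES = ['ghcr.io/example-org', 'docker.io/example-org'];

// Every reference a release must expose: 2 registries x 9 images x 3 tags.
function expectedRefs(releaseTag, shortSha) {
  if (!/^v\d+\.\d+\.\d+$/.test(releaseTag)) throw new Error(`not a semver tag: ${releaseTag}`);
  const tags = [releaseTag, shortSha, 'latest'];
  return REGISTRIES.flatMap((reg) =>
    IMAGES.flatMap((image) => tags.map((tag) => `${reg}/${image}:${tag}`)));
}
// Reject if the probe has not settled within ms, so one hung request cannot stall the run.
function withTimeout(promise, ms) {
  let timer;
  const expiry = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`timeout after ${ms}ms`)), ms);
  });
  return Promise.race([promise, expiry]).finally(() => clearTimeout(timer));
}
// probe(ref) resolves to an HTTP status. Injected so the sketch runs offline.
// Choice made here: 404 is a definitive miss; other statuses and errors are retried.
async function checkRef(ref, probe, { retries = 2, timeoutMs = 5000 } = {}) {
  let reason;
  for (let attempt = 1; attempt <= retries + 1; attempt++) {
    try {
      const status = await withTimeout(probe(ref), timeoutMs);
      if (status === 200) return { ref, ok: true, attempts: attempt };
      reason = `HTTP ${status}`;
      if (status === 404) break;
    } catch (err) {
      reason = err.message;
    }
  }
  return { ref, ok: false, reason };
}
// Fixed-size worker pool: at most `concurrency` probes are in flight at once.
async function verifyRelease(releaseTag, shortSha, probe, { concurrency = 4, ...opts } = {}) {
  const queue = expectedRefs(releaseTag, shortSha);
  const results = [];
  const worker = async () => {
    let ref;
    while ((ref = queue.shift()) !== undefined) results.push(await checkRef(ref, probe, opts));
  };
  await Promise.all(Array.from({ length: concurrency }, worker));
  return { checked: results.length, missing: results.filter((r) => !r.ok) };
}
```

A release passes only when `missing` is empty; each entry carries the reference and the last failure reason for triage.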
Each release should have a tracked note under docs/releases/ and a matching GitHub release page.
- Use docs/releases/TEMPLATE.md as the starting point.
- Keep compatibility and operator notes explicit so the release page is useful without reading the full repo.
- Attach the current GitHub social preview PNG when the release includes repo-facing asset changes.
- Do not move an existing release tag to include docs-only follow-up commits; publish a new patch tag only when runtime artifacts change.
The repository ships Kustomize manifests under k8s/ for the full nine-image topology.
Local-first path:
- `node scripts/run-k8s-preflight.mjs`
- `node scripts/run-k8s-local-smoke.mjs`
- `node scripts/run-k8s-local-deploy.mjs`
- `node scripts/run-k8s-local-edge.mjs`
Public/operator handoff path:
- `k8s/overlays/staging-generic`
- `k8s/overlays/prod-generic`
- `k8s/overlays/staging-operator`
- `k8s/overlays/prod-operator`
- `k8s/templates/private-operator/staging`
- `k8s/templates/private-operator/prod`
Use docs/K8S_HANDOFF.md for staging and production overlay handoff, and docs/CLOUDFLARE.md when the public domain is fronted through Cloudflare.