
🚀 GitOps Tenant Template

A template for GitOps tenants on the devantler-tech platform. A tenant is an application that runs on the platform from its own repository. Skip the CI/CD boilerplate: bring your own stack and start shipping.

Repository: devantler-tech/gitops-tenant-template

It is intentionally stack-neutral: it carries no application code or language-specific tooling. Bring your own language and framework, and fill in the scaffolding.

  • Signed supply chain — On a v* tag, the image and deploy/ manifests are built, digest-pinned, pushed as an OCI artifact, and cosign-signed. The platform’s OCIRepository verifies that signature, so only artifacts from this trusted workflow are reconciled.
  • Release automation — semantic-release turns Conventional-Commit merges to main into vX.Y.Z tags that drive deployment.
  • Stays current — template-sync opens a weekly PR keeping the shared CI/CD plumbing up to date across every tenant.
  • Security baseline — A zizmor.yml policy enforces GitHub Actions pinning, scanned in CI.

| Ownership | Files | Notes |
| --- | --- | --- |
| Template-owned | Shared CI/CD plumbing under .github/workflows/ (cd.yaml, release.yaml, template-sync.yaml, validate-scaffold.yaml, sync-labels.yaml), scripts/rename-placeholders.sh, CLAUDE.md, zizmor.yml | Overwritten by template-sync |
| You own | App code, Dockerfile, deploy/ manifests, .github/workflows/ci.yaml, .github/dependabot.yml, AGENTS.md, .claude/skills/maintain/SKILL.md, README.md, .releaserc, .gitignore, LICENSE, .templatesyncignore | Declare in .templatesyncignore (same syntax as .gitignore), using these full paths |

See the template’s README for the authoritative file-by-file list.

# Create a new private repo from the template
gh repo create devantler-tech/my-tenant --template devantler-tech/gitops-tenant-template --private --clone
# Replace the scaffolding with your app (code, Dockerfile, deploy/ manifests, ci.yaml),
# then validate locally:
cd my-tenant
kubectl kustomize deploy/ # manifests build
actionlint .github/workflows/* # workflows parse

Then register the tenant on the platform by following platform/docs/TENANTS.md.

Convention: the Deployment’s container name MUST equal the repository name — publish-app pins the built image digest into the container with that name.
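
A local pre-flight check for this convention, as an added example that is not part of the template or the platform: it inspects the rendered manifests and reports any Deployment that has no container named after the repository, which is the case where publish-app would have no container to pin the digest into. The function names, the script file name and the sample manifests are assumptions made for illustration, as is the reading that every Deployment in the output must follow the convention.

```python
# Usage (file name is hypothetical):
#   kubectl kustomize deploy/ | python check_container_name.py my-tenant
import sys

# Constructed sample: parsed manifests of a repo named "my-tenant" whose
# Deployment container is called "app", so the convention is broken.
SAMPLE_DOCS = [
    {"kind": "Service", "metadata": {"name": "my-tenant"}},
    {"kind": "Deployment", "metadata": {"name": "my-tenant"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "app", "image": "registry.example/my-tenant:dev"}]}}}},
]


def deployment_containers(docs):
    """Yield (deployment name, [container names]) for every Deployment."""
    for doc in docs:
        if not isinstance(doc, dict) or doc.get("kind") != "Deployment":
            continue  # skips empty YAML documents and other kinds
        pod_spec = ((doc.get("spec") or {}).get("template") or {}).get("spec") or {}
        names = [c.get("name") for c in pod_spec.get("containers") or []]
        yield (doc.get("metadata") or {}).get("name", "<unnamed>"), names


def naming_problems(docs, repo_name):
    """Return findings; an empty list means the convention holds.

    Assumption: every Deployment in the output must carry a container named
    after the repository (the page only speaks of "the Deployment").
    """
    found = list(deployment_containers(docs))
    if not found:
        return ["no Deployment found in the rendered manifests"]
    return [
        f"Deployment {name!r}: no container named {repo_name!r} (found {names})"
        for name, names in found
        if repo_name not in names
    ]


if __name__ == "__main__":
    import yaml  # PyYAML, assumed to be installed; only the CLI path needs it

    docs = list(yaml.safe_load_all(sys.stdin))
    problems = naming_problems(docs, sys.argv[1])
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

The script exits non-zero on any finding, so it can run next to the kubectl kustomize and actionlint checks before a tag is pushed.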