LuciDashboardDocsread-only public CI

Luci docs

Local wrapper

def ci [...args] { ssh -p 2223 luci.example.invalid ...$args }

.ci/*.kdl

job "test" {
  image "docker.io/library/alpine:latest"
  run "echo ok"
}

Manual runs

luci run repo job --ref main
luci run repo job --rev abc123

Trigger behavior

Push jobs match branch/tag globs. Manual runs ignore push false but require the job to exist.

Secrets layout

$LUCI_DATA_DIR/secrets/<repo>/<job>/<secret-name>

Publish targets

Publish adapters are configured by environment. Missing adapter config fails the job.

Security model

Every repo Luci can see is public. Every Luci log/artifact is public-readable. Never rely on log masking as the only secret protection.