Luci docs
Local wrapper
def ci [...args] { ssh -p 2223 luci.example.invalid ...$args }.ci/*.kdl
job "test" {
image "docker.io/library/alpine:latest"
run "echo ok"
}Manual runs
luci run repo job --ref main luci run repo job --rev abc123
Trigger behavior
Push jobs match branch/tag globs. Manual runs ignore push false but require the job to exist.
Secrets layout
$LUCI_DATA_DIR/secrets/<repo>/<job>/<secret-name>
Publish targets
Publish adapters are configured by environment. Missing adapter config fails the job.
Security model
Every repo Luci can see is public. Every Luci log/artifact is public-readable. Never rely on log masking as the only secret protection.