원클릭으로
truefoundry-gitops
Sets up GitOps CI/CD pipelines for TrueFoundry using tfy apply. Supports GitHub Actions, GitLab CI, and Bitbucket Pipelines.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Sets up GitOps CI/CD pipelines for TrueFoundry using tfy apply. Supports GitHub Actions, GitLab CI, and Bitbucket Pipelines.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Manages TrueFoundry roles, teams, and collaborators. Create custom roles, organize users into teams, and grant access to resources. Use when managing permissions, creating teams, or adding collaborators.
Manages TrueFoundry personal access tokens (PATs). List, create, and delete tokens for API auth and CI/CD.
Lists, inspects, and manages TrueFoundry application deployments. Shows status, health, and details for services, jobs, and Helm releases. Also handles requests to delete, remove, or destroy applications by directing users to the TrueFoundry UI.
Deploys applications to TrueFoundry. Handles single HTTP services, async/queue workers, multi-service projects, and declarative manifest apply. Supports `tfy apply`, `tfy deploy`, docker-compose translation, and CI/CD pipelines. Use when deploying apps, applying manifests, shipping services, or orchestrating multi-service deployments.
Fetches TrueFoundry documentation, API reference, and deployment guides. Use when the user needs platform docs or how-to guidance.
Deploys infrastructure components via Helm charts on TrueFoundry. Supports any public or private OCI Helm chart including databases (Postgres, MongoDB, Redis), message brokers (Kafka, RabbitMQ), and vector databases (Qdrant, Milvus). Uses YAML manifests with `tfy apply`. Use when installing Helm charts or deploying infrastructure on TrueFoundry.
| name | truefoundry-gitops |
| description | Sets up GitOps CI/CD pipelines for TrueFoundry using tfy apply. Supports GitHub Actions, GitLab CI, and Bitbucket Pipelines. |
| license | MIT |
| compatibility | Requires Bash, curl, and access to a TrueFoundry instance |
| allowed-tools | Bash(*/tfy-api.sh *) |
Routing note: For ambiguous user intents, use the shared clarification templates in references/intent-clarification.md.
Set up GitOps-style deployments with TrueFoundry. Store deployment configurations as YAML specs in Git and auto-deploy on push using tfy apply in CI/CD pipelines.
Set up automated Git-based deployments with tfy apply. Store TrueFoundry YAML specs in Git and auto-deploy on push/merge via CI/CD pipelines.
deploy skill; ask if the user wants another valid pathllm-deploy skill; ask if the user wants another valid pathapplications skill; ask if the user wants another valid pathhelm skill; ask if the user wants another valid pathstatus skill; ask if the user wants another valid pathAlways verify before setting up GitOps:
TFY_BASE_URL and TFY_API_KEY must be set (env or .env)tfy CLI must be available in the CI/CD environment (pin an exact version, avoid floating installs)For credential check commands and .env setup, see references/prerequisites.md. Use the status skill to verify connection before proceeding.
GitOps treats Git as the single source of truth for deployment configurations. The workflow is:
tfy apply --dry-run validating specs in CItfy apply deploys them automaticallyOrganize your repo with directories for each resource type:
truefoundry-configs/
├── clusters/
│ └── my-cluster/
│ ├── dev-workspace/
│ │ ├── my-api-service.yaml
│ │ ├── my-worker.yaml
│ │ └── my-llm.yaml
│ ├── staging-workspace/
│ │ ├── my-api-service.yaml
│ │ └── my-worker.yaml
│ └── prod-workspace/
│ ├── my-api-service.yaml
│ └── my-worker.yaml
├── integrations/
│ └── custom-integration.yaml
├── teams/
│ └── my-team.yaml
└── virtualaccounts/
└── my-account.yaml
name field inside the specEach YAML spec follows the standard TrueFoundry manifest format. For example, a service spec:
type: service
name: my-api-service
image:
type: image
image_uri: my-registry/my-app:latest
command: uvicorn main:app --host 0.0.0.0 --port 8000
ports:
- port: 8000
expose: true
protocol: TCP
app_protocol: http
host: my-api-dev.ml.example.truefoundry.cloud
workspace_fqn: my-cluster:dev-workspace
env:
APP_ENV: development
LOG_LEVEL: debug
replicas:
min: 1
max: 3
resources:
cpu_request: 0.5
cpu_limit: 1.0
memory_request: 512
memory_limit: 1024
Maintain separate YAML files per environment. Common differences:
| Setting | Dev | Staging | Prod |
|---|---|---|---|
replicas.min | 1 | 1 | 2+ |
replicas.max | 1 | 3 | 10+ |
resources.cpu_request | 0.25 | 0.5 | 1.0+ |
resources.memory_request | 256 | 512 | 1024+ |
env.LOG_LEVEL | debug | info | warn |
ports.host | *-dev.* | *-staging.* | *-prod.* |
workspace_fqn | cluster:dev-ws | cluster:staging-ws | cluster:prod-ws |
Example directory layout:
clusters/my-cluster/
├── dev-workspace/
│ └── my-service.yaml # min resources, 1 replica, debug logging
├── staging-workspace/
│ └── my-service.yaml # moderate resources, autoscaling, info logging
└── prod-workspace/
└── my-service.yaml # full resources, HA replicas, warn logging
tfy apply in CI/CD PipelinesThe tfy apply command is the core of GitOps with TrueFoundry.
# Install TrueFoundry CLI (pin exact version to prevent supply-chain attacks)
pip install 'truefoundry==0.5.3'
# Authenticate (uses TFY_HOST and TFY_API_KEY env vars)
# TFY_HOST is the TrueFoundry platform URL (same as TFY_BASE_URL)
# Dry run — validate without deploying
tfy apply --file path/to/spec.yaml --dry-run
# Apply — deploy the spec
tfy apply --file path/to/spec.yaml
To apply all changed files in a CI/CD pipeline, detect which files were modified in the commit or PR:
# Apply each changed YAML file
while IFS= read -r file; do
[ -z "$file" ] && continue
case "$file" in
*.yaml) ;;
*) echo "Skipping non-yaml path: $file"; continue ;;
esac
# Keep apply scope constrained to your config tree
case "$file" in
truefoundry-configs/*) ;;
*) echo "Skipping out-of-scope path: $file"; continue ;;
esac
echo "Applying $file..."
tfy apply --file "$file"
done < <(git diff --name-only HEAD~1 HEAD -- '*.yaml')
When a YAML spec file is deleted from the repo, the corresponding resource should be removed. The CI/CD pipeline should detect deleted files and handle them:
# Warn about deleted files
while IFS= read -r file; do
[ -z "$file" ] && continue
echo "WARNING: $file was deleted. Remove the resource manually from the TrueFoundry dashboard."
done < <(git diff --name-only --diff-filter=D HEAD~1 HEAD -- '*.yaml')
For complete workflow files for each CI provider:
All providers require TFY_HOST and TFY_API_KEY as repository secrets/variables.
TFY_API_KEY scoped minimally and rotated regularly.status skill to confirm credentialsTFY_HOST and TFY_API_KEY as secrets/variables in your CI provider<success_criteria>
tfy apply --dry-runtfy applyTFY_HOST, TFY_API_KEY) are configured in the CI provider</success_criteria>
status skill to check TrueFoundry credentialsworkspaces skill to get workspace FQNs for your specsapplications skill to see what is already deployedllm-deploy skill to generate the manifest YAML, then store it in Gitsecrets skill to set up secret groups referenced in your specslogs skill to debug deployments after applytfy apply returned a validation error.
Check:
- YAML syntax is valid (no tabs, proper indentation)
- Required fields are present (type, name, workspace_fqn)
- Resource references exist (workspace, secrets, etc.)
Run: tfy apply --file spec.yaml --dry-run
401 Unauthorized from tfy apply.
Check:
- TFY_HOST is set correctly (the platform URL, e.g., https://your-org.truefoundry.cloud)
- TFY_API_KEY is valid and not expired
- Secrets are configured correctly in your CI provider
Workspace FQN in the spec does not exist.
Check:
- workspace_fqn field matches an existing workspace
- Use the workspaces skill to list available workspaces
Workflow not running on push/PR.
Check:
- File path filters match your YAML file locations
- Branch filters match your default branch name
- CI provider secrets are set (TFY_HOST, TFY_API_KEY)
The YAML filename should match the 'name' field inside the spec.
Example: my-service.yaml should contain name: my-service
This is a convention for clarity — tfy apply uses the internal name, not the filename.