feat: seed Lariza feature demonstration

Add synthetic fixtures and proposed policy contracts for safely demonstrating future Lariza capabilities.

Assisted-by: Codex: GPT-5.6
This commit is contained in:
reynold
2026-07-18 20:21:39 +08:00
commit 0be6ee5d42
8 changed files with 114 additions and 0 deletions
@@ -0,0 +1,22 @@
name: Manual deployment evidence demonstration
on:
workflow_dispatch:
permissions:
contents: read
jobs:
validate-evidence:
runs-on: lariza-test
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
- name: Validate fixtures without deploying
shell: sh
run: |
set -eu
test -f .lariza/environments.yaml
test -f fixtures/release-evidence.json
test -f deploy/environments/production.yaml
printf 'Deployment fixtures are present; no environment was changed.\n'
+27
View File
@@ -0,0 +1,27 @@
apiVersion: delivery.lariza.dev/v1alpha1
kind: EnvironmentSetIntent
metadata:
name: sample-promotion-path
spec:
environments:
- name: development
tier: development
approvals: 0
- name: staging
tier: staging
approvals: 1
requiredChecks: [integration-tests]
- name: production
tier: production
approvals: 2
disallowSelfApproval: true
requiredGroups: [service-owner, operations]
requiredChecks: [security-gate, change-window, gitops-ready]
freezeWindows:
- name: weekend-freeze
timezone: Asia/Manila
expression: 'Fri 18:00-Mon 08:00'
emergencyBypass:
requireReason: true
requireIncident: true
notify: [governance-owners]
+14
View File
@@ -0,0 +1,14 @@
# Protected delivery demo
This repository models a harmless application promotion through development,
staging, and production. It is a foundation for demonstrating:
- first-class environments and deployment history;
- independent manual approval and no self-approval;
- environment-scoped secrets;
- business-hours and freeze-window decisions;
- external checks and GitOps reconciliation;
- audited emergency bypass and release evidence bundles.
The active workflow is manual-only and validates fixtures; it never contacts a
cluster or changes an environment.
+8
View File
@@ -0,0 +1,8 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: lariza-delivery-demo
namespace: demo-development
data:
environment: development
message: synthetic-development-release
+8
View File
@@ -0,0 +1,8 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: lariza-delivery-demo
namespace: demo-production
data:
environment: production
message: synthetic-production-release
+8
View File
@@ -0,0 +1,8 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: lariza-delivery-demo
namespace: demo-staging
data:
environment: staging
message: synthetic-staging-release
+11
View File
@@ -0,0 +1,11 @@
# Demonstration runbook
1. Select a synthetic commit and artifact.
2. Preview the effective production policy.
3. Record independent service-owner and operations approvals.
4. Evaluate change-window and external checks.
5. Create a deployment record without applying the sample ConfigMap.
6. Export the resulting audit and release-evidence bundle.
Emergency-bypass demonstrations must use a synthetic incident identifier and
must never change a real cluster.
+16
View File
@@ -0,0 +1,16 @@
{
"schemaVersion": "1.0",
"release": "demo-2026.07.18.1",
"commit": "0000000000000000000000000000000000000000",
"artifact": {"name": "delivery-demo", "digest": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
"approvals": [
{"group": "service-owner", "actor": "synthetic-owner", "decision": "approved"},
{"group": "operations", "actor": "synthetic-operator", "decision": "approved"}
],
"checks": [
{"name": "security-gate", "status": "passed"},
{"name": "change-window", "status": "passed"},
{"name": "gitops-ready", "status": "passed"}
],
"synthetic": true
}