
Everything should be in Dagger — GHA/GitLab/Codeberg are thin adapters only

The rule

Every CI/CD pipeline must be implemented as a Dagger TS module. GitHub Actions, GitLab CI, Woodpecker, and Codeberg workflows are 5-line thin adapters that invoke dagger call. Zero real logic lives in YAML.

What "thin adapter" means

# .github/workflows/ci.yml — this is the ENTIRE workflow
name: ci
on: [push, pull_request]
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dagger/dagger-for-github@v8.4.1
        with:
          version: latest
          call: ci --source=.

The actual lint, typecheck, test, build, and deploy logic lives in dagger/src/index.ts.

Why

Anti-patterns

The screenpipe GHA workflow lesson

The build-windows-personal.yml workflow created for chirag127/screenpipe failed because the LLVM version was wrong in the YAML steps. Had this been a Dagger module, the LLVM setup would be in TypeScript with proper version detection, not a brittle choco pin. Every YAML failure is a reminder to move logic to Dagger.

Where Dagger modules live

Fleet-wide reusable modules: chirag127/workflows/dagger/<class>/src/index.ts

Classes:

Exception: GH-integrated workflows

Keep native YAML for: ossf/scorecard, CodeQL, actions/deploy-pages@v4 (OIDC), Dependabot config. These integrate with GitHub Security tab dashboards — Dagger cannot replicate that.
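
One way to enforce the thin-adapter rule and the exception list above in review is a small lint over the workflow text. This is an added example, not code from chirag127/workflows: lintAdapter, the EXEMPT prefixes (github/codeql-action is an assumed match for "CodeQL") and the constructed bad workflow are illustrative. It also goes one step beyond the rule by warning on mutable action refs and version: latest.

```typescript
// Added example (constructed): lint workflow YAML text against the thin-adapter rule.
type LintReport = { exempt: boolean; violations: string[]; warnings: string[] };
// Actions the page keeps in native YAML, matched by prefix (action names are assumptions).
const EXEMPT = ["ossf/scorecard", "github/codeql-action", "actions/deploy-pages"];
// The only actions a thin adapter needs, as in the page's ci.yml.
const ADAPTER = ["actions/checkout", "dagger/dagger-for-github"];

function lintAdapter(yaml: string): LintReport {
  const report: LintReport = { exempt: false, violations: [], warnings: [] };
  // Drop comments so commented-out steps are not counted.
  const lines = yaml.split("\n").map((l) => l.replace(/(^|\s)#.*$/, ""));
  const uses: string[] = [];
  for (const l of lines) {
    const m = /^\s*(?:-\s*)?uses:\s*["']?([^\s"']+)/.exec(l);
    if (m && m[1]) uses.push(m[1]);
  }
  report.exempt = uses.some((u) => EXEMPT.some((e) => u.indexOf(e) === 0));
  if (report.exempt) return report; // GitHub-integrated workflow: native YAML allowed
  lines.forEach((l, i) => {
    if (/^\s*(?:-\s*)?run:/.test(l)) report.violations.push(`line ${i + 1}: run step puts logic in YAML`);
    if (/^\s*version:\s*latest\s*$/.test(l)) report.warnings.push(`line ${i + 1}: floating 'latest' version`);
  });
  for (const u of uses) {
    const at = u.lastIndexOf("@");
    const name = at < 0 ? u : u.slice(0, at);
    const ref = at < 0 ? "" : u.slice(at + 1);
    if (ADAPTER.indexOf(name) < 0) report.violations.push(`non-adapter action: ${name}`);
    // Tags and branches can be moved; only a full commit SHA is immutable.
    if (!/^[0-9a-f]{40}$/.test(ref)) report.warnings.push(`${name}@${ref} is a mutable ref`);
  }
  if (!lines.some((l) => /^\s*call:\s*\S/.test(l))) report.violations.push("no dagger call step");
  return report;
}

// The page's ci.yml, and a constructed workflow that keeps logic in YAML.
const PAGE_CI = `name: ci
on: [push, pull_request]
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dagger/dagger-for-github@v8.4.1
        with:
          version: latest
          call: ci --source=.`;
const CONSTRUCTED_BAD = "jobs:\n  ci:\n    steps:\n      - uses: actions/checkout@v4\n      - run: npm ci && npm test";
```

The page's own ci.yml passes with no violations but three warnings (two tag-pinned actions and version: latest), while the constructed workflow fails on its run step and its missing dagger call.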

Cross-refs