GitLab Groups & Projects

Project IDs, group hierarchy, shared CI/CD variables, and CI template inclusion for all CWIQ repositories.

The CWIQ GitLab instance is hosted at https://gitlab.shared.cwiq.io. All source code, CI/CD pipelines, merge requests, and GitLab releases live here.

Group Hierarchy

CWIQ repositories are organised into four top-level groups. The orchestrator group (ID 9) is the primary group for platform services and is where group-level CI/CD variables are defined.

graph TD
    ROOT[gitlab.shared.cwiq.io]

    ROOT --> ORCH[orchestrator/]
    ROOT --> DOCS[docs/]
    ROOT --> SYS[sysadmins/]
    ROOT --> DEV[devops/]

    ORCH --> P1[platform - parent]
    ORCH --> P2[server]
    ORCH --> P3[ui]
    ORCH --> P4[agent]
    ORCH --> P5[mcp]
    ORCH --> P6[cli]
    ORCH --> P7[executor]
    ORCH --> P8[runner-api]
    ORCH --> P9[audit-consumer]
    ORCH --> P10[audit-api]
    ORCH --> P11[ai-catalogue-api]
    ORCH --> P12[monitoring-api]
    ORCH --> P13[notification-api]
    ORCH --> P14[iam-api]
    ORCH --> P15[notification-worker]
    ORCH --> P16[monitoring-worker]
    ORCH --> P17[runner-worker]
    ORCH --> P18[cwiq-common]
    ORCH --> P19[ci-templates]

    DOCS --> D1[onboarding-guide]
    DOCS --> D2[infra-guide]
    DOCS --> D3[developer-guide]

    SYS --> S1[ansible-playbooks]
    SYS --> S2[terraform-plan]

    DEV --> V1[sssd-db-identity]

Project Registry

The table below lists every project with its GitLab path and numeric project ID. You need the project ID whenever you call the GitLab API directly — for example, to trigger a pipeline, query job logs, or create a merge request programmatically.

| Component | GitLab Path | Project ID |
|---|---|---|
| platform (parent) | orchestrator/platform | 3 |
| ui | orchestrator/ui | 4 |
| server | orchestrator/server | 5 |
| agent | orchestrator/agent | 6 |
| cli | orchestrator/cli | 7 |
| mcp (agent-runner) | orchestrator/mcp | 8 |
| ci-templates | orchestrator/ci-templates | 9 |
| executor | orchestrator/executor | 11 |
| runner-api | orchestrator/runner-api | 22 |
| audit-consumer | orchestrator/audit-consumer | 23 |
| audit-api | orchestrator/audit-api | 24 |
| ai-catalogue-api | orchestrator/ai-catalogue-api | 25 |
| monitoring-api | orchestrator/monitoring-api | 26 |
| notification-api | orchestrator/notification-api | 27 |
| iam-api | orchestrator/iam-api | 28 |
| cwiq-common | orchestrator/cwiq-common | 29 |
| notification-worker | orchestrator/notification-worker | 31 |
| monitoring-worker | orchestrator/monitoring-worker | 32 |
| runner-worker | orchestrator/runner-worker | 33 |
| ansible-playbooks | sysadmins/ansible-playbooks | 2 |
| terraform-plan | sysadmins/terraform-plan | 12 |
| sssd-db-identity | devops/sssd-db-identity | 30 |

Quick API Lookup

The most commonly referenced project IDs for daily CI/CD operations:

server=5   ui=4   agent=6   mcp=8   cli=7   executor=11   platform=3
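As an added example (not code from the CWIQ docs), the helper below turns a project path from the registry into the `:id` segment GitLab's REST API expects and builds a create-pipeline request for it; `GITLAB_TOKEN` and `DEPLOY_ENV` are assumed names, and the request is only sent in the `__main__` block.

```python
"""Added example (not CWIQ's own code): build GitLab REST calls for a CWIQ
project by name so the numeric project ID never has to be retyped."""
import json
import os
import urllib.parse
import urllib.request

GITLAB_URL = "https://gitlab.shared.cwiq.io"

# Registry copied from the table above (path -> numeric project ID).
PROJECTS = {
    "orchestrator/platform": 3, "orchestrator/ui": 4, "orchestrator/server": 5,
    "orchestrator/agent": 6, "orchestrator/cli": 7, "orchestrator/mcp": 8,
    "orchestrator/executor": 11,
}


def project_ref(project):
    """:id segment for /api/v4/projects/:id: numeric ID or URL-encoded path
    (a bare 'orchestrator/server' would be read as two path segments)."""
    if isinstance(project, int):
        return str(project)
    if project in PROJECTS:  # known path: use the stable numeric ID
        return str(PROJECTS[project])
    return urllib.parse.quote(project, safe="")  # '/' becomes '%2F'


def create_pipeline_request(project, ref, variables, token):
    """Build (without sending) POST /projects/:id/pipeline for branch `ref`."""
    url = f"{GITLAB_URL}/api/v4/projects/{project_ref(project)}/pipeline"
    body = {
        "ref": ref,
        # The API expects pipeline variables as a list of key/value objects.
        "variables": [{"key": k, "value": v} for k, v in variables.items()],
    }
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # GITLAB_TOKEN and DEPLOY_ENV are assumed names, not from the CWIQ docs.
    req = create_pipeline_request("orchestrator/server", "main",
                                  {"DEPLOY_ENV": "dev"}, os.environ["GITLAB_TOKEN"])
    with urllib.request.urlopen(req) as resp:
        print(json.load(resp)["web_url"])
```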

Group-Level CI/CD Variables

These variables are set at the orchestrator group level (group ID 9) and are automatically inherited by every project in the group. You do not need to redefine them in individual project settings.

| Variable | Value | Masked | Purpose |
|---|---|---|---|
| VAULT_ADDR | https://vault.shared.cwiq.io | No | Vault server URL for JWT auth in CI jobs |
| SSH_PRIVATE_KEY | (secret) | Yes | SSH private key used by deploy jobs to reach the DEV server |
| SSH_USER | cwiq | No | SSH login user for deploy jobs |
| DEV_SERVER_IP | VPC private IP | No | DEV server IP — must be a VPC private IP, not a Tailscale address |
| DEV_SERVER_URL | https://orchestrator.dev.cwiq.io | No | DEV server HTTPS URL used by verify jobs |

Nexus credentials are not CI/CD variables

NEXUS_USER and NEXUS_PASSWORD are not stored as GitLab CI/CD variables. All jobs that push to or pull from Nexus fetch credentials at runtime from Vault using GitLab's JWT authentication. See the Vault JWT Auth page for the pattern.

DEV_SERVER_IP must be a VPC private IP

Runner pods run inside EKS and use VPC CNI networking. Tailscale is not available inside pods. DEV_SERVER_IP must always point to the server's VPC private IP (in the 10.1.x.x range), never a Tailscale address.
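An added pre-flight check (not CWIQ's own code) that a deploy job can run before touching SSH: it verifies the group variables above are present, that the URLs are HTTPS, and that DEV_SERVER_IP is inside 10.1.0.0/16 rather than Tailscale's 100.64.0.0/10 CGNAT range. The exact VPC prefix (10.1.0.0/16) is an assumption drawn from the "10.1.x.x" wording in the note.

```python
"""Added example (not CWIQ's own code): pre-flight check for the orchestrator
group variables, run first in a deploy job so a wrong DEV_SERVER_IP fails
fast instead of the job hanging on SSH."""
import ipaddress
import os
from urllib.parse import urlparse

VPC_RANGE = ipaddress.ip_network("10.1.0.0/16")          # assumed from "10.1.x.x" in the note
TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")  # CGNAT range Tailscale assigns from
REQUIRED = ("VAULT_ADDR", "SSH_PRIVATE_KEY", "SSH_USER", "DEV_SERVER_IP", "DEV_SERVER_URL")


def check_ci_variables(env):
    """Return a list of problems; an empty list means the variables are usable."""
    problems = [f"{name} is unset or empty" for name in REQUIRED if not env.get(name)]
    for name in ("VAULT_ADDR", "DEV_SERVER_URL"):
        if env.get(name) and urlparse(env[name]).scheme != "https":
            problems.append(f"{name} must be an https:// URL")
    ip_text = env.get("DEV_SERVER_IP", "")
    if ip_text:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"DEV_SERVER_IP {ip_text!r} is not an IP address")
        else:
            if ip in TAILSCALE_RANGE:
                problems.append("DEV_SERVER_IP is a Tailscale address; EKS pods have no Tailscale")
            elif ip not in VPC_RANGE:
                problems.append(f"DEV_SERVER_IP {ip} is outside the VPC range {VPC_RANGE}")
    return problems


if __name__ == "__main__":
    # Messages name the failing variable (and the non-secret IP); the
    # SSH key and other secret values are never printed.
    issues = check_ci_variables(dict(os.environ))
    for issue in issues:
        print("ci-variable check:", issue)
    raise SystemExit(1 if issues else 0)
```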

The ci-templates Project

Project orchestrator/ci-templates (ID 9) contains the shared YAML templates that define all reusable CI/CD job definitions across the platform. Every CWIQ service repository includes these templates at the top of its .gitlab-ci.yml.

Template Files

| File | What It Provides |
|---|---|
| .gitlab-ci-common.yml | Global variables, workflow rules, pipeline stages, default runner tag, Docker build/push templates, Ansible deploy template, health-check template |
| .gitlab-ci-python.yml | Python lint (ruff), typecheck (mypy), test (pytest), Semgrep SAST, build, and PyPI publish templates |
| .gitlab-ci-node.yml | Node.js lint (eslint), typecheck (tsc), test (vitest), Semgrep SAST, E2E (Playwright), build, and npm publish templates |
| .gitlab-ci-trivy.yml | Trivy filesystem scan, Trivy Docker image scan, and DefectDojo import templates |
| .gitlab-ci-scan.yml | SonarQube analysis template with Vault JWT authentication |

Including Templates

Add the following include block at the top of your project's .gitlab-ci.yml to pull in the shared templates. Use .gitlab-ci-python.yml for backend services and .gitlab-ci-node.yml for the frontend.

include:
  - project: 'orchestrator/ci-templates'
    ref: main
    file:
      - '/.gitlab-ci-common.yml'
      - '/.gitlab-ci-python.yml'   # backend / CLI / worker services
      - '/.gitlab-ci-trivy.yml'
      - '/.gitlab-ci-scan.yml'

For the UI project, replace .gitlab-ci-python.yml with .gitlab-ci-node.yml:

include:
  - project: 'orchestrator/ci-templates'
    ref: main
    file:
      - '/.gitlab-ci-common.yml'
      - '/.gitlab-ci-node.yml'     # frontend (React / TypeScript)
      - '/.gitlab-ci-trivy.yml'
      - '/.gitlab-ci-scan.yml'

Always include templates from main

Template includes always use ref: main, so every project picks up the latest template changes automatically the next time a pipeline runs. There is no version number to bump in individual projects.