Multi-Project Pipeline Integration
Multi-Project Pipeline Integration
This document describes the multi-project pipeline architecture used across the blueflyio ecosystem for agent-based CI/CD automation.
Overview
Multi-project pipelines allow upstream repositories to trigger specialized agent jobs in downstream repositories. This enables centralized agent execution while maintaining repository autonomy.
Architecture
Upstream Projects
(openstandardagents,
agent-buildkit, etc.)
trigger
Platform Agents
(blueflyio/platform-
agents)
ts:build:agent
native:build:agent
deploy:infra:agent
deploy:ml:agent
Configuration
Upstream Repository Setup
Add trigger jobs to your .gitlab-ci.yml or .gitlab/ci/agents.yml:
variables: AGENT_PLATFORM_PROJECT: blueflyio/platform-agents ts:build:agent: stage: build trigger: project: ${AGENT_PLATFORM_PROJECT} strategy: mirror # Reflects downstream status variables: AGENT_NAME: ts-prod AGENT_TASK: build BUILD_TARGET: production rules: - if: $CI_COMMIT_BRANCH == "main" when: on_success allow_failure: true
Key Configuration Elements
| Element | Description |
|---|---|
trigger.project | Downstream project path |
trigger.strategy | mirror to reflect downstream status |
variables | Passed to downstream pipeline |
rules | When to trigger |
allow_failure | At rule level, not job level |
Authentication
JOB-TOKEN vs PRIVATE-TOKEN
When using CI_JOB_TOKEN for API calls, use the correct header:
# CORRECT - use JOB-TOKEN header curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" \ "https://gitlab.com/api/v4/projects/..." # WRONG - PRIVATE-TOKEN is for personal/project tokens only # curl --header "PRIVATE-TOKEN: ${CI_JOB_TOKEN}" # 401/403 error
Token Scopes
| Token Type | Header | Use Case |
|---|---|---|
CI_JOB_TOKEN | JOB-TOKEN | Cross-project API calls in pipelines |
| Personal Access Token | PRIVATE-TOKEN | Manual/scripted API calls |
| Project Access Token | PRIVATE-TOKEN | Automation with project scope |
Variable Passing
Variables flow from upstream to downstream through:
- Explicit variables in the trigger job
- Predefined variables via interpolation
- dotenv artifacts (Premium/Ultimate)
trigger_job: trigger: project: blueflyio/platform-agents variables: # Explicit AGENT_NAME: my-agent AGENT_TASK: build # Interpolated predefined variables SOURCE_REF: $CI_COMMIT_REF_NAME SOURCE_PROJECT: $CI_PROJECT_PATH
Agent Jobs in openstandardagents
The openstandardagents repository triggers these agent jobs:
| Job | Purpose | Trigger Condition |
|---|---|---|
ts:build:agent | TypeScript production build | main branch, tags |
native:build:agent | Multi-platform native build | tags only |
deploy:infra:agent | Infrastructure deployment | main + infra changes |
deploy:ml:agent | ML model deployment | main + model changes |
drupal:sync:agent | Drupal content sync | main + spec changes |
docs:sync:agent | Documentation sync | main + docs changes |
github:sync:agent | GitHub PR sync | schedule, manual |
Local Execution Agents
Some agents run locally (not triggered downstream):
| Job | Purpose | Manifest Path |
|---|---|---|
code:review:agent | MR code review | .gitlab/agents/ossa-agent/manifest.ossa.yaml |
security:scan:agent | Security scanning | .gitlab/agents/security-scanner/manifest.ossa.yaml |
Troubleshooting
Common Issues
Pipeline not triggered:
- Verify
AGENT_PLATFORM_PROJECT: blueflyio/platform-agents - Check upstream project has trigger access
- Verify rule conditions match
401/403 authentication errors:
- Use
JOB-TOKENheader withCI_JOB_TOKEN - Never use
PRIVATE-TOKENwithCI_JOB_TOKEN
Downstream fails but upstream passes:
- Add
strategy: mirrorto reflect downstream status - Check downstream pipeline logs
Debugging
View downstream pipeline status:
# Get pipeline info glab api projects/blueflyio%2Fplatform-agents/pipelines --per-page 5
Best Practices
- Use
strategy: mirrorto reflect downstream results - Put
allow_failureat rule level, not job level - Use meaningful
AGENT_NAMEandAGENT_TASKvariables - Add
when: on_successto rules for clarity - Document required variables for each agent
Related Documentation
Last Updated: 2025-12-21