The latest articles on DEV Community by Sami Chibani (@sami_chibani). https://dev.to/sami_chibani https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2358691%2Fbac84f45-a2db-452c-926b-fb573495b966.png https://dev.to/sami_chibani en Sami Chibani Fri, 27 Mar 2026 00:26:11 +0000 https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-4-4323 https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-4-4323 <h1> Part 4: The AI-Native CI/CD Stack: Agents, Modules, and Spec-Driven Development </h1> <blockquote> <p>Fixed pipelines for speed and reliability. AI agents to write them and fix them when they break.</p> </blockquote> <p>In <a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-1-58pi">Part 1</a> we built pipelines as real code. In <a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-2-3e75">Part 2</a> we decoupled them from infrastructure. In <a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-3-9ge">Part 3</a> we built AcmeCorp's private module library (<code>acme-backend</code>, <code>acme-frontend</code>, and <code>acme-deploy</code>) that wraps public daggerverse modules with organization-specific compliance, naming, and security.</p> <p>Now let's talk about where AI actually belongs in CI/CD, and where it doesn't.</p> <p>The thesis is simple: <strong>AI doesn't replace the pipeline. It writes the pipeline and fixes it when it breaks.</strong> The pipeline itself stays fixed, deterministic, and fast.</p> <h2> What Is a Dagger Agent? </h2> <p>Just as container primitives allow us to build CI pipelines, Dagger introduces an <code>LLM()</code> primitive that lets you create agents the same way you'd call any other pipeline function. Under the hood, <code>dag.llm()</code> connects to any supported model (Claude, GPT, Gemini) and gives you a composable builder to layer on system prompts, environment bindings, and tool access.</p> <p>What makes this powerful is the tool story. Any Dagger module, including the same private modules we built in <a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-3-9ge">Part 3</a>, can be exposed as MCP tools that the agent calls at runtime. Your <code>acme-deploy</code> module becomes a <code>cloud_run</code> tool. Your <code>acme-backend</code> module becomes <code>build</code> and <code>test</code> tools. You can also attach any local MCP server (a language linter, a CLI wrapper, a documentation server) alongside those module tools, giving the agent both your custom CI abstractions and third-party capabilities in a single environment.</p> <p>The result is a tight synergy between modules and agents: <strong>modules are the typed, testable building blocks; agents are the orchestration layer that composes them through natural language.</strong> You don't choose between writing pipelines and using AI. You write modules once, and agents compose them for you.</p> <blockquote> <p><strong>LLM provider required.</strong> The <code>dag.llm()</code> primitive needs access to a language model. Dagger detects your provider from environment variables — set one of:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Provider</th> <th>API Key Variable</th> <th>Model Variable</th> </tr> </thead> <tbody> <tr> <td>Anthropic (Claude)</td> <td><code>ANTHROPIC_API_KEY</code></td> <td><code>ANTHROPIC_MODEL</code></td> </tr> <tr> <td>OpenAI (GPT)</td> <td><code>OPENAI_API_KEY</code></td> <td><code>OPENAI_MODEL</code></td> </tr> <tr> <td>Google (Gemini)</td> <td><code>GEMINI_API_KEY</code></td> <td><code>GEMINI_MODEL</code></td> </tr> <tr> <td>Local (Ollama)</td> <td> <code>OLLAMA_HOST</code> (defaults to <code>http://localhost:11434</code>)</td> <td><code>OLLAMA_MODEL</code></td> </tr> </tbody> </table></div> <p>In CI, add the key as a repository secret and pass it via <code>env:</code>. Locally, export the variable in your shell before running <code>dagger call</code>. If no provider is detected, agent functions will fail at runtime with a clear error message.</p> </blockquote> <h2> The Problem With Setting Up CI </h2> <p>We solved the YAML problem in Part 1. Pipelines are real code now. And in Part 3, we went further: toolchains let you install AcmeCorp's private modules as zero-code CI, with <code>dagger check</code> running all your checks from a single <code>dagger.json</code>. No SDK, no <code>.dagger/</code> directory, no pipeline code.</p> <p>But there's still a bottleneck: <strong>configuring that setup requires knowing the module library.</strong> AcmeCorp's platform team maintains a growing set of private modules: <code>acme-backend</code>, <code>acme-frontend</code>, <code>acme-deploy</code>. Each module has its own <code>@check</code> functions, its own parameters, its own <code>DefaultPath</code> conventions. Knowing which modules to install as toolchains, which <code>customizations</code> to add for a monorepo layout, and how to wire the deployment step in GitHub Actions still requires familiarity with the internal module library.</p> <p>What if you could point an AI agent at your private modules and your source code, and have it generate the complete toolchain setup and CI workflow for you?</p> <h2> Generating the Setup With Daggie </h2> <p><a href="https://github.com/telchak/daggerverse/tree/main/daggie" rel="noopener noreferrer">Daggie</a> is a Dagger CI specialist agent. It reads module source code, understands their APIs, and generates the right toolchain configuration for your project. You give it your source directory and the Git URL of your module repository. Daggie discovers all available modules inside it and picks the ones relevant to the assignment.</p> <p>Let's pick up from where we left off in Part 3. We're in the <code>dagger-ci-demo</code> monorepo (FastAPI backend + Angular frontend), and AcmeCorp's private modules live at <a href="https://github.com/telchak/acme-dagger-modules" rel="noopener noreferrer"><code>github.com/telchak/acme-dagger-modules</code></a>. AcmeCorp's coding agents (Monty, Angie, Daggie) live at <a href="https://github.com/telchak/daggerverse" rel="noopener noreferrer"><code>github.com/telchak/daggerverse</code></a>.</p> <p>If you still have local changes from Part 3, you can stash them with <code>git stash -u</code> or simply delete the repo and clone it fresh — we want a clean starting point with no existing Dagger configuration.</p> <p>First, initialize Dagger in the project and write the assignment file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dagger init <span class="nb">cat</span> <span class="o">&gt;</span> daggie-assignment.md <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' Set up this monorepo with toolchains from the module library. The backend (backend/) is FastAPI/Python, the frontend (frontend/) is Angular. Install acme-backend, acme-frontend, and acme-deploy as toolchains with the right source path customizations for this monorepo layout. Also generate a .github/workflows/ci.yml with dagger check for PRs, and a deploy step for Cloud Run (backend) and Firebase (frontend) on main. On check failure, call Monty on the backend and Angie on the frontend to post inline fix suggestions on the PR. </span><span class="no">EOF </span></code></pre> </div> <p>Then point Daggie at both repositories — the module library and the daggerverse (so it can discover Monty and Angie's real URLs and versions):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dagger call <span class="nt">-m</span> github.com/telchak/daggerverse/daggie@v0.3.0 <span class="se">\</span> <span class="nt">--module-urls</span><span class="o">=</span><span class="s2">"https://github.com/telchak/acme-dagger-modules.git"</span> <span class="se">\</span> <span class="nt">--module-urls</span><span class="o">=</span><span class="s2">"https://github.com/telchak/daggerverse.git"</span> <span class="se">\</span> assist <span class="se">\</span> <span class="nt">--assignment-file</span><span class="o">=</span>./daggie-assignment.md <span class="se">\</span> <span class="nt">--source</span><span class="o">=</span><span class="nb">.</span> <span class="se">\</span> <span class="nb">export</span> <span class="nt">--path</span><span class="o">=</span><span class="nb">.</span> </code></pre> </div> <p>Daggie clones both repositories and auto-discovers all Dagger modules within them by finding <code>dagger.json</code> files. It reads each module's source code and <code>@check</code>-decorated functions (<code>acme-backend</code> (test, lint), <code>acme-frontend</code> (test, lint, audit), <code>acme-deploy</code> (scan)), detects the monorepo layout, and finds the coding agents (Monty, Angie) with their version tags. It also fetches the latest <code>dagger/dagger-for-github</code> action version automatically. The <code>export --path=.</code> writes the generated <code>dagger.json</code> and <code>.github/workflows/ci.yml</code> to your project root, ready to review, test with <code>dagger check</code>, and commit.</p> <h3> Meet the Agents </h3> <p>Before we look at what Daggie generates, let's introduce the three agents that work together in this setup. They're all Dagger modules, and you call them the same way you call any other module:</p> <ul> <li><p><a href="https://github.com/telchak/daggerverse/tree/main/daggie" rel="noopener noreferrer"><strong>Daggie</strong></a>: the CI specialist. It reads your source code and available modules, then generates the toolchain configuration and CI workflow. You've just seen it in action. Daggie writes the setup; it doesn't run in the pipeline.</p></li> <li><p><a href="https://github.com/telchak/daggerverse/tree/main/monty" rel="noopener noreferrer"><strong>Monty</strong></a>: the Python coding agent. When a check fails on Python code (a test failure, a lint error, a broken import), Monty reads the error output and the source code, analyzes the root cause, and posts an inline code fix suggestion directly on the pull request.</p></li> <li><p><a href="https://github.com/telchak/daggerverse/tree/main/angie" rel="noopener noreferrer"><strong>Angie</strong></a>: the Angular/TypeScript coding agent. Same role as Monty, but for the frontend stack. When an Angular build or test fails, Angie diagnoses the issue and suggests the fix.</p></li> </ul> <p>The key design: <strong>Daggie generates the toolchain setup once. Monty and Angie are called from the CI workflow only when something fails.</strong> The happy path (<code>dagger check</code>: lint, test, audit, scan) is pure deterministic module execution with no LLM involved. AI only enters the picture when a human needs help.</p> <h2> The Generated Setup </h2> <p>Here's what Daggie generates. No <code>.dagger/</code> directory, no SDK, no Python pipeline code. Just a <code>dagger.json</code> with toolchains and a CI workflow. The code blocks below are what Daggie consistently produced as output after 10+ runs with gemini-2.5-pro:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-monorepo"</span><span class="p">,</span><span class="w"> </span><span class="nl">"engineVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v0.20.3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"toolchains"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"backend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-backend@v1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"customizations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"test"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/backend"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"lint"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/backend"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"frontend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-frontend@v1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"customizations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"test"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/frontend"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"lint"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/frontend"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"audit"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/frontend"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"deploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-deploy@v1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"customizations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"scan"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/backend"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Notice what Daggie understood from the project structure and the module library:</p> <ul> <li> <strong>Monorepo layout detected.</strong> Daggie saw <code>backend/</code> and <code>frontend/</code> and added <code>customizations</code> to route each check's <code>source</code> argument to the right subdirectory.</li> <li> <strong>All <code>@check</code> functions discovered.</strong> It read the module source, found every function decorated with <code>@check</code> (<code>test</code>, <code>lint</code> on backend; <code>test</code>, <code>lint</code>, <code>audit</code> on frontend; <code>scan</code> on deploy), and installed the modules as toolchains so <code>dagger check</code> picks them all up.</li> <li> <strong>No pipeline code.</strong> No <code>dag.container()</code>, no base image selection, no <code>pip install</code>. The private modules encapsulate all of that. The project gets AcmeCorp-compliant CI from a single JSON file.</li> <li> <strong>Deployment stays explicit.</strong> <code>cloud_run</code> and <code>firebase</code> are regular functions, not checks. They don't run via <code>dagger check</code> — they're called explicitly from the CI workflow's deploy step, because deployments should be intentional.</li> </ul> <h2> Running the Checks </h2> <p>No GCP credentials needed for the checks — they run entirely in containers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dagger check </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✔ acme-backend:lint (12.9s) OK ✔ acme-backend:test (15.2s) OK ✔ acme-deploy:scan (18.4s) OK ✔ acme-frontend:lint (58.0s) OK ✔ acme-frontend:test (62.0s) OK ✔ acme-frontend:audit (25.6s) OK </code></pre> </div> <p>Six checks, three toolchains, zero lines of code. All six run in parallel. No tokens consumed. The private modules handled base images, cache volumes, coverage thresholds, and vulnerability scanning — all invisible to the project.</p> <h2> When a Check Fails </h2> <p>Let's say a developer pushes a PR and the backend tests fail:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>dagger check <span class="go">✔ acme-backend:lint (3.1s) OK ✘ acme-backend:test (6.4s) ERROR ┇ .test( ┆ source: context ./backend ) › ✘ withExec pytest -v --tb=short --cov=src ... (4.2s) ERROR FAILED tests/test_auth.py::test_validate_token AssertionError: Expected 401, got 200 auth.py:47 — missing token expiry check ✔ acme-deploy:scan (18.4s) OK ✔ acme-frontend:lint (2.9s) OK ✔ acme-frontend:test (9.1s) OK ✔ acme-frontend:audit (25.6s) OK </span></code></pre> </div> <p>The CI workflow's failure step kicks in. Monty reads the error output and the source code, analyzes the root cause, and posts an inline code suggestion directly on the PR:</p> <blockquote> <p><strong>🐍 Monty</strong> suggested a fix for <code>backend/auth.py</code>:</p> <pre class="highlight plaintext"><code>def validate_token(token: str) -&gt; bool: payload = jwt.decode(token, SECRET_KEY, algorithms=["HS256"]) if payload["exp"] &lt; time.time(): raise HTTPException(status_code=401, detail="Token expired") return True </code></pre> <p>The test expects a <code>401</code> when the token is expired, but <code>validate_token</code> doesn't check the <code>exp</code> claim. This adds the expiry check before returning.</p> </blockquote> <p>The developer gets actionable fix suggestions, with code they can accept in one click, instead of a wall of logs to interpret.</p> <h2> Integrating Into CI/CD </h2> <p>Daggie also generates the GitHub Actions workflow. Here's what it produces: <code>dagger check</code> for PRs, deployment on main, and a failure handler that calls Monty or Angie directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/ci.yml (generated by Daggie)</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="c1"># Grant permissions for OIDC and for agents to post comments/suggestions</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">write</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">check</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v6</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run all Dagger checks</span> <span class="na">id</span><span class="pi">:</span> <span class="s">checks</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="c1"># Must match engineVersion in dagger.json</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">check</span> <span class="c1"># Allow the job to continue on failure so the fix suggestion steps can run</span> <span class="na">continue-on-error</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Call Monty to suggest fixes for the backend</span> <span class="na">if</span><span class="pi">:</span> <span class="s">failure() &amp;&amp; steps.checks.outcome == 'failure' &amp;&amp; github.event_name == 'pull_request'</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">call</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">-m github.com/telchak/daggerverse/monty@v0.2.0</span> <span class="s">suggest-github-fix</span> <span class="s">--source=./backend</span> <span class="s">--github-token=env:GITHUB_TOKEN</span> <span class="s">--pr-number=${{ github.event.pull_request.number }}</span> <span class="s">--repo=${{ github.repository }}</span> <span class="s">--commit-sha=${{ github.event.pull_request.head.sha }}</span> <span class="s">--error-output="${{ steps.checks.outputs.stderr }}"</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="c1"># ANTHROPIC_API_KEY, OPENAI_API_KEY, or GOOGLE_API_KEY</span> <span class="c1"># depending on the agent's LLM provider</span> <span class="na">ANTHROPIC_API_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.ANTHROPIC_API_KEY }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Call Angie to suggest fixes for the frontend</span> <span class="na">if</span><span class="pi">:</span> <span class="s">failure() &amp;&amp; steps.checks.outcome == 'failure' &amp;&amp; github.event_name == 'pull_request'</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">call</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">-m github.com/telchak/daggerverse/angie@v0.2.0</span> <span class="s">suggest-github-fix</span> <span class="s">--source=./frontend</span> <span class="s">--github-token=env:GITHUB_TOKEN</span> <span class="s">--pr-number=${{ github.event.pull_request.number }}</span> <span class="s">--repo=${{ github.repository }}</span> <span class="s">--commit-sha=${{ github.event.pull_request.head.sha }}</span> <span class="s">--error-output="${{ steps.checks.outputs.stderr }}"</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">ANTHROPIC_API_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.ANTHROPIC_API_KEY }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Fail the job if checks failed</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.checks.outcome == 'failure'</span> <span class="na">run</span><span class="pi">:</span> <span class="s">exit </span><span class="m">1</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">check</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main' &amp;&amp; github.event_name == 'push'</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v6</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Backend to Cloud Run</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">call</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">deploy cloud-run</span> <span class="s">--source=./backend</span> <span class="s">--service-name=acme-backend-api</span> <span class="s">--team=api-team</span> <span class="s">--project-id=${{ vars.GCP_PROJECT_ID }}</span> <span class="s">--region=${{ vars.GCP_REGION }}</span> <span class="s">--environment=production</span> <span class="s">--oidc-request-token=env:ACTIONS_ID_TOKEN_REQUEST_TOKEN</span> <span class="s">--oidc-request-url=env:ACTIONS_ID_TOKEN_REQUEST_URL</span> <span class="na">env</span><span class="pi">:</span> <span class="na">ACTIONS_ID_TOKEN_REQUEST_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}</span> <span class="na">ACTIONS_ID_TOKEN_REQUEST_URL</span><span class="pi">:</span> <span class="s">${{ secrets.ACTIONS_ID_TOKEN_REQUEST_URL }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Frontend to Firebase</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">call</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">deploy firebase</span> <span class="s">--source=./frontend</span> <span class="s">--project-id=${{ vars.GCP_PROJECT_ID }}</span> <span class="s">--oidc-request-token=env:ACTIONS_ID_TOKEN_REQUEST_TOKEN</span> <span class="s">--oidc-request-url=env:ACTIONS_ID_TOKEN_REQUEST_URL</span> <span class="na">env</span><span class="pi">:</span> <span class="na">ACTIONS_ID_TOKEN_REQUEST_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}</span> <span class="na">ACTIONS_ID_TOKEN_REQUEST_URL</span><span class="pi">:</span> <span class="s">${{ secrets.ACTIONS_ID_TOKEN_REQUEST_URL }}</span> </code></pre> </div> <p>The <code>check</code> job uses zero LLM tokens. It's pure <code>dagger check</code> — six deterministic checks from three toolchains. The suggest-fix steps only run on failure, calling Monty and Angie directly as Dagger modules (not pipeline functions). The deploy job calls <code>acme-deploy</code>'s functions via <code>dagger call</code> on the installed toolchain. You get deterministic, fast CI with intelligent failure handling.</p> <h2> The Developer Experience Shift </h2> <h3> Before: Pipeline Specialists </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer → writes app code DevOps → writes pipeline code per stack DevOps → maintains deployment scripts per framework DevOps → debugs pipeline failures Everyone → waits for DevOps </code></pre> </div> <h3> After: Agents Configure and Fix CI </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Platform team → builds and maintains private modules (acme-backend, acme-frontend, acme-deploy) Platform team → builds and maintains agents (Daggie, Monty, Angie) Developer → asks Daggie to set up toolchains from the private module library dagger check → runs deterministically — no LLM, no tokens On failure → coding agents analyze errors and suggest fixes on the PR </code></pre> </div> <p>The platform team builds the modules and agents. Daggie configures toolchains and generates the CI workflow. <code>dagger check</code> runs fast and deterministic. When things break, coding agents step in with targeted fixes.</p> <h2> From Developer Platform to Agent Factory </h2> <p>So far we've seen how Dagger improves CI performance, maintainability, and developer experience. But there's a larger shift happening.</p> <p>As coding agents become more capable, the developer's core role is evolving, from pure coder to <strong>agent orchestrator</strong>. You still need to understand the code, review the output, and make architectural decisions. But more and more of the mechanical work (implementing a well-specified feature, writing tests for existing code, fixing a lint error) can be delegated to agents that understand your codebase.</p> <p>Follow this evolution to its conclusion, and an Internal Developer Platform starts looking like an <strong>Internal Agent Factory</strong>: a system that manages not just infrastructure and deployments, but <em>how coding agents are built, composed, and deployed</em>: which agents run on which tasks, with what models, under what constraints, producing what artifacts.</p> <p>The building blocks are already here. We have:</p> <ul> <li> <strong>Typed, testable modules</strong> that encapsulate domain expertise (Part 3)</li> <li> <strong>Coding agents</strong> that read source code and produce changes (Monty, Angie)</li> <li> <strong>A CI specialist</strong> that generates pipelines from module libraries (Daggie)</li> </ul> <p>What's missing is the orchestration layer, something that takes a feature request, breaks it into agent-assignable tasks, and dispatches them through CI. That's <a href="https://github.com/telchak/daggerverse/tree/main/speck" rel="noopener noreferrer">Speck</a>.</p> <h2> Spec-Driven Development With Speck </h2> <p><a href="https://github.com/telchak/daggerverse/tree/main/speck" rel="noopener noreferrer">Speck</a> is a Dagger agent that implements <strong>spec-driven development</strong>, inspired by GitHub's <a href="https://github.com/github/spec-kit" rel="noopener noreferrer">spec-kit</a> methodology. The idea is simple: specifications first, code second.</p> <p>Given a feature request (either a prompt or a GitHub issue), Speck runs a three-step pipeline:</p> <ol> <li> <strong>Specify</strong>: generate a structured specification with user stories, acceptance criteria, and requirements</li> <li> <strong>Plan</strong>: produce a technical implementation plan grounded in the actual codebase</li> <li> <strong>Decompose</strong>: break the plan into ordered, dependency-aware tasks with agent and model assignments</li> </ol> <p>The output is a structured JSON object designed for GitHub Actions <code>fromJson()</code> + matrix strategy consumption. Each task includes a <code>suggested_agent</code> (which Dagger agent should execute it), a <code>suggested_model</code> (which LLM complexity tier it needs), and an <code>order</code> field that defines the execution sequence.</p> <h3> The Pipeline Pattern </h3> <p>When <code>--include-tests</code> and <code>--include-review</code> are enabled, Speck organizes tasks into phases that follow an <strong>implement → test → review</strong> pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Phase 1: T001 (implement, haiku) → T002 (test, sonnet) → T003 (review, sonnet) Phase 2: T004 (implement, sonnet) → T005 (implement, sonnet) → T006 (test, opus) → T007 (review, sonnet) </code></pre> </div> <p>Phases run in <strong>parallel</strong> (each on its own CI runner). Tasks within a phase use the <strong>prompt chaining</strong> pattern, a workflow where the output of one agent becomes the input of the next, forming a sequential pipeline. Concretely, each agent receives a source Directory, modifies it, and exports the result back to the workspace. The next agent in the chain picks up that modified workspace as its input. This is different from running agents independently: the test agent <em>sees</em> the code the implementation agent wrote, and the review agent <em>sees</em> both the implementation and the tests. One PR is created per phase from the accumulated changes.</p> <p>The model assignment is automatic: Speck maps task complexity to concrete model IDs based on the chosen provider family. Simple config changes get Haiku. Standard feature implementations get Sonnet. Cross-cutting architectural changes get Opus. Test tasks get one tier above their implementation task's complexity, since understanding the implementation requires more context.</p> <h3> Setting Up the Workflow </h3> <p>Let's see this in action. We'll fork a real-world application, the <a href="https://github.com/nsidnev/fastapi-realworld-example-app" rel="noopener noreferrer">FastAPI RealWorld Example App</a> (a production-like REST API with authentication, articles, comments, and favorites), and turn GitHub Actions into a spec-driven development platform.</p> <p><strong>Step 1: Fork the repository</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gh repo fork nsidnev/fastapi-realworld-example-app <span class="nt">--clone</span> <span class="nb">cd </span>fastapi-realworld-example-app </code></pre> </div> <p><strong>Step 2: Add the Speck workflow</strong></p> <p>Create <code>.github/workflows/speck.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Spec-Driven Development with Speck</span> <span class="c1"># Triggers on "speck" label → decompose → execute phases → create PRs</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Spec-Driven Development</span> <span class="na">on</span><span class="pi">:</span> <span class="na">issues</span><span class="pi">:</span> <span class="na">types</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">labeled</span><span class="pi">]</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">write</span> <span class="na">issues</span><span class="pi">:</span> <span class="s">write</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">decompose</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event.label.name == 'speck'</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">result</span><span class="pi">:</span> <span class="s">${{ steps.run.outputs.result }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v6</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">version</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Decompose issue into phases</span> <span class="na">id</span><span class="pi">:</span> <span class="s">run</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">ANTHROPIC_API_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.ANTHROPIC_API_KEY }}</span> <span class="na">ANTHROPIC_MODEL</span><span class="pi">:</span> <span class="s">claude-opus-4-6</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">dagger call -m github.com/telchak/daggerverse/speck@feat/speck \</span> <span class="s">--allow-llm=all \</span> <span class="s">--source=. \</span> <span class="s">decompose \</span> <span class="s">--issue-id=${{ github.event.issue.number }} \</span> <span class="s">--repository="https://github.com/${{ github.repository }}" \</span> <span class="s">--github-token=env:GITHUB_TOKEN \</span> <span class="s">--create-pr \</span> <span class="s">--include-tests \</span> <span class="s">--include-review \</span> <span class="s">--agents='[{"name":"monty","source":"github.com/telchak/daggerverse/monty@feat/speck","specialization":"Python backend development","capabilities":["assist","review","write_tests","build","upgrade"]}]' \</span> <span class="s">--tech-stack="Python, FastAPI, PostgreSQL" \</span> <span class="s">&gt; /tmp/speck.json</span> <span class="s">echo "result=$(jq -c '.' /tmp/speck.json)" &gt;&gt; $GITHUB_OUTPUT</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Post summary to issue</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">RESULT</span><span class="pi">:</span> <span class="s">${{ steps.run.outputs.result }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">TASKS=$(echo "$RESULT" | jq '.total_tasks')</span> <span class="s">PHASES=$(echo "$RESULT" | jq '.execution_plan.total_phases')</span> <span class="s">PRETTY=$(echo "$RESULT" | jq '.')</span> <span class="s">gh issue comment "${{ github.event.issue.number }}" \</span> <span class="s">--body "## Speck Decomposition Complete</span> <span class="s">**Tasks**: ${TASKS} | **Phases**: ${PHASES}</span> <span class="s">&lt;details&gt;&lt;summary&gt;Full JSON&lt;/summary&gt;</span> <span class="s">\`\`\`json</span> <span class="s">${PRETTY}</span> <span class="s">\`\`\`</span> <span class="s">&lt;/details&gt;"</span> <span class="na">execute-phase</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">decompose</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">phase</span><span class="pi">:</span> <span class="s">${{ fromJson(needs.decompose.outputs.result).execution_plan.phases }}</span> <span class="na">max-parallel</span><span class="pi">:</span> <span class="m">3</span> <span class="na">fail-fast</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v6</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">version</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Execute phase ${{ matrix.phase.phase }} and create PR</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">ANTHROPIC_API_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.ANTHROPIC_API_KEY }}</span> <span class="na">SPECK_JSON</span><span class="pi">:</span> <span class="s">${{ needs.decompose.outputs.result }}</span> <span class="na">PHASE_NUM</span><span class="pi">:</span> <span class="s">${{ matrix.phase.phase }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">TASKS=$(echo "$SPECK_JSON" | jq -c \</span> <span class="s">"[.tasks[] | select(.phase == ($PHASE_NUM | tonumber))] | sort_by(.order)")</span> <span class="s">for i in $(seq 0 $(( $(echo "$TASKS" | jq 'length') - 1 ))); do</span> <span class="s">TASK=$(echo "$TASKS" | jq -c ".[$i]")</span> <span class="s">AGENT=$(echo "$TASK" | jq -r '.suggested_agent.source // empty')</span> <span class="s">ENTRY=$(echo "$TASK" | jq -r '.suggested_agent.entrypoint // "assist"' | tr '_' '-')</span> <span class="s">DESC=$(echo "$TASK" | jq -r '.description')</span> <span class="s">MODEL=$(echo "$TASK" | jq -r '.suggested_model')</span> <span class="s">echo "--- [$(echo "$TASK" | jq -r '.id')] $(echo "$TASK" | jq -r '.title') (model=$MODEL) ---"</span> <span class="s">[ -z "$AGENT" ] &amp;&amp; echo "Skipping: no agent" &amp;&amp; continue</span> <span class="s">if [ "$ENTRY" = "review" ]; then</span> <span class="s">ANTHROPIC_MODEL="$MODEL" dagger call -m "$AGENT" --allow-llm=all \</span> <span class="s">--source=. "$ENTRY" --assignment="$DESC"</span> <span class="s">else</span> <span class="s">ANTHROPIC_MODEL="$MODEL" dagger call -m "$AGENT" --allow-llm=all \</span> <span class="s">--source=. "$ENTRY" --assignment="$DESC" export --path=.</span> <span class="s">fi</span> <span class="s">done</span> <span class="s"># Create PR from accumulated changes</span> <span class="s">dagger call -m github.com/kpenfound/dag/github-issue \</span> <span class="s">--token=env:GITHUB_TOKEN \</span> <span class="s">create-pull-request \</span> <span class="s">--repo="https://github.com/${{ github.repository }}" \</span> <span class="s">--source=. \</span> <span class="s">--branch="${{ matrix.phase.pr_branch }}" \</span> <span class="s">--base=master \</span> <span class="s">--title="Phase ${{ matrix.phase.phase }}: ${{ matrix.phase.name }}" \</span> <span class="s">--body="Implements **${{ matrix.phase.name }}**. Closes #${{ github.event.issue.number }}. Generated by Speck." \</span> <span class="s">url</span> </code></pre> </div> <p>A few things to note in this workflow:</p> <ul> <li> <strong>Two jobs, one workflow.</strong> The <code>decompose</code> job uses Opus for planning, since it needs the most reasoning power to analyze the codebase and produce a good decomposition. The <code>execute-phase</code> job uses the <code>suggested_model</code> from each task: Haiku for simple changes, Sonnet for standard work, Opus for complex logic.</li> <li> <strong><code>--allow-llm=all</code></strong> is required in CI. In interactive mode, Dagger prompts for LLM API access approval. In GitHub Actions there's no TTY, so we bypass the prompt.</li> <li> <strong>PR creation uses a Dagger module.</strong> Instead of raw git commands, we use the <a href="https://github.com/kpenfound/dag/tree/main/github-issue" rel="noopener noreferrer"><code>github-issue</code></a> module's <code>create-pull-request</code> function, which takes a <code>--source</code> Directory and handles branch creation, commit, push, and PR creation internally.</li> <li> <strong>Review tasks skip <code>export</code>.</strong> The <code>review</code> entrypoint returns a string (the review text), not a Directory. Other entrypoints return a Directory that gets exported back to the workspace for the next task in the chain.</li> </ul> <p><strong>Step 3: Configure secrets</strong></p> <p>The workflow needs an LLM API key. Add it as a repository secret:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gh secret <span class="nb">set </span>ANTHROPIC_API_KEY <span class="nt">--repo</span> your-org/fastapi-realworld-example-app </code></pre> </div> <p>The <code>GITHUB_TOKEN</code> is provided automatically by GitHub Actions with the permissions declared in the workflow.</p> <p><strong>Step 4: Commit, push, and create a test issue</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git add .github/workflows/speck.yml git commit <span class="nt">-m</span> <span class="s2">"Add Speck spec-driven development workflow"</span> git push origin master </code></pre> </div> <p>Now create a GitHub issue with a feature request (see <a href="https://github.com/telchak/fastapi-realworld-example-app/issues/1" rel="noopener noreferrer">issue #1</a>):</p> <blockquote> <p><strong>Title:</strong> Add article bookmarking/favorites list endpoint</p> <p><strong>Body:</strong></p> <p>Add the ability for authenticated users to retrieve their list of favorited articles with pagination and optional filtering.</p> <p><strong>Requirements:</strong></p> <ul> <li>New <code>GET /api/articles/feed</code> endpoint that returns articles the current user has favorited</li> <li>Support pagination via <code>limit</code> and <code>offset</code> query parameters (defaults: limit=20, offset=0)</li> <li>Support optional <code>tag</code> filter to narrow favorites by tag</li> <li>Response format must match the existing <code>GET /api/articles</code> response shape (articles array + articlesCount)</li> <li>Only accessible to authenticated users (return 401 if unauthenticated)</li> </ul> </blockquote> <h3> Running the Workflow </h3> <p>Add the <code>speck</code> label to the issue. This triggers the workflow.</p> <p><strong>Step 1, Decomposition (Opus):</strong></p> <p>Speck reads the issue, explores the FastAPI codebase (models, routes, repositories, existing test patterns), and produces a structured decomposition. It posts the result as a <a href="https://github.com/telchak/fastapi-realworld-example-app/issues/1#issuecomment-4106448160" rel="noopener noreferrer">comment on the issue</a>:</p> <p>In this case, Speck decomposed the feature into 3 phases with 9 tasks:</p> <ul> <li> <strong>Phase 1, Repository and Query Layer</strong> (T001-T004): add repository method to fetch favorited articles (assist, sonnet), add dependency function and filter schema (assist, haiku), write tests for repository and schema (write-tests, sonnet), review (review, sonnet)</li> <li> <strong>Phase 2, API Endpoint</strong> (T005-T007): implement <code>GET /api/articles/favorites</code> endpoint (assist, sonnet), write integration tests (write-tests, opus), review endpoint and tests (review, sonnet)</li> <li> <strong>Phase 3, Error Handling and Strings</strong> (T008-T009): add error handling strings and edge case coverage (assist, haiku), final integration review (review, sonnet)</li> </ul> <p>Each task has a <code>suggested_model</code> based on complexity: simple schema additions get <code>claude-haiku-4-5</code>, standard implementations get <code>claude-sonnet-4-6</code>, and comprehensive test writing gets <code>claude-opus-4-6</code> (since tests need to understand the full implementation context).</p> <p><strong>Step 2, Execution (parallel phases, sequential tasks):</strong></p> <p>GitHub Actions matrices by phase. Each phase runs on its own runner. Within each phase, tasks are chained sequentially. Monty implements the feature, then writes tests on top of the implementation, then reviews the accumulated changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Phase 1 runner (Repository and Query Layer): T001 (assist, sonnet) → Monty adds repository method → exports to . T002 (assist, haiku) → Monty adds filter schema + dependency → exports to . T003 (write-tests, sonnet) → Monty writes tests → exports to . T004 (review, sonnet) → Monty reviews all changes → logs review → github-issue creates PR #3 from accumulated changes Phase 2 runner (API Endpoint): T005 (assist, sonnet) → Monty implements the endpoint → exports to . T006 (write-tests, opus) → Monty writes integration tests → exports to . T007 (review, sonnet) → Monty reviews endpoint + tests → logs review → github-issue creates PR #4 from accumulated changes Phase 3 runner (Error Handling and Strings): T008 (assist, haiku) → Monty adds error handling + edge cases → exports to . T009 (review, sonnet) → Monty does final integration review → logs review → github-issue creates PR #5 from accumulated changes </code></pre> </div> <p><strong>Step 3, Pull Requests:</strong></p> <p>Each phase produced one PR with all accumulated changes, linked to the original issue:</p> <ul> <li> <a href="https://github.com/telchak/fastapi-realworld-example-app/pull/3" rel="noopener noreferrer"><strong>PR #3</strong>: Phase 1: Repository and Query Layer</a> — 361 additions across 5 files</li> <li> <a href="https://github.com/telchak/fastapi-realworld-example-app/pull/4" rel="noopener noreferrer"><strong>PR #4</strong>: Phase 2: API Endpoint</a> — 317 additions across 5 files</li> <li> <a href="https://github.com/telchak/fastapi-realworld-example-app/pull/5" rel="noopener noreferrer"><strong>PR #5</strong>: Phase 3: Error Handling and Strings</a> — 74 additions across 3 files</li> </ul> <p>Each PR includes implementation, tests, and a review pass, all generated by Monty working sequentially on the same codebase within the phase.</p> <h3> What Just Happened </h3> <p>A developer wrote a feature request with acceptance criteria. The system:</p> <ol> <li> <strong>Opus</strong> analyzed the codebase and decomposed the request into 9 tasks across 3 phases</li> <li> <strong>Haiku</strong>, <strong>Sonnet</strong>, and <strong>Opus</strong> implemented the feature, wrote tests, and reviewed the code, each task using the right model for its complexity</li> <li> <strong>Three PRs</strong> were created automatically, linked to the issue, ready for human review — 752 lines of code across 13 files</li> </ol> <p>No pipeline code was written. No agent was invoked manually. The developer's job is now to <strong>review the PRs</strong>: read the code, check the tests, verify the approach. The mechanical work of translating a spec into code, tests, and PRs happened automatically.</p> <p>This is the shift from Internal Developer Platform to Internal Agent Factory: <strong>the platform doesn't just run your CI. It runs your agents, manages their model costs, chains their outputs, and produces reviewable artifacts from natural language specifications.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdsctemafrciaj5jnrxmd.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdsctemafrciaj5jnrxmd.jpg" alt=" " width="800" height="446"></a><br> <em>Image generated with Google's Gemini "Nano Banana Pro"</em></p> <h2> Agents That Learn: Self-Improvement Across Runs </h2> <p>There's one more capability worth covering. Every agent (Monty, Angie, Daggie, and Goose, a GCP deployment orchestrator) reads per-repo context files to understand project conventions. But until now, the context was static. The developer wrote it once and maintained it by hand.</p> <p>With <code>--self-improve</code>, the agents can <strong>update those files themselves</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dagger call <span class="nt">-m</span> github.com/telchak/daggerverse/monty@v0.2.0 <span class="se">\</span> <span class="nt">--self-improve</span><span class="o">=</span>write <span class="se">\</span> assist <span class="se">\</span> <span class="nt">--source</span><span class="o">=</span><span class="nb">.</span> <span class="se">\</span> <span class="nt">--assignment</span><span class="o">=</span><span class="s2">"Add input validation to all API endpoints"</span> </code></pre> </div> <p>As Monty works through the codebase (reading models, tracing routes, checking existing patterns), it discovers things: "This project uses Pydantic v2 field validators, not v1-style <code>@validator</code>." "Tests use <code>httpx.AsyncClient</code>, not the sync test client." "Custom exceptions live in <code>app/errors.py</code>."</p> <p>Instead of those discoveries dying with the session, Monty records them in <strong>two</strong> files:</p> <p><strong><code>MONTY.md</code></strong>, Python-specific knowledge:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">## Learned Context</span> <span class="p"> -</span> Pydantic v2 with field validators (<span class="sb">`field_validator`</span>), not v1 <span class="sb">`@validator`</span> <span class="p">-</span> All route handlers are async; tests use <span class="sb">`httpx.AsyncClient`</span> with <span class="sb">`pytest-asyncio`</span> <span class="p">-</span> Input validation pattern: Pydantic model as request body, raises <span class="sb">`ValidationError`</span> → 422 </code></pre> </div> <p><strong><code>AGENTS.md</code></strong>, general project knowledge shared across all agents:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">## Learned Context</span> <span class="p"> -</span> Custom exception hierarchy in <span class="sb">`app/errors.py`</span>, handlers in <span class="sb">`app/middleware.py`</span> <span class="p">-</span> Project uses src layout with <span class="sb">`app/`</span> as the main package <span class="p">-</span> CI runs pytest with coverage; minimum threshold is 80% </code></pre> </div> <p>The next time any agent runs on this repo, whether it's Monty, Angie, or a different developer, it reads both the agent-specific file and the shared <code>AGENTS.md</code>, starting with better knowledge. Python patterns stay in <code>MONTY.md</code> where only Monty reads them; project-wide conventions go in <code>AGENTS.md</code> where every agent benefits. No one had to write documentation. The agents documented the project by working on it.</p> <h3> Three modes </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Mode</th> <th>What happens</th> </tr> </thead> <tbody> <tr> <td> <code>off</code> (default)</td> <td>Current behavior: context files are read-only</td> </tr> <tr> <td><code>write</code></td> <td>Agent updates context files in the returned workspace directory</td> </tr> <tr> <td><code>commit</code></td> <td>Agent updates context files and creates a git commit</td> </tr> </tbody> </table></div> <p>The <code>commit</code> mode is useful for automation. When combined with <code>develop-github-issue</code>, the context file updates get included in the PR:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dagger call <span class="nt">-m</span> github.com/telchak/daggerverse/monty@v0.2.0 <span class="se">\</span> <span class="nt">--self-improve</span><span class="o">=</span>commit <span class="se">\</span> develop-github-issue <span class="se">\</span> <span class="nt">--github-token</span><span class="o">=</span><span class="nb">env</span>:GITHUB_TOKEN <span class="se">\</span> <span class="nt">--issue-id</span><span class="o">=</span>42 <span class="se">\</span> <span class="nt">--repository</span><span class="o">=</span><span class="s2">"https://github.com/owner/my-python-api"</span> <span class="se">\</span> <span class="nt">--source</span><span class="o">=</span><span class="nb">.</span> </code></pre> </div> <p>The PR includes both the code changes and a commit like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>chore(monty): update context files with learned discoveries </code></pre> </div> <p>Over time, the context files become living documents, a compressed summary of the project's architecture, conventions, and gotchas, maintained by the agents that work on it.</p> <h2> Would I Recommend Dagger CI in Production Right Now? </h2> <p>I've been following the Dagger project for several years now. And I can say with confidence: <strong>it has never been closer to production-ready than it is today.</strong></p> <p>The core primitives (typed functions, composable modules, containerized execution, deterministic caching) are solid. The <code>dagger call</code> experience is genuinely portable across local development and CI. The module ecosystem is growing. And as we've seen throughout this series, the LLM integration through the <code>dag.llm()</code> primitive opens up a category of workflows that simply didn't exist before.</p> <p>That said, there are areas where the platform still needs to mature. Here's what I'd like to see, and what's already on the roadmap.</p> <h3> What the Agent Layer Needs </h3> <p>The current <code>LLM</code> primitive is functional but minimal. To build truly capable agents in Dagger, a few key features would make a significant difference:</p> <ul> <li> <strong>External memory</strong>: Right now, agents forget everything between runs. Connecting the LLM to persistent memory stores (a vector database, a knowledge graph, or even a simple key-value store) would let agents accumulate project knowledge beyond what <code>--self-improve</code> and context files can provide.</li> <li> <strong>RAG integration</strong>: Being able to connect the LLM to external retrieval-augmented generation engines would allow agents to reason over large documentation sets, internal wikis, or historical CI logs without stuffing everything into the context window.</li> <li> <strong>Remote MCP servers</strong>: Dagger currently supports stdio-based MCP servers. Adding support for remote HTTP MCP servers would unlock integration with hosted tool services (SonarQube, Jira, Slack, observability platforms) without needing to bundle everything as a local process.</li> <li> <strong>Broader BYOK compatibility</strong>: Dagger natively recognizes only four provider configurations: <code>ANTHROPIC_API_KEY</code>, <code>GEMINI_API_KEY</code>, <code>OPENAI_API_KEY</code>, and Ollama. To use any other provider (Mistral, Qwen, DeepSeek), you have to route through the <code>OPENAI_BASE_URL</code> compatibility layer, which works but feels like a workaround. Native support for more provider environment variables (<code>MISTRAL_API_KEY</code>, <code>DEEPSEEK_API_KEY</code>, etc.) would make BYOK a first-class experience rather than an OpenAI-compat hack.</li> <li> <strong>Native multi-agent patterns</strong>: Right now, orchestrating multiple agents (like Speck decomposing work across Monty and Angie) requires external coordination (a GitHub Actions matrix, a shell loop, or a custom orchestrator). A native <code>Graph</code> type in Dagger's core, similar to what LangGraph provides, would let you define agent workflows as typed, cacheable DAGs. Imagine declaring "run these three agents in parallel, merge their outputs, then run a review agent" as a first-class Dagger construct.</li> </ul> <h3> What's Coming, and Why It Matters </h3> <p>Some of the most exciting changes are already in active development:</p> <p><strong><a href="https://dagger.io/changelog/#cloud-engines" rel="noopener noreferrer">Cloud Engines</a></strong>: Fully managed Dagger execution environments with auto-scaling and distributed caching built in. Run <code>dagger --cloud</code> and your pipeline executes on managed infrastructure, with secrets and local context securely streamed to the cloud. No more managing Kubernetes daemonsets or custom cache layers.</p> <p><strong><a href="https://dagger.io/changelog/#cloud-checks" rel="noopener noreferrer">Cloud Checks</a></strong>: This is the big one. Cloud Checks connects directly to your Git provider and triggers <code>dagger check</code> on every change, running on Cloud Engines. No YAML. No vendor syntax. No orchestration layer. Just your Dagger modules.</p> <p>Those two previous features are welcome because the more complex our Dagger workflows get, the more trying to fit them into GitHub Actions or GitLab CI feels like forcing circles into squares. Our Speck-driven development workflow is a perfect example: a decompose job that outputs dynamic JSON, a matrix strategy that fans out phases, shell scripts converting snake_case to kebab-case, environment variables carrying JSON between steps, conditional <code>export</code> commands based on return types... All of this ceremony exists because GitHub Actions was designed for static, declarative workflows, not for the kind of dynamic, graph-shaped execution that Dagger naturally produces. Cloud Checks would eliminate that entire translation layer. Your Dagger module <em>is</em> the CI platform. Add to that a native <code>Graph</code> core type, and you could have a full native multi-agent workflow completely independent from GitHub Actions or any other CI engine. Dagger CI would go from a "CI development toolkit" to a fully operational CI/CD platform.</p> <p><strong><a href="https://dagger.io/changelog/#modules-v2" rel="noopener noreferrer">Modules V2</a></strong>: A fundamental redesign of how modules interact with projects. Today, modules can't see your project structure unless you thread it through manually with <code>--source</code> flags, custom boilerplate, and static path patterns. Modules V2 introduces a <strong>typed Workspace API</strong> that lets modules parse configuration files, traverse directory trees, and adapt to any project layout, all through executable code rather than rigid pragmas. A new <code>.dagger/config.toml</code> file declares which modules a project uses in a human-editable format, and a lockfile ensures reproducible resolution across teams. This shifts complexity from users to module authors, which is exactly where it belongs.</p> <p>These three features together (managed compute, native CI triggering, and smarter module integration) would close the gap between "Dagger as a portable pipeline SDK" and "Dagger as a complete CI platform." And from everything I've seen in the project's trajectory, that gap is closing fast.</p> <h2> Conclusion </h2> <p>This is where the whole series comes together.</p> <ol> <li> <strong><a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-1-58pi">Part 1</a></strong>: Pipelines as real code — typed, testable, portable. No more YAML guesswork.</li> <li> <strong><a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-2-3e75">Part 2</a></strong>: Decoupled from infrastructure. Same pipeline on any runner, any cloud.</li> <li> <strong><a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-3-9ge">Part 3</a></strong>: A module library. Public daggerverse modules for generic operations, private modules for organizational compliance. Domain expertise encoded as deterministic, versioned functions.</li> <li> <strong>Part 4</strong>: AI agents at the edges. Daggie generates the toolchain setup from the module library. <code>dagger check</code> runs fast and deterministic — no LLM, no tokens. When checks fail, Monty and Angie post fix suggestions on the PR. Speck decomposes feature requests into phased, agent-executable task plans. And with <code>--self-improve</code>, every agent interaction leaves the project better documented.</li> </ol> <p>The key insight: <strong>CI checks need to be fast, reliable, and deterministic.</strong> AI belongs at the edges — generating the configuration, diagnosing failures, decomposing specs into tasks, and learning from every run. Never in the hot path.</p> <p>The example apps and Dagger module are at <a href="https://github.com/telchak/dagger-ci-demo" rel="noopener noreferrer">github.com/telchak/dagger-ci-demo</a>. The AcmeCorp private modules from Part 3 are at <a href="https://github.com/telchak/acme-dagger-modules" rel="noopener noreferrer">github.com/telchak/acme-dagger-modules</a>.</p> <p><strong>Useful links</strong>:</p> <ul> <li> <a href="https://github.com/dagger/dagger" rel="noopener noreferrer">github.com/dagger/dagger</a>: the main Dagger repository</li> <li> <a href="https://dagger.io/changelog/#dev" rel="noopener noreferrer">dagger.io/changelog</a>: follow what features are being actively developed (Cloud Engines, Cloud Checks, Modules V2, and more)</li> <li> <a href="https://daggerverse.dev/" rel="noopener noreferrer">daggerverse.dev</a>: the public module registry, where you can discover and reuse community modules</li> <li> <a href="https://github.com/telchak/daggerverse" rel="noopener noreferrer">github.com/telchak/daggerverse</a>: all the modules I've been personally creating throughout this series (Daggie, Monty, Angie, Goose, Speck, and the GCP infrastructure modules), and that I'll continue to support to bring my little piece to this open-source project</li> </ul> <h2> Key Takeaways </h2> <ol> <li> <strong>Deterministic checks, not LLM-routed ones</strong>: CI needs speed and reliability; keep AI out of the hot path</li> <li> <strong>Daggie configures toolchains</strong>: point it at your module library and your project, and it generates the right <code>dagger.json</code> and CI workflow</li> <li> <strong>Agents fix failures</strong>: Monty and Angie analyze errors and post code suggestions on PRs</li> <li> <strong>Agents learn</strong>: <code>--self-improve</code> lets agents update context files (agent-specific + shared <code>AGENTS.md</code>) with project discoveries, getting smarter across runs</li> <li> <strong>Spec-driven development</strong>: Speck decomposes high-level specs into structured task lists, dispatching work across specialized agents with model-appropriate assignments</li> <li> <strong>Modules are the foundation</strong>: public modules for generic operations, private modules for org compliance, both composable by humans and agents</li> <li> <strong>AI at the edges</strong>: configure the setup (before), fix the failures (after), learn from the work. Never in the hot path</li> </ol> <p><em>This concludes the 4-part series. Thanks for reading.</em></p> <p><strong>Full Series</strong>:</p> <ul> <li><a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-1-58pi">Part 1: The CI/CD Bottleneck Nobody Talks About</a></li> <li><a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-2-3e75">Part 2: Decoupling Pipelines from Infrastructure</a></li> <li><a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-3-9ge">Part 3: From Scripts to a Platform: Your CI/CD Module Library</a></li> <li><a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-4-4323">Part 4: The AI-Native CI/CD Stack: Agents, Modules, and Spec-Driven Development</a></li> </ul> <p><strong>Tags</strong>: <code>#cicd</code> <code>#dagger</code> <code>#ai-agents</code> <code>#platform-engineering</code> <code>#mcp</code> <code>#cloudrun</code> <code>#firebase</code> <code>#spec-driven-development</code></p> cicd ai devops python Sami Chibani Fri, 27 Mar 2026 00:20:27 +0000 https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-3-9ge https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-3-9ge <h1> Part 3: From Scripts to a Platform: Your CI/CD Module Library </h1> <blockquote> <p>Let's be clear: Dagger doesn't eliminate the complexity of modern CI/CD systems. It tames that complexity into a testable, maintainable, and reusable system suitable for modern Platform Engineering practices.</p> </blockquote> <p>In <a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-1-58pi">Part 1</a> we wrote pipelines as real code. In <a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-2-3e75">Part 2</a> we decoupled them from infrastructure. Our <code>dagger-ci-demo</code> module works. It builds, tests, and runs identically on a laptop and in CI. But it's a single module in a single repository. What happens when the organization grows?</p> <h2> The Growth Problem </h2> <p>Let's say you're at <strong>AcmeCorp</strong>. Your platform team adopted Dagger six months ago. The first project went well: a single <code>.dagger/</code> module with build, test, and deploy functions. Then things accelerated.</p> <p>New repositories appeared. The mobile team needs CI. The data team wants to containerize their pipelines. The infrastructure team is building internal tools. Each team creates their own <code>.dagger/</code> module, and within weeks, you see the pattern:</p> <ul> <li> <strong>Copy-paste proliferation.</strong> Every team has its own GCP authentication function. Some use service account keys. Some use OIDC. Some hardcode the project ID. None of them handle credential rotation.</li> <li> <strong>Security drift.</strong> The data team's deploy function doesn't validate image signatures. The mobile team allows unauthenticated Cloud Run services in production. Nobody enforces the naming convention.</li> <li> <strong>Maintenance burden.</strong> When GCP deprecates the old <code>gcloud auth activate-service-account</code> flow, someone has to find and update every copy. Nobody knows how many there are.</li> </ul> <p>This is the exact same problem that Terraform modules and Helm charts solved for infrastructure. The solution is the same too: <strong>a module library</strong>.</p> <p>The difference is that Dagger already has this built in.</p> <h2> The Daggerverse: Community Modules </h2> <p>Before building anything custom, check what already exists. Dagger is a community-driven project, and the community has published hundreds of modules for common use cases, all centralized in what's called <a href="https://daggerverse.dev" rel="noopener noreferrer"><strong>the Daggerverse</strong></a>.</p> <p>The Daggerverse is Dagger's public module registry. Any module published to a Git repository and indexed by Dagger Cloud becomes discoverable there. You can browse by category, search by keyword, and inspect the typed API of any module before installing it.</p> <p>For example, if AcmeCorp runs on Google Cloud, a quick search reveals modules that already handle the GCP fundamentals:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Module</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td><a href="https://daggerverse.dev/mod/github.com/telchak/daggerverse/gcp-auth" rel="noopener noreferrer"><code>gcp-auth</code></a></td> <td>GCP authentication via OIDC or service account key</td> </tr> <tr> <td><a href="https://daggerverse.dev/mod/github.com/telchak/daggerverse/gcp-artifact-registry" rel="noopener noreferrer"><code>gcp-artifact-registry</code></a></td> <td>Publish container images to Artifact Registry</td> </tr> <tr> <td><a href="https://daggerverse.dev/mod/github.com/telchak/daggerverse/gcp-cloud-run" rel="noopener noreferrer"><code>gcp-cloud-run</code></a></td> <td>Deploy services to Cloud Run</td> </tr> <tr> <td><a href="https://daggerverse.dev/mod/github.com/telchak/daggerverse/gcp-firebase" rel="noopener noreferrer"><code>gcp-firebase</code></a></td> <td>Deploy to Firebase Hosting</td> </tr> <tr> <td><a href="https://daggerverse.dev/mod/github.com/telchak/daggerverse/python-build" rel="noopener noreferrer"><code>python-build</code></a></td> <td>Build Python applications with pip/uv</td> </tr> <tr> <td><a href="https://daggerverse.dev/mod/github.com/telchak/daggerverse/angular" rel="noopener noreferrer"><code>angular</code></a></td> <td>Build and test Angular applications</td> </tr> <tr> <td><a href="https://daggerverse.dev/mod/github.com/sagikazarmark/daggerverse/trivy" rel="noopener noreferrer"><code>trivy</code></a></td> <td>Container vulnerability scanning with Trivy</td> </tr> </tbody> </table></div> <p>These are real, production-tested modules. Each one has a typed API, documentation auto-generated from the code, and a version you can pin.</p> <blockquote> <p><strong>Full disclosure:</strong> I'm the author of most of the GCP modules listed above (<code>gcp-auth</code>, <code>gcp-artifact-registry</code>, <code>gcp-cloud-run</code>, <code>gcp-firebase</code>, <code>python-build</code>, <code>angular</code>). I'm recommending them not because they're mine, but because I built them to solve real problems I kept running into over several years of running production workloads on Google Cloud. They encode patterns and guardrails that my team and I needed — OIDC authentication that actually works across CI providers, Artifact Registry publishing with proper tagging, Cloud Run deployments with sane defaults. If you're on GCP, I genuinely think they'll save you time. If they don't fit your needs, fork them or build your own — that's the beauty of the module system.</p> </blockquote> <p>You install them with a single command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dagger <span class="nb">install </span>github.com/telchak/daggerverse/gcp-auth@gcp-auth/v0.2.1 </code></pre> </div> <p>This adds the module as a dependency in your <code>dagger.json</code>. You can then call its functions from your pipeline code via <code>dag.gcp_auth()</code>, or directly from the CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test GCP authentication from your terminal using a service account key</span> dagger call <span class="nt">-m</span> github.com/telchak/daggerverse/gcp-auth@gcp-auth/v0.2.1 <span class="se">\</span> gcloud-container <span class="se">\</span> <span class="nt">--credentials</span><span class="o">=</span>file:./my-service-account-key.json <span class="se">\</span> <span class="nt">--project-id</span><span class="o">=</span>my-project <span class="se">\</span> with-exec <span class="nt">--args</span><span class="o">=</span><span class="s2">"gcloud"</span>,<span class="s2">"auth"</span>,<span class="s2">"list"</span> <span class="se">\</span> stdout </code></pre> </div> <p>The module system handles dependency resolution, version pinning, and cross-module type compatibility. You compose modules the same way you compose functions, by passing outputs as inputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Authenticate </span><span class="n">gcloud</span> <span class="o">=</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_auth</span><span class="p">().</span><span class="nf">from_service_account_key</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="n">sa_key</span><span class="p">,</span> <span class="n">project</span><span class="o">=</span><span class="n">project</span><span class="p">)</span> <span class="c1"># Publish (takes the authenticated container from gcp-auth) </span><span class="n">image_uri</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_artifact_registry</span><span class="p">().</span><span class="nf">publish</span><span class="p">(</span> <span class="n">container</span><span class="o">=</span><span class="n">my_app</span><span class="p">,</span> <span class="n">gcloud</span><span class="o">=</span><span class="n">gcloud</span><span class="p">,</span> <span class="n">project_id</span><span class="o">=</span><span class="n">project</span><span class="p">,</span> <span class="n">region</span><span class="o">=</span><span class="sh">"</span><span class="s">us-central1</span><span class="sh">"</span><span class="p">,</span> <span class="n">repository</span><span class="o">=</span><span class="sh">"</span><span class="s">my-repo</span><span class="sh">"</span><span class="p">,</span> <span class="n">image_name</span><span class="o">=</span><span class="sh">"</span><span class="s">api</span><span class="sh">"</span><span class="p">,</span> <span class="n">tag</span><span class="o">=</span><span class="sh">"</span><span class="s">v1.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Deploy (takes the image URI from artifact-registry) </span><span class="n">url</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_cloud_run</span><span class="p">().</span><span class="nf">service</span><span class="p">().</span><span class="nf">deploy</span><span class="p">(</span> <span class="n">gcloud</span><span class="o">=</span><span class="n">gcloud</span><span class="p">,</span> <span class="n">service_name</span><span class="o">=</span><span class="sh">"</span><span class="s">api</span><span class="sh">"</span><span class="p">,</span> <span class="n">image</span><span class="o">=</span><span class="n">image_uri</span><span class="p">,</span> <span class="n">region</span><span class="o">=</span><span class="sh">"</span><span class="s">us-central1</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>This is the first layer of the module system: <strong>public modules</strong> that handle generic, well-understood operations. They're open-source, community-maintained, and available to anyone.</p> <p>But for most organizations, public modules alone aren't enough.</p> <h2> Two-Layer Module Architecture </h2> <p>A typical production setup has two layers of modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────┐ ┌──────────────────────────┐ ┌──────────────────────┐ │ Daggerverse │────▶│ Private Modules Repo │────▶│ Your CI Pipelines │ │ (public modules) │ │ (org-specific layer) │ │ (.dagger/ per repo) │ └──────────────────────┘ └──────────────────────────┘ └──────────────────────┘ Generic operations Security, compliance, Project-specific (GCP auth, Docker, naming, defaults, build/test/deploy language builds) org business logic logic </code></pre> </div> <p><strong>Layer 1: Public modules</strong> handle generic operations: authenticate to GCP, push a container image, deploy to Cloud Run. They have no opinion about your organization's naming conventions, security policies, or environment structure.</p> <p><strong>Layer 2: Private modules</strong> wrap public modules with organization-specific logic. They encode your security requirements, enforce naming conventions, inject audit trails, and provide a curated interface that teams consume without needing to understand the underlying complexity.</p> <p>This separation matters because:</p> <ul> <li> <strong>Public modules evolve independently.</strong> When <code>gcp-auth</code> adds a new authentication method, you get it for free on the next version bump.</li> <li> <strong>Private modules enforce your rules.</strong> Every deploy goes through your security checks, regardless of which team triggered it.</li> <li> <strong>Teams consume the private layer only.</strong> They don't need to know which public modules are underneath, or how authentication works internally. They call <code>dag.acme_deploy()</code> and get a compliant deployment.</li> </ul> <p>Let's see what this looks like in practice for AcmeCorp. But first, a few principles that apply to both layers.</p> <h2> Module Development Best Practices </h2> <p>Whether you're building public daggerverse modules or private organizational ones, the same practices apply. Dagger modules are consumed across SDKs (Python, Go, TypeScript, Java) and from the CLI, so the way you write them directly impacts the experience for every consumer.</p> <h3> Documentation is your API </h3> <p>This is the single most important practice. Every docstring, every <code>Doc()</code> annotation, every class description you write is <strong>automatically used to generate documentation</strong> across all Dagger SDKs and the CLI. When someone runs <code>dagger call your-function --help</code>, they see your docstrings. When someone browses your module on the Daggerverse, they see your <code>Doc()</code> annotations. When someone uses your module from Go or TypeScript, their IDE shows your descriptions as inline documentation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@object_type</span> <span class="k">class</span> <span class="nc">GcpAuth</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Authenticate to Google Cloud Platform. ← Shows in module description Supports two authentication methods: - Service account key (local dev, testing) - OIDC / Workload Identity Federation (CI/CD) </span><span class="sh">"""</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">from_oidc</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">token</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span> <span class="c1"># ← Each parameter gets its own </span> <span class="n">dagger</span><span class="p">.</span><span class="n">Secret</span><span class="p">,</span> <span class="c1"># help text in CLI and IDE </span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">OIDC token from the CI provider </span><span class="sh">"</span> <span class="sh">"</span><span class="s">(e.g. GitHub Actions ID token)</span><span class="sh">"</span><span class="p">),</span> <span class="p">],</span> <span class="n">provider</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span> <span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Full Workload Identity Provider resource name </span><span class="sh">"</span> <span class="sh">"</span><span class="s">(projects/{id}/locations/global/workloadIdentityPools/{pool}/providers/{provider})</span><span class="sh">"</span><span class="p">),</span> <span class="p">],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Container</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Authenticate using OIDC / Workload Identity. ← Shows in `dagger call --help` Best for CI/CD pipelines — no long-lived credentials to rotate or leak. </span><span class="sh">"""</span> </code></pre> </div> <p>Write docstrings as if they're the only documentation someone will ever read, because for most consumers, they are.</p> <h3> Single responsibility per module </h3> <p>Each module should do one thing well. <code>gcp-auth</code> handles authentication. <code>gcp-cloud-run</code> handles Cloud Run deployments. Don't create a <code>gcp-everything</code> module that does auth, registry, Cloud Run, and Firebase. Smaller modules are easier to test, version, and compose.</p> <p>A good rule of thumb: if your module needs two unrelated sets of credentials, it's probably two modules.</p> <h3> Use <code>field()</code> for constructor dependencies </h3> <p>When a module needs an authenticated context or shared state, accept it as a constructor field rather than repeating it on every function:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@object_type</span> <span class="k">class</span> <span class="nc">ArtifactRegistry</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Manage container images in Google Artifact Registry.</span><span class="sh">"""</span> <span class="n">gcloud</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Container</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Authenticated gcloud container from gcp-auth</span><span class="sh">"</span><span class="p">),</span> <span class="p">]</span> <span class="o">=</span> <span class="nf">field</span><span class="p">()</span> </code></pre> </div> <p>This makes composition natural. You wire up authentication once and pass it in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">gcloud</span> <span class="o">=</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_auth</span><span class="p">().</span><span class="nf">from_service_account_key</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="n">key</span><span class="p">,</span> <span class="n">project</span><span class="o">=</span><span class="n">project</span><span class="p">)</span> <span class="n">registry</span> <span class="o">=</span> <span class="n">dag</span><span class="p">.</span><span class="nf">artifact_registry</span><span class="p">(</span><span class="n">gcloud</span><span class="o">=</span><span class="n">gcloud</span><span class="p">)</span> <span class="c1"># Authenticated for all calls </span></code></pre> </div> <h3> Return Dagger types, not strings </h3> <p>When possible, return <code>Container</code>, <code>Directory</code>, or <code>File</code> rather than strings. This enables chaining: the output of your module becomes the input of the next one. Return <code>str</code> only for terminal values (URLs, status messages) or when the consumer explicitly needs text output.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Good: returns Container — composable with other modules </span><span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">build</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="p">...)</span> <span class="o">-&gt;</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Container</span><span class="p">:</span> <span class="bp">...</span> <span class="c1"># Good: returns str — terminal value (a URL) </span><span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">deploy</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">image</span><span class="p">:</span> <span class="p">...)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="bp">...</span> </code></pre> </div> <h3> Use <code>dagger.Secret</code> for sensitive data </h3> <p>Never accept credentials, tokens, or keys as plain <code>str</code> parameters. Dagger's <code>Secret</code> type ensures sensitive data is never logged, cached, or written to disk. The CLI handles secret injection transparently:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># From environment variable</span> dagger call deploy <span class="nt">--token</span><span class="o">=</span><span class="nb">env</span>:MY_TOKEN <span class="c"># From file</span> dagger call deploy <span class="nt">--key</span><span class="o">=</span>file:./service-account.json </code></pre> </div> <h3> Private functions stay private </h3> <p>Not every function in your module needs to be part of the public API. Dagger follows each SDK's language conventions for visibility. In Python, any method prefixed with an underscore (<code>_</code>) is treated as private and <strong>won't be exported</strong> by Dagger. It won't show up in <code>dagger call --help</code>, won't be callable from the CLI, and won't appear in the Daggerverse documentation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@object_type</span> <span class="k">class</span> <span class="nc">AcmeDeploy</span><span class="p">:</span> <span class="k">def</span> <span class="nf">_validate_and_resolve</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">team</span><span class="p">,</span> <span class="n">service_name</span><span class="p">,</span> <span class="n">environment</span><span class="p">,</span> <span class="n">region</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Internal helper — not exported by Dagger.</span><span class="sh">"""</span> <span class="bp">...</span> <span class="k">def</span> <span class="nf">_authenticate</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">oidc_token</span><span class="p">,</span> <span class="n">project</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Internal helper — not exported by Dagger.</span><span class="sh">"""</span> <span class="bp">...</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">cloud_run</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="p">...)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Public function — exported and callable.</span><span class="sh">"""</span> <span class="n">ctx</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_validate_and_resolve</span><span class="p">(...)</span> <span class="n">gcloud</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_authenticate</span><span class="p">(...)</span> <span class="bp">...</span> </code></pre> </div> <p>Use this to keep your public API clean while organizing internal logic into reusable helpers. In Go, unexported (lowercase) functions serve the same role. In TypeScript, omit the <code>@func()</code> decorator.</p> <h3> Pin your dependencies </h3> <p>Always pin module dependencies to a specific version tag, not <code>@main</code> or <code>@latest</code>. This ensures reproducible builds and prevents upstream changes from breaking your pipelines unexpectedly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gcp-auth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/daggerverse/gcp-auth@gcp-auth/v0.2.1"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Building the Private Module Layer </h2> <p>AcmeCorp's platform team creates a private repository, <code>github.com/telchak/acme-dagger-modules</code>, that contains organization-specific modules. These modules wrap the public daggerverse modules and add AcmeCorp's business logic.</p> <h3> Repository Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>telchak/acme-dagger-modules/ ├── acme-backend/ # Python/FastAPI build, test, lint, SBOM │ ├── dagger.json │ ├── pyproject.toml │ └── src/acme_backend/ │ └── main.py ├── acme-frontend/ # Angular build, test, lint, audit │ ├── dagger.json │ ├── pyproject.toml │ └── src/acme_frontend/ │ └── main.py ├── acme-deploy/ # Compliant deployment (Cloud Run + Firebase) │ ├── dagger.json # + Trivy scanning, production branch gating │ ├── pyproject.toml │ └── src/acme_deploy/ │ └── main.py └── tests/ # Integration tests for all modules ├── dagger.json ├── pyproject.toml └── src/tests/ └── main.py </code></pre> </div> <p>Each module is a self-contained Dagger module with its own <code>dagger.json</code>, dependencies, and source code. They're versioned together via Git tags (e.g. <code>acme-deploy/v1.2.0</code>) or as a monorepo with a single version.</p> <p>Let's walk through the three core modules that cover AcmeCorp's full-stack pipeline: build, test, and deploy.</p> <h3> <code>acme-backend</code>: Python Build &amp; Test </h3> <p>This module wraps the public <code>python-build</code> module with AcmeCorp's standards: base image policy, cache volume conventions, health check endpoint, and standard entrypoint configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="sh">"""</span><span class="s">AcmeCorp Python backend builder — standardized, cached, production-ready.</span><span class="sh">"""</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Annotated</span> <span class="kn">import</span> <span class="n">dagger</span> <span class="kn">from</span> <span class="n">dagger</span> <span class="kn">import</span> <span class="n">DefaultPath</span><span class="p">,</span> <span class="n">Doc</span><span class="p">,</span> <span class="n">check</span><span class="p">,</span> <span class="n">dag</span><span class="p">,</span> <span class="n">function</span><span class="p">,</span> <span class="n">object_type</span> <span class="c1"># Approved base images — only these are allowed in production containers. </span><span class="n">APPROVED_BASE_IMAGE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">python:3.13-slim</span><span class="sh">"</span> <span class="c1"># Minimum test coverage threshold enforced across all backend services. </span><span class="n">MIN_COVERAGE_PERCENT</span> <span class="o">=</span> <span class="mi">80</span> <span class="nd">@object_type</span> <span class="k">class</span> <span class="nc">AcmeBackend</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Build and test Python backends the AcmeCorp way. Enforces: - Organization-approved base images (python:3.13-slim) - Standardized cache volumes for pip - Health check endpoint convention (/health) - Cloud Run-compatible entrypoint and port - Minimum 80% test coverage - CycloneDX SBOM generation for vulnerability tracking </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">_base_container</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Container</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Standard Python container with source and cached deps.</span><span class="sh">"""</span> <span class="nf">return </span><span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">()</span> <span class="p">.</span><span class="nf">from_</span><span class="p">(</span><span class="n">APPROVED_BASE_IMAGE</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_workdir</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_mounted_cache</span><span class="p">(</span><span class="sh">"</span><span class="s">/root/.cache/pip</span><span class="sh">"</span><span class="p">,</span> <span class="n">dag</span><span class="p">.</span><span class="nf">cache_volume</span><span class="p">(</span><span class="sh">"</span><span class="s">acme-pip</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-r</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">])</span> <span class="p">)</span> <span class="nd">@function</span> <span class="k">def</span> <span class="nf">build</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Python backend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="n">port</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">int</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Application port</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="mi">8080</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Container</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Build a production-ready FastAPI container. Uses the organization-approved base image and standardized entrypoint. Returns a Container that can be passed directly to acme-deploy. </span><span class="sh">"""</span> <span class="nf">return </span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="nf">_base_container</span><span class="p">(</span><span class="n">source</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_env_variable</span><span class="p">(</span><span class="sh">"</span><span class="s">PORT</span><span class="sh">"</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">port</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_exposed_port</span><span class="p">(</span><span class="n">port</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_label</span><span class="p">(</span><span class="sh">"</span><span class="s">org.opencontainers.image.vendor</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">AcmeCorp</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_entrypoint</span><span class="p">([</span> <span class="sh">"</span><span class="s">uvicorn</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">src.main:app</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--host</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--port</span><span class="sh">"</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">port</span><span class="p">),</span> <span class="p">])</span> <span class="p">)</span> <span class="nd">@function</span> <span class="nd">@check</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Python backend source directory</span><span class="sh">"</span><span class="p">),</span> <span class="nc">DefaultPath</span><span class="p">(</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">),</span> <span class="p">],</span> <span class="n">coverage</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">bool</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Enforce minimum coverage threshold</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Run the test suite with AcmeCorp conventions. Uses pytest with verbose output, short tracebacks, and coverage reporting. Fails if coverage drops below the org-wide threshold. </span><span class="sh">"""</span> <span class="n">pytest_args</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">pytest</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-v</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--tb=short</span><span class="sh">"</span><span class="p">]</span> <span class="k">if</span> <span class="n">coverage</span><span class="p">:</span> <span class="n">pytest_args</span><span class="p">.</span><span class="nf">extend</span><span class="p">([</span> <span class="sh">"</span><span class="s">--cov=src</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--cov-report=term-missing</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">--cov-fail-under=</span><span class="si">{</span><span class="n">MIN_COVERAGE_PERCENT</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="p">])</span> <span class="n">pytest_args</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">"</span><span class="s">tests/</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">await </span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="nf">_base_container</span><span class="p">(</span><span class="n">source</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">(</span><span class="n">pytest_args</span><span class="p">)</span> <span class="p">.</span><span class="nf">stdout</span><span class="p">()</span> <span class="p">)</span> <span class="nd">@function</span> <span class="nd">@check</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lint</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Python backend source directory</span><span class="sh">"</span><span class="p">),</span> <span class="nc">DefaultPath</span><span class="p">(</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">),</span> <span class="p">],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Run linting (ruff) on the source code.</span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">await </span><span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">()</span> <span class="p">.</span><span class="nf">from_</span><span class="p">(</span><span class="n">APPROVED_BASE_IMAGE</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_workdir</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ruff</span><span class="sh">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">ruff</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">check</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">src/</span><span class="sh">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">stdout</span><span class="p">()</span> <span class="p">)</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">sbom</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Python backend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">dagger</span><span class="p">.</span><span class="n">File</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Generate a CycloneDX SBOM for vulnerability tracking. Produces a Software Bill of Materials in CycloneDX JSON format, suitable for upload to Dependency-Track or similar platforms. </span><span class="sh">"""</span> <span class="nf">return </span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="nf">_base_container</span><span class="p">(</span><span class="n">source</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">cyclonedx-bom</span><span class="sh">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span> <span class="sh">"</span><span class="s">cyclonedx-py</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">requirements</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--input</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--output</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/app/sbom.json</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--format</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">json</span><span class="sh">"</span><span class="p">,</span> <span class="p">])</span> <span class="p">.</span><span class="nf">file</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/sbom.json</span><span class="sh">"</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p>Its <code>dagger.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-backend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"engineVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v0.20.3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sdk"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"python"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"python-build"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/daggerverse/python-build@python-build/v0.2.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> <code>acme-frontend</code>: Angular Build &amp; Test </h3> <p>Same pattern for the frontend: wraps the public <code>angular</code> module with AcmeCorp's Node version policy, cache conventions, and build configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="sh">"""</span><span class="s">AcmeCorp Angular frontend builder — standardized builds and testing.</span><span class="sh">"""</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Annotated</span> <span class="kn">import</span> <span class="n">dagger</span> <span class="kn">from</span> <span class="n">dagger</span> <span class="kn">import</span> <span class="n">DefaultPath</span><span class="p">,</span> <span class="n">Doc</span><span class="p">,</span> <span class="n">check</span><span class="p">,</span> <span class="n">dag</span><span class="p">,</span> <span class="n">function</span><span class="p">,</span> <span class="n">object_type</span> <span class="c1"># Approved Node.js version — pinned to LTS for security compliance. </span><span class="n">APPROVED_NODE_VERSION</span> <span class="o">=</span> <span class="sh">"</span><span class="s">20</span><span class="sh">"</span> <span class="nd">@object_type</span> <span class="k">class</span> <span class="nc">AcmeFrontend</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Build and test Angular frontends the AcmeCorp way. Enforces: - Organization-approved Node.js version (20 LTS) - Standardized npm cache volumes - Production build configuration with source map exclusion - Vitest-based testing via Angular</span><span class="sh">'</span><span class="s">s built-in test runner - Audit check for known vulnerabilities in dependencies </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">_base_container</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Container</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Standard Node container with source and cached deps.</span><span class="sh">"""</span> <span class="nf">return </span><span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">()</span> <span class="p">.</span><span class="nf">from_</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">node:</span><span class="si">{</span><span class="n">APPROVED_NODE_VERSION</span><span class="si">}</span><span class="s">-slim</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_workdir</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_mounted_cache</span><span class="p">(</span><span class="sh">"</span><span class="s">/root/.npm</span><span class="sh">"</span><span class="p">,</span> <span class="n">dag</span><span class="p">.</span><span class="nf">cache_volume</span><span class="p">(</span><span class="sh">"</span><span class="s">acme-npm</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">npm</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ci</span><span class="sh">"</span><span class="p">])</span> <span class="p">)</span> <span class="nd">@function</span> <span class="k">def</span> <span class="nf">build</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Angular project source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Build the Angular app for production. Returns a Directory containing the dist/ output, ready to be passed to acme-deploy for Firebase Hosting. </span><span class="sh">"""</span> <span class="nf">return </span><span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">angular</span><span class="p">()</span> <span class="p">.</span><span class="nf">build</span><span class="p">(</span> <span class="n">source</span><span class="o">=</span><span class="n">source</span><span class="p">,</span> <span class="n">configuration</span><span class="o">=</span><span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">,</span> <span class="n">node_version</span><span class="o">=</span><span class="n">APPROVED_NODE_VERSION</span><span class="p">,</span> <span class="n">npm_cache</span><span class="o">=</span><span class="n">dag</span><span class="p">.</span><span class="nf">cache_volume</span><span class="p">(</span><span class="sh">"</span><span class="s">acme-npm</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> <span class="p">)</span> <span class="nd">@function</span> <span class="nd">@check</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Angular project source directory</span><span class="sh">"</span><span class="p">),</span> <span class="nc">DefaultPath</span><span class="p">(</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">),</span> <span class="p">],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Run the Angular test suite.</span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">await </span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="nf">_base_container</span><span class="p">(</span><span class="n">source</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">npx</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ng</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">test</span><span class="sh">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">stdout</span><span class="p">()</span> <span class="p">)</span> <span class="nd">@function</span> <span class="nd">@check</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lint</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Angular project source directory</span><span class="sh">"</span><span class="p">),</span> <span class="nc">DefaultPath</span><span class="p">(</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">),</span> <span class="p">],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Run Angular linting.</span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">await </span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="nf">_base_container</span><span class="p">(</span><span class="n">source</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">npx</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ng</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">lint</span><span class="sh">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">stdout</span><span class="p">()</span> <span class="p">)</span> <span class="nd">@function</span> <span class="nd">@check</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">audit</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Angular project source directory</span><span class="sh">"</span><span class="p">),</span> <span class="nc">DefaultPath</span><span class="p">(</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">),</span> <span class="p">],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Check npm dependencies for known vulnerabilities. Runs npm audit at the </span><span class="sh">'</span><span class="s">moderate</span><span class="sh">'</span><span class="s"> severity level. Fails if any vulnerabilities at moderate or higher are found. </span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">await </span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="nf">_base_container</span><span class="p">(</span><span class="n">source</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">npm</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">audit</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--audit-level=moderate</span><span class="sh">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">stdout</span><span class="p">()</span> <span class="p">)</span> </code></pre> </div> <p>Its <code>dagger.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-frontend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"engineVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v0.20.3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sdk"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"python"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"angular"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/daggerverse/angular@angular/v0.2.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> <code>acme-deploy</code>: Compliant Deployment </h3> <blockquote> <p><strong>Required Google APIs</strong> — The deployment module needs these APIs enabled on each target GCP project (staging and production):</p> <pre class="highlight shell"><code>gcloud services <span class="nb">enable</span> <span class="se">\</span> run.googleapis.com <span class="se">\</span> artifactregistry.googleapis.com <span class="se">\</span> firebasehosting.googleapis.com <span class="se">\</span> iam.googleapis.com </code></pre> <p>These cover Cloud Run deployment, container image storage in Artifact Registry, Firebase Hosting for the frontend, and IAM for service account authentication.</p> </blockquote> <p>This module handles the full deployment lifecycle: vulnerability scanning, authentication, registry, Cloud Run for backends, and Firebase Hosting for frontends. It wraps four public daggerverse modules plus Trivy with organization-specific defaults, security checks, and production safeguards:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="sh">"""</span><span class="s">AcmeCorp deployment module — compliant, opinionated, simple.</span><span class="sh">"""</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Annotated</span> <span class="kn">import</span> <span class="n">dagger</span> <span class="kn">from</span> <span class="n">dagger</span> <span class="kn">import</span> <span class="n">DefaultPath</span><span class="p">,</span> <span class="n">Doc</span><span class="p">,</span> <span class="n">check</span><span class="p">,</span> <span class="n">dag</span><span class="p">,</span> <span class="n">function</span><span class="p">,</span> <span class="n">object_type</span> <span class="n">ALLOWED_REGIONS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">europe-west1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">us-central1</span><span class="sh">"</span><span class="p">]</span> <span class="n">ALLOWED_ENVIRONMENTS</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">staging</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Pin Trivy to a known safe version. # Versions 0.69.4–0.69.6 were compromised in a supply chain attack (CVE-2026-33634). </span><span class="n">TRIVY_VERSION</span> <span class="o">=</span> <span class="sh">"</span><span class="s">0.69.3</span><span class="sh">"</span> <span class="c1"># Resource defaults enforced across all Cloud Run services. </span><span class="n">CLOUD_RUN_DEFAULTS</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">min_instances</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">staging</span><span class="sh">"</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">},</span> <span class="sh">"</span><span class="s">max_instances</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">staging</span><span class="sh">"</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">:</span> <span class="mi">50</span><span class="p">},</span> <span class="sh">"</span><span class="s">cpu</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">memory</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">512Mi</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">concurrency</span><span class="sh">"</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="sh">"</span><span class="s">timeout</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">300s</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="nd">@object_type</span> <span class="k">class</span> <span class="nc">AcmeDeploy</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Deploy services the AcmeCorp way. Wraps public daggerverse modules with org-specific defaults: - Enforces naming conventions (acme-{team}-{service}-{env}) - Supports OIDC authentication (CI) and local ADC (developer laptops) - Deploys to the org</span><span class="sh">'</span><span class="s">s standard regions - Injects required labels and metadata for cost tracking and audit - Production services always authenticated (no public endpoints) - Git metadata (branch, commit SHA) attached to every deployment </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">_validate_and_resolve</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">team</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">service_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">environment</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">region</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Shared validation and naming logic. Returns the full service name.</span><span class="sh">"""</span> <span class="k">if</span> <span class="n">region</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">ALLOWED_REGIONS</span><span class="p">:</span> <span class="n">msg</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Region </span><span class="si">{</span><span class="n">region</span><span class="si">}</span><span class="s"> not allowed. Must be one of: </span><span class="si">{</span><span class="n">ALLOWED_REGIONS</span><span class="si">}</span><span class="sh">"</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> <span class="k">if</span> <span class="n">environment</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">ALLOWED_ENVIRONMENTS</span><span class="p">:</span> <span class="n">msg</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Environment </span><span class="si">{</span><span class="n">environment</span><span class="si">}</span><span class="s"> not allowed. Must be one of: </span><span class="si">{</span><span class="n">ALLOWED_ENVIRONMENTS</span><span class="si">}</span><span class="sh">"</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">acme-</span><span class="si">{</span><span class="n">team</span><span class="si">}</span><span class="s">-</span><span class="si">{</span><span class="n">service_name</span><span class="si">}</span><span class="s">-</span><span class="si">{</span><span class="n">environment</span><span class="si">}</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">_validate_production_branch</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">environment</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">git_branch</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Refuse production deployments from non-main branches.</span><span class="sh">"""</span> <span class="k">if</span> <span class="n">environment</span> <span class="o">==</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span> <span class="ow">and</span> <span class="n">git_branch</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">main</span><span class="sh">"</span><span class="p">:</span> <span class="n">msg</span> <span class="o">=</span> <span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Production deployment forbidden from branch </span><span class="sh">'</span><span class="si">{</span><span class="n">git_branch</span><span class="si">}</span><span class="sh">'</span><span class="s">. </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Only the </span><span class="sh">'</span><span class="s">main</span><span class="sh">'</span><span class="s"> branch can deploy to production.</span><span class="sh">"</span> <span class="p">)</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_authenticate</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">project_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">oidc_request_token</span><span class="p">:</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Secret</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">oidc_request_url</span><span class="p">:</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Secret</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">gcloud_config</span><span class="p">:</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Container</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Authenticate to GCP — CI (OIDC) or local (ADC from host). In CI: pass oidc_request_token and oidc_request_url (from GitHub Actions). Locally: pass gcloud_config (your ~/.config/gcloud directory). </span><span class="sh">"""</span> <span class="k">if</span> <span class="n">gcloud_config</span><span class="p">:</span> <span class="k">return</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_auth</span><span class="p">().</span><span class="nf">gcloud_container_from_host</span><span class="p">(</span> <span class="n">project_id</span><span class="o">=</span><span class="n">project_id</span><span class="p">,</span> <span class="n">gcloud_config</span><span class="o">=</span><span class="n">gcloud_config</span><span class="p">,</span> <span class="p">)</span> <span class="k">if</span> <span class="n">oidc_request_token</span> <span class="ow">and</span> <span class="n">oidc_request_url</span><span class="p">:</span> <span class="k">return</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_auth</span><span class="p">().</span><span class="nf">gcloud_container_from_github_actions</span><span class="p">(</span> <span class="n">workload_identity_provider</span><span class="o">=</span><span class="sh">"</span><span class="s">projects/123456/locations/global/workloadIdentityPools/github/providers/github-actions</span><span class="sh">"</span><span class="p">,</span> <span class="n">project_id</span><span class="o">=</span><span class="n">project_id</span><span class="p">,</span> <span class="n">oidc_request_token</span><span class="o">=</span><span class="n">oidc_request_token</span><span class="p">,</span> <span class="n">oidc_request_url</span><span class="o">=</span><span class="n">oidc_request_url</span><span class="p">,</span> <span class="n">service_account_email</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">ci-deployer@</span><span class="si">{</span><span class="n">project_id</span><span class="si">}</span><span class="s">.iam.gserviceaccount.com</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">msg</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Provide either gcloud-config (local) or oidc-request-token + oidc-request-url (CI)</span><span class="sh">"</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> <span class="nd">@function</span> <span class="nd">@check</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">scan</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Backend source directory</span><span class="sh">"</span><span class="p">),</span> <span class="nc">DefaultPath</span><span class="p">(</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">),</span> <span class="p">],</span> <span class="n">port</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">int</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Application port</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="mi">8080</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Scan the built container for HIGH and CRITICAL CVEs. Builds the container from source using acme-backend, then runs Trivy against it. Fails if any vulnerabilities at HIGH severity or above are found. Pinned to a safe Trivy version. </span><span class="sh">"""</span> <span class="n">container</span> <span class="o">=</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_backend</span><span class="p">().</span><span class="nf">build</span><span class="p">(</span><span class="n">source</span><span class="o">=</span><span class="n">source</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="n">port</span><span class="p">)</span> <span class="k">return</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">trivy</span><span class="p">(</span><span class="n">version</span><span class="o">=</span><span class="n">TRIVY_VERSION</span><span class="p">).</span><span class="nf">container</span><span class="p">(</span><span class="n">container</span><span class="p">).</span><span class="nf">output</span><span class="p">(</span><span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s">table</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_build_labels</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">team</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">environment</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">git_branch</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">""</span><span class="p">,</span> <span class="n">git_sha</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">""</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Standard labels for cost tracking, audit, and ownership.</span><span class="sh">"""</span> <span class="n">labels</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">team</span><span class="sh">"</span><span class="p">:</span> <span class="n">team</span><span class="p">,</span> <span class="sh">"</span><span class="s">environment</span><span class="sh">"</span><span class="p">:</span> <span class="n">environment</span><span class="p">,</span> <span class="sh">"</span><span class="s">managed-by</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">dagger</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="k">if</span> <span class="n">git_branch</span><span class="p">:</span> <span class="n">labels</span><span class="p">[</span><span class="sh">"</span><span class="s">git-branch</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">git_branch</span> <span class="k">if</span> <span class="n">git_sha</span><span class="p">:</span> <span class="n">labels</span><span class="p">[</span><span class="sh">"</span><span class="s">git-sha</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">git_sha</span><span class="p">[:</span><span class="mi">8</span><span class="p">]</span> <span class="k">return</span> <span class="n">labels</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">cloud_run</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Backend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="n">service_name</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Service name (without prefix)</span><span class="sh">"</span><span class="p">)],</span> <span class="n">team</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Team name for naming and labels</span><span class="sh">"</span><span class="p">)],</span> <span class="n">project_id</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">GCP project ID to deploy to</span><span class="sh">"</span><span class="p">)],</span> <span class="n">oidc_request_token</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Secret</span> <span class="o">|</span> <span class="bp">None</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">ACTIONS_ID_TOKEN_REQUEST_TOKEN (CI)</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">oidc_request_url</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Secret</span> <span class="o">|</span> <span class="bp">None</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">ACTIONS_ID_TOKEN_REQUEST_URL (CI)</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">gcloud_config</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span> <span class="o">|</span> <span class="bp">None</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Host gcloud config dir for local auth (~/.config/gcloud)</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">environment</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Target environment</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">staging</span><span class="sh">"</span><span class="p">,</span> <span class="n">region</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">GCP region</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">europe-west1</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">int</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Application port</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="mi">8080</span><span class="p">,</span> <span class="n">repository</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Artifact Registry repository name (defaults to acme-{team})</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="sh">""</span><span class="p">,</span> <span class="n">git_branch</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Git branch (for audit labels)</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="sh">""</span><span class="p">,</span> <span class="n">git_sha</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Git commit SHA (for audit labels)</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="sh">""</span><span class="p">,</span> <span class="c1"># NOTE: This flag is exposed here for demo/testing purposes only. </span> <span class="c1"># In a real production setup, IAM invoker checks should remain enabled </span> <span class="c1"># and access should be controlled via proper IAM bindings or a load balancer. </span> <span class="n">disable_invoker_iam_check</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">bool</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Disable Cloud Run IAM invoker check (for demo/testing only)</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="bp">False</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Build and deploy a backend service to Cloud Run with AcmeCorp compliance. Builds the container from source using acme-backend, scans for vulnerabilities, pushes to Artifact Registry, and deploys to Cloud Run — all in a single call. Enforces naming conventions, region whitelist, production branch gate, and access controls. Authentication: pass gcloud-config for local development, or oidc-request-token + oidc-request-url for CI (GitHub Actions). Production services are never publicly accessible — they require IAM authentication. Staging services allow unauthenticated access for testing convenience. </span><span class="sh">"""</span> <span class="n">self</span><span class="p">.</span><span class="nf">_validate_production_branch</span><span class="p">(</span><span class="n">environment</span><span class="p">,</span> <span class="n">git_branch</span><span class="p">)</span> <span class="n">full_name</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_validate_and_resolve</span><span class="p">(</span><span class="n">team</span><span class="p">,</span> <span class="n">service_name</span><span class="p">,</span> <span class="n">environment</span><span class="p">,</span> <span class="n">region</span><span class="p">)</span> <span class="n">gcloud</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_authenticate</span><span class="p">(</span> <span class="n">project_id</span><span class="o">=</span><span class="n">project_id</span><span class="p">,</span> <span class="n">oidc_request_token</span><span class="o">=</span><span class="n">oidc_request_token</span><span class="p">,</span> <span class="n">oidc_request_url</span><span class="o">=</span><span class="n">oidc_request_url</span><span class="p">,</span> <span class="n">gcloud_config</span><span class="o">=</span><span class="n">gcloud_config</span><span class="p">,</span> <span class="p">)</span> <span class="n">labels</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_build_labels</span><span class="p">(</span><span class="n">team</span><span class="p">,</span> <span class="n">environment</span><span class="p">,</span> <span class="n">git_branch</span><span class="p">,</span> <span class="n">git_sha</span><span class="p">)</span> <span class="c1"># Build the container from source </span> <span class="n">container</span> <span class="o">=</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_backend</span><span class="p">().</span><span class="nf">build</span><span class="p">(</span><span class="n">source</span><span class="o">=</span><span class="n">source</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="n">port</span><span class="p">)</span> <span class="c1"># Scan for vulnerabilities before shipping </span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">trivy</span><span class="p">(</span><span class="n">version</span><span class="o">=</span><span class="n">TRIVY_VERSION</span><span class="p">).</span><span class="nf">container</span><span class="p">(</span><span class="n">container</span><span class="p">).</span><span class="nf">output</span><span class="p">(</span><span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s">table</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Publish to Artifact Registry </span> <span class="n">image_uri</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_artifact_registry</span><span class="p">().</span><span class="nf">publish</span><span class="p">(</span> <span class="n">container</span><span class="o">=</span><span class="n">container</span><span class="p">,</span> <span class="n">gcloud</span><span class="o">=</span><span class="n">gcloud</span><span class="p">,</span> <span class="n">project_id</span><span class="o">=</span><span class="n">project_id</span><span class="p">,</span> <span class="n">region</span><span class="o">=</span><span class="n">region</span><span class="p">,</span> <span class="n">repository</span><span class="o">=</span><span class="n">repository</span> <span class="ow">or</span> <span class="sa">f</span><span class="sh">"</span><span class="s">acme-</span><span class="si">{</span><span class="n">team</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">image_name</span><span class="o">=</span><span class="n">service_name</span><span class="p">,</span> <span class="n">tag</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">environment</span><span class="si">}</span><span class="s">-latest</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Deploy to Cloud Run with org-standard configuration </span> <span class="n">url</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_cloud_run</span><span class="p">().</span><span class="nf">service</span><span class="p">().</span><span class="nf">deploy</span><span class="p">(</span> <span class="n">gcloud</span><span class="o">=</span><span class="n">gcloud</span><span class="p">,</span> <span class="n">service_name</span><span class="o">=</span><span class="n">full_name</span><span class="p">,</span> <span class="n">image</span><span class="o">=</span><span class="n">image_uri</span><span class="p">,</span> <span class="n">region</span><span class="o">=</span><span class="n">region</span><span class="p">,</span> <span class="n">allow_unauthenticated</span><span class="o">=</span><span class="p">(</span><span class="n">environment</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">),</span> <span class="n">min_instances</span><span class="o">=</span><span class="n">CLOUD_RUN_DEFAULTS</span><span class="p">[</span><span class="sh">"</span><span class="s">min_instances</span><span class="sh">"</span><span class="p">][</span><span class="n">environment</span><span class="p">],</span> <span class="n">max_instances</span><span class="o">=</span><span class="n">CLOUD_RUN_DEFAULTS</span><span class="p">[</span><span class="sh">"</span><span class="s">max_instances</span><span class="sh">"</span><span class="p">][</span><span class="n">environment</span><span class="p">],</span> <span class="n">cpu</span><span class="o">=</span><span class="n">CLOUD_RUN_DEFAULTS</span><span class="p">[</span><span class="sh">"</span><span class="s">cpu</span><span class="sh">"</span><span class="p">],</span> <span class="n">memory</span><span class="o">=</span><span class="n">CLOUD_RUN_DEFAULTS</span><span class="p">[</span><span class="sh">"</span><span class="s">memory</span><span class="sh">"</span><span class="p">],</span> <span class="n">concurrency</span><span class="o">=</span><span class="n">CLOUD_RUN_DEFAULTS</span><span class="p">[</span><span class="sh">"</span><span class="s">concurrency</span><span class="sh">"</span><span class="p">],</span> <span class="n">timeout</span><span class="o">=</span><span class="n">CLOUD_RUN_DEFAULTS</span><span class="p">[</span><span class="sh">"</span><span class="s">timeout</span><span class="sh">"</span><span class="p">],</span> <span class="n">disable_invoker_iam_check</span><span class="o">=</span><span class="n">disable_invoker_iam_check</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="n">url</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">firebase</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Frontend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="n">service_name</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Service name for the hosting site</span><span class="sh">"</span><span class="p">)],</span> <span class="n">team</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Team name</span><span class="sh">"</span><span class="p">)],</span> <span class="n">project_id</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">GCP project ID to deploy to</span><span class="sh">"</span><span class="p">)],</span> <span class="n">oidc_request_token</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Secret</span> <span class="o">|</span> <span class="bp">None</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">ACTIONS_ID_TOKEN_REQUEST_TOKEN (CI)</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">oidc_request_url</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Secret</span> <span class="o">|</span> <span class="bp">None</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">ACTIONS_ID_TOKEN_REQUEST_URL (CI)</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">gcloud_config</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span> <span class="o">|</span> <span class="bp">None</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Host gcloud config dir for local auth (~/.config/gcloud)</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">environment</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Target environment</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">staging</span><span class="sh">"</span><span class="p">,</span> <span class="n">git_branch</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Git branch (for audit trail)</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="sh">""</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Build and deploy a frontend to Firebase Hosting with AcmeCorp compliance. Builds the frontend from source using acme-frontend, then deploys to production channel (</span><span class="sh">'</span><span class="s">live</span><span class="sh">'</span><span class="s">) or a preview channel matching the environment name. Production deploys are gated to the main branch only. Authentication: pass gcloud-config for local development, or oidc-request-token + oidc-request-url for CI (GitHub Actions). </span><span class="sh">"""</span> <span class="n">self</span><span class="p">.</span><span class="nf">_validate_production_branch</span><span class="p">(</span><span class="n">environment</span><span class="p">,</span> <span class="n">git_branch</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">_validate_and_resolve</span><span class="p">(</span><span class="n">team</span><span class="p">,</span> <span class="n">service_name</span><span class="p">,</span> <span class="n">environment</span><span class="p">,</span> <span class="n">region</span><span class="o">=</span><span class="sh">"</span><span class="s">europe-west1</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Authenticate to Firebase: use ADC credentials (local) or OIDC (CI). </span> <span class="c1"># gcp-firebase has its own auth — it doesn't use gcloud containers. </span> <span class="n">firebase_auth</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">if</span> <span class="n">gcloud_config</span><span class="p">:</span> <span class="n">credentials</span> <span class="o">=</span> <span class="n">dag</span><span class="p">.</span><span class="nf">set_secret</span><span class="p">(</span> <span class="sh">"</span><span class="s">firebase_credentials</span><span class="sh">"</span><span class="p">,</span> <span class="k">await</span> <span class="n">gcloud_config</span><span class="p">.</span><span class="nf">file</span><span class="p">(</span><span class="sh">"</span><span class="s">application_default_credentials.json</span><span class="sh">"</span><span class="p">).</span><span class="nf">contents</span><span class="p">(),</span> <span class="p">)</span> <span class="n">firebase_auth</span><span class="p">[</span><span class="sh">"</span><span class="s">credentials</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">credentials</span> <span class="k">elif</span> <span class="n">oidc_request_token</span> <span class="ow">and</span> <span class="n">oidc_request_url</span><span class="p">:</span> <span class="n">gcloud</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_authenticate</span><span class="p">(</span> <span class="n">project_id</span><span class="o">=</span><span class="n">project_id</span><span class="p">,</span> <span class="n">oidc_request_token</span><span class="o">=</span><span class="n">oidc_request_token</span><span class="p">,</span> <span class="n">oidc_request_url</span><span class="o">=</span><span class="n">oidc_request_url</span><span class="p">,</span> <span class="p">)</span> <span class="n">token_output</span> <span class="o">=</span> <span class="k">await</span> <span class="n">gcloud</span><span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">gcloud</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">auth</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">print-access-token</span><span class="sh">"</span><span class="p">]).</span><span class="nf">stdout</span><span class="p">()</span> <span class="n">firebase_auth</span><span class="p">[</span><span class="sh">"</span><span class="s">access_token</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">dag</span><span class="p">.</span><span class="nf">set_secret</span><span class="p">(</span><span class="sh">"</span><span class="s">firebase_access_token</span><span class="sh">"</span><span class="p">,</span> <span class="n">token_output</span><span class="p">.</span><span class="nf">strip</span><span class="p">())</span> <span class="n">channel</span> <span class="o">=</span> <span class="sh">"</span><span class="s">live</span><span class="sh">"</span> <span class="k">if</span> <span class="n">environment</span> <span class="o">==</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span> <span class="k">else</span> <span class="n">environment</span> <span class="n">build_command</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">npm run build -- --configuration=</span><span class="si">{</span><span class="n">environment</span><span class="si">}</span><span class="sh">"</span> <span class="k">if</span> <span class="n">channel</span> <span class="o">==</span> <span class="sh">"</span><span class="s">live</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_firebase</span><span class="p">().</span><span class="nf">deploy</span><span class="p">(</span> <span class="n">project_id</span><span class="o">=</span><span class="n">project_id</span><span class="p">,</span> <span class="n">source</span><span class="o">=</span><span class="n">source</span><span class="p">,</span> <span class="n">build_command</span><span class="o">=</span><span class="n">build_command</span><span class="p">,</span> <span class="n">deploy_functions</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="o">**</span><span class="n">firebase_auth</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_firebase</span><span class="p">().</span><span class="nf">deploy_preview</span><span class="p">(</span> <span class="n">project_id</span><span class="o">=</span><span class="n">project_id</span><span class="p">,</span> <span class="n">channel_id</span><span class="o">=</span><span class="n">channel</span><span class="p">,</span> <span class="n">source</span><span class="o">=</span><span class="n">source</span><span class="p">,</span> <span class="n">build_command</span><span class="o">=</span><span class="n">build_command</span><span class="p">,</span> <span class="o">**</span><span class="n">firebase_auth</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>Its <code>dagger.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-deploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"engineVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v0.20.3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sdk"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"python"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gcp-auth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/daggerverse/gcp-auth@gcp-auth/v0.2.1"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gcp-artifact-registry"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/daggerverse/gcp-artifact-registry@gcp-artifact-registry/v0.2.0"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gcp-cloud-run"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/daggerverse/gcp-cloud-run@gcp-cloud-run/v0.3.0"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gcp-firebase"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/daggerverse/gcp-firebase@gcp-firebase/v0.2.0"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"trivy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/sagikazarmark/daggerverse/trivy@v0.6.0"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-backend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"../acme-backend"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-frontend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"../acme-frontend"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> What the private layer gives you </h3> <p>Compare what a developer writes <strong>without</strong> the private layer, a full-stack deploy across two GCP services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Without private modules — every team reinvents this (per service!) </span><span class="n">gcloud</span> <span class="o">=</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_auth</span><span class="p">().</span><span class="nf">from_oidc</span><span class="p">(</span> <span class="n">token</span><span class="o">=</span><span class="n">oidc_token</span><span class="p">,</span> <span class="n">provider</span><span class="o">=</span><span class="sh">"</span><span class="s">projects/123456/locations/global/workloadIdentityPools/github/providers/github-actions</span><span class="sh">"</span><span class="p">,</span> <span class="n">service_account</span><span class="o">=</span><span class="sh">"</span><span class="s">ci-deployer@acmecorp-staging.iam.gserviceaccount.com</span><span class="sh">"</span><span class="p">,</span> <span class="n">project</span><span class="o">=</span><span class="sh">"</span><span class="s">acmecorp-staging</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Backend: build, scan, push, deploy </span><span class="n">backend</span> <span class="o">=</span> <span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">().</span><span class="nf">from_</span><span class="p">(</span><span class="sh">"</span><span class="s">python:3.13-slim</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_workdir</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_file</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/requirements.txt</span><span class="sh">"</span><span class="p">,</span> <span class="n">backend_source</span><span class="p">.</span><span class="nf">file</span><span class="p">(</span><span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-r</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/src</span><span class="sh">"</span><span class="p">,</span> <span class="n">backend_source</span><span class="p">.</span><span class="nf">directory</span><span class="p">(</span><span class="sh">"</span><span class="s">src</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_env_variable</span><span class="p">(</span><span class="sh">"</span><span class="s">PORT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">8080</span><span class="sh">"</span><span class="p">).</span><span class="nf">with_exposed_port</span><span class="p">(</span><span class="mi">8080</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_entrypoint</span><span class="p">([</span><span class="sh">"</span><span class="s">uvicorn</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">src.main:app</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--host</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--port</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">8080</span><span class="sh">"</span><span class="p">])</span> <span class="p">)</span> <span class="c1"># Vulnerability scan — easy to forget, and every team configures it differently </span><span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">trivy</span><span class="p">().</span><span class="nf">container</span><span class="p">(</span><span class="n">backend</span><span class="p">).</span><span class="nf">output</span><span class="p">(</span><span class="sh">"</span><span class="s">table</span><span class="sh">"</span><span class="p">)</span> <span class="n">image_uri</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_artifact_registry</span><span class="p">().</span><span class="nf">publish</span><span class="p">(</span> <span class="n">container</span><span class="o">=</span><span class="n">backend</span><span class="p">,</span> <span class="n">gcloud</span><span class="o">=</span><span class="n">gcloud</span><span class="p">,</span> <span class="n">project_id</span><span class="o">=</span><span class="sh">"</span><span class="s">acmecorp-staging</span><span class="sh">"</span><span class="p">,</span> <span class="n">region</span><span class="o">=</span><span class="sh">"</span><span class="s">europe-west1</span><span class="sh">"</span><span class="p">,</span> <span class="n">repository</span><span class="o">=</span><span class="sh">"</span><span class="s">acme-backend</span><span class="sh">"</span><span class="p">,</span> <span class="n">image_name</span><span class="o">=</span><span class="sh">"</span><span class="s">api</span><span class="sh">"</span><span class="p">,</span> <span class="n">tag</span><span class="o">=</span><span class="sh">"</span><span class="s">staging-latest</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">backend_url</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_cloud_run</span><span class="p">().</span><span class="nf">service</span><span class="p">().</span><span class="nf">deploy</span><span class="p">(</span> <span class="n">gcloud</span><span class="o">=</span><span class="n">gcloud</span><span class="p">,</span> <span class="n">service_name</span><span class="o">=</span><span class="sh">"</span><span class="s">acme-backend-api-staging</span><span class="sh">"</span><span class="p">,</span> <span class="n">image</span><span class="o">=</span><span class="n">image_uri</span><span class="p">,</span> <span class="n">region</span><span class="o">=</span><span class="sh">"</span><span class="s">europe-west1</span><span class="sh">"</span><span class="p">,</span> <span class="n">allow_unauthenticated</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Frontend: build, deploy </span><span class="n">dist</span> <span class="o">=</span> <span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">().</span><span class="nf">from_</span><span class="p">(</span><span class="sh">"</span><span class="s">node:20-slim</span><span class="sh">"</span><span class="p">).</span><span class="nf">with_workdir</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">,</span> <span class="n">frontend_source</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">npm</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ci</span><span class="sh">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">npx</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ng</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">build</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--configuration=production</span><span class="sh">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/dist/angular-frontend/browser</span><span class="sh">"</span><span class="p">)</span> <span class="p">)</span> <span class="n">token_output</span> <span class="o">=</span> <span class="k">await</span> <span class="n">gcloud</span><span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">gcloud</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">auth</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">print-access-token</span><span class="sh">"</span><span class="p">]).</span><span class="nf">stdout</span><span class="p">()</span> <span class="n">access_token</span> <span class="o">=</span> <span class="n">dag</span><span class="p">.</span><span class="nf">set_secret</span><span class="p">(</span><span class="sh">"</span><span class="s">firebase_access_token</span><span class="sh">"</span><span class="p">,</span> <span class="n">token_output</span><span class="p">.</span><span class="nf">strip</span><span class="p">())</span> <span class="n">frontend_url</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_firebase</span><span class="p">().</span><span class="nf">deploy_preview</span><span class="p">(</span> <span class="n">project_id</span><span class="o">=</span><span class="sh">"</span><span class="s">acmecorp-staging</span><span class="sh">"</span><span class="p">,</span> <span class="n">channel_id</span><span class="o">=</span><span class="sh">"</span><span class="s">staging</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="o">=</span><span class="n">dist</span><span class="p">,</span> <span class="n">access_token</span><span class="o">=</span><span class="n">access_token</span><span class="p">,</span> <span class="n">skip_build</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>With the private layer, the same full-stack deploy becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># With private modules — two calls, compliance baked in everywhere </span><span class="n">backend_url</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_deploy</span><span class="p">().</span><span class="nf">cloud_run</span><span class="p">(</span> <span class="n">source</span><span class="o">=</span><span class="n">backend_source</span><span class="p">,</span> <span class="n">service_name</span><span class="o">=</span><span class="sh">"</span><span class="s">api</span><span class="sh">"</span><span class="p">,</span> <span class="n">team</span><span class="o">=</span><span class="sh">"</span><span class="s">backend</span><span class="sh">"</span><span class="p">,</span> <span class="n">project_id</span><span class="o">=</span><span class="sh">"</span><span class="s">acmecorp-staging</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">frontend_url</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_deploy</span><span class="p">().</span><span class="nf">firebase</span><span class="p">(</span> <span class="n">source</span><span class="o">=</span><span class="n">frontend_source</span><span class="p">,</span> <span class="n">service_name</span><span class="o">=</span><span class="sh">"</span><span class="s">web</span><span class="sh">"</span><span class="p">,</span> <span class="n">team</span><span class="o">=</span><span class="sh">"</span><span class="s">frontend</span><span class="sh">"</span><span class="p">,</span> <span class="n">project_id</span><span class="o">=</span><span class="sh">"</span><span class="s">acmecorp-staging</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>Two calls instead of thirty lines. No authentication boilerplate, no naming convention to remember. The naming convention, region whitelist, authentication flow, label requirements, vulnerability scanning, production branch gating, Cloud Run resource defaults, SBOM generation — all of it is encoded once in the private modules and enforced everywhere. A new team member doesn't need to know which base image is approved, that containers are Trivy-scanned before shipping, or that production services must not be publicly accessible. The modules handle it.</p> <h2> Consuming Modules in Your Pipelines </h2> <p>With both layers in place, here's what a typical project's <code>.dagger/</code> looks like at AcmeCorp:</p> <h3> Project Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dagger-ci-demo/ ├── backend/ # FastAPI application code │ ├── src/ │ ├── tests/ │ └── requirements.txt ├── frontend/ # Angular application code │ ├── src/ │ └── package.json ├── .dagger/ # Dagger module (CI/CD pipeline) │ ├── dagger.json │ ├── pyproject.toml │ └── src/dagger_ci_demo/ │ └── main.py └── .github/ └── workflows/ └── ci.yml # GitHub Actions (just calls dagger) </code></pre> </div> <h3> <code>dagger.json</code>: Dependencies </h3> <p>The project only depends on the private layer. Public modules are transitive dependencies; the project never references them directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dagger-ci-demo"</span><span class="p">,</span><span class="w"> </span><span class="nl">"engineVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v0.20.3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sdk"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"python"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-backend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-backend@v1.0.0"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-frontend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-frontend@v1.0.0"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-deploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-deploy@v1.0.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>To install these modules, run <code>dagger install</code> for each dependency:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dagger <span class="nb">install </span>github.com/telchak/acme-dagger-modules/acme-backend@v1.0.0 dagger <span class="nb">install </span>github.com/telchak/acme-dagger-modules/acme-frontend@v1.0.0 dagger <span class="nb">install </span>github.com/telchak/acme-dagger-modules/acme-deploy@v1.0.0 </code></pre> </div> <h3> Pipeline Code </h3> <p>If you want to follow along, you can come back to the same <code>dagger-ci-demo</code> repository from Part 1. If you're starting fresh, run <code>dagger init --sdk=python</code> to scaffold a new module. Once you've installed the AcmeCorp modules above, replace the content of <code>.dagger/src/dagger_ci_demo/main.py</code> with the following:</p> <p>This is where everything comes together. The project pipeline doesn't contain a single line of build logic, authentication boilerplate, or deployment configuration. It orchestrates the private modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="sh">"""</span><span class="s">CI/CD pipeline for dagger-ci-demo — powered by AcmeCorp modules.</span><span class="sh">"""</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Annotated</span> <span class="kn">import</span> <span class="n">dagger</span> <span class="kn">from</span> <span class="n">dagger</span> <span class="kn">import</span> <span class="n">Doc</span><span class="p">,</span> <span class="n">dag</span><span class="p">,</span> <span class="n">function</span><span class="p">,</span> <span class="n">object_type</span> <span class="nd">@object_type</span> <span class="k">class</span> <span class="nc">DaggerCiDemo</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Full-stack pipeline for the Angular + FastAPI product.</span><span class="sh">"""</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">backend_source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Backend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="n">frontend_source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Frontend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Run all tests (backend + frontend).</span><span class="sh">"""</span> <span class="n">backend_result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_backend</span><span class="p">().</span><span class="nf">test</span><span class="p">(</span><span class="n">source</span><span class="o">=</span><span class="n">backend_source</span><span class="p">)</span> <span class="n">frontend_result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_frontend</span><span class="p">().</span><span class="nf">test</span><span class="p">(</span><span class="n">source</span><span class="o">=</span><span class="n">frontend_source</span><span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Backend:</span><span class="se">\n</span><span class="si">{</span><span class="n">backend_result</span><span class="si">}</span><span class="se">\n\n</span><span class="s">Frontend:</span><span class="se">\n</span><span class="si">{</span><span class="n">frontend_result</span><span class="si">}</span><span class="sh">"</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lint</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">backend_source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Backend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="n">frontend_source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Frontend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Run linting on all source code.</span><span class="sh">"""</span> <span class="n">backend_result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_backend</span><span class="p">().</span><span class="nf">lint</span><span class="p">(</span><span class="n">source</span><span class="o">=</span><span class="n">backend_source</span><span class="p">)</span> <span class="n">frontend_result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_frontend</span><span class="p">().</span><span class="nf">lint</span><span class="p">(</span><span class="n">source</span><span class="o">=</span><span class="n">frontend_source</span><span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Backend:</span><span class="se">\n</span><span class="si">{</span><span class="n">backend_result</span><span class="si">}</span><span class="se">\n\n</span><span class="s">Frontend:</span><span class="se">\n</span><span class="si">{</span><span class="n">frontend_result</span><span class="si">}</span><span class="sh">"</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">deploy</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">backend_source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Backend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="n">frontend_source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Frontend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="n">project_id</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">GCP project ID to deploy to</span><span class="sh">"</span><span class="p">)],</span> <span class="n">oidc_request_token</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Secret</span> <span class="o">|</span> <span class="bp">None</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">ACTIONS_ID_TOKEN_REQUEST_TOKEN (CI)</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">oidc_request_url</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Secret</span> <span class="o">|</span> <span class="bp">None</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">ACTIONS_ID_TOKEN_REQUEST_URL (CI)</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">gcloud_config</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span> <span class="o">|</span> <span class="bp">None</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Host gcloud config dir for local auth (~/.config/gcloud)</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">environment</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Target environment</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">staging</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Test and deploy the full stack. 1. Tests both apps (fails fast if anything breaks) 2. Deploys backend to Cloud Run, frontend to Firebase Hosting (build, scan, push are handled internally by acme-deploy) Authentication: pass gcloud-config for local development, or oidc-request-token + oidc-request-url for CI (GitHub Actions). </span><span class="sh">"""</span> <span class="c1"># 1. Test first — fail fast </span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span> <span class="n">backend_source</span><span class="o">=</span><span class="n">backend_source</span><span class="p">,</span> <span class="n">frontend_source</span><span class="o">=</span><span class="n">frontend_source</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># 2. Deploy both apps — build, scan, push, and deploy are all internal </span> <span class="n">backend_url</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_deploy</span><span class="p">().</span><span class="nf">cloud_run</span><span class="p">(</span> <span class="n">source</span><span class="o">=</span><span class="n">backend_source</span><span class="p">,</span> <span class="n">service_name</span><span class="o">=</span><span class="sh">"</span><span class="s">api</span><span class="sh">"</span><span class="p">,</span> <span class="n">team</span><span class="o">=</span><span class="sh">"</span><span class="s">product</span><span class="sh">"</span><span class="p">,</span> <span class="n">project_id</span><span class="o">=</span><span class="n">project_id</span><span class="p">,</span> <span class="n">oidc_request_token</span><span class="o">=</span><span class="n">oidc_request_token</span><span class="p">,</span> <span class="n">oidc_request_url</span><span class="o">=</span><span class="n">oidc_request_url</span><span class="p">,</span> <span class="n">gcloud_config</span><span class="o">=</span><span class="n">gcloud_config</span><span class="p">,</span> <span class="n">environment</span><span class="o">=</span><span class="n">environment</span><span class="p">,</span> <span class="p">)</span> <span class="n">frontend_url</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_deploy</span><span class="p">().</span><span class="nf">firebase</span><span class="p">(</span> <span class="n">source</span><span class="o">=</span><span class="n">frontend_source</span><span class="p">,</span> <span class="n">service_name</span><span class="o">=</span><span class="sh">"</span><span class="s">web</span><span class="sh">"</span><span class="p">,</span> <span class="n">team</span><span class="o">=</span><span class="sh">"</span><span class="s">product</span><span class="sh">"</span><span class="p">,</span> <span class="n">project_id</span><span class="o">=</span><span class="n">project_id</span><span class="p">,</span> <span class="n">oidc_request_token</span><span class="o">=</span><span class="n">oidc_request_token</span><span class="p">,</span> <span class="n">oidc_request_url</span><span class="o">=</span><span class="n">oidc_request_url</span><span class="p">,</span> <span class="n">gcloud_config</span><span class="o">=</span><span class="n">gcloud_config</span><span class="p">,</span> <span class="n">environment</span><span class="o">=</span><span class="n">environment</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Backend: </span><span class="si">{</span><span class="n">backend_url</span><span class="si">}</span><span class="se">\n</span><span class="s">Frontend: </span><span class="si">{</span><span class="n">frontend_url</span><span class="si">}</span><span class="sh">"</span> </code></pre> </div> <p>Read this pipeline again. There are zero <code>dag.container()</code> calls. No base image choices. No <code>pip install</code>. No <code>npm ci</code>. No Artifact Registry URIs. No Cloud Run flags. No Firebase channel logic. No Trivy configuration. No branch gating logic. The only project-specific value is the <code>project_id</code>, which the caller provides. Every other operational detail is encapsulated in the three private modules, and every project at AcmeCorp gets the same standards, the same security, the same compliance, without any effort from the project team.</p> <h3> Try It Locally </h3> <p>You can test the pipeline right away on your machine. The <code>test</code> and <code>lint</code> functions work without any cloud credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run the test suite on both apps</span> dagger call <span class="nb">test</span> <span class="se">\</span> <span class="nt">--backend-source</span><span class="o">=</span>./backend <span class="se">\</span> <span class="nt">--frontend-source</span><span class="o">=</span>./frontend <span class="c"># Run linting on both apps</span> dagger call lint <span class="se">\</span> <span class="nt">--backend-source</span><span class="o">=</span>./backend <span class="se">\</span> <span class="nt">--frontend-source</span><span class="o">=</span>./frontend </code></pre> </div> <p>The <code>deploy</code> function requires GCP credentials. In CI, it uses OIDC tokens from GitHub Actions. For local development, you can pass your host's gcloud config directory instead:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy from your laptop using local ADC credentials</span> dagger call deploy <span class="se">\</span> <span class="nt">--backend-source</span><span class="o">=</span>./backend <span class="se">\</span> <span class="nt">--frontend-source</span><span class="o">=</span>./frontend <span class="se">\</span> <span class="nt">--project-id</span><span class="o">=</span>acmecorp-staging <span class="se">\</span> <span class="nt">--gcloud-config</span><span class="o">=</span><span class="nv">$HOME</span>/.config/gcloud <span class="se">\</span> <span class="nt">--environment</span><span class="o">=</span>staging <span class="c"># Check that the module loads and all dependencies resolve</span> dagger functions </code></pre> </div> <h3> GitHub Actions Workflow </h3> <p>The workflow file stays minimal. It just calls <code>dagger</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">CI/CD</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">check</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v6</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lint</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">call</span> <span class="na">args</span><span class="pi">:</span> <span class="s">lint --backend-source=./backend --frontend-source=./frontend</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">call</span> <span class="na">args</span><span class="pi">:</span> <span class="s">test --backend-source=./backend --frontend-source=./frontend</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main'</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">check</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v6</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to staging</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">call</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">deploy</span> <span class="s">--backend-source=./backend</span> <span class="s">--frontend-source=./frontend</span> <span class="s">--oidc-token=env:ACTIONS_ID_TOKEN_REQUEST_TOKEN</span> <span class="s">--environment=staging</span> </code></pre> </div> <p>The entire CI configuration calls three Dagger functions: <code>lint</code>, <code>test</code>, and <code>deploy</code>. All the logic (base images, dependency installation, build steps, authentication, compliance, registry push, Cloud Run flags, Firebase channels) lives in typed, testable, version-pinned modules.</p> <h3> The Local Developer Experience </h3> <p>This is where Dagger's CLI really shines. A developer clones <code>dagger-ci-demo</code>, and without reading any documentation, they can discover every available pipeline function, run them individually, and even inspect intermediate build artifacts, all from their terminal.</p> <p><strong>Discovering what's available:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>dagger functions Name Description deploy Build, <span class="nb">test</span>, and deploy the full stack. lint Run linting on all <span class="nb">source </span>code. <span class="nb">test </span>Run all tests <span class="o">(</span>backend + frontend<span class="o">)</span><span class="nb">.</span> </code></pre> </div> <p>Every function name and description comes directly from the Python docstrings we wrote. The <code>Doc()</code> annotations on parameters become <code>--help</code> text:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>dagger call deploy <span class="nt">--help</span> Deploy the full stack. 1. Tests both apps <span class="o">(</span>fails fast <span class="k">if </span>anything breaks<span class="o">)</span> 2. Builds both apps via acme-backend and acme-frontend 3. Deploys backend to Cloud Run, frontend to Firebase Hosting Authentication: pass gcloud-config <span class="k">for </span><span class="nb">local </span>development, or oidc-request-token + oidc-request-url <span class="k">for </span>CI <span class="o">(</span>GitHub Actions<span class="o">)</span><span class="nb">.</span> USAGE dagger call deploy <span class="o">[</span>arguments] ARGUMENTS <span class="nt">--backend-source</span> Directory Backend <span class="nb">source </span>directory <span class="o">(</span>required<span class="o">)</span> <span class="nt">--frontend-source</span> Directory Frontend <span class="nb">source </span>directory <span class="o">(</span>required<span class="o">)</span> <span class="nt">--project-id</span> string GCP project ID to deploy to <span class="o">(</span>required<span class="o">)</span> <span class="nt">--oidc-request-token</span> Secret ACTIONS_ID_TOKEN_REQUEST_TOKEN <span class="o">(</span>CI<span class="o">)</span> <span class="nt">--oidc-request-url</span> Secret ACTIONS_ID_TOKEN_REQUEST_URL <span class="o">(</span>CI<span class="o">)</span> <span class="nt">--gcloud-config</span> Directory Host gcloud config <span class="nb">dir </span><span class="k">for </span><span class="nb">local </span>auth <span class="o">(</span>~/.config/gcloud<span class="o">)</span> <span class="nt">--environment</span> string Target environment <span class="o">(</span>default <span class="s2">"staging"</span><span class="o">)</span> </code></pre> </div> <p>No wiki page. No Confluence document. No Slack thread asking "how do I deploy again?" The CLI <em>is</em> the documentation, and it's always in sync with the code because it's generated from it.</p> <p><strong>Running individual functions:</strong></p> <p>A developer working on the backend doesn't need to run the full pipeline. Since <code>acme-backend</code>, <code>acme-frontend</code>, and <code>acme-deploy</code> are already installed as dependencies in the project's <code>dagger.json</code>, they can call any dependency's functions by name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run backend tests only (calling the project's own pipeline function)</span> dagger call <span class="nb">test</span> <span class="nt">--backend-source</span><span class="o">=</span>./backend <span class="nt">--frontend-source</span><span class="o">=</span>./frontend <span class="c"># Lint just the backend (calling the installed dependency directly)</span> dagger call <span class="nt">-m</span> acme-backend lint <span class="nt">--source</span><span class="o">=</span>./backend <span class="c"># Generate an SBOM for the backend</span> dagger call <span class="nt">-m</span> acme-backend sbom <span class="nt">--source</span><span class="o">=</span>./backend <span class="nt">-o</span> ./sbom.json <span class="c"># Run the frontend dependency audit</span> dagger call <span class="nt">-m</span> acme-frontend audit <span class="nt">--source</span><span class="o">=</span>./frontend </code></pre> </div> <p>The <code>-m</code> flag selects which module to call. When you use it with a dependency name (<code>acme-backend</code>), Dagger resolves it from your <code>dagger.json</code>, so there's no need for the full Git path. You can also use <code>-m</code> with a full path to call modules that <em>aren't</em> installed, which is useful for trying out a new daggerverse module before adding it as a dependency.</p> <p><strong>Inspecting build artifacts with <code>terminal</code>:</strong></p> <p>This is one of Dagger's most powerful features for local development. Any function that returns a <code>Container</code> can be chained with <code>terminal</code> to drop into an interactive shell <em>inside the built container</em>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>dagger call <span class="nt">-m</span> acme-backend build <span class="nt">--source</span><span class="o">=</span>./backend terminal ● Attaching terminal: container: Container! .from<span class="o">(</span>address: <span class="s2">"docker.io/library/python:3.13-slim@sha256:739e7213..."</span><span class="o">)</span>: Container! withWorkdir /app .withDirectory<span class="o">(</span> ┆ ┆ path: <span class="s2">"/app"</span> ┆ ┆ <span class="nb">source</span>: Host.directory<span class="o">(</span>path: <span class="s2">"./backend"</span><span class="o">)</span>: Directory! ┆ <span class="o">)</span>: Container! .withMountedCache<span class="o">(</span> ┆ ┆ path: <span class="s2">"/root/.cache/pip"</span> ┆ ┆ cache: cacheVolume<span class="o">(</span>key: <span class="s2">"acme-pip"</span>, ...<span class="o">)</span>: CacheVolume! ┆ <span class="o">)</span>: Container! withExec pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt withEnvVariable <span class="nv">PORT</span><span class="o">=</span>8080 .withExposedPort<span class="o">(</span>port: 8080<span class="o">)</span>: Container! .withLabel<span class="o">(</span>name: <span class="s2">"org.opencontainers.image.vendor"</span>, value: <span class="s2">"AcmeCorp"</span><span class="o">)</span>: Container! .withEntrypoint<span class="o">(</span>args: <span class="o">[</span><span class="s2">"uvicorn"</span>, <span class="s2">"src.main:app"</span>, <span class="s2">"--host"</span>, <span class="s2">"0.0.0.0"</span>, <span class="s2">"--port"</span>, <span class="s2">"8080"</span><span class="o">])</span>: Container! dagger /app <span class="err">$</span> </code></pre> </div> <p>This means a developer can build the exact same container that will ship to Cloud Run, then poke around inside it: check installed packages, verify file layout, test imports, inspect environment variables. The container is identical whether you're on your laptop or in CI, because Dagger builds are hermetic.</p> <p>The same trick works with any <code>Container</code> return type in the chain, even transitive dependencies you haven't installed directly. For example, to inspect the authenticated gcloud container that <code>acme-deploy</code> uses under the hood:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Call a transitive dependency by its full Git path</span> <span class="nv">$ </span>dagger call <span class="nt">-m</span> github.com/telchak/daggerverse/gcp-auth@gcp-auth/v0.2.1 <span class="se">\</span> gcloud-container <span class="se">\</span> <span class="nt">--credentials</span><span class="o">=</span>file:./my-service-account-key.json <span class="se">\</span> <span class="nt">--project-id</span><span class="o">=</span>acmecorp-staging <span class="se">\</span> terminal root@def456:/# gcloud auth list Credentialed Accounts ACTIVE ACCOUNT <span class="k">*</span> ci-deployer@acmecorp-staging.iam.gserviceaccount.com root@def456:/# gcloud config get-value project acmecorp-staging </code></pre> </div> <p><strong>Chaining functions from the CLI:</strong></p> <p>Any <code>Container</code> or <code>Directory</code> return type can be chained further. This means you can compose operations from the CLI the same way you compose them in code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Build the backend, then run a custom command inside the result</span> dagger call <span class="nt">-m</span> acme-backend <span class="se">\</span> build <span class="nt">--source</span><span class="o">=</span>./backend <span class="se">\</span> with-exec <span class="nt">--args</span><span class="o">=</span><span class="s2">"python"</span>,<span class="s2">"-c"</span>,<span class="s2">"import sys; print(sys.version)"</span> <span class="se">\</span> stdout <span class="c"># Build the frontend dist, then list its contents</span> dagger call <span class="nt">-m</span> acme-frontend <span class="se">\</span> build <span class="nt">--source</span><span class="o">=</span>./frontend <span class="se">\</span> entries </code></pre> </div> <p><strong>Why this matters:</strong></p> <p>Every function the platform team writes (<code>build</code>, <code>test</code>, <code>lint</code>, <code>sbom</code>, <code>audit</code>, <code>deploy</code>) is immediately available as a CLI command with full documentation, tab completion, and composability. A developer who has never seen the codebase can run <code>dagger functions</code>, understand what's available, run <code>dagger call test --help</code>, understand what parameters are needed, and execute the pipeline, all without leaving the terminal. The same commands work identically in CI. There is no "it works on my machine" gap.</p> <h2> Testing Modules </h2> <p>Modules are code, and code should be tested. Each module repository should include integration tests that validate the public API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="sh">"""</span><span class="s">Integration tests for AcmeCorp modules.</span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">dagger</span> <span class="kn">from</span> <span class="n">dagger</span> <span class="kn">import</span> <span class="n">dag</span><span class="p">,</span> <span class="n">function</span><span class="p">,</span> <span class="n">object_type</span> <span class="nd">@object_type</span> <span class="k">class</span> <span class="nc">Tests</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Test suite for AcmeCorp private modules. Validates naming conventions, region whitelists, production branch gating, and module composition without hitting real GCP services. </span><span class="sh">"""</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test_region_whitelist_rejects_invalid</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Verify that regions outside the whitelist are rejected.</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_deploy</span><span class="p">().</span><span class="nf">cloud_run</span><span class="p">(</span> <span class="n">source</span><span class="o">=</span><span class="n">dag</span><span class="p">.</span><span class="nf">directory</span><span class="p">().</span><span class="nf">with_new_file</span><span class="p">(</span><span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">fastapi</span><span class="se">\n</span><span class="sh">"</span><span class="p">),</span> <span class="n">service_name</span><span class="o">=</span><span class="sh">"</span><span class="s">test</span><span class="sh">"</span><span class="p">,</span> <span class="n">team</span><span class="o">=</span><span class="sh">"</span><span class="s">platform</span><span class="sh">"</span><span class="p">,</span> <span class="n">project_id</span><span class="o">=</span><span class="sh">"</span><span class="s">acmecorp-staging</span><span class="sh">"</span><span class="p">,</span> <span class="n">region</span><span class="o">=</span><span class="sh">"</span><span class="s">asia-east1</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Not in whitelist </span> <span class="p">)</span> <span class="k">return</span> <span class="sh">"</span><span class="s">[FAIL] Should have rejected region</span><span class="sh">"</span> <span class="k">except</span> <span class="n">dagger</span><span class="p">.</span><span class="n">ExecError</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">[OK] Invalid region rejected</span><span class="sh">"</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test_invalid_environment_rejected</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Verify that unknown environments are rejected.</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_deploy</span><span class="p">().</span><span class="nf">cloud_run</span><span class="p">(</span> <span class="n">source</span><span class="o">=</span><span class="n">dag</span><span class="p">.</span><span class="nf">directory</span><span class="p">().</span><span class="nf">with_new_file</span><span class="p">(</span><span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">fastapi</span><span class="se">\n</span><span class="sh">"</span><span class="p">),</span> <span class="n">service_name</span><span class="o">=</span><span class="sh">"</span><span class="s">test</span><span class="sh">"</span><span class="p">,</span> <span class="n">team</span><span class="o">=</span><span class="sh">"</span><span class="s">platform</span><span class="sh">"</span><span class="p">,</span> <span class="n">project_id</span><span class="o">=</span><span class="sh">"</span><span class="s">acmecorp-staging</span><span class="sh">"</span><span class="p">,</span> <span class="n">environment</span><span class="o">=</span><span class="sh">"</span><span class="s">development</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Not staging/production </span> <span class="p">)</span> <span class="k">return</span> <span class="sh">"</span><span class="s">[FAIL] Should have rejected environment</span><span class="sh">"</span> <span class="k">except</span> <span class="n">dagger</span><span class="p">.</span><span class="n">ExecError</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">[OK] Invalid environment rejected</span><span class="sh">"</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test_production_deploy_requires_main_branch</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Verify that production deploys are blocked from non-main branches.</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_deploy</span><span class="p">().</span><span class="nf">cloud_run</span><span class="p">(</span> <span class="n">source</span><span class="o">=</span><span class="n">dag</span><span class="p">.</span><span class="nf">directory</span><span class="p">().</span><span class="nf">with_new_file</span><span class="p">(</span><span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">fastapi</span><span class="se">\n</span><span class="sh">"</span><span class="p">),</span> <span class="n">service_name</span><span class="o">=</span><span class="sh">"</span><span class="s">test</span><span class="sh">"</span><span class="p">,</span> <span class="n">team</span><span class="o">=</span><span class="sh">"</span><span class="s">platform</span><span class="sh">"</span><span class="p">,</span> <span class="n">project_id</span><span class="o">=</span><span class="sh">"</span><span class="s">acmecorp-prod</span><span class="sh">"</span><span class="p">,</span> <span class="n">environment</span><span class="o">=</span><span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">,</span> <span class="n">git_branch</span><span class="o">=</span><span class="sh">"</span><span class="s">feature/my-branch</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="sh">"</span><span class="s">[FAIL] Should have blocked non-main production deploy</span><span class="sh">"</span> <span class="k">except</span> <span class="n">dagger</span><span class="p">.</span><span class="n">ExecError</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">[OK] Production deploy blocked from non-main branch</span><span class="sh">"</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test_backend_build_returns_container</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Verify that acme-backend build produces a container with the expected port.</span><span class="sh">"""</span> <span class="n">source</span> <span class="o">=</span> <span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">directory</span><span class="p">()</span> <span class="p">.</span><span class="nf">with_new_file</span><span class="p">(</span><span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">fastapi</span><span class="se">\n</span><span class="s">uvicorn</span><span class="se">\n</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_new_file</span><span class="p">(</span><span class="sh">"</span><span class="s">src/__init__.py</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_new_file</span><span class="p">(</span><span class="sh">"</span><span class="s">src/main.py</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span> <span class="sh">"</span><span class="s">from fastapi import FastAPI</span><span class="se">\n</span><span class="sh">"</span> <span class="sh">"</span><span class="s">app = FastAPI()</span><span class="se">\n</span><span class="sh">"</span> <span class="sh">"</span><span class="s">@app.get(</span><span class="sh">'</span><span class="s">/health</span><span class="sh">'</span><span class="s">)</span><span class="se">\n</span><span class="sh">"</span> <span class="sh">"</span><span class="s">def health(): return {</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="s">: </span><span class="sh">'</span><span class="s">ok</span><span class="sh">'</span><span class="s">}</span><span class="se">\n</span><span class="sh">"</span> <span class="p">))</span> <span class="p">)</span> <span class="n">container</span> <span class="o">=</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_backend</span><span class="p">().</span><span class="nf">build</span><span class="p">(</span><span class="n">source</span><span class="o">=</span><span class="n">source</span><span class="p">)</span> <span class="n">ports</span> <span class="o">=</span> <span class="k">await</span> <span class="n">container</span><span class="p">.</span><span class="nf">exposed_ports</span><span class="p">()</span> <span class="n">port_numbers</span> <span class="o">=</span> <span class="p">[</span><span class="k">await</span> <span class="n">p</span><span class="p">.</span><span class="nf">port</span><span class="p">()</span> <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">ports</span><span class="p">]</span> <span class="k">if</span> <span class="mi">8080</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">port_numbers</span><span class="p">:</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">[FAIL] Expected port 8080, got </span><span class="si">{</span><span class="n">port_numbers</span><span class="si">}</span><span class="sh">"</span> <span class="k">return</span> <span class="sh">"</span><span class="s">[OK] Backend build produces container with port 8080</span><span class="sh">"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run tests locally</span> dagger call <span class="nt">-m</span> tests/ test-region-whitelist-rejects-invalid dagger call <span class="nt">-m</span> tests/ test-production-deploy-requires-main-branch dagger call <span class="nt">-m</span> tests/ test-backend-build-returns-container </code></pre> </div> <p>For example, running the region whitelist test shows exactly how the module enforces compliance at the function level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>dagger call <span class="nt">-m</span> tests/ test-region-whitelist-rejects-invalid <span class="go"> ✔ tests: Tests! 3.4s ✘ .testRegionWhitelistRejectsInvalid: String! 27.3s ERROR ✘ AcmeDeploy.cloudRun( ┆ container: Container.from(address: "alpine"): Container! ┆ serviceName: "test" ┆ team: "platform" ┆ oidcToken: setSecret(name: "test-token"): Secret! ┆ region: "asia-east1" ): String! 11.7s ERROR ValueError: Region asia-east1 not allowed. Must be one of: ['europe-west1', 'us-central1'] </span></code></pre> </div> <p>The test deliberately passes a forbidden region (<code>asia-east1</code>) and verifies the module rejects it with a clear error. The branch gating test works the same way:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>dagger call <span class="nt">-m</span> tests/ test-production-deploy-requires-main-branch <span class="go"> ✔ tests: Tests! 0.0s ✘ .testProductionDeployRequiresMainBranch: String! 23.2s ERROR ✘ AcmeDeploy.cloudRun( ┆ container: Container.from(address: "alpine"): Container! ┆ serviceName: "test" ┆ team: "platform" ┆ oidcToken: setSecret(name: "test-token"): Secret! ┆ environment: "production" ┆ gitBranch: "feature/my-branch" ): String! 11.9s ERROR ValueError: Production deployment forbidden from branch 'feature/my-branch'. Only the 'main' branch can deploy to production. </span></code></pre> </div> <p>This is policy-as-code: region restrictions, naming conventions, and branch gating are all enforced by the module itself, not by documentation or code review.</p> <h2> Versioning Strategy </h2> <p>For a monorepo with multiple modules, use per-module Git tags:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>telchak/acme-dagger-modules/ ├── acme-backend/ → git tag: acme-backend/v1.0.0 ├── acme-frontend/ → git tag: acme-frontend/v1.0.0 ├── acme-deploy/ → git tag: acme-deploy/v1.2.0 └── tests/ </code></pre> </div> <p>Automate with conventional commits:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># "feat(acme-deploy): add Firebase Hosting support" → acme-deploy/v1.3.0 (minor)</span> <span class="c"># "fix(acme-deploy): handle empty labels" → acme-deploy/v1.2.1 (patch)</span> </code></pre> </div> <p>Consuming teams pin to a version and upgrade on their own schedule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-deploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-deploy@v1.0.0"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>When the platform team releases <code>v1.3.0</code>, teams can upgrade by bumping the version in <code>dagger.json</code>. The typed API ensures that breaking changes are caught at development time, not in production.</p> <h2> Toolchains: Zero-Code Consumption </h2> <p>So far, every project at AcmeCorp writes a <code>.dagger/</code> module, a few dozen lines of Python that orchestrates the private modules. That's already much simpler than raw CI scripts, but Dagger recently introduced a feature that eliminates even that: <strong>toolchains</strong>.</p> <p>A toolchain is a Dagger module installed directly into your project's <code>dagger.json</code> with no SDK code required. You install it, and its functions become available via <code>dagger call</code> and <code>dagger check</code> immediately.</p> <h3> Official toolchains </h3> <p>Dagger already maintains a growing set of <a href="https://github.com/dagger?q=toolchain" rel="noopener noreferrer">official toolchains</a> for popular tools and frameworks, ready to install with zero configuration:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Toolchain</th> <th>What it does</th> <th>Install</th> </tr> </thead> <tbody> <tr> <td><a href="https://github.com/dagger/pytest" rel="noopener noreferrer"><code>pytest</code></a></td> <td>Python test framework</td> <td><code>dagger toolchain install github.com/dagger/pytest</code></td> </tr> <tr> <td><a href="https://github.com/dagger/jest" rel="noopener noreferrer"><code>jest</code></a></td> <td>JavaScript testing (Jest)</td> <td><code>dagger toolchain install github.com/dagger/jest</code></td> </tr> <tr> <td><a href="https://github.com/dagger/vitest" rel="noopener noreferrer"><code>vitest</code></a></td> <td>Test framework for Vite.js</td> <td><code>dagger toolchain install github.com/dagger/vitest</code></td> </tr> <tr> <td><a href="https://github.com/dagger/eslint" rel="noopener noreferrer"><code>eslint</code></a></td> <td>JavaScript static analysis</td> <td><code>dagger toolchain install github.com/dagger/eslint</code></td> </tr> <tr> <td><a href="https://github.com/dagger/prettier" rel="noopener noreferrer"><code>prettier</code></a></td> <td>Multi-language code formatter</td> <td><code>dagger toolchain install github.com/dagger/prettier</code></td> </tr> <tr> <td><a href="https://github.com/dagger/biomejs" rel="noopener noreferrer"><code>biomejs</code></a></td> <td>Web application formatter (Biome)</td> <td><code>dagger toolchain install github.com/dagger/biomejs</code></td> </tr> <tr> <td><a href="https://github.com/dagger/mochajs" rel="noopener noreferrer"><code>mochajs</code></a></td> <td>JavaScript testing (Mocha)</td> <td><code>dagger toolchain install github.com/dagger/mochajs</code></td> </tr> <tr> <td><a href="https://github.com/dagger/bun" rel="noopener noreferrer"><code>bun</code></a></td> <td>Bun JavaScript runtime</td> <td><code>dagger toolchain install github.com/dagger/bun</code></td> </tr> </tbody> </table></div> <p>These official toolchains follow the single-tool-per-module philosophy: each integrates deeply with one specific tool, provides sensible defaults, and exposes checks that run via <code>dagger check</code>. You can mix and match them freely: install <code>pytest</code> for your backend and <code>eslint</code> + <code>prettier</code> for your frontend, and <code>dagger check</code> runs all of them.</p> <p>But the real power of toolchains is that <strong>you can build your own</strong>, which is exactly what AcmeCorp's private modules become when you add <code>@check</code> and <code>DefaultPath</code>.</p> <h3> Making modules toolchain-ready </h3> <p>The key ingredients are the <code>@check</code> decorator and <code>DefaultPath(".")</code>. Adding <code>@check</code> to an existing function makes it discoverable via <code>dagger check</code>. Adding <code>DefaultPath(".")</code> to the <code>source</code> parameter makes it optional. Dagger automatically passes the project's source directory when no <code>--source</code> flag is provided. Here's what it looks like in <code>acme-backend</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">dagger</span> <span class="kn">import</span> <span class="n">DefaultPath</span><span class="p">,</span> <span class="n">Doc</span><span class="p">,</span> <span class="n">check</span><span class="p">,</span> <span class="n">dag</span><span class="p">,</span> <span class="n">function</span><span class="p">,</span> <span class="n">object_type</span> <span class="nd">@object_type</span> <span class="k">class</span> <span class="nc">AcmeBackend</span><span class="p">:</span> <span class="c1"># ... build(), sbom() as before ... </span> <span class="nd">@function</span> <span class="nd">@check</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lint</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Python backend source directory</span><span class="sh">"</span><span class="p">),</span> <span class="nc">DefaultPath</span><span class="p">(</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">),</span> <span class="p">],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Run linting (ruff) on the source code.</span><span class="sh">"""</span> <span class="bp">...</span> <span class="nd">@function</span> <span class="nd">@check</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Python backend source directory</span><span class="sh">"</span><span class="p">),</span> <span class="nc">DefaultPath</span><span class="p">(</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">),</span> <span class="p">],</span> <span class="n">coverage</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">bool</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Enforce minimum coverage threshold</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Run the test suite with AcmeCorp conventions.</span><span class="sh">"""</span> <span class="bp">...</span> </code></pre> </div> <p>No separate wrapper functions needed. <code>@check</code> goes directly on the existing <code>lint</code> and <code>test</code> functions. They keep their <code>str</code> return type and remain callable via <code>dagger call</code> as before, but they're now also registered as checks.</p> <p><code>acme-frontend</code> follows the same pattern: <code>lint</code>, <code>test</code>, and <code>audit</code> all get <code>@check</code> + <code>DefaultPath(".")</code>.</p> <h3> The zero-code project setup </h3> <p>Our <code>dagger-ci-demo</code> pipeline is powerful, but it still required writing Python code. What if a team just wants standard CI, with no custom pipeline logic at all?</p> <p>Let's try it. In our <code>dagger-ci-demo</code> repository, we can strip everything back: remove the <code>.dagger/</code> directory, remove the SDK, remove the dependencies, and instead use <code>dagger toolchain install</code> to add AcmeCorp modules directly as toolchains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Remove the existing module code</span> <span class="nb">rm</span> <span class="nt">-rf</span> .dagger/ <span class="c"># Reset dagger.json to a minimal config (no SDK, no dependencies)</span> <span class="nb">echo</span> <span class="s1">'{"name": "dagger-ci-demo"}'</span> <span class="o">&gt;</span> dagger.json <span class="c"># Install AcmeCorp modules as toolchains</span> dagger toolchain <span class="nb">install </span>github.com/telchak/acme-dagger-modules/acme-backend@acme-backend/v1.0.0 dagger toolchain <span class="nb">install </span>github.com/telchak/acme-dagger-modules/acme-frontend@acme-frontend/v1.0.0 dagger toolchain <span class="nb">install </span>github.com/telchak/acme-dagger-modules/acme-deploy@acme-deploy/v1.0.0 </code></pre> </div> <p>This produces a <code>dagger.json</code> with no SDK, no Python, no <code>.dagger/</code> directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dagger-ci-demo"</span><span class="p">,</span><span class="w"> </span><span class="nl">"engineVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v0.20.3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"toolchains"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-backend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-backend@acme-backend/v1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pin"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2fc60326472c2141e7d6cc6cdfb3382f2d38b303"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-frontend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-frontend@acme-frontend/v1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pin"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2fc60326472c2141e7d6cc6cdfb3382f2d38b303"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-deploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-deploy@acme-deploy/v1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pin"</span><span class="p">:</span><span class="w"> </span><span class="s2">"f6d4de715efc78610f43900334eabd667d918b84"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>That's it. One file, no code. Now they can run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Call any function directly</span> <span class="nv">$ </span>dagger call acme-backend lint <span class="nt">--source</span><span class="o">=</span>./backend <span class="nv">$ </span>dagger call acme-backend <span class="nb">test</span> <span class="nt">--source</span><span class="o">=</span>./backend <span class="nv">$ </span>dagger call acme-backend build <span class="nt">--source</span><span class="o">=</span>./backend terminal </code></pre> </div> <p>No Python. No <code>.dagger/</code> directory. No pipeline code to maintain. The team gets AcmeCorp-compliant linting, testing, and building from a single JSON file.</p> <h3> Customizing toolchain defaults </h3> <p>Toolchains work out of the box, but you can override any argument's default value directly in <code>dagger.json</code>, without touching code. The <code>customizations</code> array lets you scope overrides to specific functions using the <code>function</code> field.</p> <p>For example, say one team's backend doesn't follow the default coverage threshold and they want to target a specific function's argument:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"simple-api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"toolchains"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-backend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-backend@v1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"customizations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"test"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"coverage"</span><span class="p">,</span><span class="w"> </span><span class="nl">"default"</span><span class="p">:</span><span class="w"> </span><span class="s2">"false"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>function</code> field scopes the override. Here, only the <code>test</code> function's <code>coverage</code> argument is changed. Without a <code>function</code> field, the override targets the module's constructor arguments instead.</p> <p>This also works for directory paths. When a module uses <code>DefaultPath(".")</code> to pick up your source automatically, you can redirect it to a subdirectory. Use the <code>function</code> field to scope the override to specific functions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"monorepo-api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"toolchains"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-backend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-backend@v1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"customizations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"test"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/services/api"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"lint"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/services/api"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Each customization targets a specific function via the <code>function</code> field. Without it, the override applies to the module's constructor — not to individual functions. Here, both <code>test</code> and <code>lint</code> checks will automatically operate on <code>./services/api</code> instead of the project root. No <code>--source</code> flag needed.</p> <p>You can also filter out checks you're not ready for using <code>ignoreChecks</code> with glob patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"simple-api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"toolchains"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-backend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-backend@v1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ignoreChecks"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"test"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This is useful for gradual adoption. A team can start with just linting and add test enforcement later. Run <code>dagger check -l</code> to see which checks are active after filtering.</p> <h3> Full-stack toolchains </h3> <p>Let's go back to our <code>dagger-ci-demo</code> repository and set it up as a full-stack toolchain project. Since our backend lives in <code>./backend</code> and our frontend in <code>./frontend</code>, we need to tell each toolchain's check functions where to find their source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dagger-ci-demo"</span><span class="p">,</span><span class="w"> </span><span class="nl">"engineVersion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v0.20.3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"toolchains"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-backend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-backend@acme-backend/v1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pin"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2fc60326472c2141e7d6cc6cdfb3382f2d38b303"</span><span class="p">,</span><span class="w"> </span><span class="nl">"customizations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"test"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/backend"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"lint"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/backend"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-frontend"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-frontend@acme-frontend/v1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pin"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2fc60326472c2141e7d6cc6cdfb3382f2d38b303"</span><span class="p">,</span><span class="w"> </span><span class="nl">"customizations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"test"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/frontend"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"lint"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/frontend"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"audit"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/frontend"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-deploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-deploy@acme-deploy/v1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pin"</span><span class="p">:</span><span class="w"> </span><span class="s2">"f6d4de715efc78610f43900334eabd667d918b84"</span><span class="p">,</span><span class="w"> </span><span class="nl">"customizations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"scan"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/backend"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Each <code>customizations</code> entry uses the <code>function</code> field to target a specific check function. This tells <code>acme-backend:test</code> and <code>acme-backend:lint</code> to use <code>./backend</code>, <code>acme-frontend:test</code>, <code>acme-frontend:lint</code>, and <code>acme-frontend:audit</code> to use <code>./frontend</code>, and <code>acme-deploy:scan</code> to build and scan the backend container from <code>./backend</code>. Now <code>dagger check</code> runs all checks from all three toolchains with the right source directories:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>dagger check ✔ acme-backend:lint <span class="o">(</span>12.9s<span class="o">)</span> OK ✔ acme-backend:test <span class="o">(</span>15.2s<span class="o">)</span> OK ✔ acme-deploy:scan <span class="o">(</span>18.4s<span class="o">)</span> OK ✔ acme-frontend:lint <span class="o">(</span>58.0s<span class="o">)</span> OK ✔ acme-frontend:test <span class="o">(</span>62.0s<span class="o">)</span> OK ✔ acme-frontend:audit <span class="o">(</span>25.6s<span class="o">)</span> OK </code></pre> </div> <p>When a check fails, Dagger surfaces the full error inline — no need to dig through logs. Here's what it looks like when <code>acme-frontend:audit</code> catches a real vulnerability in a transitive dependency:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>dagger check ✔ acme-backend:lint <span class="o">(</span>0.1s<span class="o">)</span> OK ✔ acme-backend:test <span class="o">(</span>0.1s<span class="o">)</span> OK ✘ acme-frontend:audit <span class="o">(</span>26.2s<span class="o">)</span> ERROR ┇ .audit<span class="o">(</span> ┆ <span class="nb">source</span>: context /tmp/dagger-ci-demo/frontend <span class="o">(</span>exclude: <span class="o">[])</span> <span class="o">)</span> › ✘ withExec npm audit <span class="nt">--audit-level</span><span class="o">=</span>moderate <span class="o">(</span>2.3s<span class="o">)</span> ERROR <span class="c"># npm audit report</span> undici 7.0.0 - 7.23.0 Severity: high Undici has an HTTP Request/Response Smuggling issue - https://github.com/advisories/GHSA-2mjp-6q6p-2qxm fix available via <span class="sb">`</span>npm audit fix <span class="nt">--force</span><span class="sb">`</span> Will <span class="nb">install</span> @angular/build@20.3.21, which is a breaking change node_modules/undici @angular/build 21.0.0-next.0 - 21.2.3 Depends on vulnerable versions of undici 2 high severity vulnerabilities <span class="o">!</span> <span class="nb">exit </span>code: 1 ✔ acme-frontend:lint <span class="o">(</span>4.4s<span class="o">)</span> OK ✔ acme-frontend:test <span class="o">(</span>4.4s<span class="o">)</span> OK </code></pre> </div> <p>Notice how the failing check doesn't block the others — all six run in parallel, and Dagger reports the full audit output so the team knows exactly what to fix. This is the value of <code>@check</code>: the module author defined the security audit once, and every project that installs the toolchain gets it automatically.</p> <p>Six checks, three toolchains, zero lines of code. The CI workflow becomes even simpler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/ci.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">check</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v6</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">check</span> </code></pre> </div> <p>One step. One command. Every AcmeCorp standard enforced.</p> <h3> When to use toolchains vs. pipeline code </h3> <p>Both consumption models are valid. The right choice depends on how much customization the team needs:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Toolchains</th> <th>Pipeline code (<code>.dagger/</code>)</th> </tr> </thead> <tbody> <tr> <td><strong>Setup</strong></td> <td> <code>dagger.json</code> only, no SDK code</td> <td> <code>.dagger/</code> module with Python/Go/TS</td> </tr> <tr> <td><strong>Best for</strong></td> <td>Standard projects that follow org patterns</td> <td>Custom orchestration, conditional logic</td> </tr> <tr> <td><strong>Checks</strong></td> <td>Automatic via <code>dagger check</code> </td> <td>Define your own <code>@check</code> functions</td> </tr> <tr> <td><strong>Customization</strong></td> <td> <code>customizations</code> in JSON</td> <td>Full SDK, compose modules in code</td> </tr> <tr> <td><strong>Deployment</strong></td> <td>Install <code>acme-deploy</code> as toolchain</td> <td>Call <code>dag.acme_deploy()</code> in pipeline</td> </tr> </tbody> </table></div> <p>Most teams start with toolchains. When they need custom orchestration ("run tests in parallel, then deploy backend before frontend"), they graduate to a <code>.dagger/</code> module that imports the private modules. The same modules power both paths.</p> <h3> Deploying with <code>acme-deploy</code> as a toolchain </h3> <p>Vulnerability scanning shouldn't wait until deploy time. In <code>acme-deploy</code>, we've promoted the Trivy scan from a private helper to a public <code>@check</code> function called <code>scan</code>. It builds the container from source using <code>acme-backend</code>, then runs Trivy against it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@function</span> <span class="nd">@check</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">scan</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Backend source directory</span><span class="sh">"</span><span class="p">),</span> <span class="nc">DefaultPath</span><span class="p">(</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">),</span> <span class="p">],</span> <span class="n">port</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="nb">int</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Application port</span><span class="sh">"</span><span class="p">)]</span> <span class="o">=</span> <span class="mi">8080</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Scan the built container for HIGH and CRITICAL CVEs.</span><span class="sh">"""</span> <span class="n">container</span> <span class="o">=</span> <span class="n">dag</span><span class="p">.</span><span class="nf">acme_backend</span><span class="p">().</span><span class="nf">build</span><span class="p">(</span><span class="n">source</span><span class="o">=</span><span class="n">source</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="n">port</span><span class="p">)</span> <span class="k">return</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">trivy</span><span class="p">(</span><span class="n">version</span><span class="o">=</span><span class="n">TRIVY_VERSION</span><span class="p">).</span><span class="nf">container</span><span class="p">(</span><span class="n">container</span><span class="p">).</span><span class="nf">output</span><span class="p">(</span><span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s">table</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Install it as a third toolchain alongside <code>acme-backend</code> and <code>acme-frontend</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dagger toolchain <span class="nb">install </span>github.com/telchak/acme-dagger-modules/acme-deploy@acme-deploy/v1.0.0 </code></pre> </div> <p>With the <code>scan</code> function's <code>source</code> customized to point at <code>/backend</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-deploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github.com/telchak/acme-dagger-modules/acme-deploy@acme-deploy/v1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"customizations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"function"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"scan"</span><span class="p">],</span><span class="w"> </span><span class="nl">"argument"</span><span class="p">:</span><span class="w"> </span><span class="s2">"source"</span><span class="p">,</span><span class="w"> </span><span class="nl">"defaultPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/backend"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now <code>dagger check</code> catches CVEs alongside linting and tests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>dagger check ✔ acme-backend:lint OK ✔ acme-backend:test OK ✔ acme-frontend:lint OK ✔ acme-frontend:test OK ✔ acme-frontend:audit OK ✔ acme-deploy:scan OK <span class="c"># ← vulnerability scanning before any deploy</span> </code></pre> </div> <p>The deployment functions (<code>cloud_run</code>, <code>firebase</code>) stay as regular functions — they're not checks, because they mutate external state. Deployments happen intentionally, with full orchestration, not as part of <code>dagger check</code>.</p> <h3> Implementing the deployment step in CI </h3> <p>To actually deploy, you need a CI workflow that calls <code>acme-deploy</code>'s <code>cloud_run</code> and <code>firebase</code> functions after checks pass. This requires some GCP setup first.</p> <p><strong>Step 1: Set up Workload Identity Federation on GCP</strong></p> <p>Workload Identity Federation lets GitHub Actions authenticate to GCP without storing service account keys. Create a Workload Identity Pool and Provider tied to your GitHub repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create the Workload Identity Pool</span> gcloud iam workload-identity-pools create <span class="s2">"github"</span> <span class="se">\</span> <span class="nt">--location</span><span class="o">=</span><span class="s2">"global"</span> <span class="se">\</span> <span class="nt">--display-name</span><span class="o">=</span><span class="s2">"GitHub Actions"</span> <span class="c"># Create the OIDC Provider for GitHub</span> gcloud iam workload-identity-pools providers create-oidc <span class="s2">"github-actions"</span> <span class="se">\</span> <span class="nt">--location</span><span class="o">=</span><span class="s2">"global"</span> <span class="se">\</span> <span class="nt">--workload-identity-pool</span><span class="o">=</span><span class="s2">"github"</span> <span class="se">\</span> <span class="nt">--issuer-uri</span><span class="o">=</span><span class="s2">"https://token.actions.githubusercontent.com"</span> <span class="se">\</span> <span class="nt">--attribute-mapping</span><span class="o">=</span><span class="s2">"google.subject=assertion.sub,attribute.repository=assertion.repository"</span> <span class="se">\</span> <span class="nt">--attribute-condition</span><span class="o">=</span><span class="s2">"assertion.repository_owner == 'your-github-org'"</span> <span class="c"># Create the CI service account</span> gcloud iam service-accounts create <span class="s2">"ci-deployer"</span> <span class="se">\</span> <span class="nt">--display-name</span><span class="o">=</span><span class="s2">"CI Deployer"</span> <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span><span class="s2">"acmecorp-staging"</span> <span class="c"># Grant Cloud Run permissions (deploy services, push to Artifact Registry)</span> gcloud projects add-iam-policy-binding <span class="s2">"acmecorp-staging"</span> <span class="se">\</span> <span class="nt">--member</span><span class="o">=</span><span class="s2">"serviceAccount:ci-deployer@acmecorp-staging.iam.gserviceaccount.com"</span> <span class="se">\</span> <span class="nt">--role</span><span class="o">=</span><span class="s2">"roles/run.admin"</span> gcloud projects add-iam-policy-binding <span class="s2">"acmecorp-staging"</span> <span class="se">\</span> <span class="nt">--member</span><span class="o">=</span><span class="s2">"serviceAccount:ci-deployer@acmecorp-staging.iam.gserviceaccount.com"</span> <span class="se">\</span> <span class="nt">--role</span><span class="o">=</span><span class="s2">"roles/artifactregistry.writer"</span> <span class="c"># Grant Firebase Hosting permissions</span> gcloud projects add-iam-policy-binding <span class="s2">"acmecorp-staging"</span> <span class="se">\</span> <span class="nt">--member</span><span class="o">=</span><span class="s2">"serviceAccount:ci-deployer@acmecorp-staging.iam.gserviceaccount.com"</span> <span class="se">\</span> <span class="nt">--role</span><span class="o">=</span><span class="s2">"roles/firebase.admin"</span> <span class="c"># Cloud Run needs to pull images — grant the service agent access</span> gcloud projects add-iam-policy-binding <span class="s2">"acmecorp-staging"</span> <span class="se">\</span> <span class="nt">--member</span><span class="o">=</span><span class="s2">"serviceAccount:ci-deployer@acmecorp-staging.iam.gserviceaccount.com"</span> <span class="se">\</span> <span class="nt">--role</span><span class="o">=</span><span class="s2">"roles/iam.serviceAccountUser"</span> <span class="c"># Link the service account to the Workload Identity Pool</span> <span class="c"># This allows GitHub Actions from your repo to impersonate ci-deployer</span> gcloud iam service-accounts add-iam-policy-binding <span class="se">\</span> <span class="s2">"ci-deployer@acmecorp-staging.iam.gserviceaccount.com"</span> <span class="se">\</span> <span class="nt">--role</span><span class="o">=</span><span class="s2">"roles/iam.workloadIdentityUser"</span> <span class="se">\</span> <span class="nt">--member</span><span class="o">=</span><span class="s2">"principalSet://iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/github/attribute.repository/your-github-org/dagger-ci-demo"</span> </code></pre> </div> <p>The last command is the critical link: it tells GCP that GitHub Actions workflows running in the <code>your-github-org/dagger-ci-demo</code> repository are allowed to impersonate the <code>ci-deployer</code> service account. Without it, the OIDC token exchange will fail with a permission denied error. The <code>attribute.repository</code> condition ensures that only workflows from your specific repository can authenticate — other repositories in the same GitHub organization cannot.</p> <p><strong>Step 2: No secrets required</strong></p> <p>No GCP credentials or identifiers to store in GitHub. The WIF provider, service account, and project mappings are all encoded in the <code>acme-deploy</code> module itself — that's the whole point of centralizing deployment logic. The only values the CI workflow passes are the GitHub Actions OIDC environment variables (<code>ACTIONS_ID_TOKEN_REQUEST_TOKEN</code> and <code>ACTIONS_ID_TOKEN_REQUEST_URL</code>), which are automatically available when the workflow has <code>id-token: write</code> permission.</p> <p><strong>Step 3: CI workflow with checks + deployment</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/ci.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="c1"># Required for WIF OIDC token</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">check</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v6</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">check</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">check</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main' &amp;&amp; github.event_name == 'push'</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v6</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">call</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">&gt;-</span> <span class="s">acme-deploy cloud-run</span> <span class="s">--source=./backend</span> <span class="s">--service-name=api</span> <span class="s">--team=backend</span> <span class="s">--project-id=acmecorp-staging</span> <span class="s">--oidc-request-token=env:ACTIONS_ID_TOKEN_REQUEST_TOKEN</span> <span class="s">--oidc-request-url=env:ACTIONS_ID_TOKEN_REQUEST_URL</span> <span class="s">--environment=staging</span> <span class="s">--region=europe-west1</span> <span class="s">--git-branch=${{ github.ref_name }}</span> <span class="s">--git-sha=${{ github.sha }}</span> </code></pre> </div> <p>The <code>check</code> job runs all toolchain checks (lint, test, audit, scan). The <code>deploy</code> job only runs on pushes to <code>main</code>, after checks pass. No <code>google-github-actions/auth</code> step needed — the <code>acme-deploy</code> module handles the OIDC token exchange internally via the <code>gcp-auth</code> Dagger module. GitHub Actions automatically exposes <code>ACTIONS_ID_TOKEN_REQUEST_TOKEN</code> and <code>ACTIONS_ID_TOKEN_REQUEST_URL</code> when the workflow has <code>id-token: write</code> permission. The <code>gcp-auth</code> module uses the <code>oidc-token</code> module to exchange these for a GCP-compatible OIDC token, then authenticates via Workload Identity Federation. Authentication stays inside the pipeline, not in the CI glue.</p> <p><strong>Trying it locally</strong></p> <p>For local deployment testing, pass your host's gcloud config directory instead of the OIDC tokens. The <code>acme-deploy</code> module detects which authentication method to use based on the arguments you provide:</p> <blockquote> <p><strong>Artifact Registry setup:</strong> The <code>cloud-run</code> function pushes container images to Google Artifact Registry in the <code>europe-west1</code> region by default. The target repository is named <code>acme-{team}</code> (e.g. <code>acme-backend</code> for <code>--team=backend</code>), but you can override it with the <code>--repository</code> flag. If the repository doesn't exist yet, create it first:</p> <pre class="highlight shell"><code>gcloud artifacts repositories create acme-backend <span class="se">\</span> <span class="nt">--repository-format</span><span class="o">=</span>docker <span class="se">\</span> <span class="nt">--location</span><span class="o">=</span>europe-west1 <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span>acmecorp-production <span class="se">\</span> <span class="nt">--description</span><span class="o">=</span><span class="s2">"Docker images for the backend team"</span> </code></pre> <p>This creates a Docker-format repository in your GCP project. You only need to do this once per team/repository.</p> <p><strong>Cloud Run access for Firebase Hosting:</strong> In this setup, the frontend on Firebase Hosting communicates with the backend on Cloud Run through a <a href="https://firebase.google.com/docs/hosting/cloud-run" rel="noopener noreferrer">Firebase Hosting rewrite</a>. The rewrite proxies <code>/api/**</code> requests to your Cloud Run service, so the frontend uses relative URLs and never exposes the backend's address. However, Cloud Run services are private by default — they require IAM authentication for every request, including those from Firebase Hosting. Rather than granting public access (which may be blocked by your organization's IAM policies), you can disable the IAM invoker check using the <code>--disable-invoker-iam-check</code> flag on the <code>cloud-run</code> function. In a production setup, this would typically be handled by your infrastructure-as-code (Terraform, Pulumi, etc.) alongside network-level controls like VPC ingress rules.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy backend to Cloud Run</span> dagger call acme-deploy cloud-run <span class="se">\</span> <span class="nt">--source</span><span class="o">=</span>./backend <span class="se">\</span> <span class="nt">--service-name</span><span class="o">=</span>api <span class="se">\</span> <span class="nt">--team</span><span class="o">=</span>backend <span class="se">\</span> <span class="nt">--project-id</span><span class="o">=</span>acmecorp-production <span class="se">\</span> <span class="nt">--gcloud-config</span><span class="o">=</span><span class="nv">$HOME</span>/.config/gcloud <span class="se">\</span> <span class="nt">--environment</span><span class="o">=</span>production <span class="se">\</span> <span class="nt">--git-branch</span><span class="o">=</span>main <span class="se">\</span> <span class="nt">--disable-invoker-iam-check</span> <span class="c"># Deploy frontend to Firebase Hosting</span> dagger call acme-deploy firebase <span class="se">\</span> <span class="nt">--source</span><span class="o">=</span>./frontend <span class="se">\</span> <span class="nt">--service-name</span><span class="o">=</span>web <span class="se">\</span> <span class="nt">--team</span><span class="o">=</span>backend <span class="se">\</span> <span class="nt">--project-id</span><span class="o">=</span>acmecorp-production <span class="se">\</span> <span class="nt">--gcloud-config</span><span class="o">=</span><span class="nv">$HOME</span>/.config/gcloud <span class="se">\</span> <span class="nt">--environment</span><span class="o">=</span>production <span class="se">\</span> <span class="nt">--git-branch</span><span class="o">=</span>main </code></pre> </div> <p>Under the hood, <code>acme-deploy</code> calls <code>gcp-auth</code>'s <code>gcloud-container-from-host</code> function, which mounts your local Application Default Credentials into the pipeline container. No service account keys needed — just run <code>gcloud auth application-default login</code> once on your machine. The checks (<code>dagger check</code>) don't require any GCP authentication at all.</p> <h2> Module Visibility with Dagger Cloud </h2> <p><a href="https://dagger.io/cloud" rel="noopener noreferrer">Dagger Cloud</a> provides a dashboard that automatically tracks every module used across your organization. When you enable module scanning on your GitHub repositories, Dagger Cloud indexes them and shows:</p> <ul> <li>Which modules exist, their API documentation, and versions</li> <li>Which pipelines depend on which modules</li> <li>Pipeline traces linked to module function calls</li> </ul> <p>This gives the platform team visibility into module adoption without any manual tracking, which is useful for knowing when it's safe to deprecate an old version or to identify teams that haven't upgraded yet.</p> <h2> Summary: The Module Architecture </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy9qzk40bxuvxn0o70n58.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy9qzk40bxuvxn0o70n58.png" alt=" " width="800" height="446"></a><br> <em>Image generated with Google's Gemini "Nano Banana Pro"</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ┌────────────────────────────────────┐ │ Daggerverse │ │ gcp-auth, gcp-cloud-run, │ │ gcp-firebase, python-build, │ │ angular, trivy, ... │ └──────────────┬─────────────────────┘ │ ▼ ┌────────────────────────────────────┐ │ Private Modules Repo │ │ acme-backend, acme-frontend, │ │ acme-deploy │ │ │ │ Encodes: security, compliance, │ │ naming, defaults, audit, │ │ vulnerability scanning │ └──────────────┬─────────────────────┘ │ ┌─────────────────┼─────────────────┐ ▼ ▼ ▼ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ Service A │ │ Service B │ │ Service C │ │ │ │ │ │ │ │ .dagger/ │ │ dagger.json │ │ dagger.json │ │ main.py │ │ only │ │ only │ │ │ │ │ │ │ │ Custom │ │ Toolchains │ │ Toolchains │ │ pipeline │ │ + checks │ │ + checks │ │ code │ │ │ │ │ │ (SDK) │ │ Zero code │ │ Zero code │ └──────────────┘ └──────────────┘ └──────────────┘ Full control: Standard projects: compose modules install as toolchains, in Python/Go/TS, customize via JSON, custom orchestration dagger check runs all </code></pre> </div> <p>Two consumption paths, same modules. Teams that need custom orchestration (conditional deploys, parallel builds, multi-step workflows) write a <code>.dagger/</code> pipeline module that imports the private modules via SDK code. Teams that follow the standard pattern install them as toolchains in <code>dagger.json</code> and get lint, test, and audit checks with zero code. Both paths enforce the same security, compliance, and naming rules.</p> <p>The pattern scales: public modules handle the generic complexity (GCP auth, Trivy scanning, language builds), private modules enforce your rules (naming, branch gating, vulnerability gates, resource defaults), and project pipelines stay simple, whether they're written in Python or declared in JSON. When something changes (a new compliance requirement, a GCP API deprecation, a CVE severity policy update), you update one module and every pipeline benefits on their next version bump.</p> <h2> What's Next </h2> <p>In <strong>Part 4</strong>, we'll add AI to the mix, by exploring Dagger's agentic capabilities. The modules we built today become the building blocks of a deterministic pipeline that an AI agent (Daggie) generates for you. And when that pipeline fails, coding agents (Monty for Python, Angie for Angular) analyze the error and post fix suggestions directly on the PR.</p> <p>The pipeline stays fixed, deterministic, and fast. The AI writes it, reviews it, and fixes it. We'll also approach how we could build a Spec-driven development agentic platform on top of those foundations.</p> <p>The full source code for AcmeCorp's private modules is available at <a href="https://github.com/telchak/acme-dagger-modules" rel="noopener noreferrer">github.com/telchak/acme-dagger-modules</a>. Clone it as a starting point for your own private module library.</p> <p><strong>Up Next</strong>: <a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-4-4323">Part 4: The AI-Native CI/CD Stack: Agents, Modules, and Spec-Driven Development</a></p> <p><em>This is Part 3 of a 4-part series. Follow for updates.</em></p> <p><strong>Tags</strong>: <code>#cicd</code> <code>#dagger</code> <code>#gcp</code> <code>#platform-engineering</code> <code>#modules</code></p> cicd ai devops python Sami Chibani Fri, 27 Mar 2026 00:17:57 +0000 https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-2-3e75 https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-2-3e75 <h1> Part 2: Decoupling Pipelines from Infrastructure </h1> <blockquote> <p>In a Platform Engineering world, developers shouldn't care where CI runs. The pipeline code stays the same; only the runner configuration changes.</p> </blockquote> <p>In <a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-1-58pi">Part 1</a>, we built our first Dagger pipeline: typed, testable code that runs identically on a developer's laptop and in GitHub Actions. We left off with a minimal, working CI workflow: a few lines of YAML that run <code>dagger call</code> on GitHub's shared runners, with zero infrastructure to manage.</p> <p>That setup works, but it has limits. Every job starts with a cold Dagger cache, builds share GitHub's 2-vCPU runners with the rest of the world, and there's no persistent state between runs. For a small project, that's fine. For a team shipping dozens of PRs a day, it's a bottleneck.</p> <p>This part is more SRE/Platform Engineer oriented. We'll dig into caching internals, runner infrastructure, and the operational tooling that makes Dagger viable at scale. We'll explore three approaches, each with different tradeoffs between simplicity, performance, and control.</p> <h2> The Runner Spectrum </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Approach</th> <th>Setup Time</th> <th>Cost</th> <th>Control</th> <th>Best For</th> </tr> </thead> <tbody> <tr> <td>GitHub Actions + Dagger Action</td> <td>5 minutes</td> <td>$0 (free tier)</td> <td>Low</td> <td>Getting started, small teams</td> </tr> <tr> <td>Depot.dev Managed Runners</td> <td>15 minutes</td> <td>~$0.04/min</td> <td>Medium</td> <td>Fast builds, medium teams</td> </tr> <tr> <td>Kubernetes ARC + Shared Cache</td> <td>2-4 hours</td> <td>Your infra</td> <td>Full</td> <td>Enterprise, high volume</td> </tr> </tbody> </table></div> <h2> Option 1: GitHub Actions with dagger-for-github </h2> <p>The simplest approach. Zero infrastructure to manage.</p> <p>Create <code>.github/workflows/ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v6</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and Test</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">call</span> <span class="na">args</span><span class="pi">:</span> <span class="s">all --source=.</span> </code></pre> </div> <p>The <code>dagger/dagger-for-github</code> action installs Dagger, starts the engine, and runs your command.</p> <h3> Understanding Dagger's Cache Architecture </h3> <p>Before we talk about CI runners, we need to understand how Dagger caches work, because caching is probably the single most impactful optimization you'll make. <a href="https://openmeter.io/blog/how-we-made-our-ci-pipeline-5x-faster" rel="noopener noreferrer">OpenMeter cut their CI pipeline from 25 minutes to 5 minutes</a> primarily through better caching, and the same principles apply here.</p> <p>Dagger maintains <strong>three distinct cache categories</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Cache Type</th> <th>What It Stores</th> <th>Scope</th> </tr> </thead> <tbody> <tr> <td><strong>Layers</strong></td> <td>Build instructions and results of API calls</td> <td>Content-addressed by input hash</td> </tr> <tr> <td><strong>Volumes</strong></td> <td>Persistent filesystem directories (package caches, build artifacts)</td> <td>Named, persisted across engine sessions</td> </tr> <tr> <td><strong>Function calls</strong></td> <td>Return values from module function invocations</td> <td>Keyed by function signature + arguments</td> </tr> </tbody> </table></div> <p>The engine runs a <a href="https://docs.dagger.io/reference/configuration/cache#garbage-collection" rel="noopener noreferrer">background garbage collector</a> that keeps cache storage below 75% of total disk capacity while preserving at least 20% free space. You can inspect and manage the cache manually:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View cache usage summary</span> dagger core engine local-cache entry-set <span class="c"># View detailed cache entries</span> dagger core engine local-cache entry-set entries <span class="c"># Prune all unused cache entries</span> dagger core engine local-cache prune <span class="c"># Prune using the default GC policy</span> dagger core engine local-cache prune <span class="nt">--use-default-policy</span> </code></pre> </div> <p>Now let's see how these three cache types work in practice.</p> <h4> Layer Cache: Content-Addressed Operation Caching </h4> <p>Every operation in Dagger's execution graph is cached based on the <strong>hash of its inputs</strong>. When you chain <code>.with_exec(["pip", "install", ..."])</code> after <code>.with_file("requirements.txt", ...)</code>, Dagger hashes the requirements file content and the base container state. If neither changed, the entire install step is skipped, not re-executed.</p> <p>This is similar to Docker layer caching, but with an important difference: Dagger's cache is <strong>content-addressed</strong>, not order-dependent. Docker invalidates all layers after the first changed layer. Dagger evaluates each operation independently based on its actual inputs.</p> <p><strong>The ordering trick:</strong> Just like Docker, you should place instructions that change infrequently <em>before</em> those that change often. Install dependencies before copying source code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Good: dependencies cached separately from source code </span><span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">()</span> <span class="p">.</span><span class="nf">from_</span><span class="p">(</span><span class="sh">"</span><span class="s">python:3.13-slim</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_file</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/requirements.txt</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">.</span><span class="nf">file</span><span class="p">(</span><span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-r</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Cached until requirements.txt changes </span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/src</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">.</span><span class="nf">directory</span><span class="p">(</span><span class="sh">"</span><span class="s">src</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># Only this invalidates on code changes </span><span class="p">)</span> <span class="c1"># Bad: source code change invalidates dependency install </span><span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">()</span> <span class="p">.</span><span class="nf">from_</span><span class="p">(</span><span class="sh">"</span><span class="s">python:3.13-slim</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">)</span> <span class="c1"># Any file change invalidates everything below </span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-r</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Re-runs even if requirements.txt didn't change </span><span class="p">)</span> </code></pre> </div> <p>This single reordering can save minutes per build. The layer cache lives in the Dagger engine's local storage, by default at <code>/var/lib/dagger</code>.</p> <h4> Cache Volumes: Persistent Package Manager Storage </h4> <p>Beyond layer caching, Dagger provides <strong>cache volumes</strong>: named persistent directories you mount into containers. These are the equivalent of Docker's <code>--mount=type=cache</code> but integrated into the Dagger API.</p> <p>The typical use case: package manager caches. Without a cache volume, <code>pip install</code> re-downloads every package on every run even if the layer cache misses. With a cache volume, pip finds the packages already in its local cache and skips the download.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">build_backend</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Backend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Container</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Build the FastAPI backend container.</span><span class="sh">"""</span> <span class="nf">return </span><span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">()</span> <span class="p">.</span><span class="nf">from_</span><span class="p">(</span><span class="sh">"</span><span class="s">python:3.13-slim</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_workdir</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_file</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/requirements.txt</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">.</span><span class="nf">file</span><span class="p">(</span><span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># Mount a persistent cache volume for pip's download cache. </span> <span class="c1"># dag.cache_volume("pip") creates a named volume that persists </span> <span class="c1"># across runs. pip won't re-download packages it already has. </span> <span class="p">.</span><span class="nf">with_mounted_cache</span><span class="p">(</span><span class="sh">"</span><span class="s">/root/.cache/pip</span><span class="sh">"</span><span class="p">,</span> <span class="n">dag</span><span class="p">.</span><span class="nf">cache_volume</span><span class="p">(</span><span class="sh">"</span><span class="s">python-pip</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-r</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/src</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">.</span><span class="nf">directory</span><span class="p">(</span><span class="sh">"</span><span class="s">src</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_env_variable</span><span class="p">(</span><span class="sh">"</span><span class="s">PORT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">8080</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_exposed_port</span><span class="p">(</span><span class="mi">8080</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_entrypoint</span><span class="p">([</span><span class="sh">"</span><span class="s">uvicorn</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">src.main:app</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--host</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--port</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">8080</span><span class="sh">"</span><span class="p">])</span> <span class="p">)</span> </code></pre> </div> <p>Here's the pattern for common package managers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Python (pip) </span><span class="p">.</span><span class="nf">with_mounted_cache</span><span class="p">(</span><span class="sh">"</span><span class="s">/root/.cache/pip</span><span class="sh">"</span><span class="p">,</span> <span class="n">dag</span><span class="p">.</span><span class="nf">cache_volume</span><span class="p">(</span><span class="sh">"</span><span class="s">python-pip</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-r</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Python (uv) — dramatically faster with cache </span><span class="p">.</span><span class="nf">with_mounted_cache</span><span class="p">(</span><span class="sh">"</span><span class="s">/root/.cache/uv</span><span class="sh">"</span><span class="p">,</span> <span class="n">dag</span><span class="p">.</span><span class="nf">cache_volume</span><span class="p">(</span><span class="sh">"</span><span class="s">python-uv</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">uv</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--system</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-r</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Node.js (npm) </span><span class="p">.</span><span class="nf">with_mounted_cache</span><span class="p">(</span><span class="sh">"</span><span class="s">/root/.npm</span><span class="sh">"</span><span class="p">,</span> <span class="n">dag</span><span class="p">.</span><span class="nf">cache_volume</span><span class="p">(</span><span class="sh">"</span><span class="s">node-npm</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">npm</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ci</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Go </span><span class="p">.</span><span class="nf">with_mounted_cache</span><span class="p">(</span><span class="sh">"</span><span class="s">/go/pkg/mod</span><span class="sh">"</span><span class="p">,</span> <span class="n">dag</span><span class="p">.</span><span class="nf">cache_volume</span><span class="p">(</span><span class="sh">"</span><span class="s">go-mod</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_mounted_cache</span><span class="p">(</span><span class="sh">"</span><span class="s">/root/.cache/go-build</span><span class="sh">"</span><span class="p">,</span> <span class="n">dag</span><span class="p">.</span><span class="nf">cache_volume</span><span class="p">(</span><span class="sh">"</span><span class="s">go-build</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">go</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">build</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">./...</span><span class="sh">"</span><span class="p">])</span> </code></pre> </div> <p>Cache volumes are <strong>scoped to the Dagger engine instance</strong>. On your laptop, they persist indefinitely. On an ephemeral CI runner, they need to be persisted externally (we'll cover how below).</p> <h4> How the Three Caches Stack </h4> <p>Here's what happens on a typical CI run where you changed one Python source file:</p> <ol> <li> <strong>Function call cache</strong>: checks if <code>build_backend()</code> was called with the same source directory hash. If yes, returns the cached result immediately (entire function skipped). If no, proceeds to step 2.</li> <li> <strong>Layer cache</strong>: the <code>from_("python:3.13-slim")</code> step is cached (image didn't change). The <code>with_file("requirements.txt", ...)</code> step is cached (file didn't change). The <code>pip install</code> step is cached (requirements + base image didn't change). Only the <code>with_directory("/app/src", ...)</code> step and everything after it re-runs.</li> <li> <strong>Cache volume</strong>: if the <code>pip install</code> step <em>does</em> need to re-run (e.g., you added a new dependency), pip finds most packages already downloaded in the cache volume. Only the new package is fetched.</li> </ol> <p>The result: a build that takes 3 minutes cold can drop to 30 seconds when only source code changed, and even a dependency change is fast because the volume cache eliminates most network I/O.</p> <h3> Persisting Cache on Ephemeral Runners </h3> <p>GitHub Actions runners are ephemeral. Every job starts from a clean VM. Without persistence, every run starts with a cold cache.</p> <h4> Why <code>actions/cache</code> Doesn't Work Here </h4> <p>Your first instinct might be to cache <code>/var/lib/dagger</code> with <code>actions/cache@v4</code>. Unfortunately, this doesn't work. Dagger stores its state inside a <strong>Docker volume</strong> named <code>dagger-engine</code>, not directly on the host filesystem. The path <code>/var/lib/dagger</code> only exists <em>inside</em> the engine container, not on the host where <code>actions/cache</code> can reach it.</p> <h4> The Solution: Docker Volume Caching </h4> <p>Since the Dagger engine already persists its state in a named Docker volume (<code>dagger-engine</code>), we just need a way to back up and restore that volume across ephemeral CI runs. <a href="https://github.com/BYK/docker-volume-cache-action" rel="noopener noreferrer"><code>BYK/docker-volume-cache-action</code></a> does exactly that:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v6</span> <span class="c1"># 1. Restore the Dagger engine's Docker volume from cache.</span> <span class="c1"># Use a per-job cache key so parallel matrix jobs don't</span> <span class="c1"># overwrite each other. restore-keys falls back to any</span> <span class="c1"># existing cache for this OS if the exact key doesn't match.</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Restore Dagger engine cache</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">BYK/docker-volume-cache-action/restore@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">dagger-engine-${{ runner.os }}-backend</span> <span class="na">restore-keys</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">dagger-engine-${{ runner.os }}-</span> <span class="na">volumes</span><span class="pi">:</span> <span class="s">dagger-engine</span> <span class="c1"># 2. Run Dagger — the _EXPERIMENTAL_DAGGER_RUNNER_HOST env var</span> <span class="c1"># tells the CLI to use a Docker volume named "dagger-engine"</span> <span class="c1"># for engine state. This is what makes the restore/save work.</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and Test</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">env</span><span class="pi">:</span> <span class="na">_EXPERIMENTAL_DAGGER_RUNNER_HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">docker-image://registry.dagger.io/engine:v0.20.3?volume=dagger-engine"</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">call</span> <span class="na">args</span><span class="pi">:</span> <span class="s">test-backend --source=./backend</span> <span class="c1"># 3. Stop the engine so the volume is consistent before saving</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Stop Dagger engine</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker stop $(docker ps -q -f 'name=dagger-engine') 2&gt;/dev/null || </span><span class="kc">true</span> <span class="c1"># 4. Save the volume back to cache — only on main branch.</span> <span class="c1"># PRs restore from main's cache but don't save, avoiding</span> <span class="c1"># ~1m30 of overhead per job on every pull request.</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Save Dagger engine cache</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always() &amp;&amp; github.ref == 'refs/heads/main'</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">BYK/docker-volume-cache-action/save@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">dagger-engine-${{ runner.os }}-backend</span> <span class="na">volumes</span><span class="pi">:</span> <span class="s">dagger-engine</span> </code></pre> </div> <p>A few things to note about this setup:</p> <ul> <li> <strong><code>_EXPERIMENTAL_DAGGER_RUNNER_HOST</code></strong> tells the Dagger CLI to store engine state in a Docker volume named <code>dagger-engine</code>. Without this, the CLI creates an internal volume with an auto-generated name that the cache action can't find.</li> <li> <strong>Per-job cache keys</strong> (e.g. <code>-backend</code>, <code>-frontend</code>) are important when you run parallel matrix jobs. With a shared key, the last job to save would overwrite the cache with only its own data. Per-job keys keep each job's cache independent.</li> <li> <strong>Save only on <code>main</code></strong> avoids wasting ~1m30 per job on pull requests. PRs still benefit from restoring the cache built by <code>main</code>.</li> <li> <strong><code>restore-keys</code> fallback</strong> allows a cache miss on the exact key to fall back to any cache for the same OS, which is useful when a job runs for the first time but other jobs have already populated a cache.</li> </ul> <p>On the first run, the cache is cold and everything executes. On the second run, the Docker volume is restored with all Dagger layers, cache volumes, and function call results intact, and Dagger picks up right where it left off.</p> <blockquote> <p><strong>Performance note:</strong> This approach introduces a "cold start" overhead on every job — the restore step decompresses the volume at the start, and the save step compresses it at the end. For a ~1 GB engine cache, this adds roughly 30-60 seconds per job. This overhead partially offsets Dagger's built-in caching gains, making it <strong>the least performant of the three runner options</strong>. It's a good starting point, but if build speed is critical, Depot runners or self-hosted ARC runners with persistent volumes (Options 2 and 3 below) eliminate this overhead entirely.</p> <p><strong>Note:</strong> GitHub Actions caches are scoped to a branch (with fallback to the default branch) and expire after 7 days of inactivity, with a 10 GB limit per repository. This is generous enough for most projects — but if you hit the limit, Dagger Cloud's distributed caching (covered below) is the next step.</p> </blockquote> <p><strong>The important point: none of this caching logic is CI-specific.</strong> The <code>.with_mounted_cache()</code> calls and operation ordering live in your pipeline code. They work identically on your laptop, on GitHub Actions, on Depot, or on a self-hosted runner. The only CI-specific piece is the volume cache restore/save steps that persist the engine state, and even that becomes unnecessary with persistent runners (see Options 2 and 3 below) or Dagger Cloud.</p> <h3> Dagger Cloud: Distributed Caching and Pipeline Observability </h3> <p><a href="https://dagger.io/cloud" rel="noopener noreferrer">Dagger Cloud</a> is Dagger's centralized control plane. It provides three capabilities that become increasingly valuable as your pipeline usage grows: <strong>pipeline visualization</strong>, <strong>distributed caching</strong>, and <strong>module management</strong>.</p> <h4> Why Dagger Cloud? </h4> <p>The Docker volume caching approach above works well for small projects, but has limitations:</p> <ul> <li> <strong>10 GB limit per repository</strong>: large monorepos or Docker-heavy builds can blow through this</li> <li> <strong>Branch-scoped</strong>: cache from <code>main</code> is available to PRs, but PRs don't share cache between each other</li> <li> <strong>Single runner</strong>: the cache only benefits the specific runner that uploaded it</li> <li> <strong>Save/restore overhead</strong>: compressing and decompressing a multi-GB Docker volume adds 30-60 seconds per job</li> </ul> <p>Dagger Cloud solves all of these with a <strong>distributed cache</strong> that syncs layers and volumes across every Dagger Engine connected to your organization. Cache volumes are downloaded at the start of each run and uploaded back at completion. Layers are fetched on demand as the engine needs them. This means a build on one runner benefits from the cache populated by a completely different runner, even on a different branch.</p> <p><a href="https://openmeter.io/blog/how-we-made-our-ci-pipeline-5x-faster" rel="noopener noreferrer">OpenMeter reported</a> cutting their CI from 25 minutes to 10 minutes with Dagger Cloud caching alone (a 2.5x improvement) before adding faster runners for the full 5x speedup.</p> <h4> Setting Up a Dagger Cloud Account </h4> <p><strong>Pricing:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Plan</th> <th>Cost</th> <th>Users</th> <th>Features</th> </tr> </thead> <tbody> <tr> <td><strong>Individual</strong></td> <td>Free</td> <td>1</td> <td>Pipeline visualization, traces</td> </tr> <tr> <td><strong>Team</strong></td> <td>$50/month</td> <td>Up to 10</td> <td>Visualization + distributed caching + module sharing</td> </tr> <tr> <td><strong>Enterprise</strong></td> <td>Custom</td> <td>Unlimited</td> <td>Dedicated support, SLA, advanced features</td> </tr> </tbody> </table></div> <p>All plans include a 14-day free trial of Team features.</p> <p><strong>Step 1: Create your account.</strong></p> <p>Head to <a href="https://dagger.io/cloud" rel="noopener noreferrer">dagger.io/cloud</a> and create an account directly with your GitHub or Google account. Follow the guided setup: create your organization (alphanumeric + dashes, must be unique), select a plan, and optionally invite teammates.</p> <p>You can then authenticate from the CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dagger login </code></pre> </div> <p>This opens your browser with a verification link. Confirm the unique key matches what the CLI displays, and you're connected.</p> <blockquote> <p><strong>Tip:</strong> Use your company name or team name for the organization — you can't change it later.</p> </blockquote> <p><strong>Step 2: Get your token.</strong></p> <p>Once logged in, navigate to your organization settings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://dagger.cloud/{your-org-name}/settings?tab=Tokens </code></pre> </div> <p>Click the eye icon to reveal your token. Copy it. You'll need it for CI configuration.</p> <p><strong>Step 3: Add the token to GitHub Actions.</strong></p> <p>Go to your repository → Settings → Secrets and variables → Actions → New repository secret. Name it <code>DAGGER_CLOUD_TOKEN</code> and paste your token.</p> <p><strong>Step 4: Update your workflow.</strong></p> <p>Add the <code>cloud-token</code> parameter to the Dagger action:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and Test</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">call</span> <span class="na">args</span><span class="pi">:</span> <span class="s">all --source=.</span> <span class="na">cloud-token</span><span class="pi">:</span> <span class="s">${{ secrets.DAGGER_CLOUD_TOKEN }}</span> </code></pre> </div> <p>That's it. You can now remove the volume cache restore/save steps. Dagger Cloud handles cache persistence automatically. Alternatively, keep both for redundancy during the transition.</p> <blockquote> <p>Dagger Cloud also supports GitLab CI, CircleCI, Jenkins, and Argo Workflows. The setup is the same: store <code>DAGGER_CLOUD_TOKEN</code> as a secret/variable in your CI system, and Dagger picks it up automatically via the environment variable.</p> </blockquote> <h4> Pipeline Visualization and Traces </h4> <p>Every Dagger run connected to Dagger Cloud generates a <strong>trace</strong>, a visual breakdown of your pipeline execution showing:</p> <ul> <li>Which operations executed and their duration</li> <li>Which operations were <strong>cache hits</strong> (skipped) vs <strong>cache misses</strong> (re-executed)</li> <li>Dependency relationships between operations</li> <li>Error locations and output for failed steps</li> </ul> <p>This is invaluable for optimization. Instead of guessing which steps are slow, you can see exactly where time is spent and whether your caching strategy is working. If a step that should be cached keeps re-executing, the trace will show you.</p> <p><strong>Public traces:</strong> Dagger Cloud automatically detects if traces come from public repositories and makes them publicly accessible by default. You can toggle this in organization settings under Visibility.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa5j5qip5hwvwurvw2zsx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa5j5qip5hwvwurvw2zsx.png" alt=" " width="800" height="384"></a><br> <em>Exemple of Dagger pipeline trace with Gantt view</em></p> <h4> Install the GitHub App (Optional) </h4> <p>For even tighter integration, install the <a href="https://github.com/apps/dagger-cloud" rel="noopener noreferrer">Dagger Cloud GitHub App</a>. This adds Dagger pipeline status checks directly to your pull requests, with links to the trace view for each run.</p> <h4> Module Management </h4> <p>If you publish Dagger modules (like we do in Part 3), Dagger Cloud can scan your GitHub repositories and display module information: API documentation, activity history, dependencies, and linked traces. Enable this through Settings → Git Sources → Install the GitHub Application → select repositories → Enable module scanning.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft92yaa1nra16ghz5iqpt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft92yaa1nra16ghz5iqpt.png" alt=" " width="800" height="627"></a><br> <em>Modules page view from Dagger Cloud</em></p> <p><strong>Pros:</strong> Zero infrastructure setup, free tier for individuals, works with any GitHub repository (personal or organization), automatic updates.<br> <strong>Cons:</strong> Slowest of the three options due to volume save/restore overhead on every job, shared infrastructure, 10 GB cache limit per repository (Dagger Cloud removes this limit).</p> <h2> Option 2: Depot.dev Managed Runners </h2> <p><a href="https://depot.dev/" rel="noopener noreferrer">Depot</a> provides managed GitHub runners optimized for container builds. The standout features: <a href="https://depot.dev/docs/github-actions/integrations/dagger" rel="noopener noreferrer">Dagger integration</a> with persistent caching and native arm64 support.</p> <blockquote> <p><strong>Warning:</strong> Depot runners require your repository to be part of a <strong>GitHub organization</strong>. They do not work with personal GitHub repositories. If you're working on a personal repo, you'll need to create an organization (free tier is sufficient) and transfer or fork the repository there before you can use Depot runners.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">CI (Depot)</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">depot-ubuntu-latest,dagger=0.20.3</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v6</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and Test</span> <span class="na">run</span><span class="pi">:</span> <span class="s">dagger call all --source=.</span> </code></pre> </div> <p>That's it. No <code>depot/setup-action</code>, no <code>dagger-for-github</code> action, no environment variables. By appending <code>dagger=0.20.3</code> to the <code>runs-on</code> label, Depot pre-configures the runner with the Dagger engine, persistent cache, and all necessary plumbing. You just call <code>dagger</code> directly.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F505aphokj6pr2m553ubk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F505aphokj6pr2m553ubk.png" alt=" " width="800" height="444"></a></p> <p>Depot runners have 16 CPU / 32GB RAM standard (vs GitHub's 2 CPU / 7GB), persistent NVMe caching, and native arm64 with no emulation. A build that takes 8 minutes on GitHub's free runners often completes in under 2 minutes on Depot.</p> <p><strong>Pros:</strong> 4-10x faster, persistent cache, native multi-arch, simple migration.<br> <strong>Cons:</strong> Paid service (~$0.04/minute), another vendor dependency.</p> <h2> Option 3: Self-Hosted Kubernetes with ARC </h2> <p>For maximum control, run your own runners on Kubernetes using GitHub's Actions Runner Controller (ARC).</p> <h3> Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────┐ │ Kubernetes Cluster │ │ │ │ ┌───────────────────────────────────────────────────────┐ │ │ │ ARC Controller (Namespace: arc-systems) │ │ │ └───────────────────────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ ┌───────────────────────────────────────────────────────┐ │ │ │ arc-runners namespace │ │ │ │ │ │ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ │ │ Runner 1 │ │ Runner 2 │ │ Runner 3 │ │ │ │ │ │ (pod) │ │ (pod) │ │ (pod) │ │ │ │ │ └─────┬────┘ └─────┬────┘ └─────┬────┘ │ │ │ │ │ │ │ │ │ │ │ │ kube-pod:// or Unix socket │ │ │ │ │ │ │ │ │ │ │ ┌─────▼──────────────▼──────────────▼─────┐ │ │ │ │ │ Dagger Engine (Helm chart) │ │ │ │ │ │ DaemonSet or StatefulSet │ │ │ │ │ │ │ │ │ │ │ │ /var/lib/dagger (cache) │ │ │ │ │ │ hostPath (DS) or PVC (STS) │ │ │ │ │ └─────────────────────┬───────────────────┘ │ │ │ └─────────────────────────┼─────────────────────────────┘ │ │ │ │ │ ▼ │ │ ┌─────────────────────┐ │ │ │ Dagger Cloud │ (optional) │ │ │ Magicache │ │ │ └─────────────────────┘ │ └──────────────────────────────────────────────────────────────┘ </code></pre> </div> <p>The key architectural difference from Options 1 and 2: the Dagger engine runs as a <strong>shared, long-lived process</strong> (DaemonSet or StatefulSet) rather than being started fresh inside each runner. Runner pods are lightweight: they just run the GitHub Actions runner process and connect to the engine. This separation means the engine's cache persists across jobs, and runner pods can scale independently from the engine.</p> <h3> Prerequisites: Setting Up the GitHub App </h3> <p>ARC authenticates to GitHub via a <a href="https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps" rel="noopener noreferrer">GitHub App</a>. You need to create one before deploying the infrastructure.</p> <p><strong>Step 1: Create the app.</strong></p> <p>Go to your GitHub App creation page:</p> <ul> <li> <strong>Organization</strong>: <code>https://github.com/organizations/&lt;YOUR_ORG&gt;/settings/apps/new</code> </li> <li> <strong>Personal account</strong>: <code>https://github.com/settings/apps/new</code> </li> </ul> <p>Fill in the form:</p> <ul> <li> <strong>GitHub App name</strong>: something descriptive like <code>ARC Dagger Runners</code> </li> <li> <strong>Homepage URL</strong>: your organization's URL</li> <li> <strong>Webhook</strong>: uncheck <strong>Active</strong> (ARC doesn't use webhooks)</li> </ul> <p>Set the required <strong>Repository permissions</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Permission</th> <th>Access</th> </tr> </thead> <tbody> <tr> <td><strong>Actions</strong></td> <td>Read-only</td> </tr> <tr> <td><strong>Administration</strong></td> <td>Read &amp; write</td> </tr> <tr> <td><strong>Checks</strong></td> <td>Read-only</td> </tr> <tr> <td><strong>Metadata</strong></td> <td>Read-only</td> </tr> </tbody> </table></div> <p>If your runners will be shared across an <strong>organization</strong> (recommended), also set this <strong>Organization permission</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Permission</th> <th>Access</th> </tr> </thead> <tbody> <tr> <td><strong>Self-hosted runners</strong></td> <td>Read &amp; write</td> </tr> </tbody> </table></div> <p>Under "Where can this GitHub App be installed?", choose <strong>Only on this account</strong>. Click <strong>Create GitHub App</strong>.</p> <p>On the app's settings page, note the <strong>App ID</strong> (displayed near the top). Then scroll to <strong>Private keys</strong> and click <strong>Generate a private key</strong>. Save the <code>.pem</code> file securely.</p> <p><strong>Step 2: Install the app.</strong></p> <p>For an <strong>organization</strong> (all repos can use the runners):</p> <ol> <li>Go to <code>https://github.com/organizations/&lt;YOUR_ORG&gt;/settings/apps</code> </li> <li>Click <strong>Configure</strong> next to your app</li> <li>Under <strong>Repository access</strong>, choose <strong>All repositories</strong> (or select specific ones)</li> <li>Click <strong>Save</strong> </li> <li>Note the <strong>Installation ID</strong> from the URL: <code>.../installations/&lt;INSTALLATION_ID&gt;</code> </li> </ol> <p>For a <strong>single repository</strong>:</p> <ol> <li>Go to <code>https://github.com/&lt;OWNER&gt;/&lt;REPO&gt;/settings/installations</code> </li> <li>Click <strong>Configure</strong> next to your app</li> <li>Note the <strong>Installation ID</strong> from the URL</li> </ol> <p>The <code>gh_config_url</code> in the Terraform module should match the scope:</p> <ul> <li>Organization: <code>https://github.com/your-org</code> </li> <li>Single repo: <code>https://github.com/your-org/your-repo</code> </li> </ul> <blockquote> <p><strong>Tip:</strong> Start with organization-level installation even if you only have one repo today. It's easier to add repos later without changing the Terraform configuration.</p> </blockquote> <h3> Terraform Setup </h3> <p>Writing the raw Helm releases and Kubernetes resources by hand gives you full understanding of the moving parts, but for production use, you want a reusable module that handles the boilerplate. We've open-sourced one that builds on the same GKE and ARC foundations as the official <a href="https://github.com/terraform-google-modules/terraform-google-github-actions-runners" rel="noopener noreferrer">terraform-google-github-actions-runners</a> module and adds Dagger-specific features.</p> <p><strong>Full source</strong>: <a href="https://github.com/telchak/terraform-dagger-runners" rel="noopener noreferrer">github.com/telchak/terraform-dagger-runners</a></p> <p>The module is organized in three layers:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Module path</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td> <strong>Engine</strong> (root)</td> <td><code>/</code></td> <td>Deploys Dagger engines via Helm. CI-agnostic, cloud-agnostic.</td> </tr> <tr> <td><strong>CI platform</strong></td> <td><code>modules/github/</code></td> <td>Adds ARC controller + runner scale sets. Calls root for engine.</td> </tr> <tr> <td><strong>Cloud</strong></td> <td><code>modules/github/gke/</code></td> <td>Provisions a GKE cluster. Calls CI platform module.</td> </tr> </tbody> </table></div> <p>You pick the layer that matches your situation. Need a full GKE cluster? Use <code>modules/github/gke/</code>. Already have a Kubernetes cluster (GKE, EKS, AKS, on-premise)? Use <code>modules/github/</code> directly.</p> <blockquote> <p><strong>Required Google APIs</strong> — If you're provisioning a GKE cluster for self-hosted runners, enable these APIs on your GCP project:</p> <pre class="highlight shell"><code>gcloud services <span class="nb">enable</span> <span class="se">\</span> container.googleapis.com <span class="se">\</span> compute.googleapis.com <span class="se">\</span> iam.googleapis.com <span class="se">\</span> cloudresourcemanager.googleapis.com </code></pre> <ul> <li> <strong>Kubernetes Engine API</strong> (<code>container.googleapis.com</code>) — create and manage GKE clusters</li> <li> <strong>Compute Engine API</strong> (<code>compute.googleapis.com</code>) — provision VMs, networks, and disks</li> <li> <strong>IAM API</strong> (<code>iam.googleapis.com</code>) — service accounts for nodes and workload identity</li> <li> <strong>Cloud Resource Manager API</strong> (<code>cloudresourcemanager.googleapis.com</code>) — project-level operations</li> </ul> </blockquote> <h4> Scenario A: Create a new GKE cluster with runners </h4> <p>This is the all-in-one option. The module provisions the GKE cluster, networking, ARC controller, runner scale sets, and Dagger engines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"dagger-runners"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"github.com/telchak/terraform-dagger-runners//modules/github/gke?ref=v0.1.0"</span> <span class="c1"># GCP</span> <span class="nx">project_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-central1"</span> <span class="nx">create_network</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="s2">"n2-standard-4"</span> <span class="c1"># 4 vCPU, 16 GB RAM — fits ~15 runners</span> <span class="nx">disk_size_gb</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">min_node_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">max_node_count</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">spot</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Safe with StatefulSet — cache is on PVC</span> <span class="c1"># GitHub App credentials from Step 1 &amp; 2 above.</span> <span class="c1"># Store these in terraform.tfvars (git-ignored) or use TF_VAR_ env vars.</span> <span class="nx">gh_app_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">gh_app_id</span> <span class="nx">gh_app_installation_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">gh_app_installation_id</span> <span class="nx">gh_app_private_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">gh_app_private_key</span> <span class="nx">gh_config_url</span> <span class="p">=</span> <span class="s2">"https://github.com/your-org"</span> <span class="c1"># org or repo URL</span> <span class="c1"># Each version gets its own runner scale set with a unique label.</span> <span class="c1"># Use runs-on: dagger-v0.20 in your workflows.</span> <span class="nx">dagger_versions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.20.3"</span><span class="p">]</span> <span class="nx">min_runners</span> <span class="p">=</span> <span class="mi">0</span> <span class="c1"># Scale to zero when idle</span> <span class="nx">max_runners</span> <span class="p">=</span> <span class="mi">10</span> <span class="c1"># StatefulSet mode: persistent PVC cache per engine version.</span> <span class="c1"># Cache survives pod restarts, node preemptions, and scale-downs.</span> <span class="c1"># Runners connect to the engine via kube-pod:// protocol.</span> <span class="nx">engine_mode</span> <span class="p">=</span> <span class="s2">"statefulset"</span> <span class="nx">persistent_cache_size</span> <span class="p">=</span> <span class="s2">"100Gi"</span> <span class="nx">persistent_cache_storage_class_name</span> <span class="p">=</span> <span class="s2">"premium-rwo"</span> <span class="c1"># GKE SSD-backed PD</span> <span class="c1"># Runner pod resources — runners are lightweight (they just connect</span> <span class="c1"># to the shared Dagger engine), so requests are minimal.</span> <span class="nx">runner_size_templates</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">""</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">runner_requests</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"50m"</span><span class="p">,</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"256Mi"</span> <span class="p">}</span> <span class="nx">runner_limits</span> <span class="p">=</span> <span class="p">{}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Optional: Dagger Cloud for distributed caching + traces</span> <span class="nx">dagger_cloud_token</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">dagger_cloud_token</span> <span class="p">}</span> </code></pre> </div> <h4> Scenario B: Deploy onto an existing Kubernetes cluster </h4> <p>If you already have a Kubernetes cluster (GKE, EKS, AKS, on-premise, k3s), use <code>modules/github/</code> directly. You configure the <code>kubernetes</code> and <code>helm</code> providers yourself; the module deploys only the ARC controller, runner scale sets, and Dagger engines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"dagger-runners"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"github.com/telchak/terraform-dagger-runners//modules/github?ref=v0.1.0"</span> <span class="c1"># GitHub App credentials from Step 1 &amp; 2 above.</span> <span class="nx">gh_app_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">gh_app_id</span> <span class="nx">gh_app_installation_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">gh_app_installation_id</span> <span class="nx">gh_app_private_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">gh_app_private_key</span> <span class="nx">gh_config_url</span> <span class="p">=</span> <span class="s2">"https://github.com/your-org"</span> <span class="nx">dagger_versions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.20.3"</span><span class="p">]</span> <span class="nx">min_runners</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">max_runners</span> <span class="p">=</span> <span class="mi">10</span> <span class="c1"># DaemonSet mode (default): simplest setup, no PVC needed.</span> <span class="c1"># One engine per node, ephemeral cache at /var/lib/dagger on the host.</span> <span class="c1"># Works on any cluster without a StorageClass.</span> <span class="nx">engine_mode</span> <span class="p">=</span> <span class="s2">"daemonset"</span> <span class="c1"># Or use StatefulSet mode for persistent cache:</span> <span class="c1"># engine_mode = "statefulset"</span> <span class="c1"># persistent_cache_size = "100Gi"</span> <span class="c1"># Leave persistent_cache_storage_class_name empty to use the cluster's</span> <span class="c1"># default StorageClass, or set it explicitly:</span> <span class="c1"># GKE: "premium-rwo"</span> <span class="c1"># EKS: "gp3"</span> <span class="c1"># AKS: "managed-premium"</span> <span class="c1"># On-premise: "longhorn", "rook-ceph-block", etc.</span> <span class="c1"># Optional: Dagger Cloud for distributed caching + traces</span> <span class="c1"># dagger_cloud_token = var.dagger_cloud_token</span> <span class="p">}</span> </code></pre> </div> <p>This is the option to use when you manage your own infrastructure, or when running on a cloud provider the module doesn't have a dedicated cloud layer for yet (e.g. AWS, Azure). The interface is identical; only the cluster provisioning is your responsibility.</p> <h4> Step 3: Deploy </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Store credentials safely — never commit the private key.</span> <span class="nb">export </span><span class="nv">TF_VAR_gh_app_private_key</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">cat</span> /path/to/your-app.pem<span class="si">)</span><span class="s2">"</span> terraform init terraform plan <span class="se">\</span> <span class="nt">-var</span><span class="o">=</span><span class="s2">"project_id=my-project"</span> <span class="se">\</span> <span class="nt">-var</span><span class="o">=</span><span class="s2">"gh_app_id=123456"</span> <span class="se">\</span> <span class="nt">-var</span><span class="o">=</span><span class="s2">"gh_app_installation_id=12345678"</span> terraform apply </code></pre> </div> <blockquote> <p><strong>Tip:</strong> If you manage your GitHub App secret through an external system like HashiCorp Vault or <a href="https://external-secrets.io/" rel="noopener noreferrer">External Secrets Operator</a>, you can pass <code>gh_app_existing_secret_name</code> instead of the credentials — the module will reference the pre-existing Kubernetes secret and skip creating one.</p> </blockquote> <p>The module handles: ARC controller, runner scale sets, Dagger engine deployment (via the official Dagger Helm chart), StatefulSet RBAC, VPA, Dagger Cloud secret injection, and failed pod cleanup. The key Dagger-specific features:</p> <ul> <li> <strong><code>dagger_versions</code></strong>: list of Dagger engine versions to deploy. Each version creates exact labels (<code>dagger-v0.20.3</code>), minor aliases (<code>dagger-v0.20</code> pointing to the latest patch), and a <code>dagger-latest</code> label pointing to the newest version overall.</li> <li> <strong>Engine modes</strong>: <code>daemonset</code> (one engine per node, ephemeral hostPath cache) or <code>statefulset</code> (one engine per version, persistent PVC cache). StatefulSet is recommended for Spot instances and when cache warmth matters.</li> <li> <strong><code>_EXPERIMENTAL_DAGGER_RUNNER_HOST</code></strong>: automatically set on each runner to point at the correct Dagger engine for that scale set (Unix socket for DaemonSet, <code>kube-pod://</code> for StatefulSet).</li> <li> <strong>Dagger Cloud token</strong>: injected as a Kubernetes secret and set as <code>DAGGER_CLOUD_TOKEN</code> env var on runner pods when provided. Also enables Magicache on the engine.</li> </ul> <h4> Multi-Version Runners </h4> <p>One of the most powerful features is running multiple Dagger versions side-by-side. This is invaluable during version upgrades, as teams can migrate repositories at their own pace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Deploy two versions simultaneously</span> <span class="nx">dagger_versions</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"0.19.5"</span><span class="p">,</span> <span class="s2">"0.20.3"</span><span class="p">]</span> </code></pre> </div> <p>This creates five runner scale sets: exact versions, minor aliases, and a latest pointer:</p> <ul> <li> <code>runs-on: dagger-v0.19.5</code>: exact, pinned to 0.19.5</li> <li> <code>runs-on: dagger-v0.19</code>: minor alias, points to 0.19.5</li> <li> <code>runs-on: dagger-v0.20.3</code>: exact, pinned to 0.20.3</li> <li> <code>runs-on: dagger-v0.20</code>: minor alias, points to 0.20.3</li> <li> <code>runs-on: dagger-latest</code>: always the newest version (0.20.3)</li> </ul> <p>Teams that want reproducibility pin to an exact version. Teams that want automatic patch updates use the minor alias. Repositories that just need "whatever is current" use <code>dagger-latest</code>.</p> <h4> Runner Size Templates </h4> <p>By default, runner pods have no resource constraints, so they get <code>BestEffort</code> QoS and are the first to be evicted under memory pressure. For production workloads, the module supports <strong>size templates</strong> that define resource requests and limits per runner. Each label gets a size suffix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">runner_size_templates</span> <span class="err">=</span> <span class="p">{</span> <span class="c1"># Default size (no suffix): runs-on: dagger-v0.20</span> <span class="s2">""</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">runner_requests</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"50m"</span><span class="p">,</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"256Mi"</span> <span class="p">}</span> <span class="nx">runner_limits</span> <span class="p">=</span> <span class="p">{}</span> <span class="p">}</span> <span class="c1"># Large size (suffix): runs-on: dagger-v0.20-large</span> <span class="nx">large</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">runner_requests</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"250m"</span><span class="p">,</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"512Mi"</span> <span class="p">}</span> <span class="nx">runner_limits</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"1"</span><span class="p">,</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"1Gi"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Runner pods are lightweight: they only run the GitHub Actions runner process. The Dagger engine runs separately as a DaemonSet or StatefulSet and is shared across all runners. This separation means you don't need to give runner pods large CPU/memory allocations; the engine handles the heavy lifting independently.</p> <p>With the above templates and <code>dagger_versions = ["0.20.3"]</code>, you get six labels: <code>dagger-v0.20.3</code>, <code>dagger-v0.20</code>, <code>dagger-latest</code> (default size), and <code>dagger-v0.20.3-large</code>, <code>dagger-v0.20-large</code>, <code>dagger-latest-large</code>. Teams pick the size that matches their workload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">lint</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">dagger-v0.20</span> <span class="c1"># default size — fast checks</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">dagger-v0.20-large</span> <span class="c1"># heavy builds with work outside Dagger</span> </code></pre> </div> <h4> Node Sizing </h4> <p>The minimum viable node is <strong>2 vCPU / 8 GB RAM</strong>, but larger nodes are more cost-efficient because they amortize system pod overhead (kube-dns, ARC controller, Dagger engine) across more runner pods:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Machine type</th> <th>vCPU</th> <th>RAM</th> <th>Runners per node</th> <th>Best for</th> </tr> </thead> <tbody> <tr> <td><code>e2-standard-2</code></td> <td>2</td> <td>8 GB</td> <td>~5</td> <td>Dev/test, low concurrency</td> </tr> <tr> <td><code>n2-standard-4</code></td> <td>4</td> <td>16 GB</td> <td>~15</td> <td>Small teams</td> </tr> <tr> <td><code>n2-standard-8</code></td> <td>8</td> <td>32 GB</td> <td>~30</td> <td>Medium teams, multi-version</td> </tr> <tr> <td><code>n2-standard-16</code></td> <td>16</td> <td>64 GB</td> <td>~50+</td> <td>Large teams, high concurrency</td> </tr> </tbody> </table></div> <blockquote> <p>Runner counts assume 50m CPU / 256Mi memory requests per runner and ~1.5 vCPU / 2 GB overhead for system pods + engine. Actual capacity depends on your workload.</p> </blockquote> <h3> Caching: Engine Modes and Dagger Cloud </h3> <p>With self-hosted runners, you choose how the Dagger engine stores its cache, and the Terraform module supports all options:</p> <p><strong>DaemonSet mode</strong> (simplest): <code>engine_mode = "daemonset"</code>. One engine per node, cache on the host disk via <code>hostPath</code>. No PVC needed; works on any cluster. Cache is ephemeral: lost when the node is recycled. Best for stable node pools or when Dagger Cloud handles cache persistence.</p> <p><strong>StatefulSet mode</strong> (persistent): <code>engine_mode = "statefulset"</code>. One engine per Dagger version, cache on a PVC managed by the Helm chart. Cache survives pod restarts, node preemptions, and scale-downs. Runners connect via <code>kube-pod://</code> protocol (RBAC created automatically). Best for Spot instances and when cache warmth is critical.</p> <p><strong>Dagger Cloud</strong> (complementary): Set <code>dagger_cloud_token</code> in the module. <a href="https://docs.dagger.io/cloud/magicache" rel="noopener noreferrer">Magicache</a> syncs cache layers across all engines connected to your organization, even across clusters and regions. You also get the trace UI and module management described earlier. Works with <strong>both</strong> DaemonSet and StatefulSet modes.</p> <p>You can combine them: StatefulSet for fast local cache on PVC + Dagger Cloud for cross-cluster sharing and observability. This is the recommended production setup.</p> <h3> Vertical Pod Autoscaler (VPA) </h3> <p>Getting resource requests right for the Dagger engine is tricky. Too low and the scheduler under-provisions nodes; too high and you waste capacity. The module includes optional <strong>Vertical Pod Autoscaler</strong> support to solve this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Enable VPA on the cluster (GKE-specific, creates the VPA objects automatically)</span> <span class="nx">enable_vertical_pod_autoscaling</span> <span class="err">=</span> <span class="kc">true</span> <span class="c1"># Start in recommendation-only mode — no automatic resizing</span> <span class="nx">vpa_update_mode</span> <span class="err">=</span> <span class="s2">"Off"</span> </code></pre> </div> <p>With <code>vpa_update_mode = "Off"</code>, the VPA controller observes actual engine resource usage and produces recommendations without touching the pods. You can inspect them with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get vpa <span class="nt">-n</span> arc-runners <span class="nt">-o</span> yaml </code></pre> </div> <p>Look for the <code>recommendation</code> section, which shows <code>target</code>, <code>lowerBound</code>, and <code>upperBound</code> for CPU and memory. After a few days of representative workload, use these values to tune <code>dagger_engine_requests</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Apply the VPA recommendations to your engine requests</span> <span class="nx">dagger_engine_requests</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"500m"</span> <span class="c1"># from VPA target recommendation</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"16Gi"</span> <span class="c1"># from VPA target recommendation</span> <span class="p">}</span> </code></pre> </div> <h4> In-Place Pod Resizing (Kubernetes 1.33+) </h4> <p>Starting with Kubernetes 1.33, the <strong>InPlacePodVerticalScaling</strong> feature gate enables resizing pod resources without restarting them. This is particularly valuable for the Dagger engine, since a restart means losing in-memory state and warming the cache from disk. The module supports this via:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">vpa_update_mode</span> <span class="err">=</span> <span class="s2">"InPlaceOrRecreate"</span> </code></pre> </div> <p>With this mode, the VPA will resize the engine pod's CPU and memory in place when possible, falling back to a recreate only if the node can't accommodate the new size. This feature graduates to GA in <strong>Kubernetes 1.35</strong>, at which point it works without any feature gate configuration.</p> <blockquote> <p><strong>Tip:</strong> Start with <code>"Off"</code> to collect recommendations, then move to <code>"InPlaceOrRecreate"</code> once you're confident in the VPA's suggestions and your cluster supports it. This gives you automatic right-sizing without engine downtime.</p> </blockquote> <h3> Scale to Zero </h3> <p>The <code>min_runners = 0</code> setting means no idle runners consuming resources. Combined with <code>min_node_count = 0</code> on the GKE node pool and cluster autoscaling, this creates fully elastic CI infrastructure that costs nearly nothing when idle.</p> <p><strong>Pros:</strong> Full control, scale to zero, private networks, infrastructure as code, multi-version Dagger support.<br> <strong>Cons:</strong> Initial setup complexity, Kubernetes expertise required, you manage updates.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjmxigrgpfb578fdhz2ox.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjmxigrgpfb578fdhz2ox.jpg" alt=" " width="800" height="436"></a><br> <em>Image generated with Google's Gemini Imagen "Nano Banana Pro"</em></p> <h2> Choosing Your Path </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>If you...</th> <th>Choose...</th> </tr> </thead> <tbody> <tr> <td>Are just starting with Dagger</td> <td>GitHub Actions + Dagger Action</td> </tr> <tr> <td>Need fast builds without infra work</td> <td>Depot.dev</td> </tr> <tr> <td>Have Kubernetes expertise and volume</td> <td>Self-hosted ARC</td> </tr> <tr> <td>Need air-gapped or private network</td> <td>Self-hosted ARC</td> </tr> <tr> <td>Want the best of both worlds</td> <td>Depot for dev, ARC for production</td> </tr> </tbody> </table></div> <p><strong>Dagger Cloud</strong> is orthogonal to the runner choice and works with all three options. Start with the free Individual plan for pipeline visualization and traces. Upgrade to Team ($50/month) when you need distributed caching across runners or when the <code>actions/cache</code> 10 GB limit becomes a bottleneck.</p> <p>Your pipeline code doesn't change. Only the runner configuration does. That's the decoupling that matters.</p> <h2> What's Next </h2> <p>In <strong>Part 3</strong>, we'll build a library of reusable Dagger modules: GCP Auth, Artifact Registry, Cloud Run, and Firebase Hosting. These modules compose into a single pipeline that deploys both our Angular frontend and FastAPI backend.</p> <p>The modules will work on all three runner setups we just configured.</p> <p><strong>Up Next</strong>: <a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-3-9ge">Part 3: From Scripts to a Platform: Your CI/CD Module Library</a></p> <p><em>This is Part 2 of a 4-part series. Follow for updates.</em></p> <p><strong>Tags</strong>: <code>#cicd</code> <code>#dagger</code> <code>#kubernetes</code> <code>#github-actions</code> <code>#platform-engineering</code></p> cicd ai devops python Sami Chibani Fri, 27 Mar 2026 00:16:43 +0000 https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-1-58pi https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-1-58pi <h1> Part 1: The CI/CD Bottleneck Nobody Talks About </h1> <blockquote> <p>Platform Engineering matured how we provision infrastructure. It hasn't touched how we build and deploy code.</p> </blockquote> <p>CI/CD was, a decade ago, at the heart of the DevOps revolution. It deeply transformed the way we ship software by providing continuous automation workflows from code to production. It hasn't changed much since then. And like every tool that has been continuously used for so long, the more years pass, the more the flaws and frustrations seem obvious. The "traditional" way of building CI/CD nowadays often feels cumbersome and rusty.</p> <p>Among the almost always recurrent flaws that any DevOps engineer has witnessed:</p> <ul> <li><p><strong>Lack of development ergonomics.</strong> For most technologies, the only way to really test pipelines is by pushing the code to the server, waiting, and iterating. It's inefficient and time-consuming. The feedback loop for CI/CD code is worse than for any other code in your organization.</p></li> <li><p><strong>YAML sprawl.</strong> As soon as pipelines require more logic and complexity, you rapidly end up with thousands of YAML files to maintain across repositories, each slightly different, each owned by whoever touched it last.</p></li> <li><p><strong>Opaque failure investigation.</strong> When things go wrong in a pipeline, there is no intelligence. Developers sift through thousands of log lines to manually investigate, with no programmatic way to diagnose or recover.</p></li> </ul> <p>Meanwhile, Infrastructure-as-Code solved provisioning. GitOps solved configuration drift. Internal Developer Platforms gave teams golden paths for spinning up services, databases, and environments. But open any repository in your organization and look at the CI/CD: it's still bespoke YAML. In a world where platform teams build abstractions for everything else, CI/CD remains the one piece of developer infrastructure that every team reinvents from scratch.</p> <p>This series explores what a CI/CD pipeline could look like in 2026, one that addresses all three of these flaws, at the intersection of Platform Engineering and AI agents. To do that, we'll use one of the most exciting tools I've seen in the CI/CD landscape in a long time: <a href="https://dagger.io" rel="noopener noreferrer">Dagger</a>. Dagger reimagines pipelines as typed functions written in real programming languages, running inside containers with deterministic caching, portable across any CI engine. But what makes it particularly relevant for this series is that it doesn't stop at build automation: it has native LLM integration, a composable module system, and an emerging agent ecosystem that lets you go from reusable pipeline modules to AI-powered CI/CD workflows. It's the right tool to explore what happens when Platform Engineering meets AI agents in the CI/CD space.</p> <p>We'll build pipelines as real code, decouple them from the infrastructure they run on, package them as reusable modules, and eventually compose AI agents that handle review, build, and deployment from a single natural language command.</p> <h3> The Series at a Glance </h3> <p>This is a 4-part series. Each part builds on the previous one, progressively transforming how we think about CI/CD:</p> <ol> <li><p><strong>Part 1 (this article)</strong>: Pipelines as real code. We replace YAML with typed, testable, locally-runnable pipeline functions using <a href="https://dagger.io" rel="noopener noreferrer">Dagger</a>, and build a complete CI/CD pipeline for an Angular + FastAPI stack deployed to Google Cloud.</p></li> <li><p><strong><a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-2-3e75">Part 2: Decoupling Pipelines from Infrastructure</a></strong>: Same pipeline code, different runners. We explore three options for scaling: GitHub Actions (free tier), managed runners with Depot.dev, and self-hosted Kubernetes runners with ARC, including a Terraform module for production deployments.</p></li> <li><p><strong><a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-3-9ge">Part 3: From Scripts to a Platform: Your CI/CD Module Library</a></strong>: Modules as the unit of CI/CD reuse. We build a two-layer architecture: public daggerverse modules for generic operations (GCP Auth, Cloud Run, Firebase) wrapped by private organizational modules that enforce compliance, security, and conventions.</p></li> <li><p><strong><a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-4-4323">Part 4: The AI-Native CI/CD Stack: Agents, Modules, and Spec-Driven Development</a></strong>: We leverage the agentic capabilities of Dagger to enhance the developer experience, automate CI failure remediation, and explore what an Internal Developer Factory looks like when built on Spec-Driven Development principles. The pipeline itself stays fast and deterministic, with no LLM in the hot path.</p></li> </ol> <p>But first: let's look at the root cause.</p> <h2> The YAML Illusion </h2> <p>YAML-based CI/CD looks simple. A few lines, a <code>run:</code> step, and you have a pipeline. But that simplicity is an illusion. The moment a real-world project needs conditional logic, secret management, reusable workflows, matrix builds, or cross-repository dependencies, every CI platform reaches for its own layer of abstractions on top of YAML.</p> <p>GitHub Actions has reusable workflows, composite actions, and a marketplace of third-party actions you import by reference. GitLab CI has <code>include:</code>, <code>extends:</code>, and multi-project pipelines. CircleCI has orbs. Azure DevOps has templates and task groups. Each platform reinvented inheritance, composition, and parameterization (poorly) on top of a configuration format that was never designed for it.</p> <p>The result is a system that is declarative in appearance but imperative in practice. A developer looking at a <code>.github/workflows/deploy.yml</code> that imports three reusable workflows, each with their own <code>if:</code> conditions and secret references, is not reading a simple configuration file. They're reading a distributed program written in a language with no type system, no IDE support, no debugger, and no way to run it locally.</p> <p>This is the fundamental problem: <strong>CI/CD, as it exists today, is not part of the software factory.</strong> It sits outside the development workflow. It can't be run on a developer's machine. It can't be unit tested. It can't be refactored with confidence. It can't be debugged step by step. It doesn't benefit from the tooling, the practices, or the discipline that every other piece of software in the organization does.</p> <p>And yet it's the most critical automation in your delivery chain, the one that decides whether code reaches production.</p> <h2> CI/CD as Software </h2> <p>The fix isn't a better YAML syntax. It's a paradigm shift: <strong>treat CI/CD as an integral part of the software factory.</strong></p> <p>That means CI/CD primitives (building a container, running tests, publishing an artifact, deploying a service) should be programmatic abstractions. Written in real programming languages. With types, functions, imports, error handling. Runnable on a developer's laptop. Testable. Debuggable. Versioned alongside the application code. Reviewable in the same pull request.</p> <p>This is what Dagger does. It decomposes CI/CD operations into typed functions, available through SDKs in Python, Go, and TypeScript. A pipeline is not a configuration file interpreted by a remote server. It's code that runs inside containers, with content-addressed caching at every step.</p> <blockquote> <p><strong>A note on language choice</strong> — Throughout this series, we'll use Python for all our examples. But everything we write here works identically in Go, TypeScript, or Java. Dagger's SDKs expose the same API surface and the same types across all supported languages — the pipeline behavior is determined by the engine, not the SDK. Pick the language your team is most comfortable with.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Annotated</span> <span class="kn">import</span> <span class="n">dagger</span> <span class="kn">from</span> <span class="n">dagger</span> <span class="kn">import</span> <span class="n">Doc</span><span class="p">,</span> <span class="n">dag</span><span class="p">,</span> <span class="n">function</span><span class="p">,</span> <span class="n">object_type</span> <span class="nd">@object_type</span> <span class="k">class</span> <span class="nc">MyPipeline</span><span class="p">:</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">build</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Application source code</span><span class="sh">"</span><span class="p">)],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Container</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Build the application container.</span><span class="sh">"""</span> <span class="nf">return </span><span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">()</span> <span class="p">.</span><span class="nf">from_</span><span class="p">(</span><span class="sh">"</span><span class="s">python:3.12-slim</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_workdir</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-r</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">with_entrypoint</span><span class="p">([</span><span class="sh">"</span><span class="s">python</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">main.py</span><span class="sh">"</span><span class="p">])</span> <span class="p">)</span> </code></pre> </div> <p>This is a typed, composable function that:</p> <ul> <li>Runs on your laptop with <code>dagger call build --source=.</code> </li> <li>Runs in GitHub Actions with the exact same command</li> <li>Runs in GitLab CI with the exact same command</li> <li>Can be debugged, unit tested, and refactored like any other code</li> </ul> <p>No YAML translation. No platform-specific quirks. The same code, the same command, everywhere.</p> <p>The shift is subtle but significant. CI/CD is no longer a separate discipline with its own language, its own debugging workflow, and its own specialists. It's software. Developers can read it, understand it, modify it, and run it, the same way they do with application code. That's the self-service promise of Platform Engineering applied to the one area it hadn't reached yet.</p> <h2> Three Properties That Make It Work </h2> <p>When CI/CD becomes software, three properties emerge that YAML pipelines fundamentally cannot provide.</p> <h3> 1. Container-Based Execution </h3> <p>Every operation happens inside a container. When you write:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">().</span><span class="nf">from_</span><span class="p">(</span><span class="sh">"</span><span class="s">python:3.12-slim</span><span class="sh">"</span><span class="p">).</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">pytest</span><span class="sh">"</span><span class="p">])</span> </code></pre> </div> <p>You're building a container execution graph. The engine takes this graph and executes it efficiently. Your pipeline is reproducible (same inputs, same outputs), isolated (no "works on my machine"), and portable (containers run anywhere).</p> <p>This is what enables local execution. The same container graph that runs on a CI runner runs on your laptop. No emulation, no mocking, just the real thing. A developer can iterate on a pipeline the same way they iterate on application code: change, run, observe, repeat. The feedback loop goes from "push and wait 10 minutes" to "run and see in seconds."</p> <h3> 2. Content-Addressed Caching </h3> <p>Every operation is cached based on the hash of its inputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Application source code</span><span class="sh">"</span><span class="p">)],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Run tests with intelligent caching.</span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">await </span><span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">()</span> <span class="p">.</span><span class="nf">from_</span><span class="p">(</span><span class="sh">"</span><span class="s">python:3.12-slim</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">)</span> <span class="c1"># Cached if source unchanged </span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-r</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Cached if requirements unchanged </span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pytest</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Only re-runs if dependencies changed </span> <span class="p">.</span><span class="nf">stdout</span><span class="p">()</span> <span class="p">)</span> </code></pre> </div> <p>Change a test file? Only the test execution re-runs. Change <code>requirements.txt</code>? Dependencies reinstall, but the base image stays cached. This is content-addressed: Dagger hashes the actual content, not timestamps.</p> <p>Because it's deterministic, caching works identically on your laptop and in CI. A developer running <code>dagger call test --source=.</code> after changing one test file gets the same instant feedback a CI runner would, with no cold start and no full rebuild.</p> <h3> 3. A Module System </h3> <p>Modules are reusable pipeline components that can be published and shared:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Use a published module</span> dagger call <span class="nt">-m</span> github.com/purpleclay/daggerverse/golang@v0.5.0 build <span class="nt">--source</span><span class="o">=</span><span class="nb">.</span> <span class="c"># Or reference your own</span> dagger call <span class="nt">-m</span> ./.dagger build <span class="nt">--source</span><span class="o">=</span><span class="nb">.</span> </code></pre> </div> <p>Modules have typed interfaces, documentation, and versioning. They compose:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">deploy</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Application source</span><span class="sh">"</span><span class="p">)],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="c1"># Authenticate to GCP </span> <span class="n">gcp</span> <span class="o">=</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_auth</span><span class="p">().</span><span class="nf">from_service_account_key</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="n">sa_key</span><span class="p">,</span> <span class="n">project</span><span class="o">=</span><span class="n">project</span><span class="p">)</span> <span class="c1"># Publish to Artifact Registry </span> <span class="n">image_uri</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_artifact_registry</span><span class="p">(</span><span class="n">gcp</span><span class="p">).</span><span class="nf">publish</span><span class="p">(</span> <span class="n">container</span><span class="o">=</span><span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">build</span><span class="p">(</span><span class="n">source</span><span class="p">),</span> <span class="n">repository</span><span class="o">=</span><span class="sh">"</span><span class="s">my-repo</span><span class="sh">"</span><span class="p">,</span> <span class="n">image</span><span class="o">=</span><span class="sh">"</span><span class="s">my-app</span><span class="sh">"</span><span class="p">,</span> <span class="n">tag</span><span class="o">=</span><span class="sh">"</span><span class="s">latest</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Deploy to Cloud Run </span> <span class="k">return</span> <span class="k">await</span> <span class="n">dag</span><span class="p">.</span><span class="nf">gcp_cloud_run</span><span class="p">(</span><span class="n">gcp</span><span class="p">).</span><span class="nf">service</span><span class="p">().</span><span class="nf">deploy</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">my-service</span><span class="sh">"</span><span class="p">,</span> <span class="n">image</span><span class="o">=</span><span class="n">image_uri</span><span class="p">,</span> <span class="n">region</span><span class="o">=</span><span class="sh">"</span><span class="s">us-central1</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>This is the Platform Engineering pattern applied to CI/CD. A platform team builds and maintains modules (<code>gcp-auth</code>, <code>artifact-registry</code>, <code>cloud-run</code>) the same way they'd maintain Terraform modules or Helm charts. Developers consume them as typed dependencies. They don't need to know how GCP authentication works internally; they call <code>dag.gcp_auth()</code> and get an authenticated container. Self-service, with guardrails.</p> <h2> Putting It Into Practice </h2> <p>Enough theory. For the rest of this series, we're going to simulate, as closely as we can, a production deployment. Not a toy example with a single endpoint and a <code>hello world</code> container, but a realistic two-component product with a frontend, a backend, authentication between them, and deployment to a real cloud provider.</p> <p>The goal is a deep dive: from writing the first pipeline function on your laptop, all the way to a multi-agent CI/CD system that reviews, builds, and deploys both apps from a single natural language command.</p> <h3> Prerequisites </h3> <p>To follow along, you'll need three things set up:</p> <ol> <li><p><strong>Dagger CLI</strong>: Install the Dagger engine and CLI on your machine. This is what runs your pipelines locally and in CI.<br> → <a href="https://docs.dagger.io/install/" rel="noopener noreferrer">Install Dagger</a></p></li> <li><p><strong>A GitHub account</strong>: We'll use GitHub as our code server and CI runner (via GitHub Actions). The companion repository with all example code is public.<br> → <a href="https://github.com/signup" rel="noopener noreferrer">Create a GitHub account</a> if you don't have one</p></li> <li><p><strong>A Google Cloud account with a project</strong>: GCP is our deployment target throughout the series. You'll need a project with billing enabled (the free tier is sufficient for everything we do here).<br> → <a href="https://cloud.google.com/free" rel="noopener noreferrer">Create a GCP account</a><br> → <a href="https://cloud.google.com/resource-manager/docs/creating-managing-projects" rel="noopener noreferrer">Create a GCP project</a></p></li> </ol> <blockquote> <p><strong>Required Google APIs</strong> — Enable these APIs on your GCP project before deploying. You can do it from the <a href="https://console.cloud.google.com/apis/library" rel="noopener noreferrer">API Library</a> or via <code>gcloud</code>:</p> <pre class="highlight shell"><code>gcloud services <span class="nb">enable</span> <span class="se">\</span> run.googleapis.com <span class="se">\</span> artifactregistry.googleapis.com <span class="se">\</span> firebasehosting.googleapis.com <span class="se">\</span> firebase.googleapis.com <span class="se">\</span> iam.googleapis.com <span class="se">\</span> cloudresourcemanager.googleapis.com </code></pre> <ul> <li> <strong>Cloud Run API</strong> (<code>run.googleapis.com</code>) — deploy the FastAPI backend</li> <li> <strong>Artifact Registry API</strong> (<code>artifactregistry.googleapis.com</code>) — store container images</li> <li> <strong>Firebase Hosting API</strong> (<code>firebasehosting.googleapis.com</code>) — host the Angular frontend</li> <li> <strong>Firebase API</strong> (<code>firebase.googleapis.com</code>) — Firebase Anonymous Auth for the frontend</li> <li> <strong>IAM API</strong> (<code>iam.googleapis.com</code>) — manage service accounts and OIDC federation</li> <li> <strong>Cloud Resource Manager API</strong> (<code>cloudresourcemanager.googleapis.com</code>) — project-level operations</li> </ul> </blockquote> <p>You'll also want Docker installed locally (Dagger uses it under the hood), and Python 3.12+ and Node.js 20+ for the example apps themselves.</p> <h3> The Product: Angular Frontend + FastAPI Backend </h3> <p>Our product is two apps that talk to each other:</p> <ul> <li> <strong>Angular 21 SPA</strong> on Firebase Hosting: displays items from the API, authenticates via Firebase Anonymous Auth</li> <li> <strong>FastAPI REST API</strong> on Cloud Run: serves items, validates Firebase ID tokens from the frontend</li> </ul> <p>The frontend authenticates anonymously with Firebase, gets an ID token, and sends it as a <code>Bearer</code> header to the backend. The backend validates the token using <code>google-auth</code>. This is a realistic pattern for any Firebase + Cloud Run stack.</p> <h3> Initializing the Module </h3> <p>Clone the companion repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/telchak/dagger-ci-demo.git <span class="nb">cd </span>dagger-ci-demo </code></pre> </div> <p>We have a monorepo with <code>backend/</code> and <code>frontend/</code>. Rather than creating a separate Dagger module for each app, we'll initialize a single module at the repository root. This gives us one place to define pipeline functions for the entire product:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dagger init <span class="nt">--sdk</span><span class="o">=</span>python <span class="nt">--name</span><span class="o">=</span>dagger-ci-demo </code></pre> </div> <p>This creates a <code>.dagger/</code> directory (Dagger's convention, like <code>.github/</code> for GitHub Actions) containing a <code>dagger.json</code> manifest, a <code>pyproject.toml</code>, and a source scaffold where we'll write our pipeline functions.</p> <h3> Key Concepts: Types, Functions, and Chaining </h3> <p>Before looking at the code, let's clarify three core Dagger concepts (<a href="https://docs.dagger.io/getting-started/concepts" rel="noopener noreferrer">docs</a>):</p> <p><strong>Types.</strong> The Dagger API provides specialized types that represent CI/CD primitives. The ones we'll use most:</p> <ul> <li> <code>Container</code>: an OCI container image with its filesystem and configuration</li> <li> <code>Directory</code>: a filesystem tree (your source code, build output, etc.)</li> <li> <code>File</code>: a single file artifact</li> <li> <code>Secret</code>: sensitive data (API keys, credentials) that Dagger never logs or caches</li> <li> <code>Service</code>: a running network service (for integration testing, local dev, etc.)</li> </ul> <p>These types are the building blocks. They replace the implicit, untyped operations of YAML pipelines with explicit, typed abstractions.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2caatx0tpknpub7201cm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2caatx0tpknpub7201cm.png" alt=" " width="800" height="446"></a><br> <em>Image generated with Google's Gemini Imagen "Nano Banana Pro"</em> </p> <p><strong>Functions.</strong> A Dagger module exposes functions, decorated with <code>@function</code>, that accept these types as parameters and return them as outputs. Functions are the unit of work. Each one is a self-contained operation: build a container, run tests, publish an image.</p> <p><strong>Chaining.</strong> Each Dagger type comes with its own methods, and these methods return the same (or related) types. This enables <em>chaining</em>: you pass the output of one operation directly into the next, building up a pipeline step by step. When you write <code>dag.container().from_("python:3.12-slim").with_exec(["pip", "install", "..."])</code>, you're chaining three operations on a <code>Container</code> type. Dagger evaluates this chain lazily: nothing executes until a terminal operation (like <code>.stdout()</code> or <code>.publish()</code>) triggers the full graph.</p> <h3> The Pipeline: Backend and Frontend </h3> <p>Here's what we'll write at <code>.dagger/src/dagger_ci_demo/main.py</code>, a single class with functions for both apps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="sh">"""</span><span class="s">CI/CD pipeline for the dagger-ci-demo product.</span><span class="sh">"""</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Annotated</span> <span class="kn">import</span> <span class="n">dagger</span> <span class="kn">from</span> <span class="n">dagger</span> <span class="kn">import</span> <span class="n">Doc</span><span class="p">,</span> <span class="n">dag</span><span class="p">,</span> <span class="n">function</span><span class="p">,</span> <span class="n">object_type</span> <span class="c1"># @object_type marks this class as a Dagger module. # Its public methods become callable pipeline functions. </span><span class="nd">@object_type</span> <span class="k">class</span> <span class="nc">DaggerCiDemo</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Pipeline for the Angular + FastAPI product.</span><span class="sh">"""</span> <span class="c1"># --- Backend (FastAPI) --- </span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">build_backend</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Backend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Container</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Build the FastAPI backend container. Returns a Container — the core Dagger type representing an OCI image. The caller can publish it, export it, or chain further operations on it. </span><span class="sh">"""</span> <span class="nf">return </span><span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">()</span> <span class="c1"># Start from a base image — returns a Container </span> <span class="p">.</span><span class="nf">from_</span><span class="p">(</span><span class="sh">"</span><span class="s">python:3.12-slim</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Set the working directory inside the container </span> <span class="p">.</span><span class="nf">with_workdir</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Copy only requirements.txt first — this layer is cached </span> <span class="c1"># as long as requirements.txt doesn't change, even if </span> <span class="c1"># source code changes. This is the Docker cache optimization </span> <span class="c1"># pattern, expressed as a function chain. </span> <span class="p">.</span><span class="nf">with_file</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/requirements.txt</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">.</span><span class="nf">file</span><span class="p">(</span><span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># Install dependencies — cached if requirements.txt unchanged </span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--no-cache-dir</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-r</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Copy application source — only this layer and below re-run </span> <span class="c1"># when source code changes </span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/src</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">.</span><span class="nf">directory</span><span class="p">(</span><span class="sh">"</span><span class="s">src</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># Configure the container for Cloud Run </span> <span class="p">.</span><span class="nf">with_env_variable</span><span class="p">(</span><span class="sh">"</span><span class="s">PORT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">8080</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_exposed_port</span><span class="p">(</span><span class="mi">8080</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_entrypoint</span><span class="p">([</span> <span class="sh">"</span><span class="s">uvicorn</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">src.main:app</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--host</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">0.0.0.0</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--port</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">8080</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--workers</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">2</span><span class="sh">"</span><span class="p">,</span> <span class="p">])</span> <span class="p">)</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test_backend</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Backend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Run the backend test suite. Returns a string (stdout) — a terminal type that triggers execution. Everything before .stdout() is lazily evaluated; Dagger only runs the container when it needs the output. </span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">await </span><span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">()</span> <span class="p">.</span><span class="nf">from_</span><span class="p">(</span><span class="sh">"</span><span class="s">python:3.12-slim</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_workdir</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Mount the full source directory (tests need everything) </span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pip</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">install</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--no-cache-dir</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-r</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">requirements.txt</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Run pytest — if this command fails, the function raises an error </span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">pytest</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-v</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">tests/</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># .stdout() is the terminal operation: it triggers execution </span> <span class="c1"># of the entire chain and returns the command's output as a string </span> <span class="p">.</span><span class="nf">stdout</span><span class="p">()</span> <span class="p">)</span> <span class="c1"># --- Frontend (Angular) --- </span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">build_frontend</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Frontend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Build the Angular frontend for production. Returns a Directory — the build output (dist/) that can be deployed to Firebase Hosting, exported to the host filesystem, or passed to another function. </span><span class="sh">"""</span> <span class="nf">return </span><span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">()</span> <span class="p">.</span><span class="nf">from_</span><span class="p">(</span><span class="sh">"</span><span class="s">node:20-slim</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_workdir</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Copy package files first for dependency caching </span> <span class="p">.</span><span class="nf">with_file</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/package.json</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">.</span><span class="nf">file</span><span class="p">(</span><span class="sh">"</span><span class="s">package.json</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_file</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/package-lock.json</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">.</span><span class="nf">file</span><span class="p">(</span><span class="sh">"</span><span class="s">package-lock.json</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># npm ci installs exact versions from lockfile — cached if </span> <span class="c1"># package files unchanged </span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">npm</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ci</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Copy the rest of the source </span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/src</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">.</span><span class="nf">directory</span><span class="p">(</span><span class="sh">"</span><span class="s">src</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_file</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/angular.json</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">.</span><span class="nf">file</span><span class="p">(</span><span class="sh">"</span><span class="s">angular.json</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_file</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/tsconfig.json</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">.</span><span class="nf">file</span><span class="p">(</span><span class="sh">"</span><span class="s">tsconfig.json</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">with_file</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/tsconfig.app.json</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">.</span><span class="nf">file</span><span class="p">(</span><span class="sh">"</span><span class="s">tsconfig.app.json</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># Build for production — Angular CLI outputs to dist/ </span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">npx</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ng</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">build</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--configuration=production</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># Extract just the build output directory. </span> <span class="c1"># .directory() returns a Directory type — stripping away the </span> <span class="c1"># container and keeping only the filesystem artifact we need. </span> <span class="p">.</span><span class="nf">directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app/dist/angular-frontend/browser</span><span class="sh">"</span><span class="p">)</span> <span class="p">)</span> <span class="nd">@function</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">test_frontend</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="n">Annotated</span><span class="p">[</span><span class="n">dagger</span><span class="p">.</span><span class="n">Directory</span><span class="p">,</span> <span class="nc">Doc</span><span class="p">(</span><span class="sh">"</span><span class="s">Frontend source directory</span><span class="sh">"</span><span class="p">)],</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Run the Angular test suite.</span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">await </span><span class="p">(</span> <span class="n">dag</span><span class="p">.</span><span class="nf">container</span><span class="p">()</span> <span class="p">.</span><span class="nf">from_</span><span class="p">(</span><span class="sh">"</span><span class="s">node:20-slim</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_workdir</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_directory</span><span class="p">(</span><span class="sh">"</span><span class="s">/app</span><span class="sh">"</span><span class="p">,</span> <span class="n">source</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">npm</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ci</span><span class="sh">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">with_exec</span><span class="p">([</span><span class="sh">"</span><span class="s">npx</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ng</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">test</span><span class="sh">"</span><span class="p">])</span> <span class="p">.</span><span class="nf">stdout</span><span class="p">()</span> <span class="p">)</span> </code></pre> </div> <p>Let's unpack what's going on here.</p> <p>The class <code>DaggerCiDemo</code> is a <strong>module</strong>, a collection of functions packaged together. The <code>@object_type</code> decorator registers it with the Dagger engine, and every <code>@function</code> method becomes a callable operation, both from the CLI and from other modules.</p> <p>Each function takes a <code>Directory</code> as input, Dagger's type for a filesystem tree. When you pass <code>--source=./backend</code> from the CLI, Dagger packages that directory and hands it to the function as a typed <code>Directory</code> object. No string paths, no glob patterns, just a real, content-addressed filesystem reference.</p> <p>The function bodies are <strong>chains</strong> of operations on Dagger types. <code>dag.container().from_("python:3.12-slim")</code> creates a <code>Container</code> from a base image. Each <code>.with_*()</code> call returns a new <code>Container</code> with the modification applied. Nothing executes yet. Dagger builds a directed acyclic graph (DAG) of operations. Execution only happens when a terminal operation like <code>.stdout()</code> or <code>.publish()</code> forces the engine to resolve the graph.</p> <p>This is why caching works so well. Dagger hashes each node in the graph based on its inputs. If <code>requirements.txt</code> hasn't changed, the <code>pip install</code> step is a cache hit, instantly. If only a source file changed, only the layers after <code>.with_directory("/app/src", ...)</code> re-execute. Same content-addressed logic, on your laptop and in CI.</p> <p>Notice how <code>build_backend</code> returns a <code>Container</code> while <code>build_frontend</code> returns a <code>Directory</code>. The return type determines what the caller can do next. A <code>Container</code> can be published to a registry, started as a service, or chained further. A <code>Directory</code> can be deployed to static hosting, exported, or mounted into another container. Types guide composition. They make it clear what flows where.</p> <h3> Run It Locally </h3> <p>With Dagger installed (see prerequisites above), let's explore the module from the repository root.</p> <h4> Discovering Functions </h4> <p>Before running anything, you can inspect what the module exposes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dagger functions </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name Description build-backend Build the FastAPI backend container. build-frontend Build the Angular frontend for production. test-backend Run the backend test suite. test-frontend Run the Angular test suite. </code></pre> </div> <p>This is auto-generated. Dagger reads the <code>@function</code> decorators, their docstrings, and the <code>Doc()</code> annotations on parameters, and produces CLI documentation from them, in any SDK language. The same metadata that describes a function in Python generates the same CLI interface as it would in Go or TypeScript.</p> <p>You can drill into any function with <code>--help</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dagger call build-backend <span class="nt">--help</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Build the FastAPI backend container. Returns a Container — the core Dagger type representing an OCI image. The caller can publish it, export it, or chain further operations on it. USAGE dagger call build-backend [arguments] ARGUMENTS --source Directory Backend source directory [required] </code></pre> </div> <p>Everything here (the description, the argument name, the type, the <code>[required]</code> marker) comes directly from your code. The <code>Doc("Backend source directory")</code> annotation you wrote in the <code>Annotated[dagger.Directory, Doc("...")]</code> parameter becomes the argument's help text. The function's docstring becomes the command's description. There's no separate documentation to write or maintain. The code <em>is</em> the documentation, and Dagger keeps it in sync for both the CLI and the SDK.</p> <p>This is what makes self-service work. A developer who has never seen this module before can run <code>dagger functions</code>, pick the operation they need, check its arguments with <code>--help</code>, and run it, without reading source code or asking the platform team.</p> <h4> Running Functions </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test the backend</span> dagger call test-backend <span class="nt">--source</span><span class="o">=</span>./backend <span class="c"># Build the backend container</span> dagger call build-backend <span class="nt">--source</span><span class="o">=</span>./backend <span class="c"># Test the frontend</span> dagger call test-frontend <span class="nt">--source</span><span class="o">=</span>./frontend <span class="c"># Build the frontend (returns the dist/ directory)</span> dagger call build-frontend <span class="nt">--source</span><span class="o">=</span>./frontend </code></pre> </div> <p>A few things to notice about the CLI:</p> <ul> <li> <strong><code>dagger call</code></strong> is the universal entry point for running any function. It works the same way whether you're calling a local module or a remote one (<code>dagger call -m github.com/...</code>).</li> <li> <strong>Function names</strong> are converted from Python's <code>snake_case</code> to CLI <code>kebab-case</code> automatically (<code>build_backend</code> → <code>build-backend</code>).</li> <li> <strong><code>--source</code></strong> is not a built-in Dagger flag. It's the parameter we defined with <code>Annotated[dagger.Directory, Doc("...")]</code>. Dagger turns every function parameter into a CLI flag, typed accordingly. A <code>dagger.Directory</code> parameter accepts a local path; a <code>dagger.Secret</code> would accept <code>env:MY_SECRET</code> or <code>file:./key.json</code>.</li> <li> <strong>Return types</strong> determine what the CLI shows. <code>test_backend</code> returns a <code>str</code>, so Dagger prints the stdout. <code>build_backend</code> returns a <code>Container</code>, so Dagger shows the image digest. <code>build_frontend</code> returns a <code>Directory</code>, which you can export with <code>dagger call build-frontend --source=./frontend export --path=./dist</code>.</li> </ul> <p>Same functions, same commands, for both apps. A developer debugging a build failure doesn't push a commit and wait. They run the same command on their laptop, inspect the output, and fix the issue with the same tools they use for application code. CI/CD is part of the software factory.</p> <h3> From Laptop to CI: The Same Commands in GitHub Actions </h3> <p>We've been running everything locally. Now let's prove the claim: the same code runs in CI without any changes. Create <code>.github/workflows/ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v6</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test Backend</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">call</span> <span class="na">args</span><span class="pi">:</span> <span class="s">test-backend --source=./backend</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test Frontend</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dagger/dagger-for-github@v8.4.1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.20.3"</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">call</span> <span class="na">args</span><span class="pi">:</span> <span class="s">test-frontend --source=./frontend</span> </code></pre> </div> <p>That's it. No Dockerfile to maintain. No shell scripts gluing steps together. No CI-specific logic. The <code>dagger/dagger-for-github</code> action installs the Dagger CLI and engine, and runs the exact same <code>dagger call</code> commands we just ran locally. The pipeline code doesn't know, or care, where it's running.</p> <p>This is the minimal, working CI setup. Push it, open a pull request, and watch the same tests you just ran on your laptop execute in GitHub Actions. Same functions, same caching, same results.</p> <h2> Why Now </h2> <p>Three trends make this approach timely:</p> <p><strong>Platform Engineering is maturing.</strong> The core promise of Platform Engineering is developer self-service: give teams golden paths so they can ship without waiting for specialists. CI/CD modules are the missing piece in that story: reusable, versioned, self-documenting abstractions that reduce cognitive load the same way a Terraform module does. When CI/CD is software, it fits naturally into the Internal Developer Platform.</p> <p><strong>AI agents need programmatic interfaces.</strong> When your pipeline is real code with typed functions, AI agents can interact with it through tool use. YAML pipelines are opaque to agents. Typed Dagger functions are not. (We'll explore this in Part 4.)</p> <p><strong>Multi-cloud is the norm.</strong> A pipeline that deploys to GCP today can deploy to AWS tomorrow with a module swap. No vendor lock-in at the CI layer. The platform team maintains the modules; developers maintain their code.</p> <h2> What's Next </h2> <p>We now have a working CI pipeline, real code running both locally and in GitHub Actions with the same commands. But this minimal setup has limitations: every job starts with a cold cache, builds run on GitHub's shared 2-vCPU runners, and there's no persistent state between runs.</p> <p>In <strong>Part 2</strong>, we'll tackle the infrastructure side: caching strategies that cut build times by 5x, managed runners with persistent NVMe storage, and self-hosted Kubernetes runners with shared Dagger engines. Three approaches, each with different tradeoffs between simplicity and control.</p> <p>The pipeline code won't change. Only where it runs will.</p> <p><strong>Up Next</strong>: <a href="https://dev.to/sami_chibani/cicd-in-the-era-of-ai-and-platform-engineering-a-deep-dive-into-dagger-ci-part-2-3e75">Part 2: Decoupling Pipelines from Infrastructure</a></p> <p><em>This is Part 1 of a 4-part series. Follow for updates.</em></p> <p><strong>Tags</strong>: <code>#cicd</code> <code>#dagger</code> <code>#platform-engineering</code> <code>#python</code> <code>#angular</code></p> cicd ai devops python