Registering a Git source¶
Form fields¶
GitOps → New source:
| Field | Notes |
|---|---|
| Name | Unique per tenant; shows up in the UI and in the audit log |
| Repository URL | HTTPS or SSH clone URL |
| Branch | Tracked branch; default main |
| Path glob | E.g. configs/**/*.yaml; default **/*.yaml |
| Credential kind | None (public repo), Pat, or SshKey |
| PAT / SSH key | Pasted in plaintext, wrapped at save, never read back |
| Poll interval | 15 s – 1 h; default 60 s |
Naming configurations¶
Each tracked file becomes one Configuration. The name is, in order:
- The value of
# ampora.name: <name>if it appears as the first line of the YAML (frontmatter). - The filename without extension.
Use the frontmatter form if filenames could collide across the path glob (prod.yaml in two folders).
What a sweep does¶
- Open or shallow-clone the repo into the local cache.
- Check out the configured branch.
- Resolve the tip commit. If it equals
LastSyncedSha, return — no work. - Walk the tree at tip, filtered by the path glob. For each file:
- read UTF-8 content,
- resolve the configuration name,
- upsert the Configuration row (Source = Git),
- if the file's blob hash differs from the latest existing version, create a new draft via the normal
Create versionpath so validation, lint, semantic-diff, and live-update events fire normally. - Persist
LastSyncedSha = tip.Shaand write aGitSyncRunrow.
A per-file error is captured in GitSyncRun.ErrorsJson but does not abort the sweep — partial progress is preferable to all-or-nothing on a 50-config repo.
Inspecting sync runs¶
GitOps → {source} → Sync runs: every run with start / finish UTC, files-processed, files-imported, errors-encountered, tip commit. Click into a run for the per-file detail.
The retention is 30 days — older runs are pruned.
Pause / resume¶
The source has a Status toggle (Active / Paused). The sweeper skips paused sources entirely. Useful during a maintenance window or when you want to detach the GitOps wiring temporarily.
Rotating credentials¶
Credentials cannot be edited in place. Delete the source and recreate it with the new credential. Existing imported configurations are kept; the next sweep continues from the new credential.
Force a sweep¶
Sync now runs the sweep immediately, skipping the poll-interval timer. Useful right after fixing a broken file in the repo.
Air-gapped operation¶
Polling works in air-gapped environments — no inbound HTTPS endpoint required. The Ampora server must be able to reach the Git host (HTTPS or SSH) over your normal egress path, that is all.
Public-readable repo¶
If the repo is public and credential-less, set Credential kind: None. No PAT or SSH key is requested. This is mostly useful for demos or open-source collector configurations shared between teams.