Build Pipelines
All container images and the installer bundle are built by GitHub Actions. No builds happen on production servers — zynctl.sh deploy only pulls pre-built images.
Container Images
| # | Image | Source Repo | Workflow | Arch |
|---|---|---|---|---|
| 1 | zynomi/zynexa | ctms-web | docker-build.yml | amd64 |
| 2 | zynomi/ctms-api-gateway | ctms.devops | build-ctms-api-gateway.yml | amd64 + arm64 |
| 3 | zynomi/ctms-init | ctms.devops | build-ctms-init.yml | amd64 + arm64 |
| 4 | zynomi/ctms-supabase-seed | ctms.devops | build-ctms-supabase-seed.yml | amd64 + arm64 |
| 5 | zynomi/frappe-marley-health | ctms.devops | build-frappe-marley-health.yml | amd64 |
| 6 | zynomi/ctms-cube | ctms-data-pipeline-ai-analytics | docker-build-ctms-cube.yml | amd64 |
| 7 | zynomi/ctms-dbt | ctms-data-pipeline-ai-analytics | docker-build-ctms-dbt.yml | amd64 |
| 8 | zynomi/ctms-ingester | ctms-data-pipeline-ai-analytics | docker-build-ctms-ingester.yml | amd64 |
| 9 | zynomi/ctms-mcp-server | ctms-data-pipeline-ai-analytics | docker-build-ctms-mcp-server.yml | amd64 |
| 10 | zynomi/ctms-odm-api | ctms-data-pipeline-ai-analytics | docker-build-ctms-odm-api.yml | amd64 |
| 11 | zynomi/product-docs | docs.zynomi.com | docker-build.yml | amd64 |
| 12 | zynomi/sublink | sublink | docker-build.yml | amd64 |
| 13 | zynomi/comp-website | zynomi-comp-web-site | docker-build.yml | amd64 |
Installer Bundle
| Artifact | Workflow | Source Repo | Output |
|---|---|---|---|
| zynctl-bundle-*.tar.gz | build-install-bundle.yml | ctms.devops | GitHub Release tarball + SHA256 checksum |
See Installer Bundle for contents and deployment instructions.
Data Pipeline Runner
| Workflow | Source Repo | Purpose | Schedule |
|---|---|---|---|
| dbt-lakehouse-pipeline.yml | ctms-data-pipeline-ai-analytics | Runs Ingester → DBT on CI infra | Daily 2 AM UTC + manual |
This workflow builds throwaway images locally (push: false) and executes the ETL pipeline against the remote database. It does not publish images — those are handled by the dedicated build workflows above.
Trigger Strategies
Every build workflow supports three trigger modes:
| Trigger | When it fires | What happens |
|---|---|---|
| Path-filtered push | Push to main (or develop) touching relevant paths | Builds and pushes latest + auto-increment tag |
| Git tag | Push a semver tag (e.g. v1.2.0) | Builds and pushes immutable semver tags |
| Manual dispatch | Triggered from Actions UI | Builds on demand with optional inputs |
Path Filters by Repo
| Repo | Paths that trigger builds |
|---|---|
| ctms.devops | Per-service: ctms-api-gateway/**, scripts/frappe-seed/**, scripts/supabase-seed/**, frappe-marley-health/** |
| ctms-data-pipeline-ai-analytics | Per-service: ctms-cube/**, ctms-dbt/**, ctms-ingester/**, ctms-mcp-server/**, ctms-odm-xml-pdf-generator/** |
| ctms-web | Any push to main or develop |
| docs.zynomi.com | Any push to main or develop |
| sublink | Any push to main or develop |
| zynomi-comp-web-site | Any push to main or develop |
PR Behaviour
Pull requests to main/develop trigger a build-only step (compile + lint) but never push images.
Secrets & Variables
Registry Credentials
Required in every repo that builds images:
| Secret | Description |
|---|---|
| DOCKER_USERNAME | Container registry username |
| DOCKER_PASSWORD | Container registry access token |
Application Build Args (ctms-web only)
The Zynexa app bakes environment values at build time via --build-arg:
| Type | Variable | Purpose |
|---|---|---|
| Secret | DATABASE_URL | Prisma connection string |
| Secret | DIRECT_URL | Prisma direct connection |
| Secret | SUPABASE_URL | Supabase API endpoint |
| Secret | SUPABASE_ANON_KEY | Supabase public key |
| Secret | SUPABASE_SERVICE_ROLE_KEY | Supabase admin key |
| Secret | API_BASE_URL | Backend API URL |
| Secret | NEXT_PUBLIC_API_BASE_URL | Client-side API URL |
| Secret | NEXT_PUBLIC_DEFAULT_PRACTITIONER_ID | Default practitioner |
| Secret | NEXT_PUBLIC_PUBLIC_ROUTES | Public route list |
| Secret | NEXT_PUBLIC_STUDY_PARTICIPATION_CONCENT | Consent form URL |
| Var | NEXT_PUBLIC_CUBE_API_URL | Cube.dev endpoint |
| Var | NEXT_PUBLIC_MCP_API_ENDPOINT | MCP server endpoint |
| Var | NEXT_PUBLIC_ODM_API_ENDPOINT | ODM API endpoint |
| Var | NEXT_PUBLIC_BRAND_NAME | Brand display name |
| Var | NEXT_PUBLIC_SITE_URL | Public site URL |
| Var | NEXT_PUBLIC_SITE_DESCRIPTION | SEO description |
| Var | NEXT_PUBLIC_OG_IMAGE | Social share image |
| Var | NEXT_PUBLIC_LOGO_PREFIX | Logo asset prefix |
| Var | NEXT_PUBLIC_LOGO_EXT | Logo file extension |
| Var | NEXT_PUBLIC_STUDY_PERSONNEL_ROLES | Personnel role list |
| Var | NEXT_PUBLIC_USER_ROLES | User role list |
| Var | NEXT_PUBLIC_MCP_CHAT_TITLE | AI chat title |
| Var | NEXT_PUBLIC_MCP_CHAT_SUBTITLE | AI chat subtitle |
| Var | NEXT_PUBLIC_MCP_CHAT_ENABLED | AI chat feature flag |
| Var | NEXT_PUBLIC_MCP_CHAT_THEME | AI chat theme |
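Values passed with --build-arg can be recorded in image metadata, and variables with the NEXT_PUBLIC_ prefix are inlined into the browser bundle by Next.js, so a built image is worth checking before it is pushed. The added example below (not code from the ctms-web repo) parses the output of `docker history --no-trunc --format '{{.CreatedBy}}' <image>` and classifies any recorded build args using the Secret/Var split from the table above. Assumptions: the BuildKit `RUN |N NAME=value ...` history format, a Next.js app, and a constructed sample history.

```python
import re

# Variables the table above marks as "Secret" (names copied from the page).
SECRET_ARGS = {
    "DATABASE_URL", "DIRECT_URL", "SUPABASE_URL", "SUPABASE_ANON_KEY",
    "SUPABASE_SERVICE_ROLE_KEY", "API_BASE_URL", "NEXT_PUBLIC_API_BASE_URL",
    "NEXT_PUBLIC_DEFAULT_PRACTITIONER_ID", "NEXT_PUBLIC_PUBLIC_ROUTES",
    "NEXT_PUBLIC_STUDY_PARTICIPATION_CONCENT",
}
# Assumed history format: a RUN step with build args in scope is recorded as
#   RUN |<count> NAME=value ... /bin/sh -c <command>
ARG_STEP = re.compile(r"(?:^|RUN )\|(\d+) (.*)")

# Constructed sample of `docker history` CreatedBy lines (not real output).
SAMPLE_HISTORY = """\
RUN |3 DATABASE_URL=postgresql://app:EXAMPLE@db.example.invalid:5432/ctms NEXT_PUBLIC_API_BASE_URL=https://api.example.invalid NEXT_PUBLIC_BRAND_NAME=Example /bin/sh -c npm run build # buildkit
COPY . . # buildkit
WORKDIR /app
"""

def baked_args(history_text):
    """Return {name: value} for build args recorded in image history lines."""
    found = {}
    for line in history_text.splitlines():
        match = ARG_STEP.search(line)
        if not match:
            continue
        count, tokens = int(match.group(1)), match.group(2).split()
        for token in tokens[:count]:  # the first <count> tokens are the args
            name, sep, value = token.partition("=")
            if sep:
                found[name] = value
    return found

def audit(history_text):
    """Classify recorded args by name only, so the report never echoes values."""
    report = {"secret_in_history": [], "secret_client_exposed": [], "other": []}
    for name in sorted(baked_args(history_text)):
        if name in SECRET_ARGS and name.startswith("NEXT_PUBLIC_"):
            report["secret_client_exposed"].append(name)  # shipped to browsers
        elif name in SECRET_ARGS:
            report["secret_in_history"].append(name)  # readable by image pullers
        else:
            report["other"].append(name)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_HISTORY))
```

Whether any secret shows up depends on the Dockerfile: only args in scope for steps of the final image stage appear in its history.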
Data Pipeline Secrets (dbt-lakehouse-pipeline only)
| Secret | Purpose |
|---|---|
| FRAPPE_BASE_URL | Frappe API endpoint for ingestion |
| TARGET_DB_HOST | Target PostgreSQL host |
| TARGET_DB_PORT | Target PostgreSQL port |
| TARGET_DB_NAME | Target database name |
| TARGET_DB_USER | Database username |
| TARGET_DB_PASSWORD | Database password |
| TARGET_DB_SSLMODE | SSL mode (require, disable) |
Versioning
For the full versioning strategy, tag conventions, and image tag matrix, see CI/CD & Versioning.
Related
- Installer Bundle — bundle contents, versioning, and deployment
- CI/CD & Versioning — semver strategy and tag conventions
- Environment Variables — runtime configuration reference