Located at ~/.config/startpaac/config (override with STARTPAC_CONFIG_FILE env var).
# Path to your pipelines-as-code checkout (auto-detected if unset)
PAC_DIR=~/go/src/github.com/tektoncd/pipelines-as-code
# Secrets via password-store (pass)
# Folder structure: github-application-id, github-private-key, smee, webhook.secret
PAC_PASS_SECRET_FOLDER=github/apps/my-app
# Or secrets as plain text files (same structure as above)
PAC_SECRET_FOLDER=~/path/to/secrets
# Where Kind runs: "local" or a remote hostname
TARGET_HOST=local
# Extra flags for ko
KO_EXTRA_FLAGS=() # e.g. --platform linux/arm64 --insecure-registry
## Remote VM setup (not needed when TARGET_HOST=local)
# Set up a wildcard DNS *.lan.mydomain.com pointing to your TARGET_HOST.
# Tip: https://nextdns.io lets you create wildcard DNS for local networks.
DOMAIN_NAME=lan.mydomain.com
PAC=paac.${DOMAIN_NAME}
REGISTRY=registry.${DOMAIN_NAME}
FORGE_HOST=gitea.${DOMAIN_NAME}
DASHBOARD=dashboard.${DOMAIN_NAME}
TARGET_BIND_IP=192.168.1.5 # comma-separated for multiple IPsSecrets are the GitHub App credentials needed by PAC. You need four files:
github-application-id-- your GitHub App IDgithub-private-key-- the app's private keysmee-- your smee.io or hook.pipelinesascode.com webhook URLwebhook.secret-- the shared webhook secret
Set PAC_PASS_SECRET_FOLDER in your config to the pass folder path:
github/apps/my-app
├── github-application-id
├── github-private-key
├── smee
└── webhook.secret
Set PAC_SECRET_FOLDER to a directory with the same structure, files in plain text.
Set PAC_PASS_SECOND_FOLDER (same structure as above) and use --github-second-ctrl / --second-secret=SECRET.
Customize the connection in lib/postgresql/values.yaml:
global:
postgresql:
auth:
username: "myuser"
password: "mypassword"
database: "mydatabase"Default credentials are weak and for local dev only.
Component selections are saved to ~/.config/startpaac/preferences.json when you choose to save them. On subsequent runs, saved preferences are used automatically.
./startpaac --menu # force the menu even with saved preferences
./startpaac --reset-preferences # clear saved preferencesIf you have PAC already installed (e.g. via the OpenShift operator):
./startpaac --configure-pac-target $KUBECONFIG $TARGET_NAMESPACE $DIRECTORY_OR_PASS_FOLDER$KUBECONFIG-- kubeconfig for the cluster$TARGET_NAMESPACE-- namespace where PAC is installed (e.g.openshift-pipelines)$DIRECTORY_OR_PASS_FOLDER-- secret folder (plain text dir or pass folder)
Hooks are executable scripts that run at defined points in the installation flow.
Place hooks in ~/.config/startpaac/hooks/ (override with HOOKS_DIR env var).
Files are named pre-<component> or post-<component>:
pre-install-tekton -- runs before Tekton install
post-configure-pac -- runs after PAC configuration
Available hook points: all, sync-kubeconfig, install-nginx, install-registry, install-tekton, install-triggers, install-chains, install-dashboard, install-pac, configure-pac, configure-pac-custom-certs, patch-pac-service-nodeport, install-forgejo, setup-forgejo-sample, install-postgresql, install-custom-objects, install-github-second-ctrl.
Hooks run in the full install flows and in matching direct component commands such as --install-tekton, --install-paac, --install-forgejo, and --configure-pac.
A hook can be a single executable file or a directory of executables (run in sorted order):
~/.config/startpaac/hooks/post-install-tekton # single file
~/.config/startpaac/hooks/post-install-tekton/01-extras # directory of scripts
Hooks inherit the current environment. startpaac also exports its scalar runtime/config values for hooks (KUBECONFIG, TARGET_HOST, PAC_DIR, etc.). STARTPAC_HOOK_NAME is exported with the current hook name; STARTPAAC_HOOK_NAME is also available as an alias.
A non-zero exit from any hook aborts the run.
mkdir -p ~/.config/startpaac/hooks
cat > ~/.config/startpaac/hooks/post-install-tekton <<'EOF'
#!/bin/bash
echo "Tekton installed -- applying custom resources"
kubectl apply -f ~/my-extra-resources/
EOF
chmod +x ~/.config/startpaac/hooks/post-install-tekton