Having tried and largely rejected GitLab due to enterprise-edition restrictions around desired features, we see Gitea as one of the possible solutions for flexible, cloud-user-event-spawnable repo design, since it does not lock any features behind paywalls or proprietary licenses. It appears lightweight and simple enough for us to manage and to instrument/orchestrate in the ways we need.
General checks (if blocked, stop):
- Do a basic install in toolsbeta and see how it handles things like LDAP (obviously avoiding full LDAP auth inside WMCS userspace). It can do PAM auth, which might work.
- If there's nothing blocking after that step, try adding some additional instrumentation such as a general pipeline to the k8s cluster there.
- (optional at this stage) Examine OIDC options for individual connection to other services like Argo or even a limited k8s view of one's tools.
- (stretch goal) See if the git mirroring feature would work with Gerrit.
- If you got to this step, good for you. Make a new task to perhaps design a real deploy.