chore: remove update-deployment-tag CI step (#174)

forgejo_admin commented

2026-03-14 23:38:23 +00:00

Owner

Summary

Removes the obsolete update-deployment-tag CI step from .woodpecker.yaml. ArgoCD Image Updater now handles image tag updates automatically, making the sed-based commit-back-to-main approach unnecessary.

Changes

.woodpecker.yaml: Removed the update-deployment-tag step (alpine/git image that ran sed to update k8s manifests and pushed back to main)
.woodpecker.yaml: Removed the path.exclude block from the trigger (no longer needed since CI no longer commits to k8s/)
k8s/.argocd-source-pal-e-docs.yaml: Deleted stale ArgoCD source override file

Test Plan

Verify CI pipeline triggers correctly on push to main (no path exclusions blocking it)
Verify build-and-push step still tags images with ${CI_COMMIT_SHA}
Verify ArgoCD Image Updater picks up new tags from Harbor and updates the deployment
Confirm no other steps (test, migration-test, build-and-push, smoke-test) were modified

Review Checklist

Passed automated review-fix loop
No secrets committed
No unnecessary file changes
Commit messages are descriptive

Closes #174 -- Forgejo issue for Phase 7a
plan-pal-e-docs Phase 7a -- Remove update-deployment-tag CI step

## Summary Removes the obsolete `update-deployment-tag` CI step from `.woodpecker.yaml`. ArgoCD Image Updater now handles image tag updates automatically, making the sed-based commit-back-to-main approach unnecessary. ## Changes - `.woodpecker.yaml`: Removed the `update-deployment-tag` step (alpine/git image that ran sed to update k8s manifests and pushed back to main) - `.woodpecker.yaml`: Removed the `path.exclude` block from the trigger (no longer needed since CI no longer commits to k8s/) - `k8s/.argocd-source-pal-e-docs.yaml`: Deleted stale ArgoCD source override file ## Test Plan - [ ] Verify CI pipeline triggers correctly on push to main (no path exclusions blocking it) - [ ] Verify build-and-push step still tags images with `${CI_COMMIT_SHA}` - [ ] Verify ArgoCD Image Updater picks up new tags from Harbor and updates the deployment - [ ] Confirm no other steps (test, migration-test, build-and-push, smoke-test) were modified ## Review Checklist - [x] Passed automated review-fix loop - [x] No secrets committed - [x] No unnecessary file changes - [x] Commit messages are descriptive ## Related - Closes #174 -- Forgejo issue for Phase 7a - `plan-pal-e-docs` Phase 7a -- Remove update-deployment-tag CI step

forgejo_admin added 1 commit

2026-03-14 23:38:23 +00:00

chore: remove update-deployment-tag CI step

ci/woodpecker/pr/woodpecker Pipeline failed

Details

b710e6b25d

ArgoCD Image Updater now handles image tag updates, making the
sed-based update-deployment-tag step obsolete. Also removes the
path exclude block from the trigger (no longer needed since CI
won't commit back to k8s/) and deletes the stale
.argocd-source-pal-e-docs.yaml file.

Closes #174

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

forgejo_admin commented

2026-03-14 23:38:45 +00:00

Author

Owner

Self-Review: PASS

Files changed: 2 (0 additions, 25 deletions)

Verification:

.woodpecker.yaml: Path exclude block removed from trigger (5 lines). update-deployment-tag step removed (17 lines). All other steps (test, migration-test, build-and-push, smoke-test) untouched.
k8s/.argocd-source-pal-e-docs.yaml: Stale ArgoCD image override deleted (3 lines).
No secrets in diff.
No unnecessary file changes.
Purely subtractive -- no new code introduced.
PR is mergeable.

No findings. Ready for merge.

## Self-Review: PASS **Files changed:** 2 (0 additions, 25 deletions) **Verification:** - `.woodpecker.yaml`: Path exclude block removed from trigger (5 lines). `update-deployment-tag` step removed (17 lines). All other steps (test, migration-test, build-and-push, smoke-test) untouched. - `k8s/.argocd-source-pal-e-docs.yaml`: Stale ArgoCD image override deleted (3 lines). - No secrets in diff. - No unnecessary file changes. - Purely subtractive -- no new code introduced. - PR is mergeable. **No findings.** Ready for merge.

forgejo_admin commented

2026-03-14 23:41:12 +00:00

Author

Owner

PR #175 Review

DOMAIN REVIEW

ArgoCD / Image Updater Migration:

The removed update-deployment-tag step was a sed-based commit-back-to-main pattern that modified k8s/deployment.yaml and k8s/embedding-worker.yaml with each build. This is correctly replaced by ArgoCD Image Updater, which writes to pal-e-deployments via kustomization write-back -- a cleaner GitOps pattern that avoids CI-generated commits polluting the app repo's git history.
The stale k8s/.argocd-source-pal-e-docs.yaml (containing a hardcoded image reference to commit 068a26ea...) is correctly deleted. Image Updater now writes these overrides to the deployments repo, not the app repo.
No remaining references to argocd-source or update-deployment-tag exist anywhere in the codebase. Cleanup is thorough.

CI Pipeline Integrity:

All 4 remaining steps are UNCHANGED: test, migration-test, build-and-push, smoke-test. Verified by reading the full .woodpecker.yaml post-diff.
The smoke-test step has no dependency on the removed step. It waits 30s for ArgoCD rollout then hits the health endpoint directly -- this path works regardless of whether Image Updater or the old sed approach triggers the deployment.
Step ordering is correct: test -> migration-test -> build-and-push -> smoke-test (sequential by default in Woodpecker).
The forgejo_token secret reference is gone with the removed step. Only harbor_username and harbor_password remain (used by build-and-push). No orphaned secret references.

Trigger Cleanup:

The path.exclude block that prevented CI from re-triggering on its own k8s/ commits (k8s/.argocd-source-*, k8s/deployment.yaml, k8s/embedding-worker.yaml) is correctly removed. Since CI no longer commits to k8s/, there is no risk of infinite trigger loops.
The remaining trigger is clean: push to main + pull_request events.

k8s/ Directory:

The k8s/ directory retains all 5 expected files: deployment.yaml, embedding-worker.yaml, service.yaml, servicemonitor.yaml, kustomization.yaml. Only the stale .argocd-source-pal-e-docs.yaml was removed. Base manifests remain intact as ArgoCD source.

YAML Validity:

The resulting .woodpecker.yaml is 100 lines, well-structured, properly indented. No dangling references, no broken when clauses, no orphaned configuration.

BLOCKERS

None.

NITS

None. This is a clean, purely subtractive change with zero ambiguity.

SOP COMPLIANCE

Branch named after issue: 174-phase-7a-remove-update-deployment-tag-ci references #174
PR body follows template: Summary, Changes, Test Plan, Review Checklist, Related sections all present
Closes #174 present in PR body (in Related section)
Related references plan slug: plan-pal-e-docs Phase 7a
No secrets committed
No unnecessary file changes: exactly 2 files, both justified (.woodpecker.yaml + stale .argocd-source file)
Commit messages are descriptive
No tofu plan output needed (no Terraform changes -- this is CI-only)

PROCESS OBSERVATIONS

This PR eliminates a CI anti-pattern: CI committing back to main to update image tags. The old approach created [skip ci] commits that polluted git history and introduced a race condition risk (concurrent merges could conflict on k8s/ files). The Image Updater write-back to a separate deployments repo is the correct GitOps pattern.
The forgejo_token secret that was used by the removed step should be verified as no longer needed by any other CI pipeline in this repo. If it is unused, it can be cleaned from Woodpecker's secret store (minor hygiene item, not a blocker).
Deployment frequency (DORA DF): this change slightly improves DF by removing a source of CI failures (the sed + git push step was fragile -- auth token expiry, merge conflicts, network issues could all fail the pipeline after a successful build).

VERDICT: APPROVED

## PR #175 Review ### DOMAIN REVIEW **ArgoCD / Image Updater Migration:** - The removed `update-deployment-tag` step was a sed-based commit-back-to-main pattern that modified `k8s/deployment.yaml` and `k8s/embedding-worker.yaml` with each build. This is correctly replaced by ArgoCD Image Updater, which writes to pal-e-deployments via kustomization write-back -- a cleaner GitOps pattern that avoids CI-generated commits polluting the app repo's git history. - The stale `k8s/.argocd-source-pal-e-docs.yaml` (containing a hardcoded image reference to commit `068a26ea...`) is correctly deleted. Image Updater now writes these overrides to the deployments repo, not the app repo. - No remaining references to `argocd-source` or `update-deployment-tag` exist anywhere in the codebase. Cleanup is thorough. **CI Pipeline Integrity:** - All 4 remaining steps are UNCHANGED: `test`, `migration-test`, `build-and-push`, `smoke-test`. Verified by reading the full `.woodpecker.yaml` post-diff. - The `smoke-test` step has no dependency on the removed step. It waits 30s for ArgoCD rollout then hits the health endpoint directly -- this path works regardless of whether Image Updater or the old sed approach triggers the deployment. - Step ordering is correct: test -> migration-test -> build-and-push -> smoke-test (sequential by default in Woodpecker). - The `forgejo_token` secret reference is gone with the removed step. Only `harbor_username` and `harbor_password` remain (used by `build-and-push`). No orphaned secret references. **Trigger Cleanup:** - The `path.exclude` block that prevented CI from re-triggering on its own k8s/ commits (`k8s/.argocd-source-*`, `k8s/deployment.yaml`, `k8s/embedding-worker.yaml`) is correctly removed. Since CI no longer commits to k8s/, there is no risk of infinite trigger loops. - The remaining trigger is clean: push to main + pull_request events. **k8s/ Directory:** - The k8s/ directory retains all 5 expected files: `deployment.yaml`, `embedding-worker.yaml`, `service.yaml`, `servicemonitor.yaml`, `kustomization.yaml`. Only the stale `.argocd-source-pal-e-docs.yaml` was removed. Base manifests remain intact as ArgoCD source. **YAML Validity:** - The resulting `.woodpecker.yaml` is 100 lines, well-structured, properly indented. No dangling references, no broken `when` clauses, no orphaned configuration. ### BLOCKERS None. ### NITS None. This is a clean, purely subtractive change with zero ambiguity. ### SOP COMPLIANCE - [x] Branch named after issue: `174-phase-7a-remove-update-deployment-tag-ci` references #174 - [x] PR body follows template: Summary, Changes, Test Plan, Review Checklist, Related sections all present - [x] `Closes #174` present in PR body (in Related section) - [x] Related references plan slug: `plan-pal-e-docs` Phase 7a - [x] No secrets committed - [x] No unnecessary file changes: exactly 2 files, both justified (`.woodpecker.yaml` + stale `.argocd-source` file) - [x] Commit messages are descriptive - [x] No `tofu plan` output needed (no Terraform changes -- this is CI-only) ### PROCESS OBSERVATIONS - This PR eliminates a CI anti-pattern: CI committing back to main to update image tags. The old approach created `[skip ci]` commits that polluted git history and introduced a race condition risk (concurrent merges could conflict on k8s/ files). The Image Updater write-back to a separate deployments repo is the correct GitOps pattern. - The `forgejo_token` secret that was used by the removed step should be verified as no longer needed by any other CI pipeline in this repo. If it is unused, it can be cleaned from Woodpecker's secret store (minor hygiene item, not a blocker). - Deployment frequency (DORA DF): this change slightly improves DF by removing a source of CI failures (the sed + git push step was fragile -- auth token expiry, merge conflicts, network issues could all fail the pipeline after a successful build). ### VERDICT: APPROVED