feat: add update-kustomize-tag Woodpecker step #221

Merged
forgejo_admin merged 2 commits from 220-update-kustomize-tag into main 2026-03-27 21:11:49 +00:00

Summary

Adds the update-kustomize-tag step to the Woodpecker pipeline so that successful builds on main automatically update the kustomize overlay image tag in pal-e-deployments, eliminating manual tag bumps.

Changes

  • .woodpecker.yaml -- added update-kustomize-tag step after build-and-push, before smoke-test. Uses the canonical script from pal-e-platform via wget+sh pattern. Targets pal-e-docs overlay. Depends on build-and-push, runs only on push to main.

Test Plan

  • [x] YAML validated with python3 -c "import yaml; yaml.safe_load(open('.woodpecker.yaml'))"
  • [ ] Step uses correct overlay name (pal-e-docs)
  • [ ] Step uses internal cluster URL for script download
  • [ ] Step depends on build-and-push and gates on push to main
  • [ ] Merge and verify Woodpecker pipeline runs the step successfully

Review Checklist

  • [x] Passed automated review-fix loop
  • [x] No secrets committed
  • [x] No unnecessary file changes
  • [x] Commit messages are descriptive

Related Notes

  • forgejo_admin/pal-e-api #220 -- the Forgejo issue this PR implements (Closes #220)
  • forgejo_admin/pal-e-platform #206 -- parent rollout issue
  • pal-e-docs -- the project this work belongs to
feat: add update-kustomize-tag Woodpecker step after build
Some checks failed
ci/woodpecker/pr/woodpecker Pipeline failed
581af63e12
Adds the reusable update-kustomize-tag step that downloads and runs
the canonical script from pal-e-platform to update the kustomize
overlay image tag in pal-e-deployments after a successful build.

Closes #220

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

QA Review -- PR #221

Diff Summary

  • 1 file changed, 17 additions, 0 deletions
  • Single new step added to .woodpecker.yaml

Findings

Step placement: Correctly inserted after build-and-push, before smoke-test. Logical ordering -- tag updates before smoke test waits for ArgoCD rollout.

Template compliance: Step matches the canonical template at pal-e-platform/scripts/woodpecker-update-tag-step.yaml exactly:

  • Image: alpine/git:latest
  • Environment: FORGEJO_TOKEN from secret, OVERLAY, IMAGE_TAG
  • Commands: wget+sh pattern with internal cluster URL
  • depends_on: build-and-push
  • when: event: push, branch: main

Overlay value: pal-e-docs matches the template mapping table (line 10 of template).

Security: Token injected via from_secret, not hardcoded. No secrets in diff.

YAML validity: Confirmed valid via python3 yaml.safe_load().

Issue reference: Closes #220 present in PR body.

Nits

None.


VERDICT: APPROVE


PR #221 Review

DOMAIN REVIEW

Tech stack: Woodpecker CI pipeline YAML, shell scripting (wget+sh pattern), kustomize/ArgoCD deployment automation.

What this PR does: Adds a single update-kustomize-tag step to .woodpecker.yaml that downloads the canonical update-kustomize-tag.sh script from pal-e-platform and runs it after build-and-push, targeting the pal-e-docs overlay in pal-e-deployments. The step runs only on push to main.

Correctness checks performed:

  1. Overlay name pal-e-docs -- Verified. /home/ldraney/pal-e-deployments/overlays/pal-e-docs/prod/kustomization.yaml exists and has newTag entries. The overlay name matches the Harbor image repo (pal-e-docs/api in the build-and-push step). Correct.

  2. Internal cluster URL -- http://forgejo-http.forgejo.svc.cluster.local:80 is the same internal URL used in the clone step. Correct.

  3. Secret handling -- FORGEJO_TOKEN sourced via from_secret: forgejo_token, same secret already used in the clone step. No plaintext secrets. Correct.

  4. IMAGE_TAG -- Uses ${CI_COMMIT_SHA}, matching the tags: ${CI_COMMIT_SHA} in build-and-push. Correct.

  5. depends_on: build-and-push -- Ensures image is pushed to Harbor before attempting to update the kustomize overlay. Correct.

  6. Canonical script -- Reviewed /home/ldraney/pal-e-platform/scripts/update-kustomize-tag.sh. It validates required env vars (FORGEJO_TOKEN, OVERLAY, IMAGE_TAG), clones pal-e-deployments, updates newTag via sed, commits with [skip ci], and pushes with retry logic. Well-structured.

  7. Scope -- Single file changed, 17 lines added, 0 deleted. Tightly scoped to the issue.

BLOCKERS

1. smoke-test may race with update-kustomize-tag (missing depends_on)

The update-kustomize-tag step declares depends_on: [build-and-push], which switches Woodpecker into dependency-graph scheduling for steps with when conditions matching the same event. The smoke-test step has NO depends_on field.

In Woodpecker's dependency model, a step without depends_on has no declared predecessors -- meaning it could run as soon as the clone completes, potentially in parallel with update-kustomize-tag (or at least not guaranteed to run after it).

The smoke-test's purpose is to validate the ArgoCD rollout, which depends on the kustomize tag being updated first. If smoke-test runs before or concurrently with update-kustomize-tag, it would test the OLD deployment (the 30s sleep is a heuristic that assumed sequential execution).

Fix: Add depends_on: [update-kustomize-tag] to the smoke-test step to ensure the tag update commits to pal-e-deployments before smoke-test begins its ArgoCD wait.

Severity note: Calling this a BLOCKER because if smoke-test races ahead, it validates stale state. However, I acknowledge there is nuance: Woodpecker's actual behavior with mixed depends_on/no-depends_on steps may vary by version. If the team has verified that Woodpecker preserves definition order for steps without depends_on even when other steps use it, this could be downgraded to a nit. But the safe, explicit approach is to add the dependency.

NITS

  1. alpine/git:latest tag -- Using :latest is mutable and could break unexpectedly. Consider pinning to a specific version (e.g., alpine/git:2.45.2) for reproducibility, consistent with the pinned versions used elsewhere in the pipeline (python:3.12-slim, pgvector/pgvector:pg17, woodpeckerci/plugin-kaniko:2.3.0).

  2. No depends_on for smoke-test on main branch today either -- This is a pre-existing concern (smoke-test already lacked depends_on: [build-and-push] before this PR). The new step makes it more visible. Worth fixing while touching this area.

SOP COMPLIANCE

  • Branch named after issue (220-update-kustomize-tag references issue #220)
  • PR body has Summary, Changes, Test Plan, Related sections
  • Related section references parent rollout issue (pal-e-platform #206)
  • No secrets committed (token sourced from Woodpecker secret)
  • No unnecessary file changes (single file, tightly scoped)
  • Commit messages are descriptive (feat: add update-kustomize-tag Woodpecker step)
  • YAML validated per test plan

PROCESS OBSERVATIONS

  • Deployment Frequency: This PR is part of the rollout tracked in pal-e-platform #206 (9 repos). Completing this for pal-e-api eliminates manual tag bumps and directly improves deployment frequency for the core API.
  • Change Failure Risk: Low. The canonical script has retry logic and [skip ci] commit messages. The only risk is the smoke-test ordering issue noted above.
  • First consumer: This is the first repo adopting the update-kustomize-tag.sh script (no other .woodpecker.yaml files reference it yet). Getting the pattern right here sets the template for the remaining 8 repos.

VERDICT: NOT APPROVED

One blocker: the smoke-test step needs depends_on: [update-kustomize-tag] to guarantee it runs after the kustomize tag is updated. Without this, the smoke-test could validate stale state, defeating its purpose. Fix this dependency and the PR is ready to merge.
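The blocker above is an ordering guarantee that is easy to lose again as steps are added, and it is cheap to check mechanically next to the yaml.safe_load validation in the test plan. The shell lint below is an added example, not part of the review or of either repository. It reads a Woodpecker pipeline file and confirms that a step lists a given predecessor in its depends_on, in any of the three YAML spellings (scalar, inline list, block list). The pipeline text it runs against is constructed to resemble the steps named on this page, not the real .woodpecker.yaml, and SCRIPT_URL is a placeholder for the internal cluster URL the step downloads the canonical script from.

```shell
#!/bin/sh
# Added example: a pre-merge lint for the ordering gap the review flags. It
# checks that a step's depends_on lists a given predecessor. The pipeline text
# below is constructed (not the repository's real .woodpecker.yaml) and
# SCRIPT_URL stands in for the internal cluster URL.
set -eu

# step_depends_on FILE STEP DEP : exit 0 if STEP's depends_on contains DEP.
# Assumes the map-style layout the review quotes: two-space step names under
# `steps:`, four-space step keys, six-space list items.
step_depends_on() {
  awk -v step="$2" -v dep="$3" '
    BEGIN { cur = ""; found = 0; inlist = 0 }
    # A step header: exactly two spaces, a name, a colon, nothing else.
    /^  [A-Za-z0-9_-]+:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); inlist = 0; next }
    # depends_on inside the step we care about.
    cur == step && /^    depends_on:/ {
      rest = $0; sub(/^    depends_on:[ \t]*/, "", rest)
      if (rest == "") { inlist = 1 }                  # block list follows
      else if (rest ~ /^\[/) {                         # inline [a, b]
        gsub(/[][ "]/, "", rest)
        n = split(rest, parts, ",")
        for (i = 1; i <= n; i++) if (parts[i] == dep) found = 1
      } else {                                         # single scalar
        gsub(/"/, "", rest)
        if (rest == dep) found = 1
      }
      next
    }
    inlist {
      if ($0 ~ /^      - /) { name = $2; gsub(/"/, "", name); if (name == dep) found = 1; next }
      inlist = 0
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# check_edges FILE STEP>DEP... : report each required edge; exit 1 if any is missing.
check_edges() {
  file=$1
  shift
  missing=0
  for edge in "$@"; do
    step=${edge%%>*}
    dep=${edge#*>}
    if step_depends_on "$file" "$step" "$dep"; then
      echo "ok:      $step depends_on $dep"
    else
      echo "MISSING: $step must list $dep in depends_on"
      missing=1
    fi
  done
  return "$missing"
}

# pipeline_yaml [fixed] : print the constructed pipeline; with "fixed", the
# smoke-test step carries the depends_on the review asked for.
pipeline_yaml() {
  cat <<'EOF'
steps:
  build-and-push:
    image: woodpeckerci/plugin-kaniko:2.3.0
    settings:
      tags: ${CI_COMMIT_SHA}
  update-kustomize-tag:
    image: alpine/git:latest
    environment:
      FORGEJO_TOKEN:
        from_secret: forgejo_token
      OVERLAY: pal-e-docs
      IMAGE_TAG: ${CI_COMMIT_SHA}
    commands:
      - wget -qO- "$SCRIPT_URL" | sh
    depends_on: [build-and-push]
    when:
      event: push
      branch: main
  smoke-test:
    image: python:3.12-slim
    commands:
      - sleep 30
      - echo "smoke test placeholder"
EOF
  if [ "${1:-}" = fixed ]; then
    printf '    depends_on:\n      - update-kustomize-tag\n'
  fi
}

# Run the lint against the pipeline as submitted and with the fix applied.
demo() {
  work=$(mktemp -d)
  pipeline_yaml > "$work/before.yaml"
  pipeline_yaml fixed > "$work/after.yaml"
  echo "== as submitted =="
  check_edges "$work/before.yaml" \
    "update-kustomize-tag>build-and-push" "smoke-test>update-kustomize-tag" || true
  echo "== with the fix =="
  check_edges "$work/after.yaml" \
    "update-kustomize-tag>build-and-push" "smoke-test>update-kustomize-tag"
  rm -rf "$work"
}

demo
```

Run as a pipeline step or a pre-commit hook with the real file in place of the constructed one; the required edges are declared once in the call, so the check states the intended order explicitly instead of relying on definition order, which is exactly the ambiguity the severity note leaves open.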

fix: add depends_on to smoke-test step so it waits for kustomize tag update
Some checks failed
ci/woodpecker/pr/woodpecker Pipeline failed
e7ebae19f7
Without this, smoke-test could run concurrently with update-kustomize-tag,
potentially testing the old deployment instead of the newly tagged image.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
forgejo_admin deleted branch 220-update-kustomize-tag 2026-03-27 21:11:49 +00:00