fix: replace broken update-deployment-tag with update-kustomize-tag #67

Merged
forgejo_admin merged 1 commit from 66-update-kustomize-tag into main 2026-03-27 21:11:47 +00:00

Summary

  • Replace the broken update-deployment-tag Woodpecker step with the canonical update-kustomize-tag step
  • The old step pushed image tags into k8s/deployment.yaml in this repo, which no longer works after migration to kustomize overlays in pal-e-deployments
  • The new step downloads and runs the shared script from pal-e-platform, targeting the pal-e-app overlay

Changes

  • .woodpecker.yaml: Replaced update-deployment-tag step with update-kustomize-tag using the canonical template from pal-e-platform/scripts/woodpecker-update-tag-step.yaml. Sets OVERLAY: pal-e-app, IMAGE_TAG: ${CI_COMMIT_SHA}, downloads shared script via wget from internal Forgejo service URL.

Test Plan

  • Merge to main and verify the Woodpecker pipeline runs the new update-kustomize-tag step successfully
  • Confirm it clones pal-e-deployments, updates the kustomize overlay at overlays/pal-e-app/prod, commits, and pushes
  • Verify ArgoCD picks up the new tag from pal-e-deployments
  • No regressions in existing CI steps (install, check, lint, build, test, build-and-push)

Review Checklist

  • Passed automated review-fix loop
  • No secrets committed
  • No unnecessary file changes
  • Commit messages are descriptive

Related Notes

  • Closes #66
  • pal-e-app -- the project this work belongs to

Generated with Claude Code

fix: replace broken update-deployment-tag with update-kustomize-tag step
Some checks failed
ci/woodpecker/pr/woodpecker Pipeline failed
45b8e9287b
The old step pushed image tags directly into k8s/deployment.yaml in this
repo.  With the migration to kustomize overlays in pal-e-deployments,
that approach is broken.  Replace it with the canonical
update-kustomize-tag step that downloads and runs the shared script from
pal-e-platform, targeting the pal-e-app overlay in pal-e-deployments.

Closes #66

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

QA Review

VERDICT: APPROVE

Diff Analysis

Single file change (.woodpecker.yaml), 8 additions / 8 deletions. Replaces the inline update-deployment-tag step with the canonical update-kustomize-tag step.

Checks

  • Step name, image, env vars, commands, depends_on, and when gate all match the canonical template at pal-e-platform/scripts/woodpecker-update-tag-step.yaml
  • OVERLAY: "pal-e-app" is the correct overlay value per the template's mapping table
  • IMAGE_TAG: "${CI_COMMIT_SHA}" matches the tag used by the build-and-push step
  • Script URL uses internal service DNS (forgejo-http.forgejo.svc.cluster.local:80) -- correct for in-cluster CI
  • Secret reference (forgejo_token) matches the existing secret used by the old step
  • No secrets or sensitive data in the diff
  • No unnecessary file changes
  • PR body has Closes #66, all required sections present

Notes

  • The path.exclude for k8s/deployment.yaml in the top-level when block is now a dead reference (the new step writes to pal-e-deployments, not this repo). Harmless but could be cleaned up in a follow-up.

PR #67 Review

DOMAIN REVIEW

Tech stack: Woodpecker CI pipeline (YAML), shell scripting via shared script in pal-e-platform.

Correctness: The new update-kustomize-tag step is a 1:1 match with the canonical template at pal-e-platform/scripts/woodpecker-update-tag-step.yaml and the existing production implementations in westside-app and pal-e-docs. The only difference is OVERLAY: "pal-e-app", which correctly maps to the overlay directory at pal-e-deployments/overlays/pal-e-app/prod/kustomization.yaml.

Shared script validation: The downloaded update-kustomize-tag.sh validates required env vars (FORGEJO_TOKEN, OVERLAY, IMAGE_TAG), verifies the kustomization file exists before modifying it, uses sed to update newTag, and includes a 3-retry push loop with rebase for concurrent push conflicts. The sed pattern matches the format in the target file (line 65: newTag: e23a1d8...).

Secrets handling: FORGEJO_TOKEN is sourced from from_secret: forgejo_token -- proper Woodpecker secret injection. No plaintext secrets in the diff.

Guard conditions: depends_on: build-and-push and when: event push, branch main correctly gate this step to only run after successful image push on main branch merges.

DRY: The old step had inline git/sed logic (8 lines of shell). The new step delegates to the shared canonical script (2 lines: wget + sh). This is the correct centralization pattern -- one script to maintain across all repos.

BLOCKERS

None.

This is a CI pipeline configuration change (replacing one Woodpecker step with another). There is no new application functionality, so the "new functionality must have tests" blocker does not apply. The test plan correctly identifies integration-level verification (merge and observe pipeline execution, ArgoCD pickup).

NITS

  1. Stale path exclusions (lines 11-13): The when block at the top of the file still excludes k8s/.argocd-source-* and k8s/deployment.yaml. The k8s/ directory no longer exists in this repo (confirmed), so these exclusions are dead code. The old step was pushing tag updates to k8s/deployment.yaml in this repo; the new step pushes to pal-e-deployments instead. Recommend a follow-up issue to clean these up (out of scope for this fix).

  2. alpine/git:latest image tag: Using :latest reduces reproducibility. However, this is consistent with the canonical template and all other repos (westside-app, pal-e-docs), so this is a platform-wide decision, not a defect in this PR.

SOP COMPLIANCE

  • Branch named after issue (66-update-kustomize-tag references issue #66)
  • PR body has Summary, Changes, Test Plan, Related sections
  • Related section references "Closes #66" and names the project (pal-e-app)
  • Related section does not reference a plan slug (acceptable -- this is a fix, not plan-driven work)
  • No secrets committed
  • No unnecessary file changes (1 file changed, 8 additions, 8 deletions -- clean swap)
  • Commit messages are descriptive

PROCESS OBSERVATIONS

  • Deployment frequency: This PR unblocks the CD pipeline for pal-e-app. Without this fix, main branch merges build and push images to Harbor but never update the kustomize overlay, meaning ArgoCD never picks up new tags. This directly improves deployment frequency (DORA DF metric).
  • Change failure risk: Low. The canonical script is already battle-tested across westside-app and pal-e-docs. The pattern is identical.
  • Discovered scope: The stale k8s/ path exclusions in the when block should be tracked as a follow-up cleanup issue.

VERDICT: APPROVED
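The validation and retry flow the review attributes to the shared script, as an added illustrative shell example (not the pal-e-platform `update-kustomize-tag.sh` itself); the constructed kustomization fragment, the sample tags and the `push_with_retry` helper are assumptions:

```shell
#!/bin/sh
# Illustrative stand-in for the shared update-kustomize-tag.sh the review
# describes; not the pal-e-platform script. Assumes a checkout of
# pal-e-deployments and the env vars FORGEJO_TOKEN, OVERLAY, IMAGE_TAG.
set -eu

# Fail fast if any named env var is unset or empty.
require_env() {
  for name in "$@"; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || { echo "missing required env var: $name" >&2; return 1; }
  done
}

# Print the tag currently set in a kustomization file (first newTag line).
current_tag() {
  sed -n -E 's/^[[:space:]]*newTag:[[:space:]]*//p' "$1" | head -n 1
}

# Rewrite the newTag line. Refuses a missing file, a file with no newTag
# line (a typo in OVERLAY must not become a silent no-op commit), and a
# tag outside [A-Za-z0-9._-] so the value cannot alter the sed expression.
update_new_tag() {
  file=$1; tag=$2
  [ -f "$file" ] || { echo "kustomization not found: $file" >&2; return 1; }
  grep -q '^[[:space:]]*newTag:' "$file" || { echo "no newTag in $file" >&2; return 1; }
  printf '%s' "$tag" | grep -Eq '^[A-Za-z0-9._-]+$' || { echo "unsafe tag: $tag" >&2; return 1; }
  sed -E "s/^([[:space:]]*newTag:[[:space:]]*).*/\1${tag}/" "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Commit and push, rebasing onto the remote up to 3 times when another
# pipeline pushed first. Only meaningful inside a real clone.
push_with_retry() {
  dir=$1; msg=$2; i=1
  git -C "$dir" commit -am "$msg"
  while [ "$i" -le 3 ]; do
    git -C "$dir" push && return 0
    git -C "$dir" pull --rebase || return 1
    i=$((i + 1))
  done
  return 1
}

# Demo on a constructed kustomization fragment (not the real overlay).
demo_file=$(mktemp)
printf 'images:\n  - name: harbor.example/pal-e-app\n    newTag: e23a1d8\n' > "$demo_file"
update_new_tag "$demo_file" "0123abcd"
echo "newTag is now: $(current_tag "$demo_file")"
rm -f "$demo_file"
```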

forgejo_admin deleted branch 66-update-kustomize-tag 2026-03-27 21:11:47 +00:00
Reference
forgejo_admin/pal-e-docs-app!67