Bug: CI pipeline broken — default clone uses external TLS URL (66% failure rate) #133

Closed
opened 2026-03-21 17:33:24 +00:00 by forgejo_admin · 0 comments

Type

Bug

Lineage

plan-pal-e-platform — standalone, discovered during operations/monitoring

Repo

forgejo_admin/pal-e-platform

What Broke

Woodpecker CI pipeline is broken. The default clone step uses the external Tailscale funnel URL (https://forgejo.tail5b443a.ts.net) which has ~66% TLS failure rate from within the cluster. Pipeline #166 (latest push to main) has status error — no steps even run.

Previous fix attempts failed:

  • PR #118: Used plugin-git with settings: remote: — netrc conflicts with internal URL
  • PR #128: Removed #118's clone block, tried CI_NETRC_MACHINE — reverted to external TLS clone (diff literally just deletes the clone block)
  • Issue #121 was closed prematurely after these partial fixes

Repro Steps

  1. Push any commit to main or open a PR on pal-e-platform
  2. Observe Woodpecker pipeline triggered
  3. Clone step fails with TLS handshake error (~66% of the time)

Pipeline #166 (push to main): error status, no steps ran.

Expected Behavior

Clone step should succeed reliably using the internal Forgejo service URL (http://forgejo-http.forgejo.svc.cluster.local:80), matching the pattern already working in westside-app.

Environment

  • Cluster/namespace: prod / woodpecker
  • Service version/commit: main at 027c239
  • Related alerts: CI pipeline failures blocking PR checks and apply-on-merge

Acceptance Criteria

  • PR event triggers pipeline automatically (not manual)
  • Clone step succeeds via internal URL (no TLS errors)
  • Validate step runs (tofu fmt -check + tofu validate)
  • Plan step runs (tofu plan -lock=false, comment posted to PR)
  • Push to main triggers apply step with -lock=false
  • Cross-pillar-review step fires on main push

Related

  • Supersedes approach from #121, PRs #118, #128
  • Related to #127 (kube-router ipset sync — sleep 2 workaround)
  • Reference: ~/westside-app/.woodpecker.yaml (working pattern with alpine/git)
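The pipeline below is an added example of the clone pattern this issue asks for together with the validate/plan/apply steps from the acceptance criteria. It is not the repository's own .woodpecker.yaml and not the westside-app file referenced above. Everything not stated in the issue is an assumption: the Woodpecker secret names forgejo_user and forgejo_token (hypothetical), a read-only token as the clone credential, the OpenTofu image tag, and an OpenTofu root module at the repository root. The PR comment and cross-pillar-review steps are left out because the page does not show what they run.

```yaml
# Added example (not the pal-e-platform pipeline, not the westside-app file).
# Assumptions, none of them from the issue: Woodpecker secrets named
# forgejo_user / forgejo_token (hypothetical names) hold a Forgejo login and a
# read-only token; the OpenTofu root module is the repository root; the image
# tag below should be replaced by a digest pin in practice.

# Disable the built-in clone: it would use the external funnel URL recorded in
# CI_REPO_CLONE_URL and the .netrc written for CI_NETRC_MACHINE.
skip_clone: true

steps:
  - name: clone
    image: alpine/git
    environment:
      # Cluster-internal service URL from the issue. Plain HTTP is acceptable
      # only because this traffic never leaves the cluster network; the token
      # still travels unencrypted to that service, so keep it read-only.
      FORGEJO_URL: http://forgejo-http.forgejo.svc.cluster.local:80
      FORGEJO_USER:
        from_secret: forgejo_user
      FORGEJO_TOKEN:
        from_secret: forgejo_token
    commands:
      - git init -q .
      # Derive the remote from the built-in CI_REPO (owner/name) so the step
      # cannot drift from the repository Woodpecker actually triggered for.
      - git remote add origin "$FORGEJO_URL/$CI_REPO.git"
      # Credentials come from an in-memory helper: nothing is written to
      # .git/config or ~/.netrc, and the token never appears in the remote URL.
      - git config --local credential.helper '!f() { echo "username=$FORGEJO_USER"; echo "password=$FORGEJO_TOKEN"; }; f'
      # Fetch exactly the ref that fired the event (refs/heads/main for a push,
      # refs/pull/N/head for a PR) and pin the checkout to the triggering SHA.
      # If the ref moved while the build was queued, checkout fails instead of
      # silently testing newer code.
      - git fetch -q --depth=1 origin "$CI_COMMIT_REF"
      - git checkout -q "$CI_COMMIT_SHA"
      # Remove the helper once the tree is on disk; later steps share this workspace.
      - git config --local --unset credential.helper

  - name: validate
    image: ghcr.io/opentofu/opentofu:1.9
    commands:
      - tofu fmt -check -recursive
      - tofu init -input=false -backend=false
      - tofu validate
    when:
      - event: [push, pull_request]

  - name: plan
    image: ghcr.io/opentofu/opentofu:1.9
    commands:
      - tofu init -input=false
      # -lock=false matches the acceptance criteria; it also means a concurrent
      # apply can race this plan, so the plan is advisory only.
      - tofu plan -input=false -lock=false -no-color -out=tfplan
    when:
      - event: pull_request

  - name: apply
    image: ghcr.io/opentofu/opentofu:1.9
    commands:
      - tofu init -input=false
      - tofu apply -input=false -lock=false -auto-approve
    when:
      - event: push
        branch: main
```

The clone step carries no when clause so it runs for every event the pipeline is triggered for, including the main-push event the cross-pillar-review step would gate on. Backend and provider credentials for the plan and apply steps are injected with from_secret in the same way and are not shown; they must be a different credential from the read-only clone token, since apply on push to main with -auto-approve makes branch protection on main the real gate for changes.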