CI pipeline targeted apply — module-aware .woodpecker.yaml #198

Closed
opened 2026-03-27 04:08:40 +00:00 by forgejo_admin · 2 comments

Type

Feature

Lineage

Sub-ticket of #197 (Terraform state splitting). Split out because the CI pipeline change is non-trivial — 328-line .woodpecker.yaml with kubeconfig setup, 15+ secrets, lock retry logic.

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want CI to detect which Terraform module changed and only apply that module
So that applies are fast, focused, and don't fail on unrelated provider connectivity

Context

After #197 modularizes main.tf into 9 modules, the CI apply step needs to detect which module changed and run tofu apply -target=module.X instead of a full apply. The current .woodpecker.yaml apply step is 328 lines with kubeconfig rendering, 15+ secret env vars, plan comment posting, and state lock detection/retry. Modifying this requires careful handling.

File Targets

Files to modify:

  • .woodpecker.yaml — apply step: add path-based module detection, run targeted apply per changed module

Files NOT to touch:

  • terraform/modules/ — already restructured by #197
  • terraform/main.tf — already restructured by #197

Acceptance Criteria

  • Apply step detects which terraform/modules/X/ directory changed in the commit
  • Runs tofu apply -target=module.X for each changed module
  • Falls back to full apply if root files changed (main.tf, variables.tf, providers.tf)
  • Plan step similarly targets changed modules
  • Kubeconfig, secrets, and lock retry logic preserved
  • No regression: plan comments still post to Forgejo PR, lock retry still works, cross-pillar-review gate preserved

Test Expectations

  • Merge a change touching only terraform/modules/ci/ — verify only module.ci is applied
  • Merge a change touching terraform/main.tf — verify full apply runs
  • Merge a change touching two modules — verify both are applied
  • Run command: verify via Woodpecker pipeline logs

Constraints

  • Depends on #197 being merged first (modules must exist)
  • Must preserve all existing CI functionality (plan comments, lock retry, cross-pillar-review)
  • tofu plan must include -lock=false

Note: module.ci depends on module.storage, module.forgejo, module.database. Targeted apply on module.ci will still refresh upstream providers. Only leaf modules (monitoring, forgejo, keycloak) get true provider isolation.

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • #197 — parent ticket (Terraform state splitting)
  • #196 — root symptom (MinIO blocking applies)
  • project-pal-e-platform
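An added example of the path-based detection and fallback logic the acceptance criteria describe, written as a POSIX sh fragment that could sit at the top of the plan/apply step (it is not code from the project's .woodpecker.yaml). It assumes the layout above, assumes the changed-path list comes from `git diff --name-only` between Woodpecker's CI_PREV_COMMIT_SHA and CI_COMMIT_SHA, and goes one step beyond the ticket by treating any other file directly under terraform/ as a full-apply trigger.

```shell
#!/bin/sh
# Added example, not the project's pipeline. Maps changed paths to tofu args:
#   terraform/modules/<name>/...                     -> -target=module.<name>
#   terraform/main.tf | variables.tf | providers.tf  -> full apply (per ticket)
#   any other file directly under terraform/         -> full apply (assumption)
# In CI, feed it: git diff --name-only "$CI_PREV_COMMIT_SHA" "$CI_COMMIT_SHA"

# Read changed paths from stdin, one per line. Print "FULL", an empty line
# (nothing under terraform/ changed), or space-separated -target flags,
# one per distinct changed module, in first-seen order.
tofu_targets() {
  full=0 mods="" flags=""
  while IFS= read -r path; do
    case "$path" in
      terraform/main.tf|terraform/variables.tf|terraform/providers.tf)
        full=1 ;;
      terraform/modules/*/*)
        m=${path#terraform/modules/}   # strip the prefix ...
        m=${m%%/*}                     # ... keep only the module directory
        case " $mods " in
          *" $m "*) ;;                 # already recorded
          *) mods="$mods $m" ;;
        esac ;;
      terraform/*)
        full=1 ;;                      # other root-level terraform change
      *) ;;                            # non-terraform file: nothing to apply
    esac
  done
  if [ "$full" -eq 1 ]; then printf 'FULL\n'; return 0; fi
  for m in $mods; do flags="$flags -target=module.$m"; done
  printf '%s\n' "${flags# }"
}

# Compose the plan or apply command for the changed paths on stdin. Plan always
# carries -lock=false (ticket constraint). Targeting module.ci still refreshes
# module.storage/forgejo/database because module.ci consumes their outputs.
tofu_cmd() {
  case "$1" in
    plan)  base="tofu plan -lock=false" ;;
    apply) base="tofu apply" ;;
    *)     printf 'usage: tofu_cmd plan|apply\n' >&2; return 2 ;;
  esac
  targets=$(tofu_targets)
  case "$targets" in
    FULL) printf '%s\n' "$base" ;;
    "")   printf '\n' ;;               # empty: caller skips the step
    *)    printf '%s\n' "$base $targets" ;;
  esac
}
```

The empty-output case lets the step skip tofu entirely when a commit touches no terraform files, which the ticket's three test scenarios do not cover but a real pipeline will hit.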
Author
Owner

Scope Review: NEEDS_REFINEMENT

Review note: review-437-2026-03-27

The ticket is well-structured and all file targets verified, but has a correctness gap that would lead an agent to build on a false assumption.

Issues to fix before next_up:

  • Inter-module dependency graph undermines the isolation promise. tofu apply -target=module.ci will still refresh module.storage, module.forgejo, and module.database because module.ci consumes their outputs. Only leaf modules (monitoring, forgejo, keycloak) get true isolation. The ticket should acknowledge this limitation so the agent doesn't write incorrect fallback logic or make false claims.
  • "No regression" acceptance criterion is vague. Should be decomposed into: plan comments still post, lock retry still works, cross-pillar-review still triggers, IPv6 disable runs in all steps, all 15+ secret env vars preserved.

No decomposition needed -- single file target, fits in one agent pass.

Author
Owner

Issue body updated per scope review corrections.
