Phase 6.3: Plan-on-PR pipeline — tofu plan output as PR comment #48

Closed
opened 2026-03-14 17:25:58 +00:00 by forgejo_admin · 0 comments

Lineage

plan-pal-e-platform → Phase 6 (CI Hardening) → Phase 6.3

Repo

forgejo_admin/pal-e-platform

User Story

As an infrastructure reviewer
I want to see tofu plan output on every PR
So that I can review planned infrastructure changes before approving a merge

Context

Woodpecker CI is now activated for pal-e-platform (repo ID 29). Phase 6.2 deployed a validation pipeline (.woodpecker.yaml with tofu fmt -check + tofu validate). Phase 6.3 adds a plan step that runs a full tofu plan and posts the output as a Forgejo PR comment.

All 17 Woodpecker repo secrets have been pre-created by Betty Sue:

  • KUBECONFIG_CONTENT — modified kubeconfig with server: https://10.0.0.217:6443 for in-cluster API access
  • FORGEJO_TOKEN — API token with write:issue scope for posting PR comments
  • 15 TF_VAR_* secrets matching every variable in terraform/variables.tf

Key architectural decisions:

  • CI kubeconfig uses 10.0.0.217:6443 (node IP) instead of 127.0.0.1:6443 (localhost) because CI pods have their own network namespace
  • Backend config override: tofu init -backend-config="config_path=/tmp/kubeconfig"
  • Provider config override: TF_VAR_kubeconfig_path=/tmp/kubeconfig
  • Plan output posted via curl to Forgejo API (no plugin needed)
  • The ghcr.io/opentofu/opentofu:1.9 image is Alpine-based — install curl and jq via apk add

File Targets

Files the agent should modify:

  • .woodpecker.yaml — add plan step after existing validate step

Files the agent should NOT touch:

  • terraform/*.tf — no Terraform changes in this PR
  • Makefile — no changes

Acceptance Criteria

  • When a PR is opened, Woodpecker runs validate then plan
  • Plan step writes kubeconfig from secret, inits with backend override, runs tofu plan -no-color
  • Plan output is posted as a Forgejo PR comment with ```-fenced code block
  • Plan step fails if tofu plan fails (exit code preserved)
  • Secrets are not leaked in pipeline logs

Test Expectations

  • Open a test PR with a trivial .tf change and verify plan comment appears
  • Run command: verify via Woodpecker pipeline UI + Forgejo PR comments

Constraints

  • Must use ghcr.io/opentofu/opentofu:1.9 image (same as validate step)
  • Plan step must run AFTER validate (validate gates plan — use depends_on: [validate])
  • Keep the existing when: event: pull_request trigger for validate; plan uses same trigger
  • Truncate plan output if > 60000 chars (Forgejo comment limit)
  • Use jq for safe JSON encoding of plan output (avoid shell escaping issues)
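An added example of the plan step these decisions and constraints describe, not the repository's own .woodpecker.yaml: it assumes Woodpecker's documented from_secret syntax and its CI_FORGE_URL, CI_REPO_OWNER, CI_REPO_NAME and CI_COMMIT_PULL_REQUEST variables, leaves the 15 TF_VAR_* secret names as a placeholder, and cuts the plan at 59000 chars so the comment stays under the 60000-char limit once the fence and truncation marker are added.

```yaml
steps:
  # ... the validate step from Phase 6.2 stays as deployed ...
  - name: plan
    image: ghcr.io/opentofu/opentofu:1.9
    depends_on: [validate]            # validate gates plan
    when:
      event: pull_request
    environment:
      KUBECONFIG_CONTENT:
        from_secret: KUBECONFIG_CONTENT
      FORGEJO_TOKEN:
        from_secret: FORGEJO_TOKEN
      TF_VAR_kubeconfig_path: /tmp/kubeconfig   # provider config override
      # PLACEHOLDER: map the 15 TF_VAR_* secrets the same way (names are in
      # terraform/variables.tf). Values not marked sensitive there can surface
      # in plan output and therefore in the PR comment.
    commands:
      - apk add --no-cache curl jq
      # Kubeconfig from secret, owner-only permissions; the value is never echoed.
      - umask 077 && printf '%s' "$KUBECONFIG_CONTENT" > /tmp/kubeconfig
      - tofu init -input=false -no-color -backend-config="config_path=/tmp/kubeconfig"
      # Capture plan output and exit code without letting set -e abort the step early.
      - set +e; tofu plan -no-color -input=false > /tmp/plan.txt 2>&1; PLAN_RC=$?; set -e
      - cat /tmp/plan.txt
      # Keep headroom under the 60000-char Forgejo comment limit for fence and marker.
      - head -c 59000 /tmp/plan.txt > /tmp/plan_body.txt
      - '[ "$(wc -c < /tmp/plan.txt)" -le 59000 ] || printf "\n... output truncated ...\n" >> /tmp/plan_body.txt'
      # jq -Rs slurps the raw text into one correctly escaped JSON string;
      # the fence is built from octal escapes so no literal backticks sit in this file.
      - |
        FENCE=$(printf '\140\140\140')
        jq -Rs --arg rc "$PLAN_RC" --arg f "$FENCE" \
          '{body: ("### tofu plan (exit " + $rc + ")\n" + $f + "\n" + . + "\n" + $f)}' \
          /tmp/plan_body.txt > /tmp/comment.json
      # The token travels in a header file, so it never appears on an echoed command line.
      - umask 077 && printf 'Authorization: token %s\n' "$FORGEJO_TOKEN" > /tmp/auth.hdr
      - |
        curl -sSf -X POST -H @/tmp/auth.hdr -H 'Content-Type: application/json' \
          --data @/tmp/comment.json \
          "$CI_FORGE_URL/api/v1/repos/$CI_REPO_OWNER/$CI_REPO_NAME/issues/$CI_COMMIT_PULL_REQUEST/comments" \
          > /dev/null
      # Preserve the plan's exit code so a failed plan fails the step after the comment is posted.
      - exit "$PLAN_RC"
```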

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • phase-pal-e-platform-ci-6-3-plan-on-pr — phase note
  • plan-pal-e-platform — parent plan
forgejo_admin 2026-03-14 17:36:40 +00:00