Phase 6.4: Apply-on-merge pipeline — auto tofu apply on push to main #49

Closed
opened 2026-03-14 17:26:40 +00:00 by forgejo_admin · 0 comments

Lineage

plan-pal-e-platform → Phase 6 (CI Hardening) → Phase 6.4

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want infrastructure changes to auto-apply when PRs merge to main
So that the laptop is no longer a SPOF and merge = deploy

Context

Phase 6.3 (Issue #48) adds the plan step to the CI pipeline. Phase 6.4 adds the apply step that runs on push-to-main events. This eliminates the state lock contention between sessions and makes deployment fully automated.

All Woodpecker secrets are already configured from Phase 6.3.

File Targets

Files the agent should modify:

  • .woodpecker.yaml — add apply step on push-to-main events

Files the agent should NOT touch:

  • terraform/*.tf — no Terraform changes
  • Makefile — no changes

Acceptance Criteria

  • When a PR merges to main, Woodpecker runs tofu apply -auto-approve
  • Apply step writes kubeconfig from secret, inits with backend override
  • Apply failure posts a comment on the merge commit or triggers notification
  • Apply step only runs on push to main (not PRs, not tags)

Test Expectations

  • Merge a test PR and verify apply runs and succeeds
  • Run command: verify via Woodpecker pipeline UI

Constraints

  • Apply step must use same kubeconfig/secret setup as plan step
  • Must NOT run validate+plan on push-to-main (only apply)
  • Use when: event: push; branch: main filter

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • phase-pal-e-platform-ci-6-4-apply-on-merge — phase note
  • plan-pal-e-platform — parent plan
  • Issue #48 — Phase 6.3 (prerequisite)
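
A sketch of the step gating that the acceptance criteria and constraints describe, added here as an example and not taken from the repository's .woodpecker.yaml. The image reference, the secret name, the kubeconfig path and the notifier step are assumptions, and the backend override is left as a comment because the issue does not say how it is done.

```yaml
# Added illustration. Image, secret name and paths are assumptions.
steps:
  - name: plan
    image: ghcr.io/opentofu/opentofu:<pinned-version>
    environment:
      KUBECONFIG_CONTENT:
        from_secret: kubeconfig        # hypothetical secret name
    commands:
      - umask 077
      - printf '%s' "$KUBECONFIG_CONTENT" > /tmp/kubeconfig
      - export KUBECONFIG=/tmp/kubeconfig
      - cd terraform
      # backend override from Phase 6.3 goes here (mechanism not given in the issue)
      - tofu init -input=false
      - tofu validate
      - tofu plan -input=false
    when:
      # validate + plan run for pull requests only, never on push to main
      - event: pull_request

  - name: apply
    image: ghcr.io/opentofu/opentofu:<pinned-version>
    environment:
      KUBECONFIG_CONTENT:
        from_secret: kubeconfig        # same secret setup as the plan step
    commands:
      - umask 077                      # kubeconfig is written owner-readable only
      - printf '%s' "$KUBECONFIG_CONTENT" > /tmp/kubeconfig
      - export KUBECONFIG=/tmp/kubeconfig
      - cd terraform
      # backend override from Phase 6.3 goes here (mechanism not given in the issue)
      - tofu init -input=false
      - tofu apply -input=false -auto-approve
    when:
      # event and branch in one entry are ANDed: PRs and tags never reach apply
      - event: push
        branch: main

  - name: notify-apply-failure
    image: alpine:3
    commands:
      # placeholder: replace with the real commit comment or notification call
      - echo "tofu apply failed for commit $CI_COMMIT_SHA"
    when:
      - event: push
        branch: main
        status: [failure]
```

Keeping `event` and `branch` in the same `when` entry matters: listing them as separate entries would OR the conditions and let the apply step run on any push or on any pipeline for main.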