CI reliability: add -lock=false to plan + use internal Forgejo URL for comments #57

Closed
opened 2026-03-14 19:39:52 +00:00 by forgejo_admin · 0 comments

Lineage

plan-pal-e-platform → Phase 6 (CI Pipeline)
Resolves: todo-tofu-plan-lock-false, partially resolves todo-remove-clone-url-overrides

Repo

forgejo_admin/pal-e-platform

User Story

As a platform operator
I want CI plan steps to not lock state and PR comments to use internal URLs
So that CI doesn't block local tofu operations and PR comments don't fail with TLS EOF errors

Context

Two CI reliability issues in .woodpecker.yaml:

  1. State lock contention: tofu plan in CI acquires a state lock, which blocks concurrent tofu apply or local tofu plan runs. Plan is read-only and doesn't need the lock. This was discovered when a worktree tofu plan locked shared state and blocked CI apply.

  2. TLS EOF on PR comments: The curl command posting plan output as PR comments uses the external Forgejo URL (https://forgejo.tail5b443a.ts.net), which goes out through Tailscale funnel TLS and back in, even though the request originates inside the cluster. Internal cluster traffic should use the in-cluster service URL (http://forgejo-http.forgejo.svc.cluster.local:80) to avoid the TLS round trip and the intermittent EOF errors. Note that this moves the comment POST, including the API token it authenticates with, to plain HTTP on the cluster network, so the token is only as protected as that network; the URL must therefore never point anywhere but the in-cluster service. This is the same TLS fix pattern applied to Woodpecker clone URLs in PR #56.
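
The two changes described above, written out as a runnable CI step. This is an added example, not the contents of the repository's .woodpecker.yaml: the plan runs with -lock=false and -detailed-exitcode so that "changes" and "error" are distinguishable, the plan output is JSON-escaped before it is posted, and the POST refuses any URL other than the in-cluster service so the token is not sent over plain HTTP to the wrong host. Assumed, and not taken from the issue: a FORGEJO_TOKEN secret, Woodpecker's CI_REPO and CI_COMMIT_PULL_REQUEST variables, and the Forgejo API route used for the comment.

```bash
#!/usr/bin/env bash
# Added example, not the pal-e-platform .woodpecker.yaml: the plan-and-comment
# step from the issue as shell functions that can be exercised locally.
# Assumed (not from the issue): a FORGEJO_TOKEN secret, Woodpecker's CI_REPO and
# CI_COMMIT_PULL_REQUEST variables, and that the comment is posted with the
# Forgejo API (POST /api/v1/repos/{owner}/{repo}/issues/{index}/comments).
set -u

# In-cluster service URL from the issue. Plain HTTP: the token is protected only
# by the cluster network, so never point this at anything external.
FORGEJO_URL="${FORGEJO_URL:-http://forgejo-http.forgejo.svc.cluster.local:80}"
ALLOWED_HOST="forgejo-http.forgejo.svc.cluster.local"
PLAN_OUT="${PLAN_OUT:-plan.txt}"

# Read-only plan without taking the state lock. -detailed-exitcode makes the
# result machine-readable: 0 = no changes, 1 = error, 2 = changes pending.
# Output (stdout and stderr) is captured in $PLAN_OUT; the exit code is returned.
run_plan() {
  local rc=0
  tofu plan -lock=false -input=false -no-color -detailed-exitcode >"$PLAN_OUT" 2>&1 || rc=$?
  return "$rc"
}

# Map the plan exit code to a step outcome. Only 1 is a failure; 2 is a
# successful plan that has a diff to show.
plan_status() {
  case "$1" in
    0) echo "no-changes" ;;
    2) echo "changes" ;;
    *) echo "error" ;;
  esac
}

# Turn stdin into the inside of a JSON string: tabs become spaces, other control
# characters are dropped, then backslash, double quote and newline are escaped.
# Unescaped plan output is the usual reason a comment POST comes back as 400.
json_escape() {
  tr '\t' ' ' | tr -d '\000-\010\013-\037' \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    | awk 'BEGIN{ORS=""} NR>1{printf "\\n"} {printf "%s", $0}'
}

# $1 = status label, $2 = plan output file. Prints the API request body, with
# the plan inside a fenced block so Forgejo renders it verbatim.
comment_json() {
  printf '{"body":"### tofu plan (%s)\\n```\\n' "$1"
  json_escape <"$2"
  printf '\\n```"}\n'
}

# Accept only a plain-http URL whose host is exactly the in-cluster service and
# that carries no userinfo, so a mistyped URL cannot send the token elsewhere.
check_internal_url() {
  local auth host
  case "$1" in http://*) ;; *) return 1 ;; esac
  auth="${1#http://}"; auth="${auth%%/*}"
  case "$auth" in *@*) return 1 ;; esac
  host="${auth%%:*}"
  [ "$host" = "$ALLOWED_HOST" ]
}

# $1 = file holding the JSON body. Posts it as a comment on the current PR.
post_comment() {
  check_internal_url "$FORGEJO_URL" \
    || { echo "refusing to send the API token to $FORGEJO_URL" >&2; return 1; }
  curl -sS --fail -X POST \
    -H "Authorization: token ${FORGEJO_TOKEN:?FORGEJO_TOKEN secret not set}" \
    -H 'Content-Type: application/json' \
    --data-binary @"$1" \
    "$FORGEJO_URL/api/v1/repos/$CI_REPO/issues/$CI_COMMIT_PULL_REQUEST/comments"
}

# The CI step: plan, always comment, then fail the pipeline only on a real error.
ci_plan_step() {
  local rc=0 status body
  run_plan || rc=$?
  status=$(plan_status "$rc")
  body=$(mktemp)
  comment_json "$status" "$PLAN_OUT" >"$body"
  post_comment "$body"
  rm -f "$body"
  [ "$status" != "error" ]
}

# Invoke as `ci-plan.sh run` from the Woodpecker step; sourcing the file only
# defines the functions.
if [ "${1:-}" = "run" ]; then ci_plan_step; fi
```

The step posts the comment before deciding pass or fail, so an erroring plan still leaves its output on the PR; exit code 2 (a diff) is treated as success, which is what a plan-on-PR step wants. check_internal_url compares the host exactly rather than with a suffix pattern, because a pattern like *.svc.cluster.local would also match a query string or a userinfo component that merely contains that text.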

File Targets

Files the agent should modify:

  • .woodpecker.yaml — add -lock=false to tofu plan command (line 62), change curl URL to internal service URL (line 73)

Files the agent should NOT touch:

  • terraform/main.tf — no infrastructure changes needed
  • terraform/variables.tf — no new variables needed

Acceptance Criteria

  • tofu plan step includes -lock=false flag
  • curl URL for PR comments uses http://forgejo-http.forgejo.svc.cluster.local:80 instead of https://forgejo.tail5b443a.ts.net
  • No other changes to .woodpecker.yaml

Test Expectations

  • YAML syntax is valid (CI validate step will catch this on PR)
  • tofu plan step still captures output and handles failure correctly
  • Run command: yamllint .woodpecker.yaml or CI validate step

Constraints

  • Only change the two specific lines — no other modifications
  • The internal URL pattern matches what was done for clone URLs in PR #56
  • The -lock=false flag is a standard tofu/terraform option and is safe for plan, which never writes state. The one cost is that a plan running concurrently with an apply may read the state mid-write and report a stale diff; that is acceptable for an advisory PR comment, but the flag must never be passed to apply.

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • plan-pal-e-platform — Platform Hardening plan
  • todo-tofu-plan-lock-false — resolves this TODO
  • todo-remove-clone-url-overrides — partially resolves (pal-e-platform part)