ci: add .woodpecker.yaml (kaniko → Harbor → kustomize tag bump) #11

Merged

forgejo_admin merged 1 commit from 8-woodpecker-yaml into main 2026-04-28 04:35:30 +00:00

Conversation 1 Commits 1 Files changed 1 +80

forgejo_admin commented 2026-04-27 20:13:22 +00:00

Owner

Copy link

Summary

Adds the 4-step Woodpecker pipeline for westside-admin, mirroring the proven westside-app pattern. Push to main triggers: clone → validate → kaniko build+push to Harbor → bump kustomize tag in pal-e-deployments. PRs run validate only.

Changes

• .woodpecker.yaml — new file, mirrors ~/westside-app/.woodpecker.yaml structure with admin-specific substitutions:
  • Harbor repo: westside-admin/app (per feedback_harbor_project_naming — service key, not owner namespace)
  • Kustomize OVERLAY env: westside-admin
  • update-kustomize-tag step has failure: ignore (image is already pushed; tag bump is best-effort and re-runnable)
  • Clone step: 5-attempt retry on git fetch (per issue AC; sibling did not have this)
  • Image tag: full ${CI_COMMIT_SHA} (not short)

Sibling Pattern Fidelity

Structurally diffed against ~/westside-app/.woodpecker.yaml. Identical shape; deltas are limited to the four substitutions above plus the AC-mandated clone retry. Same kaniko plugin version (woodpeckerci/plugin-kaniko:2.3.0), same Harbor internal registry, same shared update-kustomize-tag.sh from pal-e-platform/scripts/, same secret names (harbor_username, harbor_password, forgejo_token).

Test Plan

• YAML parses cleanly: python3 -c "import yaml; yaml.safe_load(open('.woodpecker.yaml'))"
• All 3 steps + clone step parse with expected names
• Triggers parse: push/main, pull_request, manual
• Manual: enable repo in Woodpecker UI (one-time, post-merge)
• Manual: push triggers full 4-step pipeline; image lands at harbor.tail5b443a.ts.net/westside-admin/app:<sha>
• Manual: PR triggers only validate
• Manual: pal-e-deployments overlay receives tag-bump commit

Secret-Name Audit

References three Woodpecker secrets: harbor_username, harbor_password, forgejo_token (all global, shared with westside-app). Per ticket #65's PR, the westside-admin-ci Harbor robot was provisioned. If Woodpecker stores per-repo Harbor secrets under different names, from_secret: references need updating before first run. Verify via mcp__woodpecker__list_repo_secrets after enabling.

Discovered Scope

None new. Repo-enable in Woodpecker is a one-time manual step already noted in issue #8.

Review Checklist

• YAML parse-validated (python3 -c "import yaml; yaml.safe_load(...)")
• Sibling-pattern fidelity vs ~/westside-app/.woodpecker.yaml verified
• Harbor repo path matches feedback_harbor_project_naming (service key, not owner namespace)
• failure: ignore on tag-bump step per issue AC
• Clone retry per issue AC
• No Dockerfile or scaffold source modified (out of scope per #7)
• Repo enabled in Woodpecker UI (post-merge)
• First successful pipeline run observed
• First image visible in Harbor at westside-admin/app:<sha>

Related Notes

• feedback_harbor_project_naming — drives Harbor repo path (westside-admin/app, not forgejo_admin/westside-admin)
• feedback_yaml_parse_validation — drives the parse-validate gate
• feedback_woodpecker_quote_heavy_scripts — applied where wget retry needed $$i escaping
• arch-deployment-westside-admin — architecture component this CI feeds
• project-westside-admin — parent project
• Sibling reference: ~/westside-app/.woodpecker.yaml
• Shared script: pal-e-platform/scripts/update-kustomize-tag.sh

Related

• Forgejo issue: forgejo_admin/westside-admin#8
• story: admin-row-crud
• arch: ci-pipeline

Closes #8

## Summary Adds the 4-step Woodpecker pipeline for `westside-admin`, mirroring the proven westside-app pattern. Push to main triggers: clone → validate → kaniko build+push to Harbor → bump kustomize tag in pal-e-deployments. PRs run validate only. ## Changes - `.woodpecker.yaml` — new file, mirrors `~/westside-app/.woodpecker.yaml` structure with admin-specific substitutions: - Harbor repo: `westside-admin/app` (per `feedback_harbor_project_naming` — service key, not owner namespace) - Kustomize OVERLAY env: `westside-admin` - `update-kustomize-tag` step has `failure: ignore` (image is already pushed; tag bump is best-effort and re-runnable) - Clone step: 5-attempt retry on git fetch (per issue AC; sibling did not have this) - Image tag: full `${CI_COMMIT_SHA}` (not short) ## Sibling Pattern Fidelity Structurally diffed against `~/westside-app/.woodpecker.yaml`. Identical shape; deltas are limited to the four substitutions above plus the AC-mandated clone retry. Same kaniko plugin version (`woodpeckerci/plugin-kaniko:2.3.0`), same Harbor internal registry, same shared `update-kustomize-tag.sh` from `pal-e-platform/scripts/`, same secret names (`harbor_username`, `harbor_password`, `forgejo_token`). ## Test Plan - [x] YAML parses cleanly: `python3 -c "import yaml; yaml.safe_load(open('.woodpecker.yaml'))"` - [x] All 3 steps + clone step parse with expected names - [x] Triggers parse: push/main, pull_request, manual - [ ] Manual: enable repo in Woodpecker UI (one-time, post-merge) - [ ] Manual: push triggers full 4-step pipeline; image lands at `harbor.tail5b443a.ts.net/westside-admin/app:<sha>` - [ ] Manual: PR triggers only validate - [ ] Manual: pal-e-deployments overlay receives tag-bump commit ## Secret-Name Audit References three Woodpecker secrets: `harbor_username`, `harbor_password`, `forgejo_token` (all global, shared with westside-app). Per ticket #65's PR, the `westside-admin-ci` Harbor robot was provisioned. If Woodpecker stores per-repo Harbor secrets under different names, `from_secret:` references need updating before first run. Verify via `mcp__woodpecker__list_repo_secrets` after enabling. ## Discovered Scope None new. Repo-enable in Woodpecker is a one-time manual step already noted in issue #8. ## Review Checklist - [x] YAML parse-validated (`python3 -c "import yaml; yaml.safe_load(...)"`) - [x] Sibling-pattern fidelity vs `~/westside-app/.woodpecker.yaml` verified - [x] Harbor repo path matches `feedback_harbor_project_naming` (service key, not owner namespace) - [x] `failure: ignore` on tag-bump step per issue AC - [x] Clone retry per issue AC - [x] No Dockerfile or scaffold source modified (out of scope per #7) - [ ] Repo enabled in Woodpecker UI (post-merge) - [ ] First successful pipeline run observed - [ ] First image visible in Harbor at `westside-admin/app:<sha>` ## Related Notes - `feedback_harbor_project_naming` — drives Harbor repo path (`westside-admin/app`, not `forgejo_admin/westside-admin`) - `feedback_yaml_parse_validation` — drives the parse-validate gate - `feedback_woodpecker_quote_heavy_scripts` — applied where wget retry needed `$$i` escaping - `arch-deployment-westside-admin` — architecture component this CI feeds - `project-westside-admin` — parent project - Sibling reference: `~/westside-app/.woodpecker.yaml` - Shared script: `pal-e-platform/scripts/update-kustomize-tag.sh` ## Related - Forgejo issue: forgejo_admin/westside-admin#8 - story: admin-row-crud - arch: ci-pipeline Closes #8

forgejo_admin added 1 commit 2026-04-27 20:13:22 +00:00

ci: add .woodpecker.yaml for kaniko build + Harbor push + tag bump ... 839ffb01a4

Mirrors the established westside-app pipeline pattern with admin-specific
substitutions:

- Harbor repo: westside-admin/app (per feedback_harbor_project_naming)
- Kustomize OVERLAY: westside-admin
- update-kustomize-tag has failure:ignore (image already pushed; tag bump
  is best-effort and re-runnable)
- Clone step has 5-attempt retry per issue AC

Closes #8

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

forgejo_admin referenced this pull request 2026-04-27 20:13:27 +00:00

.woodpecker.yaml: kaniko build → Harbor → kustomize tag bump #8

forgejo_admin referenced this pull request 2026-04-27 20:14:55 +00:00

docker: multi-stage Dockerfile for adapter-node runtime #10

forgejo_admin commented 2026-04-27 20:16:11 +00:00

Author

Owner

Copy link

PR #11 Review

DOMAIN REVIEW

Stack: Woodpecker CI YAML (kaniko -> Harbor -> kustomize tag bump in pal-e-deployments). Single-file PR, +80 lines.

YAML parse: Confirmed via structural read of /tmp/westside-admin-ci/.woodpecker.yaml. Valid shape. Per feedback_woodpecker_quote_heavy_scripts, the two multi-line - | blocks (clone retry loop, wget retry loop) use simple shell with $$i escaping for Woodpecker var-interpolation; no nested quote hazards.

Sibling fidelity vs ~/westside-app/.woodpecker.yaml: High. Acceptable deltas confirmed:

• repo: westside-admin/app (sibling: westsidekingsandqueens/app) — matches feedback_harbor_project_naming (service-key prefix).
• OVERLAY: "westside-admin" (sibling: westsidekingsandqueens).
• failure: ignore on tag-bump step — matches AC and recent platform fix (commit 1d54939 pattern).
• 5-attempt git-fetch retry in clone (sibling lacks this) — matches AC.
• Same kaniko 2.3.0, same internal Harbor registry, same secret names.

BLOCKERS

None on the YAML itself. The file is correct.

NITS / OPERATIONAL GAPS (post-merge gates, not code blockers)

1. Secret provisioning gap (HIGHEST RISK). Verified via mcp__woodpecker__list_global_secrets and mcp__woodpecker__list_repo_secrets for forgejo_admin/westside-app:

   • Globals available: forgejo_user, forgejo_password, forgejo_url, forgejo_publish_user, forgejo_publish_token, forgejo_pypi_url. No harbor_* globals, no forgejo_token global.
   • westside-app repo secrets: harbor_username, harbor_password, forgejo_token — these are repo-scoped, not global. The PR body's claim that they are "global Woodpecker secrets per dev report" is incorrect.
   • Implication for westside-admin: When the new repo is enabled in Woodpecker, the same three secrets MUST be created at the repo level (or promoted to org/global) before the first push. Otherwise the build-and-push step will fail with auth error and the update-kustomize-tag step will fail to download the script.
   • This is not a YAML bug — the YAML is right. It is a provisioning gate that must be done at repo-enable time.

2. OVERLAY directory must exist. update-kustomize-tag.sh exits 1 if overlays/westside-admin/prod/kustomization.yaml is missing in forgejo_admin/pal-e-deployments. The header comment in pal-e-platform/scripts/woodpecker-update-tag-step.yaml enumerates known overlays and westside-admin is NOT listed. Because the step has failure: ignore, this won't block the pipeline (image still pushes), but ArgoCD won't pick up new tags until the overlay exists. Track as discovered scope: "create overlays/westside-admin/prod in pal-e-deployments."

3. Repo-enable required. Confirmed forgejo_admin/westside-admin is NOT in the Woodpecker active-repos list. One-time manual enable required post-merge (already noted in PR body).

4. (Style nit) ${CI_REPO} in the clone URL may double-encode if repo name has unusual chars; not an issue here.

SOP COMPLIANCE

• Branch named 8-woodpecker-yaml (issue-number-kebab purpose)
• PR body has Summary / Changes / Test Plan / Related sections
• Closes #8 + story:admin-row-crud + arch:ci-pipeline traced
• No secrets committed
• YAML parse-validated per feedback_yaml_parse_validation
• Quote-heavy script convention followed per feedback_woodpecker_quote_heavy_scripts
• Single-file scope, no creep

PROCESS OBSERVATIONS

• Strong sibling-pattern reuse — minimal divergence risk. DF impact: positive (new service onto established CI lane).
• Two operational predecessors must land before first green run: (a) repo enabled in Woodpecker UI + 3 secrets created, (b) overlays/westside-admin/prod/ created in pal-e-deployments. Recommend filing both as immediate follow-up tickets so they are not lost.
• PR body asserts the secrets are global. Verified false — they are repo-scoped on westside-app. Update PR body or recordkeeping to avoid future agent confusion.

VERDICT: APPROVED

The YAML is correct and matches the established westside-app pattern with the AC-mandated deltas. Merge is safe. The two post-merge gates (secret creation, overlay creation) are operational, not code defects, but they MUST be completed before the first push to main can produce a deployed image.

## PR #11 Review ### DOMAIN REVIEW **Stack:** Woodpecker CI YAML (kaniko -> Harbor -> kustomize tag bump in pal-e-deployments). Single-file PR, +80 lines. **YAML parse:** Confirmed via structural read of `/tmp/westside-admin-ci/.woodpecker.yaml`. Valid shape. Per `feedback_woodpecker_quote_heavy_scripts`, the two multi-line `- |` blocks (clone retry loop, wget retry loop) use simple shell with `$$i` escaping for Woodpecker var-interpolation; no nested quote hazards. **Sibling fidelity vs `~/westside-app/.woodpecker.yaml`:** High. Acceptable deltas confirmed: - `repo: westside-admin/app` (sibling: `westsidekingsandqueens/app`) — matches `feedback_harbor_project_naming` (service-key prefix). - `OVERLAY: "westside-admin"` (sibling: `westsidekingsandqueens`). - `failure: ignore` on tag-bump step — matches AC and recent platform fix (commit 1d54939 pattern). - 5-attempt git-fetch retry in clone (sibling lacks this) — matches AC. - Same kaniko `2.3.0`, same internal Harbor registry, same secret names. ### BLOCKERS None on the YAML itself. The file is correct. ### NITS / OPERATIONAL GAPS (post-merge gates, not code blockers) 1. **Secret provisioning gap (HIGHEST RISK).** Verified via `mcp__woodpecker__list_global_secrets` and `mcp__woodpecker__list_repo_secrets` for `forgejo_admin/westside-app`: - **Globals available:** `forgejo_user`, `forgejo_password`, `forgejo_url`, `forgejo_publish_user`, `forgejo_publish_token`, `forgejo_pypi_url`. **No `harbor_*` globals, no `forgejo_token` global.** - **westside-app repo secrets:** `harbor_username`, `harbor_password`, `forgejo_token` — these are **repo-scoped, not global**. The PR body's claim that they are "global Woodpecker secrets per dev report" is incorrect. - **Implication for westside-admin:** When the new repo is enabled in Woodpecker, the same three secrets MUST be created at the repo level (or promoted to org/global) before the first push. Otherwise the build-and-push step will fail with auth error and the update-kustomize-tag step will fail to download the script. - This is not a YAML bug — the YAML is right. It is a provisioning gate that must be done at repo-enable time. 2. **OVERLAY directory must exist.** `update-kustomize-tag.sh` exits 1 if `overlays/westside-admin/prod/kustomization.yaml` is missing in `forgejo_admin/pal-e-deployments`. The header comment in `pal-e-platform/scripts/woodpecker-update-tag-step.yaml` enumerates known overlays and `westside-admin` is NOT listed. Because the step has `failure: ignore`, this won't block the pipeline (image still pushes), but ArgoCD won't pick up new tags until the overlay exists. Track as discovered scope: "create overlays/westside-admin/prod in pal-e-deployments." 3. **Repo-enable required.** Confirmed `forgejo_admin/westside-admin` is NOT in the Woodpecker active-repos list. One-time manual enable required post-merge (already noted in PR body). 4. (Style nit) `${CI_REPO}` in the clone URL may double-encode if repo name has unusual chars; not an issue here. ### SOP COMPLIANCE - [x] Branch named `8-woodpecker-yaml` (issue-number-kebab purpose) - [x] PR body has Summary / Changes / Test Plan / Related sections - [x] Closes #8 + story:admin-row-crud + arch:ci-pipeline traced - [x] No secrets committed - [x] YAML parse-validated per `feedback_yaml_parse_validation` - [x] Quote-heavy script convention followed per `feedback_woodpecker_quote_heavy_scripts` - [x] Single-file scope, no creep ### PROCESS OBSERVATIONS - Strong sibling-pattern reuse — minimal divergence risk. DF impact: positive (new service onto established CI lane). - Two operational predecessors must land before first green run: (a) repo enabled in Woodpecker UI + 3 secrets created, (b) `overlays/westside-admin/prod/` created in `pal-e-deployments`. Recommend filing both as immediate follow-up tickets so they are not lost. - PR body asserts the secrets are global. Verified false — they are repo-scoped on westside-app. Update PR body or recordkeeping to avoid future agent confusion. ### VERDICT: APPROVED The YAML is correct and matches the established westside-app pattern with the AC-mandated deltas. Merge is safe. The two post-merge gates (secret creation, overlay creation) are operational, not code defects, but they MUST be completed before the first push to main can produce a deployed image.

forgejo_admin merged commit 9d33f04309 into main 2026-04-28 04:35:30 +00:00

forgejo_admin deleted branch 8-woodpecker-yaml 2026-04-28 04:35:30 +00:00

forgejo_admin referenced this pull request from a commit 2026-04-28 04:35:31 +00:00

ci: add .woodpecker.yaml (kaniko → Harbor → kustomize tag bump) (#11)

forgejo_admin referenced this pull request 2026-04-30 12:23:17 +00:00

ci: assert on adapter-node artifacts in validate smoke check #13

forgejo_admin referenced this pull request 2026-05-03 15:24:04 +00:00

feat(auth): keycloak.ts SSR auth lib + vitest setup #18

forgejo_admin referenced this pull request 2026-05-03 15:56:09 +00:00

CI: wire vitest into .woodpecker.yaml so #14's lib tests run on every PR #19

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo_admin/westside-admin!11

No description provided.