.woodpecker.yaml: kaniko build → Harbor → kustomize tag bump #8

Closed
opened 2026-04-25 22:02:11 +00:00 by forgejo_admin · 3 comments

Type

Task

Lineage

Hard depends on forgejo_admin/westside-admin#6 (scaffolding — needs package.json + buildable code), #7 (Dockerfile — kaniko needs something to build), and forgejo_admin/pal-e-services#<NEW> (service onboarding — provisions the Harbor project + CI robot account this pipeline pushes to). Without service onboarding, kaniko has no project to push to.

Repo

forgejo_admin/westside-admin

User Story

story-westside-admin-admin-row-crud. Foundational — without CI, no deploys.

Context

Mirror the proven 4-step pipeline from ~/westside-app/.woodpecker.yaml: clone (cluster-internal forgejo URL with retry), validate (npm ci + check + build), build-and-push (kaniko → harbor.harbor.svc.cluster.local), update-kustomize-tag (wgets shared script from pal-e-platform, updates tag in pal-e-deployments).

ArgoCD watches pal-e-deployments and auto-syncs once the kustomize image tag changes. End result: push to main → image at harbor.tail5b443a.ts.net/westside-admin/app:<sha> → ArgoCD applies new tag → pod rolls.

Critical: Harbor project naming. Per feedback_harbor_project_naming and pal-e-services/terraform/services.tf: service key = Harbor project = image_repo prefix. westside-app uses repo: westsidekingsandqueens/app. westside-admin uses repo: westside-admin/app (NOT forgejo_admin/westside-admin — owner namespace is irrelevant). The westside-admin Harbor project is provisioned by the pal-e-services onboarding ticket above.

Scope

Create .woodpecker.yaml mirroring the structure of ~/westside-app/.woodpecker.yaml with these specifics:

  • Triggers: push to main (full pipeline), PR (clone + validate only), manual (full pipeline)
  • Step 1 — clone: alpine/git image, fetch from forgejo-http.forgejo.svc.cluster.local:80 with 5-attempt retry
  • Step 2 — validate: node:22-alpine, runs npm ci && npm run check && npm run build
  • Step 3 — build-and-push: woodpeckerci/plugin-kaniko:2.3.0 plugin, registry harbor.harbor.svc.cluster.local, repo: westside-admin/app, tags: ${CI_COMMIT_SHA}, uses existing global secrets harbor_username / harbor_password. Runs only on push to main + manual.
  • Step 4 — update-kustomize-tag: alpine/git:latest, env OVERLAY=westside-admin and IMAGE_TAG=${CI_COMMIT_SHA}, wgets https://forgejo-http.forgejo.svc.cluster.local:80/forgejo_admin/pal-e-platform/raw/branch/main/scripts/update-kustomize-tag.sh with 5-attempt retry, then runs it. Add failure: ignore per Woodpecker pipeline syntax so a failed kustomize tag bump does NOT mark the pipeline as failed (the image is already pushed; tag bump is best-effort and can be re-run).

YAML must parse-validate per feedback_yaml_parse_validation: run python -c "import yaml; yaml.safe_load(open('.woodpecker.yaml'))" before commit.

After merge: enable the repo in Woodpecker (one-time operation via Woodpecker UI or mcp__woodpecker__* tools), trigger manually to verify all 4 steps succeed.
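A candidate .woodpecker.yaml covering the four steps above, added here as an illustration; it is neither the file from PR #11 nor the westside-app sibling. The pipeline-level when/skip_clone layout, the plugin setting names (registry, repo, tags, username, password), the retry loops, the http scheme on the clone URL and the use of ${CI_REPO} are assumptions to confirm against ~/westside-app/.woodpecker.yaml.

```yaml
when:                               # pipeline-level: PRs get clone + validate only
  - event: [push, manual]
    branch: main
  - event: pull_request
skip_clone: true                    # default clone replaced by the retrying step below
steps:
  - name: clone
    image: alpine/git
    commands:
      - |
        for i in 1 2 3 4 5; do
          git clone "http://forgejo-http.forgejo.svc.cluster.local:80/${CI_REPO}.git" . \
            && git checkout "${CI_COMMIT_SHA}" && break
          echo "clone attempt $i failed"; [ "$i" = 5 ] && exit 1; sleep 5
        done
  - name: validate
    image: node:22-alpine
    commands:
      - npm ci && npm run check && npm run build
  - name: build-and-push
    image: woodpeckerci/plugin-kaniko:2.3.0
    settings:
      registry: harbor.harbor.svc.cluster.local
      repo: westside-admin/app        # Harbor project = service key, not the Forgejo owner
      tags: ${CI_COMMIT_SHA}          # full SHA, not short
      username:
        from_secret: harbor_username  # global Woodpecker secret, never inline
      password:
        from_secret: harbor_password
    when:
      - event: [push, manual]
        branch: main
  - name: update-kustomize-tag
    image: alpine/git:latest
    failure: ignore                   # image is already pushed; tag bump is best-effort, re-runnable
    environment:
      OVERLAY: westside-admin
      IMAGE_TAG: ${CI_COMMIT_SHA}
      SCRIPT_URL: https://forgejo-http.forgejo.svc.cluster.local:80/forgejo_admin/pal-e-platform/raw/branch/main/scripts/update-kustomize-tag.sh
    commands:
      - |
        for i in 1 2 3 4 5; do
          wget -O update-kustomize-tag.sh "$SCRIPT_URL" && break
          echo "download attempt $i failed"; [ "$i" = 5 ] && exit 1; sleep 5
        done
      - sh ./update-kustomize-tag.sh
    when:
      - event: [push, manual]
        branch: main
```

The step-level when blocks are what keep steps 3 and 4 off pull_request runs; the pipeline-level when only decides whether the pipeline starts at all.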

Acceptance Criteria

  • On push to main: clone → validate → build → push → update-kustomize-tag steps all run
  • On PR: only clone + validate run (NO build, NO push, NO tag bump)
  • On manual trigger: full pipeline runs
  • Image tag = ${CI_COMMIT_SHA} (full SHA, not short)
  • Image name in registry: harbor.tail5b443a.ts.net/westside-admin/app:<sha> (project = westside-admin, NOT forgejo_admin)
  • update-kustomize-tag step downloads shared script with 5-attempt retry
  • update-kustomize-tag has failure: ignore so a failure does NOT break the pipeline
  • OVERLAY env var = westside-admin
  • YAML parses cleanly via python -c "import yaml; yaml.safe_load(open('.woodpecker.yaml'))"

Test Expectations

  • Manual: push a no-op commit to main, watch full pipeline succeed
  • Manual: open a PR, verify only validate runs
  • Manual: confirm pal-e-deployments overlay receives a tag bump commit
  • Manual: confirm image visible in Harbor at westside-admin/app:<sha>

Constraints

  • Cluster-internal forgejo URL forgejo-http.forgejo.svc.cluster.local:80 for clone
  • kaniko plugin version: woodpeckerci/plugin-kaniko:2.3.0 (match westside-app)
  • Use existing global Woodpecker secrets harbor_username, harbor_password, forgejo_token — pal-e-services onboarding ticket ensures the new Harbor project accepts those creds
  • YAML parse-validated before commit
  • Harbor project = westside-admin (NOT forgejo_admin/westside-admin)

Checklist

  • PR opened
  • YAML parse-validated
  • First successful build observed in Woodpecker UI
  • First image visible in Harbor at correct path

Related

  • project-westside-admin
  • arch-deployment-westside-admin
  • feedback_harbor_project_naming (driving rule for image path)
  • Reference: ~/westside-app/.woodpecker.yaml
  • DEPENDS ON: #6 (scaffolding), #7 (Dockerfile), forgejo_admin/pal-e-services#<NEW> (service onboarding)
Author
Owner

Scope Review: NEEDS_REFINEMENT

Review note: review-1094-2026-04-25

Scope mirrors ~/westside-app/.woodpecker.yaml correctly, but a Harbor naming claim conflicts with the documented convention and will break kaniko push if shipped as written. Backing notes (story page, arch note) also missing.

Issues:

  • [BODY] Harbor project AC is wrong. Ticket says project = forgejo_admin "matches repo owner per feedback_harbor_project_naming." Convention (and pal-e-services/terraform/services.tf line 7) is service key = Harbor project = image_repo prefix — derived from image_repo, NOT repo owner. Reference westside-app uses repo: westsidekingsandqueens/app, not forgejo_admin/westside-app. Pick a service key (suggest westside-admin matching mcd-tracker-app precedent), set image_repo = "westside-admin/app", and use kaniko repo: westside-admin/app.
  • [BODY] update-kustomize-tag non-blocking behavior. Reference repo does NOT have explicit failure: ignore. Cited commit 1d54939 changed when-conditions on a different step, not failure tolerance for this step. Dev must add failure: ignore (or verify actual mechanism) — don't assume implicit.
  • [BODY] Missing dependency. Service-registry onboarding (new entry in pal-e-services/terraform/k3s.tfvars + tofu apply) is required before kaniko can push (provisions Harbor project + CI robot). Not mentioned in Lineage. Document as blocker or open sibling ticket.
  • [SCOPE] Story note missing. No project-westside-admin page found in pal-e-docs. Create the user-stories section, or confirm under different slug.
  • [SCOPE] Arch note missing. No arch-woodpecker-ci note exists. Either create it, or relabel board item to arch:deployment-westside-admin (matches the issue body's Related section).
  • [LABEL] Confirm arch label resolves to a real arch note before todo→next_up.

No decomposition needed — single-pass agent task once scope corrected.

Author
Owner

Scope Review v2: APPROVED

Review note: review-1094-2026-04-25-v2 (supersedes review-1094-2026-04-25 NEEDS_REFINEMENT)

All previously flagged issues resolved in the refined body:

  • Harbor project naming corrected to westside-admin/app (service-key prefix per services.tf:7 convention, NOT Forgejo owner)
  • failure: ignore explicit on update-kustomize-tag step
  • Service onboarding dependency named (pal-e-services#64, board #1098)
  • Arch label updated to canonical arch:ci-pipeline (per convention-architecture-ids)
  • Story + project page traceability verified (story-westside-admin-admin-row-crud listed in project-westside-admin user-stories)

Ready to advance backlog → todo. No further refinement needed.

Author
Owner

PR opened: https://forgejo.tail5b443a.ts.net/forgejo_admin/westside-admin/pulls/11

.woodpecker.yaml mirrors westside-app sibling pattern with admin-specific substitutions (westside-admin/app Harbor repo, westside-admin overlay, failure: ignore on tag bump, 5-attempt clone retry). YAML parse-validated.