feat: activate Woodpecker CI pipeline #21

Merged
forgejo_admin merged 1 commit from 3-activate-ci into main 2026-03-26 03:47:21 +00:00

Summary

Replace the outdated .woodpecker.yml with a .woodpecker.yaml that follows current platform CI patterns. The new pipeline uses the internal Forgejo clone URL, runs tests and svelte-check on all events, and builds/pushes to Harbor via kaniko on main pushes.

Changes

  • Deleted .woodpecker.yml (v1 syntax, no tests, no clone block, used plugins/docker)
  • Added .woodpecker.yaml with:
    • Internal clone via forgejo-http.forgejo.svc.cluster.local
    • Test step: npm ci, svelte-check, vitest run, vite build
    • Build step: kaniko push to harbor.harbor.svc.cluster.local (westside-contracts/app)
    • Triggers: push to main, pull_request, manual

Test Plan

  • [x] All 12 vitest tests pass locally
  • [ ] After merge, push to main triggers Woodpecker pipeline
  • [ ] Pipeline runs: clone, test, build-and-push
  • [ ] Image appears in Harbor under westside-contracts/app

Review Checklist

  • [x] No secrets committed
  • [x] No unnecessary file changes
  • [x] Commit messages are descriptive
  • [x] YAML validated

Related

  • Closes #3
  • Plan: plan-wkq Phase 14
Replace outdated .woodpecker.yml with .woodpecker.yaml using current
platform patterns: internal clone URL, kaniko for image builds, test
step with svelte-check + vitest, PR/push/manual triggers.

Closes #3

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Author
Owner

Review: LGTM

Files reviewed: .woodpecker.yaml (new), .woodpecker.yml (deleted)

What changed

Old .woodpecker.yml replaced with .woodpecker.yaml following current platform CI patterns (westside-app, mcd-tracker-app).

Verified

  • Clone block uses internal Forgejo URL -- matches westside-app pattern
  • node:20-alpine matches Dockerfile base image
  • Test step runs all four commands: npm ci, svelte-check, vitest, vite build
  • Kaniko build uses in-cluster Harbor registry with insecure: true
  • Harbor repo path westside-contracts/app is correct
  • Triggers: push/main, PR, manual -- build-and-push restricted to main only
  • Secrets reference harbor_username/harbor_password (platform standard)
  • Old config issues fixed: plugins/docker (needs Docker socket), external registry URL, bash-syntax SHA truncation, no tests, no clone block

No issues found

0 blocking, 0 nits.

Author
Owner

PR #21 Review

DOMAIN REVIEW

Tech stack: Woodpecker CI YAML (v2 syntax), kaniko image build, SvelteKit/Node.js test pipeline.

Clone block: Uses internal Forgejo URL (http://forgejo-http.forgejo.svc.cluster.local:80/) with sleep 2 + shallow fetch. Matches the platform-standard clone pattern used by westside-app, pal-e-mail, minio-api, and basketball-api.

Test step: Runs npm ci, npm run check (svelte-check), npm test (vitest run), npm run build (vite build). All four commands align with the package.json scripts. The step runs on push, pull_request, and manual events -- correct.

Build step: Uses woodpeckerci/plugin-kaniko:2.3.0 with internal Harbor registry (harbor.harbor.svc.cluster.local), insecure: true for in-cluster HTTP, SHA-only tags (immutable, good), and secrets via from_secret. Gated to push + manual on main only -- correct.

Node version consistency: Pipeline uses node:20-alpine, matching the Dockerfile. Consistent.

Comparison with platform peers: The pipeline matches the most current pattern (westside-app, pal-e-mail). The older repos (mcd-tracker-app, minio-api) still use external Harbor URLs and lack clone blocks -- this PR follows the newer, correct pattern.

ArgoCD path exclude: Not needed -- westside-contracts has no k8s/ directory or .argocd-source-* files. Deployments are in pal-e-deployments (kustomize overlays), so no infinite pipeline loop risk.

Old pipeline removal: The deleted .woodpecker.yml used v1 syntax, plugins/docker (not kaniko), external Harbor URL (harbor.tail5b443a.ts.net), latest tag (mutable), no clone block, and no test step. All of these are correctly replaced.

BLOCKERS

None.

This is a CI pipeline configuration change, not new application functionality. The BLOCKER criteria around test coverage apply to new features/logic, not to CI YAML that configures an existing test suite. The pipeline itself runs the existing 12 vitest tests.

NITS

  1. Unused BUILD_SHA build arg (line 35-36): The pipeline passes BUILD_SHA=${CI_COMMIT_SHA} as a build arg, but the Dockerfile has no ARG BUILD_SHA declaration and does not use it. This is harmless (kaniko ignores unused args) but is dead configuration. Note: westside-app has the same pattern, so this appears to be a platform-wide template artifact. Consider filing a cleanup issue to either add ARG BUILD_SHA to Dockerfiles that want it, or remove it from pipelines that don't use it.

SOP COMPLIANCE

  • Branch named after issue (3-activate-ci references issue #3)
  • PR body has: Summary, Changes, Test Plan, Related
  • Related references plan slug (plan-wkq Phase 14) and closes #3
  • No secrets committed (Harbor creds use from_secret)
  • No unnecessary file changes (2 files: delete old YAML, add new YAML)
  • Commit messages are descriptive

PROCESS OBSERVATIONS

Deployment Frequency: Activating CI is a direct DORA enabler. This repo previously had no test step in CI -- every push to main went straight to image build without validation. This PR closes that gap by gating on svelte-check + vitest + vite build before any image push.

Change Failure Rate: The test gate (svelte-check + vitest + build) on PRs means broken code will be caught before merge. The 12 existing tests now run in CI on every PR, which is a meaningful quality gate for a contract-signing application handling sensitive data.

Lead Time: The pipeline follows the standard pattern, so no unique operational overhead. Clone + test + build should complete in under 3 minutes for this repo size.

VERDICT: APPROVED

forgejo_admin deleted branch 3-activate-ci 2026-03-26 03:47:21 +00:00
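
The unused BUILD_SHA nit raised in the review can be turned into a repeatable check that compares the build args a pipeline passes with the ARG declarations and references in the Dockerfile, including Docker's per-stage ARG scoping. This is an added example, not code from the PR or the platform; the function names, the sample Dockerfile and the build-arg values are constructed for illustration.

```python
import re

# Proxy args Docker predefines; passing them needs no ARG declaration.
PREDEFINED = {"HTTP_PROXY", "HTTPS_PROXY", "FTP_PROXY", "NO_PROXY", "ALL_PROXY"}

def instructions(dockerfile_text):
    """Yield (INSTRUCTION, arguments), joining backslash line continuations."""
    joined = re.sub(r"\\[ \t]*\r?\n", " ", dockerfile_text)
    for line in joined.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0].upper(), parts[1] if len(parts) > 1 else ""

def audit_build_args(build_args, dockerfile_text):
    """Map each NAME=value build arg to used / declared-unused / undeclared."""
    global_args, stage_args = set(), set()  # ARGs before the first FROM / in this stage
    declared, used, in_stage = set(), set(), False
    for instr, rest in instructions(dockerfile_text):
        # Global ARGs are visible only in FROM lines; stage ARGs only after declaration.
        visible = global_args if instr == "FROM" else stage_args
        used |= {n for n in visible if re.search(r"\$\{?" + re.escape(n) + r"\b", rest)}
        if instr == "FROM":
            in_stage, stage_args = True, set()  # each FROM starts a fresh ARG scope
        elif instr == "ARG":
            names = {tok.split("=", 1)[0] for tok in rest.split()}
            (stage_args if in_stage else global_args).update(names)
            declared |= names
    report = {}
    for arg in build_args:
        name = arg.split("=", 1)[0]
        if name.upper() in PREDEFINED:
            report[name] = "predefined"
        elif name in used:
            report[name] = "used"
        else:
            report[name] = "declared-unused" if name in declared else "undeclared"
    return report

# Constructed sample inputs (not the repository's real Dockerfile or pipeline values).
DOCKERFILE = """\
FROM node:20-alpine
ARG APP_VERSION=dev
COPY . .
RUN npm ci && npm run build
ENV PUBLIC_VERSION=${APP_VERSION}
"""
BUILD_ARGS = ["BUILD_SHA=0123abc", "APP_VERSION=1.2.3"]
print(audit_build_args(BUILD_ARGS, DOCKERFILE))
```

An `undeclared` or `declared-unused` result marks a build arg that has no effect on the image and can be dropped from the pipeline, or wired into the Dockerfile if the value is wanted.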
Reference
forgejo_admin/westside-contracts!21