fix(ci): switch Woodpecker image push to internal Harbor URL #5

Closed
opened 2026-04-21 01:27:26 +00:00 by forgejo_admin · 1 comment
Contributor

Type

Bug

Lineage

Standalone — surfaced during deploy scoping for project-notion-mcp-remote. SOP violation identified by cross-referencing .woodpecker.yaml against service-onboarding-sop → Pre-Deploy Validation Checklist row "CI registry URL".

Repo

forgejo_admin/notion-mcp-remote

What Broke

.woodpecker.yaml:15 pushes images to harbor.tail5b443a.ts.net (the external Tailscale-routed URL). SOP requires the internal cluster URL (harbor-core.harbor.svc.cluster.local). External URL routes through the Tailscale DERP relay and is unreliable from inside the cluster — causes intermittent CI failures on image push.

Offending snippet:

build-and-push:
  image: woodpeckerci/plugin-kaniko:2.3.0
  settings:
    registry: harbor.tail5b443a.ts.net
    repo: notion-mcp-remote/notion-mcp-remote

Repro Steps

  1. Push to main on notion-mcp-remote
  2. Observe the build-and-push step attempt to push to harbor.tail5b443a.ts.net
  3. On a bad Tailscale DERP day, push hangs or times out

Expected Behavior

Pipeline pushes the image to harbor-core.harbor.svc.cluster.local (or $HARBOR_INTERNAL env var if defined on the Woodpecker agent). No references to the external Harbor URL in .woodpecker.yaml. SOP-compliant behavior.

Environment

  • Cluster/namespace: pre-prod (service not yet deployed)
  • Service version/commit: 837e2f2 (main HEAD)
  • Related alerts: none — latent until first prod pipeline run

Acceptance Criteria

  • .woodpecker.yaml registry value is harbor-core.harbor.svc.cluster.local (or $HARBOR_INTERNAL)
  • No occurrences of harbor.tail5b443a.ts.net in .woodpecker.yaml
  • A test pipeline run on a branch successfully pushes an image to Harbor
  • No regression in lint/test steps

Related

  • project-notion-mcp-remote
  • service-onboarding-sop (Pre-Deploy Validation Checklist → "CI registry URL" row)
  • story-notion-mcp-remote-ops-deploy-gitops
Author
Contributor

Scope Review: APPROVED

Review note: review-1042-2026-04-21

Scope is solid: bug template complete, .woodpecker.yaml file target verified, SOP violation confirmed against service-onboarding-sop → Pre-Deploy Validation → "CI registry URL" row. Single-file, single-line fix with testable ACs. Ready to advance from backlog to next_up.

Minor notes for the implementing agent (non-blocking):

  • Line reference in "What Broke" says .woodpecker.yaml:15; the actual offending line is :22 (the quoted snippet makes the target unambiguous).
  • k8s/deployment.yaml:23 also references the external Harbor URL, but that's the runtime image pull — out of scope for this CI-push bug. Do NOT expand scope; file a separate ticket if that needs changing.
  • AC3 assumes the Woodpecker agent runs inside the cluster (can resolve harbor-core.harbor.svc.cluster.local). If it runs externally, fall back to $HARBOR_INTERNAL env var as already noted in Expected Behavior.
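
A content-based check for the issue's first two acceptance criteria, keyed on the `registry:` setting rather than a line number (added example, not part of the issue or the repository; the function names, the constructed sample files and the accepted `${HARBOR_INTERNAL}` spelling are assumptions). It covers `.woodpecker.yaml` only, matching the scope set in the review.

```shell
#!/bin/sh
# Added example: content-based check for the issue's "CI registry URL" criteria.
INTERNAL_REGISTRY='harbor-core.harbor.svc.cluster.local'   # from the issue
EXTERNAL_REGISTRY='harbor.tail5b443a.ts.net'               # from the issue

# check_registry FILE: 0 = compliant, 1 = violation found, 2 = unreadable file.
check_registry() {
  file=$1
  rc=0
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  # Criterion 2: the external host must not appear anywhere, comments included.
  if grep -nF -- "$EXTERNAL_REGISTRY" "$file" >&2; then
    echo "FAIL: external Harbor URL referenced in $file" >&2
    rc=1
  fi
  # Criterion 1: every `registry:` value is the internal host or the env var.
  # Matching on the key, not a line number, survives edits that shift lines.
  values=$(sed -n '/^[[:space:]]*registry:/{
    s/^[[:space:]]*registry:[[:space:]]*//
    s/[[:space:]]*#.*$//
    s/[[:space:]]*$//
    p
  }' "$file" | tr -d "\"'")
  while IFS= read -r value; do
    case $value in
      "$INTERNAL_REGISTRY"|'$HARBOR_INTERNAL'|'${HARBOR_INTERNAL}') ;;
      *) echo "FAIL: registry '$value' not allowed (empty = missing)" >&2; rc=1 ;;
    esac
  done <<EOF
$values
EOF
  return "$rc"
}

# write_sample DIR REGISTRY: constructed pipeline file shaped like the snippet.
write_sample() {
  mkdir -p "$1" && cat > "$1/.woodpecker.yaml" <<EOF
build-and-push:
  image: woodpeckerci/plugin-kaniko:2.3.0
  settings:
    registry: $2
    repo: notion-mcp-remote/notion-mcp-remote
EOF
}

# Run as: sh check_registry.sh path/to/.woodpecker.yaml
[ "$#" -eq 0 ] || check_registry "$1"
```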
forgejo_admin 2026-04-22 11:46:11 +00:00