From 03f0efcdff6a8827ad9c23850dcfef127fd2c179 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Thu, 4 Jun 2026 19:32:02 +0000 Subject: [PATCH] =?UTF-8?q?ci:=20auto-deploy=20on=20push=20(owned-app=20mo?= =?UTF-8?q?del)=20=E2=80=94=20no=20more=20manual=20kubectl=20set=20image?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adopt the documented owned-app deploy model (infra CLAUDE.md, ref tuya_bridge/.woodpecker.yml): build.yml now tags the image with the 8-char commit SHA (alongside :latest) and adds a `deploy` step that `kubectl set image`s the deployment to that SHA tag + waits for rollout. A unique SHA tag forces a fresh pull under the deployment's imagePullPolicy: IfNotPresent (a re-pushed :latest would not). The woodpecker-agent SA is cluster-admin so the in-cluster kubectl needs no kubeconfig; Keel stays enrolled as a redundant net. Also stop deploy.yml firing on push: it's a manual-only targeted-deploy tool now. Its IMAGE_TAG-absent exit-78 used to mark the whole push pipeline red (build.yml + deploy.yml are workflows in one pipeline run), masking real build/deploy status. Removes the manual deploy step the recall fix required. Co-Authored-By: Claude Opus 4.8
---
 .woodpecker/build.yml | 22 +++++++++++++++++++++-
 .woodpecker/deploy.yml | 6 +++++-
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/.woodpecker/build.yml b/.woodpecker/build.yml
index 81aa45f..a675f4a 100644
--- a/.woodpecker/build.yml
+++ b/.woodpecker/build.yml
@@ -59,6 +59,26 @@ steps:
 from_secret: forgejo_push_token
 dockerfile: docker/Dockerfile
 context: .
- auto_tag: true
+ # Tag :latest AND the 8-char commit SHA. The SHA tag is what the deploy
+ # step pins — a unique tag forces a fresh pull under the deployment's
+ # imagePullPolicy: IfNotPresent (a re-pushed :latest would not).
+ tags:
+ - "latest"
+ - "${CI_COMMIT_SHA:0:8}"
 platforms:
 - linux/amd64
+
+ - name: deploy
+ image: bitnami/kubectl:latest
+ depends_on:
+ - build-and-push
+ when:
+ branch: [main, master]
+ event: [push, manual]
+ # Owned-app deploy model (infra CLAUDE.md): the build pipeline drives the
+ # rollout, so a push self-deploys — no manual `kubectl set image`. The
+ # woodpecker-agent SA is cluster-admin, so the in-cluster kubectl needs no
+ # kubeconfig. Keel stays enrolled as a redundant net.
+ commands:
+ - "kubectl set image deployment/claude-memory claude-memory=forgejo.viktorbarzin.me/viktor/claude-memory-mcp:${CI_COMMIT_SHA:0:8} -n claude-memory"
+ - "kubectl rollout status deployment/claude-memory -n claude-memory --timeout=300s"
diff --git a/.woodpecker/deploy.yml b/.woodpecker/deploy.yml
index 07bf214..0b32588 100644
--- a/.woodpecker/deploy.yml
+++ b/.woodpecker/deploy.yml
@@ -1,5 +1,9 @@
+# Manual-only targeted deploy of a specific tag (set IMAGE_NAME + IMAGE_TAG).
+# Push-driven deploys are handled by build.yml's deploy step now; this no longer
+# fires on push (its IMAGE_TAG-absent exit-78 used to red every push pipeline,
+# since build.yml + deploy.yml are workflows in the same pipeline run).
 when:
- - event: [manual, push]
+ - event: manual
 steps:
 - name: check-vars
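Review bot: The new `deploy` step pulls `image: bitnami/kubectl:latest`, a mutable tag, and by the hunk's own comment it runs under a cluster-admin service account, so whatever that tag resolves to at run time executes with full control of the cluster. Pin the image to a fixed version and digest, e.g. `image: bitnami/kubectl:<version>@sha256:<digest>` (placeholders), and bump it deliberately. Separately, `kubectl set image` plus `kubectl rollout status` on one deployment should need little more than get/list/watch/patch on deployments in the `claude-memory` namespace, so a namespaced Role bound to a dedicated service account would shrink the blast radius of this step; that binding lives outside this diff. The rollout also pins the 8-char SHA tag rather than the pushed image digest, which still trusts the registry not to have that tag overwritten.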
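Review bot: The rewritten `when` in deploy.yml is `- event: manual` with no branch filter, while the deploy step added to build.yml is limited to `branch: [main, master]`; as far as this hunk shows, a manual run from any branch can drive this workflow with the same agent credentials. If that is not intended, add `branch: [main, master]` under the same `when` entry. The steps list (starting at `check-vars`) continues outside the hunk, so whether IMAGE_NAME and IMAGE_TAG are validated before they reach kubectl cannot be confirmed from here; they should be checked against the expected registry and repository pattern rather than only for presence.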