ci: move image build off-infra to GHA -> ghcr (ADR-0002)

Generated by infra/scripts/offinfra-onboard: GHA builds+tests on the
GitHub mirror, pushes ghcr.io/viktorbarzin/claude-memory-mcp, then triggers the
Woodpecker deploy (repo 78). Old in-cluster build pipeline
removed: .woodpecker/build.yml .woodpecker/build-fallback.yml

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

.woodpecker/build-fallback.yml

@@ -1,42 +0,0 @@
-when:
-  - event: deployment
-
-clone:
-  git:
-    image: woodpeckerci/plugin-git
-    settings:
-      attempts: 5
-      backoff: 10s
-
-steps:
-  - name: test
-    image: python:3.12-slim
-    commands:
-      - pip install -e ".[api,dev]"
-      - ruff check src/ tests/
-      - pytest tests/ -v --tb=short
-
-  - name: build-and-push
-    image: woodpeckerci/plugin-docker-buildx
-    depends_on:
-      - test
-    settings:
-      username: viktorbarzin
-      password:
-        from_secret: dockerhub-token
-      repo: viktorbarzin/claude-memory-mcp
-      dockerfile: docker/Dockerfile
-      context: .
-      platforms:
-        - linux/amd64
-      tags:
-        - "${CI_PIPELINE_NUMBER}"
-        - latest
-
-  - name: deploy
-    image: bitnami/kubectl:latest
-    depends_on:
-      - build-and-push
-    commands:
-      - kubectl set image deployment/claude-memory claude-memory=viktorbarzin/claude-memory-mcp:${CI_PIPELINE_NUMBER} -n claude-memory
-      - kubectl rollout status deployment/claude-memory -n claude-memory --timeout=120s

.woodpecker/build.yml

@@ -1,84 +0,0 @@
-when:
-  event: push
-  branch: [main, master]
-
-clone:
-  git:
-    image: woodpeckerci/plugin-git
-    settings:
-      attempts: 5
-      backoff: 10s
-
-steps:
-  - name: test
-    image: python:3.12-slim
-    # The woodpecker ns LimitRange defaults containers to a 256Mi memory limit.
-    # `uv sync` + mypy over fastapi/pydantic/sqlalchemy needs far more, so the
-    # step was OOM-killed (exit 137) on every run since the 2026-05-07 Forgejo
-    # switch — repo never built. Pin explicit memory so it never OOMs again.
-    backend_options:
-      kubernetes:
-        resources:
-          requests:
-            cpu: 500m
-            memory: 1Gi
-          limits:
-            memory: 2Gi
-    commands:
-      - pip install --no-cache-dir uv
-      - uv sync --all-extras
-      - uv run ruff check src/ tests/
-      - uv run mypy src/claude_memory/
-      - uv run pytest tests/ -v --tb=short
-
-  - name: build-and-push
-    image: woodpeckerci/plugin-docker-buildx
-    depends_on:
-      - test
-    # buildx + image export also exceeds the 256Mi ns default; give it room.
-    backend_options:
-      kubernetes:
-        resources:
-          requests:
-            cpu: 500m
-            memory: 1Gi
-          limits:
-            memory: 2Gi
-    settings:
-      # Phase 4 of forgejo-registry-consolidation 2026-05-07 — Forgejo only.
-      # The DockerHub mirror stays as the public-facing release target via
-      # the GitHub `release.yml` workflow (still enabled), but the cluster
-      # pulls from Forgejo (infra/stacks/claude-memory/main.tf flipped 2026-05-07).
-      repo:
-        - forgejo.viktorbarzin.me/viktor/claude-memory-mcp
-      logins:
-        - registry: forgejo.viktorbarzin.me
-          username:
-            from_secret: forgejo_user
-          password:
-            from_secret: forgejo_push_token
-      dockerfile: docker/Dockerfile
-      context: .
-      # Tag :latest AND the 8-char commit SHA. The SHA tag is what the deploy
-      # step pins — a unique tag forces a fresh pull under the deployment's
-      # imagePullPolicy: IfNotPresent (a re-pushed :latest would not).
-      tags:
-        - "latest"
-        - "${CI_COMMIT_SHA:0:8}"
-      platforms:
-        - linux/amd64
-
-  - name: deploy
-    image: bitnami/kubectl:latest
-    depends_on:
-      - build-and-push
-    when:
-      branch: [main, master]
-      event: [push, manual]
-    # Owned-app deploy model (infra CLAUDE.md): the build pipeline drives the
-    # rollout, so a push self-deploys — no manual `kubectl set image`. The
-    # woodpecker-agent SA is cluster-admin, so the in-cluster kubectl needs no
-    # kubeconfig. Keel stays enrolled as a redundant net.
-    commands:
-      - "kubectl set image deployment/claude-memory claude-memory=forgejo.viktorbarzin.me/viktor/claude-memory-mcp:${CI_COMMIT_SHA:0:8} -n claude-memory"
-      - "kubectl rollout status deployment/claude-memory -n claude-memory --timeout=300s"

.woodpecker/deploy.yml

@@ -1,7 +1,9 @@
-# Manual-only targeted deploy of a specific tag (set IMAGE_NAME + IMAGE_TAG).
-# Push-driven deploys are handled by build.yml's deploy step now; this no longer
-# fires on push (its IMAGE_TAG-absent exit-78 used to red every push pipeline,
-# since build.yml + deploy.yml are workflows in the same pipeline run).
+# Auto-deploy, triggered ONLY by the GitHub Actions build POSTing to the
+# Woodpecker API (manual event, with IMAGE_TAG + IMAGE_NAME) after a successful
+# off-infra build+push to GHCR (ADR-0002). event:[manual] (NOT push) so the
+# Forgejo->GitHub mirror's raw pushes don't fire a spurious deploy.
+# The woodpecker-agent SA is cluster-admin — no kubeconfig needed.
+# Generated by infra/scripts/offinfra-onboard.
 when:
   - event: manual
 
@@ -9,11 +11,10 @@ steps:
   - name: check-vars
     image: alpine
     commands:
-      - "[ -n \"$IMAGE_TAG\" ] || (echo 'IMAGE_TAG not set, skipping deploy'; exit 78)"
+      - "[ -n \"$IMAGE_TAG\" ] || (echo 'IMAGE_TAG not set — refusing to deploy'; exit 1)"
 
   - name: deploy
     image: bitnami/kubectl:latest
     commands:
-      - "kubectl set image deployment/claude-memory claude-memory=${IMAGE_NAME}:${IMAGE_TAG} -n claude-memory"
-      - "kubectl rollout status deployment/claude-memory -n claude-memory --timeout=300s"
-
+      - "kubectl -n claude-memory set image deployment/claude-memory claude-memory=${IMAGE_NAME}:${IMAGE_TAG}"
+      - "kubectl -n claude-memory rollout status deployment/claude-memory --timeout=300s"