infra/.woodpecker/build-cli.yml

```yaml
when:
  event: push

clone:
  git:
    image: woodpeckerci/plugin-git
    settings:
      attempts: 5
      backoff: 10s

steps:
  - name: build-image
    image: woodpeckerci/plugin-docker-buildx
    settings:
      username: "viktorbarzin"
      password:
        from_secret: dockerhub-pat
      # Phase 4 of forgejo-registry-consolidation 2026-05-07 —
      # registry.viktorbarzin.me:5050 decommissioned. Push to DockerHub
      # (the public-facing infra image) AND Forgejo (the cluster pull
      # source). Same image, two locations.
      repo:
        - viktorbarzin/infra
        - forgejo.viktorbarzin.me/viktor/infra
      logins:
        - registry: https://index.docker.io/v1/
          username: viktorbarzin
          password:
            from_secret: dockerhub-pat
        - registry: forgejo.viktorbarzin.me
          username:
            from_secret: forgejo_user
          password:
            from_secret: forgejo_push_token
      dockerfile: cli/Dockerfile
      context: cli
      auto_tag: true
      # cache_from/cache_to removed: registry cache corruption causes
      # "short read: expected 32 bytes" BuildKit errors. Inline cache
      # will be re-populated once a clean image is pushed.
      # cache_from: "registry.viktorbarzin.me:5050/infra:latest"
      # cache_to: "type=inline"
```

Blame annotation on the `logins:` entries (commit message, 2026-04-19 15:42:52 +00:00):

[ci] build-cli: add logins entry for registry.viktorbarzin.me:5050

## Context

The infra CLI image (`viktorbarzin/infra` + `registry.viktorbarzin.me:5050/infra`) is built by `.woodpecker/build-cli.yml` via plugin-docker-buildx and pushed to two repos. The private-registry htpasswd auth that went in on 2026-03-22 (memory 437) was never wired into this pipeline, so the second push has been failing with `401 Unauthorized` on every blob HEAD for ~4 weeks. That in turn kept every infra pipeline's overall status at `failure`, which fooled the service-upgrade agent into spurious rollbacks before the per-workflow check in bd code-3o3. Now that the agent ignores overall status, this is purely cosmetic — but worth fixing so the pipeline list goes green and the private-registry mirror of the infra CLI image stays fresh.

## This change

Extend the plugin's `logins:` array with an entry for `registry.viktorbarzin.me:5050`, pulling credentials from two Woodpecker global secrets `registry_user` / `registry_password`.

Secrets plumbing (no CI config changes needed long-term — already `vault-woodpecker-sync` compatible):

- Vault `secret/ci/global` now carries `registry_user` + `registry_password`, copied from `secret/viktor` via `vault kv patch`.
- `vault-woodpecker-sync` CronJob picks them up on next run and POSTs them to Woodpecker via the API. Also triggered manually as `manual-sync-1776613321` → "Synced 8 global secrets from Vault to Woodpecker".
- `curl -H "Authorization: Bearer <wp-api-token>" .../api/secrets` now lists both `registry_user` and `registry_password`.

## What is NOT in this change

- A follow-on cleanup of the `docker_username`/`docker_password` globals (which are actually DockerHub creds mis-named). They still work — renaming would cascade across several older pipelines.
- Restoring inline BuildKit cache — commit 0c123903 disabled `cache_from/cache_to` due to registry cache corruption; leaving that alone here.

## Test Plan

### Automated

Will be validated by the CI run of this very commit:

- `build-cli` workflow should log `#14 [auth] viktor/registry.viktorbarzin.me:5050` successful
- blob HEAD returns 200/404 instead of 401
- step `build-image` exits 0
- overall pipeline status: success (FINALLY)

### Manual Verification

```
$ curl -sS -H "Authorization: Bearer $(vault kv get -field=woodpecker_api_token secret/ci/global)" \
    https://ci.viktorbarzin.me/api/secrets | jq '.[] | .name' | grep registry
"registry_password"
"registry_user"
$ curl -sSI -u viktor:$PASS https://registry.viktorbarzin.me:5050/v2/infra/manifests/<8-char-sha>
HTTP/2 200
```

Closes: code-12b
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-19 15:42:52 +00:00
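The failure the commit message describes (a second push target with no matching `logins` entry, surfacing only as `401 Unauthorized` weeks later) is cheap to catch before a pipeline runs. The following linter is an added example, not code from this repository or from the Woodpecker project: it takes a `plugin-docker-buildx` step, derives the registry host of every image in `repo:` using Docker's reference rules (a first path component containing `.` or `:`, or equal to `localhost`, is a registry; anything else lives on Docker Hub), checks that each host has a login, and flags any password given as an inline literal instead of `from_secret`. The step dictionaries are constructed by hand to mirror the page's YAML and the pre-fix state; the assumption that the plugin's top-level `username`/`password` authenticate against its `registry` setting (Docker Hub when unset) is noted in the code.

```python
"""Lint a Woodpecker plugin-docker-buildx step for missing registry logins
and inline credentials. Added example; the step dicts below are constructed
to mirror the page's build-cli.yml, not loaded from the repository."""
from urllib.parse import urlparse

DOCKER_HUB_ALIASES = {"docker.io", "index.docker.io", "registry-1.docker.io"}


def registry_of_image(ref: str) -> str:
    """Registry host[:port] of an image reference, per Docker's rules: the
    first path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the image is on Docker Hub."""
    first = ref.split("/", 1)[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def registry_of_login(reg: str) -> str:
    """Normalise a logins[].registry value (bare host or URL such as
    https://index.docker.io/v1/) to a host[:port], folding Hub aliases."""
    host = urlparse(reg).netloc if "://" in reg else reg.split("/", 1)[0]
    host = host.lower()
    return "docker.io" if host in DOCKER_HUB_ALIASES else host


def uses_secret(value) -> bool:
    """True when a credential is a {from_secret: name} reference."""
    return isinstance(value, dict) and "from_secret" in value


def lint_buildx_step(step: dict) -> list:
    """Return findings for one step; an empty list means it passes."""
    findings = []
    name = step.get("name", "<unnamed>")
    settings = step.get("settings", {})
    repos = settings.get("repo", [])
    repos = [repos] if isinstance(repos, str) else list(repos)
    logins = list(settings.get("logins", []))

    login_hosts = {registry_of_login(e["registry"]) for e in logins if "registry" in e}
    # Assumption: the plugin's top-level username/password log in to its
    # `registry` setting, which defaults to Docker Hub when unset.
    if "password" in settings:
        login_hosts.add(registry_of_login(settings.get("registry", "docker.io")))

    # Every push target needs a login, or the push fails with 401.
    for repo in repos:
        host = registry_of_image(repo)
        if host not in login_hosts:
            findings.append(f"{name}: push to {repo} has no logins entry for {host} (expect 401)")

    # Credentials must be secret references, never literals in the YAML.
    places = [("settings", settings)] + [(f"logins[{i}]", e) for i, e in enumerate(logins)]
    for where, creds in places:
        if "password" in creds and not uses_secret(creds["password"]):
            findings.append(f"{name}: {where}.password is an inline literal; use from_secret")
    return findings


# Constructed: the current file on the page (Docker Hub + Forgejo, all secrets).
CURRENT_STEP = {
    "name": "build-image",
    "image": "woodpeckerci/plugin-docker-buildx",
    "settings": {
        "username": "viktorbarzin",
        "password": {"from_secret": "dockerhub-pat"},
        "repo": ["viktorbarzin/infra", "forgejo.viktorbarzin.me/viktor/infra"],
        "logins": [
            {"registry": "https://index.docker.io/v1/", "username": "viktorbarzin",
             "password": {"from_secret": "dockerhub-pat"}},
            {"registry": "forgejo.viktorbarzin.me", "username": {"from_secret": "forgejo_user"},
             "password": {"from_secret": "forgejo_push_token"}},
        ],
        "dockerfile": "cli/Dockerfile", "context": "cli", "auto_tag": True,
    },
}

# Constructed: the pre-fix state from the commit message, a second push
# target on the private registry with no login for it.
BEFORE_FIX_STEP = {
    "name": "build-image",
    "settings": {
        "username": "viktorbarzin",
        "password": {"from_secret": "dockerhub-pat"},
        "repo": ["viktorbarzin/infra", "registry.viktorbarzin.me:5050/infra"],
        "logins": [{"registry": "https://index.docker.io/v1/", "username": "viktorbarzin",
                    "password": {"from_secret": "dockerhub-pat"}}],
    },
}

# Constructed: a password pasted into the pipeline instead of referenced.
LITERAL_STEP = {"name": "bad", "settings": {"username": "u", "password": "placeholder-literal",
                                             "repo": "viktorbarzin/infra"}}

if __name__ == "__main__":
    for step in (CURRENT_STEP, BEFORE_FIX_STEP, LITERAL_STEP):
        print(step["name"], lint_buildx_step(step) or "ok")
```

Running it prints `ok` for the current file, one missing-login finding for `registry.viktorbarzin.me:5050` on the pre-fix step, and an inline-literal finding for the third; wiring it into a pre-commit hook over every `.woodpecker/*.yml` is the natural place for it.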