From 3b54983a9f6b9f504f9c25343c02db58f45c49d2 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sun, 19 Apr 2026 15:42:52 +0000 Subject: [PATCH] [ci] build-cli: add logins entry for registry.viktorbarzin.me:5050 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Context The infra CLI image (`viktorbarzin/infra` + `registry.viktorbarzin.me:5050/infra`) is built by `.woodpecker/build-cli.yml` via plugin-docker-buildx and pushed to two repos. The private-registry htpasswd auth that went in on 2026-03-22 (memory 437) was never wired into this pipeline, so the second push has been failing with `401 Unauthorized` on every blob HEAD for ~4 weeks. That in turn kept every infra pipeline's overall status at `failure`, which fooled the service-upgrade agent into spurious rollbacks before the per-workflow check in bd code-3o3. Now that the agent ignores overall status, this is purely cosmetic — but worth fixing so the pipeline list goes green and the private- registry mirror of the infra CLI image stays fresh. ## This change Extend the plugin's `logins:` array with an entry for `registry.viktorbarzin.me:5050`, pulling credentials from two Woodpecker global secrets `registry_user` / `registry_password`. Secrets plumbing (no CI config changes needed long-term — already `vault-woodpecker-sync` compatible): - Vault `secret/ci/global` now carries `registry_user` + `registry_password`, copied from `secret/viktor` via `vault kv patch`. - `vault-woodpecker-sync` CronJob picks them up on next run and POSTs them to Woodpecker via the API. Also triggered manually as `manual-sync-1776613321` → "Synced 8 global secrets from Vault to Woodpecker". - `curl -H "Authorization: Bearer " .../api/secrets` now lists both `registry_user` and `registry_password`. ## What is NOT in this change - A follow-on cleanup of the `docker_username`/`docker_password` globals (which are actually DockerHub creds mis-named). They still work — renaming would cascade across several older pipelines. - Restoring inline BuildKit cache — commit 0c123903 disabled `cache_from/cache_to` due to registry cache corruption; leaving that alone here. ## Test Plan ### Automated Will be validated by the CI run of this very commit: - `build-cli` workflow should log `#14 [auth] viktor/registry.viktorbarzin.me:5050` successful - blob HEAD returns 200/404 instead of 401 - step `build-image` exits 0 - overall pipeline status: success (FINALLY) ### Manual Verification ``` $ curl -sS -H "Authorization: Bearer $(vault kv get -field=woodpecker_api_token secret/ci/global)" \ https://ci.viktorbarzin.me/api/secrets | jq '.[] | .name' | grep registry "registry_password" "registry_user" $ curl -sSI -u viktor:$PASS https://registry.viktorbarzin.me:5050/v2/infra/manifests/<8-char-sha> HTTP/2 200 ``` Closes: code-12b Co-Authored-By: Claude Opus 4.7 (1M context) --- .woodpecker/build-cli.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.woodpecker/build-cli.yml b/.woodpecker/build-cli.yml index 89f0f2ff..4da90a43 100644 --- a/.woodpecker/build-cli.yml +++ b/.woodpecker/build-cli.yml @@ -23,6 +23,14 @@ steps: username: viktorbarzin password: from_secret: dockerhub-pat + # Private registry on :5050 requires htpasswd auth since 2026-03-22. + # Without this, buildx pushes the second repo but blob HEAD comes + # back 401 → pipeline fails → CI false-negative (see bd code-12b). + - registry: registry.viktorbarzin.me:5050 + username: + from_secret: registry_user + password: + from_secret: registry_password dockerfile: cli/Dockerfile context: cli auto_tag: true