ci: retire in-cluster infra-ci build; breakglass becomes manual ghcr pull-and-save (ADR-0002 #30)

infra-ci now builds on GHA → ghcr and the ghcr-based apply is PROVEN (pipeline 165 ran terragrunt apply in the ghcr image). Removing the Woodpecker build-ci-image.yml (clean cut). The breakglass tarball is preserved as a MANUAL Woodpecker job pulling ghcr (public) → registry VM; infra-ci on ghcr is external + node-cached, so the Forgejo-down rationale for the old auto-tarball is moot — this is belt-and-braces DR. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-13 10:07:58 +00:00 · 2026-06-13 10:07:58 +00:00 · 3c3e6bfc95
commit 3c3e6bfc95
parent ee25a41c74
2 changed files with 31 additions and 88 deletions
--- a/.woodpecker/breakglass-infra-ci.yml
+++ b/.woodpecker/breakglass-infra-ci.yml
@ -0,0 +1,31 @@
 # Break-glass: save the ghcr infra-ci image to a tarball on the registry VM
 # (10.0.20.10) so it can be `docker load`-ed onto a node if ghcr is ever
 # unreachable during a recovery. infra-ci now builds on GHA → ghcr (ADR-0002),
 # which is external + node-cached, so this is a belt-and-braces DR artifact —
 # run MANUALLY after an infra-ci rebuild (or periodically). Pulls from ghcr
 # (public, no login). Recovery: docs/runbooks/forgejo-registry-breakglass.md.
 when:
  - event: manual
 steps:
  - name: breakglass-tarball
    image: alpine:3.20
    failure: ignore
    environment:
      REGISTRY_SSH_KEY:
        from_secret: registry_ssh_key
    commands:
      - apk add --no-cache openssh-client
      - mkdir -p ~/.ssh && chmod 700 ~/.ssh
      - printf '%s\n' "$REGISTRY_SSH_KEY" > ~/.ssh/id_ed25519
      - chmod 600 ~/.ssh/id_ed25519
      - ssh-keyscan -t ed25519 10.0.20.10 >> ~/.ssh/known_hosts 2>/dev/null
      - |
        ssh -n -o BatchMode=yes root@10.0.20.10 "
          set -e
          mkdir -p /opt/registry/data/private/_breakglass
          IMAGE=ghcr.io/viktorbarzin/infra-ci:latest
          docker pull \$IMAGE
          docker save \$IMAGE | gzip > /opt/registry/data/private/_breakglass/infra-ci-latest.tar.gz
          ls -lh /opt/registry/data/private/_breakglass/infra-ci-latest.tar.gz
        "
--- a/.woodpecker/build-ci-image.yml
+++ b/.woodpecker/build-ci-image.yml
@ -1,88 +0,0 @@
 # Build the CI tools Docker image used by all infra pipelines.
 # Triggers on push that touches ci/Dockerfile, or manual (API/UI) so
 # rebuilds after a registry incident don't need a cosmetic Dockerfile edit.
 when:
  - event: push
    branch: master
    path:
      include:
        - 'ci/Dockerfile'
  - event: manual
 steps:
  - name: build-and-push
    image: woodpeckerci/plugin-docker-buildx
    settings:
      # Phase 4 of forgejo-registry-consolidation 2026-05-07 —
      # registry.viktorbarzin.me dropped, Forgejo is the only target.
      repo:
        - forgejo.viktorbarzin.me/viktor/infra-ci
      dockerfile: ci/Dockerfile
      context: ci/
      tags:
        - latest
        - "${CI_COMMIT_SHA:0:8}"
      platforms: linux/amd64
      logins:
        - registry: forgejo.viktorbarzin.me
          username:
            from_secret: forgejo_user
          password:
            from_secret: forgejo_push_token
  # Post-push integrity check is now redundant with the every-15min
  # forgejo-integrity-probe in stacks/monitoring/, which walks
  # /v2/_catalog + HEADs every blob across the entire Forgejo registry.
  # If a corruption pattern emerges that the periodic probe misses,
  # restore a verify step similar to the pre-Phase-4 version (see
  # commit 49f4956f) but pointed at forgejo.viktorbarzin.me.
  # Break-glass tarball: save the just-pushed infra-ci image to disk on the
  # registry VM (10.0.20.10) so we can `docker load` it back into a node
  # when Forgejo is unreachable. Pulls from Forgejo (the only registry now).
  # Best-effort — failure here doesn't fail the pipeline.
  # Recovery procedure: docs/runbooks/forgejo-registry-breakglass.md.
  - name: breakglass-tarball
    image: alpine:3.20
    failure: ignore
    environment:
      REGISTRY_SSH_KEY:
        from_secret: registry_ssh_key
      FORGEJO_USER:
        from_secret: forgejo_user
      FORGEJO_PASS:
        from_secret: forgejo_push_token
    commands:
      - apk add --no-cache openssh-client
      - mkdir -p ~/.ssh && chmod 700 ~/.ssh
      - printf '%s\n' "$REGISTRY_SSH_KEY" > ~/.ssh/id_ed25519
      - chmod 600 ~/.ssh/id_ed25519
      - ssh-keyscan -t ed25519 10.0.20.10 >> ~/.ssh/known_hosts 2>/dev/null
      - SHA=${CI_COMMIT_SHA:0:8}
      - |
        ssh -n -o BatchMode=yes root@10.0.20.10 "
          set -e
          mkdir -p /opt/registry/data/private/_breakglass
          IMAGE=forgejo.viktorbarzin.me/viktor/infra-ci:$SHA
          echo \$FORGEJO_PASS | docker login forgejo.viktorbarzin.me -u \$FORGEJO_USER --password-stdin
          docker pull \$IMAGE
          docker save \$IMAGE | gzip > /opt/registry/data/private/_breakglass/infra-ci-$SHA.tar.gz
          ln -sfn infra-ci-$SHA.tar.gz /opt/registry/data/private/_breakglass/infra-ci-latest.tar.gz
          ls -t /opt/registry/data/private/_breakglass/infra-ci-*.tar.gz \
            | grep -v 'latest' | tail -n +6 | xargs -r rm -v
          ls -lh /opt/registry/data/private/_breakglass/
        "
  - name: slack
    image: curlimages/curl
    commands:
      - |
        curl -s -X POST -H 'Content-type: application/json' \
          --data "{\"text\":\"CI image built: forgejo.viktorbarzin.me/viktor/infra-ci:${CI_COMMIT_SHA:0:8} (and registry-private mirror)\"}" \
          "$SLACK_WEBHOOK" || true
    environment:
      SLACK_WEBHOOK:
        from_secret: slack_webhook
    when:
      status: [success]