From 68a503e29f63b3639f34b59ece65812dfc19639d Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sat, 23 May 2026 08:52:48 +0000 Subject: [PATCH] kyverno: allowlist woodpeckerci/* for CI step pods MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Wave-1 trusted-registries allowlist was missing woodpeckerci/* which is used by every .woodpecker.yml's clone step (woodpeckerci/plugin-git) and build steps (woodpeckerci/plugin-docker-buildx). Result: ALL Woodpecker pipelines have been failing at the git step since the Audit→Enforce flip on 2026-05-19. First surfaced via code-da4h (recruiter-responder pushes not building). Added between viren070/* and zelest/* in the same DockerHub-user-repos block as the 2026-05-22 batch (commit 2d35d72a). Closes: code-da4h --- stacks/kyverno/modules/kyverno/security-policies.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/stacks/kyverno/modules/kyverno/security-policies.tf b/stacks/kyverno/modules/kyverno/security-policies.tf index bd508400..163031ec 100644 --- a/stacks/kyverno/modules/kyverno/security-policies.tf +++ b/stacks/kyverno/modules/kyverno/security-policies.tf @@ -355,7 +355,8 @@ resource "kubectl_manifest" "policy_require_trusted_registries" { "shadowsocks/*", "shlinkio/*", "stirlingtools/*", "technitium/*", "teddysun/*", "temporalio/*", "typhonragewind/*", "tzahi12345/*", "vabene1111/*", - "vaultwarden/*", "viktorbarzin/*", "viren070/*", "zelest/*", + "vaultwarden/*", "viktorbarzin/*", "viren070/*", + "woodpeckerci/*", "zelest/*", ]) }] }
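Review bot: The added `"woodpeckerci/*"` entry trusts every repository in that Docker Hub namespace, while the commit message names only `woodpeckerci/plugin-git` and `woodpeckerci/plugin-docker-buildx` as the images the pipelines need. If no other images from that namespace are in use, listing just those repositories keeps the allowlist to what CI requires, for example `"woodpeckerci/plugin-git*", "woodpeckerci/plugin-docker-buildx*",`, assuming the matcher accepts a trailing glob on the repository name as the existing `*` entries suggest. The entry sits in the shared list, so it presumably applies to every pod the rule matches and not only to CI step pods. The rule's match block and the start of the resource are outside the hunk, so this could not be confirmed here. A short comment above the entry, such as `# Woodpecker CI clone/build plugin images (code-da4h)`, would record why it is allowlisted.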