publish-gate + tuya-bridge ghcr cutover prep (ADR-0002 infra#15)
Some checks failed
ci/woodpecker/push/build-cli Pipeline was successful
ci/woodpecker/push/default Pipeline failed

publish-gate: gitleaks + trufflehog (full history) + PII heuristics;
CLEAN verdict gates any public flip, DIRTY = stays private. tuya-bridge:
ghcr-credentials pull secret + image base -> ghcr; namespace added to
the ghcr-credentials allowlist as a safety net (new ghcr packages
default PRIVATE even from public repos — prune after visibility flip).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Viktor Barzin 2026-06-12 23:12:02 +00:00
parent 54dfaf6edc
commit 6b0d42c7bc
3 changed files with 75 additions and 2 deletions

@ -13,6 +13,10 @@
locals {
ghcr_private_namespaces = [
"tripit",
# tuya-bridge runs a PUBLIC-decision image, but new ghcr packages default
# PRIVATE until their visibility is flipped (UI) safety net so pulls
# work from the first deploy; prune once the package is public.
"tuya-bridge",
"f1-stream",
"job-hunter",
"instagram-poster",
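Review bot: the new "tuya-bridge" entry in ghcr_private_namespaces is described by its own comment as a temporary safety net ("prune once the package is public"), but the comment does not say where that pruning is tracked, so the ghcr-credentials pull secret can easily stay in the namespace long after the visibility flip. Suggest ending the comment with a pointer to the tracking item (the commit title names ADR-0002 infra#15) so the entry can be found and removed once unauthenticated pulls work. The second comment line is also a run-on: "flipped (UI) safety net so pulls" needs a separator between "(UI)" and "safety net".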