Merge pull request 'plotting-book: pull image from private ghcr instead of public DockerHub' (#15) from wizard/plotting-ghcr into master

2026-06-27 15:32:35 +00:00 · 2026-06-27 15:32:35 +00:00 · 81c2b14e29
commit 81c2b14e29
parent bf40409141 c13a3f1694
4 changed files with 29 additions and 6 deletions
--- a/docs/adr/0003-keep-forgejo-canonical-complete-mirror.md
+++ b/docs/adr/0003-keep-forgejo-canonical-complete-mirror.md
@ -13,7 +13,7 @@ The trigger was a proposal to swap Forgejo out for GitHub entirely. The grilling
 Do **not** swap to GitHub. Reaffirm and *complete* the model already in `CONTEXT.md`:

 - Every first-party repo has exactly **one** push target — its **Canonical repo** on Forgejo. GitHub is a one-way push-mirror (off-site backup + the source GitHub Actions builds from). **No repo is ever dual-pushed.**
- A small, explicit set of **GitHub-first repos** are the exception (canonical lives on GitHub, outside the mirror policy): third-party clones/forks where GitHub is genuinely upstream (`jsoncrack.com`, `snmp_exporter`, `SparkyFitness`, `agent-rules-books`, `Plotting-Your-Dream-Book`) and the deliberately-public first-party `health`.
+- A small, explicit set of **GitHub-first repos** are the exception (canonical lives on GitHub, outside the mirror policy): third-party clones/forks where GitHub is genuinely upstream (`jsoncrack.com`, `snmp_exporter`, `SparkyFitness`, `agent-rules-books`, `Plotting-Your-Dream-Book`) and the deliberately-public first-party `health`. `Plotting-Your-Dream-Book` (owned by Anca, dev in her org) keeps its GHA build in-place and pushes the image to **its own org's ghcr** (`ghcr.io/passionprojectsanca/book-plotter`, private) via the workflow's built-in `GITHUB_TOKEN` — no Forgejo mirror, no `viktorbarzin`-namespace push, no shared PAT in her repo (2026-06-27, migrated off DockerHub).
 - `infra` is reconciled into the standard model: its GitHub-only `.github/workflows/build-*.yml` are brought onto Forgejo-canonical (inert on Forgejo, active on the mirror), then the mirror is enabled — ending the deliberate divergence while keeping Woodpecker on the Forgejo forge.
 - Enforcement is **structural**: reconciled clones keep only the Forgejo remote, so there is no GitHub remote to habitually push to; the execution rule is "push to the canonical forge only, never the mirror."

--- a/docs/architecture/ci-cd.md
+++ b/docs/architecture/ci-cd.md
@ -115,9 +115,20 @@ claude-agent-service, claude-memory-mcp, kms-website, Freedify,
 instagram-poster, payslip-ingest, broker-sync (image name `wealthfolio-sync`),
 fire-planner, recruiter-responder, x402-gateway — plus **tripit** (the original
 pilot, 2026-06-09). Earlier public-repo apps already on GHA (Website,
-k8s-portal, apple-health-data, audiblez-web, plotting-book, insta2spotify,
+k8s-portal, apple-health-data, audiblez-web, insta2spotify,
 audiobook-search) now also land on ghcr.

+**plotting-book** is a special case (a GitHub-first repo owned by Anca,
+ADR-0003): the build runs in *her* GitHub repo
+(`PassionProjectsAnca/Plotting-Your-Dream-Book`) and pushes to **private
+`ghcr.io/passionprojectsanca/book-plotter`** — under her org's ghcr namespace,
+not `viktorbarzin`, using the workflow's built-in `GITHUB_TOKEN` (no shared
+PAT). The cluster pulls it via the Kyverno-synced `ghcr-credentials` secret (the
+`plotting-book` namespace is on the allowlist; the shared `ghcr_pull_token` has
+read access). Migrated off public DockerHub (`viktorbarzin/book-plotter`) on
+2026-06-27. The Woodpecker deploy hook (repo 43, registered to Anca's repo) is
+unchanged.
+
 ### Infra-owned images (issues #29 / #30)

 Images owned by the infra repo build on GHA workflows **in the infra repo's own
--- a/stacks/kyverno/modules/kyverno/ghcr-credentials.tf
+++ b/stacks/kyverno/modules/kyverno/ghcr-credentials.tf
@ -34,6 +34,10 @@ locals {
    # goldmane-edge-aggregator: PRIVATE ghcr image pulled by the aggregate
    # Deployment + digest CronJob (ADR-0014, infra#58).
    "goldmane-edge-aggregator",
+    # plotting-book: image migrated from public DockerHub to PRIVATE
+    # ghcr.io/passionprojectsanca/book-plotter (built by GHA in Anca's repo,
+    # under her own org's ghcr). The deployment references the cloned secret.
+    "plotting-book",
  ]
 }

--- a/stacks/plotting-book/main.tf
+++ b/stacks/plotting-book/main.tf
@ -118,6 +118,12 @@ resource "kubernetes_deployment" "plotting-book" {
        }
      }
      spec {
+        # Pull the PRIVATE ghcr image. The ghcr-credentials secret is cloned
+        # into this namespace by the Kyverno generate policy in stacks/kyverno
+        # (plotting-book is on its ghcr_private_namespaces allowlist).
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
        volume {
          name = "data"
          persistent_volume_claim {
@ -125,10 +131,12 @@ resource "kubernetes_deployment" "plotting-book" {
          }
        }
        container {
-          # Baseline only — CI owns the live tag (GHA builds viktorbarzin/book-plotter:<sha8>,
-          # Woodpecker repo 43 set-images it; see ignore_changes above). :latest is pushed by
-          # the same GHA build, so a from-scratch apply starts on current code.
-          image             = "viktorbarzin/book-plotter:latest"
+          # Baseline only — CI owns the live tag (GHA in Anca's repo builds
+          # ghcr.io/passionprojectsanca/book-plotter:vX.Y.Z, Woodpecker repo 43
+          # set-images it; see ignore_changes above). :latest is pushed by the
+          # same GHA build, so a from-scratch apply starts on current code.
+          # PRIVATE package — pulled via the ghcr-credentials secret below.
+          image             = "ghcr.io/passionprojectsanca/book-plotter:latest"
          name              = "plotting-book"
          image_pull_policy = "Always"
          env {