Merge pull request 'plotting-book: pull image from private ghcr instead of public DockerHub' (#15) from wizard/plotting-ghcr into master
All checks were successful
ci/woodpecker/push/default Pipeline was successful
All checks were successful
ci/woodpecker/push/default Pipeline was successful
This commit is contained in:
commit
81c2b14e29
4 changed files with 29 additions and 6 deletions
|
|
@ -13,7 +13,7 @@ The trigger was a proposal to swap Forgejo out for GitHub entirely. The grilling
|
||||||
Do **not** swap to GitHub. Reaffirm and *complete* the model already in `CONTEXT.md`:
|
Do **not** swap to GitHub. Reaffirm and *complete* the model already in `CONTEXT.md`:
|
||||||
|
|
||||||
- Every first-party repo has exactly **one** push target — its **Canonical repo** on Forgejo. GitHub is a one-way push-mirror (off-site backup + the source GitHub Actions builds from). **No repo is ever dual-pushed.**
|
- Every first-party repo has exactly **one** push target — its **Canonical repo** on Forgejo. GitHub is a one-way push-mirror (off-site backup + the source GitHub Actions builds from). **No repo is ever dual-pushed.**
|
||||||
- A small, explicit set of **GitHub-first repos** are the exception (canonical lives on GitHub, outside the mirror policy): third-party clones/forks where GitHub is genuinely upstream (`jsoncrack.com`, `snmp_exporter`, `SparkyFitness`, `agent-rules-books`, `Plotting-Your-Dream-Book`) and the deliberately-public first-party `health`.
|
- A small, explicit set of **GitHub-first repos** are the exception (canonical lives on GitHub, outside the mirror policy): third-party clones/forks where GitHub is genuinely upstream (`jsoncrack.com`, `snmp_exporter`, `SparkyFitness`, `agent-rules-books`, `Plotting-Your-Dream-Book`) and the deliberately-public first-party `health`. `Plotting-Your-Dream-Book` (owned by Anca, dev in her org) keeps its GHA build in-place and pushes the image to **its own org's ghcr** (`ghcr.io/passionprojectsanca/book-plotter`, private) via the workflow's built-in `GITHUB_TOKEN` — no Forgejo mirror, no `viktorbarzin`-namespace push, no shared PAT in her repo (2026-06-27, migrated off DockerHub).
|
||||||
- `infra` is reconciled into the standard model: its GitHub-only `.github/workflows/build-*.yml` are brought onto Forgejo-canonical (inert on Forgejo, active on the mirror), then the mirror is enabled — ending the deliberate divergence while keeping Woodpecker on the Forgejo forge.
|
- `infra` is reconciled into the standard model: its GitHub-only `.github/workflows/build-*.yml` are brought onto Forgejo-canonical (inert on Forgejo, active on the mirror), then the mirror is enabled — ending the deliberate divergence while keeping Woodpecker on the Forgejo forge.
|
||||||
- Enforcement is **structural**: reconciled clones keep only the Forgejo remote, so there is no GitHub remote to habitually push to; the execution rule is "push to the canonical forge only, never the mirror."
|
- Enforcement is **structural**: reconciled clones keep only the Forgejo remote, so there is no GitHub remote to habitually push to; the execution rule is "push to the canonical forge only, never the mirror."
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -115,9 +115,20 @@ claude-agent-service, claude-memory-mcp, kms-website, Freedify,
|
||||||
instagram-poster, payslip-ingest, broker-sync (image name `wealthfolio-sync`),
|
instagram-poster, payslip-ingest, broker-sync (image name `wealthfolio-sync`),
|
||||||
fire-planner, recruiter-responder, x402-gateway — plus **tripit** (the original
|
fire-planner, recruiter-responder, x402-gateway — plus **tripit** (the original
|
||||||
pilot, 2026-06-09). Earlier public-repo apps already on GHA (Website,
|
pilot, 2026-06-09). Earlier public-repo apps already on GHA (Website,
|
||||||
k8s-portal, apple-health-data, audiblez-web, plotting-book, insta2spotify,
|
k8s-portal, apple-health-data, audiblez-web, insta2spotify,
|
||||||
audiobook-search) now also land on ghcr.
|
audiobook-search) now also land on ghcr.
|
||||||
|
|
||||||
|
**plotting-book** is a special case (a GitHub-first repo owned by Anca,
|
||||||
|
ADR-0003): the build runs in *her* GitHub repo
|
||||||
|
(`PassionProjectsAnca/Plotting-Your-Dream-Book`) and pushes to **private
|
||||||
|
`ghcr.io/passionprojectsanca/book-plotter`** — under her org's ghcr namespace,
|
||||||
|
not `viktorbarzin`, using the workflow's built-in `GITHUB_TOKEN` (no shared
|
||||||
|
PAT). The cluster pulls it via the Kyverno-synced `ghcr-credentials` secret (the
|
||||||
|
`plotting-book` namespace is on the allowlist; the shared `ghcr_pull_token` has
|
||||||
|
read access). Migrated off public DockerHub (`viktorbarzin/book-plotter`) on
|
||||||
|
2026-06-27. The Woodpecker deploy hook (repo 43, registered to Anca's repo) is
|
||||||
|
unchanged.
|
||||||
|
|
||||||
### Infra-owned images (issues #29 / #30)
|
### Infra-owned images (issues #29 / #30)
|
||||||
|
|
||||||
Images owned by the infra repo build on GHA workflows **in the infra repo's own
|
Images owned by the infra repo build on GHA workflows **in the infra repo's own
|
||||||
|
|
|
||||||
|
|
@ -34,6 +34,10 @@ locals {
|
||||||
# goldmane-edge-aggregator: PRIVATE ghcr image pulled by the aggregate
|
# goldmane-edge-aggregator: PRIVATE ghcr image pulled by the aggregate
|
||||||
# Deployment + digest CronJob (ADR-0014, infra#58).
|
# Deployment + digest CronJob (ADR-0014, infra#58).
|
||||||
"goldmane-edge-aggregator",
|
"goldmane-edge-aggregator",
|
||||||
|
# plotting-book: image migrated from public DockerHub to PRIVATE
|
||||||
|
# ghcr.io/passionprojectsanca/book-plotter (built by GHA in Anca's repo,
|
||||||
|
# under her own org's ghcr). The deployment references the cloned secret.
|
||||||
|
"plotting-book",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -118,6 +118,12 @@ resource "kubernetes_deployment" "plotting-book" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
spec {
|
spec {
|
||||||
|
# Pull the PRIVATE ghcr image. The ghcr-credentials secret is cloned
|
||||||
|
# into this namespace by the Kyverno generate policy in stacks/kyverno
|
||||||
|
# (plotting-book is on its ghcr_private_namespaces allowlist).
|
||||||
|
image_pull_secrets {
|
||||||
|
name = "ghcr-credentials"
|
||||||
|
}
|
||||||
volume {
|
volume {
|
||||||
name = "data"
|
name = "data"
|
||||||
persistent_volume_claim {
|
persistent_volume_claim {
|
||||||
|
|
@ -125,10 +131,12 @@ resource "kubernetes_deployment" "plotting-book" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
container {
|
container {
|
||||||
# Baseline only — CI owns the live tag (GHA builds viktorbarzin/book-plotter:<sha8>,
|
# Baseline only — CI owns the live tag (GHA in Anca's repo builds
|
||||||
# Woodpecker repo 43 set-images it; see ignore_changes above). :latest is pushed by
|
# ghcr.io/passionprojectsanca/book-plotter:vX.Y.Z, Woodpecker repo 43
|
||||||
# the same GHA build, so a from-scratch apply starts on current code.
|
# set-images it; see ignore_changes above). :latest is pushed by the
|
||||||
image = "viktorbarzin/book-plotter:latest"
|
# same GHA build, so a from-scratch apply starts on current code.
|
||||||
|
# PRIVATE package — pulled via the ghcr-credentials secret below.
|
||||||
|
image = "ghcr.io/passionprojectsanca/book-plotter:latest"
|
||||||
name = "plotting-book"
|
name = "plotting-book"
|
||||||
image_pull_policy = "Always"
|
image_pull_policy = "Always"
|
||||||
env {
|
env {
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue