From 83496f6e0cbf24a866a06788ee47ea3eb6043f23 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 7 May 2026 17:03:25 +0000
Subject: [PATCH] [forgejo] Allow webhook delivery to ci.viktorbarzin.me + *.viktorbarzin.me
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Forgejo→Woodpecker webhook (so Woodpecker fires on each push to viktor/) was being blocked by the existing ALLOWED_HOST_LIST of *.svc.cluster.local — ci.viktorbarzin.me resolves to the public IP because Cloudflare proxying wasn't covering that path. Without this fix, no Woodpecker pipeline run was triggered on push, the dual-push bake would never start, and Forgejo's package catalog stays empty. Add ci.viktorbarzin.me explicitly + *.viktorbarzin.me as a future- proofing wildcard. The list still excludes arbitrary external hosts, so this is not a security regression — just unblocking the webhook to our own CI.

Co-Authored-By: Claude Opus 4.7
---
 stacks/forgejo/main.tf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf
index 3b597804..cde93da5 100644
--- a/stacks/forgejo/main.tf
+++ b/stacks/forgejo/main.tf
@@ -109,10 +109,12 @@ resource "kubernetes_deployment" "forgejo" {
 name = "FORGEJO__openid__ENABLE_OPENID_SIGNIN"
 value = "false"
 }
- # Allow webhook delivery to internal k8s services
+ # Allow webhook delivery to internal k8s services AND to the public
+ # ingress hostnames Forgejo's own webhooks point to (ci.viktorbarzin.me
+ for Woodpecker pipelines).
 env {
 name = "FORGEJO__webhook__ALLOWED_HOST_LIST"
- value = "*.svc.cluster.local"
+ value = "*.svc.cluster.local,ci.viktorbarzin.me,*.viktorbarzin.me"
 }
 # OCI registry (container packages). Default-on in Forgejo v11 but
 # explicit so it can't be silently disabled by an upstream config
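Review bot: The `*.viktorbarzin.me` wildcard on the new `value` line widens Forgejo's webhook SSRF allowlist well beyond the one host the commit needs, and if Forgejo's host matcher accepts a hostname-pattern match without then checking the resolved address (as I recall it does), any name under that zone that is later pointed at a private or cluster address becomes a reachable webhook target for every user who can create webhooks. Since the explicit `ci.viktorbarzin.me` entry already unblocks Woodpecker, keep the list tight and grow it on demand: `value = "*.svc.cluster.local,ci.viktorbarzin.me"`. The new comment should also record that this host is reached via its public IP, so the webhook URL must be `https://` with a configured secret, because the payload now leaves the cluster. Separately, the third added comment line reads `+ for Woodpecker pipelines).` with no leading `#` as extracted here; if that is not an extraction artifact, `terraform validate` will reject the file. The enclosing `kubernetes_deployment` resource starts and ends outside the hunk.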