fix: move pipeline logic to shell script (avoid YAML quoting issues)
This commit is contained in:
Viktor Barzin
parent
df95f52d08
commit
8540f48a28
2 changed files with 66 additions and 19 deletions
|
|
@ -12,29 +12,13 @@ steps:
|
|||
image: python:3.12-alpine
|
||||
commands:
|
||||
- apk add --no-cache jq curl git openssh-client
|
||||
- "PM_FILE=$(git diff HEAD~1 --name-only | grep 'docs/post-mortems/.*\\.md' | head -1)"
|
||||
- "if [ -z \"$PM_FILE\" ]; then echo 'No post-mortem changes'; exit 0; fi"
|
||||
- "echo \"Post-mortem changed: $PM_FILE\""
|
||||
- "if ! git diff HEAD~1 -- \"$PM_FILE\" | grep -q '+.*TODO'; then echo 'No new TODOs'; exit 0; fi"
|
||||
- "bash scripts/parse-postmortem-todos.sh \"$PM_FILE\" > /tmp/todos.json"
|
||||
- "cat /tmp/todos.json"
|
||||
- "TODO_COUNT=$(jq '.safe_todos' /tmp/todos.json)"
|
||||
- "echo \"$TODO_COUNT safe TODO(s) found\""
|
||||
- "if [ \"$TODO_COUNT\" -eq 0 ]; then echo 'No auto-implementable TODOs'; exit 0; fi"
|
||||
- "SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
|
||||
- "VAULT_TOKEN=$(curl -sf -X POST http://vault-active.vault.svc.cluster.local:8200/v1/auth/kubernetes/login -d \"{\\\"role\\\":\\\"ci\\\",\\\"jwt\\\":\\\"$SA_TOKEN\\\"}\" | jq -r .auth.client_token)"
|
||||
- "if [ -z \"$VAULT_TOKEN\" ] || [ \"$VAULT_TOKEN\" = 'null' ]; then echo 'Vault auth failed'; exit 1; fi"
|
||||
- "curl -sf -H \"X-Vault-Token: $VAULT_TOKEN\" http://vault-active.vault.svc.cluster.local:8200/v1/secret/data/ci/infra | jq -r '.data.data.devvm_ssh_key' > /tmp/devvm-key"
|
||||
- "chmod 600 /tmp/devvm-key"
|
||||
- "TODOS=$(cat /tmp/todos.json | tr '\\n' ' ')"
|
||||
- "ssh -i /tmp/devvm-key -o StrictHostKeyChecking=no wizard@10.0.10.10 \"cd ~/code/infra && git pull && claude -p --agent postmortem-todo-resolver --dangerously-skip-permissions --max-budget-usd 5 'Implement TODOs from $PM_FILE: $TODOS'\""
|
||||
- "rm -f /tmp/devvm-key"
|
||||
- sh scripts/postmortem-pipeline.sh
|
||||
|
||||
- name: notify-slack
|
||||
image: alpine
|
||||
commands:
|
||||
- "apk add --no-cache curl"
|
||||
- "curl -sf -X POST \"https://hooks.slack.com/services/${SLACK_WEBHOOK}\" -H 'Content-Type: application/json' -d '{\"text\": \"Post-mortem TODO resolver pipeline completed\"}' || true"
|
||||
- apk add --no-cache curl
|
||||
- "curl -sf -X POST https://hooks.slack.com/services/$SLACK_WEBHOOK -H 'Content-Type: application/json' -d '{\"text\": \"Post-mortem TODO pipeline completed\"}' || true"
|
||||
secrets:
|
||||
- slack_webhook
|
||||
when:
|
||||
|
|
|
|||
63
scripts/postmortem-pipeline.sh
Executable file
63
scripts/postmortem-pipeline.sh
Executable file
|
|
@ -0,0 +1,63 @@
|
|||
#!/bin/sh
|
||||
# postmortem-pipeline.sh — Woodpecker pipeline step for post-mortem TODO automation
|
||||
# Called from .woodpecker/postmortem-todos.yml
|
||||
set -e
|
||||
|
||||
# 1. Find which post-mortem changed
|
||||
PM_FILE=$(git diff HEAD~1 --name-only | grep 'docs/post-mortems/.*[.]md' | head -1)
|
||||
if [ -z "$PM_FILE" ]; then
|
||||
echo "No post-mortem markdown changes detected"
|
||||
exit 0
|
||||
fi
|
||||
echo "Post-mortem changed: $PM_FILE"
|
||||
|
||||
# 2. Check if there are new TODOs (not just TODO→Done updates)
|
||||
if ! git diff HEAD~1 -- "$PM_FILE" | grep -q '+.*TODO'; then
|
||||
echo "No new TODOs added — skipping"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# 3. Parse TODOs
|
||||
bash scripts/parse-postmortem-todos.sh "$PM_FILE" > /tmp/todos.json
|
||||
cat /tmp/todos.json
|
||||
TODO_COUNT=$(jq '.safe_todos' /tmp/todos.json)
|
||||
echo "$TODO_COUNT safe TODO(s) found"
|
||||
if [ "$TODO_COUNT" -eq 0 ]; then
|
||||
echo "No auto-implementable TODOs — skipping"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# 4. Authenticate to Vault via K8s SA JWT
|
||||
SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
|
||||
VAULT_RESP=$(curl -sf -X POST http://vault-active.vault.svc.cluster.local:8200/v1/auth/kubernetes/login \
|
||||
-d "{\"role\":\"ci\",\"jwt\":\"$SA_TOKEN\"}")
|
||||
VAULT_TOKEN=$(echo "$VAULT_RESP" | jq -r .auth.client_token)
|
||||
if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
|
||||
echo "ERROR: Vault authentication failed"
|
||||
exit 1
|
||||
fi
|
||||
echo "Vault authenticated"
|
||||
|
||||
# 5. Fetch DevVM SSH key from Vault
|
||||
curl -sf -H "X-Vault-Token: $VAULT_TOKEN" \
|
||||
http://vault-active.vault.svc.cluster.local:8200/v1/secret/data/ci/infra | \
|
||||
jq -r '.data.data.devvm_ssh_key' > /tmp/devvm-key
|
||||
chmod 600 /tmp/devvm-key
|
||||
if [ ! -s /tmp/devvm-key ]; then
|
||||
echo "ERROR: Failed to fetch DevVM SSH key"
|
||||
exit 1
|
||||
fi
|
||||
echo "SSH key fetched"
|
||||
|
||||
# 6. SSH to DevVM and run Claude Code headless
|
||||
TODOS=$(cat /tmp/todos.json)
|
||||
ssh -i /tmp/devvm-key -o StrictHostKeyChecking=no wizard@10.0.10.10 \
|
||||
"cd ~/code/infra && git pull && claude -p \
|
||||
--agent postmortem-todo-resolver \
|
||||
--dangerously-skip-permissions \
|
||||
--max-budget-usd 5 \
|
||||
'Implement the auto-implementable TODOs from $PM_FILE. Parsed TODO list: $TODOS'"
|
||||
|
||||
# 7. Cleanup
|
||||
rm -f /tmp/devvm-key
|
||||
echo "Pipeline complete"
|
||||
Loading…
Add table
Add a link
Reference in a new issue