[woodpecker] Persist hostAliases patch via null_resource (chart doesn't expose it)

Helm chart 3.5.1 has no `server.hostAliases` field, so the YAML
addition I made earlier was a no-op. Apply via kubectl patch in a
null_resource keyed on helm revision so it re-asserts on every
chart upgrade. Same pattern as the CoreDNS replicas/affinity patch
in stacks/technitium/.

Without this, every helm upgrade on woodpecker reverts the
hostAliases fix and the Forgejo pipeline triggers start failing
with context-deadline-exceeded again.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

stacks/woodpecker/values.yaml

@@ -4,17 +4,12 @@ server:
     reloader.stakater.com/search: "true"
   statefulSet:
     replicaCount: 1
-  # Pin forgejo.viktorbarzin.me to the in-cluster Traefik LB so the
-  # forge-API fetch path never round-trips through Cloudflare. Without
-  # this, OAuth/HTTP requests hit 30s context-deadline timeouts on cold
-  # DNS / TLS handshakes through the WAN gateway, which fails every
-  # pipeline trigger ("could not load config from forge: context
-  # deadline exceeded"). Traefik serves the wildcard cert so SNI
-  # verification still passes.
-  hostAliases:
-    - ip: "10.0.20.200"
-      hostnames:
-        - "forgejo.viktorbarzin.me"
+  # NOTE: hostAliases is NOT exposed by the woodpecker Helm chart (3.5.1 verified) —
+  # see main.tf null_resource.woodpecker_server_host_alias which applies the same
+  # via `kubectl patch` post-helm. Pinned to the in-cluster Traefik LB
+  # (10.0.20.200) so the forge-API fetch path never round-trips through
+  # Cloudflare ("context deadline exceeded" was failing every Forgejo
+  # pipeline trigger).
   image:
     registry: docker.io
     repository: woodpeckerci/woodpecker-server