excalidraw: migrate image build to GHA -> private ghcr (ADR-0002)

The image was still built by hand and pushed to DockerHub (v1..v4),
predating the all-builds-off-infra doctrine; Viktor chose to move it
onto the standard pipeline while shipping the export/rename feature
rather than keep the manual flow.

Mirrors the k8s-portal pattern: .github/workflows/build-excalidraw.yml
(go test + buildx linux/amd64, pushes ghcr latest+sha), excalidraw ns
added to the Kyverno ghcr-credentials allowlist (package is PRIVATE),
deployment now pins ghcr :latest with pullPolicy Always + pull secret,
Keel force/match-tag/5m annotations seed the metadata (live values win
via ignore_changes). DockerHub viktorbarzin/excalidraw-library:v4 stays
frozen as the rollback image. Docs: ci-cd.md + .claude/CLAUDE.md image
lists updated (also backfilled the missing k8s-portal rows in ci-cd.md).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Viktor Barzin 2026-07-02 14:29:23 +00:00
parent 1cbc1e962b
commit 8fc657f431
5 changed files with 77 additions and 7 deletions


@ -137,7 +137,7 @@ audiobook-search) now also land on ghcr.
chrome-service-novnc, android-emulator.
- **PRIVATE ghcr:** f1-stream, job-hunter, instagram-poster, payslip-ingest,
wealthfolio-sync, fire-planner, recruiter-responder, tripit, infra-cli,
infra-ci, k8s-portal. Pulled via the Kyverno-synced `ghcr-credentials` allowlist
infra-ci, k8s-portal, excalidraw-library. Pulled via the Kyverno-synced `ghcr-credentials` allowlist
(`stacks/kyverno/modules/kyverno/ghcr-credentials.tf`; NOT cluster-wide; cred
= Vault `secret/viktor/ghcr_pull_token`, a dedicated classic PAT scoped to
`read:packages` (UI-minted 2026-06-15; no longer the admin `github_pat`
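Review bot: the new PRIVATE-list entry `excalidraw-library` on the changed line does not say which namespace was added to the `ghcr-credentials` allowlist, while the same paragraph stresses the secret is NOT cluster-wide and is synced per namespace via `stacks/kyverno/modules/kyverno/ghcr-credentials.tf`; suggest naming the namespace (the commit message says the `excalidraw` ns) next to the image so a reader can verify the allowlist entry without opening the .tf file.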
@ -153,7 +153,9 @@ github↔forgejo divergence was deliberately NOT reconciled):
`build-cli.yml` → DockerHub `viktorbarzin/infra` (kept) + `ghcr.io/viktorbarzin/infra-cli`;
`build-infra-ci.yml``ghcr.io/viktorbarzin/infra-ci`; `build-k8s-portal.yml`
PRIVATE `ghcr.io/viktorbarzin/k8s-portal` (Keel-deployed; the LAST in-cluster
Woodpecker build, migrated 2026-06-13 — completes "no local builds"). **infra-ci**
Woodpecker build, migrated 2026-06-13 — completes "no local builds"); `build-excalidraw.yml`
PRIVATE `ghcr.io/viktorbarzin/excalidraw-library` (Keel-deployed; replaced
manual DockerHub pushes 2026-07-02 — DockerHub `:v4` frozen as rollback). **infra-ci**
is the image the `.woodpecker/default.yml` apply step + `drift-detection.yml` run
in (proven by pipelines 165/166). chatterbox-tts is already built by tripit's GHA → ghcr.
The Woodpecker `build-ci-image.yml` + `build-cli.yml` pipelines were REMOVED;
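Review bot: the rollback note on the added `build-excalidraw.yml` line ("DockerHub `:v4` frozen as rollback") gives only the old DockerHub image as a fallback, while the commit message says the workflow also pushes a `sha` tag alongside `latest` and the deployment now pins ghcr `:latest` with Keel polling; suggest the entry also name the ghcr sha-tagged image as the first rollback target, e.g. "rollback: pin the previous `ghcr.io/viktorbarzin/excalidraw-library:<sha>` tag, or DockerHub `:v4` if ghcr is unavailable", so the documented rollback path is the reproducible, provenance-tracked build rather than only the hand-pushed image.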