From f18dfa4c8be95437d77370011cf12776f1ab8d56 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 13 Jun 2026 00:38:09 +0000
Subject: [PATCH] fire-planner: pull image from ghcr + add ghcr-credentials to all pod specs

Migrating fire-planner off in-cluster Woodpecker builds to GitHub Actions -> ghcr.io (ADR-0002, issue #26). The image base moves forgejo.viktorbarzin.me/viktor/fire-planner -> ghcr.io/viktorbarzin/fire-planner (a PRIVATE ghcr package), so the deployment, all three cronjobs (recompute, col-refresh, examples-weekly) and the examples bulk job gain the ghcr-credentials imagePullSecret (the kyverno sync-ghcr-credentials allowlist already covers the fire-planner namespace). registry-credentials stays alongside so the currently-running sha-pinned forgejo image can still be pulled until the first ghcr deploy lands; the cronjob images are TF literals and flip to ghcr :latest on this apply.

Co-Authored-By: Claude Fable 5
---
 stacks/fire-planner/main.tf | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/stacks/fire-planner/main.tf b/stacks/fire-planner/main.tf
index 6af26754..58321e69 100644
--- a/stacks/fire-planner/main.tf
+++ b/stacks/fire-planner/main.tf
@@ -13,11 +13,13 @@ variable "tls_secret_name" {
 locals {
   namespace = "fire-planner"
-  # Phase 3 cutover 2026-05-07. NOTE: the registry-private repo for
-  # fire-planner has 0 tags — first build via Woodpecker on the new Forgejo
-  # repo (viktor/fire-planner, Dockerfile + .woodpecker.yml added 2026-05-07)
-  # must succeed BEFORE the next pod restart, otherwise pulls will 404.
-  image = "forgejo.viktorbarzin.me/viktor/fire-planner:${var.image_tag}"
+  # ADR-0002 off-infra builds (2026-06-13, issue infra#26): GHA on the GitHub
+  # mirror builds + pushes ghcr.io/viktorbarzin/fire-planner (:sha8 + :latest);
+  # Woodpecker is deploy-only. PRIVATE ghcr package — every pod spec pulls via
+  # the ghcr-credentials Secret (kyverno sync-ghcr-credentials allowlist).
+  # registry-credentials stays alongside so the currently-running sha-pinned
+  # forgejo image remains pullable until the first ghcr deploy lands.
+  image = "ghcr.io/viktorbarzin/fire-planner:${var.image_tag}"
   labels = {
     app = "fire-planner"
   }
@@ -230,6 +232,9 @@ resource "kubernetes_deployment" "fire_planner" {
        image_pull_secrets {
          name = "registry-credentials"
        }
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
        init_container {
          name = "alembic-migrate"
@@ -390,6 +395,9 @@ resource "kubernetes_cron_job_v1" "fire_planner_recompute" {
            image_pull_secrets {
              name = "registry-credentials"
            }
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
            container {
              name = "recompute"
              image = local.image
@@ -473,6 +481,9 @@ resource "kubernetes_cron_job_v1" "fire_planner_col_refresh" {
            image_pull_secrets {
              name = "registry-credentials"
            }
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
            container {
              name = "col-refresh"
              image = local.image
@@ -738,6 +749,9 @@ resource "kubernetes_job_v1" "examples_bulk_ingest" {
        image_pull_secrets {
          name = "registry-credentials"
        }
+        image_pull_secrets {
+          name = "ghcr-credentials"
+        }
        container {
          name = "ingest"
          image = local.image
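Review bot: The rewritten comment on `local.image` drops the one operational guard the old comment carried — that the tag must already exist in the registry before the next pod restart — at the moment it matters most, because the commit message says the cronjobs switch to the ghcr base on this apply rather than on the next deploy. One line such as `# The ghcr package must already hold :${var.image_tag} when this is applied: the cronjobs pick the new base up immediately, with no rollout gate.` would keep that visible next to the value it constrains. The comment also advertises both `:sha8` and `:latest` tags, yet the cronjobs end up on whatever mutable tag `var.image_tag` resolves to (the commit message says `:latest`), so a scheduled run can pick up any image pushed since the previous run; a digest (`@sha256:…`) or the `:sha8` tag would make the cronjob image reproducible and checkable against the build that produced it. The `locals` block continues past the end of the hunk.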
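Review bot: The same two-block `image_pull_secrets` pair is now copied verbatim into five pod specs (this hunk and the ones at -390, -473, -738 and -859), and the commit message describes `registry-credentials` as temporary, so its eventual removal is five edits that can drift apart. A `dynamic "image_pull_secrets"` over one local list makes the pull-secret set a single line to change, and the local's comment can carry the removal condition that today lives only in the commit message. Separately, nothing in the stack checks that the kyverno-synced `ghcr-credentials` Secret actually exists in the namespace at apply time; the reference is by name, so a missing Secret surfaces only as a failed pull on the next pod start — if the provider's `kubernetes_secret_v1` data source is acceptable here, reading it would fail the plan instead. The enclosing pod template starts and ends outside the hunk.
```hcl
# in locals (hunk at -13): pull secrets every fire-planner pod spec references.
# TODO(ghcr-cutover): drop "registry-credentials" once the deployment runs the ghcr image.
image_pull_secrets = ["registry-credentials", "ghcr-credentials"]

# … unchanged: deployment spec / template / pod metadata …
        dynamic "image_pull_secrets" {
          for_each = local.image_pull_secrets
          content {
            name = image_pull_secrets.value
          }
        }
# … unchanged: init_container "alembic-migrate" …
```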
@@ -859,6 +873,9 @@ resource "kubernetes_cron_job_v1" "examples_weekly_delta" {
            image_pull_secrets {
              name = "registry-credentials"
            }
+            image_pull_secrets {
+              name = "ghcr-credentials"
+            }
            container {
              name = "ingest"
              image = local.image